Identity Theft is Too Easy – Phishing with a Fax Number
January 25, 2008
Have you ever faxed over a copy of your name, address, and social security number to an identity thief? I thought for a brief moment today I might have fallen victim to a savvy phishing/fax scheme that originated with the email below:
2nd Notice! – Important! – W-9 tax form
This is just a reminder. We request that you assist us in updating our records, therefore expediting the delivery of your 1099-MISC (Statement of Earning for Non-Employees) for 2007. Please print out the W-9 form then complete and sign it. Please fax completed form into our office ASAP at xxx-xxx-xxxx. Please make sure that the name, address, and Tax ID Number are the same which are used when filing your tax return.
If this form is not completed and faxed back to us by the end of the business day Thursday 1/24/2008, the Internal Revenue Service requires us to begin backup withholding at the current applicable rate allowed.
Internal Revenue Service! Backup withholding! I faxed that W-9 over as fast as I could. As I replied to the email to confirm receipt of the fax I had a sinking feeling in my stomach.
Was this a legitimate email? Had I just sent my information to a scammer? Luckily, it turns out it was all above board but the more I thought about it, the more I realized how a technically savvy person could pull off a scam like that.
Misrepresenting a Legitimate Company
I won’t go into detail but a person could find enough information on most any personal blog to spoof an email that would appear legitimate but actually contain a fax number with an identity thief waiting on the other end. Revealing your social security number, name, and address could leave you vulnerable to identity theft, especially combined with the information revealed on some blogs.
Of course many people would probably sense something wasn’t right for a variety of reasons. But all it takes is for one person to fall for it and their personal information could be compromised and exploited. The reason I bring this up is that this approach is a sneaky derivative of the standard phishing emails many people have come to ignore. We’ve seen enough phishing emails that we can mouse over the link and see it doesn’t go to paypal.com but instead some obscure web domain so we simply delete the email.
Phishing with a Fax Number
In this hypothetical instance, instead of listing a disguised link the scammer simply lists a fax number and creates a sense of urgency with the recipient. With no hyperlink to trigger my internal scam filter, I didn’t pick up the potential danger of this one until after the information had been sent. I’m fortunate that it was a legitimate request and will be more careful in the future.
Identity Theft Evolving
What this reminded me of is that identity thieves and scammers will continually come up with ways to defraud people of their hard earned money. Fraud awareness, education, and a common sense filter have served me well so far to date, knock on wood, but “they” will always be out there looking for ways to get into my wallet. Of course I don’t lose sleep over it but I do hear horror stories about people whose identity was stolen and I definitely don’t want to go through the mess they have.
Protecting Yourself Against Identity Fraud
For now, I continue to rely on common sense but lately I’ve been giving thought to signing up for a program like LifeLock that helps protect your identity and also provides you money to help clean up the mess in the event someone does take your information and abuse it. I haven’t done a cost/benefit analysis yet on the price of the service vs. the value of protection & cleanup coverage but it’s on my to-do list. Has anyone had any experience with the LifeLock service?
However you decide to protect your identity, make sure to think twice before clicking that link, sending that fax, or giving out information over the phone. It may be a legitimate request like it was for me today but you certainly don’t want to find out down the road that you’ve been scammed.
All posts by Ben Edwards
Be careful with LifeLock. Sounds like a great inexpensive identity theft protection service, but I’ve heard from others that the service may also hinder your ability to obtain your free annual credit report from annualcreditreport.com because of the fraud alert placed on your credit file by being a LifeLock member. Otherwise go for it if you suspect someone of trying to steal your identity.
The LifeLock commercial where their CEO is walking around handing out his social is priceless. Definitely a good marketing ploy and judging from all of the good reviews floating around, this sounds like a solid service as well.
Nick
I actually did an interview with a man the other day who used to be the postmaster of AOL and is a spam expert, and he said there is a scam going around. It’s an email that looks like it’s from the IRS saying you overpaid by $37-something, and if you reply with your personal information, the money will be wired to you. Instead, they commit identity theft with your information. The man said almost nobody falls for the Nigerian scam emails anymore, but when an email looks like it’s from the IRS, people trust it. Pretty scary stuff. If you get an unsolicited fax or email requesting personal information, always call the company first to make sure it really was them!
Here are some of the rules I usually follow when I get emails like that.
– Check the from email address. If it’s from a freely available domain like yahoo, gmail then it’s most likely a spam. I would expect any company requesting me such info to be official and send the mail thru corporate address.
– If there are links in the email, bring the mouse pointer on the link (do not click it) and see what’s the address on the browser foot bar. See if it’s legitimate and whether I have an account with that company.
– If I find all this legit then I call the company from which I got the email and ask them if they had indeed sent an email to me and if so what is the fax number to fax back. Use that fax number.
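Added example, not part of the post or its comments: a small Python triage function that applies the sender-domain and link checks from the rules above, plus a check for the case the post describes, where a message has no link at all but asks for tax details by fax. The word lists, flag names and sample message are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed word lists for illustration; tune them to your own mail.
FREEMAIL = {"yahoo.com", "gmail.com", "hotmail.com", "aol.com"}
SENSITIVE = re.compile(r"\b(W-9|tax id|social security|SSN)\b", re.I)
URGENCY = re.compile(r"\b(asap|2nd notice|backup withholding)\b", re.I)
SHOWN_DOMAIN = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

class LinkCollector(HTMLParser):  # gathers (href, visible text) pairs
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def triage(raw):
    """Return sorted warning flags for one raw, single-part message."""
    msg = message_from_string(raw)
    body, flags = msg.get_payload(), set()
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if sender in FREEMAIL:
        flags.add("freemail-sender")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        shown = SHOWN_DOMAIN.search(text)
        name = shown.group(1).lower().removeprefix("www.") if shown else ""
        if name and host != name and not host.endswith("." + name):
            flags.add("link-text-mismatch")
    if SENSITIVE.search(body) and re.search(r"\bfax", body, re.I):
        flags.add("sensitive-data-by-fax")  # no link needed for this lure
    if URGENCY.search(body):
        flags.add("urgency")
    return sorted(flags)

# Constructed sample modelled on the W-9 request quoted in the post.
FAX_LURE = ("From: Payments <payments@partner.example>\nSubject: 2nd Notice!\n\n"
            "Please fax the completed W-9 form to our office ASAP.\n")
```

A flag here is a prompt to do the call-back step from the last rule, using a phone or fax number obtained independently of the message; a legitimate request like the one in the post will raise the same flags.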
Jeremy, I know what you mean about all the companies that have our info. That’s why I signed up with an EIN instead of an SSN and used a mail box instead of my home address. My box is already flooded with junk mail, UGH!
Clever Dude, you’re obviously more clever than me : ) Good job on calling to verify before faxing, I should have done the same.
Todd, thanks for sharing your experiences with LifeLock. I see the CEO is broadcasting his social security name all over the world in their ads so he must feel pretty confident about the service : )
I actually use Lifelock and like their services. When you sign up they do several things on your behalf. First, they lock your credit with the three major credit companies. This means that if anyone (even me) attempts to apply for credit in my name and SSN, it is blocked, then I am immediately notified. Second, they stop the junk mail that you get from all the credit card companies. Third, they actually get credit reports sent out to you on an annual basis.
The credit locks actually cost money for anyone to perform with the three major credit companies, and Lifelock will actually do this every three months, which is when the locks expire. So, I’ve been happy with their service and it’s a small price to pay to not have to worry about my identity being stolen.
I know the exact email you’re talking about and right before faxing it over, I did some research on the number and found it to be legit.
I bet that these types of scams on bloggers are VERY easy because the newbies (and even the experienced) don’t want to get their money or paperwork late, and definitely don’t want to have backup withholdings taken out of our pay!
Wow, never even thought of that type of scam. I’m always worried about online junk.
What is really scary is the number of companies that have all my info. I doubt even half of them keep that info truly secure.