Fraud is big business. Whether a person walks out of a store with a dollar too much change, sues an insurance company for millions of dollars that aren’t deserved, or engages in phishing, it’s theft and lies. Fraud always hurts someone, and often, it hurts a great many someones.
The cashier has to pay back the extra change. The entire insurance paying public experiences increased premiums in order to cover millions of fraudulently appropriated dollars. Individuals lose their identities. And life gets harder for honest people because dealing with the companies we do business with becomes increasingly difficult.
Gone are the days when you could call your bank and say, “Hi. Jane Doe here. I'd like to know ...,” and you’d get an answer from a friendly person. These days you wouldn’t get past “Hi.”
A few weeks back, my life was quite harried, and within the same ITM payment session, a bill was paid twice. Trying to stop the second payment required answering a nightmare of questions, six or seven, to verify my identity. It's insanity because I called a couple of minutes after the incident with all the necessary information. It was obviously a mistake. Honestly, who else would it be?
Fraud has become an everyday occurrence that has escalated beyond normal tolerance. The toll taken on our senses, on our humanity, on our spirituality, is beyond measure. Trust and joy of life are replaced by suspicion and fear of loss.
Have compassion for the cashier and give back the dollar. Stop the fraudsters (Canadians can contact the Insurance Bureau of Canada to report suspected insurance fraud and the RCMP for all other frauds). Stop answering the phone when you don’t recognize the number. If it’s important they’ll leave a message; if they don’t leave a message, you probably don’t want to talk to them anyway. And sometimes, don’t answer the phone even when you do recognize the number. One day I got multiple calls from, well, ME!
Take the time and extra steps to report phishing emails to your email provider, or to the sender's email provider, or to both. Making the reports won't put an end to the thieving; however, making the reports might stop one person from being victimized.
What triggered this post?
Recently, a very official looking email was sent to the contact email provided on my Editors Canada profile. It appeared to come from the unnamed HR Director of a very large publishing house.
There was a company logo at the top of the email, a named contact person (a real New York office HR employee) and a bunch of other important, enticing stuff like job description, responsibilities, salary range, a code to use when responding, and even a note that training would be available.
It was all typed up in bold, so if it’s in bold it must be official, right? Just like the guy who comes to your door must be official if he has a clipboard, right?
I saw it the next morning—so thrilling!
Little me was being solicited, sort of, by this great publishing house! Just think: Not only did the unnamed HR Director take the time to review my profile, but this person liked it so much (???) they asked me to apply to a proofreading job call.
Was it real? For a while, yes it was, in my mind.
Normally the email would have been suspect and deleted immediately; I wouldn't have given it another thought. But on that day, I was waiting for exactly this kind of notice. And that's the point! The sender is always banking on such things: either you're waiting or hoping for such a notice and therefore respond, or you ignore it and say nothing.
Not long ago a longtime, well-respected editor, who is my former teacher and someone I look up to as a mentor, asked if I’d be interested in a position as a proofreader. Could she put my name forward?
“Of course. Yes, please and thank you.”
So when the aforementioned garbage email arrived in my inbox, muttering great blessings to my teacher, my most current resume was reviewed, updated, and a response email was crafted—beautifully, I might add.
However, years of disappointment and the increase in scams and spams leave one jaded. Little things in the email, which initially had been dismissed, started to jump off the screen (not literally).
The Google Connection Made Me Look:
• The response, that required my resume be included, was to be sent to a "gmail" account. (The publishing company this email was supposed to be coming from is huge and would most certainly use company attached emails, not gmail accounts. For example, firstname.lastname@example.org.)
• Interviews would be conducted through Google Hangouts. Say What??
I advised Google about how they were being used. No response has been received; however, from past experience, they are on it and will respond eventually.
Long story a bit shorter: after taking a good look, it all fell apart like a chain letter does if you take the time to look.
Other Red Flags:
Interview times were to be scheduled during office hours CST. Wouldn’t it be more appropriate for scheduling to be EDT, given the person named in the email was with the New York office?
The email was unsigned. No, I didn’t notice that right away because there was a name for the person who would vet the responses.
The company would provide training for the job. Training to be a proofreader? Not bloody likely! A publisher as large as the one in question would want their proofreaders trained and ready to go.
The email address of the sender was wonky. The address did show a variation of the name of the large publishing company, but it was included as a sub-domain of a completely unheard of company.
Breaking down the fraudulent email address info@largepublisher.phisher.com:
- info (name of the intended recipient)
- @ (points to the company to which the recipient is attached)
- largepublisher (name of the company being used as bait)
- phisher.com (this, and only this, is the domain name)
If you get emails that employ sub-domains, look for the root domain. It will be the name that precedes the extension: .com, .ca, .net, .org, etc. In the example above, the domain is "phisher.com." "Largepublisher" was added as a sub-domain.
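The same check can be done by a short script. This is an added example, not something from the original email or any tool named in this post; it also goes a little further than the text by handling two-part extensions such as .co.uk and by flagging the free-webmail reply address mentioned earlier. The legitimate domain largepublisher.com, the reply address, and the short suffix and webmail lists are assumptions made up for the illustration.

```python
from email.utils import parseaddr

# Assumption: a tiny stand-in for the Public Suffix List, enough for this demo.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.nz"}
# Assumption: a short sample of free webmail providers.
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com"}


def host_of(address):
    """Lower-cased host part of an address, display name stripped."""
    return parseaddr(address)[1].rpartition("@")[2].lower().rstrip(".")


def root_domain(address):
    """Root domain: the label before the extension, plus the extension."""
    labels = host_of(address).split(".")
    # An extension such as co.uk has two labels, so keep three in total.
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def red_flags(sender, reply_to, brand, brand_domain):
    """List the address-based warning signs described in the post."""
    flags = []
    host, root = host_of(sender), root_domain(sender)
    if root != brand_domain:
        # Everything left of the root domain is sub-domain decoration.
        sub_domains = host[: -len(root)].strip(".")
        if brand in sub_domains:
            flags.append(f"'{brand}' is only a sub-domain of {root}")
        else:
            flags.append(f"sender domain {root} is not {brand_domain}")
    if reply_to and root_domain(reply_to) in FREE_MAIL:
        flags.append(f"replies go to free webmail ({root_domain(reply_to)})")
    return flags


# Constructed sample values modelled on the email described above.
SENDER = "HR Director <info@largepublisher.phisher.com>"
REPLY_TO = "largepublisher.hr@gmail.com"

if __name__ == "__main__":
    for flag in red_flags(SENDER, REPLY_TO, "largepublisher", "largepublisher.com"):
        print("RED FLAG:", flag)
```

A production version would use the full Public Suffix List instead of the three-entry set, since extensions like .on.ca or .com.br are otherwise misread.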
Finally, and this is what I should have seen first, because no big brand would tolerate it: the logo was wrong.
whois the Phishing company?
Conducting a "Whois" search is simple and will provide a mother lode of information. Type "whois" into your browser's search field and a number of websites that provide registration information will be listed. Pick one of the sites and follow the instructions.
The whois registry will tell you
- the proper name of the domain
- when the domain was issued and registered
- who issued and registered it
- when the registration expires
- particulars of the domain holder such as address, telephone number, contact person, etc. It should be noted, however, that more and more individuals and companies are paying for obfuscation.
- other technical information
A Step Further:
If you would like to dig deeper, to discover who is hosting the fraudster's domain, you can use a publicly available tool such as http://www.mxtoolbox.com. This tool will provide you with the e-mail hosting provider of the domain name, which can then be compared to the ARIN.net IP allocation database. This will give you the relevant information for the true e-mail hosting provider. Note that use of arin.net requires opening an account.
When you find out these little tidbits of info, speak up and report the bastards!
Do any of my efforts matter? Probably not. Cut off one head and ten more grow in its place.
The bottom line is that I gave it a shot. One voice may not make a difference—two probably won't either, but two thousand will definitely be heard.
The point is, if you get a fabulous request or a frightening request, don’t jump! Think it through. Look for anomalies in the email. Don't click on anything and don't respond immediately. Don’t jump! The email I received was a fake. But it would have got me if I hadn't looked twice.
A.P. Cairns is a Canadian Author and Editor
Copyright 2020 A.P. Cairns