How to Guard Against Internet Fraud

Internet fraud is rampant these days, and becoming more sophisticated. As criminals gain access to more information about people, fraud attempts are being more narrowly targeted. Commonly, malicious emails include invitations to see photos of family or friends, greeting cards, jokes, and pleas for disaster relief assistance. Bogus web sites lure people into a false sense of security by imitating legitimate sites that people use all the time, such as eBay, Amazon, or personal banking sites.

You may even see fraudulent messages claiming to be from a Cornell office or official, asking you for personal information and passwords.

The Internet is a criminal's paradise – a place where anyone can appear to be someone they are not, then disappear without a trace after perpetrating a crime. Don't be a victim.

Never Respond to Spam

“Never means never. Don't click on an unsubscribe link in a spam message. Don't write to tell a spammer to leave you alone. Don't even use your email program's Bounce command to fake out junk senders. When you respond to an unwanted message, you let spammers know that your email address is valid.”
– MacWorld

Don’t fall for phishing

Fraudulent, or "phishing," emails try to trick you into replying with information the sender wants, or visiting a bogus web site. They play on your emotions to try to get you to react without thinking. So always beware of messages where someone is threatening to close an account or take away privileges unless you provide personal information. Likewise, if an offer seems too good to be true, it probably is.

Every time you are requested to provide personal information, such as an account number or password, think about what might happen if you give your information to the wrong person. These days, with fraud and identity theft such a widespread problem, no reputable institution should solicit personal information in email or over the phone.

An exception: Clearly, there is a difference between when someone contacts you to request information, and when you contact them. For example, when you call your doctor, you may be asked to provide your birth date to verify your identity. This is because your doctor is taking steps to make sure you are who you say you are, to protect your personal medical information. In cases where you contact a trusted service, such as your doctor, it is okay to provide personal information if it is requested.

When you aren’t sure whether a request for personal information is legitimate, confirm it at the source.

  • If it appears to be from a Cornell department, contact that department. If you don’t get a timely response, contact the CIT HelpDesk (phone 607 255-8990, email helpdesk@cornell.edu).
  • If it appears to be from a service outside Cornell, such as your bank, PayPal, eBay, or a credit card service, look up their contact information using a trusted source, such as the 800 number on the back of your credit card or the service’s official web site. Then call and ask.

You can also protect yourself by not clicking the web link you find in an email. Instead, look up the address for the company's main site, type it into your browser, and then navigate to the page you need. Similarly, instead of replying to a suspicious email, send a message to the company's published address for customer queries.

Clues that may indicate that an email is a scam

Caution: beware a false sense of safety. The lack of any of these signs is no guarantee that an email is legitimate!

  1. The message threatens that your account will be deactivated if you do not respond. OR, you may see added emphasis, such as exclamation points and words like “immediately,” to create a sense of urgency. This is a scare tactic to get you to react.
  2. The message asks you to send personal information, including your:
    • NetID
    • Password
  3. The message asks you to confirm or verify information about your account.
  4. The message is poorly written:
    • It’s written using ALL CAPS
    • There are spelling and grammar errors, including Cornell being misspelled repeatedly
    • Sentences don’t seem to flow smoothly and the writing is fragmented

A sophisticated phish may:

  • Include Cornell vocabulary, such as the names of Cornell employees or departments
  • Use a recognizable Cornell address in the From address
  • Include your own personal identifiable information (for example, it may appear to be from your own email address)

Real life phish attempt

In 2008, people at Cornell encountered the following phish attempt to obtain personal information that could be used for identity theft or other types of fraud. Note the perpetrator’s savvy attempt to mirror an authentic email by using the name of a legitimate business, CFCU.

The Reply-To and From addresses are both forged in this email. Also, the link in the email is fairly convincing, but look closely. It says myclcu.com, rather than mycfcu.com. It is actually a fraud that will take you to a web site meant to trick you into giving away your information. Fraudulent web sites that look a lot like the real thing are easy to create, so be safe (see How to Spot Fake Addresses).

______________________________________
Reply-To: <CFCU@mycfcu.com>
From: "CFCU Community Credit Union" <CFCU@mycfcu.com>
Subject: Customer Service
Date: Wed, 22 Feb 2008 14:06:17 +0200

As a CFCU Community Credit Union member, your privacy and security always come first.                 

We have been dedicated to customer safety and protection, and our mission remains as strong as ever.

In order to further protect your account, we have introduced some new important security standards and browser requirements, and we need to confirm your information.

Just click on the link below and verify your information to us:                 

<http://www.myclcu.com/verify/?secure=yes>http://www.mycfcu.com/verify?secure=yes

The Message is secure and, of course, your information will be kept confidential.
______________________________________

Watch out for scams trying to steal your money (known as advance-fee fraud or 419 scams)

There are many email scams circulating that use different country names and variations of the same story to get you to give money. Commonly, you will see:

  • Someone requesting a small advance of money, in exchange for giving you a big check in the near future.
  • A request for disaster relief funds or money for another cause that plays on your sympathies.
  • An email offering fraudulent opportunities to share in a percentage of millions of dollars, in return for helping a government official, widow, or heir/heiress, transfer money from one country to another.

An FBI account of advance-fee fraud

“The emails are rather elaborate, describing payment of taxes, bribes to government officials, and legal fees in great detail with the promise that all expenses will be reimbursed as soon as the funds are spirited out of [a country]...

In actuality, the millions of dollars do not exist and the victim eventually ends up with nothing but loss. Once the victim stops sending money, the perpetrators have been known to use the personal information and checks that they received to impersonate the victim, draining bank accounts and credit card balances until the victim’s assets are taken in their entirety.

While such an invitation impresses most law-abiding citizens as a laughable hoax, millions of dollars in losses are caused by these schemes annually. Some victims have been lured to [other countries]…, where they have been imprisoned against their will, in addition to losing large sums of money.”

-- fbi.gov/majcases/fraud/fraudschemes.htm