David Fewer was describing how internet scams have changed — from the mischievous tricks pulled by amateurs 10 years ago to the potentially dangerous cons run by organized crime today.
Fewer, an expert in internet scams, was about to talk about phishing as a seminal development in scamming when he was interrupted by an email from Scotiabank. The email was a scam — of the phishing variety.
Someone from "some dark corner of the world" was trying to get Fewer's banking information at the very moment he was being interviewed about how scammers try to get our banking information.
"And I've got pretty good security on my computer," said Fewer, director of the Canadian Internet Policy and Public Interest Clinic, run by the law faculty at the University of Ottawa.
A few things about the email triggered what Fewer calls his spidey sense: the URL used scotiabank-canada and he was tweaked by the dash and the fact Canada was named.
"There's a bunch of hints," he said.
A big hint: The real Scotiabank would never send an internet notice to clients. No bank would.
Hundreds of thousands of complaints
To say internet scamming has grown in the last 10 years is an understatement. The U.S. Federal Trade Commission, which goes after bad business practices, received 25,000 complaints about internet scams in 2000. Last year, it received 200,000.
The Canadian Anti-Fraud Centre, better known as Phonebusters, receives 140,000 complaints by phone each year, and about 36,000 by email, said Cpl. Louis Robertson,
'The dumb criminal will take a gun and steal $50 from a store. The smart criminal sets up a website. Guess who's going to be spending his winter on a sunny island?' — Cpl. Louis Robertson
the centre's head of criminal intelligence. He calculates that Canadian consumers lose about $2 billion a year to mass-market and identification fraud.
"The dumb criminal will take a gun and steal $50 from a store," Robertson said. "The smart criminal sets up a website. Guess who's going to be spending his winter on a sunny island? I'm being sarcastic but … ."
The internet is filled with people venting about being scammed. Many complaints start with "I stupidly signed up for," or "I stupidly fell for," or "I'm usually quite internet savvy, but . …"
And these are just the people who realize they've been scammed. Many people don't. They may have clicked, for instance, on an email that installed spyware or malware on their hard drive, turning their computer into a "bot'" that helps send out spam to other computers.
"We're not just victims, we're unwilling partners," Fewer said. "Organized crime has gotten involved, so scams are more systematic, more persistent, more creative."
Scammers get creative
Battles are being won.
In June 2009, the U.S. Federal Trade Commission had a big win when it shut down 3FN, a rogue Internet Service Provider hosted in the U.K. and the Baltics but with servers in San Jose, Ca. The commission charged that 3FN knowingly hosted and participated in the distribution of spam, child pornography and other harmful electronic content.
The long list of wrongdoings included establishing a forum "to facilitate communication between criminals," and running malware programs and viruses that "caused substantial consumer injury."
"Google told us that when we shut that down, a third of spam disappeared," said the commission's Dan Salsburg. "Of course, about a week later it had all gone back up."
Canada's Competition Bureau, which has partnered with enforcement agencies across the country, has also had success, particularly in the area of cheque scams that target online job seekers.
In October, a Brampton, Ont., man was sentenced to 3 ½ years in prison for operating an employment-opportunity scam involving counterfeit cheques. A second Ontario man is to be sentenced for a similar crime in January.
Like many internet scams, this one began online and ended up in the bricks-and-mortar world. And also, like many online scams, it wouldn't have worked without the unknowing aid of legitimate businesses, which did even more "damage" in the process, noted the judge in the case.
The scam works like this. The fraudster trolls online job sites where people, by necessity, are forced to post all sorts of personal information. The job-seeker is offered work as a mystery shopper. They're told they'll be testing the services of Money Gram or Western Union. The job-seeker is mailed an authentic-looking cheque and told to deposit it into his or her bank account, via the above businesses, and then evaluate the service.
Of course, the cheque bounces and the job-seeker is on the hook to pay for it.
Dan Salsburg of the U.S. Federal Trade Commission would agree. In earlier days, there wasn't a lot of imagination in a typical scam.
"It was old wine in new bottles," said Salsburg, assistant director of the marketing practices division in the bureau of protection. "Now they've shown remarkable creativity.
"The bottom line is, bad guys want to take your money. And if not your money, somebody else's."
Some bad guys will persuade you to pay for a security patch when you can do it for free by changing your default settings, Salsburg says. That's scareware.
Bad guys will install nasty programs on your computer so that you host pop-ups that allow them to collect fees from advertisers who only count clicks. That's adware.
Bad guys register URLs with misspelled names of movie stars to attract you to their sites. And you can never leave, as you become ensnared in pop-ups that direct you to other sites. That's mousetrapping, although it's largely been beaten.
Pagejacking, too, where you click on one website URL and find yourself at another, has been eliminated, thanks to pop-up blockers and improved search engines.
But this is the internet. As one scam is eliminated, another evolves. Any scam can be done more efficiently on the internet, Robertson said.
"Instead of phoning one (potential victim), you hit a button and reach 1,000 people — 100 that will talk to you and 10 that you'll scam."
A decade of internet scams started with worms and viruses that tried to get access to your financial and personal information without you knowing.
In 2003, the federal Competition Bureau, which is involved in Canada's fight against cyber fraud, registered its first complaints.
Money sent to fake school
Around 2005, phishing arrived, with scammers trying to trick people into releasing their financial and private information through emails that mimicked official websites.
About 18 months ago, scammers hijacked the website of the Université de Sherbrooke, in Sherbrooke, Que. It was a small community of targets: 5,000 to 6,000 students registering and paying for courses online. A duplicate website was created, with the only difference being the name: Université a Sherbrooke instead of de Sherbrooke.
Soon, complaints started coming in from students who'd been duped into sending money to, well, not to the Université de Sherbrooke. But who did they send their money to?
Phonebusters tried to find out. The centre followed the IP address, which landed in Switzerland, then bounced into Russia. More information was sought, unsuccessfully, from Swiss authorities, Robertson said. The case was never solved.
"You're talking about a very small community," Robertson said of the targets. "Did the (scammers) have a contact in town? Did they have someone who knew someone? It just shows you how huge the problem is. The scammers don't have borders and we're still functioning on borders and jurisdiction. We're 15 to 20 years behind the ball."
Many scams live in a grey zone between legitimate and fraudulent, selling tooth-whitening products, Acai berry weight-loss schemes, auction internet packages and access to government bailout money, both Canadian and American.
No end to bills
In a twist on the classic bait-and-switch scam, people who click on ads don't get what they thought they bought but are billed monthly at a much higher rate and find there's no way to cancel.
"Some of these scams are out-and-out fraud — you don't get anything — but some of them look like fairly legitimate business," said Ian Nielsen-Jones, assistant deputy commissioner at the Competition Bureau in Ontario.
There is a belief that only greedy, vulnerable or lazy consumers get scammed, but this is no longer true. Fraudulent cheques, fake websites and misleading offers often bear out research and double-checks, he said.
"We interviewed tonnes of victims and they aren't the dullards of the world," Nielsen-Jones said.
David Fewer would like to see more attention paid to online scams in Canada. Many internet scams still fly below the radar of enforcement agencies, which tend to focus efforts on the bricks-and-mortar scams: bad mechanics, deceptive contractors and the like.
Robertson holds out his own unit as an example of the lopsided fight. More than half of scams now involve the internet. But what does he have in his armoury? Six analysts. None of them experts in cyber fraud.
"If we don't have enough analysts," Robertson said. "There's going to be other people targeted, and it's not just seniors, it's everybody."