April 24, 2006
Phishing and Pharming and Trojans - Oh My!
by Polly Samuels McLean and Michelle M. Young
"DEAR SIR/MADAM: I REPRESENT THE RECENTLY DEPOSED MINISTER OF AGRICULTURE FOR NODAMBIZIA, WHO HAS EMBEZZLED 30 MILLION DOLLARS FROM HIS STARVING COUNTRYMEN AND NOW NEEDS TO GET IT OUT OF THE COUNTRY. . ."
"Dear Client of US Bank: As the Technical service of bank have been currently updating the software, we kindly ask you to follow the reference given below to confirm your data, otherwise your access to the system may be blocked."
More likely than not, the above blurbs are familiar. Each is an element of an online scam capable of stealing confidential information, identities, bank account funds and more.
Cybercrime has exploded in the last five years - according to the IC3 2004 Internet Fraud Crime Report ("IC3 Report") produced by the FBI and the National White Collar Crime Center, complaints about online fraud more than doubled between 2003 and 2004. According to the IC3 Report, more than 200,000 complaints were logged with the FBI in 2004, costing consumers more than $265 million.
And the news gets worse. In the past, cybercriminals produced worms and viruses (malignant software programs that invade personal computers, deleting programs and generating mass e-mails) that, although pervasive, obnoxious and malicious, were not designed to procure financial gain. Now professional Internet crime rings, organized to exploit computer weaknesses and the online economy, are reaping illicit gains. Christopher Bolin, Chief Technical Officer at security software producer McAfee, has characterized the new threat to consumers in these terms: "This is not a pimple-faced kid who, when he gets a girlfriend, stops writing viruses. This is a guy with a business plan."1
Like other types of fraud, cybercrime can be defeated through knowledge, common sense, and a few well-placed security measures. Below is an overview of some of the most common scams running right now, as well as some tips for avoiding victimization.
Online Auction Fraud
By far the most common type of Internet crime in the United States, online auction fraud is reminiscent of traditional methods of fraud. But unlike traditional telephone or in-person fraud schemes, the anonymity and worldwide nature of the Internet make identifying and prosecuting the perpetrators more difficult. Online auction fraud is increasing exponentially as the popularity of online auction sites grows. According to the IC3 Report, online auction fraud accounted for nearly 75% of all complaints registered with the FBI's Internet Crime Complaint Center in 2004.
Occurring most frequently on popular online auction Web sites (such as eBay or UBid), online auction fraud takes a myriad of forms. Most commonly, scam artists are either selling products they don't actually possess or intend to deliver, or products that don't match the description given in the auction (e.g., "genuine" Gucci handbags that aren't quite genuine).
For example, in 2004 Mark Beaver of Salt Lake City was sentenced to prison time and restitution when he was convicted of bilking hundreds of eBay buyers out of more than $180,000. Beaver sold his victims Fiesta Bowl tickets he had never possessed, often concocting glowing stories regarding the quality of the seats and reassuring his victims that he had an excellent reputation as a ticket seller on eBay. Many of Beaver's victims, most of whom had flown to Tempe, AZ in anticipation of receiving the tickets from Beaver shortly before the game, were unable to afford scalped tickets and were forced to watch the game on television. State v. Beaver, Case No. 031900185 (3rd Dist. 2004).
The IC3 Report details a similar case. A West Virginia man sold his airplane on eBay for $16,200. The buyer sent him a $2,000 deposit but heard nothing from the seller. Frustrated, the buyer continued to e-mail the seller until the seller accused the man of harassment and said he was going to keep both the plane and the deposit. The seller then relisted the airplane on eBay and sold it again. When police attempted to arrest him, the seller fled on his motorcycle, leading police on a high-speed chase. The chase ended when police caught up with the suspect at a roadblock. The seller was charged with computer fraud and various other crimes related to the chase. He pled guilty to a lesser charge of obtaining money under false pretenses and was sentenced to six months in jail, fined $250 plus court costs, and ordered to pay restitution.
There are other types of online auction fraud as well. For example, a recurring fact pattern involves a foreign buyer who agrees to buy a big-ticket item (typically a car, boat, etc.) being sold by an American seller over the Internet. The buyer sends a cashier's check for several thousand dollars more than the agreed upon purchase price, requesting that the seller deposit the check, ship the item, and then wire any remaining money back to the buyer overseas. After the seller wires the amount of the balance in legitimate funds "back" to the buyer, the seller discovers the check is counterfeit and the bank will not honor it. The seller is then faced with the impossible task of trying to recover both the merchandise and the cash. Richard White of Sandy got lucky when he was targeted by scammers in 2003. White had listed his motorcycle for sale on the Internet for just over $5,000. The buyer, though, forwarded White a check for $10,000 requesting that White wire the difference to an overseas account. White thought the request sounded suspicious and, instead of complying with the buyer's instructions, contacted Sandy police who later determined that the check was counterfeit.
Another type of online auction fraud is the "second chance" scam. In this type of scam, the seller takes advantage of people who bid on but did not win the auction. The seller contacts the next highest bidder, indicating that the highest bidder backed out and offering the buyer a "second chance" to buy the item at less than the highest bid price. The buyer accepts and sends payment to the seller. The seller may tell several buyers this same story. The buyers all tender payment, but no one receives the item. The seller pockets the money and disappears.
Online auctions are also popular places for thieves to sell stolen goods. For example, in a recent Utah case, a West Jordan man was arrested after police found hundreds of stolen items in his home. Local law enforcement was tipped off when a Midvale man discovered his recently stolen paintball gun listed for sale on eBay. Officers set up a "sale," then, after obtaining the seller's payment information, raided the seller's West Jordan home. In the home, officers discovered hundreds of stolen items as well as information indicating that the suspect had listed more than 500 stolen items for sale on eBay in the months preceding the raid.
Reviewing a seller's online feedback from previous buyers is not always a reliable safeguard. Feedback results when participants in an online auction transaction each "rate" the quality of the transaction. That rating is then available for other prospective buyers and sellers to view. Unfortunately, the system has weaknesses that online criminals routinely exploit. For example, in June of 2003, Russell Dana Smith was arrested in Salt Lake City and charged with 54 counts of fraud when it was discovered that the laptops he was selling on eBay didn't really exist. Smith, who had assumed the identity of John Leary in order to perpetrate his auction fraud, had offered "rebates" for customers who left positive feedback for him. At the time of Smith's arrest, more than 1,000 victims had come forward with claims exceeding $1 million, making Smith's one of the largest domestic eBay auction fraud cases yet.
Finally, online auctions enable activities designed to artificially inflate the bid price, known as "shill" bidding. In 2004, three eBay sellers in New York pled guilty to charges of shill bidding. The sellers cast bids in over 1,100 of each other's online auctions for the sole purpose of driving up the bid price on the merchandise offered for sale. Such shill bidding affected more than a hundred eBay buyers and, while the actual costs are unknown, the potential cost to consumers is substantial.
Nigerian 419 Letters
Purportedly named for the section of the Nigerian penal code they violate, Nigerian 419 letter scams prey on the fundamentally greedy nature of people. The letters, sent via e-mail, claim, for example, that "the recently deposed minister of agriculture for Nodambizia, who has embezzled 30 million dollars" needs to flee and now requires your assistance to get the money out of his country. The scammers offer, as payment for helping this corrupt bureaucrat, a cut of the funds (usually about one-third). Victims are sometimes asked to travel overseas to meet with the scammers to complete the transaction; and in all cases the victim is asked to front thousands of dollars to pay for "taxes," "attorneys costs," "bribes," "advance fees," etc.
Although the scheme seems farfetched, the FBI's IC3 Report indicates that the average financial loss of victims of a Nigerian 419 letter is $3,000, an amount higher than any other reported type of online fraud except check fraud.
There are many variations on the Nigerian 419 scam. Some letters claim to be from African government committees, some claim to be from dignitaries, some claim to be from Nigerian royalty. One scam with a local spin targets Utah residents. The letter claims to be from a Mormon living in Africa who desires only to support Mormonism and to share his wealth with others. He requests only that you send your bank account information to him so he can wire the money to you.
Work at Home/Reshipping Schemes
One new facet of the often-perpetrated "work at home" scheme is the postal forwarding/reshipping scam. Scammers place online ads or create employment Web sites looking for a "correspondence manager" for an offshore corporation. The "position" requires "employees" to accept goods sent to their personal addresses and then reship the goods overseas. Victims are also sometimes asked to accept wire transfers into their bank accounts, and then transfer the money to the "corporation's" account. In return, victims are paid with a percentage of the goods or money.
In reality, the goods have been purchased with stolen credit card numbers and reshipped by "correspondence managers" to scam participants who fence them overseas. Moreover, the money transferred into victims' accounts is stolen money being transferred from one account to another to launder the money. The thieves also use the employee's employment information (such as social security number, birth date and bank account information) to steal the employee's identity and money. This scam is popular with con artists because it allows them to fence stolen goods, launder money, and obtain access to confidential information. The FBI recently reported that they had identified more than 5,000 U.S. addresses that had been utilized in furtherance of a reshipping scheme.2
Spyware
Spyware is software used to covertly monitor actual computer activity - including Web sites visited, passwords, and other confidential information. In addition to monitoring users' online activities, spyware can also monitor offline computer activity. The program gathers confidential information (such as bank account information, credit card numbers, social security numbers, etc.) and then transmits the information to criminals who either use the information to steal funds and identities, or who sell the information to other criminals who do likewise.
Despite its name, the Utah Spyware Control Act (Utah Code §13-40-101 et seq.) (the "Act") mainly addresses adware. Although the terms are frequently confused by both legislators and consumers alike, adware refers to relatively benign software programs that track consumers' Internet surfing and spending habits, and cause "pop-up" advertisements to appear on the user's computer screen. The Act is based largely on copyright/trademark infringement policies and requires express user consent before the software downloads on a computer.
Phishing
Phishing (sometimes called "brand spoofing") is one of the most well known and fastest growing scams on the Internet today. The typical phishing scam involves an e-mail that appears as though it came from Paypal, eBay, a bank or some other reputable financial institution. The e-mail appears to be legitimate, and includes appropriate logos and working or "live" links to authentic areas of the institution. The message generally indicates that, due to problems with a database, a reset server or, ironically, identity theft concerns, the recipient is required to update personal data such as passwords, bank account information, driver's license numbers, social security numbers, PIN numbers, and so forth. Consumers are warned that failure to immediately provide the updated information will result in suspension or termination of the account.
Once consumers click on the link enclosed in the e-mail, they are taken to a legitimate looking (but fraudulent) Web site. Consumers are then asked to log in to complete a form "updating" their account information. Once thieves have a victim's personal information, they drain the victim's bank account, ruin his or her credit, and/or steal his or her identity.
Despite growing consumer awareness of phishing scams, people continue to fall victim to them in increasing numbers. One survey found that 28% of Internet users in the United States could not tell the difference between a legitimate e-mail and a fraudulent phishing e-mail.3 The click-through rate on phishing e-mails remains high at about three percent, compared with a typical response rate of about 0.5 percent for other types of spam.4 Losses to consumers due to phishing schemes have been estimated to be as high as $500 million nationwide.
To exacerbate the situation, phishing scams are getting more sophisticated as hackers employ other means to more accurately target customers of specific banks. Phishers are now using spyware and/or programs designed to log users' keystrokes (keylogging programs) to track those users' online activity and to gain access to consumer information. The criminals then tailor phishing e-mails to look like they came from the victim's actual bank - improving the odds that the victim will "take the bait."
Spyware is also used to gain control over personal computers. Once thieves have control of a number of computers (sometimes called a "zombie network" or a "botnet"), the network can be used to generate "phishing" attacks. Although spyware isn't the only way a phishing scam can be perpetrated, the use of zombie networks disrupts the computer "trail," making it more difficult for law enforcement to track fraudulent activity. Given the ease with which spyware programs may be created or acquired (many free spyware programs are available on the Internet), using spyware programs to establish a zombie network of compromised computers is an attractive proposition to many computer criminals.
Trojan Horse Programs
Trojan horse programs hide malevolent programming within a shield of benign computer code to circumvent security software and firewalls. These programs are often transmitted via e-mail and Internet worms - malicious software programs that trigger massive e-mail by the infected computer in order to perpetuate the spread of the program. Like spyware, once installed on a host computer, the Trojan horse program collects system information, downloads and executes files, and even remotely controls a connected Web cam. Frequently, Trojan horse programs wait until users visit online banking sites and then log and transmit user names, passwords, and other account information to thieves.
Recent Trojan horse attacks are more sophisticated. These new attacks consist of multi-pronged attacks of coordinated software that communicate with each other and work together to bypass firewall programs and establish control over infected computers. And because the programs allow thieves to remotely access the computer, the program code can be changed quickly and often to avoid anti-virus programs and other security software.
Trojan horse programs also provide a means by which phishing scams can be accomplished without requiring users to click any links. This method of phishing, currently spreading throughout Brazil and other South American countries, works like a virus. If the user opens the e-mail, a Trojan horse program installs itself on the user's computer. The program waits for a user to visit his or her legitimate banking site, and then a keylogger program contained within the Trojan horse program steals the consumer's usernames and passwords. Although this type of attack has not yet spread to the United States, experts predict it will arrive here soon.
Pharming
Pharming (sometimes called "domain spoofing") is another way online criminals use Trojan horse programs to gain access to confidential consumer information. Pharming uses Trojan horse programs to redirect people to counterfeit banking or e-commerce sites (sometimes called "page hijacking"). The compromised computer or server redirects consumers to fraudulent Web sites even if a user manually types an address into the browser address window. The fraudulent sites are formulated to look like authentic, legitimate sites (and may even include a bogus "secure site" logo indicating that the site is genuine). The site may install spyware or prompt the consumer to enter personal information, including user name and password.
Another form of pharming "poisons," or gives false information to, domain name servers. Those servers then redirect Internet users to Web sites maintained by the attackers. A recent attack resulted in an estimated 1,300 Web site addresses being redirected to malicious sites.
Pharming is particularly dangerous because it gives the user no warning that the computer is infected. The Trojan horse operates quietly in the background, redirecting the user to fraudulent Web sites.
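One local mechanism behind a redirect that survives a hand-typed address is a modified hosts file, which the operating system normally consults before DNS; the article does not name the mechanism, so that is an assumption here. The following added example, not part of the original article, audits hosts-file text for entries that pin watched banking hostnames to a fixed address. The watchlist, the sample file and the function names are constructed.

```python
import ipaddress

# Assumption: domains that should never be pinned in a local hosts file.
WATCHED = {"examplebank.test"}

# Constructed hosts-file content, not taken from a real system.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
# 203.0.113.7 www.examplebank.test   (commented out, ignored)
203.0.113.7  www.examplebank.test login.examplebank.test  # added by installer
::1 localhost
198.51.100.4 intranet.example
"""

def parse_hosts(text):
    """Yield (address, hostname) pairs, skipping comments and bad lines."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address
        for name in fields[1:]:  # one line may carry several aliases
            yield str(addr), name.lower().rstrip(".")

def suspicious_overrides(text, watched=WATCHED):
    """Return [(hostname, address)] for watched names pinned in the file."""
    return [
        (name, addr)
        for addr, name in parse_hosts(text)
        if any(name == w or name.endswith("." + w) for w in watched)
    ]
```

This covers only the local-machine case; a poisoned domain name server, described above, leaves the hosts file untouched and has to be detected at the resolver.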
Conclusion
The growth of cybercrime is alarming. During the 2006 legislative session, Utah lawmakers are considering a bill making the procurement of sensitive financial information (such as driver's license, social security, or bank account numbers) by false pretenses a felony - regardless of the amount of damages incurred. See Utah SB52. At present, the communications fraud statute (Utah Code §76-10-1801), one of the means by which Internet fraud can be prosecuted in Utah, specifies that the amount of damages determines the severity of the punishment (e.g., misdemeanors for losses under $1,000, felonies for losses over $1,000). The proposed statute would mean possible prison time for merely obtaining the information under false pretenses even if there is no financial loss.
Opponents of recently considered anti-cybercrime legislation argue that it is not new legislation that is needed, but new means of enforcement. They claim that fraud, whether perpetrated online or off, is still fraud and is, therefore, covered by state and federal consumer protection statutes. Yet enforcement of anti-fraud statutes with respect to Internet crime is more difficult because of the ease with which scammers can create and dismantle Web sites, hide their identities, and so forth. Such groups believe that legislation expanding enforcement powers and providing for information sharing between law enforcement agencies would be more effective in the fight against cybercrime.
In order to protect themselves, it is vital for consumers to maintain a healthy skepticism and to use common sense. Do not give out confidential information unless you know to whom you are giving it, and why. Personal computer users should run up-to-date antivirus and antispyware software and should update it regularly. Any computers running Microsoft products should download program updates regularly as those programs are often the target of malicious programmers.
The Internet is global, anonymous, and fluid. Although the Internet offers a vast legitimate economic opportunity, it also offers an attractive new forum for those who perpetrate fraud. Given the increased degree of difficulty in fighting cybercrime due to the very nature of the Internet, consumers, law enforcement, and legislators must work together to create a safer and more productive e-commerce environment.
1. Grant Gross, Tech Execs Call for Cybercrime Commission, PC World, at http://www.pcworld.com/news/article/0,aid,119648,00.asp, (Feb. 10, 2005).
2. Operation Cyber Sweep, United States Dept. of Justice, at http://www.fbi.gov/cyber/cysweep/cysweep1.htm.
3. US Consumers Still Can't Spot Phishing Scams, Finextra, at http://www.finextra.com/fullstory.asp?id=12250 (July 28, 2004).
4. Tony Lima, Does Online Banking Put Your Money at Risk?, PC World, at http://www.pcworld.com/news/article/0,aid,117757,00.asp (Sept. 13, 2004).
Posted by BarStaff at April 24, 2006 11:38 AM