NEW YORK (CNN/Money) -
If you got an e-mail from someone you didn't know asking for credit card numbers and personal financial information, would you give it to them? Actually, you might, if you're not careful.
Cyber-criminals have hit millions of Americans with identity-theft attempts that look very much like official information requests from major corporate Web sites. Technical advancements have made it easy for fraudsters to accurately copy the Web pages of well-known companies, making the scam particularly likely to succeed.
Victims have received e-mails that seem to come from eBay, Bank of America, Best Buy and other companies. The messages say that they are alerting customers to problems with their accounts. The e-mails include hyperlinks to realistic-looking phony Web sites where the mark is asked to provide credit card or other personal information.
Since it's so inexpensive to send e-mails, con artists don't care whether most people receiving the messages actually have an account with the named company, explains Eric Wenger, an attorney with the Federal Trade Commission. Criminals can send out 100,000 e-mails for $50 or $100. "If they get one or two hits it's worthwhile," says Wenger. Not only that, but they can use the data from previous victims to pay for the next scam.
A spokesperson for Best Buy, Lisa Hawks, says the volume of calls coming into the corporate offices spiked to "two or three times" normal when the phony Best Buy spam hit the fan last June 18. The e-mail mentioned an order number and the words "Fraud Alert," tricking some customers into believing someone had used their credit card info to make a purchase.
The company reacted by quickly putting a disclaimer out on its Web site and contacting local and national authorities, including the FBI and the FTC, who managed to track down the site's owners and shut it down.
Audri Lanford, co-founder of ScamBusters, says reports of Web site spoofing have flooded her organization. The most important thing to do is stay calm when you get an e-mail like this, she advises. "People get very excited because they think someone's using their credit card or has bought something that they'll have to pay for." Believing they need to act immediately, they click the hyperlink, which takes them to the phony site.
How to Avoid Being a Victim:
- Never give your Social Security number in response to an e-mail.
- Never give out your credit card account numbers, driver's license numbers, or any other information in response to an e-mail.
- If you get an e-mail like this, don't click on the hyperlinks; these can take you to phony Web pages. Instead, type the company's Web address into your browser or use your own bookmarks. If you're unsure of the company's real Web address, use a major search engine or other reliable source to find it.
- If you're suspicious, call the company's customer service department or e-mail them yourself and ask them if they've sent out any e-mails of the type you received. (It should go without saying, but make sure you're getting the customer service e-mail address from the real Web site.)
- Once a year, check your credit reports from the three major credit reporting agencies: Equifax, Experian, and TransUnion.
If you realize that you have gotten stung, you can still limit the damage. For more on what to do, read our Identity theft survival guide.