Naturally, you hate spam--who doesn't? So imagine how you'd feel if you suddenly started receiving angry e-mail messages from strangers accusing you of spamming them.
That's exactly what happened to Jonathan Frank, a retired traffic engineer who lives in Englewood, New Jersey. He and his wife, Michele, were shocked to learn that their primary AOL user name had inexplicably begun showing up in the Sender field of spam messages soliciting for porn and other Web sites. "We can't change or delete the master screen name without giving up the account," Frank says.
Unfortunately, spammers can make it seem as if their messages are coming from your account, even though they have no way to access that account.
I spoke to America Online Inc. spokesperson Nicholas Graham, who compared the practice to scammers making phone calls and identifying themselves as other people. "If you were fooled by a caller who pretended to be someone else, you wouldn't blame the phone company," he says.
It may come as small comfort to you if you're accused of spamming, but Graham says that user-name takeovers typically don't last long. "Spammers usually move on quickly," he explains. "The best thing to do is to simply let it run its course, like a bad cold."
(Note: PC World US provides some content for use on AOL.)
In Frank's case the perpetrator may not have had access to his mail account; in other cases, however, online miscreants are able to crack users' accounts, sometimes with serious consequences.
Instances in which spammers or other unscrupulous individuals gain access to e-mail user names and other personal information--and use them for nefarious purposes--aren't new, but they are on the rise. "There's a long, disgusting history of this type of name abuse," says Jason Catlett, president of the antispam group JunkBusters Corp. "It's good old garden-variety fraud, and it's increasing at a steep rate."
The trend is alarming, especially when you consider that anyone with an e-mail account is a potential victim of user-name theft. Sometimes the culprits are motivated by personal malice or revenge, and they need nothing more than a valid e-mail user name to do their dirty deeds. "Occasionally victims' names are chosen at random," Catlett explains. But more often, the theft "is done for reasons of retribution or deliberate harassment in an attempt to slur a person or company's reputation. This type of attack can cripple small businesses." The perpetrator is frequently someone who knows the victim personally and knows the victim's password--or can figure it out, by accessing the account on the Web and asking for the "hint" question, for example.
Catlett cites the instance of a spammer who several years ago pirated two AOL users' screen names and used them to mass-mail a solicitation for child pornography to hundreds of thousands of e-mail addresses around the world. An FBI investigation determined that the AOL users weren't involved in sending the spam. The creep who stole their names sent out the junk mail with yet another innocent person's name contained in the body of the message, as a way to harass that third victim.
Some victims of this variety of crime find themselves labeled not as spammers, but as fraud artists. In another recent case, a criminal took over a New York EBay user's account information--including her e-mail address--and used her positive feedback on the site to lure bidders to auctions of 15 nonexistent notebook computers. She learned of the break-in only when a suspicious bidder checked her record, noticed that she'd never sold computers before, and phoned to verify her identity.
How do you keep your virtual name from being used to perpetrate a scam? We all know we're supposed to make our passwords cryptic and never divulge them to anyone. But that's tough, and unfortunately some of the crutches we use to help ourselves remember our passwords can get us in trouble. As tempting as it is, don't keep passwords stored in your wallet, purse, or PDA. And be careful about using the password-hint option at Web sites--try to ensure that the hint doesn't make it easy for anyone who knows you to guess your password. Sites often suggest using your mother's maiden name or your favorite pet's name as a hint. That's lousy advice, since both pieces of information are easy to come by--especially for an acquaintance. Better are the sites that e-mail your password to you--rather than revealing it online--if you answer the hint question correctly.
If you frequent chat rooms, chat under a name that is separate from your e-mail address or main AOL screen name. In fact, you should consider setting up separate e-mail accounts--or AOL screen names--for use when shopping, signing up for newsletters, and visiting other sites that require registration. That way, you keep your main e-mail account for the mail you want and abandon any auxiliary account that's compromised.
If someone employs your e-mail user name to spam people or to commit fraud, notify your ISP's abuse department immediately. Attach the offending e-mail, including all message headers.
Internet dangers can go beyond impugning your reputation: Some Web fraudsters now go directly for victims' pocketbooks with increasingly sophisticated tactics. EBay users have been hit particularly hard by these scams, which usually involve a thief sending an official-looking e-mail that purports to come from EBay. The e-mail asks the recipients to update their personal information--including name, password, credit card number, and even social security and driver's license numbers--and provides a link to a site that looks amazingly like the real EBay, right down to the color logo, copyright information, and TrustE seal. This scam isn't new, but now it may be more likely to succeed because many of the counterfeit sites look so realistic.
Last December, some EBay users were lured to a Web site called Ebayupdates.com. Before that, members were pulled into a scam at Change-ebay.com.
Many large online businesses have had their own problems with scammers. Last October, for example, some Yahoo Inc. subscribers received a phony request for their credit card information, although few fell for the hoax. Yahoo promptly notified its subscribers of the scam and warned them not to divulge their personal information in response to any e-mail query.
Similarly, a grammatically challenged thief sent an e-mail message asking for account information from PayPal users last fall. It was closely followed by a second, slightly more convincing message that cited system problems and lost data as the reason for the request. The thief provided a link to a copycat PayPal page and included an offer for two free cash transfers, and some users were duped.
The best way to protect yourself from these scams is to be suspicious of all requests for "updated" information. If a company already has your information, don't give it out again without confirming the validity of the request, especially if the e-mail message includes a link allegedly to the company's Web site. Few, if any, companies will ever send you e-mail asking for sensitive information. If you do get such a request--especially if it's poorly written or contains spelling errors--pick up the phone and call the company directly. Or you can type in the site's URL yourself and navigate to your account information to make sure it's correct.
Don't trust the links in an e-mail to send you where they claim they will. For instance, the linked text of the e-mail may read www.ebay.com, but the site the link sends you to may be www.iscamu.com. Always carefully look at the address in your browser's address bar.
If you suspect that your financial data is at risk, notify your bank, credit card companies, and the major credit bureaus--Equifax.com, Experian.com, and TransUnion--as well as local law enforcement. And if you've been caught in a scam directed at users of a particular service, such as EBay, contact officials at the company as well, so that they can warn other users.
Unfortunately, these types of crimes can victimize anyone who uses the Internet. Keep your personal data private and your good judgment at hand.