2006 Scam Response Report

2006 SCAM RESPONSE REPORT
Conducted and evaluated by the Identity Theft Resource Center™
Released and copyrighted June 2006

Funding provided by a grant from the California Consumer Protection Foundation

Despite consumer advocate and media's best efforts, consumers still respond to scams.  The list seems endless - lottery offerings, the Nigerian scam (poor widow asking to transfer money), and phishing or account verification emails are just a few.

CCPF granted money this year to The Identity Theft Resource Center (ITRC) to study this issue. The program was divided into three parts:

• To examine at least 10 business websites and analyze their efforts to assist consumers in recognizing scam emails, especially those that involved that company.
• To survey people throughout the nation to find out why they did or did not respond to a scam email. That included survey takers who would either call individuals or do this in person at a designated venue (ie. Supermarket)
• With this information, to evaluate the educational materials used by business and consumer groups and see if changes needed to be made in helping consumers to avoid scam emails.

This report summarizes the ITRC activities, results of the surveys taken and adds suggestions to improve communication with businesses and consumers. This study was not meant to be comprehensive or all-inclusive but rather a sampling of what consumers are experiencing today. This first part of this report will not highlight a specific company but rather discuss the trends in general.

Part One: The Business Website Survey

ITRC chose nineteen websites[1] which included 7 financial, 2 job search, 5 retail/service related, 5 Internet companies. The purpose was to search for consumer alerts, in terms of ease of access, amount of information provided, readability of information and ability to report frauds or scams.

Identical questions were asked about all sites with most of the questions answered on a 1-5 rating scale.

Demographics: The respondent pool were all trained ITRC volunteers from around the country and covered an age range of 18-70+, with the largest group in their 30’s and 40’s. The majority of people had at least a Bachelor’s degree or higher. All had completed high school. In terms of “competence in Internet surfing, 14% felt they were beginners, 14% ranked themselves as fair, and 72% professed to be better than most or excellent.

Questions:

How long did it take to find a link to the scam alert from the time the Home page fully downloaded?

Respondents found the link in less than 3 minutes for 9 of the 19 companies, with 65% of the survey takers used as a guide. Only three companies were found in less than 1 minute (80%, 67%, and 67%). Nine companies took more than five minutes or were never found. Given the desire to find information quickly, it is unlikely that most people would have searched a site for 5 or more minutes.

One common factor we found was the reliance on “help,” site maps, privacy or security sections, or search engines, especially among those more proficient in Internet searches. Only 2 companies consistently came out high scorers in terms of ease of use from the Home Page.

The respondents also timed how fast they could find any consumer information related to scams. One common factor we found was the reliance on site maps or search engines, especially among those more proficient in Internet searches.

Common comments were:

• Not available
• Must scroll down and find “security support”
• Had to scroll to More Services
• Had to scroll to Computer Support
• Hidden in Help
• No search engine

Question: Did you easily find a link to a scam alert warning on the Home page?

Five companies ranked higher than 67% in ease, nine companies had proportionally high “no” answers with five companies ranked higher than 80% of the respondents or more. Five companies also had mixed reviews. The most frequent sites used was “Security,” “Search Engine” or “Site Map.”

Question: If the direction to the alert was not on the Home page, how many places did you look before you found the scam warning?

By this question, patterns were beginning to emerge. It was clear that those companies who did poorly on the other questions also did poorly on this question. Almost all respondents seemed to give up after searching more than 4 places. In only eight sites did the surveyists find an answer within 2 locations. (based on a 70% rating).

Almost all concluded that they had to go through an unrelated section to find a scam alert page.

Question: Rate the scam alert warning- did it have adequate information for the average reader to avoid falling for a scam?

Seven companies ranked fair to good (70% of respondents polled). The remaining 12 companies were ranked as too short, too long and therefore discouraged reading or too technical.

The respondents were also asked to look at the site and to judge what was most valuable on the site in terms of information. This question included definition of a scam email, a statement that they don’t ask to verify information via emails, General prevention tips, warning about sharing information, a place to send an inquiry or a fraud complaint, examples of scams and any definitions of technical words.

This question did not have a clear cut answer. ITRC can only assume that each individual felt that something was being provided that they could use and may be looking for different information about scams.

Question: Did the site try to sell you an additional service?

Four companies were found selling credit monitoring or other retail products that could be related to identity theft.

Final question: Grade the site (A- excellent, B- good, C- average and needs improvement, D- barely passing, F- Fail)

Again using 70% as a marker- only five companies received and A or B grade. Using a 60% marker- 7 companies received a D or Fail. Other than the few companies that received high marks, the respondents appeared disappointed in their opinions of the website information as a whole and its ability to warn consumers.

Part 2: The Consumer Survey

Methodology: Consumers were both survey via email and in-person. They were asked a series of questions and divided into two groups- those who had never answered a scam email and those who did. The in-person survey also tested for knowledge of “what is a phishing scam?”

Results: Emailed survey- those who did NOT respond to a scam email

The first target group, were those individuals that did not respond to a fraudulent email solicitation. The following eleven questions were sent to 178 individuals that fit this category. Of the 178 we received 22 complete survey responses. Respondents represented a wide geographic area. Based on the answers, it is clear that current information available stopped these people from responding to scam emails. ITRC also polled its volunteers as to the amount of span/scam email they receive. Most report that spam blockers have prevented 50-90% of scam emails from getting through which might be a contributing factor.

Question 1. The logo on the email looked legitimate but you were wary of the email?

• 15% Not at all important
• 0% Low importance
• 15% Medium importance
• 10% Mid-high importance
• 60% Very important

Question 2. The email did not direct you to a legitimate website or a website that appeared legitimate?

• 36% Not at all important
• 7% Low importance
• 7% Medium importance
• 14% Mid-high importance
• 36% Very important

Question 3. Even though there was a threat that your account would be suspended, you knew that companies did not communicate this way?

• 5% Not at all important
• 0% Low importance
• 11% Medium importance
• 11% Mid-high importance
• 74% Very important

Question 4. The site did not look secure?

• 41% Not at all important
• 0% Low importance
• 12% Medium importance
• 12% Mid-high importance
• 35% Very important

Question 5. You recognized that this was a fraudulent letter (i.e. that you won a lottery or were helping a needy person)?

• 11% Not at all important
• 0% Low importance
• 0% Medium importance
• 5% Mid-high importance
• 84% Very important

Question 6. You heard about internet scams and thought this seemed like a scam?

• 5% Not at all important
• 0% Low importance
• 0% Medium importance
• 0% Mid-high importance
• 95% Very important

Question 7. Other: If any of the above does not fit, please tell us what about the email made you not respond?

The fact that they were asking for personal information

It was one of those letters from Africa where I had a dead relative who left me lots of money, I was the nearest kin, they'D get a Percentage of whatever I claimed.....these are sooooo annoying....

I don't recall whether the email was actually a suspension notice, but it was something financial asking for verification of my account.

The above sort of fits in some cases. Basically, any web site asking me to update my accounting, telling me my account could be suspended if I don't do something, is something for free, or asks me for personal information, I'm extremely suspicious and forward them to the spoof, plishing, and abuse department of company they are trying to emulate, if applicable, then delete the message. In other words, if for example I receive an email that looks like it is from ebay, chase, or paypal, I always assume scam and report it to that company and then delete the message.

Question 8. Did the email come from a company that you had an account with?

• 27% Yes
• 73% No

Question 9. On a scale of 1 to 5, where 1 is not knowledgeable and 5 is very knowledgeable, how skilled are you with the internet?

• 0% Not at all knowledgeable
• 0% A little knowledgeable
• 20% Medium Knowledgeable
• 50% Knowledgeable
• 30% Very Knowledgeable

Question 10. What is your gender?

• 45% Male
• 55% Female

Results: Those who DID answer a Scam email

The second target group, were those individuals that did respond to a fraudulent email solicitation. The following twelve questions were sent to 36 individuals that fit this category. Of the 36 we received 6 complete survey responses, each from a different state.

Question 1. The logo on the email looked legitimate?

• 0% Not at all important
• 0% Low importance
• 17 % Medium importance
• 0% Mid-high importance
• 83% Very important

Question 2. The email directed you to a legitimate website or a website that appeared legitimate?

• 0% Not at all important
• 0% Low importance
• 0% Medium importance
• 0% Mid-high importance
• 100% Very important

Question 3. There was a threat that your account would be suspended?

• 17% Not at all important
• 17% Low importance
• 0% Medium importance
• 17% Mid-high importance
• 50% Very important

Question 4. You believed the email was truthful (i.e. that you won a lottery or were helping a needy person)?

• 17% Not at all important
• 17% Low importance
• 17% Medium importance
• 0% Mid-high importance
• 50% Very important

Question 5. The promise of site security?

• 33% Not at all important
• 17% Low importance
• 0% Medium importance
• 0% Mid-high importance
• 50% Very important

Question 6. You heard about internet scams but did not believe this fit what was described?

• 0% Not at all important
• 0% Low importance
• 17% Medium importance
• 33% Mid-high importance
• 50% Very important

Question 7. You had read about scams before but never truly understood what was being said about them?

• 40% Not at all important
• 20% Low importance
• 20% Medium importance
• 20% Mid-high importance
• 0% Very important

Question 8. Other: If any of the above does not fit, please tell us what about the email made you not respond?

The email said that an address had been added to my paypal account in which i had never heard of before. I wanted to go into my account and get rid of this but before i could go to it i had to very my information. Knowing this seemed suspicious and realizing that i did not see the security "lock" icon at the bottom, for some reason I put in my information anyway. I immediately regretted this decision when I hit the sumit info button and it took me to the paypal website and I saw nothing wrong with the address.

Time pressure in life and work carried over. Did not take the time to think through what I was doing, or to study the situation-PayPal payment that I did not authorize involving an amount of around $400. Feeling I was doing the right thing to protect myself.

I generally access the account from my office. The day before I received the email, I had accessed the account from home, which I hadn't done before. The scam email began with "...someone had used your account from different locations ..." Therefore, since I had accessed the account from a different location, I thought that it was for real. Now I just believe it was coincidence with timing.

Question 9. Did the email come from a company that you had an account with?

• 83% Yes
• 17% No

Question 10. On a scale of 1 to 5, where 1 is not knowledgeable and 5 is very knowledgeable, how skilled are you with the internet?

• 0% Not at all knowledgeable
• 0% A little knowledgeable
• 2% Medium Knowledgeable
• 40% Knowledgeable
• 20% Very Knowledgeable

Question 11. What is your gender?

• 50% Male
• 50% Female

Part Two: In-person Surveys

Four people were tasked with the duty of asking people, in person, if they had ever answered what they thought might be a scam email and also what a phishing email was. In total 309 people responded.

Of that group 294 had never answered a scam email.

However, 15 people had answered what they believed was a scam email.

The reasons reflected the information gathered via the email survey. Those who did answer emails thought they were legitimate or directed them to a legitimate looking website. Most believed that an account might be closed or suspended and that the email was truthful

To the question: What is a phishing email?

One of ITRC’s hypothesis was that techno-babble (use of technical terminology) played an important factor in why people might not understand media or business warnings.

These are the results of the five questions asked:

a. Email sent by virus – 5 said yes
b. Email sent by thief- 28 said yes
c. Email trying to get me to buy something- 15 said yes (the largest group was in CT)
d. I don’t know – 165 people answered in the positive representing more than 50% of the total population interviewed.
e. Other- Trying to get personal information from me – 49
f. Trying to get me to go to a website – 24

Only 77 people got the right answer.

Part Three: Recommendations from the ITRC on Educating Consumers and Companies

Consumer Education via Companies:

• Direct location information source:

The FBI has an excellent poster about scams. In San Diego a number of credit unions have posted this in all their branches AND trained all tellers about these scams. When a consumer presents a suspicious check or asks for a large sum of money (especially the elderly) the tellers make sure to point out the scam warnings and makes sure that the member is not being targeted. The combination of the poster and trained tellers has been a successful program and one that proves how companies can help educate consumers.

• Improvement of websites:

ITRC’s study of 19 websites found that most needed more direct links for consumers who want to know- “is this a scam email?” A link needs to be clearly found on a home page, especially in companies that have or could be targeted for “phishing” emails.

The second change would be in the wording of the alert. Our survey indicated that only 7 of 19 companies had information in an easy-to-read format. Examples of scam emails were appreciated. Respondents felt it was important that the wording include: “We do not send emails asking to verify Social Security numbers.”

The reading level, navigation of the scam site and length of the information also worked against companies. The companies that ranked the highest had easy to navigate sections, were in words commonly used (no techno-babble or at least define the technical term) and assumed that most readers did not have a lot of surfing skill or a high reading level. An 8^th grade reading level is used by most newspapers and books publishers.

Do not assume all readers are English speakers. Have information in Spanish or a resource for Spanish readers.

• Since many consumers are in various service locations, posters such as the ones placed in credit unions can be used. Companies can also add informational pages to monthly bills and statements.

Direct Consumer Education:

• Many states now have identity theft information somewhere in a governmental website- typically in the AG’s website or in the Department of Consumer Affairs. Again ITRC recommends a complete warning of scam emails or a resource list so that consumers can find out if an email or telephone call is legitimate.

• Do not assume all readers are English speakers. Have information in Spanish or a resource for Spanish readers.

• There is a need to create and implement an advertising campaign to educate consumers on scams including showing actual scam letters. This campaign could include PSAs, inclusion of identity theft scams on television shows, discussion on talk shows and also more direct information from the media.

ITRC’s Response:

• Redesign of our scam page for easier reference (in progress- estimated deadline August 2006- we are changing the architecture of our entire website and this will be done as part of that).

• Continuation of scam education at community fairs and at presentations including updating people on the newest scams. The in-person surveys actually turned into one-on-one educational moments. For each wrong answer we informed that consumer plus those standing around about “phishing scams.”

• ITRC already has a page on what to do if you are a scam victim. Our victim advisory center that handles phone calls and emails will be giving out more information about these scams.

• The use of media- whenever ITRC hears of and confirms a new scam it will be prominently displayed on our website.

• Distribution of this report or its information to other consumer groups and during victim assistance training sessions

• Future plans include collaborative efforts with affected companies (including those that we used for the website evaluation) and working with the Financial Crimes Investigation Association and Crime Prevention Officers Associations.