Finjan, an internet security firm, has discovered a new Trojan horse virus that steals money from your account. Your typical phishing or virus will steal your login credentials and send it to a thief, who either sells it or empties your account. This new virus, called URLZone, will steal your credentials but also steal money from your account, all the while displaying a fake balance when you login. How much it steals depends on your much is available, it only steals enough not to trigger a bank’s fraud detection systems.

At the moment, URLZone can only infect Windows systems using Firefox, Internet Explorer 6, 7 & 8, or Opera web browsers. Computers are infected when you open an e-mail, click on a website distributing malware, or visit an infected website using one of those browsers. When you visit a targeted bank, and it’s thus far been limited to German banks, the trojan transfers money without you even knowing.

This is the first Trojan Finjan has come across that hijacks a victim’s browser session, steals the money while the victim is doing online banking, and then covers its tracks by modifying information displayed to the victim, all in real time, Ben-Itzhak [chief technology officer at Finjan] said.

This is scary.

Banking Trojan steals money from under your nose [CNet News]

(Photo: hendricksphotos)

The Federal Trade Commission (FTC) recently sent me some information about some popular charity frauds going around lately.

I personally never respond to a solicitation. It could’ve come in the mail, through a phone call, or an email; I ignore them all. It’s not because I’m a heartless person and it’s not because I don’t trust the solicitation, it’s that I prefer to go directly to the charity. I don’t want to write a personal check and put it in the mail. I don’t want to give any sensitive information across the phone and I certainly don’t trust email, with all the scams and phishing attempts surrounding those. I know the charities we like to support and we generally go directly to their websites to donate.

However, given the tumble the stock market had over the last year, a lot of charities are turning to solicitations to get more donations because their trusts and endowments are hurting. This has opened up an opportunity for scammers and thieves, so the FTC has offered up some good information to help you combat that.

If you recently received a phone call from a “charity” and are considering donating money, I recommend you read the FTC’s Charity Fraud website for tips on how you can protect yourself and the people you’re helping. When you give money to a scammer, it only empowers them to keep on ripping people off. As more people get burned, they start avoiding charities and charities that support the people the scammer said he or she was collecting for. In the end, it’s the people you intended to help that get hurt the most.

I also wanted to spotlight two particularly poignant scams going on right now and how to protect them. The first involves scammers pretending to collect donations to support the troops, as in vets, active duty, or their families. The second is the result of an enforcement sweep of scammers that pretended to collect donations for police, firefighters, and veterans.

It’s great to help those who are in need, but not if the money is going into the pocket of a scammer.

If you haven’t read the news lately, you should because one of the biggest scams of all time was uncovered in what could see the term Ponzi scheme renamed the Madoff scheme. Bernard L. Madoff was once the head of the Nasdaq (yes, the head of the Nasdaq) and started his own investment firm, Bernard L. Madoff Investment Securities. Over the course of decades, Madoff took investor’s money, lived the high life, and soon lost it all when investors started pulling out their money when the market went south this year. In classic Ponzi scheme fashion, once the money starts leaving, the scheme is discovered.

Some of the individual ensnared include J. Ezra Merkin, chaiman of GMAC; Fred Wilpon, principal owner of the New York Mets (miss the playoffs badly two years in a row and discover your money’s been lost due to fraud? That’s a rough run…); and Norman Braman, former owner of the Philadelphia Eagles. In total, it’s an estimated $50 billion in losses and some people don’t even know they’ve lost money because various funds invested with Madoff. For example, Merkin founded several hedge funds and one, Ascot Partners, had all of its $1.8 billion invested with Madoff.

Until his recent foray into Ponzi, Madoff was a well-respected member of the investment community. He was credited as being a pioneer in market-making, which is the act of being the middle man between buyers and sellers of stocks. It was that work that led him to become the chairman of the Nasdaq, bringing in a tremendous amount of business. However in the 1990s, he used that success to launch the asset management firm that, sometime in 2005, would turn into the largest Ponzi scheme ever.

Despite his gains, a growing number of investors began asking Madoff for their money back. In the first week of December, according to the SEC suit, Madoff told a senior executive that there had been requests from clients for $7 billion in redemptions. On Wednesday, Madoff met with his two sons to tell them the advisory business was a fraud — “a giant Ponzi scheme,” he reportedly told them — and was nearly bankrupt. The sons reportedly contacted their lawyer, who then alerted federal authorities to the fraud. Before being caught, Madoff was working on a scheme to dole out his funds’ remaining $300 million to the firm’s employees and his family members.

It’s an absolutely stunning story. How are you supposed to protect against that?

(Photo: AP)

Last week, I linked to a video about how someone had multiple shots at a six digit payday on a game show and lost it all because they were staring at a potential seven digit payday. Greed is a sick sick animal.

Today, we have a story, courtesy of the Consumerist, about a woman who got taken for $400,000 by Nigerian email scammers. Yep, that actually happens. It’s a sad story about an unfortunate thing to have happened to an otherwise good person but we should all learn some very important lessons from this (you can just as easily lose that money to the stock market!).

If It’s Too Good To Be True…

There’s a reason why this saying exists… human civilization has been around for thousands of years and seen its fair share of scams. From the time of cavemen when a lion looked like it was dead (and wasn’t) to magical male enhancement and weight loss green tea products, scams are everywhere and we’ve become very good at detecting the scam. Even in that story, while she blew past her own BS detectors, her friends and family kept warning her and she ignored them as well.

The lesson is that if it’s too good to be true, ask three friends that you believe are savvier and smarter than you whether they think its a scam. Then ask three strangers. When they all say – “that’s a scam!” you either believe them, or you get taken.

Never Send Money Abroad

Unless it’s to a relative you knew before they emailed you out of the blue because they were sick or dying or needed some cash to collect a multi-million dollar payday… don’t send cash. Don’t buy stuff from an international seller unless its with a credit card. Money orders and transfers are not protected. Once that money order leaves your possession, it’s gone.

Don’t Let Yourself Get In Too Deep

The first few hundred you throw after a bad thing can be chalked up to stupidity, the next three hundred and ninety nine thousand is the fault of stubbornness and pride. After a certain point, you try to prove to yourself that you aren’t stupid and that you aren’t an easy mark by throwing away more money on the off chance it isn’t a scam. You have to recognize when you’re being smart and sticking to your guns and when you’re simply being stupid and stubborn.

It’s unfortunate she got taken for so much but life often isn’t fair.

The other day my friends, my wife (who is also friend but unless I give her a shout out I get shouted at), went to the 16th Annual Safeway BBQ Battle (official site) down in Washington D.C. and had a marvelous time. The annual event is a ton of fun, only $10, and part of the proceeds goes to benefit the Boys & Girls Clubs of Greater Washington’s Metropolitan Police Club Houses – so it’s a win-win-win. Besides gorging ourselves on free samples and celebrity chef demonstration food, one of the interesting things I saw was a table giving away a $500 Target gift card. I wish we had taken a picture since the sign was distinctly unprofessional and the table was even less so.

If you’ve ever gone to a mall and seen the tiny stands announcing a sweepstakes giveaway of a car or incredible vacation, then you’d recognize the tell-tale cardboard boxes with the pictures of the vacation or car. Instead of a picture of a fancy new Prius or a beach in Aruba, picture a Target gift card with a big $500 on it. That’s what the table consisted of, about a dozen of these with plenty of people signing up.

Despite the convincing sign, I bet there there is a 0% chance (ok ok, maybe a 0.0001% chance) that you’d win a $500 gift card to Target if you entered. Many of those sweepstakes contests are affordable techniques to capture your name, phone number, and address for a mailing list. The surprisingly thing is that they often tell you right on the box (they are required to). By entering, you are subscribing to the XYZ Product/Timeshare Mailing list and allow XYZ Product/Timeshare to contact you even if you are the Do Not Call list.

The chances of you winning that cardboard box giveaway: 0%.
The chances of you receiving annoying phone calls during dinner offering a fantastic timeshare vacation offer or test trial of some crazy new product: 100%.

There Ain’t No Such Thing As A Free Lunch.

A reader recently sent an email asking about a program United First Financial runs called a Money Merge Account and whether it was legitimate. United First Financial promises that the program, which costs $3500, would have you pay off the mortgage in one-third to one-half the time it normally would take. Knowing nothing about money merge accounts and knowing a little bit more about simple math, I smelled a fat $3500 scam brewing. The only scenario in which I could see $3500 cutting your mortgage in half is if you had a $7000 mortgage. But, setting my mental scam alerts aside, I did some more research about the plan.

Apparently it’s a fancy name for an accelerated mortgage repayment scheme. The first step in the money merge account is to take out a second mortgage on your home, a home equity line of credit. Then, what you do pay your entire paycheck towards the first mortgage and withdraw money from the HELOC to cover your expenses. You save a little money because the interest on a HELOC is calculated based on average daily balance rather than the final monthly balance. This lets you pay off more of the mortgage at the beginning of the month and then be charged less interest on the HELOC. (this assumes the same interest rate, which is a big flaw)

However, the plan also has a lot of other assumptions and flaws.

1. It assumes that your HELOC interest rate will be the same as your first mortgage interest rate – very unlikely. The bigger the HELOC rate, the less you save on that difference.
2. It assumes a single monthly paycheck so it’s a plan that loses some of its power if you are paid irregularly or every two weeks.
3. One big flaw is that there is never discussion of HELOC fees. I’ve never opened a HELOC but I imagine it’s not free.
4. This plan requires that you don’t save at all for anything else. Since your entire paycheck goes towards the mortgage and you withdraw expenses, it penalizes you drawing on the HELOC for non-essentials. Why pay $100 towards a 6-7% mortgage and then borrow $100 from a 10% HELOC?
5. Finally, as if all those weren’t enough, you have to pay $3,500 for a program to help you do this!?

In researching this article I researched a lot of sites and they were nearly unanimous in their opinion that these types of programs are not worth the money (not surprisingly). They’re not scams in the sense that you pay your $3500 and they disappear into the night but it’s something you can do yourself.

This begs the question, should you use it to force discipline? I could justify paying $100 to enforce discipline because it can save you quite a bit in the long run, if you can overcome the failings, but $3500 is ridiculous. If you have $3500 and you want to pay off your mortgage sooner, send a $3500 check to your mortgage company. (if you want a legitimate and easy way to pay off a mortgage faster, consider making mortgage payments every two weeks)

The other day my fiancée received a letter from the Insurance Program Management office of Marsh Affinity Group Services, a service of Seabury & Smith, out of West Des Moines, IA. According to the letter, written by an Associate Benefit Specialist, Marsh had not received my fiancée’s premium payment for her AICHE-sponsored life insurance plan and her coverage was about to lapse. This letter would’ve been great… if my fiancée had AICHE-sponsored life insurance!

If I didn’t know better, or if she didn’t know better, she likely would’ve called the toll free number in the letter and asked to speak with Samuel Batterson to renew her life insurance policy if she was too busy to recall she didn’t actually have a policy with them. Is this a new style of fishing for clients or just a new style to us? I had seen this type of letter before in which webmasters were sent letters that looked like bills from Domain Registry of America in a scam to get them more business, but I’ve never seen it outside of that instance.

With so many different policies in our real lives, it’s easy to get confused as to which company holds which policy so it’s not entirely impossible for someone to get tricked by this. So, the lesson of the day is to be wary of these types of letters and do your homework. While it’s very likely my fiancée had some sort of AICHE policy while she was at school (and a member of AICHE), that’s a few years back so the coverage probably lapsed long ago anyway. Either way, when you get one of these just double check everything before calling (or sending a check!).

Wasn’t it great whenever you pulled up that yellow Community Chest card in Monopoly that awarded you with $200? In real life, that almost never happens and usually, in the event of an error, it’s always not in your favor. So what do you do? In most cases, you want to call your bank and make sure you have all the pertinent information so that they can resolve it as quickly as possible. In some cases, you’ll want to contact other agencies because fraud could be involved.

ATM Withdrawal or Deposit Discrepancies

First tip: Never deposit cash via an ATM. I never deposit cash in an ATM because if the envelope is lost, which is rarely is but definitely possible, there is absolutely no proof that I put cash into an envelope. With checks, at the very least you can ask the issuer to put out a stop payment and re-issue the check. In the event of a large check deposit into an ATM, I always take the ATM receipt because it identifies the time and ATM I used (the amount deposited is useless from the bank’s perspective because you entered it).

On withdrawals, if you request $100 and get only $20, your account will still be debited $100 unless you contact the bank. They can usually resolve the register and figure out where the mistake was and properly debit your account.

Automatic Debits You Didn’t Authorize

With the advent of Check 21 and the fact that banks don’t even need to send the paper checks around anymore, more and more check transactions are merely automatic debits and credits after some paper processing. At many banks, they just scan the front and back of the check and then process the electronic information, shredding the checks afterwards. As we all know, the OCR (optical character recognition) is pretty good but not 100% accurate, so what happens if there is a mis-read? This is the same procedure you should follow if you’ve fallen victim to an automatic debit scam, call your bank and notify them of the mistake. Usually they can trace back into their records, locate the check, and fix the error without incident. If you’ve been scammed, in addition to calling your bank, call your state’s attorney general as they will investigate and go after the scammer.

Didn’t it seem like the day after you applied for and was approved for your first credit card that the credit card companies keep jamming more credit card offers down your throat? Well, the reason why it seemed that way is because once you got that first card, you joined a very exclusive fraternity of credit worthy borrowers and now every Tom, Dick and Harry credit card company wants to give you a special promotion rate or special balance transfer or special cashback reward program – and you’re probably sick of it. I know I was and when I got my first credit card in college, about 8 years ago, OptOutPrescreen didn’t exist. Back then, we had to resort to techniques like writing “return to sender” or packing ripped up catalogs into those postage-paid response envelopes, which, if they didn’t work, certainly were a lot of fun. Now, you can just go to OptOutPrescreen and stop all those credit card offers from coming in the first place.

Why should you stop the mailings? Well, first off you lower the number of opportunities you give identity thieves to pilfer your good name. You’re in this exclusive fraternity now, don’t let it go to waste! Whether or not someone actually will steal your mail, apply for a card, and then intercept it again is not very probable, why introduce the risk when you don’t need to?

Second, you reduce the amount of paper waste that’s generated for no good reason. Considering response rates for direct mail is in the single digit percentages, that’s a lot of envelopes, letters, fake plastic cards, and shipping for absolutely nothing. Do your part for both the environment and your sanity by stopping the mailings!

You would think that most people know that payday loans are ripoffs and the ones you use them are either in dire financial straits or think they’re in dire financial straits but as it turns out, a lot of folks don’t realize refund anticipation loans are ripoffs too because they usually are offered by reputable companies like Jackson Hewitt, H&R Block, and other big tax preparer names and not Fast Cash, Check Cashing R Us, or other seedily named joints. However, if you ever look at the fine print, you’ll see fees and interest rates that would make a check cashing shop blush. And an even scarier tactic nowadays is that a lot of these preparation houses don’t even need a W-2, they’re offering paystub loans and you only need to bring in your December paystub in order to apply for these loans.

(Click to continue reading…)