Saturday, January 26, 2008

Non-Phishing Problems

Stage 1: the Internet is this nice new place where people communicate.

Stage 2: the Internet is this nasty place where people get caught by scammers, spammers, phishers, and other assorted kinds of crooks.

Stage 3: the Internet starts looking like the real world -- there are nice people as well as scam artists, you need to be careful when deciding whom to trust. Helloooo... welcome to the real world!

But that's not the end of the story. Over the last couple of weeks, to my surprise, I discovered...

Stage 4: everyone has become so distrustful that sometimes you get a legitimate message and your first reaction is to dismiss it as a scam, potentially with unpleasant consequences!

Here are the two examples I experienced recently.

The first one has to do with Paypal, the online bank (to simplify its description). I am the Treasurer of a non-profit association, so I maintain a Paypal account for us, so we can more easily accept payments from our members instead of doing everything through checks. About two weeks ago, I get an e-mail that says that I need to provide proof of our non-profit status, otherwise our account might be "limited." Well, you've all gotten all these bank-related phishing scams before, so guess what? I trashed the message. There are a couple of things that seemed legitimate: the message was addressed to me by name, and we do have a Paypal account after all. But the message was signed "Mike, Paypal Compliance Department" -- no last name. And I was asked to send information to a phone number, therefore presumably a fax but it didn't even say so. And that number was in the 402 area code, which I didn't recognize. I know Paypal has offices in San Jose, because a good friend of mine works there, so I would have expected 408, not 402. Anyway, there were enough conflicting signs that I felt very confident that this was a phishing scam.

Last week, just a day before leaving for a ski trip organized by our association (and for which we had asked people to pay us through Paypal, precisely), I got a second message, worded like the first one, except it said that since I had not responded to the first one, our account had had its access "limited," and we needed to provide the requested information to restore full access. My first reaction was, as you may have guessed: "here they go again, been there, done that, go to trash, go directly to trash, do not pass Go." After trashing the message, I thought, "well, it doesn't hurt to check where I am with the account" -- especially since we were expecting a couple of late registrations for the ski trip, and seeing an incoming payment would be a good way to check on that. I log in to Paypal and, you guessed it, our account was "limited" -- we couldn't receive or withdraw money any longer -- because of the lack of verification of our status.

I got rather annoyed and flustered, but I kept my calm as I called Paypal (four times before I could actually get an answer) and discussed this with them. The poor woman who answered the phone really had no clue, and didn't seem like she really cared to escalate my issue with how misleading the message had been. But it was quickly apparent that the only solution was to comply with the request. I was just nervous because they were asking for documentation of our tax-exempt status, and since we are a chapter of an association which is part of a university, I was envisioning all sorts of complications in (a) getting a copy of the university's 503(c) tax status certification by the IRS, and (b) satisfying Paypal that this double indirection still qualified us as non-profit. But in fact, these fears were ill founded: it only took about 48 hours for Paypal to acknowledge my statements, which I sent both by e-mail and by fax, for good measure, and to restore full access to the account.

The lesson from the story is that sometimes a phishing-like message isn't one, and when it's ambiguous enough (you are doing business with that institution, and they call you by your correct name), then you need to investigate. Of course, you need to be careful: in my case, I looked up the Paypal customer service number on the Web, and I called that number.

Example 2 concerns a letter I received this week at home. It was from "U.S. Claims Services," an official-sounding company that said that they were looking for a Claude Baudoin who had once lived, or might still be living, at a certain address in Houston, which did turn out to be my previous Houston address (2000-2002). It also listed the correct last four digits of my social security number. The letter went on to state that they had found that there were leftover funds in a certain amount (not a negligible one -- between one and two thousand dollars) in my name, coming from some insurance company I don't remember having ever dealt with, deposited with the state government, and that they could help me claim that amount if I sent them a check for $75 and some cents.

So, guess what? My first reaction was, "this has to be a scam. If I am gullible enough to send them the money, I'll never hear from them again." I went to their Web site, and it actually looked reasonably professional, well written (contrary to the usual "Nigerian" scams), had an FAQ page, listed registration numbers in California and Florida, had an 800 number, the name of the owner, etc. I then went on Google and searched for them. There were quite a few forums where people had asked the question, "I just got a letter from U.S. Claims Services, do you think it is legit?" Almost invariably, people were answering "be careful, this must be a scam." But what started looking a little strange to me is that no one was actually stating as a fact that it was a scam; they were just asserting that it must be one, clearly based on the same sort of cautionary attitude that I myself had. A number of the answers said "you shouldn't have to pay anyone to recover money that is rightfully yours," and pointed out that the writer's state had a Web site to check on unclaimed tax refunds, etc.

My next step was therefore to Google "texas unclaimed property" (the idea of using the word "property" came from the language used by some people who formulated the type of answer I just described), which led me to the Web site of the Texas State Comptroller. The "unclaimed property" page offered me a very simple search form (last and first name and city) and, lo and behold, the search found exactly the same information listed in the letter from U.S. Claims Services: same amount, same year, same insurance company name! And then, it asked me to fill in some additional information, including my current address, and obligingly created for me a prefilled PDF claim form, with the instructions on what documentation to attach, and where to send it!

I find the situation quite intriguing in several respects. First, this smelled like a scam, but it wasn't. The existence of this unclaimed money is real. These people are offering to get it for me for a price which is less than half of a percent of the amount I can recover. That's not a scam, that's a business proposition! Secondly, I can actually go ahead and recover the money myself, quite legally, without using them -- the state of Texas has made it super-easy -- but I wouldn't have done it if they hadn't written to me. So while I am very happy not to spend $75, I almost feel funny because I owe them the fact that I am (presumably) going to receive a nice check in the mail in a few weeks. If everyone knew about the state's unclaimed property Web site, then U.S. Claims Services would have zero revenue and would go under. So people like me depend on the fact that some other people will pay that company to do the work for them. And what is the "work" in question, for which they get $75? Well, I assume that all they would have done if I had paid them would be to print the form from the state and send it to me with instructions on what identification and past proof of residence to attach, and where to send all this -- bringing me exactly to the same point I am now. Sounds like a lot of money for just printing and mailing a claim form, doesn't it? On the other hand, it sounds like a pretty small fee for making me discover more than a thousand dollars I was blithely letting the state keep. See, it's not as simple as it seems.

Back to the initial point: twice since the year started, I thought that I was being scammed, and almost hurt myself in the process. Upon further examination, the alerts were legitimate, and careful verification allowed me to get the right outcome. If I hadn't double-checked, my club's Paypal account would have been locked longer, potentially missing contributions or causing other trouble for us, and I would have missed a personal refund for a significant amount.

Now we need to add to "careful, it may be a scam" the reverse concern: "careful, it might not be a scam." Sigh... life on the 'net ain't simple, is it?
