I’m looking at a letter from a company called “ILSCORP.NET”. It is in reference to another domain name that Webmail.us owns. The notice date is February 15th, 2005. I have a customer number of CD474454XX.
“Please make checks payable to Internet Listing Service Corp. Please write your customer number on the front of your check Enclose check in the addressed envelope provided DO NOT SEND CASH”
Pretty serious stuff here, it goes on:
“To ensure listing by Feb 28, 2005, please remit payment on or before Feb 22, 2005 All listings are final”
Well, I’d better get right on this! But then there’s the text on the back that says, “This is not a bill. This is a solicitation. You are under no obligation to pay the amount stated above unless you accept this offer.”
It’s too bad that the rest of the document makes it look like we owe someone money to continue a service that we already had.
It’s always in the fine print
OK, the print is pretty legible, but it is clearly a font size or two down from the rest of the doc. And it’s on the back page when the front page already looks like a complete document.
The art of deception
There are a few subtle but convincing touches that scams such as this use to close deals and make money.
-- They use real information about you or your company --
In this case, they used our domain name. If you own a domain name then the billing address for your company and the names of contacts at your company are available through a standard Internet service known as WHOIS. Using this information allows them to customize their attack.
-- They create the impression that you are already a customer --
The customer number at the top of the “bill” seems legit. If I have a customer number, maybe I really did send these people money before.
The solicitation itself appears to be a bill. It has 3 major sections: “How to make payment:”, “Website address listing includes:”, and “Payment information:”. It shows me how much to pay and where to send my check—but, “Do not send cash”.
-- They create a sense of urgency --
Because “All listings are final”, I need to hurry and send them a check. They give me a due date of Feb 22. This sense of urgency might get me to respond before I look things over carefully.
-- Online risks --
It seems that being a domain name owner makes you a target for this and related scams. Having your WHOIS information freely available to the entire world is a double-edged sword.
And the more we all do business online, the harder it is to remember the names of businesses we use on an infrequent basis. It’s easy to make a mistake.
Other common scams to watch out for
Domain name slamming: you get an email or a letter telling you that your domain name will expire soon. The letter explains that in order to protect your domain name a check needs to be sent to company XYZ who can keep your domain name safe. The problem is that the letter doesn’t come from the company you used to register your domain.
Phishing: you get an email asking you to go to your bank or online retail store in order to update your contact information or to check on an order. The only problem is, that the links provided in the email don’t go to Amazon.com or whatever site you intended to visit. Instead, you end up at a site that closely mimics the real site and you might mistakenly hand over a username and password or perhaps even credit card information.
Nigerian email scam: this is an absolute classic. Read about it on Snopes.com. If you’ll front some money to a wealthy but helpless stranger, they’ll send you millions.
How to protect yourself
Keep good records! Knowing whether or not something is legit can be as easy as walking to a file cabinet and looking for a name that matches the letter or email you have received. Congress, with the Sarbanes-Oxley Act, is encouraging (enforcing?) record-keeping policies for businesses in the United States.
Pick up the phone and make a call. Or send an email. ILSCorp's letter to me and their website are both lacking a phone number-- a red flag in itself. Their website says I may have to wait up to 2 days for a response to the email I sent them this morning asking about their service and my domain name. I'll let you know when they get back with me. ;)
Email scams can generally be caught by good anti-spam filters. Yes, like the ones we use for our customers. But I don’t know a good way to filter snail mail except through a little extra time and attention to detail.
And, as always: if it seems too good to be true, it probably is.