No holiday for online scammers

By BusinessWeek

Apparently the tables have turned because through his various correspondences, Santa has asked for a lot this year. He wants donations for sick kids, generosity for the less fortunate, money to send care packages to soldiers in Iraq.

But most of all Santa wants credit card numbers and bank account information.

Swept away by the spirit of giving around this time of year, the philanthropically inclined may find themselves vulnerable to e-mail scams posing as charitable requests.

This is how it works, the scammers hope: You get an e-mail, you click on the link, you donate your money, and it's gone -- not to some children's hospital but toward the bank account of a "phisher," someone who creates a replica of an existing Web page to fool people into submitting financial or personal details.

"They look for a hot button or they pick an emotional topic and play into it," says Dave Marcus, a security research and communications manager at McAffee Avert Labs. "This is just a digital version of the old-fashion scam artist."

Spreading the holiday cheer

Around the holidays, charity is big business, as people are interested in both spreading holiday cheer and boosting their tax deductions before the end of the year. And the Internet offers hackers and spammers the seeming safety of anonymity.

For example, the Red Cross is one of the most phished sites on the Web, according to Marcus, whose company provides a database of fraudulent online charities and software to detect phishers.

After Hurricane Katrina, a number of phony Red Cross sites sprang up, and the Red Cross eventually had to say outright that it does not solicit donations by e-mail.

The art of online scamming has progressed to the point where a real site and a fake one may be indistinguishable at a glance. Whereas older scam sites had strange fonts, bad grammar and a numerical IP address, today's sites can be directly copied from one Web page to another so that they look exactly the same.

This means that nonprofits have to put forth an extra effort -- and money -- to protect their brand names.

"(The proliferation of fake sites) reduces donor confidence in the sector, and the legit organizations have to work harder and harder to prove their validity," says Suzanne Coffman of GuideStar, a leading provider of nonprofit information.

A Web of deceit

The Internet has also made that easier for donors to make sure they're giving money to legitimate charities, says Douglas Mellinger, the vice chairman and founder of Foundation Source, which services private foundations by making them more accessible to philanthropists. "Not only does the Internet mean people are being solicited by spammers more but they also have more resources than ever to protect themselves right at their fingertips."

Watchdogs warn Internet users to refrain from following links in e-mails and avoid replying to e-mails that solicit donations. Even if the URL looks like a valid Web address, an alternate address may be encoded within the available link so that when you click on it you'll end up at savechildren.com instead of savethechildren.com, for example.

"Most reputable charities don't raise funds via e-mail," Coffman warns. Additionally, she says, the content of the e-mails is usually distinguishable from the holiday push from legitimate organizations.

"Every charity wants to make an emotional connection with its donors. But legitimate organizations understand the donor needs the facts. (Illegitimate) organizations will give vague information and lean very heavily on the donor to give now. That's the big red flag."

Sometimes it's safer to go to the charity than to wait for the charity to come to you. Take time to figure out what kind of causes you want to donate to and do the research to find the best organizations to carry out those missions.

Do your homework

Lists of legitimate nonprofits are available in databases such as the ones at GuideStar and Foundation Source. Once you find what you're looking for, make sure the organization is genuine.

By law, each nonprofit is required, upon request, to provide a Letter of Determination, a document that the Internal Revenue Service grants nonprofits for tax-exempt status. The only exceptions are faith-based charities that can provide a copy of the charity's listing in a religious directory instead.

If you don't have the time or energy to do your homework, there are companies set up to do it for you. Coffman's GuideStar and Mellinger's Foundation Source are just two examples of companies with vast databases of legitimate charities -- those recognized by the IRS as tax-exempt. There are also lists of fraudulent charity sites in the databases of companies such as McAfee and Secunia, which use database information and Web-detection software to indicate illegitimate sites.

It is possible to determine who's naughty and who's nice, so make sure you go over your lists twice before you give away your money -- and maybe more.

This article was reported and written by Paula Lehman for BusinessWeek.