Online fraud shouldn't happen, but it does. And when it does, how should one report the crime, and to whom? Michael Kassner would like to share what he's learned.
A friend from my creative-writing group called me completely distraught, "I've been phished." Ever the stoic, I asked, "How do you know this?" "I checked, and my bank didn't send the email message asking me to reenter my security answer and password." "And?" I had an idea what was next, but still asked. "It looked real," she argued, "So I did what the email said."
Now, I shifted to my "I told you to never do that" mode, and reminded her. "Great, Michael," she snapped, "Great advice, what do you suggest I do now?" Then there was a pause — a long pause. "Well..."
What should you do?
Quite simply, I was caught off guard. I knew well enough to have her call the bank. But that was all I was sure of — not good. Not wanting that to happen again, I immediately started looking for information.
After a bit, I came across Bob Burls, a UK-based security consultant who specializes in Computer Incident Response. Over the past several months, he has written a "How to" series about reporting computer crime for NakedSecurity. And he's done a great job. What I'd like to do is summarize what he's found.
Types of crime
Burls looked at the following attacks, and why they're considered crimes:
- Unauthorized email access: Unauthorized access to an email account.
- Malware by email: An unauthorized act is performed unknowingly on an individual's computer.
- SQL injection website attack: An attacker first identifies if a web server of interest is vulnerable to SQL injection. If it is, the attacker then applies SQL injection after which, the attacker has control of the server.
- Phishing attack: The criminal deliberately misleads a victim using imitation websites and emails, in order to obtain sensitive information (person's identity) in order to sell it or personally exploit it.
- Trolling: An attacker commits a crime by using the Internet to send messages to threaten, abuse, or harass the victim with the intent of causing alarm, distress, and or anxiety.
- Fake antivirus: Two primary offenses take place, unauthorized modification of the victim's computer, and using false representation to mislead the victim.
Laws covering the crimes
- UK: There are three laws covering the above-mentioned crimes:
- USA: All of the listed crimes above fall under the Title 18, United States Code (USC) Section 1030 — Fraud and related activity in connection with computers.
- Canada: The Criminal Code of Canada encompasses most criminal offenses. If I understand correctly, Section 342.1 (Unauthorised Use of a Computer) and Section 430.1 (Mischief in Relation to Data) are the specific laws applying to computer crimes.
- Australia: In Australia, the primary legislation for computer crime is the Summary Offences Act, 1953 and the Criminal Law Consolidation Act, 1935.
Reporting the crime
Next, Burls gets to the part I'm interested in — reporting the crime. Again, Burls describes what works in each of the four countries:
- UK: In the UK, when a crime occurs, it should be reported to the police after which, it is investigated by the police. If the crime is serious enough, it may be referred to the Police Central e-Crime Unit.
- USA: The Department of Justice website contains a contact page for reporting incidents to local, state, or federal law enforcement agencies. Having looked at the webpage is seems most computer crimes are reported to local offices of:
- The Federal Bureau of Investigation
- The United States Secret Service
- Canada: The Royal Canadian Mounted Police is the main agency when it comes to investigating federal statutes, so it is best to start with them.
- Australia: The Australian Federal Police website provides advice on whether the Australian State or Territory Police should be contacted.
In the mean time
There are many suggestions about what you should do with the computer if you intend to contact a law-enforcement agency regarding a possible crime. After interviewing Eric Huber, a highly regarded digital forensics expert, I'd do very little. Eric pointed out we tend to mess up the evidence or break the chain of custody.
Whether you report the computer crime or not is ultimately up to you. I would like to present something Mr. Burls mentioned, and I had not considered:
In general, it's important all computer crime is reported. Even if no investigation follows, crime report intelligence can be built up, and an accurate picture of the levels of computer crime can be produced.
It seems, law enforcement agencies have not yet figured out how to read our minds.