In the News: A Small Respite from Spam
Some good news on the spam front this month: worldwide spam was cut in half when a single web hosting firm was shut down, The Washington Post reported. McColo Corp, a company based in San Jose, California (but claiming a Delaware mailing address), allegedly operated servers that sent spam messages for various international groups. These clients, in turn, were behind activities ranging from managing compromised computers to selling fake drugs and other goods online. When the plug was finally pulled by McColo’s Internet providers, security researchers reported a drop in spam traffic that ranged from 60 to 75 percent across the globe.
It seems amazing that a single firm can be responsible for so much spam traffic. Security researchers have been watching McColo and collecting evidence of wrongdoing for over a year, and they were the ones who eventually brought the evidence to McColo’s ISPs and asked for the shutdown. U.S. law enforcement officials aren’t giving statements about the case or about the potential repercussions for McColo’s spamming actions. After all, firms like McColo provide a service, and they frequently claim ignorance when a client misuses that service, making them tough to blame for annoyances like spam traffic. Shutting them down is frequently difficult, because as frustrating as spam is, it isn’t illegal. In this case, McColo might have broken no laws, and they haven’t been charged with any crime. The spam decrease, however, is a welcome change for the companies and consumers who monitor its traffic.
Of course, the respite won’t last; experts caution that the slowdown in spam is only temporary because other servers will start taking up the slack. In fact, you might have noticed your spam inbox filling up once again with the usual assortment of ads and scams. But we can take some hope from this case, at least. Everyone from the security professional to the average consumer is fed up with spam, and finally, some steps are being taken to help curtail it. Perhaps more pressure from a frustrated community could help to shut down additional spam servers worldwide, or perhaps a “Do Not Spam” list will eventually be created to spare our accounts from the onslaught. With annoying sales pitches, false advertising and identity-stealing scams peppering our email accounts daily, a change can’t come too soon.
Sources for this article: The Washington Post. Photo courtesy of freedigitalphotos.net.
Charity Telemarketers: Should You Give?
At this festive time of year, you might notice a few more phone calls than usual. The holidays are a prime time for telemarketers to amp up their solicitations and try harder to get your business. And if you’re on the Do Not Call List (which you should be), you could still get calls from charities working to increase their donations. Before you get angry and slam the phone down, or worse, sign over your assets to a shady caller claiming to be a charity, make sure you know the best ways to handle charity telemarketers, especially during the next few months.
Some consumers mistakenly think that being on the Do Not Call list means that they will receive no solicitation calls for any reason, but there are exceptions to Do Not Call. One exception is for political campaigns, and another is for charities. Legitimate charities are not restricted in their telemarketing calls by the Do Not Call list; less-than-legitimate charities, though, are one way that some people try to skirt the Do Not Call list and make some money. So how can you tell whether the charity calling you for your holiday contribution is really legitimate and trustworthy?
First, ask questions to find out where the money really goes. On average, charities get just 40% of the money that telemarketing companies collect in their name. In some cases, the telemarketing company keeps 90% or more of all the money they collect on behalf of the cause they are purportedly working for. As awful as it sounds, this practice is legal; the Supreme Court case Madigan v. Telemarketing Associates ruled that telemarketing companies can keep almost all the money they bring in, as long as they don’t claim that more goes to the charity than it does. Charities claim that even a small percentage makes a difference for them, but if you want to give to a worthy cause, you probably shouldn’t do it via telemarketer, since you’ll also be lining the pockets of the telemarketing company.
I’ll give you an example from my personal experience: A man called me once on behalf of the “fraternal order of police,” asking me to contribute to police officers in my area and delivering an emotional plea for the cops who needed me. I asked him, “Are you with the police?”
“No, ma’am,” he replied.
“So you work for a third-party company doing the solicitations?” I asked. (This is exceedingly common, of course, and doesn’t mean a charity is less than reputable.)
“Yes, ma’am.”
“Is your company a for-profit company, or a non-profit company?” I asked.
“For profit.”
Ah. Now we were getting somewhere. “So what percentage of my donation actually goes to the police?” I asked.
“Well,” he said, back on script, “Ten percent of the money that goes to the police goes to…”
“No,” I said. “What I mean is, if I give you $100, how much of that $100 goes to the police, and how much stays with your company?”
“Um, I don’t know that, ma’am.”
“Because you see, I know your company wants to make money, and I know that many telemarketing companies who solicit for charities only donate a small percentage to the charity itself. So why would I give any money to you, when I can just give it directly to the police in my area and make sure that it ALL goes to the cause that I support?”
“Well…” he didn’t have an answer.
I hung up with a clear conscience, knowing that any “donation” I made to this caller’s company would have mostly gone to the company itself, not to the cause they claimed to support.
By law, the telemarketer has to give you their full name, the company they work for, whether they’re paid for their job, etc., but you have to ask first. They’re not required to volunteer that info, and they’d usually prefer you didn’t ask. Legitimate charity calls will not have anything to hide when you ask them these questions.
Protecting yourself and your charitable donations doesn’t stop there, though. Make sure you never give out sensitive information, such as a credit card number, Social Security number, or bank account information, over the phone. Don’t give out your mailing address; instead, offer to confirm the address they have on record, and even if the address is wrong, confirm it anyway. If they have the wrong information for you, it might be a way of trying to trick the RIGHT information out of you, so don’t tell them what the real information is. Don’t give out your email address, and don’t let the telemarketer send you to a website to pay your charitable pledge, since that website might be a scam site that was set up to look legitimate and collect personal info from victims.
If you want to make a contribution but want to be safe about it, ask the telemarketer to send hard copy donation information to the address they have on file. If it’s wrong, just play along until you say goodbye and hang up, then look up the address of the charity you want to support and send them your contribution directly. That way, you’ll know that your money is going where you want it to go. All charities are happy to take direct donations if you offer them, and bypassing the telemarketing company entirely means that your identity is safe.
You can’t do much about charity telemarketing calls, since they’re exempt from the Do Not Call list, but you can take steps to keep your identity safe and make your contributions count among the charities you prefer.
Sources for this article: Associated Content, North Carolina Attorney General’s Office, MSN.com
Sexy Political Robocalls - Have we gone too far?
CNN reported that candidates have resorted to setting up robocalls that sound like phone sex. I thought we crossed the proverbial line with the calls themselves; it appears this takes it to a whole new level:
Backscatter Spam is an Undeliverable Pain
A few years ago, I was checking my Yahoo! email account and saw that I had received dozens of strange emails. All of them were listed as “undeliverable,” as if I’d sent the emails out, but then they’d gone to a nonexistent email address and bounced back to me. The problem was, I didn’t recall sending that many emails out, especially to questionable email addresses. I opened a few of the emails to see what the message was that I had allegedly sent, and each one of the emails was a spam ad for vitamins and supplements.
You can imagine my confusion: I hadn’t sent any spam emails selling vitamins and supplements, but I was receiving the undeliverable spam messages back to my account. Sure enough, in each message, the “return” address was listed as mine! Now I was concerned. I followed the link in the emails and contacted the company about my email address being used as the return address on their spam messages (no one responded to me). I also contacted Yahoo! and let them know that I was receiving these “undeliverable” messages, but that I hadn’t sent them in the first place. In short, I was inconvenienced, annoyed, and slightly violated because of spammers using my perfectly legitimate email account as their own return contact.
As it turns out, I wasn’t alone in my “undeliverable” spam troubles, and this problem is growing worse. There’s even a name for it: Backscatter spam.
According to USA Today, backscatter spam now makes up 3 percent of all email sent, and it clogs up the email accounts of hapless users. Backscatter spam consists of NDR (undeliverable) messages, but it’s also floods of “out of office” autoreply messages, waves of “confirm your subscription to our service” emails, and misdirected virus alerts. Spammers create this problem by collecting legit email addresses (like mine), often by employing viruses that attack corporate databases and steal the data. Email addresses that have been in use for a long time (again, like mine) tend to be good targets because they’ve been “floating” around in cyberspace for a while. The real email addresses are then “spoofed” so that any emails the spammers send look like they’re coming from the real email accounts, not from the spammers themselves. The holder of the legit account is unaware of all of this, meanwhile, until the “undeliverable” spam emails – those sent to inactive addresses that can’t receive email – start bouncing back. They go to the return address that the spammers provided, which of course is the one that belongs to the victim. The bounced messages can pack the victim’s inbox full and create a very large headache.
Why would spammers do this? Aside from the obvious desire to avoid bounce-back emails themselves, spammers know that most emails sent without a valid “From:” address (or those sent from addresses and/or domains that are known as spam originators and are blocked accordingly) don’t reach their destinations. A forged return address gives an air of legitimacy to the mailing. The spammers aren’t using your server for their mass mailing; they’re just using your email address in the “From:” field.
How many messages are we really talking about here? Spam email lists are notoriously inaccurate, as a high percentage of the emails on the lists are no longer active or deliverable. Of the undeliverable emails sent, most will simply disappear, but 7-10% of the emails will be accepted by the server on the other end, then sent back as undeliverable later. These are the bounce-backs that end up causing the problem. As Al Iverson wrote on his Spam Resource blog, the math is simple: if a spammer sends 2 million messages in a single mailing, and 40% of the email addresses he uses are invalid, and 9% of those invalid addresses send the message back as undeliverable, that means that 72,000 bounce notifications will go to the return address listed on the spam emails. And that address might be yours or mine.
So what can you do? For one thing, don’t contribute to backscatter yourself. Don’t use a “challenge/response” anti-spam program, since your automated challenge/response messages are a form of backscatter, and they make life more difficult for other legitimate users. Also, don’t use an “out of office” auto-response message if you can help it… Again, this is a form of backscatter, and worse, it lets spammers know that your address is active. Finally, don’t use a fake bounce-back anti-spam system (a system that sends fake bounce-backs in response to spam in the hope that spammers will take your address off their lists when the spam is undeliverable) – your bounce-back doesn’t go to the spammer, as we’ve already made clear. It goes to a victim whose email address was spoofed as the spammer’s return address, and your bounced message just becomes another of the backscatter messages that the victim receives. Since the spammers never receive the bounced message, they don’t update their own mailing lists based on the bounces, so the fake bounce-back systems are pretty useless.
As for stopping backscatter from hitting your own inbox, it’s generally hard to prevent it if a spammer has used your email address in the “From:” field. A spam filter sometimes helps to stem the tide a bit, so make sure you have one. Also, if you have a domain with a catch-all mailbox (an email inbox that catches any emails sent to your domain that aren’t sent to a specific user’s mailbox), you can deactivate the catch-all, since most backscatter spam heading for your domain will end up there as the spammers try different variations of emails for the return address. Check with your ISP or hosting provider on how to eliminate the catch-all address while still receiving emails directed at specific mailboxes or at certain required accounts, such as “postmaster.”
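A filter can recognise the kinds of backscatter described above from message headers, and can tell a genuine bounce from backscatter by checking whether the bounced mail was ever really sent from the account. The Python sketch below is an added example, not part of the original article; the sample messages, the `SENT_IDS` set and the subject-line heuristics are constructed assumptions.

```python
from email import message_from_string

# Message-IDs this account really sent (constructed; in practice, read them
# from your own Sent folder or outbound mail log).
SENT_IDS = {"<real-1@example.org>"}


def backscatter_kind(msg):
    """Return 'ndr', 'virus-alert', 'autoreply', 'confirmation' or None."""
    subject = (msg.get("Subject") or "").lower()
    auto = (msg.get("Auto-Submitted") or "no").strip().lower()
    # A standards-based bounce (NDR) is a multipart/report delivery-status message.
    report_type = str(msg.get_param("report-type", "")).lower()
    if msg.get_content_type() == "multipart/report" and report_type == "delivery-status":
        return "ndr"
    # The remaining checks are heuristics chosen for this example.
    if "virus" in subject and auto.startswith("auto-generated"):
        return "virus-alert"
    if auto.startswith("auto-replied") or "out of office" in subject:
        return "autoreply"
    if "confirm your subscription" in subject:
        return "confirmation"
    return None


def original_message_id(msg):
    """Message-ID of the mail being answered, or None if it cannot be found."""
    ref = msg.get("In-Reply-To")
    if ref:
        return ref.strip()
    for part in msg.walk():
        mid = None
        ctype = part.get_content_type()
        if ctype == "text/rfc822-headers":      # bounce quotes only the headers
            mid = message_from_string(part.get_payload()).get("Message-ID")
        elif ctype == "message/rfc822":         # bounce attaches the whole mail
            inner = part.get_payload()
            if isinstance(inner, list) and inner:
                mid = inner[0].get("Message-ID")
        if mid:
            return mid.strip()
    return None


def triage(raw, sent_ids=SENT_IDS):
    """Return (verdict, kind) for one raw message."""
    msg = message_from_string(raw)
    kind = backscatter_kind(msg)
    if kind is None:
        return ("normal", None)
    orig = original_message_id(msg)
    if orig is None:
        return ("unverified", kind)        # automated, but nothing to match against
    if orig in sent_ids:
        return ("own-mail", kind)          # answers something we really sent
    return ("backscatter", kind)           # answers mail forged in our name


# --- Constructed sample messages ---
NDR_TEMPLATE = """\
Return-Path: <>
From: MAILER-DAEMON@mx.example.net
To: me@example.org
Subject: Undeliverable: Vitamins and supplements
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Delivery to nobody@example.net failed.
--b1
Content-Type: message/delivery-status

Final-Recipient: rfc822; nobody@example.net
Action: failed
Status: 5.1.1

--b1
Content-Type: text/rfc822-headers

From: me@example.org
To: nobody@example.net
Message-ID: {mid}
Subject: Vitamins and supplements

--b1--
"""
NDR_SPOOFED = NDR_TEMPLATE.format(mid="<forged-77@spam.invalid>")
NDR_REAL = NDR_TEMPLATE.format(mid="<real-1@example.org>")
OUT_OF_OFFICE = """\
Return-Path: <>
From: someone@example.net
To: me@example.org
Subject: Out of office: Vitamins and supplements
Auto-Submitted: auto-replied
In-Reply-To: <forged-78@spam.invalid>

I am away until Monday.
"""
CONFIRMATION = """\
From: list@example.net
To: me@example.org
Subject: Please confirm your subscription to our service

Click the link to confirm.
"""
NORMAL = """\
From: friend@example.net
To: me@example.org
Subject: Lunch on Friday?

See you at noon.
"""

if __name__ == "__main__":
    for name in ("NDR_SPOOFED", "NDR_REAL", "OUT_OF_OFFICE", "CONFIRMATION", "NORMAL"):
        print(name, triage(globals()[name]))
```
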
Backscatter is annoying, but if you get spoofed and end up with an inbox full of undeliverable email, you can rest assured that your reputation is probably safe. Few people in today’s world of spam email believe that the “From:” address in a spam message is the actual source of the message. If you do get backlash from an angry Internet user, show them this article; after all, they might be the next person spoofed by spammers.
Sources for this article: USA Today, Al Iverson’s Spam Resource blog, SpamNation
Photo attributed to freezelight, posted to Flickr, licensed under Creative Commons Attribution-Share Alike 3.0
Join the Political Robocalling Petition
“Hello. I’m calling for John McCain and the RNC because you need to know that Barack Obama has worked closely with domestic terrorist Bill Ayers, whose organization bombed the U.S. Capitol, the Pentagon, a judge’s home and killed Americans. And Democrats will enact an extreme leftist agenda if they take control of Washington. Barack Obama and his Democratic allies lack the judgment to lead our country. This call was paid for by McCain-Palin 2008 and the Republican National Committee at 202-863-8500.”
Here is the robocall’s full audio.
This is just one of the thousands of Political Robocalls from both parties that have been flooding phone lines in battleground states. According to a recent report by CNN, some voters are receiving as many as a dozen automated calls per day.
Some states, like Maine, are cracking down, claiming this is a violation of personal privacy.
According to Wikipedia, even those who have opted into the National Do Not Call Registry may still receive these calls, as political parties are exempt from the rules set forth during the formation of this registry.
Are these calls really effective, and why should we have to put up with this violation of our personal privacy?
Comment below to join the petition.
Warning! You Might Be Fooled Into Clicking This Pop-Up
Have you ever been clicking your way through cyberspace, when suddenly, a very important-looking window pops up? It usually looks like it’s part of Microsoft Windows, and it says something like, “Warning! Your computer is at risk! Click ‘OK’!” Do you click on it? Is your computer really at risk? Is Windows trying to tell you something?
By now, you’ve probably figured out where this is going: that pop-up is a scam, something known as “scareware.”
Those who DO click “OK” on the serious-looking window out of fear that their PC is actually in danger usually start a download of malware onto their hard drives. The program pretends to run a scan, telling the user that there are lots of “critical problems” with their computer that must be fixed. Of course, those mysterious problems do get fixed if the customer agrees to buy the full version of the repair software for roughly $40. The entire thing is an elaborate scam, one that is both illegal and incessant; one IP address appears to have received the pop-up at least 200 times in a single day.
It’s a “blatant rip off of consumers,” Washington State Attorney General Rob McKenna said, as reported on CNET news. He said that users were “duped into downloading a fake scan and then duped into paying for software they don’t need.”
These pop-ups have been around long enough for most of us to encounter one at least once, but now there is some news on the scareware front. Microsoft and the Attorney General’s office in Washington state filed or amended lawsuits last month against companies including Alpha Red, Branch Software, SMP Soft and Registry Update, all of which allegedly use the fake security warnings to scare users into spending money on a fix. In some of the cases, the defendants are listed as “John Doe” because the owners of the companies aren’t known. In the case of Alpha Red and Branch Software, James Reed McCreary is the owner named in the lawsuits. His Texas-based company sells a scam product called Registry Cleaner XP for $40. The lawsuits charge McCreary and the other companies with misrepresentation, harassment, and high pressure sales. The state of Washington seeks an injunction and undisclosed civil penalties from McCreary.
The lawsuits were made possible because of Washington’s Computer Spyware Act, which makes it illegal to create scary messages that appear to come from elsewhere (in this case, Windows) in order to terrify people into a software purchase. The Computer Spyware Act was put into place in 2005, and in that year, Microsoft and Washington state successfully sued Secure Computer (makers of Spyware Cleaner) for $1 million when they charged the company with using scareware pop-ups. The law was recently updated to include outlawing the sort of deception that McCreary and others allegedly conducted. The state has filed seven cases under the law since 2005, while Microsoft has filed 17 spyware-related legal actions in that time.
In the current case, consumers who have experienced the scareware ads can file their own lawsuits if they wish. Since many people have a healthy fear of a security breach on their computer, the messages work particularly well when the scammers play on that fear, suggesting that personal privacy and security are at stake. The defendants, if convicted in the current lawsuit, face fines of up to $2,000 per violation, plus restitution and attorney fees. We’ll keep you posted on the results and any future lawsuits brought against the companies.
So what should you do if the “Warning!” pop-up appears on your screen? Don’t click the red X in the upper right hand corner of the window, for one thing, says Christopher Null of Yahoo! Tech Blogs. While it appears to be the same sort of button that makes the standard Windows box go away, remember that this isn’t a true Windows box. Clicking the red X might start the download of the malware. Instead, go to the task bar at the bottom of the screen and right-click on the pop-up’s bar to close it. Other than that, you can close and restart your Internet browser to make the pop-up go away.
Just don’t click “OK”… It’s anything BUT okay.
Sources for this article: Yahoo! News, Yahoo! Tech News, Yahoo! Tech Blogs, CNET news, Scareware, Seattle Post Intelligencer
Clickjacking: Big Problem, Not Much Solution (Yet)
This week’s security threat: clickjacking.
Clickjacking is the latest in a series of security threats to web surfers. The United States Computer Emergency Readiness Team (US-CERT) issued a warning about clickjacking on September 26, and the news has spread quickly. This is a crime in which hackers hide behind harmless-looking websites so that people who visit them might be accidentally revealing sensitive information to the hackers by clicking around the site. Matt Hines of Security Watch describes it like this: “Essentially, if hackers using a clickjacking attack tricked you into visiting one of their URLs, they could take control of your browser and begin secretly forcing the client to click on any links they desired. Scary stuff indeed!”
Clickjacking is a vulnerability that’s widespread across every major web browser and Adobe Flash player. One recently-revealed problem that can arise from clickjacking, for example, is that a hacker can remotely activate someone’s web camera and microphone without their knowledge via the Adobe Flash vulnerability. The ramifications of this sort of spying are powerful, and the industry is on high alert.
Robert Hansen, CEO of SecTheory, and Jeremiah Grossman, CTO of WhiteHat Security, discovered the vulnerability and were scheduled to speak about it at the Open Web Application Security Project NYC AppSec conference in New York last month. The talk was put off, however, until the various browser companies could take a stab at fixing the problem. There was no sense, after all, in tipping off hackers about the problem before there were solutions to be found.
So far, there is some success, albeit not as much as one might hope. The free Firefox add-on known as NoScript has been updated to combat clickjacking attempts. Italian developer Giorgio Maone calls the update “ClearClick,” meaning that it reveals anything that’s hidden or obstructed when a user tries to interact with a website. The ClearClick update stops the interaction from completing and points out the disguised content present, giving the user a chance to back away from the potentially-dangerous content. But NoScript only works with Firefox and other Mozilla-based browsers, so what about Adobe Flash player, Internet Explorer and others?
Just the other day, Adobe released a workaround for the flaw in its Flash player in order to deny hackers access to web cams and microphones. They promise to release a true fix by the end of the month. US-CERT and others suggest disabling browser scripting and plug-ins on our individual browsers, but that can limit the functionality of many websites, and it’s still not a comprehensive fix. Joe Wilcox of Microsoft Watch notes that Microsoft’s reaction to the clickjacking threat has been somewhat tepid, but perhaps with reason. One difficulty with software companies and how they address the threat lies in the fact that so little information has been released; while that’s good for avoiding exploitation of the flaw, it’s not great for assessing the true risk (although US-CERT’s warning is dire enough to take clickjacking seriously). One thing everyone can agree on: The problem is real, but there’s no easy fix, at least for now.
Sources for this article: Yahoo! News, Computer World, PC Magazine, Adobe, US-CERT, Security Watch, Microsoft Watch
October is National Cyber Security Awareness Month
Across the country this month, cyber security professionals, software companies and government agencies are working to raise awareness of online security issues by encouraging people to protect their computers, educate themselves and take responsibility for online security. The Department of Homeland Security’s National Cyber Security Division (NCSD) is sponsoring this fifth-annual event and partnering with the National Cyber Security Alliance (NCSA), a nonprofit organization funded by public and private institutions, and the Multi-State Information Sharing and Analysis Center. By teaming up with companies like Microsoft and AOL and encouraging other organizations to participate with their own events, the NCSD and NCSA can publicize those organizations’ efforts and continue to provide safety education, events, tips and forums for everyone from the average home computer user to the small business owner and local government office.
Why have a whole month dedicated to cyber security? We’ve noted before on this site that attacks on personal privacy, security and identity are plentiful online. As Homeland Security Secretary Michael Chertoff noted on the DHS website, “Cyber attacks are increasing in sophistication and frequency every day. They include a broad spectrum of nefarious activity – from an individual hacker, to an organized criminal group stealing information or identities, to nation states engaged in cyber espionage.” Taking action to protect individual privacy and security is one of the main themes of the articles we post here at Privacy Council. We know that simple precautions and protective steps can go a long way toward keeping one’s identity safe, and this month is dedicated to spreading the word and educating consumers about what they can do to protect themselves online.
The NCSD and NCSA offer several tips to increase personal privacy and security online. Some of them include:
- Using anti-virus and anti-spyware software, as well as a firewall, on your computer
- Creating strong passwords and never sharing them with anyone
- Backing up your important files
- Not clicking on links in suspicious emails or giving out sensitive information via email (Click here for Privacy Council’s article on phishing, and click here for Privacy Council’s article on harmless-looking email attacks)
- Monitoring your children’s online activity and not letting them give out sensitive information online (click here for Privacy Council’s article on child identity theft)
- Subscribing to the National Cyber Alert System for the latest updates on cyber threats and security issues
- Involving your school or organization in cyber security awareness (you can download the EDUCAUSE cyber research kit here)
Want to participate in an event to learn more about cyber security? The proclamation of National Cyber Security Awareness Month received 51 endorsements from non-profits, educational institutions, government agencies and companies this year, and many of those are offering educational events this month. Any events that the NCSA knows about are publicized on the organization’s events page. If you don’t see one that you can attend, try contacting your nearest school, college or local government to see whether they plan to offer any cyber safety seminars or events in October. Many agencies are participating at the local or state level; for example, Illinois State University is providing four weeks of online safety topics to educate students and staff about issues ranging from peer-to-peer file sharing to identity theft to viruses and spyware. Several states away, Minnesota’s Enterprise Security Office is holding five security awareness events at various Minnesota state agency cafeterias throughout October.
Whether you attend an event or not, help spread the word to others so that they, too, can be educated in the ways to protect their online security. And not just this month, but whenever possible. Online security is everyone’s responsibility!
Looking for a job? Your private life might get in the way
The latest from Reuters: According to a survey done by Careerbuilder.com, 22 percent of potential employers check the web identities of potential new hires. That’s up from 11 percent just two years ago. And what’s more, a third of the potential employees who are checked out online are ruled unacceptable for the job they want because of what their prospective bosses find. Suddenly, the line between work life and personal life has become more blurry than ever.
We all know that our private lives have become less private since the advent of blogging, social networking and our other Internet activities. Millions of us have profiles at sites like Facebook, LinkedIn, MySpace, Friendster, Cafemom… The list goes on. It’s easy to pretend that these profiles (and the photos, information and updates posted to them) are seen only by family and friends, but the reality is that public profiles are just that – public. And increasingly, employers are checking out these profiles in an effort to find out more about their job candidates than what appears on a resume.
It makes sense. Many people let their guard down in their profiles, posting photos of spring break or blog entries about questionable activities. In the past, there have been cases of people getting fired over what they’ve written in their blogs, but now, our social networking activities can sabotage our job chances before we even get in the door. Of the one-third of potential new hires who were dropped from consideration because of what a boss found out about them online, almost half were cut because of information about drugs or alcohol use. Other factors included lying about qualifications and posting about illegal activities. Why should your personal life matter, you might ask? According to the New York Times, what you post online says a lot about your judgment, maturity and professionalism. What you allow to be viewed by everyone says a lot about who you are, and sometimes, that’s too much information.
If you think that one out of five bosses is a fairly low number to be using this method of checking out a job candidate, consider this: another nine percent of bosses said that they were planning to start looking up candidates’ web presences in the future, and there’s every reason to believe that the numbers will continue to increase as social networking continues to expand. For many people, their “true selves” are online, and employers want to get to know these true selves before committing to offering a position. Each individual with a profile is leaving an “online footprint,” and for most of them, the photos and content posted will continue to exist online for a long time to come, potentially hurting their chances of getting or keeping a job.
Before you rush out and delete every social networking profile you have, though, remember that protecting your privacy (and projecting the best possible image of yourself) doesn’t have to mean vanishing into obscurity. After all, 24 percent of the bosses who checked out web profiles said that what they found actually SOLIDIFIED their decision to hire a candidate. So depending on what you put in your profile, you might actually help your cause. According to Reuters, “Top factors that influenced their hiring decision included candidate’s backgrounds supporting their qualifications for the job, proving they had good communications skills, and having a site that conveyed a professional image with a wide range of interests.”
The idea of using a web presence to increase one’s desirability in the job market is fast taking hold; 16 percent of job seekers surveyed said that they’ve already tweaked their profiles to make themselves more job-friendly, and some people are even going the route of hiring others to clean up their online selves for them. ReputationDefender.com charges a range of fees to do searches of job candidate names and help make sure that photos or content that can make someone look bad are not anywhere to be found via an online search for that person. DefendMyName.com is another source that works for both individuals and companies to clean up online image.
Want to do what you can to maintain your privacy AND your chance of getting that job? It’s in your hands to keep your privacy safe when using social networking sites or blogging software. First, Google yourself and see what comes up. In some cases, the results can make you look bad without cause; for example, one college senior who Googled himself discovered a satirical essay he had written, called “Lying Your Way to the Top,” which was probably counting against him in his job search. Once he requested that the website that posted the essay take it down, he started receiving job interviews and offers. Clearly, Googling oneself is like checking one’s credit periodically; it helps to know what’s on the record.
Next, go through your profiles with a fine-toothed comb, removing any questionable photos, comments, blog entries, etc. Remove any “friends” from your list who aren’t actually your friends or who might prove to be detrimental connections if seen by an employer (the guy with 1,800 “friends” whom you’ve never met who likes to leave raunchy messages on everyone’s profile might be someone to cut from your list). You can set your privacy settings so that only approved friends can see your profile, but some employers admit to knowing ways around that. Try to view your content from the perspective of someone who is looking to bring you into a workplace. If possible, have an impartial acquaintance view your profile with a fresh eye and let you know of anything that raises a red flag. Make sure to emphasize positives, like charity efforts, varied hobbies and interests, and especially anything that pertains to the field in which you’re trying to work.
Then, continue the upkeep of your profiles. Don’t approve friends for your list unless you actually know them or trust them. Be cautious of features like Facebook photo tagging, since that makes it possible for other people to post photos of you that link to your profile. Don’t post ranting blog entries that might paint you in a negative light. Remember, you control your privacy at social networking sites and blogs, so be proactive and put your best self out there.
Sources for this article: Reuters News, Reuters Lifestyle, The New York Times, CBS News
You’ve heard of spamming… How about cramming?
Telemarketers are bad enough; at least you know they’re trying to sell you something. But when entering a contest or calling an 800 number leads to unexpected charges “crammed” onto your telephone bill, the annoyance becomes a full-on headache.
“Cramming” happens when fees appear on a phone bill for services the consumer didn’t authorize or agree to. In some cases, consumers may have been tricked into agreeing to the services through a deceptive tactic that signs them up for real or imaginary services (with hefty fees) that they don’t want. Crammed charges can be hard to catch at first because most consumers find phone bills inherently confusing, but an unexpected increase on a phone bill can indicate that you’ve been crammed.
Can this actually happen? As it turns out, it can. The crammers make their money off of a telecommunications system that allows phone companies to charge for services on behalf of other companies. The phone company itself is not actually involved in the transaction, but they do funnel the charges, legitimate or otherwise, to the companies that solicit them. Here are two major examples of cramming tactics that have duped many consumers:
• The victim signs up to enter a contest at a kiosk or display. The fine print of the entry form, which is confusing at best, notes that the victim is signing up for a service by filling out the form. Later, the service is charged to the victim’s phone number, which the victim wrote on the entry form. The victim may never even receive the service, just the fees for it. This can also happen when a victim receives a sweepstakes offer in their junk mail.
• The victim calls an 800 number that is advertised as a free dating line, psychic line, way to meet local people, etc. The “free” service is anything but. The victim is usually prompted to say “I want the service,” and by doing so, they end up enrolled in a club or service program that is billed to the number that the victim is calling from. Often, there is no live operator or anyone available to answer questions about what the victim has just agreed to. Again, the service or club might never even exist in the first place.
What do cramming charges look like on your phone bill? They can be vague, for one thing. When checking your bill, look for charges labeled “other fees,” “voice mail,” “membership,” “psychic” or just “service charges.” If you didn’t authorize them, they shouldn’t be there. Another variation of cramming is when you DO authorize a charge, but it turns out to be much higher than you were told it would be. Look for those inflated charges, as well. Finally, check for fees that recur each month but don’t come with much explanation, such as “monthly maintenance fees.”
Individual consumers aren’t the only targets of crammers; businesses are often the victims. An example is when a crammer calls the company to “verify information for the yellow pages,” only to quickly sign the company up for a pay-per-month service. Business crammers smooth-talk their way into the money by calling a random employee at a company and stringing together several questions quickly, one of which usually asks the employee whether they’re authorized to make decisions about the phone account (the company employee, after having said “yes” to a variety of general questions about the business, usually gets tricked into saying “yes” to this, too). In the end, the crammer signs up the company for a questionable service, such as a directory listing, which might not exist but which adds a recurring charge to the company phone bill. One alleged crammer, Spoonfull.com, is under scrutiny from various state attorneys general because customers claim that they were billed small amounts of money for directory listings that they didn’t authorize (and in which they don’t even appear, in the end). Another accused crammer is Epixtar Corp., which is facing lawsuits in two states and had to work out an agreement in 2004 when the FTC brought a lawsuit alleging unfair and deceptive practices in connection with Epixtar’s sales of an Internet service (Epixtar admitted no wrongdoing in the agreement, of course). Companies like Epixtar deny any wrongdoing, though, because they claim to have phone records proving that the victims authorized the service. That’s where it becomes important to note that agreements gained through fast-talking tricks, intentional confusion and even phone record alteration do not count as authorizations.
What can consumers do to avoid being crammed? To start with, review your phone bill every month and look for suspicious charges. Even tiny ones can be suspicious; some crammers bill amounts of just a few dollars at a time so as to not be as easily caught when the bill comes. If you don’t know where a charge came from, call the billing company and request an explanation of the charges. If necessary, call your phone company and ask them how to remove unauthorized charges from your bill.
If calling the billing company and the phone company gets you nowhere, there are other methods for handling the cramming. You can contact the FCC for charges related to telephone services between states, or the FTC for non-telephone services on your phone bill. You can also contact your state Attorney General’s office. Both the FCC and the FTC accept complaints through their websites.
Don’t let yourself or your company be crammed; educate your employees, family members, and anyone who answers your phone about what to do if someone calls in this manner. Of course, remind them that the “free” services advertised in contests, telemarketing calls and junk mail are rarely as free as they seem. In the end, the best advice comes from a former Epixtar employee who spoke to MSNBC: When you get a call from a solicitor, hang up.
Sources for this article: MSNBC, FTC, FCC, PCWorld.About.com. Photo courtesy of http://www.freedigitalphotos.net.

