In the News: A Small Respite from Spam
Some good news on the spam front this month: worldwide spam was cut in half when a single web hosting firm was shut down, The Washington Post reported. McColo Corp, a company based in San Jose, California (but claiming a Delaware mailing address), allegedly operated servers that sent spam messages for various international groups. These clients, in turn, were behind activities ranging from managing compromised computers to selling fake drugs and other goods online. When the plug was finally pulled by McColo’s Internet providers, security researchers reported a drop in spam traffic that ranged from 60 to 75 percent across the globe.
It seems amazing that a single firm can be responsible for so much spam traffic. Security researchers had been watching McColo and collecting evidence of wrongdoing for over a year, and they were the ones who eventually brought the evidence to McColo’s upstream providers and asked for the shutdown. U.S. law enforcement officials aren’t commenting on the case or on any repercussions for McColo. After all, hosting firms like McColo provide a service, and they routinely claim ignorance when a client misuses that service, which makes them hard to hold responsible for nuisances like spam. Shutting them down is difficult because, as frustrating as spam is, sending unsolicited bulk email is not in itself illegal in the United States; only certain practices around it (forged headers, deceptive subject lines, ignoring opt-outs) are. In this case McColo may have broken no laws, and it hasn’t been charged with any crime. The drop in spam, however, is a welcome change for the companies and consumers who track it.
Of course, the respite won’t last; experts caution that the slowdown in spam is only temporary because other servers will start taking up the slack. In fact, you might have noticed your spam inbox filling up once again with the usual assortment of ads and scams. But we can take some hope from this case, at least. Everyone from the security professional to the average consumer is fed up with spam, and finally, some steps are being taken to help curtail it. Perhaps more pressure from a frustrated community could help to shut down additional spam servers worldwide, or perhaps a “Do Not Spam” list will eventually be created to spare our accounts from the onslaught. With annoying sales pitches, false advertising and identity-stealing scams peppering our email accounts daily, a change can’t come too soon.
Sources for this article: The Washington Post. Photo courtesy of freedigitalphotos.net.
Happy Holidays, Unhappy Environment
The holidays are coming, and that means more unsolicited catalogs and direct mail offers crammed into your mailbox than ever. While unsolicited mail is annoying at any time of year, the flood of junk mail usually hits hardest in November and December, all in the hopes that you’ll make holiday purchases from the piles of possible vendors that the postman delivers to you. I remember watching my parents sort through a stack of catalogs that was two, sometimes three feet tall each winter. And that was just the catalogs they chose to browse through; most of the offers that came in the mail went straight into the trash.
Privacy Council wants you to know just how much waste is due to junk mail and catalogs. In a given year, an estimated 19 billion catalogs are mailed to consumers, and an estimated 5.6 million tons of catalogs and direct-mail ads end up in landfills. That is more waste than most of us can picture. According to the Worldwatch Institute (as quoted at Carbonrally.com), the United States has 5 percent of the world’s population but consumes 30 percent of the world’s paper. Can we recycle it? Sure, but according to the Center for a New American Dream, only 22 percent of junk mail is recycled today. Recycling also does nothing about the trees and energy used to make the junk mail in the first place, and it takes still more energy to recycle it afterward. It’s a blow to the environment on several fronts, but you can do something about it.
First, sign up for Privacy Council’s environmentally-friendly service and get yourself removed from the major catalog mailing lists. This will drastically cut the amount of junk mail you receive, so you’ll know you’re doing your part to reduce the paper waste. How much waste can you personally help to prevent? Estimates indicate that, on average, consumers receive 110 catalogs per household per year, so over ten years, you could help to keep more than a thousand catalogs from ending up in a landfill. That makes a real difference.
Also, make sure that you aren’t granting companies the right to sell your contact information to mailing lists when you sign up for a new product or service (check the fine print and opt out whenever possible). Finally, if you still want to receive a few specific catalogs during the holidays, contact those companies directly and ask them to send their catalogs less often (instead of four or five catalogs per company during the holiday season, for example, the company could send you just one or two).
‘Tis the season to be festive, but don’t forget about the environment!
Sources for this article: Center for a New American Dream, Carbonrally, The Virginia Gazette
The tried-and-true identity theft technique: Talking you into giving up your information
This week, I had the good fortune to see a presentation by Kevin Mitnick, the former hacker who now makes a living as a security consultant. I went into the talk expecting a 90-minute lesson on the latest tools and toys that hackers might use to steal my identity. Instead, Mitnick’s very engaging lecture was about a low-tech trick that hackers have used since hacking began, and that they continue to use today: social engineering. Simply put, good hackers can get the information they need just by asking for it, bypassing technology entirely and going after the human weak point.
Mitnick described how easily a hacker might call a company, ask for some seemingly harmless information, and use it to get more sensitive information out of the company’s computers. He spoke about how smooth-talking tactics from someone who claims to be part of the company are sometimes all that’s needed to reach the important data, and how the criminals play on the fact that we as humans have an inherent desire to help others, even people we don’t know personally. Mitnick painted a picture of a hacker (he used to be one of the best) who could take the staff directory posted on a company’s website, call the right people, say the right things, and hang up with the keys to the kingdom. He made it sound both simple and widespread. The presentation left me and my fellow listeners a little stunned, and more than a little paranoid.
The main issue at the heart of social engineering tactics, Mitnick said, is that we as humans are trusting, helpful people. We don’t really believe someone could steal our identities until it actually happens to us. We don’t think to question it when “Bob from Accounting” calls for some simple information, even if we’ve never met Bob personally. And the helpfulness and trust don’t stop at work; Mitnick mentioned how nine out of ten people in London were willing to tell a stranger their password in exchange for a cheap pen, and how others will happily disclose their pet’s name or the school they attended, forgetting that those questions are the same ones used to verify accounts online (Privacy Council posted an article about protecting those security questions in September). Psychological manipulation, he noted, is easier than breaking into a computer system.
Phishing is one form of social engineering attack: an email dressed up to look like it comes from a bank, a retailer or another trusted organization tricks the victim into clicking a link and typing account details into a look-alike website. Phishing works because it leans on fear and urgency as motivators, for instance by warning that “your account will be closed if you don’t click immediately.” More recent phishing attacks (sometimes called vishing) skip the link and instead give a phone number for victims to call to “verify” their information; the victim thinks they are calling the bank, but the number belongs to the attacker. This combination of deception and manipulation can lead to disaster for those who trust it.
Mitnick did touch on some newer technology threats in his talk; for example, USB drives left lying around can contain malware that lets a hacker see and manipulate the computer desktop of whoever plugs the drive in. He also rehashed old-school hacking techniques, such as Dumpster diving (it’s amazing in this day and age that many companies still don’t shred sensitive documents before putting them in the trash). He handed out business cards that double as lockpick sets, and he played with Caller ID spoofing technology that allows a caller to fabricate the number on a victim’s Caller ID. He told tales of past hacks, both his own and those of other notorious hackers, and he engaged and entertained the crowd for nearly two hours. But everything he said and did served to bring home an important lesson: To have an adequate security system, companies and individuals have to have not just technology, but also people and processes that are prepared to handle all kinds of high- and low-tech attacks.
So how can you protect yourself and your company against social engineering? Don’t share information unless you REALLY know who is asking for it and why, and train your staff to do the same; a caller who pressures you for something urgent is a reason to hang up and call back on a number you already have. Test your staff by calling and pretending to be someone else who needs data, and see how they respond. Never write passwords on Post-It notes stuck to your monitor or hidden under the keyboard. Shred everything that contains information about you or your company, from credit card offers to company directories. Adopt a “less is more” approach to information-sharing. Don’t use your mother’s maiden name, Social Security number or birthdate as the security answers on any sensitive account (birthdates, addresses and even mothers’ maiden names appear in public records in many states, and all of these, Social Security numbers included, can often be bought for a fee). Play your cards close to your chest, and you have a chance of protecting what’s yours.
There’s no way to avoid EVERY attack, and a talented hacker might still use a combination of technology and manipulation to gain information. But you can still try to be ready for the worst; if anything, think like a hacker, and don’t share your information unless you’re sure!
For more information about Kevin Mitnick’s services and books, visit Mitnick Security.
Backscatter Spam is an Undeliverable Pain
A few years ago, I was checking my Yahoo! email account and saw that I had received dozens of strange emails. All of them were listed as “undeliverable,” as if I’d sent the emails out, but then they’d gone to a nonexistent email address and bounced back to me. The problem was, I didn’t recall sending that many emails out, especially to questionable email addresses. I opened a few of the emails to see what the message was that I had allegedly sent, and each one of the emails was a spam ad for vitamins and supplements.
You can imagine my confusion: I hadn’t sent any spam emails selling vitamins and supplements, but I was receiving the undeliverable spam messages back to my account. Sure enough, in each message, the “return” address was listed as mine! Now I was concerned. I followed the link in the emails and contacted the company about my email address being used as the return address on their spam messages (no one responded to me). I also contacted Yahoo! and let them know that I was receiving these “undeliverable” messages, but that I hadn’t sent them in the first place. In short, I was inconvenienced, annoyed, and slightly violated because of spammers using my perfectly legitimate email account as their own return contact.
As it turns out, I wasn’t alone in my “undeliverable” spam troubles, and this problem is growing worse. There’s even a name for it: Backscatter spam.
According to USA Today, backscatter spam now makes up 3 percent of all email sent, and it clogs the inboxes of hapless users. Backscatter consists mostly of NDR (undeliverable) messages, but it also includes floods of “out of office” autoreplies, waves of “confirm your subscription to our service” emails, and misdirected virus alerts. Spammers create the problem by collecting legitimate email addresses (like mine), often with malware that harvests address books and contact databases from infected machines. Addresses that have been in use for a long time (again, like mine) make good targets because they have been floating around the Internet for years. The harvested addresses are then “spoofed” as the sender of the spam: the spammer puts a real address in the From: header and, more importantly, in the envelope return path, which is where mail servers send bounces. The holder of the legitimate account knows nothing about this until the spam sent to dead addresses (mailboxes that no longer exist or can’t receive mail) starts bouncing. Those bounces go to the return address the spammer supplied, which of course belongs to the victim, and they can pack the victim’s inbox full and create a very large headache.
Why would spammers do this? Aside from not wanting the bounces themselves, spammers know that messages with no valid sender address (or with a sender address or domain already known as a spam source and blocked accordingly) mostly never reach their destinations. A forged return address gives the mailing an air of legitimacy and borrows the good reputation of someone else’s address. The spammers aren’t using your server for their mass mailing; they’re just putting your address in the From: header and the envelope sender.
How many messages are we really talking about? Spam mailing lists are notoriously inaccurate; a large share of the addresses on them are no longer active or deliverable. Most of the mail sent to those dead addresses is simply rejected during delivery and vanishes, but 7-10 percent of it is first accepted by the receiving server and only later turned into a bounce message. Those delayed bounces are what cause the problem. As Al Iverson wrote on his Spam Resource blog, the math is simple: if a spammer sends 2 million messages in a single mailing, 40 percent of the addresses are invalid, and 9 percent of those invalid addresses generate a bounce, then 72,000 bounce notifications go to the return address listed on the spam. And that address might be yours or mine.
So what can you do? For one thing, don’t contribute to backscatter yourself. Don’t use a “challenge/response” anti-spam program, since your automated challenge messages are a form of backscatter, and they make life more difficult for other legitimate users. Also, don’t use an “out of office” auto-response message if you can help it. Again, this is a form of backscatter, and worse, it lets spammers know that your address is active. Finally, don’t use a fake bounce-back anti-spam system (one that sends fake bounces in response to spam in the hope that spammers will take your address off their lists when the spam appears undeliverable). Your bounce doesn’t go to the spammer, as we’ve already made clear. It goes to a victim whose email address was spoofed as the spammer’s return address, and your bounced message just becomes one more piece of backscatter in that victim’s inbox. Since the spammers never receive the bounced message, they don’t update their mailing lists based on it, so fake bounce-back systems are pretty useless.
As for keeping backscatter out of your own inbox: once a spammer has put your address in the envelope sender, there is not much you can do about bounces that are already on their way. A spam filter sometimes stems the tide a bit, so make sure you have one; some filters can recognize a bounce whose quoted original message never came from you. Also, if you have a domain with a catch-all mailbox (an inbox that receives any mail sent to your domain that doesn’t match a specific user’s mailbox), deactivate it, since much of the backscatter headed for your domain will land there as spammers use made-up local parts at your domain in their return addresses. Check with your ISP or hosting provider on how to eliminate the catch-all while still receiving mail for specific mailboxes and required accounts such as “postmaster.”
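One technical defense the article does not mention is bounce address tag validation (BATV), which mail administrators use to reject backscatter at the server, before it reaches any inbox. The following Python sketch is added here as an example and is not taken from the article or its sources: it tags the envelope sender of outgoing mail with a short HMAC and a day counter, and then refuses any bounce (a message arriving with an empty envelope sender) addressed to an untagged, forged or expired address. The secret, the key id and the seven-day window are assumptions for the example; a real deployment also has to handle mailing lists and forwarders that rewrite the sender.

```python
"""BATV-style bounce address tagging.

Added example (not from the article): outgoing mail is given a signed,
time-limited envelope sender of the form prvs=KDDDSSSSSS=user@domain,
loosely following the BATV draft. A bounce, which arrives with an empty
MAIL FROM, is accepted only if its recipient carries a tag we issued
recently. Forged-sender backscatter never carries such a tag.
"""
import hashlib
import hmac
import time

# Assumptions for this example: a secret held only by the sending MTA,
# a one-digit key id to allow rotation, and a seven-day bounce window.
SECRET = b"replace-with-a-random-mta-secret"
KEY_ID = "0"
VALIDITY_DAYS = 7


def _day(now=None):
    """Day counter modulo 1000, as the BATV draft encodes it."""
    t = time.time() if now is None else now
    return int(t // 86400) % 1000


def _sig(day, address, secret):
    """Six hex digits of HMAC-SHA256 over the day counter and plain address."""
    mac = hmac.new(secret, f"{day:03d}{address}".encode(), hashlib.sha256)
    return mac.hexdigest()[:6]


def tag_envelope_sender(address, secret=SECRET, now=None):
    """Rewrite MAIL FROM for outgoing mail:
    alice@example.com -> prvs=0DDDSSSSSS=alice@example.com."""
    day = _day(now)
    local, _, domain = address.rpartition("@")
    return f"prvs={KEY_ID}{day:03d}{_sig(day, address, secret)}={local}@{domain}"


def untag_and_verify(address, secret=SECRET, now=None):
    """Return (plain_address, valid). valid is False for an untagged
    address, a bad signature, an unknown key id or an expired tag."""
    if not address.startswith("prvs="):
        return address, False
    tag, sep, plain = address[5:].partition("=")
    if not sep or len(tag) != 10 or not tag[:4].isdigit() or tag[0] != KEY_ID:
        return address, False
    day, sig = int(tag[1:4]), tag[4:]
    if not hmac.compare_digest(sig, _sig(day, plain, secret)):
        return plain, False
    if (_day(now) - day) % 1000 > VALIDITY_DAYS:
        return plain, False
    return plain, True


def smtp_decision(mail_from, rcpt_to, secret=SECRET, now=None):
    """Policy applied at RCPT TO time on the receiving MTA.

    Returns (decision, mailbox). An empty MAIL FROM marks a bounce
    (NDR, autoreply, virus alert): it is accepted only for a valid tag,
    so forged-sender backscatter is rejected inside the SMTP session and
    never reaches a mailbox. Ordinary mail is delivered to the plain
    mailbox whether or not the recipient address carries a tag."""
    plain, valid = untag_and_verify(rcpt_to, secret, now)
    if mail_from == "":
        return ("accept" if valid else "reject"), plain
    return "accept", plain
```

Because the rejection happens while the bouncing server is still connected, the bounce is dropped by the server that generated it, and nothing lands in the victim’s mailbox or catch-all.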
Backscatter is annoying, but if you get spoofed and end up with an inbox full of undeliverable email, you can rest assured that your reputation is probably safe. Few people in today’s world of spam email believe that the “From:” address in a spam message is the actual source of the message. If you do get backlash from an angry Internet user, show them this article; after all, they might be the next person spoofed by spammers.
Sources for this article: USA Today, Al Iverson’s Spam Resource blog, SpamNation
Photo attributed to freezelight, posted to Flickr, licensed under Creative Commons Attribution-Share Alike 3.0
Enter to win, and you’ll lose
You’re walking through the shopping mall, and you see a shiny chrome motorcycle sitting in the center of the atrium. Beside it is a huge sign: “Win this bike!” There is a stack of entry cards sitting on a table, and people are filling out the cards and dropping them into a slotted box. You think to yourself, Why not? I’d like to win that bike, and it’s just a contest. You fill out the card and cross your fingers to win, but by doing so, you just opened yourself up for a resurgence in junk mail and telemarketing calls.
Those contests that pop up in malls, festivals and sporting events are less about giving away a free vehicle and more about collecting consumer data. When you fill out the card, you have a minuscule chance of winning the bike (or boat, or car, or RV), but you usually DO give the company conducting the contest the right to contact you with other offers. In fact, other contests, brochures, catalogs and offers may also start to appear in your mail as your information is sold to third parties. You will also get phone calls, and they often start with something like, “Ms. Smith, you filled out an entry form at the Bass Pro Shop in June of 2006, and we’re calling to extend another great offer to you…” It can take years for the calls to stop, even if you tell them point-blank to take you off their lists. Unfortunately, this is the voice of experience talking; I didn’t win the boat I registered for, but I still get calls with new offers to this day.
The same advice goes for sweepstakes forms you receive in the mail. If you want to enter to win that fabulous grand prize, read the fine print and see whether you can “opt-out” of being put on any mailing lists when you enter. If you can’t stay off their mailing lists, don’t enter the sweepstakes! Your low odds of winning don’t compensate for the high odds of getting more junk mail. The contact information for the people who enter those contests is almost always sold or rented to other contest companies, sweepstakes and lotteries.
The bottom line is this: No matter what contest you enter, whether at the mall or in your mail, ALWAYS check the contest rules to see how your information will be used. Some contests are more likely to be the source of future junk mail headaches for you than others, and the fine print will usually disclose that information if you investigate. Look for any suggestion that you’re giving consent to receive future information, extra offers or additional communications.
If you do fill out that contest form and regret it later, what can you do to stop the sweepstakes junk mail from rolling in? You can start by calling the company sending the information. They usually print a number on their forms, so you can contact them and ask to be removed. Sometimes, the company will include a reply envelope in their pile of junk mail (with which you’re supposed to enter the contest that they’re advertising), so you can try putting instructions in that envelope to remove you from the mailing list and then send it back to the company.
And the next time you see the seemingly-innocuous kiosk at the mall that advertises a free car to a lucky winner who fills out an entry form, keep walking.
Sources for this article: The Maryland Attorney General’s Consumer Publications, Privacy Rights Clearinghouse, Contests at About.com
Warning! You Might Be Fooled Into Clicking This Pop-Up
Have you ever been clicking your way through cyberspace, when suddenly, a very important-looking window pops up? It usually looks like it’s part of Microsoft Windows, and it says something like, “Warning! Your computer is at risk! Click ‘OK’!” Do you click on it? Is your computer really at risk? Is Windows trying to tell you something?
By now, you’ve probably figured out where this is going: that pop-up is a scam, something known as “scareware.”
Those who DO click “OK” on the serious-looking window, fearing that their PC is actually in danger, usually start a download of malware onto their hard drives. The program pretends to run a scan and tells the user that the computer has lots of “critical problems” that must be fixed. Of course, those mysterious problems conveniently get “fixed” only if the customer buys the full version of the repair software for roughly $40. The whole thing is an elaborate scam, one that is both illegal and incessant; one IP address appears to have received the pop-up at least 200 times in a single day.
It’s a “blatant rip off of consumers,” Washington State Attorney General Rob McKenna said, as reported on CNET news. He said that users were “duped into downloading a fake scan and then duped into paying for software they don’t need.”
These pop-ups have been around long enough for most of us to encounter one at least once, but now there is some news on the scareware front. Microsoft and the Attorney General’s office in Washington state filed or amended lawsuits last month against companies including Alpha Red, Branch Software, SMP Soft and Registry Update, all of which allegedly use the fake security warnings to scare users into spending money on a fix. In some of the cases, the defendants are listed as “John Doe” because the owners of the companies aren’t known. In the case of Alpha Red and Branch Software, James Reed McCreary is the owner named in the lawsuits. His Texas-based company sells a scam product called Registry Cleaner XP for $40. The lawsuits charge McCreary and the other companies with misrepresentation, harassment, and high pressure sales. The state of Washington seeks an injunction and undisclosed civil penalties from McCreary.
The lawsuits were made possible by Washington’s Computer Spyware Act, which makes it illegal to display alarming messages that appear to come from somewhere else (in this case, Windows) in order to frighten people into buying software. The act took effect in 2005, and its first test came when Microsoft and Washington state went after Secure Computer (makers of Spyware Cleaner) over scareware pop-ups, a case that cost the company $1 million. The law was recently updated to cover the sort of deception that McCreary and others allegedly conducted. The state has filed seven cases under the law since 2005, while Microsoft has filed 17 spyware-related legal actions in that time.
In the current case, consumers who have experienced the scareware ads can file their own lawsuits if they wish. Since many people have a healthy fear of a security breach on their computer, the messages work particularly well when the scammers play on that fear, suggesting that personal privacy and security are at stake. The defendants, if convicted in the current lawsuit, face fines of up to $2,000 per violation, plus restitution and attorney fees. We’ll keep you posted on the results and any future lawsuits brought against the companies.
So what should you do if the “Warning!” pop-up appears on your screen? Don’t click the red X in the upper right corner of the window, for one thing, says Christopher Null of Yahoo! Tech Blogs. It looks like the button that makes a real Windows dialog go away, but this isn’t a Windows dialog at all; it is a picture of one drawn by the web page, and every part of it, the X included, may be a link that starts the malware download. Instead, close the window from the Windows taskbar at the bottom of the screen: right-click the pop-up’s entry there and choose Close. Failing that, close your browser entirely and start it again.
Just don’t click “OK”… It’s anything BUT okay.
Sources for this article: Yahoo! News, Yahoo! Tech News, Yahoo! Tech Blogs, CNET news, Scareware, Seattle Post Intelligencer
Clickjacking: Big Problem, Not Much Solution (Yet)
This week’s security threat: clickjacking.
Clickjacking is the latest in a series of security threats to web surfers. The United States Computer Emergency Readiness Team (US-CERT) issued a warning about clickjacking on September 26, and the news has spread quickly. In a clickjacking attack, a harmless-looking page loads another site (your webmail, your bank, a settings dialog) in an invisible frame and positions it over what you actually see, so a click on what looks like an innocent button lands on a button in the hidden site instead. Because it is the visitor’s own browser, logged in as usual, that delivers the click, the hidden site treats it as a genuine action by the user. Matt Hines of Security Watch describes it like this: “Essentially, if hackers using a clickjacking attack tricked you into visiting one of their URLs, they could take control of your browser and begin secretly forcing the client to click on any links they desired. Scary stuff indeed!”
Clickjacking affects every major web browser and the Adobe Flash player, because it abuses ordinary features of how pages are layered rather than a single bug in one product. One recently revealed consequence is that an attacker can switch on a visitor’s webcam and microphone without their knowledge: the Flash player’s privacy settings dialog is loaded invisibly over the attacker’s page, and the visitor is tricked into clicking its “Allow” button. The ramifications of this sort of spying are powerful, and the industry is on high alert.
Robert Hansen, CEO of SecTheory, and Jeremiah Grossman, CTO of WhiteHat Security, discovered the vulnerability and were scheduled to speak about it at the Open Web Application Security Project NYC AppSec conference in New York last month. The talk was put off, however, until the various browser companies could take a stab at fixing the problem. There was no sense, after all, in tipping off hackers about the problem before there were solutions to be found.
So far there is some success, though not as much as one might hope. The free Firefox add-on NoScript has been updated to combat clickjacking attempts. Italian developer Giorgio Maone calls the update “ClearClick”: whenever the user clicks or types into an embedded page or plug-in, it compares what the user saw with what is actually under the pointer, and if that element is hidden, transparent or obstructed it blocks the interaction and shows the user the concealed content, giving them a chance to back away from the potentially dangerous page. But NoScript only works with Firefox and other Mozilla-based browsers, so what about the Adobe Flash player, Internet Explorer and the rest?
Just the other day, Adobe released a workaround for the flaw in its Flash player in order to deny hackers access to web cams and microphones. They promise to release a true fix by the end of the month. US-CERT and others suggest disabling browser scripting and plug-ins on our individual browsers, but that can limit the functionality of many websites, and it’s still not a comprehensive fix. Joe Wilcox of Microsoft Watch notes that Microsoft’s reaction to the clickjacking threat has been somewhat tepid, but perhaps with reason. One difficulty with software companies and how they address the threat lies in the fact that so little information has been released; while that’s good for avoiding exploitation of the flaw, it’s not great for assessing the true risk (although US-CERT’s warning is dire enough to take clickjacking seriously). One thing everyone can agree on: The problem is real, but there’s no easy fix, at least for now.
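To make the mechanism concrete, here is an added Python example; it is not code from the article, from Hansen and Grossman, or from NoScript. The first function builds the attacker’s decoy page: a near-transparent iframe of the target site is layered above a tempting button, so the visitor’s click goes to whatever the target renders at that spot. The second function evaluates the server-side protection that browsers later standardised and that the article, written before it existed, does not mention: the Content-Security-Policy frame-ancestors directive and the older X-Frame-Options header. The URLs and header values used to exercise it are constructed for the example.

```python
"""Clickjacking: the overlay trick, and the response headers that stop it.

Added example, not from the article or the researchers it cites.
"""
from urllib.parse import urlsplit


def decoy_page(target_url, left=100, top=120, bait="Win this bike!"):
    """The attacker's page. The visitor sees only the bait button; the
    target site sits on top of it in an almost invisible iframe, so the
    click lands on whatever the target renders at that position."""
    return (
        "<!doctype html><title>Free prize</title>\n"
        f'<button style="position:absolute;left:{left}px;top:{top}px">{bait}</button>\n'
        f'<iframe src="{target_url}" style="position:absolute;left:0;top:0;'
        'width:800px;height:600px;border:0;opacity:0.01;z-index:2"></iframe>\n'
    )


def _origin(url):
    """(scheme, host, port) with default ports filled in."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    port = p.port or {"http": 80, "https": 443}.get(scheme)
    return scheme, (p.hostname or "").lower(), port


def _host_source_matches(src, embedder):
    """Match one CSP host-source or scheme-source against the embedder origin."""
    scheme, host, port = embedder
    if src == "*":
        return True
    if src.endswith(":") and "//" not in src:   # scheme-source such as "https:"
        return src[:-1].lower() == scheme
    if "://" in src:
        src_scheme, rest = src.split("://", 1)
        if src_scheme.lower() != scheme:
            return False
    else:
        rest = src   # scheme omitted: accept any scheme (the spec is slightly stricter)
    src_host, _, src_port = rest.partition(":")
    if src_port and src_port != "*" and int(src_port) != port:
        return False
    src_host = src_host.lower()
    if src_host.startswith("*."):   # *.example.com matches a.example.com, not example.com
        return host.endswith(src_host[1:])
    return host == src_host


def framing_allowed(headers, embedder_url, target_url):
    """Would a browser render target_url inside a frame on embedder_url?

    frame-ancestors, when present, takes precedence over X-Frame-Options.
    With neither header, or an unrecognised X-Frame-Options value, the
    page can be framed: that is the situation the article describes."""
    h = {k.lower(): v for k, v in headers.items()}
    embedder, target = _origin(embedder_url), _origin(target_url)

    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() != "frame-ancestors":
            continue
        sources = value.split()
        if not sources or any(s.lower() == "'none'" for s in sources):
            return False
        for s in sources:
            if s.lower() == "'self'":
                if embedder == target:
                    return True
            elif _host_source_matches(s, embedder):
                return True
        return False

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return embedder == target
    parts = xfo.split()
    if len(parts) == 2 and parts[0] == "ALLOW-FROM":   # obsolete single-origin form
        return _origin(parts[1]) == embedder
    return True
```

The point of the checker is the default case: a site that sends neither header is framable by anyone, which is why browser-side measures like ClearClick were the only protection available when the article was written.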
Sources for this article: Yahoo! News, Computer World, PC Magazine, Adobe, US-CERT, Security Watch, Microsoft Watch
October is National Cyber Security Awareness Month
Across the country this month, cyber security professionals, software companies and government agencies are working to raise awareness of online security issues by encouraging people to protect their computers, educate themselves and take responsibility for online security. The Department of Homeland Security’s National Cyber Security Division (NCSD) is sponsoring this fifth annual event and partnering with the National Cyber Security Alliance (NCSA), a nonprofit organization funded by public and private institutions, and the Multi-State Information Sharing and Analysis Center. By teaming up with companies like Microsoft and AOL and encouraging other organizations to participate with their own events, the NCSD and NCSA can publicize those organizations’ efforts and continue to provide safety education, events, tips and forums for everyone from the average home computer user to the small business owner and local government office.
Why have a whole month dedicated to cyber security? We’ve noted before on this site that attacks on personal privacy, security and identity are plentiful online. As Homeland Security Secretary Michael Chertoff noted on the DHS website, “Cyber attacks are increasing in sophistication and frequency every day. They include a broad spectrum of nefarious activity – from an individual hacker, to an organized criminal group stealing information or identities, to nation states engaged in cyber espionage.” Taking action to protect individual privacy and security is one of the main themes of the articles we post here at Privacy Council. We know that simple precautions and protective steps can go a long way toward keeping one’s identity safe, and this month is dedicated to spreading the word and educating consumers about what they can do to protect themselves online.
The NCSD and NCSA offer several tips to increase personal privacy and security online. Some of them include:
- Using anti-virus and anti-spyware software, as well as a firewall, on your computer
- Creating strong passwords and never sharing them with anyone
- Backing up your important files
- Not clicking on links in suspicious emails or giving out sensitive information via email (see Privacy Council’s articles on phishing and on harmless-looking email attacks)
- Monitoring your children’s online activity and not letting them give out sensitive information online (see Privacy Council’s article on child identity theft)
- Subscribing to the National Cyber Alert System for the latest updates on cyber threats and security issues
- Involving your school or organization in cyber security awareness (EDUCAUSE’s cyber research kit is available for download)
Want to participate in an event to learn more about cyber security? The proclamation of National Cyber Security Awareness Month received 51 endorsements from non-profits, educational institutions, government agencies and companies this year, and many of those are offering educational events this month. Any events that the NCSA knows about are publicized on the organization’s events page. If you don’t see one that you can attend, try contacting your nearest school, college or local government to see whether they plan to offer any cyber safety seminars or events in October. Many agencies are participating at the local or state level; for example, Illinois State University is providing four weeks of online safety topics to educate students and staff about issues ranging from peer-to-peer file sharing to identity theft to viruses and spyware. Several states away, Minnesota’s Enterprise Security Office is holding five security awareness events at various Minnesota state agency cafeterias throughout October.
Whether you attend an event or not, help spread the word to others so that they, too, can be educated in the ways to protect their online security. And not just this month, but whenever possible. Online security is everyone’s responsibility!
Looking for a job? Your private life might get in the way
The latest from Reuters: According to a survey done by Careerbuilder.com, 22 percent of potential employers check the web identities of potential new hires. That’s up from 11 percent just two years ago. And what’s more, a third of the potential employees who are checked out online are ruled unacceptable for the job they want because of what their prospective bosses find. Suddenly, the line between work life and personal life has become more blurry than ever.
We all know that our private lives have become less private since the advent of blogging, social networking and our other Internet activities. Millions of us have profiles at sites like Facebook, LinkedIn, MySpace, Friendster, Cafemom… The list goes on. It’s easy to pretend that these profiles (and the photos, information and updates posted to them) are seen only by family and friends, but the reality is that public profiles are just that – public. And increasingly, employers are checking out these profiles in an effort to find out more about their job candidates than what appears on a resume.
It makes sense. Many people let their guard down in their profiles, posting photos of spring break or blog entries about questionable activities. In the past, there have been cases of people getting fired over what they’ve written in their blogs, but now, our social networking activities can sabotage our job chances before we even get in the door. Of the one-third of potential new hires who were dropped from consideration because of what a boss found out about them online, almost half were cut because of information about drug or alcohol use. Other factors included lying about qualifications and posting about illegal activities. Why should your personal life matter, you might ask? According to the New York Times, what you post online says a lot about your judgment, maturity and professionalism. What you allow to be viewed by everyone says a lot about who you are, and sometimes, that’s too much information.
If you think that one out of five bosses is a fairly low number to be using this method of checking out a job candidate, consider this: another nine percent of bosses said that they were planning to start looking up candidates’ web presences in the future, and there’s every reason to believe that the numbers will continue to increase as social networking continues to expand. For many people, their “true selves” are online, and employers want to get to know these true selves before committing to offering a position. Each individual with a profile is leaving an “online footprint,” and for most of them, the photos and content posted will continue to exist online for a long time to come, potentially hurting their chances of getting or keeping a job.
Before you rush out and delete every social networking profile you have, though, remember that protecting your privacy (and projecting the best possible image of yourself) doesn’t have to mean vanishing into obscurity. After all, 24 percent of the bosses who checked out web profiles said that what they found actually SOLIDIFIED their decision to hire a candidate. So depending on what you put in your profile, you might actually help your cause. According to Reuters, “Top factors that influenced their hiring decision included candidate’s backgrounds supporting their qualifications for the job, proving they had good communications skills, and having a site that conveyed a professional image with a wide range of interests.”
The idea of using a web presence to increase one’s desirability in the job market is fast taking hold; 16 percent of job seekers surveyed said that they’ve already tweaked their profiles to make themselves more job-friendly, and some people are even going the route of hiring others to clean up their online selves for them. ReputationDefender.com charges a range of fees to do searches of job candidate names and help make sure that photos or content that can make someone look bad are not anywhere to be found via an online search for that person. DefendMyName.com is another source that works for both individuals and companies to clean up online image.
Want to do what you can to maintain your privacy AND your chance of getting that job? It’s in your hands to keep your privacy safe when using social networking sites or blogging software. First, Google yourself and see what comes up. In some cases, the results can make you look bad without cause; for example, one college senior who Googled himself discovered a satirical essay he had written, called “Lying Your Way to the Top,” which was probably counting against him in his job search. Once he requested that the website that posted the essay take it down, he started receiving job interviews and offers. Clearly, Googling oneself is like checking one’s credit periodically; it helps to know what’s on the record.
Next, go through your profiles with a fine-toothed comb, removing any questionable photos, comments, blog entries, etc. Remove any “friends” from your list who aren’t actually your friends or who might prove to be detrimental connections if seen by an employer (the guy with 1,800 “friends” whom you’ve never met who likes to leave raunchy messages on everyone’s profile might be someone to cut from your list). You can set your privacy settings so that only approved friends can see your profile, but some employers admit to knowing ways around that. Try to view your content from the perspective of someone who is looking to bring you into a workplace. If possible, have an impartial acquaintance view your profile with a fresh eye and let you know of anything that raises a red flag. Make sure to emphasize positives, like charity efforts, varied hobbies and interests, and especially anything that pertains to the field in which you’re trying to work.
Then, continue the upkeep of your profiles. Don’t approve friends for your list unless you actually know them or trust them. Be cautious of features like Facebook photo tagging, since that makes it possible for other people to post photos of you that link to your profile. Don’t post ranting blog entries that might paint you in a negative light. Remember, you control your privacy at social networking sites and blogs, so be proactive and put your best self out there.
Sources for this article: Reuters News, Reuters Lifestyle, The New York Times, CBS News.
You’ve heard of spamming… How about cramming?
Telemarketers are bad enough; at least you know they’re trying to sell you something. But when entering a contest or calling an 800 number leads to unexpected charges “crammed” onto your telephone bill, the annoyance becomes a full-on headache.
“Cramming” happens when fees appear on a phone bill for services the consumer didn’t authorize or agree to. In some cases, consumers may have been tricked into agreeing to the services through a deceptive tactic that signs them up for real or imaginary services (with hefty fees) that they don’t want. Crammed charges can be hard to catch at first because most consumers find phone bills inherently confusing, but an unexpected increase on a phone bill can indicate that you’ve been crammed.
Can this actually happen? As it turns out, it can. The crammers make their money off of a telecommunications system that allows phone companies to charge for services on behalf of other companies. The phone company itself is not actually involved in the transaction, but they do funnel the charges, legitimate or otherwise, to the companies that solicit them. Here are two major examples of cramming tactics that have duped many consumers:
• The victim signs up to enter a contest at a kiosk or display. The fine print of the entry form, which is confusing at best, notes that the victim is signing up for a service by filling out the form. Later, the service is charged to the victim’s phone number, which the victim wrote on the entry form. The victim may never even receive the service, just the fees for it. This can also happen when a victim receives a sweepstakes offer in their junk mail.
• The victim calls an 800 number that is advertised as a free dating line, psychic line, way to meet local people, etc. The “free” service is anything but. The victim is usually prompted to say “I want the service,” and by doing so, they end up enrolled for a club or service program that is billed to the number that the victim is calling from. Often, there is no live operator or anyone available to answer questions about what the victim has just agreed to. Again, the service or club might never even exist in the first place.
What do cramming charges look like on your phone bill? They can be vague, for one thing. When checking your bill, look for charges labeled “other fees,” “voice mail,” “membership,” “psychic” or just “service charges.” If you didn’t authorize them, they shouldn’t be there. Another variation of cramming is when you DO authorize a charge, but it turns out to be much higher than you were told it would be. Look for those inflated charges, as well. Finally, check for fees that recur each month but don’t come with much explanation, such as “monthly maintenance fees.”
Individual consumers aren’t the only targets of crammers; businesses are often the victims. An example is when a crammer calls the company to “verify information for the yellow pages,” only to quickly sign the company up for a pay-per-month service. Business crammers smooth-talk their way into the money by calling a random employee at a company and stringing together several questions quickly, one of which usually asks the employee whether they’re authorized to make decisions about the phone account (the employee, after having said “yes” to a variety of general questions about the business, usually gets tricked into saying “yes” to this, too). In the end, the crammer signs up the company for a questionable service, such as a directory listing, which might not exist but which adds a recurring charge to the company phone bill.
One alleged crammer, Spoonfull.com, is under scrutiny from various state attorneys general because customers claim that they were billed small amounts of money for directory listings that they didn’t authorize (and in which they don’t even appear, in the end). Another accused crammer is Epixtar Corp., which is facing lawsuits in two states and had to work out an agreement in 2004 when the FTC brought a lawsuit alleging unfair and deceptive practices in connection with Epixtar’s sales of an Internet service (Epixtar admitted no wrongdoing in the agreement, of course). Companies like Epixtar deny any wrongdoing because they claim to have phone records proving that the victims authorized the service. That’s where it becomes important to note that agreements gained through fast-talking tricks, intentional confusion and even phone record alteration do not count as authorizations.
What can consumers do to avoid being crammed? To start with, review your phone bill every month and look for suspicious charges. Even tiny ones can be suspicious; some crammers bill amounts of just a few dollars at a time so as to not be as easily caught when the bill comes. If you don’t know where a charge came from, call the billing company and request an explanation of the charges. If necessary, call your phone company and ask them how to remove unauthorized charges from your bill.
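The monthly review described above can be turned into a simple checklist run over the bill’s line items. The script below is an added example, not part of the original article: it takes a constructed bill in an assumed “month | label | amount” layout, a list of the charges the customer knowingly agreed to (with the amount quoted), and flags the three patterns the article describes: vague or unrecognised labels, an authorized charge billed above the quoted amount, and a non-authorized fee that shows up every single month. The bill, the label list and the authorized amounts are all made up for illustration.

```python
"""Flag likely 'crammed' charges on a phone bill.

Added example, not from the original article. The bill layout
('YYYY-MM | label | amount'), the authorized-charge list and the sample
figures below are constructed assumptions for illustration only.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Labels the article names as typical of crammed charges.
VAGUE_LABELS = {"other fees", "voice mail", "membership", "psychic",
                "service charges", "monthly maintenance fees"}


class Charge(NamedTuple):
    month: str     # billing month, e.g. "2008-10"
    label: str     # line-item description, lower-cased for matching
    amount: float


class Finding(NamedTuple):
    kind: str      # "vague", "unknown", "inflated" or "recurring"
    month: str     # billing month, or "all" for a recurring pattern
    label: str
    amount: float  # the charge, or the total across months for "recurring"


def parse_bill(text: str) -> List[Charge]:
    """Parse constructed 'YYYY-MM | label | amount' lines into Charge records."""
    charges = []
    for line in text.strip().splitlines():
        month, label, amount = (part.strip() for part in line.split("|"))
        charges.append(Charge(month, label.lower(), float(amount)))
    return charges


def flag_charges(charges: List[Charge], authorized: Dict[str, float]) -> List[Finding]:
    """Return the charges worth questioning.

    authorized maps a label the customer knowingly agreed to -> the amount
    they were quoted for it. Anything else is treated as unauthorized.
    """
    findings: List[Finding] = []
    months_by_label = defaultdict(set)
    total_by_label = defaultdict(float)
    all_months = {c.month for c in charges}

    for c in charges:
        if c.label in authorized:
            # Authorized label, but billed above the quoted amount -> inflated
            if c.amount > authorized[c.label] + 0.005:
                findings.append(Finding("inflated", c.month, c.label, c.amount))
            continue
        # Not authorized at all: vague labels are the classic cramming wording
        kind = "vague" if c.label in VAGUE_LABELS else "unknown"
        findings.append(Finding(kind, c.month, c.label, c.amount))
        months_by_label[c.label].add(c.month)
        total_by_label[c.label] += c.amount

    # An unauthorized charge present in every month is the recurring-fee pattern,
    # even when each individual amount is small.
    for label, months in months_by_label.items():
        if len(all_months) > 1 and months == all_months:
            findings.append(Finding("recurring", "all", label,
                                    round(total_by_label[label], 2)))
    return findings


def review_bill(text: str, authorized: Dict[str, float]) -> List[Finding]:
    """Parse a bill and return every finding in bill order, recurring last."""
    return flag_charges(parse_bill(text), authorized)


# Constructed three-month bill: "Voice mail" was never ordered, "Caller ID"
# jumps above its quoted price in October, and a one-off "Other fees" appears.
SAMPLE_BILL = """
2008-08 | Local service | 24.95
2008-08 | Caller ID     | 3.00
2008-08 | Voice mail    | 6.99
2008-09 | Local service | 24.95
2008-09 | Caller ID     | 3.00
2008-09 | Voice mail    | 6.99
2008-10 | Local service | 24.95
2008-10 | Caller ID     | 5.95
2008-10 | Voice mail    | 6.99
2008-10 | Other fees    | 2.49
"""
# Charges the customer actually agreed to, with the quoted amount (constructed).
AUTHORIZED = {"local service": 24.95, "caller id": 3.00}

if __name__ == "__main__":
    for f in review_bill(SAMPLE_BILL, AUTHORIZED):
        print(f"{f.kind:9} {f.month:8} {f.label:14} {f.amount:6.2f}")
```

Run against the sample, the script reports the voice mail line in every month (and again as a recurring fee totalling 20.97), the inflated caller ID charge in October, and the vague “other fees” line. The authorized list is the important input: keep it updated whenever you genuinely add a service, so that anything not on it stands out the month it first appears.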
If calling the billing company and the phone company get you nowhere, there are other methods for handling the cramming. You can contact the FCC for charges related to telephone services between states, or the FTC for non-telephone services on your phone bill. You can also contact your state Attorney General’s office. The link to file a complaint with the FCC is here; the link for the FTC is here.
Don’t let yourself or your company be crammed; educate your employees, family members, and anyone who answers your phone about what to do if someone calls in this manner. Of course, remind them that the “free” services advertised in contests, telemarketing calls and junk mail are rarely as free as they seem. In the end, the best advice comes from a former Epixtar employee who spoke to MSNBC: When you get a call from a solicitor, hang up.
Sources for this article: MSNBC, FTC, FCC, PCWorld.About.com. Photo courtesy of http://www.freedigitalphotos.net.