Scam of the day – October 22, 2016 – Massive DDoS attack hits Eastern United States

October 21, 2016 Posted by Steven Weisman, Esq.

For a few hours yesterday many Internet users on the East Coast of the United States were unable to reach some of the most popular destinations on the Internet, including Amazon, Twitter, Spotify, Netflix and PayPal, as a result of a massive Distributed Denial of Service (DDoS) attack on Dyn, a prominent Domain Name System (DNS) provider that answers the name lookups for the attacked companies’ websites.  DNS providers permit you to type in a simple web address, which then gets translated into the numeric Internet address of the company’s server so that your browser can connect to it.  The companies’ own servers were not attacked; when the DNS lookup fails, your computer simply cannot find them.  A DDoS occurs when a target gets flooded with an overwhelming amount of traffic from many sources at once, so that it can no longer answer legitimate requests.  Often the traffic comes from a botnet, an army of computers belonging to unsuspecting people that have been infected and can be remotely commanded to send the huge volume of communications necessary to cause a DDoS.  This problem has become magnified as cybercriminals infiltrate and incorporate into their botnets not just computers, but also the myriad devices that make up the burgeoning Internet of Things.  Anything that is connected to the Internet can be hacked and made part of a botnet.  Too often, these Internet of Things devices are poorly protected with weak or factory-default passwords and are easily hacked.
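
The failure mode described above, as an added example that is not part of the original post: a small model of a caching resolver sitting in front of an authoritative DNS server.  The hostname shop.example, the address 203.0.113.10 and the 300-second TTL are constructed, and the "authoritative server" simply stops answering to stand in for a flooded provider.  It shows that the companies’ web servers stayed up, that resolvers holding a fresh cached answer kept working until the record’s TTL ran out, and that a resolver willing to serve a stale record (the behaviour later standardised as RFC 8767) would have kept working throughout.

```python
"""Model of why a DDoS on an authoritative DNS provider takes sites 'offline'.

Added illustration, not from the original post.  The zone data, hostname and
TTL below are constructed; the authoritative server stands in for a provider
like Dyn and simply stops answering while it is flooded.
"""
from dataclasses import dataclass


class AuthoritativeServer:
    """Holds name -> (ip, ttl) records; 'available' flips to False during the flood."""

    def __init__(self, zone):
        self.zone = dict(zone)
        self.available = True

    def query(self, name):
        if not self.available:
            raise TimeoutError(f"no answer from authoritative server for {name}")
        if name not in self.zone:
            raise LookupError(f"NXDOMAIN {name}")
        return self.zone[name]


@dataclass
class CachedRecord:
    ip: str
    ttl: int
    fetched_at: int


class CachingResolver:
    """Recursive resolver (like an ISP's) that caches answers for their TTL.

    serve_stale=True keeps returning an expired record when the upstream is
    unreachable, the behaviour standardised later as RFC 8767 'serve stale'.
    """

    def __init__(self, upstream, serve_stale=False):
        self.upstream = upstream
        self.serve_stale = serve_stale
        self.cache = {}

    def resolve(self, name, now):
        rec = self.cache.get(name)
        if rec is not None and now - rec.fetched_at < rec.ttl:
            return rec.ip, "cache"              # fresh answer, upstream never contacted
        try:
            ip, ttl = self.upstream.query(name)
        except TimeoutError:
            if rec is not None and self.serve_stale:
                return rec.ip, "stale"          # expired but better than nothing
            raise
        self.cache[name] = CachedRecord(ip, ttl, now)
        return ip, "authoritative"


def connect(resolver, name, now):
    """A client: look the name up, then 'connect'.  Returns what the user sees."""
    try:
        ip, source = resolver.resolve(name, now)
    except TimeoutError:
        return "DNS lookup failed; site unreachable"
    return f"connected to {ip} (answer from {source})"


def simulate():
    """Replay the outage with a warm resolver, a cold one and a serve-stale one."""
    zone = {"shop.example": ("203.0.113.10", 300)}   # constructed: 5-minute TTL
    auth = AuthoritativeServer(zone)
    warm = CachingResolver(auth)                 # looked the name up before the flood
    cold = CachingResolver(auth)                 # first query arrives during the flood
    stale = CachingResolver(auth, serve_stale=True)

    results = {}
    results["before"] = connect(warm, "shop.example", now=0)
    connect(stale, "shop.example", now=0)        # warm this cache too

    auth.available = False                       # flood starts; web servers are fine
    results["warm_during"] = connect(warm, "shop.example", now=120)
    results["cold_during"] = connect(cold, "shop.example", now=120)
    results["warm_after_ttl"] = connect(warm, "shop.example", now=600)
    results["stale_after_ttl"] = connect(stale, "shop.example", now=600)

    auth.available = True                        # traffic scrubbed, provider recovers
    results["after"] = connect(cold, "shop.example", now=900)
    return results


if __name__ == "__main__":
    for stage, outcome in simulate().items():
        print(f"{stage:16} {outcome}")
```

The stages print in order, and they match what users experienced: someone behind a resolver that had recently looked the name up could still reach the site for a few minutes, while someone behind a cold resolver could not, even though nothing at the site itself had changed.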

While this particular DDoS was remedied after a few hours, the threat of DDoS attacks continues to increase.  Banks and other financial institutions have found themselves particularly targeted in the last year by DDoS attacks.  The potential for major disruption of the Internet by DDoS attacks is significant.


There is little that we as consumers can do to stop a DDoS attack other than to maintain the security of our own computers and Internet-connected devices so that they do not become part of a botnet.  Companies, however, should be taking a number of steps to protect themselves from future DDoS attacks beyond the usual firewalls and routers configured as well as they can be to reject malicious traffic: using load balancers to spread traffic across multiple servers and create additional capacity, subscribing to cloud-based services that identify and divert malicious traffic before it reaches them, and, as this attack showed, not depending on a single DNS provider for their sites to be reachable at all.

Already we have seen the threat of DDoS attacks used to extort money from companies, and the danger is growing because cybercriminals now sell the malware necessary to carry out such attacks on the Dark Web, the part of the Internet where cybercriminals do business.  Cybercriminals can also rent the use of existing botnets on the Dark Web to carry out their crimes without building one themselves.

Scam of the day – October 21, 2016 – Report issued critical of IRS efforts to fight identity theft

October 21, 2016 Posted by Steven Weisman, Esq.

Yesterday, the Treasury Inspector General for Tax Administration (TIGTA) issued a report on its investigation into the IRS’ electronic authentication controls.  The investigation was prompted by identity thieves using the IRS’ Get Transcript program to obtain prior-year income tax returns of an estimated 724,000 taxpayers and then using the information in those returns to file phony returns in the victims’ names and collect fraudulent refunds.  The IRS did not become aware of the vulnerability of the Get Transcript program until May of 2015, when it shut the program down; it was reintroduced in June of 2016 with what the IRS said was increased security.  The idea behind the Get Transcript program was a good one, namely permitting taxpayers to get copies of their tax returns from previous years conveniently and electronically.  An essential element of such a program is a strong authentication process to keep identity thieves away from this sensitive material, and unfortunately the authentication protocol used by the IRS was quite inadequate and did not meet industry standards, resulting in a data breach affecting 724,000 taxpayers.  In one instance cited in the TIGTA report, the IRS failed to notice an attacker attempting to gain access to a single victim’s tax return 902 times in a 24 hour period, a volume that basic rate limiting or account lockout would have caught.
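
A check that would have caught the 902-attempt pattern, as an added example that is neither the IRS’ code nor anything the TIGTA report describes: a sliding-window velocity check over authentication attempts, run over a constructed log.  The log format (timestamp, source address, account identifier, result), the account identifiers, the addresses and the limits of five attempts per account and fifteen per source address in 24 hours are all assumptions for illustration.

```python
"""Sliding-window velocity check on authentication attempts.

Added example, not from the IRS or the TIGTA report.  The log format, the
account identifiers, the addresses and the thresholds are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def parse(line):
    """Assumed log line format: '<ISO timestamp> <source ip> <account> <result>'."""
    ts, ip, account, result = line.split()
    return datetime.fromisoformat(ts), ip, account, result


def velocity_alerts(lines, per_account=5, per_ip=15, window=timedelta(hours=24)):
    """Return (timestamp, key kind, key, count) each time a key crosses its limit.

    Attempts are counted whether they succeed or fail: an attacker who finally
    guesses right still produced the burst.  Lines must be in chronological
    order for the sliding window to be correct.
    """
    recent = {"account": defaultdict(deque), "ip": defaultdict(deque)}
    limits = {"account": per_account, "ip": per_ip}
    alerts = []
    for line in lines:
        ts, ip, account, _result = parse(line)
        for kind, key in (("account", account), ("ip", ip)):
            attempts = recent[kind][key]
            attempts.append(ts)
            while ts - attempts[0] >= window:       # drop attempts outside the window
                attempts.popleft()
            if len(attempts) == limits[kind] + 1:   # the attempt that crosses the limit
                alerts.append((ts.isoformat(), kind, key, len(attempts)))
    return alerts


def build_sample_log():
    """Constructed log: two ordinary logins plus a 30-attempt burst at one account."""
    t0 = datetime(2015, 5, 20, 8, 0, 0)
    lines = [
        f"{t0.isoformat()} 203.0.113.5 TAX-2002 fail",
        f"{(t0 + timedelta(seconds=40)).isoformat()} 203.0.113.5 TAX-2002 success",
        f"{(t0 + timedelta(hours=3)).isoformat()} 203.0.113.9 TAX-3003 success",
    ]
    for i in range(30):                      # one attempt per minute from two addresses
        ts = t0 + timedelta(hours=1, minutes=i)
        ip = "198.51.100.7" if i % 3 else "198.51.100.8"
        lines.append(f"{ts.isoformat()} {ip} TAX-1001 fail")
    return sorted(lines)                     # ISO timestamps sort chronologically


def analyze():
    """Run the check over the constructed log."""
    return velocity_alerts(build_sample_log())


if __name__ == "__main__":
    for ts, kind, key, count in analyze():
        print(f"{ts} {kind} {key} exceeded its limit: {count} attempts in 24h")
```

The account limit fires on the sixth attempt against TAX-1001 and the source-address limit fires later on the address that sent most of the burst; the two ordinary users never trip either.  Against a real 902-attempt day the account alert would have fired within the first few minutes, which is the point: the volume TIGTA describes is not subtle.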

The TIGTA report made seven specific recommendations for increased IRS security in regard to the electronic authentication process used to gain access to taxpayers’ records, and the IRS has agreed with all seven; however, a number of the recommendations have still not been implemented and the system is still not as secure as it should be.


The best way to avoid income tax identity theft is to file your income tax return as soon as possible because even an identity thief in possession of your Social Security number and other personal information that would enable him or her to file a phony income tax return in your name would not be able to get a payment from the IRS if you had already filed your return.

Scam of the day – October 20, 2016 – Utility company scam

October 20, 2016 Posted by Steven Weisman, Esq.

The electric utility company National Grid is warning its customers about phony telephone calls in which scammers posing as National Grid employees threaten to turn off customers’ electricity if payment is not made immediately by wired funds or prepaid cash cards such as Green Dot MoneyPak.  Whenever a caller tells you to make a payment by way of a Green Dot MoneyPak card or any other prepaid card, you should be skeptical, because these prepaid cards are a favorite method for scam artists to scam you out of your money.  Once the scammer has the card number, it is the same as cash: you cannot stop the payment or trace to whom the payment was made.  The scammers making these calls posing as National Grid are often quite intimidating and threatening.  Your Caller ID may even indicate that the call is indeed from your utility company, but it is an easy thing for a scammer to “spoof” a call so that it appears to come from your utility company.  You can never be sure who is really calling you when you receive a telephone call, which is why you should never provide personal information or make a payment to someone over the phone unless you have absolutely verified that the call is legitimate.  Although National Grid is warning its customers about this scam, the same scam is being run by other scammers posing as other utility companies as well.


Never make a payment to a utility company in response to a telephone call you receive demanding immediate payment.  No utility will require immediate payment by way of a prepaid cash card, such as the Green Dot MoneyPak card or iTunes gift cards.  If you are behind in your utility payments, call the utility company at a number that you know is accurate and discuss a payment plan with a legitimate representative of the utility company.  If you receive a call about your account that you think might be legitimate, merely hang up and call the customer service number for your utility which you can find on the back of your bill.

Scam of the day – October 19, 2016 – Medicare open enrollment scam

October 19, 2016 Posted by Steven Weisman, Esq.

The open enrollment period for Medicare began on October 15th and continues until December 7th.  This is the only time during the year that people enrolled in Medicare can change their Medicare health plans, Medigap plans and their prescription drug plans.  By now, people already enrolled in Medicare should have received an Annual Notice of Change from their health insurance providers describing any changes to their plans such as the dropping of particular drugs from their prescription drug plan.  If you are satisfied with your plans, you do not need to do anything.

Scammers and identity thieves view the open enrollment period as senior citizen hunting season, because Medicare scams are rampant during this time.  Among the scams are phone calls or emails purporting to be from the Centers for Medicare & Medicaid Services (CMS) informing you that Medicare is issuing new Medicare cards and that in order to continue to receive benefits you need to obtain a new card, which can be done by providing the person contacting you with your Medicare number, which at present is based on your Social Security number.  If you provide this number, you will end up becoming a victim of identity theft.  What makes this scam particularly troublesome is that there is a kernel of truth to it.  Under legislation finally passed last year, Medicare will be required to stop using people’s Social Security numbers as their Medicare identification numbers.  Unfortunately, however, the legislation does not require Medicare to change the identifying numbers of people presently receiving Medicare benefits until seven years from now.

You also may be contacted by someone purporting to be from your insurance company asking  you to verify information.  Again, this is a common tactic of identity thieves trying to trick you into providing information.  You also may be contacted by people claiming to have supplemental insurance programs that will save you thousands of dollars.  Here too, you cannot be sure that they are legitimate when they contact you by phone, text message, email or even regular mail.


Medicare is not issuing new cards to Medicare recipients at this time, and it will never contact you by phone and ask for your Medicare number.  Never give personal information to anyone who calls you on the phone, because you can never be sure who is actually on the other end of the line.  Through a technique called “spoofing,” a scammer can manipulate your Caller ID and make it appear that the call is from the government or some legitimate company when in fact it is from an identity thief who is eager to steal your money.  If you want information you can trust about what insurance plans are available to you and at what cost, merely go to the “Plan Finder” section of Medicare’s website.  If you want to speak with someone on the phone, call Medicare at its 24 hour hotline, 1-800-MEDICARE.

Scam of the day – October 18, 2016 – Update on Home Depot data breach settlement

October 17, 2016 Posted by Steven Weisman, Esq.

As I previously reported, in March of 2016 a settlement was reached between Home Depot and the plaintiffs in a class action on behalf of the victims of Home Depot’s massive data breach, in which some 56 million payment cards were compromised between April and September of 2014.  The settlement provides for a 13 million dollar fund to reimburse victims for out of pocket losses, with an additional 6.5 million dollars set aside to fund identity protection services for affected cardholders.  You are eligible to receive payments through the settlement if you used your credit or debit card at a self checkout lane at Home Depot between April 10, 2014 and September 23, 2014 and your card information was stolen.  You also are eligible for a payment if you received notification that your email address was compromised or if you specifically received a settlement notice informing you that you are a member of the class.  Payments of as much as $10,000 will be made to claimants who suffered out of pocket losses and unreimbursed charges as a result of the data breach.  In addition, affected shoppers can receive payments of $15 per hour for time spent remedying the problems they encountered as a result of the data breach.

Similar to the major data breach at Target a year earlier, Home Depot’s computers and payment processing equipment were compromised after a third party vendor’s computers were hacked, enabling the hackers to steal the credentials the vendor used to access Home Depot’s network and work their way from there to the systems that handled card data.  As an additional part of the settlement, Home Depot committed to make greater efforts at data security.


If you were affected by this data breach, you must file a claim and the deadline for filing a claim is October 29th which is rapidly approaching.  Here is the link to go to in order to file a claim.

However, even if you were not a victim of this particular data breach, it is important to remember that we are only as safe as the weakest security among the places with which we do business.  Greater use of EMV smart chip credit cards will reduce the effects of data breaches aimed at gaining credit card and debit card information, because data stolen from a chip transaction cannot be used to produce a working counterfeit card the way data copied from a magnetic stripe can, but many stores still have not shifted over to the equipment required to process EMV chip cards.  Whenever you can, you should use your EMV chip card.

Also, do not use your debit card for retail purchases.  Limit its use to ATMs.  There are strong laws to protect you from fraudulent use of your credit card, but the laws protecting you from liability in the event of fraudulent use of your debit card are not as strong and you potentially risk losing your entire bank account to which the card is attached.  In addition, even if you report the fraudulent use of your debit card immediately, your bank will freeze your account while it investigates the breach which can be very inconvenient if you need immediate cash or have bills automatically paid from your account.

Scam of the day – October 17, 2016 – Tech support scam

October 16, 2016 Posted by Steven Weisman, Esq.

I have been reporting to you about tech support scams for years; however, as with many scams, this one keeps evolving into new forms although the ultimate goal is still the same.  At its essence, the scam involves being contacted purportedly by Microsoft or Apple in some fashion, either by telephone call or, in its most recent incarnation, by a pop up ad on your computer telling you that problems have been detected on your computer that need to be remedied immediately.  In the case of the latest tech support scam, which is now the subject of a legal action by the Federal Trade Commission (FTC) against five companies as well as the three men behind the scams, Rajiv Chhatwal, Rupinder Kaur and Neeraj Dubey, the pop up ads often include loud alarms or recorded announcements warning you of dire circumstances.  The ads prompt you to call a toll-free number which leads you to a call center in India where the scammers pose as representatives of Apple or Microsoft.  Under this version of the scam they then ask for remote access so that they can diagnose the problem.  Once they have remote access to your computer, they show their victims innocuous screens and directories on their own computers which the scammers say are dangerous malware requiring immediate repair, for which they charge between $200 and $400 and provide nothing of value.


Neither Microsoft nor Apple will contact you by way of such pop up ads offering tech support for which you will be charged, and a genuine security warning from your operating system never asks you to call a telephone number.  It should be noted, however, that Microsoft does regularly issue software security updates, but it does this through automatic updates if you have enabled them or through its website, never through a pop up demanding a call.  If you receive this type of pop up ad purporting to be from Microsoft or Apple and have any thought that it might be legitimate, you should merely contact Microsoft or Apple directly at a telephone number you know is accurate to confirm that the pop up was a scam.

Scam of the day – October 16, 2016 – FTC shuts down telemarketing scam

October 16, 2016 Posted by Steven Weisman, Esq.

At the request of the Federal Trade Commission (FTC), a temporary restraining order has been issued by a judge in the Federal District Court for Arizona temporarily shutting down the operation of a telemarketing scam in which three people, utilizing numerous corporations, lured people into investing thousands of dollars in purported e-commerce websites.  The scammers targeted older people and veterans, from whom they stole millions of dollars with promises of huge profits and fraudulent misrepresentations that the investments were “risk free” and totally guaranteed.  The scammers charged by the FTC are Susan Rodriguez, Matthew Rodriguez and William “Matt” Whitley, who did business under the names “Titan Income,” “Wyze Money,” “Prime Cash,” and “Building Money.”  As alleged by the FTC, the entire operation was a scam and the victims received neither profits nor their investments back when they requested refunds.  The next step in the case against these defendants will be a hearing to replace the temporary restraining order with a preliminary injunction that will stay in effect during the litigation.

Many of the victims of this scam were on the Do Not Call List, which should have been an initial indication to the victims that the “business opportunity” was a scam because calling them to offer a business opportunity was already a violation of the law.


Never invest in anything until you have had a chance to do diligent research into the particular investment.  You should be particularly wary of investment “opportunities” that come your way through unsolicited telemarketers.  Also, the federal Business Opportunity Rule, which was ignored by  the defendants in this case, requires that before you invest in any business opportunity you are provided with a one-page disclosure that provides important facts about the business.  In addition  if, as in this case, you are told how much money you can make, you are required to be given another document with greater details.  For more information about the Business Opportunity Rule, the disclosures you should receive and claims that may not be made by people soliciting investments you can go to this link from the FTC.

Scam of the day – October 15, 2016 – Phony kidnapping scam resurfaces

October 15, 2016 Posted by Steven Weisman, Esq.

I have been warning you about phony kidnapping scams for three years, but recently there has been a resurgence of this particular scam targeting the parents of college students in Virginia, California, Texas, Arizona and elsewhere.

The scam starts with a telephone call informing the person answering the phone that a child or other relative has been kidnapped and if they do not respond by wiring money right away, the relative will be killed.  As with so many scams, we are often our own worst enemy and this scam is no exception.  In many instances, the scammers gather personal information about the intended scam victims from information that the intended victims  or members of their families post on social media.  Armed with this personal information, a scammer can describe the supposed kidnapped victim or provide personal information that would make it appear that indeed they actually do have the person in their custody.  Commonly the ransom demanded is between $600 and $1,900 according to the FBI.


Always be skeptical if you receive such a call.  Never wire money to anyone for anything unless you are totally convinced that what you are doing is legitimate because unlike paying for something with a credit card, once your wired funds have been sent, they are impossible to get back.  Talk to the alleged kidnapper as long as possible, thereby giving someone else with you the time to call  or text the alleged kidnap victim on his or her smartphone.   If the purported kidnapping victim is a young child, call the school to confirm that he or she is safe.   You also could ask the kidnapper to describe your relative as well as provide information, such as his or her birth date, which could be found on a driver’s license, however, it is important to remember that much of this kind of information may be available through social media or elsewhere on the Internet.

Many of these kidnapping scams originate in Puerto Rico or Mexico, so be particularly skeptical if you receive such a telephone call from the Puerto Rico area codes 787 or 939.  Also be wary of calls from Mexico (country code 52), whose area codes are quite numerous but can be found by clicking on this link.

Scam of the day – October 14, 2016 – 1.5 million dollar bounty offered for iPhone hacking

October 14, 2016 Posted by Steven Weisman, Esq.

I have reported to you many times about the “bug bounty” programs used by private companies such as Google and Facebook as well as, more recently, the Department of Defense, which offer a “bug bounty” to vetted hackers who are able to identify vulnerabilities in their web pages and computer networks.  Private companies such as Google and Facebook have long made cash payments to independent hackers who identify vulnerabilities in their computer code, sometimes called white hat hackers to distinguish them from the criminal black hat hackers.  Generally these bounties are between $500 and $15,000; however, Google has doubled the reward that it will pay anyone who finds a flaw in the security of its Chromebook to $100,000.  Google has paid out more than six million dollars in bug bounties since its program was started in 2010.  Apple, which had long resisted paying bounties to people finding the worms in its Apples, announced this past summer an invitation-only program that will pay $25,000 for escaping a sandboxed process to reach a user’s data, $50,000 for gaining access to iCloud account data or running arbitrary code with kernel privileges, $100,000 for extracting confidential material protected by the Secure Enclave and a whopping $200,000 for vulnerabilities in its secure boot firmware.

Private security companies also pay bounties for discovering software flaws in the products we use.  Recently, Zerodium tripled the amount it offers to hackers who can identify previously undiscovered vulnerabilities in iPhones and iPads, to 1.5 million dollars.  Unlike the vendors’ own programs, companies like Zerodium do not report the flaws to the manufacturer to be fixed; they make their money by selling the information to governments as well as private companies.  Earlier this year, the FBI reportedly paid more than a million dollars to an outside party that provided it with a way to unlock the encrypted iPhone of one of the San Bernardino terrorists.


Bug bounties are a positive strategy for businesses and government to enhance cybersecurity.  Facebook even paid a bounty to a ten year old Finnish boy.  Although the ten year old white hat hacker used his talents for good, the fact that a ten year old has the technological sophistication to identify and exploit vulnerabilities in commonly used software should give us all a bit of concern.  As for us as individuals, the best things we can do to protect our own cybersecurity are to install the software updates that fix the flaws these programs uncover as soon as they are released, to keep our anti-virus and anti-malware software up to date on all of our electronic devices, and to refrain from clicking on links or downloading attachments in any form of electronic communication until we have absolutely confirmed that the communication is legitimate.  Otherwise, the risk of downloading malware is too great.

Scam of the day – October 13, 2016 – Vera Bradley stores hacked

October 13, 2016 Posted by Steven Weisman, Esq.

Luggage and handbag manufacturer Vera Bradley announced yesterday that its retail stores suffered a data breach in which the card numbers, customer names, expiration dates and verification codes of customers who used credit and debit cards at its stores between July 25th and September 23rd were stolen by criminals who hacked into the company’s payment processing equipment.  Vera Bradley was notified of the data breach by law enforcement on September 15th.  Generally, breaches like this are discovered in one of two ways: a batch of stolen cards being sold on the Dark Web, where criminals buy and sell stolen card data, turns out to have a common source, or the card issuing banks notice a pattern of fraudulent use that traces back to a single common denominator, namely that the victims all shopped at a particular store.  The stolen data would have been far less valuable to the criminals had Vera Bradley’s stores been processing EMV chip transactions rather than reading the old-style magnetic stripe, since chip transactions do not expose the data needed to produce working counterfeit cards, although the card numbers could still be used for online purchases.
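
The “common denominator” analysis described above, as an added example that is not from Vera Bradley, any card issuer or the original post: a common-point-of-purchase check over constructed data.  The card identifiers, merchant names and which cards were reported fraudulent are all made up for illustration; the compromised merchant is simply the one that explains the largest share of the reported cards at a fraud rate well above the portfolio’s.

```python
"""Common-point-of-purchase (CPP) analysis over constructed card data.

Added example, not from Vera Bradley, any card issuer or the original post.
Card ids, merchant names and the fraud reports are constructed.
"""
from collections import defaultdict


def build_sample():
    """Twenty cards; C01..C08 were reported fraudulent.  Only one merchant saw all eight."""
    cards = [f"C{i:02d}" for i in range(1, 21)]
    fraud = set(cards[:8])
    transactions = []                                                 # (card id, merchant)
    transactions += [(c, "handbag-store") for c in cards[:10]]       # C01..C10, 8 fraud
    transactions += [(c, "grocery") for c in cards[2:18]]            # C03..C18, 6 fraud
    transactions += [(c, "gas") for c in cards[4:16]]                # C05..C16, 4 fraud
    transactions += [(c, "coffee") for c in cards[7:12]]             # C08..C12, 1 fraud
    return transactions, fraud


def common_point_of_purchase(transactions, fraud_cards, min_fraud_cards=3):
    """Rank merchants by how many of the reported cards they explain.

    For each merchant: fraud_rate = reported cards seen there / all cards seen
    there; coverage = reported cards seen there / all reported cards; lift =
    fraud_rate / portfolio fraud rate.  Merchants with fewer than
    min_fraud_cards reported cards are dropped as noise.
    """
    cards_at = defaultdict(set)
    for card, merchant in transactions:
        cards_at[merchant].add(card)
    all_cards = set().union(*cards_at.values())
    if not all_cards:
        return []
    reported = fraud_cards & all_cards
    base_rate = len(reported) / len(all_cards)
    findings = []
    for merchant, cards in cards_at.items():
        hits = cards & reported
        if len(hits) < min_fraud_cards:
            continue
        rate = len(hits) / len(cards)
        findings.append({
            "merchant": merchant,
            "cards_seen": len(cards),
            "fraud_cards": len(hits),
            "fraud_rate": round(rate, 3),
            "coverage": round(len(hits) / len(reported), 3),
            "lift": round(rate / base_rate, 3),
        })
    findings.sort(key=lambda f: (f["coverage"], f["lift"]), reverse=True)
    return findings


def analyze():
    """Run the check over the constructed sample."""
    transactions, fraud = build_sample()
    return common_point_of_purchase(transactions, fraud)


if __name__ == "__main__":
    for f in analyze():
        print(f"{f['merchant']:14} seen={f['cards_seen']:3} fraud={f['fraud_cards']:2} "
              f"rate={f['fraud_rate']:.3f} coverage={f['coverage']:.3f} lift={f['lift']:.3f}")
```

Coverage is the primary sort key because the compromised merchant has to explain nearly every report; a merchant with high lift but low coverage is more often one the victims merely happen to share, like the grocery store here.  Real issuers run this over millions of transactions and far lower fraud rates, but the shape of the test is the same.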

Unlike most companies that suffer such data breaches, Vera Bradley is not offering free credit monitoring at this time.


If you were a customer at a Vera Bradley store between July 25th and September 23rd, you should go online right away to monitor use of your credit card or debit card.  It is a good policy not to use your debit card for retail purchases because you have less protection under the law for unauthorized use.  Further, even if you report fraudulent use of your debit card immediately to your bank, your bank account to which the card is tied will be frozen and inaccessible to you while the bank investigates the matter.  Use your EMV chip card whenever possible and even if you were not a shopper at Vera Bradley, you should regularly monitor your credit card statement online so that you can discover any fraudulent use early.  Finally, be wary of any emails or text messages you may get that appear to be from Vera Bradley that require you to provide personal information.  Scammers often take advantage of data breaches such as this to send phishing emails to lure people into providing personal information they can use to make you a victim of identity theft.

For more information about Vera Bradley, you can go directly to its website at