Scam of the day – January 23, 2017 – Latest Gmail phishing scam

An effective new phishing email scam targeting Gmail users is presently circulating. It starts when you receive an email that appears to be sent from the email address of one of your real friends. In fact, the email may have been sent from a friend’s email account that has been hacked and taken over in order to send out phishing emails that victims will trust because they appear to come from a trusted source. The email has an attachment, and when you click on the attachment, a sign-in page for your Gmail account appears requiring you to type in your email address and password. Unfortunately, if you do so, you have just turned over this information to a cybercriminal who can wreak havoc with it.

TIPS

Although this particular spear phishing email scam is quite sophisticated, there are a number of simple steps you can take to prevent yourself from becoming a victim of the scam. Primarily, you should follow my rule and never click on any link or download any attachment unless you have absolutely confirmed that the communication containing the link or attachment is legitimate. Even if the email address from which the communication is sent appears legitimate, your friend’s email may have been hacked and it may be a cybercriminal sending you the email.

It is also a good idea to use dual-factor authentication when possible for your email account. If you use dual-factor authentication, such as where a one-time code is sent to your smartphone each time you want to access your email, you are protected from having your email account taken over even if the cybercriminal has your password and username. Finally, it is a good idea not to store sensitive information in your email account.

Scam of the day – January 22, 2017 – College falls victim of ransomware

Ransomware, as regular readers of Scamicide know, is a type of malware that gets unwittingly downloaded onto a company’s, institution’s, government agency’s or individual person’s computer and, once downloaded, encrypts the data of the victim. The victim is then told to either pay a ransom, generally in bitcoins, within a short period of time, or the hacker will destroy the data.

The latest public victim of ransomware is the Los Angeles Valley Community College District, which recently paid a $28,000 bitcoin ransom after ransomware locked the campus’ computer network along with its email and voicemail systems. After the ransom was paid, the code was delivered to the school, enabling it to regain its files and control over its email and voicemail systems.

Ransomware has become one of the most common and effective cybercrimes in the last year, successfully targeting individuals and a wide range of companies including law firms, accounting firms and even police departments. As big a problem as ransomware was last year, I predict it will be much worse in 2017.

TIPS

The key to not becoming a victim of a ransomware attack is to prevent it in the first place. Generally, the malware is installed unwittingly by victims when they are lured through phishing and spear phishing emails to click on links infected with the malware. Never click on links in emails or text messages, regardless of how legitimate they may appear, until you have verified that they are legitimate. You should also install anti-phishing software.

It is also important not only to have anti-malware software installed on all of your electronic devices, but also to make sure that you update the security software with the latest security patches and updates. Many victims of ransomware have fallen victim to strains of ransomware for which security software was already available to thwart them. Finally, always back up your computer’s data daily, preferably in two different ways, in order to protect your data in the event you do become a victim of ransomware.

Scam of the day – January 21, 2017 – Warning issued about hacking fingerprints from photos

Biometrics, such as retina scans and fingerprints, used for identity verification on devices such as your smartphone are effective security measures that provide greater security than mere passwords. However, Japan’s National Institute of Informatics recently warned people not to have photos taken of themselves flashing the V sign with their fingers, due to concerns that technologically skilled hackers could steal the images of fingerprints and use them for identity theft purposes.

With present technology this is very difficult to accomplish, although even paranoids have enemies, and in fact the fingerprints of Germany’s Defense Minister Ursula von der Leyen were hacked from a photograph and cloned in 2014.

Companies involved in fingerprint biometric technology are working to increase the security of this type of technology to make it more difficult to steal fingerprints from a photograph.

TIPS

Although it is still quite difficult for someone to hack your fingerprints from a photograph, it is possible, and the simplest way to avoid this problem is simply not to have photographs taken that disclose your fingerprints to the lens of any camera. Just taking this simple step can provide you with much greater protection.

Scam of the day – January 20, 2017 – Western Union to pay $586 million to settle FTC fraud charges

Western Union, which provides money wiring services around the world, has just settled fraud charges brought by the Federal Trade Commission, the Justice Department and a number of states’ Attorneys General. Under the terms of the settlement, which was achieved through a Deferred Prosecution Agreement, Western Union will pay 586 million dollars to be used to reimburse victims of the various scams operated by Western Union in conjunction with scammers around the world who used the services of Western Union to scam victims out of money and also to illegally launder funds.

Wiring money has long been a favored manner for scammers to request payment in a wide variety of scams because of the difficulty of tracing or retrieving the funds once they have been wired.

Among the scams uncovered by prosecutors were scams in which the scammers posed as family members of their victims desperately in need of money, phony lotteries and phony job opportunities.

Under the Deferred Prosecution Agreement, Western Union admits its guilt, but will not be prosecuted if it complies with a number of required changes in how it does business and pays the 586 million dollar forfeiture.

TIPS

Because wiring of funds is such a favorite method for scammers to seek to be paid, you should always be a bit skeptical when you are asked, as a part of any business dealing, to wire funds.

If you were a victim of a scam in which funds were wired through Western Union, you may be eligible for reimbursement through the forfeited funds Western Union is paying to settle this matter. For specific information about making a claim, go to the Justice Department’s victim website at www.justice.gov/criminal-afmls/remission.

Scam of the day – January 19, 2017 – W-2 scam

We have just come out of the holiday season, which is, perhaps, the biggest time of the year for scams, and now we are entering the income tax season, which probably runs a close second when it comes to scams.

Employers are now sending out W-2 forms to employees, which the employees need in order to complete their income tax returns. Many employers will send an email to employees about obtaining their W-2s online, and scammers are taking advantage of this by sending emails that appear to come from the potential victim’s employer and contain a link to be used to view and then print the victim’s W-2. However, when scammers send these phishing emails they are seeking the username and password of the victim, which will be provided to the scammer when the victim clicks on the link and enters this information when prompted. This can lead to identity theft. In another variation of this scam, merely by clicking on the link, the victim downloads keystroke logging malware that will steal all the information in the victim’s computer and use it to make the person a victim of identity theft. In yet another variation of the scam, clicking on the link will download dangerous ransomware.

TIPS

Employers will generally not include a link in legitimate emails for employees to access their W-2 forms online. Instead they will instruct the employee to go directly to this information at the appropriate department within the employer, using their username and password separately. Even if your employer were to provide a link in such a legitimate email, you could never be sure that the email was from your employer, so you should not click on the link. It is better to independently go to the department of your employer that has this information.

Scam of the day – January 18, 2017 – New twist on secret shopper scam

Although there is nothing new about secret shopper scams, or mystery shopper scams as they are sometimes called, they remain popular and are still constantly finding new victims. What is unusual about today’s version of the scam, which has been hitting University of Nebraska at Omaha students and faculty, is that it appears to come from a trusted staff member of the University. The truth is that the scam email does come from the email account of a University staff member, but that is because the staff member’s email account was hacked and taken over by the scammer, which is a relatively simple thing to do.

When you answer an advertisement or an email to become a secret shopper, you are sent a bank check to deposit and use for your shopping.  You spend some of the money on the goods that you purchase which you are allowed to keep and also are directed to keep some of the balance of the check as payment for your services.   You are instructed to return the remaining funds by a wire transfer and report to the company about your shopping experience.  The problem is that the check is counterfeit, but the money you send by wire from your own bank account is legitimate and that money is gone from your bank account forever.  In the case of the University of Nebraska at Omaha secret shopper scam, a number of people have fallen for the scam and each of them has lost about $1,000 as a result of the scam.

TIP

Remember my motto, “trust me, you can’t trust anyone.” Regardless of who appears to have sent you an email or a text message, you can never be sure who is really sending you the communication, so you should never provide personal information or send money in response to an email or a text message until you have confirmed that it is legitimate.

As for secret shopper scams, one reason why this scam snares so many people is that there really are mystery shopping jobs, although the actual number is quite few and they do not go looking for you. If you want to find out if a mystery shopping company is legitimate, you can contact the MSPA-NA, which is a trade organization of legitimate mystery shopping companies. Their website is http://www.mspa-na.org/. Another indication that you are involved with a scam is when you receive a check for more than what is owed you and you are asked to wire the difference back to the sender. This is the basis of many scams. Whenever you receive a check, wait for your bank to tell you that the check has fully cleared before you consider the funds as actually being in your account. Don’t rely on provisional credit, which is given by your bank after a few days but which can be rescinded once a check bounces, and never accept a check for more than what is owed with the intention to send back the rest. That is always a scam. Also be wary whenever you are asked to wire funds, because this is a common theme in many scams, as wired money is difficult to trace and impossible to stop.

Scam of the day – January 17, 2017 – Rogue Wells Fargo employees stealing identities of customers

Robert Charles Reed has been sentenced to seven years in prison for his role as the mastermind behind an identity theft ring in which Reed recruited dishonest Wells Fargo employees to provide him with confidential information of seventy-five Wells Fargo customers, including their names, birth dates, account numbers and Social Security numbers, which he used to steal $580,332 from these victims. The rogue Wells Fargo employees who aided in the plot have all been fired by Wells Fargo and have pleaded guilty to their crimes. Presently they are awaiting sentencing.

TIPS

Although we are all cognizant of protecting our confidential information from being obtained by outside hackers, corrupt employees at the various places that have our personal information are a major problem, particularly in the banking industry, as I have written about numerous times in the past. There is little you can do to protect yourself from this type of crime other than to regularly monitor all of your accounts for indications of impropriety or fraud.

Scam of the day – January 16, 2017 – Another Netflix phishing scam

I have been warning you about phishing scams using Netflix as the hook for a couple of years.  The popularity of Netflix makes it a preferred subject for phishing emails that appear to come from Netflix in which you are told you need to update your credit card information or other personal information. Reproduced below is a copy of an email presently being circulated.  It looks legitimate, but it is easy to counterfeit the Netflix logo and make the email appear to be legitimate when it is not.  In this particular scam you are asked for personal information, such as your name, date of birth and address that can be used to make you a victim of identity theft.  In many of these scams you are also asked to verify credit card information which, if done, merely provides your credit card information to an identity thief.

The scam sends users an email, appearing to be from Netflix, which asks them to update their membership details. The email includes a link that shows a fake log-in page and asks them to input details such as payment information.

TIPS

As I always say, “trust me, you can’t trust anyone.”  You can never be truly sure when you receive an email seeking personal information such as your credit card number whether or not the email is a scam.  The risk of clicking on a link or providing the requested information is just too high.  Instead, if you think that the email might be legitimate, you should contact the company at a telephone number that you know is legitimate and find out whether or not the email was a scam.

As for Netflix in particular, it will never ask in an email for any of your personal information so anytime you get an email purportedly from Netflix asking for your credit card number, Social Security number or any other personal information, it is a scam.

Scam of the day – January 15, 2017 – Latest security updates from Department of Homeland Security

Constant updating of the software we all use with the latest security patches and updates is a critical part of avoiding scams and identity theft threats. Whenever new security updates and patches are issued, we provide access to these so that you can update your software to provide better security on your computers, smartphones, laptops and other electronic devices. Updating your software with the latest security patches and updates as soon as possible is important because identity thieves and scammers are always finding and exploiting vulnerabilities in the software that we all use. Delay in updating your software could lead to disastrous results. However, it is also important to be sure that you are downloading legitimate patches and updates rather than being tricked by an identity thief or scammer into downloading malware under the guise of downloading a security patch or update. These new updates from the Department of Homeland Security include critical updates for Microsoft products and Adobe software including Adobe Flash.

I have been warning you for years about flaws in Adobe Flash that have been exploited by hackers and identity thieves against individuals, companies and government agencies including the U.S. State Department and the White House. Problems with Adobe Flash are nothing new. In 2010 Steve Jobs vociferously complained about its security and it has routinely been cited as being extremely vulnerable. Despite security patch after security patch, new problems keep coming up. According to the security company Symantec, 80% of the newly discovered software vulnerabilities which can be exploited by malware created by cybercriminals involved Adobe Flash.

TIPS

Here are the links to a list of all of the recent security updates as posted by the Department of Homeland Security:

https://www.us-cert.gov/ncas/current-activity/2017/01/10/Microsoft-Releases-January-2017-Security-Bulletin

https://www.us-cert.gov/ncas/bulletins/SB17-009

https://www.us-cert.gov/ncas/current-activity/2017/01/10/Adobe-Releases-Security-Updates

Some alternative plugins you may wish to consider to replace Adobe Flash include GNU Gnash and Silverlight. Silverlight can be downloaded free directly from Microsoft at this link: https://www.microsoft.com/silverlight/ while GNU Gnash can be downloaded free at this link: http://www.gnu.org/software/gnash/