Scam of the day – September 27, 2016 – Another phony email lottery scam

September 27, 2016 Posted by Steven Weisman, Esq.

I often write about phony lottery scams because year after year they are among the most common and effective scams and with good reason.  Often blinded by their greed, many people fall for these scams and end up paying thousands of dollars to scammers and  end up receiving nothing in return.  Generally, there are two ways that phony lotteries work.  Either you are told that in order to claim your prize, you must pay administrative fees or income taxes to the lottery sponsor.  In both cases, victims pay money to the phony lottery sponsors and never see a dime.  Here is a copy of a recent lottery scam email I received.  It purports to be from the International Monetary Fund, an international financial organization which works under the United Nations and which does not ever offer lotteries.  This is a poorly constructed phishing email that contains numerous instances of poor grammar and spelling and makes no sense whatsoever.  The email addresses contained within the email may well be those of innocent people whose emails have been hacked.  We can’t tell from the email, if the email addresses are those of the scammers or merely email addresses they control through a botnet.

“$5,000 PAYMENT”
Wann Dienstag, 27 September 2016
12:30 PM bis 01:30 PM
(GMT) Greenwich Mean Time – Dublin/Edinburgh/Lissabon/London
Mail Dear Email ID Owner, USD $5,000 PAYMENT WE SENT TODAY TO PICK UP. The IMF is compensating all the email addresses,was fund as one of the ward win Victims and your mail address with your name is listed among one of the approved to pay sum of US$2.5 million. We have concluded to effect your own payment through Western Union Money Transfer for easy pick up those fund in good condition,$5,000 twice daily until the total sum of US$2.5 million is completely transferred to you. Now: we need your information where we will be sending the funds as following below: (1)Your Full name…: (2)Your Phone number:… (3)Your Country:… (4)Your Age:… (5)Your private E-Mail..: For urgent enquiry call Tel; +229 66024650 Mr.Steven Moses for the payment E-mail 🙁wesunion.wu101@gmail.com ) Call Steve immediately you get this mail to enable him speed up your payment immediately to released US$5000 dollar MTCN to you for picking up the payment today ok Best Rgards, Mrs.Esther Richardson. Private e-mail: eestherichardson@hotmail.com IMF MANAGEMENT.

 

TIPS

As I have often told you, it is difficult to win a lottery you have entered.  It is impossible to win one that you have not even entered.  You should always be skeptical when told that you have won a lottery you never entered.    It is also important to remember that it is illegal to play foreign lotteries unless you are present in the other country.  While it is true that income taxes are owed on lottery winnings, legal lotteries never collect tax money from winners.  They either deduct the taxes from the winnings or leave it up to the winners to pay their taxes directly to the IRS.  As for administrative fees, you never pay a fee to collect a legal lottery prize.

Scam of the day – September 26, 2016 – Arrest made in hacking of Pippa Middleton’s iCloud account

September 25, 2016 Posted by Steven Weisman, Esq.

It only took a day from the news becoming public that someone had hacked into the iCloud account of Pippa Middleton, the sister of Princess Kate, the Duchess of Cambridge for authorities to make an arrest.  According to Scotland Yard, a thirty-five year old man has been arrested on suspicion of a Computer Misuse Act Offense related to the hacking.  The hacker claimed to have stolen about 3,000 private photographs including some of her sister Kate as well as her children Prince George and Princess Charlotte along with nude photos of her fiance James Matthews.  Someone purporting to be the hacker contacted several media outlets offering to sell the photographs for approximately $65,000.  At the present time, it is not known how the security breach occurred. You may remember that it was not long ago that photos of nude celebrities such as Jennifer Lawrence and Kate Upton that had been stored on iCloud were hacked and released to the public.  In those instances, the hacker obtained the usernames and passwords of his victims by merely sending phishing emails to his victims that appeared to come from Apple in which his victims were asked to verify their accounts by clicking on a link which took them to a website that appeared to be a login page for Apple.  Once they entered their information, the hacker had all the information that he needed to access his victims’ accounts.  Although Kate Upton and Jennifer Lawrence as well as a number of other hacked celebrities did not use it, Apple has a dual factor authentication security option by which a user’s account can only be accessed after he or she has received an authentication code on their smartphone each time a user accesses his or her account.  Had this security option been used by the hackers of Kate Upton, Jennifer Lawrence and other hacked celebrities involved in the celebrity nude photo hacking, their security would not have been breached.  It is a good option for everyone.

TIPS

For anyone who uses iCloud, you should first protect yourself from phishing attacks, such as the one that was used against Kate Upton and Jennifer Lawrence by always being skeptical when you are asked to provide personal information, such as your user name, password or any other personal information in response to an email or text message.  Trust me, you can’t trust anyone.  Always look for telltale signs that the communication is phony, such as bad grammar or the sender’s email address which may not relate to the real company purporting to send you the email.  Beyond this, even if the email or text message appears legitimate, it is just too risky to provide personal information in response to any email or text message until you have independently verified the message by contacting the real company that purportedly is sending the message.  In addition, you should also use dual factor authentication, which is another tool that would have prevented the Kate Upton and Jennifer Lawrence hacking.

Scam of the day – September 25, 2016 – Companies continue to fall victim to BEC fraud

September 25, 2016 Posted by Steven Weisman, Esq.

This is another fraud about which I have written a number of times in the past that continues to plague businesses around the world.  It is called the Business Email Compromise scam (BEC) and the FBI  has noted a 1,300% increase in this crime since 2015.  The scam involves an email to the people who control payments at a targeted company. These people receive an email purportedly from the CEO, company attorney or even a vendor with whom the company does business requesting funds be wired to a phony company or person.   At its essence, this scam is remarkably simple and relies more on simple psychology instead of sophisticated computer malware.  Often the scammers will do significant research to not only learn the name of the key employees involved with payments within a company, but also will infiltrate the email accounts of company employees for a substantial period of time to learn the protocols and language used by the company in making payments.  The scammers will also gather information from the company’s website and from social media accounts of its employees, all in an effort to adapt their message to seem more legitimate.

The latest company to fall victim to this scam is Leoni AG, a German company that is one of the world’s biggest manufacturers of electronic cables.  It recently lost 40 million euros (approximately 44.6 million dollars) when it wired money in response to an email that was written in a manner that showed familiarity with Leoni’s internal procedures for approving and transferring funds.  Generally this occurs when the hackers have infiltrated the computer systems of their victim for sufficient time to observe how payments are made.

TIPS

In order to avoid this scam, companies should be particularly wary of requests for wire transfers made by email. Wire transfers are the preferred method of payment of scammers because of the impossibility of getting the money back once it has been sent.  Verification protocols for wire transfers and other bill payments should be instituted including, dual factor authentication when appropriate.  Companies should also consider the amount of information that is available about them and their employees that can be used by scammers to perpetrate this crime.  They also should have strict rules regarding company information included on employee social media accounts that can be exploited for “spear phishing” emails which play a large part in this scam.  Finally, employees should be specifically educated about this scam in order to be on the lookout for it.

September 24, 2016 – Steve Weisman’s latest column for USA Today

September 24, 2016 Posted by Steven Weisman, Esq.

Protecting your privacy and security while using your smartphone is of great concern to everyone.  This is a lesson that Pippa Middleton just learned when her smartphone was hacked.  Here is a link to my column from today’s edition of USA Today in which I give you ten tips to protect your safety and security while using your smartphone.

http://www.usatoday.com/story/money/columnist/2016/09/24/staying-safe-your-smartphone/87446674/

Scam of the day – September 24, 2016 – Massive Yahoo data breach

September 24, 2016 Posted by Steven Weisman, Esq.

Today’s Scam of the day will be a bit longer than usual, but the added length is necessary to discuss the recent announcement of the massive data breach at Yahoo affecting as many as five hundred million people, making it the largest data breach in history.   Yesterday, Yahoo announced that it had been the victim of a data breach that began two years ago.  Yahoo has attributed the attack to what it called a “state-sponsored actor” and indicated that the compromised information included names, email addresses, telephone numbers, birth dates, encrypted passwords and security questions.  The good news is that no bank account, credit card or debit card information appears to have been involved in the data breach.  However, the information that was stolen is more than sufficient to be utilized for spear phishing emails specifically tailored for purposes of identity theft.

The first indication that there was a problem occurred in June when word of stolen Yahoo data started to be discussed in online forums on the Dark Web where cybercriminals communicate as well as buy and sell stolen data.  Later, in August large batches of stolen Yahoo customers’ data began being sold on a black market website on the Dark Web called TheRealDeal.  Now that the data breach has been confirmed, Yahoo is contacting affected customers, however it is important to remember that scammers are going to also be contacting people through phishing emails attempting to lure people into clicking on links that will download keystroke logging malware that will steal information to be used for purposes of identity theft or to trick people into providing personal information directly in response to the email. Official Yahoo emails will display the Yahoo icon and will not ask you to click on links, download attachments or provide personal information.

TIPS

As I have suggested many times in the past, you should have a unique password for each of your online accounts so that in the event of a data breach at one online company with which you do business, your accounts at your bank and other online accounts are not in jeopardy.  Although Yahoo has indicated that the passwords stolen were hashed, which is a form of encryption, there is still concern that these passwords could still be cracked.  Go to the June 7, 2016 Scam of the day for tips about how to pick strong passwords that are easy to remember.

This is also a good time to check your credit reports with each of the three major credit reporting agencies for indications that your identity may have been compromised. You can get your free credit reports by going to www.annualcreditreport.com   Beware of going to other sites that appear to offer free credit reports, but actually sign you up for costly services.  And while you are at it, you should consider putting a credit freeze on your credit reports at each of the three major credit reporting agencies so that even if an identity thief does manage to steal your personal information, he or she cannot access your credit report to open new accounts.  For more information about credit freezes and links on how to set them up go to the Scam of the day for June 27, 2016.

Whenever possible use dual factor authentication for you accounts so that when you attempt to log in, a one-time code will be sent to your smartphone to insert in order to get access to your account.  For convenience sake you can set up dual factor authentication so that it is only required if you are logging in from a different computer or device than you normally use.

Security questions are notoriously insecure.  Information such as your mother’s maiden name, which is the topic of a common security question can be readily obtained by identity thieves.  The simple way to make your security question strong is to use a nonsensical answer for the question, so make something like “firetruck” the answer to the security question as to your mother’s maiden name.

As always, don’t click on links or download attachments in any email or text message you get unless you have absolutely confirmed that it is legitimate.  Any email you may get purporting to be from Yahoo will not contain links or attachments and will not ask you to provide personal information.  For help directly from Yahoo on this matter go to https://help.yahoo.com/kb/helpcentral

Since you can never be sure if a company is going to be subjected to a data breach, try and limit the personal information you provide to all companies.  Don’t leave your credit card number on file for convenience sake and don’t provide your Social Security number unless you absolutely must do so.  Many companies ask for this information although they have no real need for it.

As for the companies themselves, they should be utilizing encryption to protect stored data as well as utilizing modern analytics programs that can detect unusual activity.

Scam of the day – September 23, 2016 – Latest security updates from the Department of Homeland Security

September 22, 2016 Posted by Steven Weisman, Esq.

Constant updating of the software we all use with the latest security patches and updates is a critical part of avoiding scams and identity theft threats.  Whenever new security updates and patches are issued, we provide access to these so that you can update your software to provide better security on your computers, smartphones, laptops and other electronic devices.  Updating your software with the latest security patches and updates as soon as possible is important because identity thieves and scammers are always finding and exploiting vulnerabilities in the software that we all use.  Delay in updating your software could lead to disastrous results.  However, it is also important to be sure that you are downloading legitimate patches and updates rather than being tricked by an identity thief or scammer into downloading malware under the guise of downloading a security patch or update.  These new updates from the Department of Homeland Security include critical new updates to Adobe Flash, Android, Google Chrome, Microsoft Edge and Windows 10.

TIPS

Here are the links to  lists of all of the recent security updates as posted by the Department of Homeland Security: https://www.us-cert.gov/ncas/bulletins/SB16-263

Here also are new links to Apple updates: https://www.us-cert.gov/ncas/current-activity/2016/09/20/Apple-Releases-Security-Updates

and

Mozilla Firefox updates: https://www.us-cert.gov/ncas/current-activity/2016/09/20/Mozilla-Releases-Security-Updates

Scam of the day – September 22, 2016 – New Aol phishing scam

September 22, 2016 Posted by Steven Weisman, Esq.

Millions of people still use AOL.  One reason is that you get greater email privacy when compared to some other email carriers. Due to its popularity, scammers and identity thieves often send out phishing emails that appear to come from AOL, such as the one reproduced below.  The logo and format of this particular email that is presently circulating is quite poor.  Compare it to the excellent counterfeit phishing email I included in the Scam of the Day for May 31, 2014.  This one comes from an email address that has no relation to the company, AOL.  Further, it is not directed to the recipient specifically by name.  Like many similar scams, this one works by luring you into clicking on a link in the email in order to resolve a problem.  However, if you click on the link, one of two things will happen.  You either will be prompted to provide information that will be used to make you a victim of identity theft or by clicking on the link you will unwittingly download a keystroke logging malware program that will steal all of the information from your computer and use it to make you a victim of identity theft.   Here is how the email appears.  DO NOT CLICK ON THE LINK:
AOL HELP.
Your two incoming mails were placed on pending status due to the recent upgrade to our database,In order to receive the messages CLICK HERE to Login and wait for response from AOL Mail.We apologies for any inconveniences
Best Regards,
The AOL! Mail Team
TIPS
When AOL communicates with its customers about their accounts, they do so by AOL Certified Mail, which will appear as a blue envelope in your inbox and will have an official AOL Mail seal on the border of the email.  This particular email had neither and only had an easy to counterfeit Aol logo appear on the email.  Whenever you get an email, you cannot be sure of from whom it really comes.  Never click on a link unless you are absolutely sure that it is legitimate.  If you think the email might be legitimate, The best thing to do is to contact the real company that the email purports to be from at an address or phone number that you know is accurate in order to find out if the communication was legitimate or not.  Remember, never click on links in emails unless you have confirmed that they are legitimate.

Scam of the day – September 21, 2016 – New proposed rules for New York financial services companies

September 21, 2016 Posted by Steven Weisman, Esq.

The New York Department of Financial Services has just proposed significant new cybersecurity rules for banks and financial services companies doing business in New York. These regulations come in the wake of repeated cybersecurity breaches at many banks and other financial services companies.  While the regulations set minimal standards all institutions must follow, the regulations were written in a manner to encourage companies to go further and not limit security innovation.  Among the provisions of the regulations are the establishment of the position of chief information security officer at each company as well as increased use of encryption and dual factor authentication.  In addition, the proposed regulations also carry potential criminal liability for officials of companies not meeting the new standards.  The proposed regulations are open to public comment for 45 days and are slated to go into effect on January 1, 2017.

TIPS

Here is a link to the proposed regulations.  http://www.dfs.ny.gov/legal/regulations/proposed/rp500t.pdf

While these regulations are a good start toward more secure banking, it is still important for all of us to take responsibility for our own secure banking.  First and foremost you should monitor your bank accounts often for indications of any irregularities.  You should be particularly careful when banking with your smartphone or on your computer.  Use a strong password, strong security question and multi factor authentication whenever possible.  Here is a link to a column which I wrote for USA Today with more tips on how to protect yourself when banking online or on your phone.  http://www.usatoday.com/story/money/columnist/2016/02/27/e-banking-tip-moms-maiden-name-say-grapefruit/80756330/

Scam of the day – September 20, 2016 – Income tax identity thief sentenced

September 19, 2016 Posted by Steven Weisman, Esq.

Jesse Scott Wilson  of Alaska was recently sentenced to 92 months in prison for his role in an income tax identity theft ring that electronically filed at least 428 phony income tax returns using stolen Social Security numbers resulting in refunds of $681,258 being paid to Wilson and his three cohorts.  Wilson will not have to go far in order to start his prison sentence because both he and his fellow conspirators were already incarcerated in an Alaska prison throughout the time that they managed to pull of their crime.  This just serves as an example of how incredibly easy it has become for someone to commit income tax identity theft which costs the American taxpayers billions of dollars each year.

In 2015 the IRS instituted a new cooperative effort between the IRS, state tax administrators and private tax preparation leaders.  Included among the steps being taken are review by the IRS of the IP address of computers filing income tax returns to identify computers filing multiple returns and reviewing the time it takes to complete an electronic income tax return which can also help identify fraudulent returns since completing a fraudulent return generally takes less time than a legitimate return.  In addition, income tax preparation software companies will be using enhanced validation protocols including increased use of security questions.

However, all of these steps which are expected to cost taxpayers an additional 281 million dollars to implement totally miss the point.  The easiest and simplest way to dramatically reduce income tax identity theft still is not being done by Congress, namely changing the laws regarding employers filing of W-2s.  Under present law, for the upcoming tax filing season, employers must file W-2s with the federal government by February 29th if they file paper W-2s and as late as March 31st if they file, as so many do, electronically.  Unfortunately Congress in its infinite wisdom requires these W-2s to be filed with the Social Security Administration (SSA) by those dates.  The SSA does not send the W-2s to the IRS until July so the IRS does not get around to matching the W-2s filed by employers with those filed by individual taxpayers with their income tax returns until months after the IRS has already sent a refund based on the W-2 filed by the taxpayer or identity thief.  In order to dramatically reduce income tax identity theft, all Congress has to do is merely require employers to file W-2s with the IRS instead of waiting for the SSA to send them to the IRS.  It also would make much more sense than Congress appears to have to require the IRS to match those employer filed W-2s with those filed by individual taxpayers BEFORE sending out a refund in order to easily identify counterfeit W-2s.  For years Congress has been advised to make these simple changes, but it still fails to do so.

TIPS

Try as it may, the IRS is having a difficult time stopping income tax identity theft by which an identity thief steals your personal information and files a phony income tax return using your name and gets a refund.  Along with protecting your personal information, particularly your Social Security number as much as you can, the best thing you can do to avoid becoming a victim of income tax identity theft is to file your income tax return early.  Income tax identity theft can only work when the criminal is able to file an income tax return using your name and Social Security number before you file your own legitimate income tax return so consider filing as early as possible.

Scam of the day – September 19, 2016 – Accused autistic hacker to be extradited to the United States

September 18, 2016 Posted by Steven Weisman, Esq.

Thirty-one year old accused hacker Lauri Love, who lives with his parents in Britain was ordered last week to be extradited to the United States to face charges that he hacked into the computers of numerous high-profile victims including the Federal Reserve, the Department of Defense, NASA and even the FBI.  One thing that makes his case unique is that Love has Asperger’s syndrome, a form of autism.  However, a hacker having autism may not be as unusual as you might think.  Recent research tends to show that many people with autism have a particular aptitude for computer technology and many autistic people are active in online gaming forums where they may come into contact with cybercriminals seeking to exploit their skills.  Other autistic people may see hacking as just another online game and not be fully aware of the consequences.

TIPS

The fact that such high profile government agencies such as the Federal Reserve, the Department of Defense, NASA and the FBI have been so vulnerable to hackers, even relatively unsophisticated hackers is not particularly comforting.  Cybersecurity is an essential element of the functioning of the federal government and it presently is not as good as it should be.  In July, President Obama released his first Federal Cybersecurity Workforce Strategy in an effort to “identify, recruit, develop, retain, and expand the pipeline of the best, brightest, and most diverse cybersecurity talent for Federal service and for our Nation.”  This is just the latest action by the Obama administration which has been taking steps to increase cybersecurity since 2009.  For the most part, the new federal rules have been slow to transform the federal government’s cybersecurity culture, but hopefully, as the seriousness  of cyberthreats become increasingly more apparent, change will be more forthcoming.