Scam of the day – February 8, 2016 – The dangers of Facebook farming

February 8, 2016 Posted by Steven Weisman, Esq.

We have all seen Facebook postings urging us to click that we “like” them.  Sometimes it is an emotional appeal to show support for a sick child.  Sometimes it is to show support for a political message. Sometimes these appeals are legitimate, but unfortunately sometimes they are not.  Often they are done to take advantage of Facebook’s algorithms that value the popularity measured by likes and shares which then appear on the Facebook pages of more people.  Although the original content liked or shared may appear sincere or entertaining, the scammers who use this technique, which is called “farming,” then are able to change the content to something entirely different from what was originally shared or liked.  This can be done for purposes of sending advertising or gathering marketing information, but, at its worst, it can be used to send malware-infected content that can steal personal information from your computer and use it to make you a victim of identity theft.


So what should you do?  Posts that promise some sort of prize for sharing or liking are most likely scams. As for the other scams, you may wish to be a bit skeptical before automatically sharing or liking a post. You may wish to even do a little research yourself to find out if the posting is legitimate.  A 2007 photo of a seven-year-old Pennsylvania girl with Stage IV cancer posing in her cheerleading uniform has been used numerous times for Facebook farming.  Today that girl is a cancer-free teenager whose family is understandably outraged that their daughter’s photograph has been abused by scammers through Facebook farming.

Scam of the day – February 7, 2016 – 20 million accounts hacked on Alibaba’s Taobao shopping website

February 7, 2016 Posted by Steven Weisman, Esq.

Alibaba is the biggest online shopping website in China and perhaps the world.  Hundreds of millions of people use its three main websites, which, of course, makes it a target for hackers. Recently, Alibaba revealed that 20.59 million accounts of Alibaba’s Taobao e-commerce shopping site were accessed by hackers.  The hacking was not due to a failure of the security of Alibaba, but rather, as I wrote about in the Scam of the day for February 3rd in which I discussed the hacking of online income tax preparer TaxAct, through the use of user names and passwords stolen from other websites. In the case of Taobao, the hackers used a black market database of the user names and passwords of 99 million people and found that 20.59 million of the user names and passwords used on other hacked websites were also used on Taobao.  Alibaba said it managed to identify and block much of the unauthorized access to its customers’ accounts and Chinese law enforcement have already arrested twenty-five people in regard to the cyberattack.
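From the website's side, replayed credentials from another site leave a recognizable pattern in login records: one source trying many different accounts, with only a fraction succeeding. The following is an added example, not part of the original post and not Alibaba's method; the log format, the sample events and the thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed login events: (source IP, username, password accepted?). Not real data.
EVENTS = (
    # One source replaying a leaked list: ten different accounts, two hits.
    [("203.0.113.7", f"user{n:02d}", n in (3, 8)) for n in range(10)]
    # Ordinary customers: one account per source, including a typo and a retry.
    + [("198.51.100.10", "alice", False), ("198.51.100.10", "alice", True),
       ("198.51.100.11", "bob", True)]
    # Shared office address: several accounts, all log in successfully.
    + [("192.0.2.50", name, True) for name in ("carol", "dave", "erin")]
)


def find_stuffing_sources(events, min_accounts=5, max_success_rate=0.5):
    """Return {source: stats} for sources that try many distinct accounts and
    mostly fail, the pattern left by replaying credentials stolen elsewhere.
    The two thresholds are illustrative assumptions, not tuned values."""
    tried = defaultdict(set)   # source -> usernames attempted
    opened = defaultdict(set)  # source -> usernames where the password worked
    for source, user, accepted in events:
        tried[source].add(user)
        if accepted:
            opened[source].add(user)

    flagged = {}
    for source, users in tried.items():
        rate = len(opened[source]) / len(users)
        if len(users) >= min_accounts and rate <= max_success_rate:
            flagged[source] = {
                "accounts_tried": len(users),
                "success_rate": rate,
                # These accounts reused a leaked password: lock them and
                # require a password reset before the next login.
                "accounts_to_reset": sorted(opened[source]),
            }
    return flagged


if __name__ == "__main__":
    for source, stats in find_stuffing_sources(EVENTS).items():
        print(source, stats)
```

The accounts listed under `accounts_to_reset` are the ones whose owners used the same user name and password on another, already breached website.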


Whether you are a user of Taobao or not, the lesson is clear that you should have unique user names and passwords for all of your online accounts.  It is not that difficult to do.   The failure of people to protect themselves by using unique, distinct passwords for each of their accounts substantially contributes to their risk of identity theft.  Passwords should be complex so they cannot be broken by simple brute force attacks that use millions of guessable combinations such as any word in the dictionary or such common passwords as 123456.  One good way to pick a complex password is to pick a phrase, such as “I Don’t like passwords” and turn it into the basis for a password by making it IDon’tLikePasswords.  This password is already complex in that it has words and a symbol.  Now add a couple of symbols at the end of the password so it may read IDon’tLikePasswords!!! and you have an easy to remember, but strong password.  Now you can just adapt it for each of your online accounts with a few letters to identify the account.  Thus, your Amazon password can be IDon’tLikePasswords!!!Ama and you have a strong, but easy to remember password.

In addition, whenever you can use dual factor authentication, you should take the opportunity to do so. With dual factor authentication, you receive a one time code by way of your smartphone each time you go to your online account.  Although this may seem like an inconvenience, it is extremely useful and not terribly time consuming.

Scam of the day – February 6, 2016 – American Chamber of Commerce scam

February 6, 2016 Posted by Steven Weisman, Esq.

In Romeo and Juliet, Shakespeare asked, “What’s in a name?”  The answer, according to recent reports from the Better Business Bureau, is a scam if a business receives a telephone call purportedly from the American Chamber of Commerce.  Business owners and employees may confuse that name with the U.S. Chamber of Commerce.  There is no American Chamber of Commerce that operates in the United States although organizations with that name operate in foreign countries such as Australia and Ireland.  The caller supposedly representing the American Chamber of Commerce explains in the call that they are updating the information about the company being called in the Chamber’s latest directory and they just need to confirm some basic company information such as company officers, phone numbers and other, what would appear to be, innocuous information.  But it isn’t.  Once this information has been gathered the scammers use this information for more targeted spear phishing attacks against the company in a variety of scams including phony invoices and scams in which company employees are lured into clicking on malware-infected links in emails that appear to be quite legitimate due to the large amounts of accurate and relevant information contained in the email.


Trust me, you can’t trust anyone.   This motto of mine is valuable to businesses and individuals.  Whenever you receive an email, text message or phone call, you can never be sure who actually is contacting you.  In this particular scam, even if your Caller ID would make it appear that the caller is who they say they are, Caller ID can be fooled through a technique called spoofing to make it appear that it is a legitimate person or company calling when, in fact, it is a scammer contacting you.  Providing even what would appear to be unimportant information can be used by scammers to make their spear phishing more effective and believable including phony invoices sent to the proper person in a company.  When it comes to invoices, nothing should be paid until the exact bill has been confirmed as being legitimate.  As for providing information in regard to a phone call, email or text message, the best thing to do is to refrain from providing it until you have confirmed not only that the inquiry is legitimate, but also that the company asking for the information, even if they are a real company, has a legitimate reason for having that information.  Limiting the availability of too much information about you or your company will help protect you from scams and identity theft schemes.

Scam of the day – February 5, 2016 – Data breach at the University of Central Florida

February 5, 2016 Posted by Steven Weisman, Esq.

The University of Central Florida has announced that its computer system had been hacked and data on as many as 63,000 present and former students, faculty and staff was taken.  The stolen data includes data on employees of the University going back as far as the 1980s.  Included in the compromised data were names and Social Security numbers which can be used by hackers for purposes of identity theft.  Although the data breach was discovered last month, it was only announced yesterday in order to give the University time to conduct an investigation into the matter. Everyone affected by the data breach will receive a letter in the mail with information about how to sign up for free credit monitoring and identity theft protection services.  The University will not be contacting people by email or text messages, so if you do receive such a communication related to this data breach, it is a scam.


The initial letters to those affected by the data breach will be going out today, but you can also call a special hot line set up by the University for more information at 877-752-5527 or go to the website set up by the University to provide information and assistance to those involved in the data breach.  The website is

Although in this instance, the Social Security numbers of those affected by the data breach legitimately needed to be obtained by the University because the bulk of those whose data was compromised were employees of the University including students involved in work-study programs, colleges and universities are notorious for both gathering personal information that they often do not need as well as storing and maintaining that information long after the need for that information no longer exists.  So long as colleges and universities continue to both gather large amounts of personal information and fail to adequately protect that information, they will continue to be targets of hackers and identity thieves.

Scam of the day – February 4, 2016 – Internet connected teddy bear hackable

February 4, 2016 Posted by Steven Weisman, Esq.

Just last fall, toy maker Fisher-Price started selling a new Internet connected interactive teddy bear.  This toy is one of many Internet connected products that are a part of the rapidly expanding Internet of Things about which I have written many times.  While entertaining and convenient, the Internet of Things, which encompasses all manner of products from cars to refrigerators to even medical devices, brings with it security concerns due to the possibility of hacking, which in the case of Smart Toy, the Fisher-Price stuffed bear, was a legitimate concern.  Rapid7, a security firm, discovered that the app connected to the toy had numerous security flaws that would have enabled a hacker to steal the child’s name, birth date and gender.  This information could have been misused by a hacker and created identity theft issues for the child.  The information also could have been used by a hacker to create dangerous spear phishing emails likely to trick targeted family members into downloading dangerous malware.  Rapid7 notified Fisher-Price about the security flaws and Fisher-Price has corrected the problems.


Fortunately, there are a number of steps you can take to make your use and your children’s use of products that are a part of the Internet of Things safer.  The fewer places that have your personal information, the safer you are so if you need to provide a birth date or other information, consider providing intentionally incorrect information.  There is no law requiring you to provide yours or your child’s correct birth date.   Also set up a separate email address for your Internet of Things devices and products.

Many of the devices that make up the Internet of Things come with preset passwords that can easily be found.  Change your password as soon as you set up the product.

Set up a guest network on your router exclusively for your Internet of Things devices.

Scam of the day – February 3, 2016 – Online tax preparers hacked

February 3, 2016 Posted by Steven Weisman, Esq.

Online tax preparation company TaxAct has notified 450 of its customers that their accounts were accessed by unauthorized third parties between November 10, 2015 and December 4, 2015.  As a result of this unauthorized access, these customers’ formerly filed income tax returns were electronically taken by the hackers who were able to get their victims’ names, Social Security numbers, drivers’ license numbers and bank account information.  This information can be utilized by identity thieves for purposes of income tax identity theft.  The problem does not appear to have been as much a security breach by TaxAct as a lack of taking proper security precautions by their customers because the accounts were accessed through usernames and passwords stolen from other sources and then used to attack the victims’ accounts with TaxAct.  This is a major problem when people use the same username and password for multiple accounts.  If your security is breached at one company, your safety everywhere is threatened.  TaxAct also as a precaution froze the accounts of approximately 9,000 of its customers and informed them by email that in order to access their accounts this year, they will need to provide additional verification.

A few days ago, just a week after TaxAct’s customers were notified of the data breach, TaxSlayer, another online tax preparation company, was also targeted by hackers, but no accounts were compromised.  One reason for this is that TaxSlayer requires further verification if someone attempts to log into their account at TaxSlayer from a different computer than the one used to initially set up the account.  This simple security measure can go a long way toward protecting online taxpayers from income tax identity theft.
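The check described above can be sketched as a login routine in which a correct password is only enough on a computer the account has used before. This is an added example, not part of the original post and not TaxSlayer's code; the `Accounts` class, the device identifiers and the `extra_code_ok` flag (standing in for whatever further verification the site performs) are hypothetical.

```python
import hashlib
import hmac
import os


class Accounts:
    """Hypothetical account store that remembers which devices each user has used."""

    def __init__(self):
        self._users = {}

    @staticmethod
    def _hash(password, salt):
        # Salted, slow password hash so the stored value is not the password itself.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user, password, device_id):
        salt = os.urandom(16)
        self._users[user] = {
            "salt": salt,
            "hash": self._hash(password, salt),
            "devices": {device_id},  # the computer used to set up the account
        }

    def login(self, user, password, device_id, extra_code_ok=False):
        rec = self._users.get(user)
        if rec is None:
            return "denied"
        if not hmac.compare_digest(rec["hash"], self._hash(password, rec["salt"])):
            return "denied"
        if device_id in rec["devices"]:
            return "ok"
        # Right password, unfamiliar computer: a stolen password alone stops here.
        if not extra_code_ok:
            return "verification_required"
        rec["devices"].add(device_id)  # remember the newly verified device
        return "ok"


def demo():
    """Constructed scenario: the customer's password leaked from another website."""
    accounts = Accounts()
    accounts.register("pat", "Reused-Pass-1", "home-pc")
    return [
        accounts.login("pat", "Reused-Pass-1", "home-pc"),       # owner, usual computer
        accounts.login("pat", "Reused-Pass-1", "unknown-box"),   # thief with leaked password
        accounts.login("pat", "Reused-Pass-1", "new-laptop", extra_code_ok=True),
        accounts.login("pat", "Reused-Pass-1", "new-laptop"),    # laptop now remembered
        accounts.login("pat", "Reused-Pass-1", "unknown-box"),   # thief is still stopped
    ]


if __name__ == "__main__":
    print(demo())
```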


First and foremost, everyone should use a unique password for each and every online account that you have.  It is not that difficult to do.  In addition, whenever you can use dual factor authentication, you should take the opportunity to do so.  With dual factor authentication, you receive a one time code by way of your smartphone each time you go to your online account.  Although this may seem like an inconvenience, it is extremely useful and not terribly time consuming.

Scam of the day – February 2, 2016 – Affordable Care Act income tax scams

February 2, 2016 Posted by Steven Weisman, Esq.

The Affordable Care Act, often referred to as Obamacare, can be complicated and confusing.  One of the provisions of the law requires most Americans to have some form of health insurance and provides for a penalty of as much as $695 or more this year for people who are uninsured and do not qualify for one of the exemptions provided for in the law.  The open enrollment period for signing up for health insurance through the Affordable Care Act to avoid the penalty was January 30th.  The IRS is warning taxpayers about unscrupulous tax preparers who are telling their clients that they need to pay this penalty to the criminal tax preparer who then keeps the money.  This scam is particularly targeting Hispanic taxpayers and illegal immigrants.  Interestingly, illegal immigrants are not required under the law to have insurance, but they are required to pay income taxes.


All taxpayers are required to either have qualifying health insurance coverage for each month of the year, have an exemption from the requirement or make a penalty payment referred to as an individual shared responsibility payment when filing their federal income tax return.  Here is a link to a page from the IRS website that describes the various exemptions in detail.

It is also important to remember that if the penalty is due, it should be paid to the IRS with the tax return or sent directly to the IRS in response to a letter from the IRS.  It should never be paid directly to the person preparing the return or to any individual.

Scam of the day – February 1, 2016 – Police issue warnings about sextortion

February 1, 2016 Posted by Steven Weisman, Esq.

Sex extortion or sextortion has been around for years on the Internet with criminals tricking people into performing sexual acts online that are recorded and then used to blackmail the victims.  In other cases, hackers have gained access to the webcams of women and used them to take photographs of the women who unwittingly undressed in front of computers in their rooms, not knowing they were being recorded.  In one notorious case, Miss Teen USA Cassidy Wolf refused to be a victim of sextortion and helped law enforcement find and prosecute Jared James Abrahams, who was sentenced to 18 months in prison in March of 2014.

Now, however, as with many scams, sextortion has evolved.  In the latest incarnation, uncovered by cybersecurity firm Trend Micro, cybercriminals in Asia set up fake profiles on social media such as Facebook and then lure their victims to platforms with both video and voice capabilities such as Skype and entice them into performing sexual acts, which are recorded by the cybercriminals.  In a new twist on this scam, however, the cybercriminals then pretend that they are having audio difficulties and convince their victims to download a specific Android app on to their Android smartphone which they represent will remedy the problem.  However, instead of fixing the problem, the app is malware that steals all of the contact information stored on the victim’s smartphone.  The cybercriminal then threatens to send the videos to everyone on the victim’s contact list unless the victim pays a ransom.

The York Regional Police in Canada have recently issued a warning about an increase in sextortion criminal activity, much of which has been traced to the Philippines.  This follows the warning issued by the University of Colorado about this crime that I told you about in the Scam of the day for September 11, 2015.


The best solution to any problem is to avoid the problem altogether.  An easy and decidedly low-tech way to protect yourself from webcam surveillance is to merely put a post-it over the camera when you are not using it.  If you are going to indulge in cybersex or phone sex, it should only be done with people whom you totally trust.  Engaging in such activities with strangers or people you do not know well is asking for trouble.  Also, make sure that all of your electronic devices including your smartphone and computer are protected with the latest updated security software.  Even then, however, no security software is 100% effective against the latest viruses and malware so you should never click on links or download attachments unless you have absolutely confirmed that they are legitimate and you should never download apps from anywhere other than legitimate app stores.  The risk of malware is just too high.

Scam of the day – January 31, 2016 – Amazon customer service exploited by identity thief

January 31, 2016 Posted by Steven Weisman, Esq.

Amazon customer Eric Springer was understandably concerned when he got an email from Amazon customer service thanking him for contacting them because Springer had not contacted Amazon customer service.  Unfortunately, an identity thief posing as Springer contacted Amazon for an online chat and merely by providing Springer’s name, email address and verification through a street address of Springer that he had used with Amazon was able to convince the Amazon employee to provide Springer’s real home address and phone number.  The identity thief did not even have to log in to Springer’s account in order to access the customer service representative, thereby negating the protections provided by Springer’s password.  The identity thief took the information provided by the customer service representative and was able to parlay it into more information which he then used to trick Springer’s bank into issuing the identity thief a new credit card in Springer’s name.  This is not an isolated incident and it happens at more places than just Amazon.  We all are potential victims of identity thieves who troll for personal information from wherever they can get it and then use that information to make us victims of identity theft.


The less information that you share anywhere, the safer you will be.  This even means limiting the places, particularly social media, where you provide your phone number or home address.  If you can use different addresses for different accounts, it is a good thing to do.  Having multiple email accounts can also be a good idea.  Making your shipping address and home address different can also make it a little more difficult for an identity thief.  Finally, make sure that all of the places with which you have financial dealings, such as your bank, credit card company and even retailers, such as Amazon, will notify you if unusual transactions occur or changes are made to your account in order to alert you as soon as possible when problems do occur.

January 30, 2016 – Steve Weisman’s latest column for USA Today

January 30, 2016 Posted by Steven Weisman, Esq.

Here is a link to an important column I wrote for USA Today that tells you about what the IRS and Congress are doing (and not doing) about income tax identity theft.