Scam of the day – April 18, 2015 – TD Bank hit by a skimmer

April 18, 2015 Posted by Steven Weisman, Esq.

The Chelmsford, Massachusetts police are investigating a skimmer that was found installed at a branch of TD Bank in Chelmsford, Massachusetts. Skimmers are small electronic devices that are easily installed by an identity thief on ATMs and other card reading devices, such as at gas pumps. The skimmer steals all of the information from the credit card or debit card, which then permits the identity thief to use that information to access the victim’s bank account when the skimmer is used on a debit card attached to a bank account. Each skimmer can hold information on as many as 2,400 cards.

TIPS

Always look for signs of tampering on any machine through which you swipe your credit card or debit card. If the card inserting mechanism appears loose or in any other way tampered with, don’t use it. When debit cards, which are used at ATMs, are compromised through a skimmer, customers are at risk of having the bank accounts tied to their cards entirely emptied if they do not report a theft promptly. Skimmers at ATMs are often coupled with a thin, clear electronic device that goes on top of the keyboard to capture the victim’s PIN to enable the identity thief to access the account of the victim whose account number was captured through the skimmer.

Scam of the day – April 17, 2015 – Mass email service hacked

April 16, 2015 Posted by Steven Weisman, Esq.

Many people may not be aware of SendGrid, but there is a good chance that you have received an email from them. SendGrid is a mass email service that is used by 180,000 companies worldwide, including Uber, Pinterest, Spotify and Foursquare, when they wish to send mass email messages to their customers, such as when a company wants to alert customers to a service update. When you receive an email from SendGrid or other such mass email services, it appears that the message is being sent by the company with which you have an account, but it actually comes from SendGrid or other mass email services. Last week one of the companies that uses SendGrid had its SendGrid account hacked in an attempt to hack into the company’s account with Coinbase, a Bitcoin exchange. Although the company, unnamed by SendGrid, had its account with Coinbase hacked, according to SendGrid no Bitcoins were stolen. Last year a similar attack aimed at stealing Bitcoins from another SendGrid client, ChunkHost, was foiled because ChunkHost used dual factor authentication, preventing the hackers from accessing the Bitcoins in ChunkHost’s account even after they had managed to steal ChunkHost’s password. More and more hackers are trying to hack into the accounts of users of mass email services such as SendGrid because it enables the hacker to make his or her malware-containing message appear to come from a trusted source.

TIPS

Remember my motto, “trust me, you can’t trust anyone.”  Merely because an email or text message appears legitimate or appears to come from a trusted email address is no reason to trust the message and click on links contained in the email or text message or download attachments to such emails or text messages.  The risk is too great.  Never click on links or download attachments unless you are absolutely sure that they are safe and legitimate.  Even if you are protected by the latest security software, you are still not safe because the most updated anti-malware and anti-virus software is always at least a month behind the latest malware.

Scam of the day – April 16, 2015 – Airline hacking danger

April 16, 2015 Posted by Steven Weisman, Esq.

As more and more devices that we use, everything from refrigerators to cars, become connected to the Internet for convenience, the threat of these devices being hacked has become a significant problem. I wrote about this recently in my USA Today column dealing with the danger of what has come to be known as the Internet of Things. Here is a link to that column: http://www.usatoday.com/story/money/columnist/2015/04/04/weisman-internet-of-things-cyber-security/70742000/ In that column, I referred to a previous GAO study that indicated security threats involving the FAA’s air traffic control system and its vulnerability to hackers.

Earlier this week the General Accountability Office (GAO) issued a new report detailing the security threat posed to commercial airplanes due to the extensive connection of many of their systems to the Internet. According to the GAO, “Modern aircraft are increasingly connected to the internet. This interconnectedness can potentially provide unauthorized remote access to aircraft avionics systems.” The WiFi used by passengers on an airplane is part of the same IP network used for the cockpit controls. The GAO went on to note that “According to cybersecurity experts we interviewed, internet connectivity in the cabin should be considered a direct link between the aircraft and the outside world, which includes potential malicious actors.” Even though firewalls separate these functions, as we have seen in numerous hackings of the computer systems of major companies, firewalls certainly do not guarantee security from sophisticated hackers. As a part of its report, the GAO made three recommendations for the FAA to follow in order to increase the safety and security of air travel.

TIPS

There is little that we as individuals can do to ensure our safety while flying; however, as consumers we can demand of the companies with which we do business that they build safety and security into their products that are a part of the Internet of Things. And while we have little control over our security while flying, we can protect our security elsewhere on the Internet of Things in regard to webcams, heating systems and elsewhere by taking some elementary steps, such as:

1. Don’t store personal identifying information on any device. Don’t even use your real name.
2. Use a unique and complex password for all of your devices so that if one is hacked, all of your devices are not jeopardized.
3. Read the fine print and find out what information is gathered and stored by your devices as well as how that information is used by the manufacturer.
4. Your smartphone is the entrance way to your car’s connectivity. Keep your smartphone protected with a strong and unique password as well as anti-virus and anti-malware security software.
5. Change the default usernames and passwords on all of your home network devices.
6. Use and update anti-virus and anti-malware software on your home computer network.

Scam of the day – April 15, 2015 – TIGTA report on income tax identity theft

April 14, 2015 Posted by Steven Weisman, Esq.

The April 15th deadline for the filing of federal income taxes has come and gone, but if you have become a victim of income tax identity theft this tax season, your problems have only just begun. Income tax identity theft occurs when an identity thief files an income tax return using the name and Social Security number of a legitimate taxpayer and claims a refund based generally on a counterfeit W-2. According to a recently released report by the Treasury Inspector General for Tax Administration (TIGTA), although the IRS has made some progress in assisting the innocent victims of income tax identity theft in getting their legitimate refunds, it still takes, on average, 278 days to resolve the claim of a victim of income tax identity theft, although the IRS routinely tells taxpayers that they can expect their claims to be resolved within 180 days. According to the TIGTA report, the time it takes the IRS to resolve an income tax identity theft victim’s account and pay the legitimate refund ranged from a commendable low of 16 days to an inexcusable high of 762 days.

TIPS

So what should you do if you are a new victim of income tax identity theft? Filing a police report immediately is very important in order to document your claim. Although this is the era of electronic communications, the next thing you should do is mail to the IRS a paper tax return with an attached Form 14039 Identity Theft Affidavit and the police report. According to the IRS, this will shave an average of 54 days off the time it takes the IRS to process your claim. Your case will then be assigned to an IRS employee to assist you with clearing your name and getting your refund. As a victim of identity theft, you also are eligible to receive an Identity Protection Personal Identification Number (IP PIN) to use for future income tax returns to protect you from becoming a victim again of income tax identity theft. You also should put a credit freeze on your credit report because if someone is able to file an income tax return on your behalf, they have access to your Social Security number, which they could also use to access your credit report and obtain credit in your name. Putting a credit freeze on your credit report will thwart future attempts by an identity thief to access your credit. You can find information about credit freezes and how to put one on your credit reports at Experian, Equifax and TransUnion by going to the Archives section of Scamicide.

Scam of the day – April 14, 2015 – Former NFL player accused by SEC of running a Ponzi scheme

April 14, 2015 Posted by Steven Weisman, Esq.

Will Allen, a former National Football League cornerback who played in the NFL between 201 and 2013, has been charged by the SEC, along with a business associate, with running a Ponzi scheme by which he is accused of raising more than 31 million dollars from investors whom he promised to pay interest rates of as high as 18% on loans that were to be used in turn for loans through his company, Capital Financial Partners, to professional athletes who needed cash. However, according to the SEC in its complaint, Allen and his business associate, Susan Daub, diverted investors’ funds to their own personal use, made at least one phony loan and lied to investors about the company. In one instance, at least 24 investors paid more than 4 million dollars to fund a purported loan of 5.65 million dollars to an NHL player who went bankrupt; however, Allen is accused of telling his investors that the loan was current. Capital Financial Partners paid its investors about 20 million dollars although it only received 13.2 million dollars in loan repayments from the athletes to whom the company had loaned money. To make up the deficit of funds coming in from the loans, Allen is accused of paying back investors with funds of other investors.

TIPS

If it sounds too good to be true, it usually is.  Promises of guaranteed returns of 18% should be a red flag that this is an investment that should be scrutinized carefully.  Investing in someone who does not have much experience in  business can also be a cause for concern as can investing without the backup of an experienced investment company to oversee the investment.  In addition, no one should ever invest in anything that they do not firmly understand nor invest without carefully considering the business plan.  This entire enterprise was one that reeked of risk.

Scam of the day – April 13, 2015 – FTC refunding money to victims of tax relief scam

April 12, 2015 Posted by Steven Weisman, Esq.

As we approach the April 15th deadline for filing income taxes, it is a good time to look at a scam involving a company that fraudulently promised to reduce the tax debts of many Americans.  In my February 11, 2013 Scam of the day, I told you about American Tax Relief LLC.   In 2013 the FTC announced that it had come to a settlement with the  American Tax Relief company in regard to charges that the company had stolen more than a hundred million dollars from frightened taxpayers who had turned to them to help them reduce or eliminate their income tax debts.  You may have heard or seen American Tax Relief’s advertisements in which they promised to be able to settle tax debts for pennies on the dollar, stop wage garnishments and stop property seizures.  American Tax Relief misled consumers into believing that the IRS’ Offer in Compromise program by which taxpayers are permitted to settle their tax debts for less than what they owe is easy to achieve when, according to IRS figures, only about 30% of people applying for this program achieve any level of reduction of tax debt.  If you haven’t heard or seen these advertisements of American Tax Relief, you certainly have seen or heard them from other companies.  Unfortunately, many, if not most of these companies are phony.  You end up paying large up front costs and get little relief.   Now the FTC is sending refund checks to 18,571 of the victims of American Tax Relief totaling more than 16 million dollars.  If you were a victim of American Tax Relief and have not received a check,  you can use this link for more information about the refund program of the FTC.  https://www.ftc.gov/enforcement/cases-proceedings/refunds?utm_source=govdelivery  This link also provides information about the FTC’s refund programs involved with other FTC cases against such companies as L’Occitane, AdvaCal, and Lean Spa.

TIPS

Just because you have seen advertising in legitimate media does not mean that the companies advertising are legitimate.    If you owe income taxes, the IRS has programs to assist you including the Installment Agreement Program by which you may be able to make payments on your tax debt over time.  In some limited circumstances the Offer in Compromise Program may be available to you, but you are best off utilizing a CPA or a lawyer in negotiating with the IRS over any offer in compromise.   The IRS also has a Taxpayer Advocate Service which you can reach at irs.gov/advocate or by phone at 1-877-777-4778.  I urge you to be particularly wary of companies that claim that they can reduce or eliminate your tax debts.  Check them out with the IRS and the FTC before considering using their services.  Frankly, you would be much better off with the assistance of a knowledgeable tax lawyer or CPA.

Scam of the day – April 12, 2015 – Bank telephone scam

April 11, 2015 Posted by Steven Weisman, Esq.

The rumor that the first words spoken on the telephone by Alexander Graham Bell were “Watson, come here, I want to see you, and, oh, yes, what is your credit card number” turns out not to be true, although it probably didn’t take long for the telephone to become a tool of choice for scammers and identity thieves. The latest telephone scam that is popping up around the country begins when you receive a recorded call that purports to be from your bank informing you that your credit card or debit card has been frozen. In order to unlock your account, you are instructed to press “1” on your phone. Once you press “1” you are instructed to enter your credit or debit card number. If you do this, you will have succeeded in turning over your credit card or debit card number to an identity thief. Making this scam even more insidious is that in some instances, if you have Caller ID, it will indicate that the call is from your bank. However, this automated call is never from your bank; it only appears to be so due to a technique called “spoofing.”

TIPS

It is easy to know whether a recorded call from your bank regarding your credit card or debit card is legitimate. If you receive such a call, it is a scam because no bank will contact you in this fashion. In addition, you should never provide your personal information over the phone to anyone whom you have not independently contacted in order to be sure that you are not providing that information to a scam artist or identity thief. If you receive such a call and have any concern that it might be legitimate, merely call your bank at a number that you know is accurate to confirm that the call was a scam.

Scam of the day – April 11, 2015 – FTC sweepstakes scam

April 10, 2015 Posted by Steven Weisman, Esq.

We all know by now to be wary of letters informing us of our having won a sweepstakes that we never entered, but there is one letter that is presently circulating that appears to come from the Federal Trade Commission, the very same federal agency that protects us from lottery scams.  This letter looks official.  It carries the seal of the FTC.  It is signed by Jessica Rich, the Deputy Director of the FTC’s Consumer Protection Division.  And it is still a scam.   According to the letter, all you have to do to claim your prize is pay $5,000 for a Legal Registration Bond, whatever that may be.  Of course, if you pay that bond, you will lose $5,000 and win nothing more than a hard learned lesson about sweepstakes scams.

TIPS

For starters, the FTC doesn’t sponsor or endorse any lotteries or sweepstakes.  In addition, no legitimate lottery requires you to pay fees, administrative costs or taxes in order to claim your prize.  While income taxes are due on sweepstakes winnings, they are never collected by the lottery sponsors.  The lottery sponsor either deducts the taxes from your prize and pays them to the IRS or they give you the entire prize and you are responsible for paying the taxes.  They never collect tax payments from you.  Finally, remember, it is hard to win a lottery that you enter; it is impossible to win one that you never even entered.

Scam of the day – April 10, 2015 – Member of international computer hacking ring pleads guilty to hacking video game manufacturers

April 10, 2015 Posted by Steven Weisman, Esq.

Nineteen-year-old Austin Alcala recently became the fourth member of an international hacking ring to plead guilty to hacking into the computer networks of a number of videogame developers including Microsoft Corporation, Epic Games Inc., Valve Corporation and Zombie Studios. In the course of the hacking of these companies, the hackers stole information and intellectual property valued at one hundred million dollars, including software source code, trade secrets and other information regarding the Microsoft Xbox Live online gaming system and popular games including FIFA, Call of Duty: Modern Warfare 3 and Gears of War 3. Sentencing is scheduled for July 29th.

TIPS

It should come as no surprise that nineteen-year-olds without the resources of state governments and large companies have sufficient computer power to hack into the biggest companies in the world. This case is just another example of the fact that all of us and the companies with which we do business have got to do a better job of protecting the security of important information. As individuals, there is little we can do to compel companies and government agencies to better protect the data they hold; however, for ourselves, there are many things we can do to enhance our security, including the use of strong passwords, encryption programs and security software that is constantly updated. In addition, avoiding clicking on links in emails and text messages unless you are absolutely sure that they are legitimate is a good way to avoid becoming a victim of phishing.

Scam of the day – April 9, 2015 – White House computers hacked

April 8, 2015 Posted by Steven Weisman, Esq.

The Obama Administration has confirmed that White House computers were hacked last year; however, it emphasized that the extent of the cyberintrusion was limited to systems that only carried unclassified information. It is theorized that it was Russian government hackers that were responsible for the attack and that they managed to download the malware used to access the computers’ data by way of phishing emails with tainted links that came from email addresses at the State Department, which has long been infiltrated by Russian government hackers. This revelation highlights the concerns about the private email server used by former Secretary of State Hillary Clinton during her tenure as Secretary of State, although the most recent disclosures could bolster both her defenders and her critics. Her defenders could say that the State Department email system was unsafe and constantly targeted by Russia, China and others and that Secretary Clinton was prudent to use her own system over which she could maintain strict controls. Her critics could argue that it is unlikely that her private server would be as safe as that of the official government email system.

TIPS

The revelation of the White House hacking reinforces the fact that the United States, Russia, China and others are constantly engaged in cyberwarfare.  But what does this story tell us as individuals in regard to our own security and protecting our own data from hackers and identity thieves?  The primary lesson is one that we constantly need to remind ourselves of again and again, namely that in almost all data breaches, whether of individuals, governments or companies, the sophisticated malware necessary to accomplish the theft of data starts with the victim clicking on a link in a phishing email.  Therefore it is critical that you never click on links in emails or text messages regardless of how legitimate they appear until you have confirmed that they are legitimate.  You also may wish to even consider using a separate computer for financial matters and a separate computer for emails so that even if you make a mistake and download malware, there is nothing in that computer worth stealing.