Scam of the day – October 6, 2015 – Phony kidnapping scam

October 5, 2015 Posted by Steven Weisman, Esq.

Another scam I advised you about previously is having a resurgence and is now the subject of a recent FBI warning.  This scam is the phony kidnapping scam.  This scam starts with a telephone call informing the person answering the phone that his or her spouse or other relative has been kidnapped and if they do not respond by wiring money right away, the relative will be killed.  A typical scenario often involves the story that the person being held was kidnapped following a motor vehicle accident in which the missing relative was responsible for damage to the caller’s car or motorcycle.  When it comes to many scams, we are often our own worst enemy and this scam is no exception.  In many instances, the scammers gather personal information about the intended scam victims from information that the intended victims put up on social media.  Armed with this personal information, a scammer can describe the supposed kidnapped victim or provide personal information that would make it appear that indeed they actually do have the person in their custody.  This scam is going on around the country, but New York, Nevada, Texas and California have been experiencing particularly large numbers of this scam.


Always be skeptical if you receive such a call.  Never wire money to anyone for anything unless you are totally convinced that what you are doing is legitimate because unlike paying for something with a credit card, once your wired funds have been sent, they are impossible to get back.  Talk to the alleged kidnapper as long as possible, thereby giving someone else with you the time to call or text the alleged kidnap victim on his or her smartphone.  You also could ask the kidnapper to describe your relative as well as provide information, such as his or her birth date, which could be found on a driver’s license.  However, it is important to remember that much of this information may be available through social media or elsewhere on the Internet.

Many of these kidnapping scams are originating in Puerto Rico or Mexico, so be particularly skeptical if you receive the telephone call from Puerto Rico area codes 787, 939 or 856.  Also be wary of calls from Mexico, where the area codes are quite numerous but can be found by clicking on this link.

Scam of the day – October 4, 2015 – Scottrade hacked in massive data breach

October 4, 2015 Posted by Steven Weisman, Esq.

For the third day in a row our Scam of the day involves a major data breach, which is somewhat ironic since October is National Cyber Security Awareness Month.  Certainly the millions of people affected by the data breaches involving T-Mobile, Experian, Trump Hotels and now Scottrade have become more aware of cybersecurity than perhaps they wished to be.  Discount brokerage firm Scottrade just announced that it was the victim of a massive data breach that occurred between late 2013 and early 2014.  Like so many corporate data breaches, the company itself never discovered the hacking.  Rather, in this case it was the FBI that discovered the data breach in August of 2015.  Approximately 4.6 million customers of Scottrade were and are affected by the data breach. Although we are being told by Scottrade that the data lost was limited to names and addresses, it is still a bit too soon to be truly comfortable that the data breach was indeed limited to this information.  The company waited until now to announce the data breach at the request of the FBI so as not to jeopardize their investigation.  Affected customers are now being contacted by Scottrade.  As is so often the case, Scottrade is offering a year of free credit monitoring to affected customers although since the hacking took place so long ago, this may be a bit late for this type of response to be considered timely.  Here is a link to Scottrade’s webpage containing information about the data breach, which also contains information about how to apply for the free credit monitoring if you were affected by the data breach.


If you were affected by the data breach and wish to sign up for the free credit monitoring service, you should call AllClearID at 855-229-0083 between 8:00 a.m. and 8:00 p.m. Central Time Monday through Saturday.  However, as I have said many times before, credit monitoring does not protect you from identity theft, it only lets you know sooner that you are a victim.  It is similar to if you were crossing the street and got hit by a truck and someone came over to you lying in the street to tell you that you just got hit by a truck.  A better step to consider is to put a credit freeze on your credit report which is possibly the best thing you can do to help protect yourself from identity theft.  You can find information about credit freezes and how to put one on your credit reports at each of the three major credit reporting agencies by going to the Scamicide archives and typing in “credit freeze.”

If you became a customer of Scottrade after February of 2014, your information was not compromised.

Although Scottrade will be notifying affected customers, so will scammers with emails in which they pose as Scottrade and attempt to lure you into clicking on links or providing information that will put you in danger of identity theft.  Trust me, you can’t trust anyone.   Never click on a link unless you are absolutely sure that it is legitimate.  In the case of Scottrade customers, you are better off calling them directly rather than clicking on a link or providing information in response to an email or text message.

Steve Weisman’s latest USA Today column

October 4, 2015 Posted by Steven Weisman, Esq.

Here is a link to Steve Weisman’s latest column for USA Today entitled “Beware of New Smart Chip Credit Card Scams.”

Scam of the day – October 3, 2015 – 15 million T-Mobile customers in danger of identity theft

October 3, 2015 Posted by Steven Weisman, Esq.

T-Mobile has announced that personal information on 15 million of its customers has been stolen as a result of a data breach that occurred between September 1, 2013 and September 16, 2015.  The stolen information includes names, birth dates and Social Security numbers.  This type of information can readily be used by a criminal to steal the identities of the people whose personal information was compromised.  Because identity theft can be a devastating crime, this is a major problem if you were a customer of T-Mobile during that time.  It is important to note that it was not T-Mobile’s computers that were hacked.  Rather it was a server used by the credit reporting agency Experian that was hacked to steal this customer information.  T-Mobile used the services of Experian to run credit checks on people applying for T-Mobile services or devices.  A number of questions are brought up by this hacking including why Experian continued to store this personal information long after the determination of creditworthiness had been done.  Also, there are questions about the encryption program Experian used to protect its data because the encryption proved ineffective.


T-Mobile is offering free credit monitoring services through ProtectMyID to affected customers for two years.  However, it should always be noted that credit monitoring does not help prevent identity theft, but merely helps you learn sooner when you do become a victim of identity theft.  Somewhat ironically, it should also be noted that ProtectMyID is owned and operated by Experian, the same company responsible for the data breach.  For more information about obtaining the free credit monitoring services if you were affected by this data breach, click on this link which provides instructions from T-Mobile about signing up for the service.

Meanwhile, everyone should consider putting a credit freeze on their credit reports to actually help prevent identity theft.   With a credit freeze in place, an identity thief who has your personal information including your Social Security number will be prevented from accessing your credit report to obtain credit or make purchases in your name.   For more information about credit freezes, go to the archives of and type in “credit freeze.”

Scam of the day – October 2, 2015 – Update on data breach at Trump hotels

October 2, 2015 Posted by Steven Weisman, Esq.

It has just been disclosed by the Trump Hotel Collection, which includes hotels in Chicago, Honolulu, Las Vegas, Los Angeles, Miami and New York, that its hotels had been hit with a Target-like credit card and debit card data breach that appears to have occurred between May 19, 2014 and June 2, 2015.  Although the Trump Hotel Collection is just announcing this now and much of the media is reporting this as a new story, here at Scamicide, we reported to you about this data breach in our Scam of the day on July 5, 2015.  As with so many data breaches, it was discovered not by the company hacked, but by credit and debit card processing banks that noticed a pattern of fraudulent use and traced the cards back to the Trump hotels.  The malware used to perform this data breach was installed on computers at Trump hotels’ front desk terminals as well as payment card terminals in the hotels’ restaurants and gift shops.  This type of hacking and data breach could have been prevented had the Trump Hotel Collection switched to the modern EMV smart chip credit cards now being required to be used according to credit card regulations that just went into effect yesterday.  Instead the Trump Hotel Collection, as many companies still do, used the old fashioned credit and debit cards with magnetic strips which are so susceptible to hacking.


If you used your credit and debit card at one of the affected Trump hotels between May 19, 2014 and June 2, 2015, you should obtain your credit report from each of the three major credit reporting agencies and look for indications of identity theft.  You should also carefully monitor your credit card account and bank accounts for unusual activity.  You should also consider putting a credit freeze on your credit reports, which is always a good idea.  The Trump Hotel Collection is offering free credit monitoring for people who used their cards at their hotels during the time period indicated above.  For more information about this offer, call them at 877-803-8586.  Here also is a link to the statement of the Trump Hotel Collection about this data breach.

As for the rest of us, there is little that we as credit and debit card users can do to protect ourselves from the security vulnerabilities of the companies with which we do business.  One important thing to do is to refrain from using your debit card except at ATMs.  Using your debit card at retail establishments puts you at a much greater risk of expensive identity theft in the event of a data breach at the company with which you are doing business because of weaker consumer protection laws regarding liability for fraudulent use of your debit card.  Also, if you have not yet received a new EMV smart chip credit card from your credit card company, you should ask your credit card company for a replacement credit card with a computer chip now.

Scam of the day – October 1, 2015 – EMV smart chip card scams

October 1, 2015 Posted by Steven Weisman, Esq.

Scammers always are taking advantage of whatever current events are going on.  Today is the deadline for retailers and credit card issuing companies to switch over to using the new EMV credit cards containing a computer chip that creates and encrypts a new number every time the card is used.  Unlike credit cards in other parts of the world, American credit cards still mostly use magnetic strip technology that has been around since the 1960s in which personal information is contained on a magnetic strip on the back of the card.  When the information on this strip is stolen as through a hacking, the identity thief has access to the credit of the victim.  However in more than 80 other countries around the world, the magnetic strip card technology has been replaced with cards embedded with a microchip.  This technology is often referred to as EMV which stands for Europay, MasterCard and Visa, the originators of the card.  With EMV cards, the chip creates and encrypts a new number every time the card is used.  Thus hacking into the credit and debit card processing terminals used by the cardholder is a worthless exercise in trying to access the credit card or debit card.  For cost reasons, credit card companies and retailers have resisted updating the credit card system in the United States although changes in regulations in regard to liability for fraudulent credit card use will prompt credit card companies and retailers to switch to this technology.   Under these new rules, after October 1st if a retailer does not switch its card processing machines over to EMV card processing of sales, in the event of a data breach, the retailer will be held financially responsible for any losses incurred.  Previously, in the event of data breaches, it has generally been the credit card issuing banks that have been held responsible for such credit card fraud.

The October 1st deadline, however,  has not been met by many credit card issuers and retailers.  More than a billion credit and debit cards will have to be switched to the new EMV cards and only 120 million people have already received a new EMV card.  That number is expected to reach 600 million by the end of 2015.  Meanwhile, many retailers have not yet converted their card processing devices to accept the new EMV cards.  Since under the new regulation regarding liability in the event of credit card fraud, the liability passes to the party that is the least EMV compliant, there is much incentive for the credit card companies to issue new EMV cards and for retailers to convert their credit card processing equipment as soon as possible.

Ingenious scam artists, the only criminals we refer to as artists, are taking advantage of the situation by contacting people by email posing as your credit card company and prompting you to either provide personal information in response to the email or click on a link in the email in order to update your account to get a new smart EMV chip card.  If you provide personal information to the scammer, you will end up becoming a victim of identity theft.  If you click on the link, you may also download keystroke logging malware that will steal your information from your computer or smartphone and use it to make you a victim of identity theft.


So if you receive an email purporting to be from your credit card company, how do you know whether it is legitimate?

First check the address of the email sender.  If it appears to come from someone or some company wholly unrelated to your credit card issuer, it is a scam.  Many scammers use hijacked email accounts that become a part of a network of controlled computers referred to as a botnet to send out their emails so that it is difficult to trace the scams back to the scammer.

Merely because the email appears legitimate, is written in proper English and even carries the logo of your credit card company does not mean that it is legitimate.  It is easy to copy the logo of a company on to an email.  If you get an email from your real credit card company it will generally be addressed to you specifically by name rather than a generic greeting of “Dear Cardholder.”  In addition, the email to you will generally reference your account by including the last four digits of your account.  However, even paranoids have enemies so if you do get an email that appears legitimate, but you still have concerns, merely call the company at the number found on the back of your credit card to confirm that the email is legitimate.
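The checks described above (sender address, greeting by name, last four digits of the account) can be written as a small triage routine. This is an added example, not part of the original post; the issuer domain `examplebank.test`, the function names and both sample messages are constructed for illustration, and it assumes plain-text, single-part messages.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains the card issuer really sends from (placeholder value).
ISSUER_DOMAINS = {"examplebank.test"}
GENERIC_GREETING = re.compile(
    r"^\s*dear\s+(cardholder|customer|member|user)\b", re.I | re.M)


def sender_domain(msg):
    """Domain of the From: address, lower-cased; '' if it cannot be parsed."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def is_issuer_domain(domain):
    """True for an issuer domain or a real subdomain of one.

    A look-alike that merely contains or starts with the issuer name,
    such as examplebank.test.card-renewal.test, does not qualify.
    """
    return any(domain == d or domain.endswith("." + d) for d in ISSUER_DOMAINS)


def triage(raw, holder_name, last4):
    """Return the warning signs from the article found in one raw message."""
    msg = message_from_string(raw)
    body = msg.get_payload()  # plain-text, single-part message assumed
    flags = []
    if not is_issuer_domain(sender_domain(msg)):
        flags.append("sender-unrelated-to-issuer")
    if GENERIC_GREETING.search(body) or holder_name.lower() not in body.lower():
        flags.append("generic-greeting")
    # Match the last four digits only as a stand-alone group of digits.
    if not re.search(r"(?<!\d)" + re.escape(last4) + r"(?!\d)", body):
        flags.append("no-last-four-digits")
    return flags


# Constructed sample: display name and domain prefix imitate the issuer.
PHISH = """\
From: Example Bank Security <update@examplebank.test.card-renewal.test>
To: pat@example.org
Subject: Update your account to receive your new EMV chip card

Dear Cardholder,
Click the link below to update your account and receive your chip card.
"""

# Constructed sample: issuer subdomain, named greeting, account reference.
GENUINE = """\
From: Example Bank <notices@mail.examplebank.test>
To: pat@example.org
Subject: Your new chip card is on the way

Dear Pat Morgan,
A replacement chip card for your account ending in 4821 has been mailed.
"""

if __name__ == "__main__":
    print(triage(PHISH, "Pat Morgan", "4821"))
    print(triage(GENUINE, "Pat Morgan", "4821"))
```

An empty result only means none of these warning signs was found; the From header can be forged, so the call to the number on the back of the card remains the confirming step.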

Scam of the day – September 30, 2015 – New Dropbox scam

September 30, 2015 Posted by Steven Weisman, Esq.

Dropbox is a popular service that enables you to store photos, documents and other information in the cloud.  In a phishing scam similar to what I wrote about recently, many people are receiving an email purporting to be from Dropbox telling them that Dropbox is doing an update in order to make their service more secure from hacking and that the user needs to click on a link in order to update his or her account.  Of course, this is just a phishing scam intended to lure the victim into clicking on the link in which event the victim will either be told to provide personal information including passwords that will be used by the scammer to make the person a victim of identity theft or merely by clicking on the link, the victim will unwittingly download keystroke logging malware that will enable the identity thief to steal all of the personal information on the victim’s computer or smartphone and use it to make the person a victim of identity theft.


The particular phishing email presently being circulated appears to be legitimate; however, it is not sent by an email address used by Dropbox.  If the email does not appear to originate with, or other legitimate Dropbox email addresses, which you can find by going to this link, you can immediately dismiss the email as a phishing scam.  However, even if the email address appears legitimate you should still be skeptical and contact the company at a phone number or email address that you know is legitimate to find out if the email is legitimate.  Here is a link you can use to contact Dropbox about issues with your account. are with this type of email, it is a scam.  Dropbox is also a company that allows you to use dual factor identification, which dramatically increases your personal safety because even if someone gets your password, they cannot access your account.  If you use Dropbox, I heartily advise you to protect your account by using dual factor authentication.  Here is a link from Dropbox to help set up dual factor authentication.

This is another example of why it is a good practice to have separate distinct passwords and usernames for all of your accounts so that if one company where you have your information is hacked, your other accounts are not endangered.  In addition, as always, if the company with which you are dealing provides for dual factor identification, you should take advantage of this to provide added security so that you would not be in danger of having your account taken over even if someone managed to get your username and password.  Dropbox provides for dual factor identification.  If you use Dropbox and haven’t yet added dual factor identification, here is a link to enable you to set it up for your account.

Scam of the day – September 29, 2015 – Hilton Hotels data breach

September 29, 2015 Posted by Steven Weisman, Esq.

Hilton Hotels appear to be the latest in a long line of companies that have suffered a significant data breach involving credit cards and debit cards.  The hacking appears to have occurred between April 21, 2015 and July 27, 2015 although it may go back as far as November of 2014.  As is most often the case, the hacking was not discovered by Hilton, but rather by a number of credit card issuing banks that picked up a pattern of fraudulent charges that they were able to trace back to gift shops and restaurants at a number of Hilton properties which include not only Hilton Hotels, but Embassy Suites, Doubletree, Hampton Inn and Suites as well as the Waldorf Astoria Hotels and Resorts.  This type of data breach is something about which I wrote for USA Today in a column a year ago in which I explained the pattern for these data breaches and why they occur.  Here is a link to that column, entitled “Coming Soon:  Another Major Retailer Hacked.”

For its part, Hilton released a statement saying, “Hilton Worldwide is strongly committed to protecting our customers’ credit card information.  We have many systems in place and work with some of the top experts in the field to address data security.  Unfortunately, the possibility of fraudulent credit card activity is all too common for every company in today’s marketplace.  We take any potential issue very seriously and we are looking into this matter.”

The problem continues to be one of weak cybersecurity of many companies coupled with these companies still using credit card and debit card processors for cards with magnetic strips rather than the safer smart EMV chip cards about which I wrote in detail in September 23rd’s Scam of the day.  New regulations mandate credit card issuers and retailers to switch over to the new smart EMV chip cards by October 1st or risk increased legal liability, but unfortunately, many companies have not switched over and are not expected to do so by October 1st.  If smart EMV chip cards had been used at Hilton, the information stolen in such a hacking would have been worthless, but since they still used the old fashioned magnetic strip cards, Hilton and its customers face financial problems from this data breach.  Target, which learned its lesson the hard way, has already switched to the new EMV chip cards as has WalMart.


Until credit card issuing companies and brick and mortar stores and businesses that take credit cards switch to the new smart EMV chip cards, this story will, as I predicted a year ago, continue to occur again and again.  As for us, as consumers, the best we can do is to refrain from using our debit cards for anything other than an ATM card because consumers whose debit card security has been breached are not protected as much as when a credit card is used for fraudulent purchases.  In addition, if you do not already have a new smart EMV chip card, you should demand one from your credit card company.  They are easy to use and they will provide you with much greater security.  If you used a credit card or debit card at any of the above-mentioned Hilton properties during the dates indicated above, you should carefully monitor your credit card account and bank account for any indication of a problem.

September 28, 2015 – Steve Weisman’s latest USA Today column

September 28, 2015 Posted by Steven Weisman, Esq.

Here is a link to Steve Weisman’s USA Today column from today’s online edition of USA Today entitled “Email Scam Hits Corporate Computers.”