Scam of the day – March 23, 2017 – Ponzi schemer sentenced

Ponzi scheming investment advisor Patrick Churchville has been sentenced to seven years in prison for operating a Ponzi scheme that cheated more than a hundred of his clients out of 21 million dollars. Between 2008 and 2011 Churchville invested his clients’ money in JER Receivables under participation agreements through which they would lend money to JER to buy healthcare receivables, promising profits of 30% in 16 months. When the investment failed, Churchville continued the scam by siphoning money for himself, such as for his purchase of a 2.5 million dollar waterfront home, and by using new investors’ money to pay older investors, which is the defining element of a Ponzi scheme.

TIPS

It bears repeating. If it looks too good to be true, it usually is. Anyone being promised a return of 30% in 16 months should be skeptical. Also, never invest with anyone unless there is an independent custodian who holds the investment. Having the same person both manage and hold the investment is a recipe for disaster, since it makes it easy for the scammer to hide his or her crimes. Churchville, like famed Ponzi schemer Bernie Madoff, both made the investments and acted as the custodian of the investment, enabling him to falsify records and keep his victims unaware of the scam being perpetrated.

Scam of the day – March 22, 2017 – FTC shuts down fraudulent weight loss scam

The FTC has settled a claim against scammers who were marketing worthless weight loss products through illegal spam emails and phony celebrity endorsements.  The scammers hacked into email accounts of unwary victims and used those email accounts to send out spam emails to people on the contact list of the hacked accounts with links purporting to be to an interesting news story.  Many people receiving these emails fell for the scam because they believed the email was coming from a trusted source.

The links led to websites that touted worthless weight loss products such as Original Pure Forskolin and Original White Kidney Bean.  The websites also contained false claims of weight loss such as 17 pounds in 4 weeks or 41.7 pounds in 2.5 months.  The websites also falsely represented that the products were featured or endorsed by Oprah Winfrey or the hosts of “The Doctors” television show.

TIPS

Whenever you receive an email purporting to be from a friend with a short note instructing you to click on a link to some important story, you should immediately be skeptical. Often the emails seem out of character for the person who appears to be sending them, which is because that person’s email account has often been hacked and used to send out spam emails such as this. If you get such an email and it is spam, you should let your friend know that their email account has been hacked.

Never click on links in emails unless you have verified that they are legitimate.  While in this particular case, clicking on the link would only take you to a phony website, often clicking on links such as this can download ransomware or keystroke logging malware that will enable a hacker to steal your personal information from your computer and use it to make you a victim of identity theft.

As for weight loss products, you should always do your research and check with your primary care physician before considering buying any product promising to help you lose weight easily.

Scam of the day – March 21, 2017 – European Commission acts to reduce social media based scams

Social media is an integral part of the lives of all of us, and therefore it is often used by scammers to convey scams because people often put too much trust in postings and messages they receive through social media. Cognizant of this fact, the European Commission, led by French consumer authorities, has given Facebook, Twitter and Google+ until April 16th to come up with proposals to address the growing number of scams using their social media. If the proposals of these companies are deemed not satisfactory, the European Commission has indicated it would resort to enforcement actions.

TIPS

This is a positive step by the European Commission.  It starts with the recognition that scams are rampant on social media and then permits the various social media companies to have substantial input as to how they will constructively deal with this problem.  However, if the companies fail to act responsibly in this matter, the European Commission is ready to impose regulations.

As for all of us as consumers of social media services, the most important way to avoid scams on social media is to follow my motto, “trust me, you can’t trust anyone” and always be skeptical of any offer you receive on social media, particularly ones that require you to provide personal information.  In addition, never click on links or download attachments unless you have absolutely confirmed that they are legitimate.

Scam of the day – March 20, 2017 – Hacker uses SQL attack to steal data from colleges and government agencies

According to security company Recorded Future, a notorious Russian hacker known as Rasputin used a SQL injection attack to hack into the data of sixty-three targets that included prominent colleges in the United States and the UK as well as state and federal government agencies.    The various targets were chosen because of their storage of personal information that could be sold on the Dark Web where cybercriminals buy and sell such data to be exploited for purposes of identity theft.

Among the colleges suffering a data breach were Purdue University and Cornell University. Among the government agencies hacked was the Department of Housing and Urban Development (HUD). Among the city government computers hacked were those of Pittsburgh, Pennsylvania and Springfield, Massachusetts.

Structured Query Language (SQL) is a computer language widely used in databases. In a SQL injection, a web app vulnerability is exploited in order to give the hacker access to all of the stored data. A SQL injection can result not only in data being stolen, but also in data being changed or deleted. The entrance point for a SQL injection is generally in login forms, sign up forms or other forms where visitors to a website can input information.
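The login-form entry point described above, as an added example that is not part of the original post: the same lookup written once by pasting form input into the SQL text and once with placeholders. The table, accounts and function names are constructed for illustration, and Python's built-in sqlite3 module stands in for whatever database a real site uses.

```python
import sqlite3


def make_db():
    """Build an in-memory database holding constructed sample accounts."""
    db = sqlite3.connect(":memory:")
    # Plain-text passwords keep the example short; real systems store hashes.
    db.execute("CREATE TABLE users (name TEXT, password TEXT, ssn TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct-horse", "000-00-0001"),
         ("bob", "battery-staple", "000-00-0002")],
    )
    return db


def login_vulnerable(db, name, password):
    # Form input is pasted into the SQL text, so quote characters typed
    # into the form are parsed as SQL syntax instead of as data.
    sql = ("SELECT name, ssn FROM users "
           "WHERE name = '%s' AND password = '%s'" % (name, password))
    return db.execute(sql).fetchall()


def login_parameterized(db, name, password):
    # Placeholders send the input as values only; whatever is typed into
    # the form cannot change the structure of the query.
    sql = "SELECT name, ssn FROM users WHERE name = ? AND password = ?"
    return db.execute(sql, (name, password)).fetchall()


# Constructed form input that contains SQL syntax.
CRAFTED = "' OR '1'='1"


def compare(name, password):
    """Run both versions against fresh copies of the sample data."""
    return {
        "vulnerable": login_vulnerable(make_db(), name, password),
        "parameterized": login_parameterized(make_db(), name, password),
    }


if __name__ == "__main__":
    for label, rows in compare("nobody", CRAFTED).items():
        print(label, "returned", len(rows), "row(s)")
```

With the crafted input, the concatenated query returns every stored record even though no such user exists, while the parameterized query returns nothing.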

TIPS

SQL injection attacks are quite common, but they can be defended against through proper security practices, including constantly updating servers, applications and services with the latest security updates. As for consumers, the best we can do is limit, as much as possible, the information we provide to the various websites with which we do business, recognizing that we are only as safe as the place with the weakest security with which we do business.

Scam of the day – March 19, 2017 – Publishers Clearing House lottery scam

It is hard to win any lottery. It is impossible to win one that you have not even entered, and yet scam artists, the only criminals we refer to as artists, have found that it is extremely lucrative to scam people by convincing them that they have won various lotteries. Most lottery scams involve the victim being told that they need to pay taxes or administrative fees directly to the lottery sponsor; however, no legitimate lottery requires you to do so.

As with many effective scams, the pitch of the scammer seems legitimate. Income taxes are due on lottery winnings, but with legitimate lotteries they are either deducted from the lottery winnings before you receive your prize or you are responsible for paying the taxes directly to the IRS. No legitimate lottery collects taxes on behalf of the IRS from lottery winners. Other times, the scammer tells the “winners” that in order to collect their prizes, they need to pay administrative fees. Often, the victims are told to send the fees back to the scammer by prepaid gift cards or Green Dot MoneyPak cards. Prepaid cards are a favorite of scammers because they are the equivalent of sending cash. They are impossible to stop or trace. Again, no legitimate lottery requires you to pay administrative fees in order to claim your prize.

Everyone is familiar with the Publishers Clearing House sweepstakes from television commercials where the winners are shown being surprised by the delivery of their giant check. Publishers Clearing House is a real company that operates a legitimate lottery that many people enter, and scammers take advantage of the fact that people are so familiar with the sweepstakes by posing as representatives of Publishers Clearing House to scam people out of their money. Reports of this presently occurring are circulating around the country. One potential victim in Alabama was contacted by phone and told that she had won the sweepstakes, but had to pay $90,000 in taxes in order to claim her prize.

TIPS

Fortunately, there is an easy way to know, when you are contacted by phone, email or text message by someone claiming to be from Publishers Clearing House and informing you that you have won one of its multi-million dollar prizes, whether you have been contacted by the real Publishers Clearing House. Publishers Clearing House only contacts major prize winners in person or by certified or express mail. They do not contact such winners by phone, email or text message, so if you do receive a notification of your winning one of their multi-million dollar prizes in this fashion, you know it is a scam. In addition, no winners of the Publishers Clearing House sweepstakes are ever required to make a payment of any kind to claim their prize. As for other lotteries, remember, you can’t win a lottery you haven’t entered and no legitimate lottery asks you to pay them administrative fees or taxes.

Scam of the day – March 18, 2017 – Adobe Flash security patch

Adobe has just issued a new critical update for its popular Adobe Flash software. I have been warning you for years about flaws in Adobe Flash that have been exploited by hackers and identity thieves against individuals, companies and government agencies including the U.S. State Department and the White House. Problems with Adobe Flash are nothing new. In 2010 Steve Jobs vociferously complained about its security and it has routinely been cited as being extremely vulnerable. Despite security patch after security patch, new problems keep coming up. According to security company Symantec, in 2015 80% of the newly discovered software vulnerabilities which can be exploited by malware created by cybercriminals involved Adobe Flash.

It appears that just as companies retire certain programs when it is just too difficult to patch them, this may well be the time for Adobe to retire Flash, and if it doesn’t, you should consider retiring it yourself and replacing it with another plugin that performs the same function, but is safer. Adobe Flash has already been proven to be so vulnerable to successful attacks by hackers that installing new security patches as quickly as they are issued is little more than putting a Band-aid on the Titanic, if I can mix my metaphors.

Microsoft now blocks Adobe Flash by default in its Edge browser due to security concerns. Microsoft also blocks outdated versions of Adobe Flash from running in Internet Explorer on Windows 7. If you use Windows 8.1, Windows 10 or Windows Server 2012R2, this will not affect you because these systems automatically install Adobe Flash security patches. In addition to Microsoft, Google, Apple and Mozilla have indicated that they are blocking Adobe Flash.

TIPS

Here is a link to the latest Adobe Flash updates:

https://www.us-cert.gov/ncas/current-activity/2017/03/14/Adobe-Releases-Security-Updates

However, it may well be time for you to replace Adobe Flash to avoid problems.

Some alternative plugins you may wish to consider to replace Adobe Flash include GNU Gnash and Silverlight. Silverlight can be downloaded free directly from Microsoft at this link: https://www.microsoft.com/silverlight/

GNU Gnash can be downloaded free at this link: http://www.gnu.org/software/gnash/

Scam of the day – March 17, 2017 – Four people indicted for massive Yahoo data breach

On Wednesday, the Justice Department unsealed an indictment of two Russian intelligence officers and two hackers, one Russian and the other from Kazakhstan, who, the indictment alleges, were responsible for the 2014 massive data breach of Yahoo in which tremendous amounts of personal data were stolen. The indictment was originally filed on February 28th, but was only unsealed two days ago. The intelligence officers used the information to spy on specific targeted companies and individuals for political purposes, while the hackers were permitted to use the data for a wide range of profit-producing scams including credit card fraud and spamming operations. The indictment even details how the hackers diverted Yahoo users looking for erectile dysfunction drugs to a particular pharmacy chosen by the hackers.

This indictment confirms what many of us have long known, which is that the Russian government’s cyberintelligence and cyberwarfare operations are done through a joint venture between criminal hackers with tremendous computer skills and conventional Russian intelligence officers.  Under the terms of this joint venture, the hackers working with the government are permitted to perform their own cybercriminal acts without fear of government interference so long as they do not attack Russian targets.  This is quite different from what is generally found in other centers of cybercriminal activity such as North Korea and China where the hackers are state workers.

Here is a link to a copy of the indictment:

https://www.justice.gov/opa/press-release/file/948201/download

TIPS

Whether the cybercriminals trying to attack you are state sponsored or not, the threat is still the same and the defensive measures you must take are no different. Cybersecurity requires constant diligence along with the recognition that you are only as safe as the places that have your information with the weakest security. Limit the amount of personal information you provide to anyone with whom you do business. It is also important to use and constantly update security software on all of your devices as well as avoid clicking on links or downloading attachments unless you are absolutely sure that they are legitimate. These are some of the basic steps we all should take to make ourselves safer in cyberspace.

 

Scam of the day – March 16, 2017 – IRS temporarily removes FAFSA-Autofill tool

If you are a college student, a parent of a college student or a parent of a high school student considering attending college, you are familiar with the online FAFSA form.  FAFSA stands for Free Application for Federal Student Aid and it is a form used by the U.S. Department of Education’s office of Federal Student Aid to determine eligibility for billions of dollars of federal grants, loans and work-study funds for college students.

The FAFSA form can be completed online and until recently contained an Autofill tool that enabled someone filling in the form to have specific financial information from their previous income tax returns automatically retrieved by the IRS and entered in the form thereby making the application process simpler and easier.  However, the IRS is now suspending the data retrieval feature on the FAFSA form due to concern about security and potential identity theft.  The IRS is estimating that it may take several weeks to remedy the problem.  Until then, anyone filling in a FAFSA form will need their previous income tax returns in order to insert the information required to complete the form.

TIPS

Anyone filling in a FAFSA form at this time will need to get the income tax information necessary to complete the form from hard copies of their income tax returns or from the software used to complete their income tax returns. If an applicant has neither a hard copy nor a digital record of his or her income tax returns, he or she can obtain a transcript of past federal income tax returns from the IRS. Here is a link to information about how to obtain copies of past tax returns from the IRS:

https://www.irs.gov/uac/newsroom/how-do-i-get-my-tax-transcript

Everyone should keep copies of past income tax returns, but you should not store them on the hard drive of your computer because storing them on your computer makes you susceptible to identity theft in the event that your computer is hacked.  Rather you should store this data either in the cloud or on a portable hard drive.

Scam of the day – March 15, 2017 – Arrests made in Craigslist apartment rental scam

Police in Linden, New Jersey have arrested Allan Betancourt and Myra Sullivan on charges related to a scam in which they are accused of listing apartments they did not own for rent on Craigslist and swindling victims out of thousands of dollars of security deposits and upfront rental payments.

Craigslist is a popular place to go for people looking for a home or apartment to rent.  It is also a popular place for scammers to place phony ads to cheat unsuspecting victims.  Last year, New York University’s School of Engineering did a study entitled Understanding Craigslist Rental Scams in which they analyzed more than two million home and apartment rental ads for twenty cities and found that 29,000 of the ads were most likely scams.

The most common scam involved an ad for rental housing that required the person responding to the ad to obtain their credit score by clicking on a link in the email by which the scammer replied when the victim responded to the advertisement.  Under affiliate programs with companies that provide credit scores, the scammers would get up to $18 for every referral.  The victim ends up paying for a credit score he or she doesn’t need.

Other scammers place phony listings and trick people into wiring money as a security deposit or first month’s rent before the victim finds out that the scammer does not own the home.  It is a simple matter for a scammer to copy and paste a legitimate real estate advertisement or listing into the scammer’s Craigslist ad, often indicating a temptingly low rent. Unfortunately, once the victim finds out that the scammer never owned the property and the ad was a scam, it is too late to get his or her money back.

TIPS

The vast majority of the listings on Craigslist are legitimate, but you only have to be cheated once to feel the pain.  When the rent looks too good to be true, you should immediately be skeptical.  When the landlord is out of the country and wants you to wire money, you should be even more skeptical and if by out of the country we mean Nigeria, you should really be skeptical.  Scammers prefer people to wire money because unlike a check or a credit card payment, it is almost impossible to stop payment or get the money back.

If you are considering responding to a rental housing advertisement on Craigslist, confirm that the person who says he or she is the owner actually is the owner by going to the tax assessor’s listings, which are available online. If the names don’t match, that is a recipe for disaster. Also, go online and see if you can find a duplicate listing for the home advertised on Craigslist.

Here is a link to the NYU study: http://engineering.nyu.edu/files/McCoycraigslist.pdf