Scam of the day – November 19, 2017 – Income tax identity thief sentenced

Michael Oluwasegun Kazeem, a 24-year-old Nigerian living in Oregon, was sentenced this week to seven years in prison for his participation in an income tax identity theft scam in which he and his co-conspirators filed 2,900 income tax returns using personal information stolen from a variety of sources, including the IRS’ own Get Transcript program, by which people are able to get copies of their previous income tax returns. Kazeem and his fellow criminals successfully obtained more than 11 million dollars in bogus refunds from the IRS.

TIPS

Along with protecting your personal information, particularly your Social Security number, as much as you can, the best thing you can do to avoid becoming a victim of income tax identity theft is to file your income tax return early. Income tax identity theft can only be accomplished when the criminal files an income tax return using your name and Social Security number before you file your own legitimate income tax return, so consider filing as early as possible.

Scam of the day – November 18, 2017 – Is the iPhone X facial recognition system safe?

Everyone is concerned about security on their smartphone, and passwords have too often proved insufficient to protect the privacy of your device. The new iPhone X incorporates biometrics through a facial recognition system that will provide you access to your phone simply and easily. However, as always, there is a concern about whether this system can be exploited by hackers.

Recently a Vietnamese research team called Bkav claimed to have breached the security of the iPhone X’s facial recognition system by utilizing a 3D printer, a hand-sculpted nose and a custom skin surface to create a mask that was able to hack the phone.

While some people are skeptical as to whether or not Bkav actually did manage to hack the phone, even if they did manage to do so, the level of effort required and technological sophistication is such that ordinary users of the iPhone X face little risk of having their facial recognition system hacked.

TIPS

Regardless of the type of smartphone you have there are a few steps that you should take to keep your phone secure.

First and foremost, you should lock your phone with a PIN or a password. Some phones will allow you to use biometrics that unlock your phone with your fingerprint. You also should encrypt the data stored on your phone and back up everything you store on your phone in the cloud or on your computer. It is also important to enable your phone to wipe out all of the data in your phone remotely so that if it is stolen, you can immediately delete the data contained in your phone. You also should use a tracking app to locate your phone if it is lost or stolen.

There are many other tips that you should follow to use your phone safely and securely, but those are for another day.

Scam of the day – November 17, 2017 – Amazon phishing email scams

Shopping on Amazon is extremely popular both with consumers and with scammers seeking to exploit Amazon’s popularity. With the holiday shopping season rapidly approaching, scammers are sending various types of phishing emails which purport to be from Amazon and attempt to lure you into either clicking on links which can download malware, such as ransomware or keystroke logging malware, or providing personal information that can be used to make you a victim of identity theft.

Here are three examples of Amazon related phishing emails presently being used. As so often is the case with these types of phishing emails, they do not contain your account number in the email. Two of them contain a legitimate looking Amazon logo, but that is easy to counterfeit.

Dear Customer,

We have recently upgraded our server for the help of our customers, and we recommend a new security features as part of our commitment to keep our customers safe.  For security measures the following information is required to solidify your profile.

INFECTED LINK WAS FORMERLY LOCATED HERE.  IT HAS BEEN REMOVED FROM THIS COPY

Your sincerely

Amazon

© 2017 Amazon or its affiliates.
All rights reserved
410 Terry Avenue N., Seattle, WA 98109-5210.
Reference:219862590

TIPS

There are a number of indications that these are not legitimate emails from Amazon, but instead are phishing emails. Legitimate emails from Amazon would be directed to you by name rather than being addressed to “Dear Customer.” As with all phishing emails, two things can happen if you click on the links provided. Either you will be sent to a legitimate looking, but phony webpage where you will be prompted to input personal information that will be used to make you a victim of identity theft or, even worse, merely by clicking on the link, you may download keystroke logging malware that will steal all of your personal information from your computer or smartphone and use it to make you a victim of identity theft.

If you receive emails like these and think they may possibly be legitimate, merely call the customer service number for Amazon where you can confirm that it is a scam.

November 16, 2017 – Steve Weisman’s latest column for the Saturday Evening Post

It isn’t even Thanksgiving yet, but many people are turning their thoughts to holiday shopping.  Here is a copy of my column for the Saturday Evening Post in which I provide tips for safe online shopping.

Con Watch: 7 Tips for Safely Shopping Online

Scam of the day – November 16, 2017 – FTC charges debt collectors with fraud

Receiving a telephone call from a debt collector is not a pleasant experience. Being hounded by someone attempting to collect a debt you do not owe is fraud. The Federal Trade Commission (FTC) has recently brought charges against a Georgia-based debt collection business that the FTC claims collected more than 3.4 million dollars in relation to non-existent debts. They were also accused of using collection tactics that violated the Fair Debt Collection Practices Act. Charges were brought against Lamar Snow, Jahaan McDuffie and Glentis Wallace along with a number of collection companies they operated under various names.

TIPS

Subject to strict federal laws, legitimate debt collectors are permitted to call debtors. However, the law prohibits them from threatening imprisonment for the failure to pay a debt and from attempting to collect a debt the debt collector knows is bogus.

It can be difficult to know when someone calls attempting to collect a debt if indeed they are legitimate or not, so the best course of action if you receive such a call is to not discuss the debt with the person calling, but instead demand that they send you a written “validation notice” by regular mail which describes the debt they allege you owe and includes a listing of your rights under the Federal Fair Debt Collection Practices Act.  Never give personal information over the phone to anyone who calls you attempting to collect a debt.  You can never be sure who they are.  If you receive the validation notice and it appears to be legitimate, you may be better off contacting your creditor directly because the person who called you may not be representing the creditor, but may merely have information about the debt.

Scam of the day – November 15, 2017 – New updates for Adobe Flash

As we learned again, most recently with the Equifax data breach, failing to install security patches and updates for your software as soon as they become available can lead to disastrous consequences. Adobe has recently issued critical updates to a number of its software programs, including the popular but seriously vulnerable Adobe Flash.

Flaws in Adobe Flash have been exploited by hackers and identity thieves against individuals, companies and government agencies including the U.S. State Department and the White House. In 2010 Steve Jobs vociferously complained about its security and it has routinely been cited as being extremely vulnerable. According to the security company Symantec, in 2015 80% of the newly discovered software vulnerabilities which can be exploited by malware created by cybercriminals involved Adobe Flash. Adobe has announced that it will be retiring Adobe Flash in 2020. It will still be issuing security patches until then, but now is a good time to move away from Adobe Flash if you have not already done so.

TIPS

If you are going to continue to use Adobe Flash, it is imperative that you update your software with the latest security patches when they are issued.  Here is a link to the latest updates for Adobe Flash.

https://www.us-cert.gov/ncas/current-activity/2017/11/14/Adobe-Releases-Security-Updates

However, it may well be time for you to replace Adobe Flash to avoid future problems.

Here is a link to a website with alternative plugins you may wish to consider to replace Adobe Flash.

http://alternativeto.net/software/flash-player/

Scam of the day – November 14, 2017 – Utility Scam Awareness Day

Scams involving utility bills for electric, water or gas services have long been popular with scammers. Utilities United Against Scams, a consortium of more than 100 American and Canadian utility companies, has designated tomorrow, November 15th, as Utility Scam Awareness Day.

In one version of the scam, potential victims receive telephone calls purportedly from their utility company informing them of a special company promotion for which they are eligible.  They just need to provide some personal information.

In another version, potential victims are called on the phone and told that their utility service will be terminated for non-payment unless they pay by credit card or prepaid cards such as iTunes cards over the phone.

In a third version of this scam, potential victims receive an email that has a link to take them to their bill.

All of these are scams. In the first, there is no special promotion and the victim ends up providing personal information that leads to identity theft. In the second, the victim is coerced into giving their credit card or prepaid card information to a scammer. In the third, merely by clicking on the link to go to the phony bill, the victim ends up downloading keystroke logging malware or ransomware that can lead to identity theft or worse.

TIPS

You can never be sure when you get an email or a telephone call if it is really from a legitimate source.  Email addresses can be hacked to appear legitimate and even if you have Caller ID, a scammer can use a technique called “spoofing” to make it appear that the call is from a legitimate caller.

Trust me, you can’t trust anyone.  Never provide personal or financial information to anyone in response to a telephone call, text message or email until you have independently confirmed that the communication was legitimate.  In the case of a utility bill, merely call the number on the back of your bill and you will be able to confirm whether or not the communication was legitimate.  Also, never click on links unless you have confirmed that they are legitimate.  The risk is too great.  It is also important to remember that no legitimate utility company will require you to immediately pay your bill over the phone with a prepaid card such as an iTunes card.

Scam of the day – November 13, 2017 – FTC settles charges with online tax preparation service

Between October of 2015 and December of 2015, cybercriminals were able to hack into the accounts of almost 9,000 customers of legitimate online tax preparation service TaxSlayer Online.  The hackers used the information gathered in the data breach to make TaxSlayer Online’s customers victims of income tax identity theft and obtained phony tax refunds using the names and information of their victims.

The Federal Trade Commission (FTC) brought legal action against TaxSlayer for its failure to secure the data of its customers and other security related violations. Among the more serious charges was that TaxSlayer Online failed to notify its customers when a change was made to the bank account to which their tax refund would be sent.

TaxSlayer Online has come to a settlement with the FTC pursuant to which it will be taking extensive security steps to prevent such data breaches in the future.

TIPS

This case again emphasizes the fact that we are only as safe as the places with which we do business that have the worst security. So what should we be doing to help keep ourselves safe? First and foremost, everyone should use a unique password for each and every online account that they have. It is not that difficult to do. In addition, whenever you can, use dual factor authentication. With dual factor authentication, you receive a one time code by way of your smartphone each time you go to your online account. Although this may seem like an inconvenience, it is extremely useful and not terribly time consuming.

Scam of the day – November 12, 2017 – New online employment scam

I have been warning you about employment related scams for years and today’s scam represents the most recent incarnation of scams that involve seeking employment.

Searching for a job online has become the norm for many people seeking employment and there are many legitimate online employment websites such as Careerbuilder.com and Monster.com. However, merely because an ad for a job appears on a legitimate website does not mean that the job is for real. It may be just a scam seeking either personal information to make you a victim of identity theft, your money or both. Do not assume because you see an ad for a job on a legitimate employment website that the ad is legitimate. Although Careerbuilder.com, Monster.com and other online employment agencies do their best to screen their ads, they can’t be even close to perfect.

In the newest variation of the scam, the scammers will first do research on their victims and read their resumes. They then contact the victim and offer them a job, but tell the victim that he or she will need to purchase some equipment and pay a fee for training. A check is sent to the victim to pay for the equipment. The unwary victim deposits the counterfeit check and gets provisional credit from his or her bank before the check is discovered to be counterfeit, which can take weeks. At this point the funds are taken back from your account by your bank, but meanwhile the money you have wired as instructed to the scammer is lost forever.

TIPS

Never spend money to apply for a job. Legitimate employers do not require fees. Google the address, telephone number and name of the company to see if they match what you have been told. Don’t send a resume with personal information, such as your Social Security number, that can be used to make you a victim of identity theft. If an ad appears to be from a company that you know is legitimate, confirm by a telephone call to the real company’s HR department that the ad you are answering is legitimate. A legitimate company will eventually need your Social Security number, but not early in the process. Make sure that you have confirmed that the job is legitimate before providing this information.

In regard to this particular scam, you should investigate the company thoroughly before agreeing to anything and never consider a check as being legitimate until it has fully cleared.

Scam of the day – November 11, 2017 – New Netflix phishing email

The popularity of Netflix makes it a preferred subject for phishing emails that appear to come from Netflix, in which you are told you need to update your credit card information or are asked for other personal information. As recently as September 24th I warned you about a new Netflix phishing email and now there is an even newer one being circulated that requires you to provide your personal information including your credit card number or else your account will be suspended. Reproduced below is a copy of the email presently being circulated. It looks legitimate, but it is easy to counterfeit the Netflix logo and make the email appear to be legitimate when it is not. Two things can happen if you click on the link in the email. Either you will be directed to a phony but legitimate looking website where you will be prompted to input your credit card information and thereby turn it over to an identity thief or, even worse, merely by clicking on the link, you will download keystroke logging malware that can steal all of the information from your computer and use it to make you a victim of identity theft.

[Screenshot of the Netflix phishing email]

TIPS

As I always say, “trust me, you can’t trust anyone.”  You can never be truly sure when you receive an email seeking personal information such as your credit card number whether or not the email is a scam.  The risk of clicking on a link or providing the requested information is just too high. Instead, if you think that the email might be legitimate, you should contact the company at a telephone number that you know is legitimate and find out whether or not the email was a scam.

As for Netflix in particular, it will never ask in an email for any of your personal information so anytime you get an email purportedly from Netflix asking for your credit card number, Social Security number or any other personal information, it is a scam.  Here is a link to Netflix’s security page for information about staying secure in regard to your Netflix account.  https://help.netflix.com/en/node/13243