Category: ‘Site Related’

Scam of the day – February 13, 2016 – Valentine’s day scams

February 13, 2016 Posted by Steven Weisman, Esq.

Tomorrow is Valentine’s day, which is a very important day to many people including scammers and identity thieves who always manage to find an opportunity in whatever is going on to scam you out of your money.  There are many Valentine’s day scams, but the most prevalent are phony florists, online dating scams, phony Valentine’s day electronic greeting cards and delivery scams.

Scammers set up phony florist websites or send you an email purporting to be from a local florist with a great deal you merely have to click on in order to save a great deal of money on flowers.

Online dating scams are plentiful with most revolving around scammers quickly professing true love for you and then asking for money.

Electronic greeting cards are a great way to send a Valentine’s day card at the last minute when you forgot to get one ahead of time, but phony electronic greeting cards can be filled with malware and if you click on the link to open the card, you will infect your computer or other electronic device with malware that will steal your personal information and use it to make you a victim of identity theft.

A common delivery scam operating on Valentine’s day involves a delivery of a gift basket of wine and flowers to you, however the person delivering the gift basket requests a small payment, generally five dollars or less, as a delivery fee because alcohol is being delivered.  The person delivering the basket will only accept a credit card as payment.  When you turn over your credit card, the scammer then takes down the information and runs up charges on your credit card.

TIPS

Never trust an online florist or other retailer until you have checked them out to make sure that they are valid.  Otherwise, you might be turning over your credit card information to a scammer.  It is also important to remember, as I constantly warn you, that you can never be confident when you receive an email, particularly one with a link in it or an attachment to download, if the person sending you the email is who they claim to be.  Clicking on links sent by scammers can download keystroke logging malware on to your computer or other electronic device that will, in turn, enable the identity thief to steal personal information from your computer and use it to make you a victim of identity theft.  Always confirm the legitimacy of an email or text message before clicking on links contained in the message.

As for online dating scams, of course you should be wary of anyone who immediately indicates he or she is in love with you and then asks for money.  Some other telltale signs of an online romance scam include wanting to communicate with you right away on an email account outside of the dating site, claiming to be working abroad, asking for your address and poor grammar which is often a sign of a foreign romance scammer.  Many romance scams originate in Eastern Europe.

Never trust an online greeting card, particularly if it does not indicate from whom it is being sent.  Be very wary of a card sent by “an admirer.”  Even if you recognize the name, confirm that it was really sent from that person before you click on the link and open the card.

In regard to the delivery scam, there is no special delivery charge for alcohol so if someone requires a payment for such a delivery and on top of that won’t accept cash, merely decline the gift.

Happy Valentine’s day and be safe.

Scam of the day – February 12, 2016 – Update on Facebook farming scam

February 12, 2016 Posted by Steven Weisman, Esq.

Today I am updating you about Facebook farming, which is a type of scam I warned you about four days ago in the Scam of the day for February 4th.  We have all seen Facebook postings urging us to click that we “like” them.  Sometimes it is an emotional appeal to show support for a sick child.  Sometimes it is to show support for a political message.  Today’s example illustrates another version of the scam.  In this version a familiar company promises a chance at a substantial prize merely for liking or sharing an offer.  In the one copied below, it appears Southwest Airlines (which they misspell as South West Air) is offering free first class tickets to anywhere in the world along with $5,000 spending money to the winners of this contest.  A savvy traveler will know, by the way, that Southwest does not have first class seating.

While some of the postings described above urging people to click on links or share the posting are legitimate, unfortunately sometimes they are not.  Often they are done to take advantage of Facebook’s algorithms that value the popularity measured by likes and shares which then appear on the Facebook pages of more people.  Although the original content liked or shared may appear sincere or entertaining, the scammers who use this technique, which is called “farming,” then are able to change the content to something entirely different from what was originally shared or liked.  This can be done for purposes of sending advertising or gathering marketing information, but, at its worst, it can be used to send malware infected content that can steal personal information from your computer and use it to make you a victim of identity theft.

TIPS

So what should you do?  Posts that promise some sort of prize for sharing or liking are most likely scams. If you think that the posting of a company offering a contest might be legitimate, you should go to the company’s website to find out if indeed it is legitimate or not.  As for the other scams, you may wish to be a bit skeptical before automatically sharing or liking a post. You may wish to even do a little research yourself to find out if the posting is legitimate.    A 2007 photo of a seven year old Pennsylvania girl with Stage IV cancer posing in her cheerleading uniform has been used numerous times for Facebook farming.  Today that girl is a cancer free teenager whose family is understandably outraged that their daughter’s photograph has been abused by scammers through Facebook farming.

Here is a copy of the scam contest appearing on the Facebook pages of many Facebook users.

 

Southwest Airlines scam on Facebook

Scam of the day – February 11, 2016 – Chase email phishing scam

February 11, 2016 Posted by Steven Weisman, Esq.

Phishing emails, by which scammers and identity thieves attempt to lure you into either clicking on links contained within the email which will download malware or providing personal information that will be used to make you a victim of identity theft, are nothing new.  They are a staple of identity thieves and scammers and with good reason because they work.  Here is a copy of a new phishing email that appears to come from Chase bank that is presently circulating. DO NOT CLICK ON THE LINK.

“Dear  User,
Your account requires verification due to our recent upgrade. It is mandatory that you confirm your details through our secure link below.

Chase/Connect
Thank you for your co-operation.

Sincerely Yours,

Chase Center© 2016 JPMorgan Chase & Co”

TIPS

An indication that this is a phishing email is that the email address from which it was sent had nothing to do with Chase, but most likely was from a computer that was part of a botnet of computers controlled remotely by the scammer.  In addition, legitimate credit card companies would refer to your specific account number in the email.  They also would not use the generic greeting “Dear User,” but would rather specifically direct the email to you by your name.  As with all phishing emails, two things can happen if you click on the links provided.  Either you will be sent to a legitimate looking, but phony webpage where you will be prompted to input personal information that will be used to make you a victim of identity theft or, even worse, merely by clicking on the link, you will download keystroke logging malware that will steal all of your personal information from your computer and use it to make you a victim of identity theft.  If you receive an email like this and think it may possibly be legitimate, merely call the customer service number on the back of your credit card where you can confirm that it is a scam.
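The three indicators named above (a sender address unrelated to Chase, the generic greeting, no reference to your specific account), applied to a message modeled on the one quoted in this post. This is an added example, not part of the original post; the sender addresses, the brand-to-domain list and the "ending in 1234" account pattern are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumption: brands the reader deals with and the domains they really mail from.
BRAND_DOMAINS = {"chase": {"chase.com"}}

GENERIC_GREETING = re.compile(r"^\s*dear\s+(?:user|customer|client|member)\b", re.I | re.M)
# Assumption: a genuine notice identifies the account, e.g. "ending in 1234".
ACCOUNT_REF = re.compile(r"\bending\s+in\s+\d{4}\b", re.I)


def domain_matches(sender_domain, allowed):
    """True only for an allowed domain or one of its subdomains.
    A plain substring test would accept chase.com.example.net."""
    return any(sender_domain == d or sender_domain.endswith("." + d) for d in allowed)


def phishing_indicators(raw_email):
    """Return the indicators from the post that are present in the message."""
    msg = message_from_string(raw_email, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    body = "\n".join(part.get_content() for part in msg.walk()
                     if part.get_content_type() == "text/plain")
    text = f"{display} {msg.get('Subject', '')} {body}".lower()

    findings = []
    for brand, domains in BRAND_DOMAINS.items():
        # The message names the brand but was not sent from the brand's domain.
        if re.search(rf"\b{re.escape(brand)}\b", text) and not domain_matches(domain, domains):
            findings.append(f"sender domain {domain!r} is not a {brand} domain")
    if GENERIC_GREETING.search(body):
        findings.append("generic greeting instead of the recipient's name")
    if not ACCOUNT_REF.search(body):
        findings.append("no reference to a specific account")
    return findings


# Constructed sample: body taken from the email quoted in the post,
# headers invented for the example.
PHISH = """\
From: Chase Center <notice@mail.example.net>
To: reader@example.org
Subject: Account verification

Dear User,
Your account requires verification due to our recent upgrade. It is mandatory
that you confirm your details through our secure link below.

Chase/Connect
Thank you for your co-operation.
"""

# Constructed sample of a message that shows none of the three indicators.
NAMED = """\
From: Chase <alerts@notify.chase.com>
To: reader@example.org
Subject: Your statement is ready

Dear Jane Doe,
The statement for your account ending in 1234 is now available.
"""

if __name__ == "__main__":
    for label, raw in (("PHISH", PHISH), ("NAMED", NAMED)):
        print(label, phishing_indicators(raw))
```

An empty result only means none of these three indicators fired; the From header itself can be forged, which is why calling the number on the back of your card remains the confirming step.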

Scam of the day – February 10, 2016 – FTC sues DeVry University

February 10, 2016 Posted by Steven Weisman, Esq.

For profit universities have been a target of state and federal investigations for years.  I have written about this topic since 2012.  It should be noted that not all for profit colleges are scams, but there are a large number of for profit colleges, sometimes referred to as “diploma mills” that at times offer credit for your “life experience” and lure students in with promises of a helpful degree, but the students end up with a worthless degree and an empty wallet.  Sometimes the names of these scamming colleges and universities are confusingly similar to legitimate colleges.  For instance, Columbia State University is a diploma mill while Columbia University is an eminent Ivy League school.

Now the Federal Trade Commission is suing for profit DeVry University alleging that the university’s advertising, particularly as it relates to their graduates’ opportunities for getting a job after graduation, is false and deceptive.  Similarly the U.S. Department of Education is also taking legal action against DeVry based on its advertising and marketing practices.

TIP

Check out any school you are considering attending that is a for profit university with the United States Department of Education’s website at www.ope.ed.gov/accreditation to make sure it is an accredited institution.

You also should investigate whether a local college, university or community college would be more cost effective for you.  For profit colleges and universities are often more expensive than these other alternatives without offering any distinct advantages.  Also, check out the graduation rates of any for profit college you are considering and finally, investigate the job prospects in your field of study.  Don’t just take the word of the college.

Scam of the day – February 9, 2016 – FDA issues new draft guidelines for medical device cybersecurity

February 9, 2016 Posted by Steven Weisman, Esq.

By now, we are all familiar with the Internet of Things which presently includes 5 billion devices and is expected to grow to 25 billion devices by the year 2020.  The Internet of Things is the popular name for the technology by which products and devices are connected and controlled over the Internet.  The range of products that are a part of the Internet of Things is tremendous and includes, cars, refrigerators, televisions, fitness bands, webcams, toys and even medical devices.  The Internet of Things offers tremendous opportunities for constructive and efficient use of these products, but as with any technology connected through the Internet also provides an opportunity for hackers to exploit the technology for their own criminal purposes.

While hacking of medical devices sounds like something out of fiction, in 2007, former Vice President Dick Cheney was so concerned about hackers that he had the Internet connection on his pacemaker disabled.  In September 2015, the FBI issued a warning saying that “Once criminals have breached such devices, they have access to any personal or medical information stored on the devices and can possibly change the coding controlling the dispensing of medicines or health data collection.”  In 2013, the Food and Drug Administration (FDA) initially issued guidelines for these medical products and now the FDA has issued a new Draft Guidance document with recommendations for how companies should be dealing with the important issue of cybersecurity in medical devices.  Medical device manufacturers affected by the Draft Guidance have until April 21, 2016 to submit comments to the FDA.

TIPS

While medical device manufacturers and the government work on security standards for Internet connected medical devices, what can you do to protect yourself in the meantime? The most important thing you can do is find out what information is stored on your device and how it is accessed.  Also learn about the use of password protection and make sure that your device is not still using a default password.  Learn from the manufacturer what steps they have already taken to protect your device from being hacked.  If your device uses an open wifi connection, you should change it to operate exclusively on a home network with a secured wifi router.  If your device is capable of transmitting data, make sure that the transmissions are encrypted.

Scam of the day – February 8, 2016 – The dangers of Facebook farming

February 8, 2016 Posted by Steven Weisman, Esq.

We have all seen Facebook postings urging us to click that we “like” them.  Sometimes it is an emotional appeal to show support for a sick child.  Sometimes it is to show support for a political message. Sometimes these appeals are legitimate, but unfortunately sometimes they are not.  Often they are done to take advantage of Facebook’s algorithms that value the popularity measured by likes and shares which then appear on the Facebook pages of more people.  Although the original content liked or shared may appear sincere or entertaining, the scammers who use this technique, which is called “farming,” then are able to change the content to something entirely different from what was originally shared or liked.  This can be done for purposes of sending advertising or gathering marketing information, but, at its worst, it can be used to send malware infected content that can steal personal information from your computer and use it to make you a victim of identity theft.

TIPS

So what should you do?  Posts that promise some sort of prize for sharing or liking are most likely scams. As for the other scams, you may wish to be a bit skeptical before automatically sharing or liking a post. You may wish to even do a little research yourself to find out if the posting is legitimate.    A 2007 photo of a seven year old Pennsylvania girl with Stage IV cancer posing in her cheerleading uniform has been used numerous times for Facebook farming.  Today that girl is a cancer free teenager whose family is understandably outraged that their daughter’s photograph has been abused by scammers through Facebook farming.

Scam of the day – February 7, 2016 – 20 million accounts hacked on Alibaba’s Taobao shopping website

February 7, 2016 Posted by Steven Weisman, Esq.

Alibaba is the biggest online shopping website in China and perhaps the world.  Hundreds of millions of people use its three main websites, which, of course, makes it a target for hackers. Recently, Alibaba revealed that 20.59 million accounts of Alibaba’s Taobao e-commerce shopping site were accessed by hackers.  The hacking was not due to a failure of the security of Alibaba, but rather, as I wrote about in the Scam of the day for February 3rd in which I discussed the hacking of online income tax preparer TaxAct, through the use of user names and passwords stolen from other websites. In the case of Taobao, the hackers used a black market database of the user names and passwords of 99 million people and found that 20.59 million of the user names and passwords used on other hacked websites were also used on Taobao.  Alibaba said it managed to identify and block much of the unauthorized access to its customers’ accounts and Chinese law enforcement have already arrested twenty-five people in regard to the cyberattack.

TIPS

Whether you are a user of Taobao or not, the lesson is clear that you should have unique user names and passwords for all of your online accounts.  It is not that difficult to do.   The failure of people to protect themselves by using unique, distinct passwords for each of their accounts substantially contributes to their risk of identity theft.  Passwords should be complex so they cannot be broken by simple brute force attacks that use millions of guessable combinations such as any word in the dictionary or such common passwords as 123456.  One good way to pick a complex password is to pick a phrase, such as “I Don’t like passwords” and turn it into the basis for a password by making it IDon’tLikePasswords.  This password is already complex in that it has words and a symbol.  Now add a couple of symbols at the end of the password so it may read IDon’tLikePasswords!!! and you have an easy to remember, but strong password.  Now you can just adapt it for each of your online accounts with a few letters to identify the account.  Thus, your Amazon password can be IDon’tLikePasswords!!!Ama and you have a strong, but easy to remember password.

In addition, whenever you can use dual factor authentication, you should take the opportunity to do so. With dual factor authentication, you receive a one time code by way of your smartphone each time you go to your online account.  Although this may seem like an inconvenience, it is extremely useful and not terribly time consuming.

Scam of the day – February 6, 2016 – American Chamber of Commerce scam

February 6, 2016 Posted by Steven Weisman, Esq.

In Romeo and Juliet, Shakespeare asked, “What’s in a name?”  The answer, according to recent reports from the Better Business Bureau, is a scam if a business receives a telephone call purportedly from the American Chamber of Commerce.  Business owners and employees may confuse that name with the U.S. Chamber of Commerce.  There is no American Chamber of Commerce that operates in the United States although organizations with that name operate in foreign countries such as Australia and Ireland.  The caller supposedly representing the American Chamber of Commerce explains in the call that they are updating the information about the company being called in the Chamber’s latest directory and they just need to confirm some basic company information such as company officers, phone numbers and other, what would appear to be, innocuous information.  But it isn’t.  Once this information has been gathered the scammers use this information for more targeted spear phishing attacks against the company in a variety of scams including phony invoices and scams in which company employees are lured into clicking on malware infected links in emails that appear to be quite legitimate due to the large amounts of accurate and relevant information contained in the email.

TIPS

Trust me, you can’t trust anyone.   This motto of mine is valuable to businesses and individuals.  Whenever you receive an email, text message or phone call, you can never be sure who actually is contacting you.  In this particular scam, even if your Caller ID would make it appear that the caller is who they say they are, Caller ID can be fooled through a technique called spoofing to make it appear that it is a legitimate person or company calling when, in fact, it is a scammer contacting you.  Providing even what would appear to be unimportant information can be used by scammers to make their spear phishing more effective and believable including phony invoices sent to the proper person in a company.  When it comes to invoices, nothing should be paid until the exact bill has been confirmed as being legitimate.  As for providing information in regard to a phone call, email or text message, the best thing to do is to refrain from providing it until you have confirmed not only that the inquiry is legitimate, but also that the company asking for the information, even if they are a real company, has a legitimate reason for having that information.  Limiting the availability of too much information about you or your company will help protect you from scams and identity theft schemes.

Scam of the day – February 5, 2016 – Data breach at the University of Central Florida

February 5, 2016 Posted by Steven Weisman, Esq.

The University of Central Florida has announced that its computer system had been hacked and data on as many as 63,000 present and former students, faculty and staff was taken.  The stolen data includes data on employees of the University going back as far as the 1980s.  Included in the compromised data were names and Social Security numbers which can be used by hackers for purposes of identity theft.  Although the data breach was discovered last month, it was only announced yesterday in order to give the University time to conduct an investigation into the matter. Everyone affected by the data breach will receive a letter in the mail with information about how to sign up for free credit monitoring and identity theft protection services.  The University will not be contacting people by email or text messages, so if you do receive such a communication related to this data breach, it is a scam.

TIPS

The initial letters to those affected by the data breach will be going out today, but you can also call a special hot line set up by the University for more information at 877-752-5527 or go to the website set up by the University to provide information and assistance to those involved in the data breach.  The website is http://www.ucf.edu/datasecurity/

Although in this instance, the Social Security numbers of those affected by the data breach legitimately needed to be obtained by the University because the bulk of those whose data was compromised were employees of the University including students involved in work-study programs, colleges and universities are notorious for both gathering personal information that they often do not need as well as storing and maintaining that information long after the need for that information no longer exists.  So long as colleges and universities continue to both gather large amounts of personal information and fail to adequately protect that information, they will continue to be targets of hackers and identity thieves.

Scam of the day – February 4, 2016 – Internet connected teddy bear hackable

February 4, 2016 Posted by Steven Weisman, Esq.

Just last Fall, toy maker Fisher-Price started selling a new Internet connected interactive teddy bear.  This toy is one of many Internet connected products that are a part of the rapidly expanding Internet of Things about which I have written many times.  While entertaining and convenient, the Internet of Things, which encompasses all manner of products from cars to refrigerators to even medical devices, brings with it security concerns due to the possibility of hacking, which, in the case of Smart Toy, the Fisher-Price stuffed bear, was a legitimate concern.  Rapid7, a security firm, discovered that the app connected to the toy had numerous security flaws that would have enabled a hacker to steal the child’s name, birth date and gender.  This information could have been misused by a hacker and created identity theft issues for the child.  The information also could have been used by a hacker to create dangerous spear phishing emails likely to trick targeted family members into downloading dangerous malware.  Rapid7 notified Fisher-Price about the security flaws and Fisher-Price has corrected the problems.

TIPS

Fortunately, there are a number of steps you can take to make your use and your children’s use of products that are a part of the Internet of Things safer.  The fewer places that have your personal information, the safer you are, so if you need to provide a birth date or other information, consider providing intentionally incorrect information.  There is no law requiring you to provide your or your child’s correct birth date.  Also set up a separate email address for your Internet of Things devices and products.

Many of the devices that make up the Internet of Things come with preset passwords that can easily be found.  Change your password as soon as you set up the product.

Set up a guest network on your router exclusively for your Internet of Things devices.