Category: ‘Site Related’

Scam of the day – September 30, 2016 – New Chase Bank phishing email

September 30, 2016 Posted by Steven Weisman, Esq.

Phishing emails, in which scammers and identity thieves attempt to lure you into either clicking on links that download malware or providing personal information that will be used to make you a victim of identity theft, are nothing new. They are a staple of identity thieves and scammers, and with good reason: they work. Reproduced below is a copy of a new phishing email presently circulating that appears to come from Chase Bank. It comes with the heading, “Chase Bank detected suspicious activity.” DO NOT CLICK ON THE LINK. Chase is a popular target for this type of phishing email because it is one of the largest banks in the United States. Like so many phishing emails, this one attempts to lure you into responding by making you think there is an emergency to which you must respond. As phishing emails go, this one is not particularly convincing. The email address from which it was sent is that of an individual totally unrelated to Chase and is most likely the address of someone whose email account was hacked and made a part of a botnet of computers used by scammers to send out phishing emails. Also, the word “now” is incorrectly capitalized. No logo for Chase Bank appears anywhere in the email and, most telling, the email is not directed to you by name and does not contain your account number.

Confirm Transaction

Your online account has been suspended (Reason: the violation of terms of service).
Update and Restore your online account Now
Log On
Thank you for using Chase Bank.
Member FDIC © 2016 Chase Bank Financial Corporation. All Rights reserved.

 
TIPS

There are a number of indications that this is not a legitimate email from Chase, but instead is a phishing email. Legitimate credit card companies would refer to your specific account number in the email. They also would specifically direct the email to you by your name. This email has no salutation whatsoever. As with all phishing emails, two things can happen if you click on the links provided. Either you will be sent to a legitimate-looking but phony webpage where you will be prompted to input personal information that will be used to make you a victim of identity theft or, even worse, merely by clicking on the link, you may download keystroke logging malware that will steal all of your personal information from your computer or smartphone and use it to make you a victim of identity theft. If you receive an email like this and think it may possibly be legitimate, merely call the customer service number, where you can confirm that it is a scam. Make sure that you dial the telephone number correctly, because scammers have been known to purchase phone numbers that are just a digit off from the legitimate numbers for financial companies such as Chase, to trap you if you make a mistake in dialing the real number.

Scam of the day – September 28, 2016 – Apple iOS 10 vulnerable to hacking

September 28, 2016 Posted by Steven Weisman, Esq.

The Russian security firm Elcomsoft has discovered a major security flaw in iOS 10, the operating system used on Apple’s iPhones, that enables hackers to more readily get through the iPhone’s security system and access data stored on a PC or Mac computer. This is a significant security flaw; Apple has acknowledged its existence and is busy working on a solution. As soon as a security update for iOS 10 is released, I will report on it to you.

TIPS

Meanwhile if you have an iPhone using the iOS 10 operating system, you should make sure your PC or Mac where you store data from your phone is protected with a strong and unique password.  You should also encrypt all of the data stored on your computer to further protect its security.

Scam of the day – September 27, 2016 – Another phony email lottery scam

September 27, 2016 Posted by Steven Weisman, Esq.

I often write about phony lottery scams because year after year they are among the most common and effective scams, and with good reason. Often blinded by their greed, many people fall for these scams and end up paying thousands of dollars to scammers while receiving nothing in return. Generally, there are two ways that phony lotteries work. Either you are told that in order to claim your prize, you must pay administrative fees or income taxes to the lottery sponsor. In both cases, victims pay money to the phony lottery sponsors and never see a dime. Here is a copy of a recent lottery scam email I received. It purports to be from the International Monetary Fund, an international financial organization which works under the United Nations and which does not ever offer lotteries. This is a poorly constructed phishing email that contains numerous instances of poor grammar and spelling and makes no sense whatsoever. The email addresses contained within the email may well be those of innocent people whose emails have been hacked. We can’t tell from the email whether the email addresses are those of the scammers or merely email addresses they control through a botnet.

“$5,000 PAYMENT”
When: Tuesday, 27 September 2016
12:30 PM to 01:30 PM
(GMT) Greenwich Mean Time – Dublin/Edinburgh/Lisbon/London
Mail Dear Email ID Owner, USD $5,000 PAYMENT WE SENT TODAY TO PICK UP. The IMF is compensating all the email addresses,was fund as one of the ward win Victims and your mail address with your name is listed among one of the approved to pay sum of US$2.5 million. We have concluded to effect your own payment through Western Union Money Transfer for easy pick up those fund in good condition,$5,000 twice daily until the total sum of US$2.5 million is completely transferred to you. Now: we need your information where we will be sending the funds as following below: (1)Your Full name…: (2)Your Phone number:… (3)Your Country:… (4)Your Age:… (5)Your private E-Mail..: For urgent enquiry call Tel; +229 66024650 Mr.Steven Moses for the payment E-mail: (wesunion.wu101@gmail.com) Call Steve immediately you get this mail to enable him speed up your payment immediately to released US$5000 dollar MTCN to you for picking up the payment today ok Best Rgards, Mrs.Esther Richardson. Private e-mail: eestherichardson@hotmail.com IMF MANAGEMENT.

 

TIPS

As I have often told you, it is difficult to win a lottery you have entered.  It is impossible to win one that you have not even entered.  You should always be skeptical when told that you have won a lottery you never entered.    It is also important to remember that it is illegal to play foreign lotteries unless you are present in the other country.  While it is true that income taxes are owed on lottery winnings, legal lotteries never collect tax money from winners.  They either deduct the taxes from the winnings or leave it up to the winners to pay their taxes directly to the IRS.  As for administrative fees, you never pay a fee to collect a legal lottery prize.

Scam of the day – September 26, 2016 – Arrest made in hacking of Pippa Middleton’s iCloud account

September 25, 2016 Posted by Steven Weisman, Esq.

It took only a day from the news becoming public that someone had hacked into the iCloud account of Pippa Middleton, the sister of Princess Kate, the Duchess of Cambridge, for authorities to make an arrest. According to Scotland Yard, a thirty-five-year-old man has been arrested on suspicion of a Computer Misuse Act Offense related to the hacking. The hacker claimed to have stolen about 3,000 private photographs, including some of her sister Kate as well as her children Prince George and Princess Charlotte, along with nude photos of her fiance James Matthews. Someone purporting to be the hacker contacted several media outlets offering to sell the photographs for approximately $65,000. At the present time, it is not known how the security breach occurred. You may remember that it was not long ago that nude photos of celebrities such as Jennifer Lawrence and Kate Upton that had been stored on iCloud were stolen and released to the public. In those instances, the hacker obtained the usernames and passwords of his victims by merely sending them phishing emails that appeared to come from Apple, in which they were asked to verify their accounts by clicking on a link which took them to a website that appeared to be a login page for Apple. Once they entered their information, the hacker had all the information that he needed to access his victims’ accounts. Although Kate Upton and Jennifer Lawrence as well as a number of other hacked celebrities did not use it, Apple has a dual factor authentication security option by which a user’s account can only be accessed after he or she has received an authentication code on their smartphone each time the user accesses his or her account. Had this security option been used by Kate Upton, Jennifer Lawrence and the other celebrities involved in the celebrity nude photo hacking, their security would not have been breached. It is a good option for everyone.

TIPS

For anyone who uses iCloud, you should first protect yourself from phishing attacks, such as the one that was used against Kate Upton and Jennifer Lawrence by always being skeptical when you are asked to provide personal information, such as your user name, password or any other personal information in response to an email or text message.  Trust me, you can’t trust anyone.  Always look for telltale signs that the communication is phony, such as bad grammar or the sender’s email address which may not relate to the real company purporting to send you the email.  Beyond this, even if the email or text message appears legitimate, it is just too risky to provide personal information in response to any email or text message until you have independently verified the message by contacting the real company that purportedly is sending the message.  In addition, you should also use dual factor authentication, which is another tool that would have prevented the Kate Upton and Jennifer Lawrence hacking.

Scam of the day – September 25, 2016 – Companies continue to fall victim to BEC fraud

September 25, 2016 Posted by Steven Weisman, Esq.

This is another fraud about which I have written a number of times in the past that continues to plague businesses around the world. It is called the Business Email Compromise scam (BEC) and the FBI has noted a 1,300% increase in this crime since 2015. The scam involves an email to the people who control payments at a targeted company. These people receive an email purportedly from the CEO, company attorney or even a vendor with whom the company does business requesting funds be wired to a phony company or person. At its essence, this scam is remarkably simple and relies more on simple psychology than on sophisticated computer malware. Often the scammers will do significant research not only to learn the names of the key employees involved with payments within a company, but also will infiltrate the email accounts of company employees for a substantial period of time to learn the protocols and language used by the company in making payments. The scammers will also gather information from the company’s website and from social media accounts of its employees, all in an effort to adapt their message to seem more legitimate.

The latest company to fall victim to this scam is Leoni AG, a German company that is one of the world’s biggest manufacturers of electronic cables.  It recently lost 40 million euros (approximately 44.6 million dollars) when it wired money in response to an email that was written in a manner that showed familiarity with Leoni’s internal procedures for approving and transferring funds.  Generally this occurs when the hackers have infiltrated the computer systems of their victim for sufficient time to observe how payments are made.

TIPS

In order to avoid this scam, companies should be particularly wary of requests for wire transfers made by email. Wire transfers are the preferred method of payment of scammers because of the impossibility of getting the money back once it has been sent. Verification protocols for wire transfers and other bill payments should be instituted, including dual factor authentication when appropriate. Companies should also consider the amount of information that is available about them and their employees that can be used by scammers to perpetrate this crime. They also should have strict rules regarding company information included on employee social media accounts that can be exploited for “spear phishing” emails, which play a large part in this scam. Finally, employees should be specifically educated about this scam in order to be on the lookout for it.

September 24, 2016 – Steve Weisman’s latest column for USA Today

September 24, 2016 Posted by Steven Weisman, Esq.

Protecting your privacy and security while using your smartphone is of great concern to everyone.  This is a lesson that Pippa Middleton just learned when her smartphone was hacked.  Here is a link to my column from today’s edition of USA Today in which I give you ten tips to protect your safety and security while using your smartphone.

http://www.usatoday.com/story/money/columnist/2016/09/24/staying-safe-your-smartphone/87446674/

Scam of the day – September 24, 2016 – Massive Yahoo data breach

September 24, 2016 Posted by Steven Weisman, Esq.

Today’s Scam of the day will be a bit longer than usual, but the added length is necessary to discuss the recent announcement of the massive data breach at Yahoo affecting as many as five hundred million people, making it the largest data breach in history.   Yesterday, Yahoo announced that it had been the victim of a data breach that began two years ago.  Yahoo has attributed the attack to what it called a “state-sponsored actor” and indicated that the compromised information included names, email addresses, telephone numbers, birth dates, encrypted passwords and security questions.  The good news is that no bank account, credit card or debit card information appears to have been involved in the data breach.  However, the information that was stolen is more than sufficient to be utilized for spear phishing emails specifically tailored for purposes of identity theft.

The first indication that there was a problem occurred in June, when word of stolen Yahoo data started to be discussed in online forums on the Dark Web where cybercriminals communicate as well as buy and sell stolen data. Later, in August, large batches of stolen Yahoo customers’ data began being sold on a black market website on the Dark Web called TheRealDeal. Now that the data breach has been confirmed, Yahoo is contacting affected customers. However, it is important to remember that scammers are also going to be contacting people through phishing emails, attempting either to lure them into clicking on links that will download keystroke logging malware that will steal information to be used for purposes of identity theft, or to trick them into providing personal information directly in response to the email. Official Yahoo emails will display the Yahoo icon and will not ask you to click on links, download attachments or provide personal information.

TIPS

As I have suggested many times in the past, you should have a unique password for each of your online accounts so that in the event of a data breach at one online company with which you do business, your accounts at your bank and other online accounts are not in jeopardy.  Although Yahoo has indicated that the passwords stolen were hashed, which is a form of encryption, there is still concern that these passwords could still be cracked.  Go to the June 7, 2016 Scam of the day for tips about how to pick strong passwords that are easy to remember.

This is also a good time to check your credit reports with each of the three major credit reporting agencies for indications that your identity may have been compromised. You can get your free credit reports by going to www.annualcreditreport.com   Beware of going to other sites that appear to offer free credit reports, but actually sign you up for costly services.  And while you are at it, you should consider putting a credit freeze on your credit reports at each of the three major credit reporting agencies so that even if an identity thief does manage to steal your personal information, he or she cannot access your credit report to open new accounts.  For more information about credit freezes and links on how to set them up go to the Scam of the day for June 27, 2016.

Whenever possible, use dual factor authentication for your accounts so that when you attempt to log in, a one-time code will be sent to your smartphone to insert in order to get access to your account. For convenience’ sake you can set up dual factor authentication so that it is only required if you are logging in from a different computer or device than you normally use.

Security questions are notoriously insecure.  Information such as your mother’s maiden name, which is the topic of a common security question can be readily obtained by identity thieves.  The simple way to make your security question strong is to use a nonsensical answer for the question, so make something like “firetruck” the answer to the security question as to your mother’s maiden name.

As always, don’t click on links or download attachments in any email or text message you get unless you have absolutely confirmed that it is legitimate.  Any email you may get purporting to be from Yahoo will not contain links or attachments and will not ask you to provide personal information.  For help directly from Yahoo on this matter go to https://help.yahoo.com/kb/helpcentral

Since you can never be sure if a company is going to be subjected to a data breach, try and limit the personal information you provide to all companies.  Don’t leave your credit card number on file for convenience sake and don’t provide your Social Security number unless you absolutely must do so.  Many companies ask for this information although they have no real need for it.

As for the companies themselves, they should be utilizing encryption to protect stored data as well as utilizing modern analytics programs that can detect unusual activity.

Scam of the day – September 23, 2016 – Latest security updates from the Department of Homeland Security

September 22, 2016 Posted by Steven Weisman, Esq.

Constant updating of the software we all use with the latest security patches and updates is a critical part of avoiding scams and identity theft threats.  Whenever new security updates and patches are issued, we provide access to these so that you can update your software to provide better security on your computers, smartphones, laptops and other electronic devices.  Updating your software with the latest security patches and updates as soon as possible is important because identity thieves and scammers are always finding and exploiting vulnerabilities in the software that we all use.  Delay in updating your software could lead to disastrous results.  However, it is also important to be sure that you are downloading legitimate patches and updates rather than being tricked by an identity thief or scammer into downloading malware under the guise of downloading a security patch or update.  These new updates from the Department of Homeland Security include critical new updates to Adobe Flash, Android, Google Chrome, Microsoft Edge and Windows 10.

TIPS

Here are the links to lists of all of the recent security updates as posted by the Department of Homeland Security: https://www.us-cert.gov/ncas/bulletins/SB16-263

Here also are new links to Apple updates: https://www.us-cert.gov/ncas/current-activity/2016/09/20/Apple-Releases-Security-Updates

and

Mozilla Firefox updates: https://www.us-cert.gov/ncas/current-activity/2016/09/20/Mozilla-Releases-Security-Updates

Scam of the day – September 22, 2016 – New Aol phishing scam

September 22, 2016 Posted by Steven Weisman, Esq.

Millions of people still use AOL.  One reason is that you get greater email privacy when compared to some other email carriers. Due to its popularity, scammers and identity thieves often send out phishing emails that appear to come from AOL, such as the one reproduced below.  The logo and format of this particular email that is presently circulating is quite poor.  Compare it to the excellent counterfeit phishing email I included in the Scam of the Day for May 31, 2014.  This one comes from an email address that has no relation to the company, AOL.  Further, it is not directed to the recipient specifically by name.  Like many similar scams, this one works by luring you into clicking on a link in the email in order to resolve a problem.  However, if you click on the link, one of two things will happen.  You either will be prompted to provide information that will be used to make you a victim of identity theft or by clicking on the link you will unwittingly download a keystroke logging malware program that will steal all of the information from your computer and use it to make you a victim of identity theft.   Here is how the email appears.  DO NOT CLICK ON THE LINK:

AOL HELP.
Your two incoming mails were placed on pending status due to the recent upgrade to our database,In order to receive the messages CLICK HERE to Login and wait for response from AOL Mail.We apologies for any inconveniences
Best Regards,
The AOL! Mail Team

TIPS

When AOL communicates with its customers about their accounts, it does so by AOL Certified Mail, which will appear as a blue envelope in your inbox and will have an official AOL Mail seal on the border of the email. This particular email had neither and only had an easy-to-counterfeit Aol logo. Whenever you get an email, you cannot be sure who really sent it. Never click on a link unless you are absolutely sure that it is legitimate. If you think the email might be legitimate, the best thing to do is to contact the real company that the email purports to be from at an address or phone number that you know is accurate in order to find out if the communication was legitimate or not. Remember, never click on links in emails unless you have confirmed that they are legitimate.
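
The warning signs named in the Chase and AOL posts above (a sender address unrelated to the company, no greeting by name, manufactured urgency) can be checked mechanically. The following is an added example, not part of the original posts; the brand-to-domain table, the sample headers and every address in the samples are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: brand keyword -> domains that brand sends from (illustrative only).
BRAND_DOMAINS = {"chase": ("chase.com",), "aol": ("aol.com",)}

# Urgency wording taken from the two sample emails reproduced on this page.
URGENCY = re.compile(r"suspicious activity|has been suspended|pending status", re.I)

# Constructed samples: bodies follow the posts, headers and addresses are made up.
CHASE_SAMPLE = """\
From: "Chase Bank" <j.doe@example.net>
Subject: Chase Bank detected suspicious activity

Your online account has been suspended (Reason: the violation of terms of service).
Update and Restore your online account Now
"""
AOL_SAMPLE = """\
From: "AOL HELP" <mailbox@example.org>
Subject: AOL HELP

Your two incoming mails were placed on pending status due to the recent upgrade.
Best Regards,
The AOL! Mail Team
"""
BENIGN_SAMPLE = """\
From: "Chase" <alerts@chase.com>
Subject: Your statement is ready

Dear Pat Example,
Your statement for the account ending in 0000 is ready.
"""


def phishing_indicators(raw_message, recipient_name):
    """Return the warning signs found in one single-part text message."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()
    subject = msg.get("Subject", "")
    body = msg.get_payload()
    text = " ".join((display, subject, body)).lower()

    found = []
    for brand, domains in BRAND_DOMAINS.items():
        if not re.search(r"\b%s\b" % re.escape(brand), text):
            continue  # message does not claim to come from this brand
        related = any(sender_domain == d or sender_domain.endswith("." + d)
                      for d in domains)
        if not related:
            found.append("sender domain %r unrelated to %s" % (sender_domain, brand))
    if recipient_name.lower() not in body.lower():
        found.append("not addressed to recipient by name")
    if URGENCY.search(subject + " " + body):
        found.append("urgency wording")
    return found


if __name__ == "__main__":
    for label, sample in (("chase", CHASE_SAMPLE), ("aol", AOL_SAMPLE),
                          ("benign", BENIGN_SAMPLE)):
        print(label, phishing_indicators(sample, "Pat Example"))
```

A clean result is not proof of legitimacy: the From header is chosen by the sender, so a matching domain still has to be confirmed through the independent contact the posts recommend.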