Scam of the day – November 19, 2014 – The twelve scams of Christmas

November 18, 2014 Posted by Steven Weisman, Esq.

It seems that the holiday season starts earlier and earlier each year, so it certainly is not too early to warn you about some of the many scams that will be threatening your holidays if you are not careful.  As it says in “Santa Claus is Coming to Town,” you better watch out.  My list of twelve scams of Christmas isn’t meant to be sung, but it is meant to provide an early warning of the fact that although every season is scam season, the holiday season is a particularly dangerous time of year for scams.  Here is my list of twelve scams of Christmas.  Over the next month I will be explaining them in detail here on Scamicide.

1.  Major data breach at retailers.

2.  Phony online shopping websites purporting to sell the latest toys and gadgets.

3.  Gift card scams.

4.  Delivery service scams.

5.  E greeting card scams.

6.  Phony charities.

7.  Puppy scams in which you are sold non-existent dogs.

8.  Phishing emails that appear to come from major retailers.

9.  Phony holiday vacation deals.

10. Phony holiday apps for your smartphone.

11. Phony holiday contests and lotteries.

12. Grandparent scam – holiday style.

TIPS

Although I will be explaining these scams in detail over the next month, here are a few major tips to keep in mind.

When shopping in a retail store, if you have Apple Pay, use it.  It may not be perfect, but it is a great improvement over the magnetic stripe credit cards still used by almost all American retailers.  You also might want to consider getting a smart chip card from your credit card provider and using it at stores such as WalMart that are switching to these safer credit cards well ahead of the October 2015 deadline to change over to the new cards.  Also remember not to use your debit card while retail shopping.  The consumer protection laws relating to debit card use are not as strong as those relating to fraudulent use of credit cards.  It is important to remember that there will be major data breaches at retail stores where we all shop, and the hacked companies won’t be quick to discover that they have been hacked, so carefully monitor your credit card’s usage online more often than through your monthly statement so that you learn as quickly as possible if you have been victimized in a data breach.  Also, when shopping at a brick and mortar retail store, keep an eye on your credit card as it is processed by the sales clerk.  There will be more than a few seasonal, rogue employees who will have small electronic devices called skimmers.  The sales clerk runs your card through the skimmer to steal your credit card information before running the card through the store’s legitimate credit card processing equipment.

Here is a link to a column I wrote for USA Today that describes these holiday scams.  Within the column is another link to an additional column on the same subject.

http://www.usatoday.com/story/money/personalfinance/2014/11/22/holiday-scams-identity-theft/19340731/

Scam of the day – November 18, 2014 – Bitcoin Ponzi scheme

November 18, 2014 Posted by Steven Weisman, Esq.

Bitcoins are the increasingly popular digital currency that is privately issued and not supported by any government in the world.  It is, however, used by many people throughout the world.  Recently, Trendon Shavers was arrested in Texas and charged with securities and wire fraud in relation to his offer of 7% weekly interest on bitcoins deposited with his Bitcoin Savings and Trust Company.  This promise of an annual percentage interest of 3,641% managed to lure investors to turn over to him 740,000 bitcoins valued at 4.5 million dollars.  Shavers advertised his scheme on the internet bulletin board “Bitcoin Forum” and other online discussion groups.  He claimed to be using a market-arbitrage strategy that included lending and trading bitcoins on online exchanges.  His complex and non-understandable strategy mirrors that of the original Ponzi schemer, Charles Ponzi, who used a similar scheme involving international stamps.  As with Ponzi, Shavers appeared to be legitimate by paying profits to early investors.  However, as with Ponzi himself, there were no profits, and the early investors were paid with the funds being contributed by newer investors to make the phony investment scheme appear legitimate.  Shavers, like Ponzi, was extremely persuasive and, according to prosecutors, at the height of his scam he personally controlled 7% of the world’s bitcoins.

TIPS

Due to the fact that bitcoins are totally unregulated by any government, they are a questionable investment.  Add to that their digital character and susceptibility to hackers and fraud, and you have a dangerous investment at best.  Shavers is just the latest in a long line of Ponzi schemers who make promises that are too good to be true, backed up by an incomprehensible formula for investment success.  You should always remember the prime rule of investing, which is to never invest in anything or any investment strategy that you do not totally understand.

Scam of the day – November 16, 2014 – Latest software security patches

November 16, 2014 Posted by Steven Weisman, Esq.

Constant updating of the software we all use with the latest security patches and updates is a critical part of avoiding scams and identity theft threats.  Whenever new security updates and patches are issued, we provide access to these so that you can update your software to provide better security on your computers, smartphones, laptops and other electronic devices.  Updating your software with the latest security patches and updates as soon as possible is important because identity thieves and scammers are always finding and exploiting vulnerabilities in the software that we all use.  Delay in updating your software could lead to disastrous results.  However, it is also important to be sure that you are downloading legitimate patches and updates rather than being tricked by an identity thief or scammer into downloading malware under the guise of downloading a security patch or update.  That is why we provide links to the necessary patches and updates as provided by the Department of Homeland Security and the companies directly.  Today’s updates include many important updates and security patches to prevent serious problems, including important security updates for Google Chrome, Adobe and Microsoft.  The Adobe flaw is particularly troublesome in that it can be exploited by hackers to take over your entire computer.

TIPS

Here are the links to the latest Department of Homeland Security software updates and security patches:

https://www.us-cert.gov/ncas/current-activity/2014/11/11/Google-Releases-Security-Update-Chrome

https://www.us-cert.gov/ncas/current-activity/2014/11/11/Adobe-Releases-Security-Updates-Flash-Player

https://www.us-cert.gov/ncas/bulletins/SB14-314

 

Scam of the day – November 15, 2014 – Indiana Department of Education hacked twice

November 15, 2014 Posted by Steven Weisman, Esq.

Within the space of a single week, the Indiana Department of Education was recently hacked twice, although a spokesman for the Department has indicated that the vulnerability that enabled the attacks has been patched.  The Department said that no personal information of Indiana students was compromised in the attacks, saying that this information was kept on different servers than the one that operated the Department’s website.  Both attacks were claimed to be the work of a group calling itself the Nigeria Cyber Army, which boasted of the hacking on the Department’s website.  What makes this particular hacking noteworthy is that the vulnerability exploited in order to achieve the hacking was a flaw in Drupal content management software used by a billion websites around the world.  I told you about the Drupal security flaw in my Scam of the day for November 3rd.  Drupal warned its customers in late October of the flaw and urged its users to download the necessary security patch.  It was estimated by Drupal that around twelve million websites failed to install the security patch in a timely fashion.  It appears that the Indiana Department of Homeland Security was one of them.

TIPS

So what does this mean to you and me?

First of all it is a reminder that our personal information is only as secure as the places holding our personal information with the worst security.  The second thing to remember is that when security flaws are discovered and security patches issued, companies and individuals should download and install the necessary security patches as soon as possible.  It is for this reason that I regularly provide you with the latest security patches as issued by the Department of Homeland Security.  Scammers and identity thieves count on companies, governments and individuals not promptly updating their software and take advantage of this delay to the detriment of all of us.

Scam of the day – November 14, 2014 – Watch out for a “Masque Attack”

November 14, 2014 Posted by Steven Weisman, Esq.

FireEye, a cybersecurity firm, announced this week that it had identified a serious flaw in Apple’s iPhone operating system that makes most iPhones and iPads extremely vulnerable to being hacked and data being stolen.  The vulnerability is being called “Masque Attack.”  It was first discovered by FireEye in July, but was first made public by FireEye this week when the first attempts by hackers to exploit the vulnerability were discovered.  Hackers attempted to exploit the vulnerability through the use of malware dubbed “WireLurker.”  Presently, Apple’s iPhone operating system permits a malicious app that uses the same bundle identifier as that of a legitimate app to replace the legitimate app on the victim’s iPhone or iPad while retaining the data from the replaced legitimate app.  Thus the hacker can make it appear that the victim’s bank app, for example, is still installed, when in fact it has been replaced by this malicious app, and can steal account information, passwords and other sensitive data, which can easily lead to identity theft.  A Masque Attack occurs when the victim downloads a tainted app that may appear to be that of a popular game or some other apparently innocuous app.  Once it is installed, the victim does not know that he or she has replaced legitimate apps on the phone or tablet with the malicious app.

TIPS

Users of iPhones and iPads can protect themselves by taking simple precautions.  First, do not install apps from any source other than Apple’s official App Store.  This is always good advice because you can never be sure of the security of apps that come from sources other than the official app stores.  When opening any app, if the iPhone or iPad operating system indicates “Untrusted App Developer,” click on “Don’t Trust” and immediately uninstall the app.
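
For readers who manage a number of iPhones and iPads, the replacement described above leaves a trace: the bundle identifier stays the same while the party that signed the app changes.  The following Python is an added example, not part of the original post and not FireEye’s or Apple’s code; it compares two app inventories and flags that pattern.  The record fields (`signer`, `source`) and all sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AppRecord:
    bundle_id: str   # identifier the OS uses to decide "same app"
    name: str        # display name shown to the user
    signer: str      # signing team reported by the inventory tool (assumed field)
    source: str      # "app_store" or "other" (assumed field)


def find_masque_candidates(baseline, current):
    """Compare two app inventories and flag suspicious replacements.

    A Masque-style replacement keeps the bundle identifier (so the app's
    data is retained) but the signer or the install source changes.
    """
    known = {app.bundle_id: app for app in baseline}
    findings = []
    for app in current:
        old = known.get(app.bundle_id)
        if old is None:
            # Brand-new app: only worth a look if it bypassed the App Store.
            if app.source != "app_store":
                findings.append((app.bundle_id, "new app installed outside the App Store"))
            continue
        if app.signer != old.signer:
            findings.append((app.bundle_id, f"signer changed from {old.signer} to {app.signer}"))
        elif app.source != old.source:
            findings.append((app.bundle_id, f"install source changed from {old.source} to {app.source}"))
    return findings


# Constructed sample data: identifiers and team names are made up.
BASELINE = [
    AppRecord("com.example.bank", "Example Bank", "TEAM_BANK", "app_store"),
    AppRecord("com.example.mail", "Example Mail", "TEAM_MAIL", "app_store"),
]
CURRENT = [
    # Same bundle identifier and name, but a different signer and source.
    AppRecord("com.example.bank", "Example Bank", "TEAM_UNKNOWN", "other"),
    AppRecord("com.example.mail", "Example Mail", "TEAM_MAIL", "app_store"),
    AppRecord("com.example.game", "Fun Game", "TEAM_UNKNOWN", "other"),
]

if __name__ == "__main__":
    for bundle_id, reason in find_masque_candidates(BASELINE, CURRENT):
        print(f"{bundle_id}: {reason}")
```

The display name is deliberately ignored in the comparison, because a replacement app can copy it; only the signer and install source distinguish the two.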

Scam of the day – November 13, 2014 – Walmart mystery shopper scam

November 13, 2014 Posted by Steven Weisman, Esq.

In a new incarnation of an old scam, people are opening mail to find a check that appears to be from Walmart.  In one recent instance, the check was for $1,991.62.  In other instances, the amounts have been as high as $5,000.  The letter accompanying the check requests the person receiving the check to become a mystery shopper for Walmart and instructs the person to deposit the check, shop at Walmart, keep the goods they are requested to shop for and wire the balance of the check back to Walmart.

The mystery shopper scam is a tried and true scam that scammers still use to steal their victims’ money because the scam still works.  The scam begins when you are contacted by mail or email purportedly by a company asking you if you want a job as a mystery shopper who will be paid to shop at their store and then report on the shopping experience to assist in market research and improving customer relations.  The pitch sounds legitimate and often the emails and letters appear to be legitimate, although it is easy to counterfeit a company’s logo and stationery.  You are asked to deposit the check into your checking account and use the money to make purchases that you are allowed to keep.  You are then instructed to send the remaining funds back to the company.  Some victims, thinking that they were being exceedingly careful, deposited the check and waited a few days for the check to clear.  They then wired the funds, as requested, back to the company, only to learn a few days later that the certified check sent to them was a counterfeit and their bank had only given them provisional credit for the check in their account.  Once the check is found to be a fake, the provisional credit is removed from the victim’s account and the victim has lost the money that he or she wired to the scammer.

TIP

One reason why this scam works so well is that there really are mystery shopping jobs, although the actual number is quite few and they do not go looking for you.  If you want to find out if a mystery shopping company is legitimate, you can contact the Mystery Shopping Providers Association, which is a trade organization of legitimate mystery shopping companies.  Their website is www.mysteryshop.org.  Another indication that you are involved with a scam is when you receive a check for more than what is owed you and you are asked to wire the difference back to the sender.  This is the basis of many scams.  Whenever you receive a check, wait for your bank to tell you that the check has fully cleared before you consider the funds as actually being in your account.  Don’t rely on provisional credit and never accept a check for more than what is owed with the intention to send back the rest.  That is always a scam.  Also be wary whenever you are asked to wire funds, because this is a common theme in many scams: a wire transfer is difficult to trace and impossible to stop.  The particular Walmart mystery shopper scam presently circulating also has another telltale flaw.  The counterfeit check is from Wachovia Bank, which was taken over by Wells Fargo six years ago and does not issue checks any longer under the name of Wachovia Bank.

Scam of the day – November 12, 2014 – Post office hacked

November 12, 2014 Posted by Steven Weisman, Esq.

Earlier this week the United States Postal Service announced that it had been hacked, most likely by Chinese hackers, who stole personal information including names, birth dates, Social Security numbers, home addresses and other personal information on as many as 800,000 employees of the Postal Service.  Although generally this is the type of hacking that would lead to massive instances of identity theft, the Chinese, who usually limit their state sponsored hacking to corporate espionage of trade secrets of companies with which they compete, may have been looking for just additional data on Americans.  Earlier this year, the Chinese hacked into the records of the federal Office of Personnel Management which conducts security clearance checks and this hacking was thought to be more closely related to counterintelligence or even recruitment purposes.  However, in the Postal Service hacking it is purely speculative as to why the Chinese government did this hack.

TIP

Once again, we see that the federal government, just like private industry, is not doing enough to secure its data.  Just as in the breaches of Home Depot and Target, the data breach was accomplished by the planting of sophisticated malware by way of phishing emails to federal employees who were lured into clicking on links in the tainted emails.  A recent federal study showed that 20% of hacking of federal computers was started through federal employees clicking on links in phishing emails against federal policy.

So what does this mean to you and me?  This is just another reminder that both government and the private sector have got to do a better job of protecting the data they store.  It also reminds us that we must remain eternally vigilant to identity theft threats and continue to monitor our financial accounts and credit reports regularly.

Below you can find a television interview I did yesterday about this on NewsMax TV.

 

 

 

Scam of the day – November 11, 2014 – New study on effectiveness of phishing

November 11, 2014 Posted by Steven Weisman, Esq.

Phishing, as you probably know, is the term for the tactic used by scammers and identity thieves who pose as a legitimate company, government agency or some other person or entity you trust and lure you into providing personal information that can be used to make either you or someone you know a victim of identity theft.  Recently, Google and the University of California, San Diego completed a study that showed just how effective phishing is.  A common phishing technique is to send an email to someone with a link directing them to a phony, but legitimate appearing website.  Other times, the phony email itself contains a request for personal information.  Startlingly, the study showed that at the most effective of these phishing websites up to 45% of people targeted provided the information requested.  Sometimes, the scammers are merely looking to take over your email account so that they can send targeted emails to people on your email list that appear to come from you and may be directed to your friends by name.  This type of phishing is called spear phishing.  Phishing is a tremendously effective scam technique and was at the core of the hacking of Target, Home Depot and many other companies and people.

TIPS

Never click on links or download attachments unless you are absolutely sure that they are legitimate.  Even if they appear to be in an email or text message from a friend, you cannot trust the communication because your friend’s account may have been hijacked by an identity thief or scammer.  Never provide personal information on websites unless you have confirmed that it is legitimate.

If your email account is compromised here are the steps to take:

1. Change your password on your email account. If you use the same password for other accounts, you should change those as well.
2. Change your security question. I often suggest that people use a nonsensical security question because the information could not be guessed or gathered online. For instance, you may want the question to be “What is your favorite color?” with the answer being “seven.”
3. Report the hacking to your email provider.
4. Contact people on your email list and let them know you have been hacked and not to click on links in emails that may appear to come from you. You have already done this.
5. Scan your computer thoroughly with an up to date anti-virus and anti-malware program. This is important because the hacker may have tried to install a keystroke logging malware program that can steal all of the information from your computer.
6. Review the settings on your email. In particular, make sure that your email is not being forwarded somewhere.
7. Get a free copy of your credit report. You can get your free credit reports from www.annualcreditreport.com. Some other sites promise free credit reports, but sign you up for other services that you probably don’t want or need.
8. Consider putting a credit freeze on your credit report. You can find information about credit freezes here on Scamicide.

Scam of the day – November 10, 2014 – SIPC investor warning

November 10, 2014 Posted by Steven Weisman, Esq.

The Securities Investor Protection Corp. is a nonprofit corporation formed by Congress to assist investors who have lost money through investment fraud in getting back money they have lost to swindlers and other investment criminals.  They work with court appointed trustees to identify and distribute funds from criminals such as Bernie Madoff.  SIPC is funded entirely by the legitimate brokerage industry and it does not charge the victimized investors for their services.  Recently, the SIPC identified what it believes are two phony websites that appear to claim that they are doing the same work that SIPC does, but that either do so for a fee or are merely phishing websites intended to lure victimized investors into providing personal information about themselves and their accounts, which is then used to make the victim a further victim of identity theft.  The two websites named by SIPC are associated with Alliant Trust Systems and Investment Assurance Corp.  Each of these websites indicates that Stephen Harbeck is the president of its respective company.  Harbeck is, in fact, the president of SIPC, but has no relation whatsoever with either Alliant Trust Systems or Investment Assurance Corp.

TIPS

As always, before providing personal information or payments for any services, you should make sure that you are indeed dealing with a legitimate entity.  A common trick of scammers is to use names of companies and agencies that sound legitimate or are even the slightest variations of the names of legitimate companies and government agencies.  Always confirm that the company or agency with which you are dealing is, in fact, legitimate before ever providing personal information or money.