Scam of the day – June 17, 2016 – Scams springing up following the Orlando nightclub shootings

June 17, 2016 Posted by Steven Weisman, Esq.

Today’s Scam of the day, unfortunately, is very much a repeat of warnings I have had to make after tragedies such as the school shootings at the Sandy Hill Elementary School in Newtown, Connecticut. Today’s warning, of course, relates to the tragic shootings of innocent people at an Orlando nightclub this past week. Scammers and identity thieves will be preying upon both our best and worst instincts in response to this tragedy. People seeking videos and photographs of the event may find themselves clicking on links that purport to provide such material, but may only end up downloading keystroke logging malware that will steal all of the information from the computers of these curious people, who will find themselves becoming victims of identity theft.

Another group of scams stemming from the murders will be the pleas for charitable contributions for the victims and their families.  You should always be wary when anyone asks you for a charitable donation, but particularly when a charitable solicitation quickly follows an emotional event such as the killings in Orlando.  You will want to make sure that you are giving to legitimate charities that will use your contribution wisely rather than giving your money to a scammer or a “legitimate” charity that misuses your donations by paying its administrator inordinately large salaries.  It is important to know the difference between a legitimate charity and a phony one.

TIP

Whenever you are contacted by a charity whether by text, phone, email or otherwise, you can never be sure that the person contacting you legitimately represents the charity or that the charity itself is legitimate.  If you are charitably inclined, you should not respond directly to the person or entity soliciting you, but rather first, confirm that the charity itself is legitimate.  Many phony charities have similar names to legitimate charities. You should always check out the legitimacy of the charity first before considering making a contribution.  A good place to find out if a charity is legitimate or merely has a name that sounds legitimate is www.charitynavigator.org.  This website also will provide you with information as to how much of the charity’s collected donations actually are applied to its charitable works and how much goes to administrative fees and salaries.  As a general rule of thumb if a charity spends more than 25% of its donations on salaries and administrative costs, you may wish to contribute to another charity.

As for looking for videos and other “inside” information about the Orlando shootings, many of the sources for that “exclusive” information will be infected with malware that will attack your computer and lead to your becoming a victim of identity theft. So first and foremost, it is important to have good firewalls and security software installed and kept up to date on all of your electronic devices including your computers, smart phones, iPads and other portable devices that you use. Many people may think to protect their home computers, but fail to protect their portable devices even though they may use these devices as much and even more than their home computers. Second, you should not click on any link unless you are sure that it is legitimate. Even if the link is contained in what appears to be a text message or social media posting of a friend, you can’t be sure that your friend has not had his or her account hacked into by an identity thief in order to make you more trusting than you should be of the message being sent. Additionally, even if you receive a text, email or social media posting that actually is from a friend of yours, it may merely be passing on to you a tainted link that your friend does not realize they are helping to spread after receiving it themselves from a source that they should not have trusted. Frankly, the safest course of action is not to click on any links from anyone that try to appeal to your curiosity about major public events such as this, but rather to limit your search for information to legitimate news websites that you can be confident are not likely to contain tainted links or provide inaccurate information. As for those people who lust after disturbing videos and photographs that they think they will only be able to access from “special” sources, those special sources are usually phony, as are the videos and photographs that they provide; however, the malware that you get from them is very real and dangerous.

Scam of the day – June 16, 2016 – SEC closed down phony charity

June 15, 2016 Posted by Steven Weisman, Esq.

Following legal action brought by the Federal Trade Commission (FTC), phony charities American Handicapped, Inc and American Handicapped and Disadvantaged Workers, Inc. have been shut down. According to the FTC, these companies called consumers in an attempt to sell trash bags and cleaning products at hugely inflated prices while seeking charitable donations in return for a free gift. The telemarketers would tell their victims that these charities employed disabled people and that most of the money raised would be used to pay the salaries of these disabled people, which was a lie. The two companies sent unordered merchandise including light bulbs and trash bags along with inflated bills for the shipped items to their victims. The truth is that the companies only paid a fraction of what they collected to their few disabled employees and the free gift that customers received came with an inflated bill.

TIPS

Even if you are on the Do Not Call list, legitimate charities may call you soliciting donations; however, whenever you are called by any purported charity or business, you have no way of knowing when they call you whether or not they are legitimate. Therefore you should never buy items or make a donation to a charity in response to a telemarketing call until you have investigated the charity independently through websites such as charitynavigator.org to determine whether or not the charity is legitimate. In addition, if a business or a charity sends you any merchandise that you did not order, the law permits you to keep the merchandise as a gift without having to pay for it.

Scam of the day – June 15, 2016 – SEC fines Morgan Stanley a million dollars over a data breach

June 15, 2016 Posted by Steven Weisman, Esq.

For over a year, the Securities and Exchange Commission (SEC) has been actively enforcing the “Safeguards Rule” requiring investment advisers to implement policies and procedures to protect the privacy and security of the information of their clients. In 2015, R. T. Jones Capital Equities Management paid $75,000 to settle SEC charges related to the theft of customer information in a data breach. Now Morgan Stanley Smith Barney has just agreed to pay a million dollars to settle charges that it did not have proper policies and procedures in place to protect customer information, resulting in the hacking of 730,000 customer accounts and theft of information including names, phone numbers, addresses, account numbers, account balances and securities holdings.

TIPS

Regardless of how careful you are about protecting your personal information, you are only as safe and secure as the places that have your personal information with the weakest security. Therefore it is critical, whenever you do business with a company that will have sensitive personal information of yours, that you inquire as to the company’s commitment to security and what it does to protect your data. In this particular data breach, while the information itself should not directly result in identity theft, this type of information is often gathered by cybercriminals who use it to craft carefully worded and targeted spear phishing emails. These emails lure their victims into either trusting the email and providing personal information used by the cybercriminals for purposes of identity theft, or clicking on malware-infested links in the emails that will enable the cybercriminal to steal all of the information from your computer and use it to make you a victim of identity theft.

Scam of the day – June 14, 2016 – Hacking group attacks London Stock Exchange.

June 13, 2016 Posted by Steven Weisman, Esq.

In May 6th’s Scam of the day I told you about the international hacking collective Anonymous announcing on YouTube a month-long campaign they were launching against banks around the world. Anonymous calls this campaign Operation Icarus.   Previously Anonymous had managed to take down the website of the Bank of Greece for a short period of time.  The Bank of Greece indicated, however, that no personal information was accessed and no data was lost.  Now Anonymous managed to take down the website of the London Stock Exchange although again, it does not appear that any personal information was stolen.  The website was taken down through the use of a Distributed Denial of Service (DDoS) attack by which a website is flooded with communications often through a botnet of hacked computers that results in an overload of the website causing it to shut down.  Although this type of attack is inconvenient, it does not carry with it a significant threat to the workings of the targeted company, in this case, the London Stock Exchange, which continued trading and did not lose any sensitive information.

Here is a link to the video announcement of Anonymous of its campaign against the banks of the world.  https://www.youtube.com/watch?v=GpGWaa3uCNo

The world banking system is an increasing target of hackers and cybercriminals.   The recent cyber bank robbery of the Bangladesh Central Bank in which hackers succeeded in stealing approximately 81 million dollars is just the tip of the iceberg.  I reported to you in February of 2015 about the exploits of the Russian cybergang Carbanak that stole as much as a billion dollars from up to a hundred banks worldwide.  The full extent of the vulnerability of banks to cybercrime is still unknown because it is believed that many banks that have been victimized by cybercriminals don’t report the thefts to regulatory authorities due to vague standards mandating the reporting of such security breaches.

More recently, the FBI warned banks to be on the lookout for attacks by cybercriminals and to particularly be vigilant in regard to international transfer requests.

TIPS

The vulnerabilities in the interconnected world banking system as well as vulnerabilities in the security of individual banks have been and are being exposed by hackers such as those in Carbanak and those responsible for the hacking of the Central Bank of Bangladesh. Greater attention to cybersecurity by banks around the world is critical. In addition, regulators both in the United States and around the world need to establish new standards by which all banks must operate to safeguard their accounts. As for us, the depositors in these institutions, the best we can do is monitor our own accounts regularly for fraudulent activity and make sure that we are not the weakest link when it comes to protecting our username and password when doing online banking. We should also use dual factor authentication when doing online banking as an additional security measure.

Scam of the day – June 13, 2016 – The lesson of the hacking of Deray Mckesson’s smartphone

June 13, 2016 Posted by Steven Weisman, Esq.

It was just last week that Mark Zuckerberg’s Twitter account was taken over by hackers who managed to send out embarrassing tweets using his account.   In the Scam of the day for June 7, 2016 I described how Zuckerberg failed to use a unique password for his Twitter account so when his password, which he used in multiple accounts, became known due to a data breach at LinkedIn, hackers were able to use the password to take over his Twitter account.  Zuckerberg’s other mistake was failing to take advantage of the Twitter offered option to use dual factor authentication for added security.   With dual factor authentication, whenever you are going to access an online account, a special code is sent to your smartphone after you have typed in your user name and password.  Without this code, you cannot gain access to your account.  Thus, even if Zuckerberg’s password was known by the hackers, they would not have been able to access his Twitter account without the one-time code provided to his smartphone.

Civil rights activist Deray Mckesson also had his Twitter account hacked recently and the hackers sent out a number of phony tweets that appeared to come from Mckesson, including one indicating his support for Donald Trump’s presidential candidacy. However, what is particularly noteworthy in this hacking was that the hackers did not have Mckesson’s password and his Twitter account was protected through dual factor authentication. What the hackers did was call Verizon, Mckesson’s carrier, and trick customer service into changing his SIM card to one in a phone controlled by the hackers. A Subscriber Identity Module, more commonly known as a SIM card, is an integrated circuit that stores information, including your smartphone number, used to authenticate subscribers on mobile devices. The SIM card is able to be transferred between different devices, and often is, when people upgrade to a newer smartphone. In the case of Mckesson, using a scam about which I warned you three years ago, the hackers contacted Mckesson’s wireless carrier and, pretending to be Mckesson, convinced Verizon to switch the SIM card to a new smartphone controlled by the hackers, who were then able not only to change Mckesson’s password, but also to get the dual factor authentication one-time code sent to the phone that they controlled. The hacker was able to convince the Verizon customer service employee that he was Mckesson merely by providing the last four digits of Mckesson’s Social Security number, which in these days of massive data breaches is not that hard for a determined identity thief to obtain.

TIPS

Deray Mckesson did a better job of protecting the security of his Twitter account than Mark Zuckerberg did, but he did not do quite a good enough job to protect himself from having his account hijacked. Fortunately, there is an easy way to enhance your security and protect your SIM card from being switched, which would thwart the protections provided by dual factor authentication: set up a PIN or password to be used for access to your mobile service provider account. Sprint and Verizon use PINs while T-Mobile and AT&T will let you set up a password. It may seem like these are just more things to remember, but the protection they provide is worth it.

Scam of the day – June 12, 2016 – Zika virus vaccine company scams

June 12, 2016 Posted by Steven Weisman, Esq.

Everyone would like to be able to invest in a stock while the price is still low but can be expected to rise dramatically. This desire for the quick hit is exploited by scam artists in a scam called the “pump and dump.” In this scam, you may receive an email or a fax, often apparently intended for someone else, informing you of a company with a low cost stock that is about to have its price rise tremendously. Other times the stock may be talked up in Internet chat rooms. Most often these companies are small capitalization companies, often referred to as penny stock companies. These stocks are often thinly traded. Following the advice of someone they don’t know, the victim buys the stock and, sure enough, the stock value promptly rises, but then, without warning, the stock plummets in value and the victim is left with a poor investment. This scam is created by criminals who buy the stock themselves at a low value and then influence others to buy the stock regardless of the fact that the stock would not be expected to rise in value were it not for the fact that the scammers misrepresent the stock to their victims and lure them into buying it. Once the stock has shot up in value, the criminals, knowing that the emperor has no clothes, sell their stock, make a profit and leave the victims with worthless stock certificates.

According to the Securities and Exchange Commission (SEC), scammers are taking advantage of the public’s increased awareness of the Zika virus to promote companies they say have products or services that can fight the Zika virus.  Generally, these are scams and you should avoid buying stock in these companies.

TIP

Always consider the sources of any investment advice that you receive. How reliable is the source? What are their credentials? What do they stand to gain? Some particular red flags that the stock offer is a scam include unregistered investment advisers approaching you. You can find out if a particular investment adviser is registered by going to the SEC’s Investment Adviser Public Disclosure database. Here is a link to that database: https://www.investor.gov/

Also, be wary of promises of huge profits with little or no risk.  That is a common thread with many scams.

Finally, be skeptical when you receive a stock solicitation by way of an email, text message, phone call or any other communication that you have not initiated.  Also, be particularly skeptical if the promoter of the stock tells you that he has inside information because trading on inside information is a criminal violation and as Martha Stewart would tell you, that is not a good thing.

Scam of the day – June 11, 2016 – New government report: IRS data breach worse than originally reported

June 10, 2016 Posted by Steven Weisman, Esq.

Just a day after the IRS reopened its Get Transcript Online website, the Treasury Inspector General for Tax Administration (TIGTA) released a new study about the massive Get Transcript Online data breach that went from the beginning of 2014 to May 21, 2015 indicating it was far worse than the IRS had reported.  The Get Transcript Online program allowed taxpayers to get copies of their former income tax returns online.  TIGTA found that the IRS failed to identify 620,931 taxpayers whose information was potentially targeted by hackers.  TIGTA also found that 355,262 taxpayers actually were successfully hacked through the Get Transcript Online program although the IRS had initially acknowledged that “only” 220,000 taxpayers’ information was stolen.  The flaw in the program as operated in 2014 and 2015 was that too often the answers to personal questions required for verification purposes to gain access through the program to a taxpayer’s tax records were able to be obtained by identity thieves through data banks readily available to determined hackers.

TIPS

The IRS says that the program as now being operated has tougher requirements to enable access to a taxpayer’s account and records including a requirement of answering more personal questions including questions about credit card usage or loans taken out by the taxpayer.  In addition, the taxpayer requesting a copy of his or her records must have a valid email address and a smartphone enabled for text messages tied to the taxpayer’s name.  Whether these steps are indeed sufficient to stop hackers remains to be seen.

Scam of the day – June 10, 2016 – Massive identity theft ring through mail theft busted

June 10, 2016 Posted by Steven Weisman, Esq.

It was only four days ago that I wrote about a Texas identity theft criminal who stole checks from residential mailboxes. However, although everything is usually said to be bigger in Texas, federal indictments brought against thirteen people in Wichita, Kansas by the U.S. Attorney for Kansas exposed an identity theft ring that was based on stealing mail that enabled the criminals to steal more than 3.5 million dollars. Unlike the Texas residential mailbox thief, the defendants in Kansas are alleged to have stolen mail not just from residential mailboxes, but also from blue postal collection boxes as well as mail rooms in and around Wichita. The defendants are alleged to have altered checks to make them payable to themselves, as well as to have created counterfeit checks from the information on the stolen checks and then used the counterfeit checks to steal large sums of money. They also used personal information stolen from the mail to steal the identities of their victims and access their credit. According to prosecutors, this mail based crime spree has been going on since October of 2013.

TIPS

Again, the lesson to be learned here is that you are probably safer paying your bills online than by mail with a check.  Even if you put your mail into the blue postal collection boxes found on many street corners, you run the risk of those mailboxes being broken into and your checks stolen.  Certainly, putting your outgoing mail containing checks in your own mailbox is an even more risky way to pay your bills and puts you in serious danger of identity theft.  If you wish to mail your letters and bills containing checks, you should mail them directly from the Post Office.  This case also highlights that even if you don’t mail checks, but do mail letters or commercial communications containing personal information, that personal information can be used to make you a victim of identity theft so it is best to mail anything with personal information only inside the post office.

Scam of the day – June 9, 2016 – Dual factor authentication scam

June 9, 2016 Posted by Steven Weisman, Esq.

Scam artists never cease to amaze when it comes to the creativity and artistry they put into their scams. As I have written many times, scammers will often lure people into providing their user names and passwords using carefully crafted spear phishing emails or text messages. This was how the cybercriminal who broke into the Gmail and iCloud accounts of celebrities such as Jennifer Lawrence gained access to their accounts. One of the ways often advised to avoid this problem is to use dual factor authentication whenever you can. With dual factor authentication, whenever you are going to access an online account, a special code will be sent to your smartphone after you have typed in your user name and password. Without this code, you cannot gain access to your account. Dual factor authentication works well, but nothing is foolproof. Fools are powerful.

A fascinating way that scammers are now getting access to the accounts of people using dual factor authentication is by sending you a text message posing as the company with which you have an online account and telling you that your account may have been hacked and that if you want to close access to the account for security purposes, you will have to reply to the text message with the 6-digit verification code that you will be sent by the company momentarily. Of course, the text message is not from the company you do business with, but rather it is from a scammer who has just typed in your user name and password, but can’t get access to your account protected by dual factor authentication until he enters the code about to be sent to your smartphone to verify the legitimacy of the hacker’s attempt to access your account. If you fall for the scam and reply to the text by sending the code you receive from the company with which you use dual factor authentication, you will have turned over access to your account to a scammer.

TIPS

Whenever you use dual factor authentication, you will only be sent the code to verify an attempt to log into your account so if you have not attempted to log into your account and you receive a verification code through a text message to your smartphone, it is because a scammer who already has your user name and password is attempting to access your account.  Never provide that code to anyone.  It should only be used by you to input into your smartphone or computer when you log into a dual factor authentication protected account.  Never provide sensitive information, such as your Social Security number, credit card numbers or dual factor authentication codes in response to an email or text message because you can never be sure who is actually communicating with you.

Scam of the day – June 8, 2016 – 2016 Rio Olympic lottery scam

June 8, 2016 Posted by Steven Weisman, Esq.

Scammers are constantly capitalizing on popular events and the upcoming 2016 Summer Olympics in Brazil is no exception.  People are receiving letters informing them that they have won an international lottery being used to promote the Rio Olympics.  When you call the telephone number provided in the notice to claim your prize, you are told that all you need to do is pay some required fees before receiving your prize.  Of course, the lottery is a scam and the fees the victims of this scam pay are lost forever and their “winnings” never appear.

TIPS

As I have often told you, it is difficult to win any lottery you enter.  It is impossible to win one that you have not even entered.  You should always be skeptical about being told that you have won a lottery you never entered.    It is also important to remember that it is illegal to play foreign lotteries unless you are present in the other country.  While it is true that income taxes are owed on lottery winnings, legal lotteries never collect tax money from winners.  They either deduct the taxes from the winnings or leave it up to the winners to pay their taxes directly to the IRS.  You also should never pay a fee to collect a legal lottery prize.