Scam of the day – November 26, 2016 – Naval records at Hewlett Packard hacked

November 25, 2016 Posted by Steven Weisman, Esq.

In an all too familiar story, it has just been disclosed that personal information including names and Social Security numbers of 134,386 present and former Navy employees was compromised in a hacking of a laptop of a Hewlett Packard employee.  Hewlett Packard had this information through a contract on which it was working for the U.S. Navy.  Further details of the hacking have not been released, but the fact that such a hacking occurred leads to concerns that the pattern established years ago in the hacking of NASA laptops, in which the laptops were not password protected and the data contained therein was unencrypted, is repeating itself.

TIPS

The continuing negligence of many companies and government agencies in not properly protecting sensitive personal data that can readily be used for purposes of identity theft is disappointing and startling.  There are many simple security steps that are easily taken, such as password protecting laptops and other electronic devices, encrypting sensitive data, and using and updating security software, that should be done by all companies and government agencies without exception.

The lesson, however, is one that we should also practice in our own lives.  We as individuals are regularly targeted by identity thieves, so all of us should protect each of our electronic devices with a unique password, encrypt sensitive data and store it in the cloud or on a portable hard drive, use dual factor authentication whenever possible, install and update security software on all of our electronic devices and not click on links in emails or text messages unless we have absolutely confirmed that they are legitimate.  These are just a few of the simple protocols we should all follow to decrease the chances of our becoming victims of identity theft.

Scam of the day – November 25, 2016 – Holiday scams

November 25, 2016 Posted by Steven Weisman, Esq.

Today is Black Friday, one of the biggest shopping days of the year and the kickoff to the 2016 holiday shopping season.  There are many scams that attempt to take advantage of the holiday season.  They include malware contaminated e-cards, phony charitable solicitations and, of course, a myriad of shopping related scams.  Over the next few weeks, I will be warning you about these scams and telling you what you can do to protect yourselves.

TIPS

For those people shopping in the malls and stores around the country today, remember to use your credit card instead of your debit card.  While federal law limits the amount for which you are liable when fraudulent charges are made using your credit card to no more than $50, with a debit card, if you do not recognize that your account has been compromised right away, the identity thief could potentially empty the entire bank account tied to your debit card.  In addition, even if you do notice the fraudulent use immediately, your account will be frozen while the bank does its investigation into the matter, thereby limiting your access to your funds.

Also, if you are using your credit card in a store that is not equipped to take the EMV chip credit card, be on the lookout for skimmers, which are small devices that a criminal uses to steal your credit card information by swiping the card through a portable skimmer before running it through the store’s credit card processing equipment.  In addition, some skimmers are surreptitiously installed on the credit card equipment of the stores and other times, the store’s processing equipment has been hacked to steal this information as your card is being processed. Keep an eye on your credit card every minute that the clerk has it in his or her possession to make sure that he or she only swipes it through the store’s credit card processor and doesn’t do that extra swipe through a skimmer.  Also, check your credit card account balance periodically online to detect if there have been any security breaches.  Don’t wait for your monthly statement.

Scam of the day – November 24, 2016 – Disturbing data breach at HUD

November 23, 2016 Posted by Steven Weisman, Esq.

Earlier this week, the Department of Housing and Urban Development (HUD) disclosed that it had suffered two data breaches occurring on August 29th and September 14 in which personal information including Social Security numbers of approximately 480,000 people was made publicly available on the HUD website.  No hacking by individuals or nation states was involved.  The data breach was caused by the negligence of HUD employees who inadvertently posted the information.  The information has been taken down and, at the moment, there is no evidence that the information has been used for purposes of identity theft.  HUD is investigating the data breach to determine the exact extent of the problem, how it occurred and what to do to prevent such data breaches in the future.

Letters are being sent by HUD to affected individuals and HUD is offering a year of free credit monitoring.

TIPS

Identity thieves will be sending letters appearing to come from HUD about this data breach asking for personal information.  You should not provide such information to anyone who calls you, emails you, text messages you or contacts you by mail.   Here is a link to the official HUD website with contact information if you have questions as to your rights in this matter.  http://portal.hud.gov/hudportal/HUD?src=/contact

This incident again highlights that you are only as secure as the places that have your personal information with the weakest security.  Therefore, you should limit, as much as possible, the amount of personal information you provide to any company, institution or government agency.  Unfortunately, in many instances, such as with HUD, there will be times you need to provide your Social Security number and other personal information.  Therefore it is important to protect yourself from identity theft as best you can.  The best thing you can do to protect yourself is to put a credit freeze on your credit report so that even if someone obtains your Social Security number, they will be unable to establish credit in your name.  You can learn how to put a credit freeze on your credit reports by going to the Search the Website section of Scamicide at the top of this page in the right hand corner and typing in “credit freeze.”

Scam of the day – November 23, 2016 – Increased threat to ATMs

November 23, 2016 Posted by Steven Weisman, Esq.

For years I have been warning you about the dangers of skimmers, which are small devices installed at ATMs, gas pumps and other card readers that are used to steal the information from your credit card or debit card to gain access to your credit or your bank account respectively.  However, recently a new threat is emerging around the world that poses a greater threat to ATM security.  Cybercriminals including the Russian cybergang known as Buhtrap are using newly developed malware to target not just individual accounts, but the internal networks of banks and ATMs in order to program the ATMs to spit out huge amounts of cash at a specific time.  This technique has been used in Taiwan and Thailand earlier this year to deliver cash to the criminals who go to the infected ATMs at a specific time when the ATM’s programming has been altered to spit out cash to the awaiting criminals.  The threat to banks around the world is quite real and has been the subject of multiple FBI warnings to financial institutions in the United States since the summer.

TIPS

In the recent attacks against banks in Taiwan and Thailand, the malware infecting the banks’ internal networks and ATM systems was installed when bank employees clicked on links in phishing emails that appeared to come from other banks or ATM vendors and unwittingly downloaded the malware, enabling the cybercriminals to take over the banks’ internal systems and ATM systems.  The danger of phishing cannot be overestimated.  According to Jeh Johnson, the Secretary of the Department of Homeland Security, “the most devastating attacks by the most sophisticated attackers almost always begin with the simple act of spear-phishing.”

This is a lesson to us all.  Whether at work or at home, the danger of phishing emails is tremendous, but it is easy to avoid.  Install anti-phishing security software on all of your electronic devices.  However, you cannot depend on this software to keep you totally safe, so the best rule to follow is to never click on any link or download any attachment in an email or text message unless you have absolutely confirmed that it is legitimate.

Scam of the day – November 22, 2016 – Latest security updates from the Department of Homeland Security

November 21, 2016 Posted by Steven Weisman, Esq.

Constant updating of the software we all use with the latest security patches and updates is a critical part of avoiding scams and identity theft threats.  Whenever new security updates and patches are issued, we provide access to these so that you can update your software to provide better security on your computers, smartphones, laptops and other electronic devices.  Updating your software with the latest security patches and updates as soon as possible is important because identity thieves and scammers are always finding and exploiting vulnerabilities in the software that we all use.  Delay in updating your software could lead to disastrous results.  However, it is also important to be sure that you are downloading legitimate patches and updates rather than being tricked by an identity thief or scammer into downloading malware under the guise of downloading a security patch or update.  These new updates from the Department of Homeland Security include updates for Windows 10, Microsoft Edge, Norton, Symantec and Mozilla Firefox as well as what seems like a monthly security update to patch newly discovered vulnerabilities in Adobe Flash.

TIPS

Here are the links to lists of all of the recent security updates as posted by the Department of Homeland Security:

https://www.us-cert.gov/ncas/bulletins/SB16-319

https://www.us-cert.gov/ncas/bulletins/SB16-326

https://www.us-cert.gov/ncas/current-activity/2016/11/18/Symantec-Releases-Security-Updates

https://www.us-cert.gov/ncas/current-activity/2016/11/15/Mozilla-Releases-Security-Updates

Scam of the day – November 21, 2016 – New IRS scam targets tax professionals

November 21, 2016 Posted by Steven Weisman, Esq.

While many of the rest of us are still receiving phone calls from scammers posing as the IRS in order to fool us into sending them money, CPAs and other tax professionals are being targeted by sophisticated identity thieves through emails that appear to come from the IRS with the subject line “Security Awareness for Tax Professionals.”  The email has a counterfeit IRS logo in the message and tells the intended victim that the IRS is updating its authentication procedures and requires the person receiving the email to log in to update their username and password.  Of course, anyone providing this information would have turned this data over to a scammer who will then use it to access sensitive information in that person’s e-services account with the IRS.

TIPS

Tax professionals receiving this email should already be protecting their security through strong passwords, dual factor authentication when possible, regularly updated security software and encryption programs for email.  Data should also be stored in the cloud or a portable hard drive.  If someone receiving this email has concerns that it might be legitimate due to the fact that the IRS is constantly trying to update its security, he or she should still not click on any links in the email or provide any information in response to the email, but rather contact the IRS directly at an email address or telephone number he or she knows is legitimate.

Scam of the day – November 20, 2016 – Sex or cybersecurity? That is the question.

November 20, 2016 Posted by Steven Weisman, Esq.

Although the question of whether you would give up sex for a year in return for total cybersecurity seems like an odd question, it is one that was posed to 2,000 adults in a poll taken by the Harris pollsters.  The response to the question might be startling to many people.  According to the poll, 39% of Americans are so fearful of their cybersecurity that they would willingly give up sex for an entire year in return for a lifetime of cybersecurity.

Unfortunately, you can never totally control your own cybersecurity because often people become victims of identity theft and other cybercrimes due to the neglect and failure of companies and government agencies to properly secure our personal information.  However, the good news is that there are a number of relatively simple steps you can take to dramatically increase your personal cybersecurity and you don’t have to give up sex for a year in order to implement these steps.

TIPS

Here are a few of the more important steps you can take.  You can find even more things you can do to protect your cybersecurity in my book “Identity Theft Alert,” which you can order from Amazon by merely clicking on the icon on the right hand side of this page.

  1. Use strong unique passwords for each of your online accounts so that even if there is a data breach at one account, all of your accounts will not be in jeopardy.  A strong password contains capital letters, small letters and symbols.  A password base made up of a phrase such as “IDon’tLike Passwords!!!” is strong and can be personally adapted for each of your accounts by merely adding a few letters at the end to distinguish the particular account, such as adding “Ama” to the base password to become your Amazon password.
  2. Install security software on your computer, smartphone and all of your electronic devices.
  3. Use dual factor authentication whenever possible.
  4. Don’t click on links or download attachments without confirming that the links or attachments are legitimate.  They may contain malware.
  5. Trust me, you can’t trust anyone.  Don’t provide personal information to anyone who contacts you by email, phone or text message unless you have confirmed both the legitimacy of the communication and the need for the information.
  6. Limit, as much as possible, the places that have your personal information.  Your doctor doesn’t need your Social Security number.
  7. Put a credit freeze on your reports at each of the three major credit reporting agencies.
  8. Only download apps from legitimate app stores and check the reviews and the privacy rules regarding the app before downloading them.
  9. Protect your smartphone with a password.
  10. Store important data on a portable hard drive to reduce the danger of ransomware.
  11. Avoid public WIFI for anything requiring personal information.  Use a Virtual Private Network (VPN).
  12. Monitor all of your accounts online regularly.

Scam of the day – November 19, 2016 – FTC refunding funds to victims of debt collection scam

November 19, 2016 Posted by Steven Weisman, Esq.

The Federal Trade Commission (FTC) has settled its complaint against Centro Natural Corp. and Sumor LLC, which used international telemarketers to call Spanish speaking Americans, threatening them with arrest if they did not pay non-existent debts.  Under the terms of the settlement, the two companies are banned from further debt collection and telemarketing activities.  The FTC is refunding funds to the victims of the scam.  Victims should get their checks shortly and must deposit their checks within 60 days.

TIPS

If you were a victim of this scam and receive a check from the FTC, you must cash the check within sixty days of the date of the mailing.  You do not need to provide any personal information or pay any fee in order to be eligible for this refund.  Anyone asking for such information or asking for such a fee is just another scammer.  If you have questions about this case you can contact the FTC’s refund administrator at 1-844-499-3585.

Subject to strict federal laws, legitimate debt collectors are permitted to call debtors.  However, the law prohibits them from threatening imprisonment for the failure to pay a debt.  It can be difficult to know whether someone who calls attempting to collect a debt is legitimate or not, so the best course of action if you receive such a call is to not discuss the debt with the person calling, but instead demand that they send you a written “validation notice” by regular mail which describes the debt they allege you owe and includes a listing of your rights under the Federal Fair Debt Collection Practices Act.  Never give personal information over the phone to anyone who calls you attempting to collect a debt.  You can never be sure who they are.  If you receive the validation notice and it appears to be legitimate, you may be better off contacting your creditor directly because the person who called you may not be representing the creditor, but may merely have information about the debt.

Scam of the day – November 18, 2016 – Yet another Chase phishing scam

November 18, 2016 Posted by Steven Weisman, Esq.

Phishing emails, by which scammers and identity thieves attempt to lure you into either clicking on links contained within the email that download malware or providing personal information that will be used to make you a victim of identity theft, are nothing new.  They are a staple of identity thieves and scammers, and with good reason, because they work.  Reproduced below is a copy of a new phishing email presently circulating that appears to come from Chase Bank.  I have taken out the name of the addressee, but it was directed to the email address of the person receiving the email.  I also have removed the link that the person is directed to click on to receive an important security message.  Chase is a popular target for this type of phishing email because it is one of the largest banks in the United States.  Like so many phishing emails, this one attempts to lure you into responding by making you think there is an emergency to which you must respond.  As phishing emails go, this one is pretty good.  It looks legitimate.  However, the email address from which it was sent is that of an individual totally unrelated to Chase and is most likely the address of an email account of someone whose email account was hacked and made a part of a botnet of computers used by scammers to send out phishing emails.  As so often is the case with these types of phishing emails, it does not contain your account number in the email.  It carries a legitimate looking Chase logo, but that is easy to counterfeit.

Chase logo

Dear ******************

You have 1 new Security message From Chase Online Bank.

Click your email here to view the message *****************

As this e-mail is an automated message, we can’t reply to any e-mails sent by return.

JPMorgan Chase Bank, N.A. Member FDIC
©2016 JPMorgan Chase & Co

TIPS

There are a number of indications that this is not a legitimate email from Chase, but instead is a phishing email.  Legitimate credit card companies would refer to your specific account number in the email.  They also would direct the email to you by name rather than directing it to your email address.  As with all phishing emails, two things can happen if you click on the links provided.  Either you will be sent to a legitimate looking, but phony webpage where you will be prompted to input personal information that will be used to make you a victim of identity theft or, even worse, merely by clicking on the link, you may download keystroke logging malware that will steal all of your personal information from your computer or smartphone and use it to make you a victim of identity theft.  If you receive an email like this and think it may possibly be legitimate, merely call the customer service number where you can confirm that it is a scam, but make sure that you dial the telephone number correctly because scammers have been known to buy phone numbers that are just a digit off of the legitimate numbers for financial companies, such as Chase, to trap you if you make a mistake in dialing the real number.

Scam of the day – November 16, 2016 – Friend Finder Network hacked again

November 16, 2016 Posted by Steven Weisman, Esq.

For the second time in two years, Friend Finder Network, the parent company of a number of online dating services including AdultFriendFinder.com, which describes itself as the “world’s largest sex and swinger community,” appears to have been hacked, according to Leaked Source.  The hacked data includes information from 339 million AdultFriendFinder.com accounts, 15 million deleted accounts where information was still stored by the company, 62 million accounts from Cams.com and 7 million accounts from Penthouse.com, which is also a part of the Friend Finder Network.  Included in the compromised information were user names, email addresses and passwords, some of which were encrypted, but using an encryption program readily hackable.

TIPS

This hacking again emphasizes what I have been telling you for years.  You are only as safe and secure as the places with the weakest security that have your personal information.  It is for this reason that you should limit the amount of personal information that you provide the companies with which you do business as much as possible.  You also should use a unique password for each of your online accounts so that in the event of a breach, such as this, the security of your other accounts is not jeopardized.

In regard to this particular hacking, if you were a member of any of FriendFinder Networks’ sites, you should be particularly wary of spear phishing, which is when specifically targeted emails and text messages are sent to you with personal information obtained through the hacking that make the messages appear legitimate.  These messages lure you into clicking on links with malware that will steal the information from your computer and use it to make you a victim of identity theft.