Scam of the day – January 31, 2016 – Amazon customer service exploited by identity thief

January 31, 2016 Posted by Steven Weisman, Esq.

Amazon customer Eric Springer was understandably concerned when he got an email from Amazon customer service thanking him for contacting them, because Springer had not contacted Amazon customer service. Unfortunately, an identity thief posing as Springer had contacted Amazon for an online chat and, merely by providing Springer’s name, email address and, as verification, a street address that Springer had used with Amazon, was able to convince the Amazon employee to provide Springer’s real home address and phone number. The identity thief did not even have to log in to Springer’s account in order to reach the customer service representative, thereby negating the protections provided by Springer’s password. The identity thief took the information provided by the customer service representative and was able to parlay it into more information, which he then used to trick Springer’s bank into issuing the identity thief a new credit card in Springer’s name. This is not an isolated incident and it happens at more places than just Amazon. We all are potential victims of identity thieves who troll for personal information from wherever they can get it and then use that information to make us victims of identity theft.


The less information that you share anywhere, the safer you will be. This even means limiting the places, particularly social media, where you provide your phone number or home address. If you can use different addresses for different accounts, it is a good thing to do. Having multiple email accounts can also be a good idea. Making your shipping address and home address different can also make it a little more difficult for an identity thief. Finally, make sure that all of the places with which you have financial dealings, such as your bank, credit card company and even retailers such as Amazon, will notify you if unusual transactions occur or changes are made to your account, in order to alert you as soon as possible when problems do occur.

January 30, 2016 – Steve Weisman’s latest column for USA Today

January 30, 2016 Posted by Steven Weisman, Esq.

Here is a link to an important column I wrote for USA Today that tells you about what the IRS and Congress are doing (and not doing) about income tax identity theft.

Scam of the day – January 30, 2016 – Massachusetts lawyer convicted of income tax identity theft

January 30, 2016 Posted by Steven Weisman, Esq.

Attorney R. David Cohen was recently convicted of sixteen charges related to an income tax identity theft scam he had operated since 2011, which provided Cohen and his accomplices a million dollars of fraudulent federal income tax refunds. As is typically the case, Cohen used stolen names and Social Security numbers to file income tax returns and had the refund checks sent to various addresses he controlled. An attempt was then made to launder the checks through his attorney escrow account. One of the interesting aspects of this case was that Cohen used Social Security numbers of citizens of Puerto Rico, which are particularly valuable to income tax identity thieves because, although citizens of Puerto Rico are American citizens, they are not required to file federal income tax returns. This makes it easier for identity thieves to avoid detection, as the people whose Social Security numbers they steal don’t file their own returns and thereby alert the IRS that a crime had been committed. Cohen is scheduled to be sentenced on April 26th.


Along with protecting the privacy of your Social Security number as best you can, the best thing you can do to protect yourself from becoming a victim of income tax identity theft is to file your income tax return as soon as possible in order to get your return filed first before an identity thief has an opportunity to do so.

Scam of the day – January 29, 2016 – Wendy’s suffers apparent data breach

January 29, 2016 Posted by Steven Weisman, Esq.

Fast food hamburger chain Wendy’s announced that it had discovered “reports of unusual activity involving payment cards” at some of its restaurants and is presently investigating the matter in order to determine the full extent of the apparent data breach and where it occurred.    This story was first reported by Krebs on Security.  Wendy’s operates 5,600 company owned and franchised restaurants around the world although initial reports do not tend to indicate that the apparent data breach affected all stores.  As is so often the case, the apparent data breach was first discovered not by Wendy’s itself, but by credit card processing banks noticing a pattern of fraudulent use of credit and debit cards that could be traced back to Wendy’s restaurants.  In fact, at this time, the incident appears to follow the pattern that I described in a column I wrote for USA Today in September of 2014.

Wendy’s still uses the old fashioned magnetic stripe credit cards, which are much easier targets for hackers than the EMV chip cards which have been required to be used by companies since October of 2015. The rules requiring companies to switch to the new smart cards carry no specific penalty, but in the event of a data breach they can result in a company that does not use the EMV chip cards being responsible for the costs of fraudulent use of stolen card information. It should also be noted that although October 1, 2015 was the deadline for retailers to switch to EMV smart card processing for credit cards and debit cards to avoid liability in the event of a data breach, the deadline for ATMs and gas station pumps to switch to the EMV smart cards is not until October 1, 2017.


As consumers, the best thing we can do is to use our EMV chip cards whenever possible. Stores such as Walmart and Target have switched to the new cards. If you have not yet received a new EMV chip card from your credit card company, contact them and get one as soon as possible. It still is a good idea to not use your debit card for retail purchases because the protection from liability that you get regarding fraudulent use of a debit card is not as strong as the liability protection you get when using a credit card. Further, even if you report fraudulent use of your debit card immediately to your bank, your bank account to which the card is tied will be frozen and inaccessible to you while the bank investigates the matter.

If you were a customer of Wendy’s during the last year, it is a good idea to carefully monitor the charges on your credit card for indications of fraudulent use.


Scam of the day – January 28, 2016 – Student sentenced to 24 years for romance scams

January 28, 2016 Posted by Steven Weisman, Esq.

I have written many times in and in my book “The Truth About Avoiding Scams” about romance scams. Most of these online dating and romance scams involve some variation of the person you meet through an online dating site quickly falling in love with you and then, under a wide variety of pretenses, asking for money. As Valentine’s Day approaches there will certainly be an upswing in various romance scams. One romance scammer who will not be threatening vulnerable people looking for love is college student Olusegun Aroke, who was recently sentenced in Nigeria to 24 years in prison for his online romance scams.


There are various red flags to help you identify romance scams. I describe many of them in detail in my book “The Truth About Avoiding Scams.” The most important thing to remember is to always be skeptical of anyone who falls in love with you quickly online without ever meeting you and early into the relationship needs you to wire money to assist them with a wide range of phony emergencies. Here are a few other things to look for to help identify a romance scam. Often their profile picture is stolen from a modeling website on the Internet. If the picture looks too professional and the person looks too much like a model, you should be wary. Particular phrases, such as “Remember the distance or color does not matter, but love matters a lot in life,” turn up in many romance scam emails. Also be on the lookout for bad spelling and grammar, as many of the romance scammers claim to be Americans, but are actually foreigners lying about where they are and who they are. Of course you should be particularly concerned if someone falls in love with you almost immediately. Often they will ask you to use a webcam, but will not use one themselves. This is another red flag. One thing you may want to do is ask them to take a picture of themselves holding up a sign with their name on it. In addition, ask for a number of pictures because generally when the scammers are stealing pictures of models from websites, they do not have many photographs. Ask for the picture to be at a particular place that you designate to further test them.

Scam of the day – January 27, 2016 – New WhatsApp scams

January 26, 2016 Posted by Steven Weisman, Esq.

It has been more than two years since I last wrote about scams involving the popular mobile messaging service WhatsApp. WhatsApp is a mobile messaging app for your smartphone that allows you to send text messages, photographs, videos and audio. With more than a billion people using WhatsApp, it is not surprising that it has become attractive to scammers seeking to use its popularity to lure people into becoming victims of scams. The most recent WhatsApp scam starts with an email you receive that appears to come from WhatsApp telling you that you have missed a WhatsApp call or voice message on your smartphone and provides a link for you to click on in order to access the missed message. Unfortunately, however, if you click on the link you risk downloading malware such as keystroke logging malware that will steal personal data from whatever electronic device you are using and use that information to make you a victim of identity theft.


Never click on a link in an email or text message until you have independently confirmed that it is legitimate.  The risk of downloading malware is too great.  Even if your computer or other electronic device is protected with anti-virus and anti-malware security software, the best security software is always at least thirty days behind the latest malware.  Trust me, you can’t trust anyone when it comes to clicking on links.  Even if the link is contained in a communication that appears to come from a person or company you trust, you should always verify that it is legitimate before clicking on the link.  As for this specific scam, WhatsApp never contacts you by email and doesn’t even have your email address, so if you receive an email that purports to be from WhatsApp, you can be confident that it is a scam and you should delete it without clicking on any links contained therein.

Scam of the day – January 26, 2016 – Jury duty scam with a twist

January 26, 2016 Posted by Steven Weisman, Esq.

I have been warning you about the jury duty scam for more than three years. The scam involves a telephone call that you receive purportedly from a law enforcement officer informing you that you have failed to appear for jury duty and that a warrant has been issued for your arrest. You are told, however, that you can avoid arrest and greater fines by paying a fine through a credit card or prepaid cash card. Of course, the phone call is a scam. Even if you have missed jury duty, you will never be called by legitimate court officers and shaken down for a payment.

Now, however, in a new twist on this old scam, federal prosecutors in Georgia have indicted 51 people who, it is alleged, were operating jury duty scams from inside the Autry State Prison, where the prosecutors say prison inmates made the calls on cellphones smuggled into the prison by guards and other prison officials who were a part of the scam.


Initial contacts from the courts regarding jury duty are always in writing through the mail although some systems will permit you to receive future notices through email.  Under no circumstances will you receive telephone calls or text messages indicating that you have failed to report for jury duty.  No court will demand payment over the phone for failing to appear for jury duty.  If you do receive such a call and you think that there is even the possibility that you might have forgotten to report for jury duty, merely call the local clerk of courts where you can find accurate information.

Scam of the day – January 25, 2016 – Cracka strikes again

January 25, 2016 Posted by Steven Weisman, Esq.

Back in October I told you about CIA Director John Brennan’s personal email account being hacked. The hacking was not done by Russian, Iranian or Chinese government hackers. Instead, it was done by a teenage hacker who calls himself Cracka and his group Crackas With Attitude. Among the data stolen by the hackers were government documents stored in Brennan’s personal email account. Now it has been disclosed that Cracka has also recently hacked online accounts of James Clapper, the Director of US National Intelligence, and John Holdren, the Director of the White House’s Office of Science and Technology Policy. What is particularly troubling about these hackings is how easy it was for Cracka and his cohorts to hack the accounts of top level government officials using basic phishing social engineering techniques. In the case of John Holdren, Cracka has indicated that he gained access to his accounts merely by sending an email posing as Holdren to Holdren’s wife telling her he had lost the password for their Xfinity account and merely asking for it, which she supplied him. In the case of the hacking of Brennan, Cracka started the hack by doing a reverse lookup of Brennan’s smartphone and found that he was a customer of Verizon. He then called Verizon, posed as a Verizon technician and merely asked for Brennan’s personal information, which was provided upon Cracka providing the Verizon employee to whom he was talking with a phony V code assigned to all Verizon employees. The Verizon employee then provided Cracka with Brennan’s account number, his PIN, the backup cell phone number on the account, his email address and the last four digits of his bank card. Armed with this information, Cracka then contacted Brennan’s email provider and, after answering security questions with the information he and his cohorts had managed to get from Verizon, changed Brennan’s password and took over the account.


So what does this mean to you? We all have important and sensitive information in our email accounts and perhaps we shouldn’t. A better habit would be to store personal information and sensitive information in a secure folder on your computer. This hacking is also a reminder that whenever possible, you should use dual factor authentication, by which when you wish to access a particular account such as your email you can only do so by providing a one time code sent to your smartphone each time you attempt to log in. Dual factor authentication would have prevented this hacking. In addition, a problem that has come up time and time again is that when security questions are used to enable someone to change their password, the answers to many of the security questions we use can be obtained from a variety of sources including social media and public records. One way to make your security question stronger is to provide a nonsensical answer to your security question. So if the question is what is your mother’s maiden name, an often used and particularly weak security question, pick a nonsensical answer such as “grapefruit.” You will remember it because it is so ludicrous, but no one is going to be able to obtain the information necessary to answer your security question. If Brennan had used such a nonsensical answer to his security question, the hackers would not have been able to take over his account. Also, Holdren could have avoided being hacked had his wife contacted her husband directly before responding to an email posing as him asking for a password. Trust me, you can’t trust anyone.

Scam of the day – January 24, 2016 – Arrest made in phony job identity theft scheme

January 24, 2016 Posted by Steven Weisman, Esq.

Sharif King was recently indicted in New York on fifteen charges related to allegations that he operated an identity theft scheme in which he posted advertisements for job openings for “Upstate Family Transport LLC” and then required a job applicant to provide him with personal information, including his Social Security number, under the guise of needing the information for employment purposes, but instead used the information to steal the job applicant’s identity and purchased a $58,000 Mercedes Benz using his victim’s identity. Just last June, King was charged in a similar scheme in which he allegedly interviewed job applicants for a non-existent record label, “Dower Music Entertainment LLC,” and then used the information provided by the job applicants to obtain credit cards.


Always do research on any company for which you are considering working to make sure that it is legitimate. Find out if it has a physical address and see if it has any history of fraud. It is also important to remember that no prospective employer needs your Social Security number until you have been hired for the job. You should also restrict the amount of other personal information that you provide a prospective employer, such as your birth date or driver’s license number, which is not needed early in the job application process or, in many instances, ever.

Scam of the day – January 23, 2015 – Update on automobile cybersecurity

January 23, 2016 Posted by Steven Weisman, Esq.

When white hat hackers Charlie Miller and Chris Valasek first alerted the automobile industry and the public about the vulnerability of cars to being hacked and taken over electronically, as shown by their remote hacking of a Jeep Grand Cherokee through its infotainment system, we all took notice. The threats posed by the rapidly expanding Internet of Things, where so many products we use are becoming connected to the Internet, are particularly significant when it comes to automobiles, where these threats can be life threatening. However, the government and the auto industry are responding to this threat. The Department of Transportation and 17 automakers have agreed to share information about cyberattacks on their vehicles. The industry has already set up the Information Sharing and Analysis Center (ISAC) as a clearinghouse for sharing such information. They also have agreed to develop best practices. The National Highway Traffic Safety Administration (NHTSA) is also looking to expand its role in the managing of the security of Internet connected vehicles. However, automakers are concerned that if NHTSA decides to go the route of enacting regulations, the process could take years and have a negative effect on innovation during this process.


To find out if your particular vehicle uses the same Uconnect infotainment system that was exploited by Miller and Valasek as well as to get access to the software security updates necessary to patch those vulnerabilities, click on this link.

You also may want to talk to your car dealer and find out what the manufacturer of your particular car is doing to protect your car from cyberthreats.  Finally, if you are looking into buying a new car, you may want to consider getting one with the Android Auto or Apple CarPlay system that uses your smartphone to operate your car’s entertainment system.  This will give you greater control over the security systems you should already have built into your smartphone.