Scam of the day – August 26, 2015 – Bank of America security message scam

August 26, 2015 Posted by Steven Weisman, Esq.

This is another phishing scam that is making the rounds these days.  It appears to be a legitimate email from Bank of America informing you that due to upgrades being done to the Bank of America computer systems, it is necessary for you to confirm personal account information in order to maintain your account.  Of course, if you click on the link contained in the email, one of two things will happen: either you will unwittingly download keystroke logging malware that will steal your personal information from your computer so that it can be used to make you a victim of identity theft, or you will be sent to another website that prompts you to provide your personal information directly, which then will be used to make you a victim of identity theft.  Either way you lose.  Here is a copy of the email presently being circulated:

“Member:

We need you to confirm your Bank of America account due to our new upgrading. It is mandatory that you confirm your details through our secure link below.

CONNECT
Thank you for your co-operation.
Bank of America Admin
Copyright © 2015 BOA Inc.”

TIPS

There are a number of ways to know that this is a phishing scam.  First of all, if you are not an account holder at Bank of America, you can rest assured that the email is a scam.  Unfortunately, there are so many people who are account holders at Bank of America that the scammers just send out the email in large numbers hoping to reach Bank of America account holders among the random people being sent the email.  The email address from which it was sent was not that of Bank of America, but rather that of a private individual whose email account was hacked, taken over and made part of a botnet to send these emails in large numbers.  Because you can never be sure whether an email that asks you to provide personal information is legitimate, the best thing to do is to remember my motto, “trust me, you can’t trust anyone” and confirm whether it is legitimate by calling the real company, in this case Bank of America.  Chances are, you will be told that it is a scam.
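
The sender mismatch described above can also be checked mechanically. The following is an added example, not part of the original post: it parses a constructed message modelled on the quoted email and reports when the sender's domain or a link's host does not belong to the brand the message claims to come from. The allow-list, the sample addresses and the sample URL are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the domains a brand really sends from and links to.
BRAND_DOMAINS = {"bank of america": {"bankofamerica.com"}}

# Constructed sample modelled on the quoted email; addresses and URL are placeholders.
SAMPLE = '''\
From: "Bank of America Admin" <someone@mail.example.net>
To: member@example.org
Subject: Confirm your account
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>Member:</p>
<p>We need you to confirm your Bank of America account due to our new upgrading.</p>
<p><a href="http://login.example.com/confirm">CONNECT</a></p>
<p>Bank of America Admin</p>
'''

class LinkCollector(HTMLParser):
    """Collects the href of every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.append(href)

def in_domain(host, allowed):
    """True only if host is an allowed domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)

def check_message(raw):
    """Return (kind, host) findings where a claimed brand and the real host disagree."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    body = ""
    for part in msg.walk():  # handles single-part and multipart messages
        if part.get_content_maintype() == "text":
            data = part.get_payload(decode=True) or b""
            body += data.decode(part.get_content_charset() or "utf-8", "replace")
    collector = LinkCollector()
    collector.feed(body)
    claimed = " ".join([display, msg.get("Subject", ""), body]).lower()
    findings = []
    for brand, allowed in BRAND_DOMAINS.items():
        if brand not in claimed:
            continue
        sender_host = addr.rpartition("@")[2]
        if not in_domain(sender_host, allowed):
            findings.append(("sender", sender_host))
        for link in collector.links:
            host = urlsplit(link).hostname  # None for mailto: or relative links
            if host and not in_domain(host, allowed):
                findings.append(("link", host))
    return findings
```

An empty result is not proof that a message is genuine, because the From header can be forged; confirming with the real company remains the deciding step.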

Scam of the day – August 25, 2015 – American Community Survey

August 24, 2015 Posted by Steven Weisman, Esq.

Many people are receiving letters, phone calls and even visits from people representing that they are with the United States Census Bureau taking a survey known as the American Community Survey.  While it is true that the official United States Census is only done once every ten years, the Census Bureau does a limited survey of randomly selected people in all of the states as well as Washington D.C. and Puerto Rico each year.

So how can you tell if you are being contacted and solicited for information by a legitimate census worker or by a scammer merely using the American Community Survey as a ruse to gather personal information from you in order to make you a victim of identity theft?  First of all, the real American Community Survey does not ask for your Social Security number or credit card information.  If you are asked for that information, it is a scam.

TIPS

If you are contacted about participating in the American Community Survey, it is prudent to confirm that you have been selected to participate in the survey.  You can do this by calling their service line at 800-354-7271.  You can also complete the survey by phone at this number.  If you have been contacted by phone, you can confirm that the phone call is legitimate by calling one of the Census’ telephone centers.  If you want to verify that someone who is visiting your home is a legitimate census worker, you can confirm this by calling the Census Regional Office for your area.  Here is a link with all of that contact information and more from the Census Bureau.  https://www.census.gov/programs-surveys/acs/contact.html

Scam of the day – August 24, 2015 – Plenty of Fish dating site hacked

August 24, 2015 Posted by Steven Weisman, Esq.

Plenty of Fish (pof.com), an online dating website with more than a hundred million members, had its website corrupted by hackers who managed to install a keystroke logging malware program known as Tinba that enables the identity thieves to steal credit card and banking information from its victims.  What makes this hacking particularly noteworthy is that the hackers did not hack into the computers of Plenty of Fish to install malware as was done in the recent hacking of Ashley Madison.  Instead, they hacked into the computers of a legitimate advertising company, Improve Digital, that distributed online advertisements to Plenty of Fish.  The malware was attached to legitimate online advertisements placed by Improve Digital on the Plenty of Fish website.  And as I always say, “things aren’t as bad as you think, they are worse.”  In this case, it was not even necessary for someone visiting the Plenty of Fish website to click on the infected advertisements to permit the malware to be downloaded on to their computers.  All that was necessary was to merely go to the now infected website to have your computer, in turn, infected with this dangerous malware.

TIPS

If you are a user of Plenty of Fish, you should monitor your bank accounts and credit card accounts closely.  You also would be wise, if you already have not done so, to put a credit freeze on your credit report.  You can find information as to how to do this here on Scamicide.  Just go to the archives and enter the words “credit freeze.”  You also should make sure that you are using the latest anti-virus and anti-malware software on your computer and run a scan for any viruses or malware.

Scam of the day – August 23, 2015 – Ashley Madison class actions

August 22, 2015 Posted by Steven Weisman, Esq.

A lawsuit has been filed in Canada against Ashley Madison seeking class action status on behalf of Canadian members of Ashley Madison whose personal information was divulged by hackers recently.  The action is being brought against Ashley Madison for failing to protect the privacy of the data that they compiled and retained regarding its members.  Meanwhile in the United States, the Oklahoma law firm of Abington, Cole & Ellery is also considering filing a class action against Ashley Madison on similar grounds on behalf of American victims of the data breach.

TIPS

For more information about the Canadian class action, you can go to the website of Charney Lawyers, one of the law firms that filed the action by clicking on this link. http://www.charneylawyers.com/Charney/ashleymadisonclassaction.php

For more information about the possible American class action, you can go to the website of Abington, Cole & Ellery by clicking on this link. http://abingtonlaw.com/Ashley-Madison-Data-Breach-class-action-lawsuit.html

As for the rest of us who never had any involvement with Ashley Madison, this data breach should serve as a cautionary lesson that every company or governmental agency is susceptible to data breaches and that we all should try to limit as much as possible the amounts of personal information provided to any entity with which we do business. In addition, because of the likelihood of a data breach, never provide information to a company that you would be embarrassed to be associated with.

Scam of the day – August 22, 2015 – Target and Visa settle data breach dispute

August 21, 2015 Posted by Steven Weisman, Esq.

Visa and Target have come to an agreement by which Target will pay 67 million dollars to settle claims brought by Visa card issuers for losses suffered as a result of the massive data breach at Target in 2013 that affected more than 40 million customers.  Unlike a similar proposed settlement about which I reported to you in Scams of the day in April and May 2015, this settlement was approved by the major Visa card issuers.  A proposed settlement between Target and MasterCard was negotiated between the parties that would have paid MasterCard more than 19 million dollars to settle all claims by the MasterCard issuing banks against Target.  However, a condition of the settlement was that 90% of the banks involved had to approve the settlement and this did not happen.  The banks that rejected the settlement believed that the 19 million dollar settlement was far too low considering that the banks lost about 160 million dollars consisting of 79 million dollars in fraudulent purchases and 88 million dollars to reissue replacement cards.  This rejection of the settlement sent the case back to the Federal District Court in Minnesota where that case is scheduled to go to trial unless a settlement more agreeable to the injured banks is reached.

TIPS

The same vulnerability to hacking of the credit and debit card processing equipment that was used in the Target hacking still exists today in most retailers who have been slow to adopt smart card technology and you can expect criminals to increasingly exploit this vulnerability.  The problem is essentially caused by the fact that the United States still uses outdated magnetic strip technology for the most part on credit and debit cards rather than the smart computer chip cards used throughout most of the rest of the world.  Regulations prompting companies to switch to the smart computer chip cards do not go into effect until October of 2015 and even then there is expected to be a further delay in implementing both the new cards, which some credit card companies are already issuing, and the switch to the card processing machines required to process the new cards.

So what should we as consumers do in the meantime?

First of all, never use your debit card for retail purchases.  Federal law does not provide the same level of consumer protection from liability that you get with the use of a credit card.  Second, you should get a new smart chip card as soon as possible and use it whenever possible. WalMart has already installed the new card readers and is processing the new smart cards.   These new cards also have magnetic strips so you can still use the same card through the old style credit card processors if the store where you are shopping does not yet have card readers capable of processing the sale using the computer chip.

Scam of the day – August 21, 2015 – Emergency security update for Internet Explorer

August 20, 2015 Posted by Steven Weisman, Esq.

Microsoft Edge is the new browser being tied to the new Windows 10 operating system just recently launched by Microsoft.  It is replacing the popular Internet Explorer browser, which many people continue to use although it has proven to have a number of vulnerabilities that have been exploited by hackers.  The latest vulnerability is one that is particularly dangerous because it allows a hacker to take over your computer system merely by luring you to a malicious website or a legitimate website that had itself been hacked.  You do not even need to click on an infected link or advertisement to become a victim.  Merely going to an infected site is enough to infect your own computer.

TIPS

Fortunately, Microsoft has issued an emergency security patch to remedy this problem.  Here is a link to the Microsoft Security Advisory that provides access to the free security patch.  https://technet.microsoft.com/en-us/library/security/ms15-093

Whenever security patches are issued for the software that you use, it is critically important that you download and install these security updates as soon as possible to protect your safety online.  Too often people become victims of hacking and identity theft by failing to protect themselves from malware and viruses for which security patches have already been made available.

Scam of the day – August 20, 2015 – Ashley Madison hackers release stolen information

August 20, 2015 Posted by Steven Weisman, Esq.

Impact Team, the hackers who hacked into Avid Life Media, the company that owns and operates Ashley Madison, the dating site for married people seeking to have an affair, followed through with their threat and have released 9.7 gigabytes of the stolen data including email addresses, credit card transaction details, partial credit card numbers, addresses and even dating profiles.  Among the email addresses were 10,000 US military email addresses and hundreds of US government email addresses, although it is important to note that the email addresses used to set up an account with Ashley Madison were not verified by Ashley Madison when accounts were set up, so anyone could set up an account using someone else’s email address.  Ashley Madison is not the first dating website to be hacked and have sensitive information released to the public.  In May, Adult Friend Finder was hacked and personal information of 3.5 million members was released to the public.  Ashley Madison claims to have 40 million users.  Impact Team released the information on various dark web websites with the announcement copied below.  Although these dark web websites are encrypted and not generally available, it can be expected that the information will become public soon.

TIPS

One of the key lessons here is that your personal information is only as safe as the places with the weakest security that have your information.  It is for this reason that you should never leave your credit card on file for convenience with a website.  Enter it anew each time you make a purchase on Amazon or any other website that you may go to frequently.  As for Ashley Madison in particular, it is a good lesson to remember that you should never give information to any website that would be a source of embarrassment to you if it were to become public after a data breach.

Customers of Ashley Madison can go to a number of websites that have been recently set up to see if their personal information was among the information compromised.  Here is a link to one of them.   https://ashley.cynic.al/

Scam of the day – August 19, 2015 – IRS hacking worse than originally reported

August 19, 2015 Posted by Steven Weisman, Esq.

Earlier this week, the IRS announced that the hacking of its “Get Transcript” program, which they had originally announced in May and which was the subject of my Scam of the day for May 28th, was far worse than they originally disclosed.  While originally, the IRS stated that 104,000 people were affected by the IRS data breach, now the IRS is saying that the number of people affected is more than 300,000.  As a result of the data breach, the IRS indicated it paid more than 50 million dollars in fraudulent returns filed using the information stolen from the IRS’ “Get Transcript” program.  The “Get Transcript” program enables taxpayers to get copies of their federal income tax returns from previous years.  People often use this service to get copies of earlier income tax returns for uses such as when they apply for a mortgage or financial aid for college.  The IRS shut down this service when it became aware that vulnerabilities in the system resulted in hackers attacking the system from mid February until May posing as legitimate taxpayers and getting copies of income tax returns which could provide information that would enable the hackers to steal the identities of their victims and file phony income tax returns in the names of their victims and claim bogus refunds.

Although many people were surprised at this hacking, Scamicide readers were not among them because here at Scamicide, we exposed this vulnerability in the “Get Transcript” program in our Scam of the day for April 3, 2015.  Apparently, the IRS doesn’t read Scamicide.  Maybe it should.

The problem with the system was in the authentication process used by the IRS to limit access to this information to the taxpayer who is seeking his or her own income tax returns.  In order to access the income tax returns, the system required the inquirer to provide his or her name, Social Security number, birth date, address and other personal identity verifications, such as what was your high school mascot or when you got a mortgage.  The problem is that, in many instances, this information can be gathered by a diligent hacker from public databases, social media where people provide this information to hackers, and data breaches.

TIPS

If you are one of the people affected by this data breach, you will get a letter, not an email, from the IRS and will be offered free credit monitoring services.  These letters will not require you to provide any personal information in response.  Any communication you get that purports to be from the IRS that requests that you provide personal information is not from the IRS, but from another scammer.

A lesson for all of us is to remember to try to protect the privacy of your Social Security number as best you can.  Most identity theft starts with the identity thief obtaining and exploiting the victim’s Social Security number.  Don’t provide it to companies with which you do business unless you absolutely must do so.  Medical care providers routinely ask you to provide this, but they have no need for this and the health care industry has been among the worst in protecting its data from being hacked.

The verification process of using personal identity verification information is fundamentally flawed in today’s world.  Better systems should be used, such as dual factor authentication where a code is sent to your smartphone when you need to access an account.

Scam of the day – August 18, 2015 – 32 gang members indicted for income tax identity theft

August 18, 2015 Posted by Steven Weisman, Esq.

A good indication as to how pervasive income tax identity theft has become is the recent indictments filed in California against 32 members of the Long Beach gang called the Insane Crips.  Among the charges were 299 counts of identity theft.  Filing income tax returns using names and stolen Social Security numbers of their victims, the gang managed to obtain more than 3 million dollars in refunds loaded on to prepaid debit cards, which is an option offered by the IRS.  The fact that young, unsophisticated gang members are able to steal this much money from the IRS filing fraudulent income tax returns is a good indication of how easy this crime is to accomplish.

TIPS

The best place to find a helping hand is always at the end of your own arm.  Do not depend on the IRS protecting you from income tax identity theft.  Protect the privacy of your Social Security number as best you can and file your income tax return as early as possible so that an identity thief cannot file one before you and get a refund before you file your return.  If you are a victim of income tax identity theft, it can take many months before the IRS will complete its investigation of the matter and send you your proper refund.

Scam of the day – August 17, 2015 – New IRS regulation to reduce identity theft is worthless

August 17, 2015 Posted by Steven Weisman, Esq.

Income tax identity theft is a major problem.  It costs the federal government and therefore the legitimate taxpayers an estimated 5 billion dollars per year.  The IRS is fully aware of the problem and therefore has just issued final and temporary regulations  that will go into effect two years from now that remove the automatic thirty day extension of time for employers to file W-2s in an effort to help curb income tax identity theft.  Identity thieves often file their fraudulent income tax returns using counterfeit W-2s that indicate a large refund is due.   Under the law, employers who file paper W-2s must file W-2s on the last day of February and if they file electronically, they must file the W-2s on March 31st, so the new regulations will prevent employers from extending those deadlines automatically to the end of March and end of April depending upon whether the employer is filing W-2s by paper or electronically.

However, the regulation is utterly useless and ineffective because under the present law, when an employer files W-2s, they are not filed with the IRS.  They are filed with the Social Security Administration, which does not get around to forwarding them to the IRS for matching against submitted income tax returns to verify whether or not the W-2 filed with the individual’s income tax return is legitimate until July or August, which is long after the IRS has already sent out refunds without ever matching the W-2s filed by taxpayers with those filed by employers.  The new regulation does not improve the situation at all.  A far better solution would be for Congress to merely enact legislation requiring employers to file their W-2s with the IRS at the same time they file them with the Social Security Administration and for the IRS to match the W-2s filed by employers with those filed by taxpayers before the IRS sends out refunds.  This simple and inexpensive step would dramatically reduce the amount of income tax identity theft.  Congress and the IRS have been advised for years to do this, but they still have done nothing.

TIPS

The best steps you can take to protect yourself from becoming a victim of income tax identity theft are to maintain the privacy of your Social Security number and file your income tax return as early as possible in order to prevent an income tax identity thief from filing an income tax return in your name before you do.  Meanwhile, we all should contact our Senators and Representatives to urge them to change the law to require employers to file W-2s with the IRS at the same time they file them with the Social Security Administration and for the IRS to match those W-2s with those filed by taxpayers before sending out refunds.

Here is a link to a website that will provide you with the email addresses of your Senators and Congressmen.  http://www.contactingthecongress.org/