Scam of the day – April 20, 2016 – DocuSign phishing scam

April 20, 2016 Posted by Steven Weisman, Esq.

DocuSign is a company that provides technology for the transmission of contracts and other documents with features for electronic signatures.  The company is used by many companies.  Recently I received a phishing email, reproduced below that purported to be from an attorney that I know and with whom I do business asking me to click on a link to open a document that needed my signature.  The phishing email looked very professional and contained the DocuSign logo and appeared legitimate.  In the copy of the email below, I have blocked out the name and other personal information used to identify the attorney who was purported to have sent me the document.  DO NOT CLICK ON THE LINK TO VIEW DOCUMENTS.

This is a spear phishing email designed to lure the person receiving the email to click on the link and either provide personal information that could be used for identity theft, or, as more likely in this particular phishing attempt, merely by clicking on the link would have downloaded keystroke logging malware into the computer of the person clicking on the link.  This malware would have enabled the cybercriminal to steal all of the personal information from the computer and make that person a victim of identity theft.  This email was particularly dangerous because it came from someone with whom I do business whose email account was hacked and used to send out the spear phishing email.

Here is the email without the logo.

Please review and sign your document
 

From: XXXXXXXXX (XXX@aol.com)

Hello

Thomas has sent you a new DocuSign document to view and sign. Please click on the ‘View Documents’ link below to begin signing.

View Documents
XXXXXXXX
Law Office of XXXXXXXXX
XXXXXXXXXXX
XXXXXXXXXX
Fax: XXXXXXXXX
Email: XXX@aol.com

__________________________________________________________________________
CONFIDENTIALITY NOTICE: This email message contains confidential information intended only for the person(s) or entity to whom it is addressed and is subject to attorney-client privilege. If you have received this email message in error, please destroy the original message.

CIRCULAR 230 DISCLOSURE: Pursuant to U.S. Treasury Regulations, we are now required to advise you that, unless otherwise indicated, any federal tax advice contained in this communication, including attachments and enclosures, is not intended and may not be used for the purpose of (1) avoiding tax related penalties under the IRC or (2) promoting, or recommending to another party any tax related matters addressed herein.

TIPS

In this case, I actually followed my own advice as to never click on a link regardless of how legitimate the email or text message may appear until confirming that the message is legitimate.  I emailed back to the attorney and asked him to confirm that it was legitimate and answer a question which I knew only he would know the answer to.  The response I got from him was that he had been hacked and I should not click on the link.

The lesson here is clear.  You can never be sure when you receive an email as to who is really contacting you.  Although sometimes it is obvious when the email address of the sender does not correspond to who is represented as sending the email, but other times, such as in this case, the email account of someone or some company you trust could have been hacked and used to send you the malware.  Therefore you should never click on a link or download an attachment in an email until you have absolutely and independently confirmed that it is legitimate.

 

Scam of the day – April 19, 2016 – Business email scam

April 19, 2016 Posted by Steven Weisman, Esq.

The FBI recently issued a warning about a dramatic increase in what it calls the Business email compromise scam (BEC).   The scam involves an email to the people who control payments at a targeted company.  These people receive an email purportedly from the CEO, company attorney or even a vendor with whom the company does business requesting funds be wired to a phony company or person.   At its essence, this scam is remarkably simple and relies more on simple psychology instead of sophisticated computer malware.  Often the scammers will do significant research to not only learn the name of the key employees involved with payments within a company, but also will infiltrate the email accounts of company employees for a substantial period of time to learnthe protocols and language used by the company in making payments.  The scammers will also gather information from the company’s website and from social media accounts of its employees all in an effort to adapt their message to seem more legitimate.

Companies both large and small have fallen for this scam, which has increased 270% in the last year and over the last couple of years has cost companies more than 2.3 billion dollars in losses. American toy manufacturer, Mattel lost three million dollars to this scam in 2015.

TIPS

In order to avoid this scam, companies should be particularly wary of requests for wire transfers made by email.  Wire transfers are the preferred method of payment of scammers because of the impossibility of getting the money back once it has been sent.  Verification protocols for wire transfers and other bill payments should be instituted including, dual factor authentication when appropriate.  Companies should also consider the amount of information that is available about them and their employees that can be used by scammers to perpetrate this crime.  They also should have strict rules regarding company information included on employee social media accounts.  Finally, employees should be educated about this scam in order to be on the lookout for it.

 

Scam of the day – April 18, 2016 – New York identity theft ring busted

April 17, 2016 Posted by Steven Weisman, Esq.

New York police recently indicted twelve people from Brooklyn and Queens, charging them with an intricate identity theft conspiracy by which they are alleged to have leveraged easily obtained personal information to obtain credit cards in their victims’ names.  They are then alleged to have used these cards to go on shopping sprees at stores, such as Barneys New York, Saks Fifth Avenue, Louis Vuitton and the Apple Store where they purchased expensive items that they could turn into cash on the black market.

One of the more disturbing element of this identity theft ring is that they obtained enough personal information from public data bases and companies that search those data bases for you to apply for credit cards in the names of their victims.  They also made counterfeit IDs to provide when they purchased items.  Other times they were able to merely add their names to existing accounts.  They also used the fraudulent credit cards to activate “Apple Pay” on their iPhones so they didn’t even have to provide a credit card when making purchases.  After the cards were ordered from the credit card issuers, they would have a member of the ring wait at the address where the cards were to be delivered to intercept the delivery.  They also were able to avoid credit card company fraud alert telephone calls inquiring about suspicious purchases by having their victims’ telephone numbers forwarded to phones they controlled.

TIPS

The ease with which the alleged criminals were able to obtain sufficient personal information in order to obtain credit cards in the names of their victims and forward their victims’ telephone calls points out the importance of companies taking stronger measures to protect our personal information and require more comprehensive security to confirm that they are not dealing with identity thieves.  The best thing that we as consumers can do to protect ourselves from this type of crime is to put a credit freeze on your credit report so that credit cards cannot be obtained in your name without your specific authorization.  For more information about how to put a credit freeze on your credit reports,  go to the section entitled “Search this Website” at the top of this Scamicide page and type in “credit freeze.”

Scam of the day – April 17, 2016 – Bank insider identity thief pleads guilty

April 17, 2016 Posted by Steven Weisman, Esq.

Great attention is being given by many companies and institutions to protecting themselves from identity thieves attacking them from the outside, but it is also important for companies to pay equal attention to protecting themselves from the threat of identity theft and data breaches from rogue employees within their own companies.  Recently, Ronald Reed pleaded guilty to bank fraud and identity theft in federal court in California.  Reed convinced four Wells Fargo bank employees into providing him with information about Wells Fargo bank customers including their birth dates, bank account numbers and Social Security numbers which he used to steal money from the customers’ accounts as well as use their accounts to cash counterfeit checks.  Reed is scheduled to be sentenced on July 15th and faces as many as 32 years in prison.

Identity theft by bank insiders is a growing problem.  Late last year two bank employees of JP Morgan Chase were indicted for accessing customers accounts through phony ATM cards and stealing approximately $400,000.  Older people with accounts into which their Social Security checks are electronically deposited are particular desirable targets of these criminals.  In addition, many criminal bank insiders, familiar with banking regulations keep their fraudulent withdrawals to less than $10,000, the level at which greater bank scrutiny occurs.

TIPS

There is little that we can do as consumers to protect ourselves from this type of insider identity theft.  The best thing you can do is to monitor all of your accounts and financial dealings often in order to recognize as soon as possible when identity theft has occurred.  The earlier you learn that you have become a victim of identity theft, the easier it is to correct the problem.  Anyone who has become a victim of identity theft should go to the tab at the top of the Scamicide.com website for detailed information about the steps you need to take if you have become a victim of identity theft.

As for the banks themselves, they should do a better job of screening potential employees.  Some banks do little more than a cursory criminal background check.  In addition, banks should limit the access of tellers to customer information.  New York Attorney General Eric T. Schneiderman has advised New York banks to limit the access of tellers to such sensitive customer account information.

Scam of the day – April 16, 2016 – Apple ends support for QuickTime for Windows

April 16, 2016 Posted by Steven Weisman, Esq.

I am always advising you to update the software that you use with the latest security patches and updates because cybercriminals exploit newly discovered vulnerabilities in the software programs that we all use to deliver malware such as ransomware and keystroke logging malware that can steal the information from your computer and use it to make you a victim of identity theft.  Too often, criminals are successful in using malware against which there are already issued security patches, but that many people fail to install in a timely fashion.  It is for this reason that I am constantly providing you with the latest security updates as issued by the Department of Homeland Security.

However, sometimes when it becomes just too difficult to plug the holes in particular software, the software maker will abandon the particular software and not issue any further updates.  This was the case with the Windows XP operating system.  Continuing to use that system puts you in significant danger of being hacked.  Now, Apple has announced that it will no longer produce security updates for its QuickTime media player which handles video, audio and interactive content.  This is a major announcement and if Apple is abandoning QuickTime, so should you.

TIPS

The risk of continued use of QuickTime is too great.  Not only should you cease to use it, you should also uninstall it.  Here is a link to Apple’s instructions for uninstalling QuickTime.  https://support.apple.com/en-us/HT205771

Here also is a link to the announcement by the Department of Homeland Security about Apple ending its support for QuickTime for Windows.  https://www.us-cert.gov/ncas/alerts/TA16-105A

Also, in keeping with my advice to update your computer software programs with the latest patches as soon as they become available, here are links from the Department of Homeland Security to important updates for  Microsoft software and Google Chrome.

https://www.us-cert.gov/ncas/current-activity/2016/04/12/Microsoft-Releases-April-2016-Security-Bulletin

https://www.us-cert.gov/ncas/current-activity/2016/04/13/Google-Releases-Security-Update-Chrome

Scam of the day – April 15, 2016 – Tax scams multiply as filing deadline approaches

April 15, 2016 Posted by Steven Weisman, Esq.

Today, April 15th is the usual deadline for filing your federal income tax return, however, as many people know, if the 15th falls on a weekend, the filing deadline is pushed back to the next Monday.  If April 15th is a holiday, the filing date is also pushed back.  This year, April 16th is Emancipation Day, which is a legal holiday in Washington D.C. and because it falls on a Saturday, federal employees have the preceding Friday, April 15th, off from work which pushes the filing deadline to the next business day, which is Monday, April 18th.  If that isn’t complicated enough, if you live in Massachusetts or Maine, you have until April 19th to file your tax returns because April 18th is Patriot’s Day, a state holiday in those two states.

In any event, scammers and identity thieves don’t take off holidays and the IRS is warning people again about an increase in income tax scams that are occurring in the final days before the income tax filing deadline.  There are a number of various scams tied to income tax filings, but they generally fall into four categories.  The first is when you get a telephone call purporting to be from the IRS informing you that if you don’t send them money right away, you will be arrested or suffer some other serious penalty.  The second is when you receive an email or text message apparently from the IRS requiring you to verify information in order to receive your refund.  You supply this information by clicking on a link.  The third is when you receive a telephone call apparently from the IRS asking you to confirm personal information over the phone in order to receive your refund.  The fourth is when you receive a call, text message or email from your online tax preparation company requiring you to confirm personal information.

All of these are scams that will either directly steal your money or provide the identity thieves with personal information they can use to make you a victim of identity theft.

TIPS

The IRS will not call you and threaten you in order to collect outstanding taxes and they will not require you to wire money to them.  Even if your Caller ID indicates it is the IRS calling, scammers using a technique called “spoofing” can make it appear on your Caller ID that it is the IRS calling when it is not.  If you get a call from someone purporting to be from the IRS initiating contact about collecting overdue taxes, it is a scam.  It is that simple.  Just hang up.

The IRS will not be contacting you by phone, email or text messages to confirm information regarding your tax return, so never provide personal information in response to being contacted in these ways by someone pretending to be with the IRS.  In addition, merely by clicking on a link contained in such electronic messages could download malware that could steal your personal information from your computer and use it to make you a victim of identity theft.

Phony emails or text messages from your online tax preparation company requesting personal information is a very prevalent scam this year.  Whenever you get an email or text message from anyone asking for personal information, do not provide it unless you have independently confirmed that it was legitimate.  Trust me, you can’t trust anyone.

Here is a link to the IRS’ recent warning.  https://www.irs.gov/uac/Newsroom/IRS-Warns-of-Continued-Scams-and-Varied-Tactics-as-the-Tax-Deadline-Nears

Scam of the day – April 14, 2016 – United Nations compensation board scam

April 13, 2016 Posted by Steven Weisman, Esq.

Today’s scam of the day comes, as many do, from my own email although I am sure many of you have seen this as well popping up in your own email.  It appears to be an email from the non-existent United Nations Scam Compensation Board, which promises to compensate scam victims for everything they may have lost.  In addition, these full service scammers also provide loans if you need one.  As counterfeit emails go, this one appears pretty good as it comes under an official United Nations logo.  Somewhat puzzling are places to click at the bottom of the email to like them on Facebook and follow them on Twitter.  Here is the text of the letter

“Have you been scammed? Are you talking to a scammer? Have you ever lost a property online to fraudsters?  We have created a Board to compensate all your loss 100%.  We Have agents ready to help you file your loss case and get a FULL refund. If your COMPANY have been also scammed whether a small or big business, we will help you get a compensation.  We listen to all scam cases e.g Romance scam, Email Fraud, Hacked bank account scams, Basically all kind of scams. Our Agents will create a case ID for you immediately and collect the necessary requirements. You will be forwarded to the reimbursement team within 24 hours.

WE ALSO PROVIDE LOAN TO BUSINESS(ES) AND INDIVIDUALS

Do you need loan for your business or for personal purposes? We have a partner loan company that will take your requests.  Reply this email with your loan requirements and a loan agent will take your request, forward it to the loan team and you will get a response all within 24 hours. If you need a very big loan, add that to your request, we will collect the required information, verify and endorse your request for faster approval.  Thanks

Scott James (UNSCB)”

TIPS

Anyone clicking on the links provided in the email to be connected to an agent would only end up providing personal information to a scammer that would enable the scammer to make the person responding to the email a scam victim again.  A Google search would easily show that there is no United Nations compensation board.  In addition, no agency can possibly guarantee that they can refund you the entire amount that you lost to a scammer.  Also, if the board was able to provide you with the entire amount that you had lost to a scam, why would you need to apply to them for a loan.  This scam is a good example of an email that looks legitimate, but when you read what it says, there is nothing that would  give the slightest indication that it is to be trusted.

If you find yourself a victim of a scam, you should report the scam to your local police, the consumer protection of your state attorney general,  and the Federal Trade Commission (FTC).    Never provide personal information to anyone unless you are absolutely sure they are legitimate.

 

Scam of the day – April 13, 2016 – Federal government settles with Goldman Sachs

April 13, 2016 Posted by Steven Weisman, Esq.

Not all scams are perpetrated by Nigerian email writers, Chinese hackers or Ponzi schemers like Bernie Madoff.  Sometimes they are done by large corporations.  The financial meltdown of the economy that happened in 2008 was largely caused by subprime mortgages issued by lenders such as Countrywide Financial which, in turn, sold these unsound mortgages to financial institutions such as Goldman Sachs, JP Morgan Chase, Citibank, Bank of America and Morgan Stanley, who, in turn rated these risky loans as secure investments bundled them into bonds and sold them to unwary investors who ended up losing trillions of dollars.

On Monday, it was announced that Goldman Sachs settled civil charges brought against it by the federal government and agreed, pursuant to the settlement to pay 5.1 billion dollars.  This amount may seem large, but certainly far less than the 13.3 billion dollars paid by JP Morgan Chase to settle similar charges.  However, as I always say, rarely is there anything “fine” in fine print and in the fine print of the settlement are various government incentives and tax breaks that can reduce the cost to Goldman Sachs by as much as a billion dollars.

Unlike previous settlements, where the companies were allowed to neither admit nor deny wrong doing, this settlement was accompanied by an agreed statement of facts in which Goldman Sachs specifically acknowledges that it knowingly made false and misleading representations to investors that induced them into purchasing these bonds which Goldman Sachs knew were highly questionable.

This settlement continues the pattern of not a single person from any financial institution charged criminally regarding the bundling and selling  of these risky bonds, however, hopefully and significantly, the agreement preserves the right of the federal government to bring criminal charges against Goldman Sachs and its individual employees.  Further, the agreement requires Goldman Sachs to cooperate in any such investigations.  Only time will tell if this is  truly significant or not.

The actions of Goldman Sachs seem even more appalling when you consider that they had the gall to take ten billion dollars in federal TARP bailout money.

TIPS

Could  a  similar economic catastrophe triggered by greed, malfeasance, criminal actions and negligence of so many people happen again?  Some economic reforms that happened as a result of the 2008 financial debacle have reduced that possibility, however, the question is by how much has that possibility been reduced?  It is hard to say.  For us, as individual investors we should always remember to never invest in anything unless you absolutely understand what you are investing in and when it comes to taking investment advice, you should investigate any conflicts of interest that may be present in the people and companies encouraging you to buy a particular investment.  There is nothing you can do to guarantee that you will not be a victim of investment fraud, but these are things we all can do to reduce our risk.

Scam of the day update – April 12, 2016 – Adobe Flash update

April 12, 2016 Posted by Steven Weisman, Esq.

In April 9th’s Scam of the day, I explained to you about the extreme danger of ransomware posed by further use of Adobe Flash software without updating the software with the latest security updates. Today new updates were issued in addition to those I provided in April 9th’s Scam of the day.  Here is a link from the Department of Homeland Security to new Adobe Flash security updates just issued today.

https://www.us-cert.gov/ncas/current-activity/2016/04/12/Adobe-Releases-Security-Updates-Creative-Cloud-Desktop-Application

I should emphasize, however, that my advice is to replace Adobe Flash with other comparable software to avoid further danger.

Scam of the day – April 12, 2016 – Progress of switch to smart chip credit cards

April 12, 2016 Posted by Steven Weisman, Esq.

Many of you may remember that the apparent deadline for credit card companies to issue new EMV chip credit cards to replace the old style magnetic strip credit cards and for merchants to install new card processing equipment to handle those transactions was October 1, 2015, yet here we are in April of 2016 and according to a recent study by CardHub only 33% of retailers have upgraded at least 90% of their payment terminals.  In addition 30% of American consumers still have not been issued an EMV chip card.  There are many reasons for this failure of both credit card companies and merchants to adhere to the new regulations pertaining to EMV cards, but most prominent is that the deadline date of October 1, 2015 was not a date by which credit card companies and merchants were required to create and use the EMV cards respectively, but rather a date, after which, the credit card companies and merchants failing to create and use the new EMV cards would merely have greater risk of liability in the event of credit card fraud.

EMV stands for Europay, MasterCard and Visa, the companies that created the credit cards with a computer chip that generate a unique, randomly generated token for each transaction thus making the kind of massive data breaches and credit card fraud that we saw in the Target data breach in 2013 all but impossible to achieve.  The rest of the world has been using EMV cards for many years, but the United States, until recently continued to use the old technology of credit cards with magnetic strips on the back that contained account information that was extremely vulnerable to theft through skimmers on processing equipment or data breaches at merchants.

TIPS

The EMV card is not a panacea by any means to protect us from credit card fraud.  The EMV card offers no protection from online credit card fraud where the chip is not used.  In addition, the EMV cards in the United States generally are tied to a signature for verification rather than the more secure use of a PIN which is what the rest of the world does to authenticate use of the card. However, the EMV card still represents a major step forward in the battle against credit card fraud in the United States.  If you do not have an EMV card yet, you should demand one from your credit card company.  You should also encourage the merchants with which you do business to switch over their processing equipment to the new EMV equipment.