Scam of the day – June 18, 2017 – Identity thieves hack Federal Student Aid website

The Free Application for Federal Student Aid (FAFSA) is a part of the U.S. Department of Education used by college students to apply for much-needed financial aid to assist them in furthering their education.  Some of the forms used in the application process require inserting information from past income tax returns.  To make the process more convenient, FAFSA provided a data retrieval service that connected directly to the IRS to obtain the necessary information.  However, scammers, such as two recently indicted men from Indiana and Georgia, are alleged to have hacked into the data retrieval system of FAFSA applicants to get the tax information, which they then used to commit income tax identity theft, attempting to steal approximately 12.7 million dollars in phony income tax refunds.

In response to these problems, FAFSA suspended its data retrieval system until two weeks ago, when it reinstituted the Data Retrieval Tool with the IRS in such a manner that the tax return information will be encrypted and hidden from the view of even the borrower, as well as anyone hacking into the borrower’s account.

TIPS

Quite often, as Shakespeare said, the fault is not in the stars, the fault is in ourselves. Too often we become victims of identity theft when the security of particular websites, companies or government agencies that have our personal data is compromised because we provide our passwords and user names to identity thieves by falling prey to spear phishing emails or downloading malware.   It is important to never click on a link in an email or download an attachment unless you have confirmed that it is legitimate.  Also, never provide personal information to anyone unless you have confirmed that the request is legitimate.

As for students seeking to use the Data Retrieval Tool of the IRS for filing a FAFSA form, you can safely use this service by going to StudentLoans.gov.

Scam of the day – June 17, 2017 – Father’s Day scams

Tomorrow is Father’s Day, which for many people is an opportunity to show our fathers how much we love and appreciate them.  For scam artists, it is yet another opportunity to scam people.

One of the most common Father’s Day scams involves e-cards, which are great, particularly for those of us who forget to send a Father’s Day card until the last minute.  Identity thieves send emails purporting to contain a link to an electronic Father’s Day card, but instead send malware that is downloaded when the victim clicks on the link. This keystroke logging malware enables an identity thief to steal personal information from the victim’s computer that can be used for purposes of identity theft.

TIPS

Never click on a link to open an e-card unless the e-card specifically indicates who sent the card. Phony e-cards will not indicate the name of the sender.  Even if the sender is someone you recognize, you should independently confirm with that person that they indeed sent you an e-card before clicking on the link.

Scam of the day – June 16, 2017 – Woman pleads guilty to identity theft through mail theft

Crystal Candiece Cooper recently pleaded guilty in California to stealing mail and using the stolen mail for purposes of identity theft.  At her sentencing, scheduled for September 12th, she faces a prison sentence of as long as thirty years.  Identity theft is a high tech, low tech and no tech crime, and while we often tend to focus our attention on high tech identity theft tactics such as spear phishing, no tech tactics, such as fishing for mail with a plastic bottle covered in glue that is lowered into blue public mailboxes to capture mail being sent with checks, are making a comeback.

I have warned you for years that leaving mail with checks or credit card information in your personal mailbox outside of your home, with the flag raised to alert your postal carrier that there is mail in your box to be retrieved, is a bad idea because it also alerts identity thieves who can easily steal the mail.  Once they have the checks, they can “wash” the name or even the amount of the check and make the check payable to the thief. They also can use the account number of your check to create counterfeit checks to access your checking account.

Mail thieves also will steal incoming mail from your own personal mailbox which may contain credit card bills, checks and other information and documents that can readily be used for purposes of identity theft.

TIPS

This is an easy crime to avoid.  In regard to paying your bills, the best course of action is to pay your bills electronically and avoid the problem altogether.  However, if you cannot do so or prefer to send a paper check by mail, you should use a gel pen that is not easily “washed” to write your checks and you should mail envelopes with checks in them directly from inside the post office.  You also should consider a locked mailbox for your personal mailbox to prevent identity thieves from easily accessing your mail before you do.

Scam of the day – June 15, 2017 – Microsoft issues new security patches for outdated operating systems

The huge ransomware attack using WannaCry malware that exploited vulnerabilities in the outdated Windows XP operating system prompted Microsoft to take the unprecedented step of issuing security patches to address this issue, even though one of the primary reasons for its move to newer operating systems was that it was no longer manageable to continually patch these flawed programs. In another unusual move, Microsoft has just issued new security updates for Windows XP, Windows Vista and other no longer supported operating systems on an emergency basis because of new warnings of a risk of another similar attack.  These new security updates can be downloaded for free.

TIPS

According to the old adage (is there any other kind?), fool me once, shame on you.  Fool me twice, shame on me.  No one should still be operating the older, unsupported Windows operating systems, such as Windows XP. Update your operating system as soon as possible to the newer supported versions of the Windows operating system.  Hackers and cybercriminals are constantly exploiting software vulnerabilities.  Failing to update your software when security updates and patches become available is extremely dangerous.

If, however, you are still using one of the older Windows operating systems, you can go to this link to find the latest security updates, which you can download for free: https://portal.msrc.microsoft.com/en-us/

Scam of the day – June 14, 2017 – IRS improves its handling of income tax identity theft

Income tax identity theft, by which identity thieves file phony income tax returns with counterfeit W-2s using the Social Security number and name of their victims, is still a major problem for the IRS and taxpayers, costing us all billions of dollars each year.  However, when someone has stolen your Social Security number and filed an income tax return using your name, the problem becomes particularly personal.

In 2015 I reported to you about a report of the Treasury Inspector General for Tax Administration (TIGTA) in which it disclosed that, despite IRS assurances to the contrary, it took the IRS an average of 278 days to resolve individual income tax identity theft cases and return the rightfully owed tax refund to the victimized taxpayer.  In a heartening example of some good news, TIGTA has recently reported that the IRS has lowered the time to resolve the income tax identity theft cases of individual taxpayers to 166 days, which, although to my mind still too long, is a significant improvement.

TIPS

Along with protecting the privacy of your Social Security number as much as possible, the best thing you can do to protect yourself from income tax identity theft is to file your income tax return as soon as possible in order to make sure your return is filed prior to that of an identity thief.  Income tax identity theft only works if the identity thief files a tax return before you do.

If you do find yourself a victim of income tax identity theft, you should file a police report immediately and then file a paper tax return with an attached Form 14039 Identity Theft Affidavit along with a copy of the police report to the IRS to hasten the process of recovering your tax refund.

Scam of the day – June 13, 2017 – Russian gang accused of hacking slot machines

Last week federal indictments against members of a Russian gang alleged to be led by Razhden Shulaya were unsealed in New York.  While many of the indictments were for common racketeering crimes you would expect, the defendants were also accused of developing devices to hack into particular models of slot machines to predict the machine’s behavior, thereby enabling the criminal to steal money from particular slot machines.

Long gone are the days of the old-style one-armed bandit slot machines. Today’s slot machines are operated by sophisticated computers and programmed to make payoffs of specific amounts.  This is actually a good thing, as all states regulate slot machines and require that casinos that have slot machines pay a statutorily set minimum payoff for the entire casino.

TIPS

Just about everything we do is computerized and often connected to the Internet in some fashion.  This is what we refer to as the Internet of Things and whether it is a talking doll, a car, a medical device or a smart television, anything that is computerized and connected to the Internet is a potential target for hackers.  This is important for all of us to remember when we use items that are a part of the Internet of Things.  We should make sure that passwords and security settings for these devices are not left on default and are as secure as we can make them.  It only takes a little time to do so and it is well worth it.

Scam of the day – June 12, 2017 – Criminal identity theft

Today’s Scam of the day is prompted by an email I received from a Scamicide reader whose grandson was a victim of criminal identity theft.   Criminal identity theft occurs when someone steals your identity and then commits crimes using your name and Social Security number.  The problems encountered by someone whose identity has been stolen by a criminal who then commits crimes in the name of the identity theft victim are tremendous.   Victims of criminal identity theft have been arrested for crimes they never committed and often have had difficulty having the crimes, committed by someone who stole their identity, removed from their records.  A faulty criminal record can also affect your ability to get a job or various benefits.

TIPS

If you find that you are a victim of criminal identity theft, you should hire a lawyer and contact the police as well as the District Attorney’s office to straighten out the matter.  File a report indicating that you are the victim of identity theft.  It will be necessary for you to confirm your true identity through photographs and fingerprints. In addition, show law enforcement authorities your driver’s license, passport or any other identification that you might have that contains your photograph.  In the case of the Scamicide reader’s grandson, the identity thief is incarcerated in a state far from her.  In situations like that you should go to your local police and ask them to confirm your identity and send the information to law enforcement in the state or states where the criminal identity thief’s criminal violations occurred.

Get a letter from the District Attorney explaining the situation to have available if you are ever stopped for a traffic violation and your record is checked.  A few states have Identity Theft Passport programs through which anyone whose identity has been stolen by someone who uses it to commit crimes can, upon proving their identity, receive an Identity Theft Passport that protects them and confirms their true identity.  Even if your state does not have an Identity Theft Passport program, get a letter, known as a “clearance letter,” from the law enforcement agency that arrested the person using your name, which indicates that you have not committed the crimes which were done by the identity thief who used your name.  Keep this document with you at all times.

Scam of the day – June 11, 2017 – FTC settles claims with tech support scammers

I have been reporting to you about tech support scams for years.  These scams generally involve pop-ups that appear on your computer screen informing you of a serious, non-existent problem with your computer that requires immediate attention by you and for which you are required to pay money for a service you don’t really need.

Recently the Federal Trade Commission settled tech support scam claims against Global Access Technical Support LLC, Yubdata Tech, Source Pundit LLC, Helios Digital Media LLC, Rajiv Chhatwal, Rupinder Kaur and Narinder Singh.  Under the terms of the settlement, the defendants are banned from marketing and promoting tech support services in the future and are required to pay the FTC more than a million dollars to be used to provide restitution to the victims of the scam.  As details of the restitution program become available, I will report those to you.

In this particular case, the defendants used pop-up ads in the manner I described in the first paragraph of today’s Scam of the day to lure people into calling accomplices in India who represented that they were affiliated with Microsoft and Apple.  They would mislead the victims into thinking there was a problem and charge them for unnecessary remedies.

TIPS

It is always important to have anti-virus and anti-malware software and keep them up to date with the latest security patches.

It is important to remember that neither Microsoft nor Apple will contact you by way of pop-up ads offering tech support for which you will be charged.  It should be noted, however, that Microsoft does regularly issue software security updates, but they do this in automated updates if you have enrolled for this service.  If you receive a pop-up ad purporting to be from Microsoft or Apple and have any thought that it might be legitimate, you should merely contact Microsoft or Apple directly at a telephone number you know is accurate to confirm the pop-up was a scam.

Scam of the day – June 10, 2017 – FTC sending more refund checks regarding weight loss supplements

In June of 2016 I reported to you that the FTC had settled a lawsuit with Genesis Today, Pure Health and Lindsey Duncan regarding false and misleading claims that they made about their green coffee bean extract weight loss products.  I first reported to you about this FTC action in the Scam of the Day for January 27, 2015.

Duncan and his companies claimed green coffee bean extracts would enable users to lose 17 pounds and 16% of their body fat in 12 weeks without diet or exercise.  Duncan also referred to a severely flawed clinical study which he claimed supported his claims.  Helping his sales of the weight loss product were his television appearances on legitimate shows such as The View and The Dr. Oz Show.  Dr. Oz received much criticism while testifying before Congress regarding the recommending of green coffee bean extracts for weight loss on his show.

In 2016 the FTC mailed checks to people who bought the supplements online and for whom the FTC had addresses.  Now the FTC is mailing 38,533 more refund checks totaling 1.9 million dollars to victims of the scam who bought the supplements from retailers such as Walmart.  If you bought the supplements at a retail store, you can apply for a refund by going to the tab at the top of the page designated “FTC Scam Refunds” for the forms you need.

TIPS

The truth is that there are no quick fixes when it comes to weight loss and you should be wary of any product that promises you can lose tremendous amounts of weight quickly without dieting or exercise.  You should also be wary of any weight loss product that is sold exclusively either over the Internet or through mail-order advertisements.  It is also important to remember that no cream that you rub in your skin can help you lose substantial weight and no product can block the absorption of fat or calories.  The best course of action is to ask your physician about the effectiveness of a particular weight loss product or program before you reduce your wallet in an effort to reduce your waistline.

If you bought the supplements at a retail store, you can get information about the refunds by going to the tab at the top of the page designated “FTC Scam Refunds.”

Scam of the day – June 9, 2017 – Ukrainian hacker sentenced to prison

I have been reporting to you for two years about developments in this ingenious and massive stock fraud since the story first broke.  Forty-three people were charged both civilly and criminally in the largest hacking and securities fraud enterprise in American history.  The defendants were made up of rogue stock traders, including hedge fund manager and former Morgan Stanley employee Vitaly Korchevsky, along with computer hackers based in the Ukraine.  Now Ukrainian hacker Vadym Iermolovych was sentenced to thirty months in prison and ordered to pay more than 3 million dollars in restitution for his role in this scheme.

The hackers used simple phishing tactics to gain access to more than 150,000 press releases issued by Marketwired, PR Newswire in New York and Business Wire of San Francisco on behalf of numerous American companies including Panera, Caterpillar, Inc and Align Technology that contained earnings and other corporate information prior to their public release.  This enabled the rogue stock traders to make trades based on this inside information before it became known to the public.  Trades using this stolen information were made by traders in Russia, Ukraine, Malta, Cyprus, France and here in the United States in Georgia, New York and Pennsylvania.  It is estimated that between 2010 and 2015, the defendants made profits of as much as 100 million dollars on 800 trades.  A number of the defendants have already pleaded guilty to charges related to this scam.

The cornerstone of this scam, as with so many cyberscams, was the ability to hack into the company computers of Marketwired, PR Newswire and Business Wire by hacking into social media sites where they stole the passwords of employees of these companies who used the same passwords at work.  The scammers also used spear phishing emails to gain the further access they needed to infiltrate the computers of the targeted companies.

TIPS

One of the biggest takeaways from this case is how easy it is to still use spear phishing emails to lure people into clicking on links tainted with malware that permits hackers to steal a person’s or company’s data. Apparently corporations still have not learned to sufficiently train their employees to recognize phishing emails nor have they learned to encrypt and segregate sensitive data from hackers.   This is important to all of us as individuals because identity thieves and hackers use the same phishing techniques to hack into the computers of us as individuals and steal our personal information.  Never click on links in emails regardless of from whom they appear to come unless you are absolutely sure that the link is legitimate.  It well could contain keystroke logging malware that will steal all of the information from your computer.  Also, it is important to remember that you cannot rely on your anti-malware software to protect you because the best anti-malware software is always at least a month behind the latest malware.  However, it is still important to have security software on all of your electronic devices and keep that software up to date with the latest security patches because many scammers use older versions of malware for which there are defenses.

Finally, this case also reminds us to use unique passwords for all of our accounts so that if our password is compromised at a company with lax security, our own security at other places where we use passwords is not threatened.  Although it may seem difficult to have to remember so many different passwords, an easy way to deal with this is to have a strong base password that contains capital letters, small letters and symbols and adapt that base password for each of your accounts.  Using an easily remembered phrase as the base password such as IDon’tLikePasswords is effective.  Make it even better by adding a couple of symbols at the end such as IDon’tLikePasswords!!! and then adapt it for each of your accounts so, for instance, your Amazon account password would be IDon’tLikePasswords!!!AMA.