Scam of the day – October 20, 2015 – Update on Dow Jones data breach

October 20, 2015 Posted by Steven Weisman, Esq.

A week ago in the October 13th Scam of the day I informed you about the hacking of Dow Jones & Co., the publisher of The Wall Street Journal, MarketWatch and Barron’s. This data breach went all the way back to August of 2012 but was not identified until July of 2015. There has been much speculation about the goal of the hackers as they did not attempt to reach much in the way of personal information. Now Bloomberg is reporting that the FBI, Secret Service and SEC are investigating the possibility that the hacking, which they are presently attributing to unidentified Russian hackers, may have been done to obtain insider information that could be used before it would be made public for purposes of profitably trading stocks. This certainly is not as far-fetched as it may initially appear. As regular readers of Scamicide will remember, in the September 20th Scam of the day I reported to you about the SEC settling civil charges against two defendants who used this same type of tactic of stealing inside information to make stock trades. In that case, the defendants made 23 million dollars by hacking into public relations companies Marketwired, PR Newswire and Business Wire to learn inside corporate information before these companies could release the information to the public through press releases. In regard to Dow Jones’ publications, early access through hacking to information about mergers and acquisitions as well as other corporate information could well be exploited to make profitable stock trades based on this inside information before it became known by the public.

TIPS

Scam artists are the only criminals whom we refer to as artists and they are constantly coming up with new ways to turn hacking into profits.  Companies have got to start doing a better job of recognizing that they are targets and protect their data better.  I will report to you about future developments in this story as they occur.

Scam of the day – October 19, 2015 – Phony IRS phone calls continue to scam taxpayers

October 18, 2015 Posted by Steven Weisman, Esq.

Although I have been warning you about this particular scam for years, another warning is warranted in the light of the IRS and the Treasury Inspector General for Tax Administration disclosing last week that since October of 2013 there have been reports of approximately 736,000 people being called by scammers posing as IRS agents demanding immediate payment of overdue taxes by credit card, prepaid debit cards or wired funds. Often the scammers threaten their victims with criminal charges, deportation or loss of a driver’s license. According to J. Russell George, the Treasury Inspector General for Tax Administration, the IRS is aware of about 4,550 victims who have paid more than 23 million dollars to these scammers. Unfortunately, the real figure of victims and money lost is most likely far in excess of these figures.

TIPS

This scam is easy to spot.   The IRS will never initiate communications with a taxpayer by phone so if someone calls you purporting to be from the IRS in an initial effort to collect overdue taxes, you should hang up because it is a scam.   Even if your Caller ID appears to show that the call is from the IRS, this does not mean that the call actually is from the IRS.  Through a technique called “spoofing” a scammer can make the call appear to be legitimate, but it is not.  The IRS will never demand payment by credit card, debit card, cash card or wired funds through an initial telephone call.  If you think that you really may owe taxes, call the IRS at 800-829-1040 to speak to a real IRS employee.  If you receive a scam call, you may wish to report the call to the Treasury Inspector General for Tax Administration at 800-366-4484.

Scam of the day – October 18, 2015 – Phishing alert

October 18, 2015 Posted by Steven Weisman, Esq.

Phishing is the name for the scam where an identity thief lures you through a phony email that purports to be from a  legitimate source such as your bank, a company with which you do business or even the IRS or some other governmental agency to a phony website that looks like the website of that legitimate company, but actually is just a scam intended to entice you into providing personal information that can lead to your identity being stolen.  Often there will be links in these phishing emails or text messages which you are advised to click on which will take you to a legitimate looking page where you are prompted to provide your personal information.  In other instances, clicking on the link will download malware such as keystroke logging programs that, once installed on your computer, will provide the scammer with all of your personal information from your computer. This information can be used to make you a victim of identity theft or even to empty your bank accounts if you use your computer for online banking.

In almost all of the major data breaches of recent years, the malware was downloaded when unwary employees clicked on links in phishing emails. Phishing emails are always trying to convince you to open the email and click on the link with subject lines designed to get you to open the email. Here is a list, compiled by Fraudwatch International, a leading online protection company, of some of the most effective phishing emails indicating from whom they are purported to be sent and the content of the subject line.

Bank of America – Important Notice

Westpac Bank – Your Account Has Been Blocked

PayPal – Resolve remote access

Chase Bank – INFORMATION ABOUT YOUR ACCOUNT

Apple Store  – About your last Transaction

Wells Fargo Bank – Deposit Hold Alert

TIP

Never click on a link to a website unless you are totally sure that it is legitimate. Trust me, you can’t trust anyone. Even if you receive an email from someone you trust, it may not be from them at all, but rather from someone who has hijacked their email or even if it is from them, they may have, in turn, fallen prey to a scam artist and may be passing along dangerous malware without even knowing it. Never click on a link unless you have confirmed that it is legitimate. Another good preventative step is to install antiphishing software on your computer to warn you before going to a website that may be tainted. A good, free antiphishing software program can be found at http://toolbar.netcraft.com/

Steve Weisman’s latest USA Today column

October 17, 2015 Posted by Steven Weisman, Esq.

Here is a link to Steve Weisman’s latest column for USA Today entitled “Why You Should Have a Credit Freeze.”  http://www.usatoday.com/story/money/columnist/2015/10/17/weisman-credit-freeze/73383650/

Scam of the day – October 17, 2015 – Jamaican lottery scam drives victim to suicide

October 17, 2015 Posted by Steven Weisman, Esq.

Regular readers of Scamicide.com will remember that I have written about the Jamaica lottery scam for more than three years. Jamaica is a hotbed of phony lottery scams, victimizing unwary Americans for more than ten years. Estimates of the amount of money lost by victims of this scam range from a low of 300 million dollars per year to as much as a billion dollars annually. Generally the way the scam operates is that the targeted victim is told on the telephone that he or she has won a lottery (that they never entered), but that the victim needs to pay some administrative fees before receiving the huge prize. The victims of this scam pay the fees, which can run into thousands of dollars, but never get the prize. The telephone call generally comes from the 876 area code, which is the area code for Jamaica. Scammers in Jamaica make as many as 30,000 calls each day to the United States telling people that they have won a non-existent lottery. Recently CNN reported about the suicide of a victim of the Jamaican lottery scam, Albert Poland Jr., who killed himself as a result of the stress related to the lottery scam in which he was constantly harassed by scammers seeking more and more money. Still a believer, however, in his suicide note he said he hoped he would be vindicated when his family received the 2.5 million dollar prize from Jamaica.

In the Scam of the day of May 15th I reported to you that following three days of deliberation a North Dakota jury convicted Sanjay Williams, of Montego Bay, Jamaica, of conspiracy, wire fraud and money laundering charges related to the Jamaican lottery scam. This particular case was four years in the making and started when an 86-year-old North Dakota widow, Edna Schmeets, lost her entire life’s savings of $300,000 to Jamaican scammers who telephoned her and told her that she had won a 19 million dollar Jamaican lottery, but that she needed to pay taxes and fees before she could claim her prize. Sentencing of Williams has been delayed to give Mr. Williams time to consider cooperating with investigators about others involved in return for a lesser sentence. Williams faces a maximum of forty years in prison.

TIPS

As I have often told you, it is difficult to win a lottery you have entered.  It is impossible to win one that you have not even entered.  You should always be skeptical about being told that you have won a lottery you never entered.    In regard to the Jamaican lottery scam, I urge you not to pick up the phone if your Caller ID shows the 876 area code.  Don’t establish any relationship with these scammers.  They will hound you if you do.  It is also important to remember that it is illegal to play foreign lotteries unless you are present in the other country.  While it is true that income taxes are owed on lottery winnings, legal lotteries never collect tax money from winners.  They either deduct the taxes from the winnings or leave it up to the winners to pay their taxes directly to the IRS.  You also should never pay a fee to collect a legal lottery prize.

Steve Weisman’s latest bankrate.com column

October 16, 2015 Posted by Steven Weisman, Esq.

Here is a link to Steve Weisman’s latest column for bankrate.com entitled “Don’t get hooked by spear phishing.”

http://www.bankrate.com/financing/identity-protection/dont-get-hooked-by-spear-phishing/

Scam of the day – October 16, 2015 – Yet another Adobe Flash security flaw discovered

October 16, 2015 Posted by Steven Weisman, Esq.

I have been writing about the security flaws in Adobe Flash for years and finally in July I advised everyone to disable Adobe Flash and use other video software.   Unfortunately, some popular websites including HBO and Spotify still require the use of Adobe Flash.  In an update on the continuing saga of the danger to all of us presented by continuing vulnerabilities in the  Adobe Flash browser plugin for watching videos, security company Trend Micro  has just discovered a new zero day exploit that is being used by hackers around the world targeting foreign affairs ministries.  However, it can be expected that this new security flaw will make its way to hackers with broader targets soon.  Adobe has been alerted to the flaw and is working on a patch.  When it is ready, I will let you know.  Meanwhile as I told you in July, Mozilla, the maker of the popular Firefox browser has blocked Adobe Flash from use on Firefox as a security protection to Firefox users.  This came just a day after Facebook’s head of security went on record saying that Adobe should stop making Flash because it is too flawed.  Flaws in Adobe Flash have been exploited by hackers and identity thieves against individuals, companies and government agencies including the U.S. State Department and the White House.  Problems with Adobe Flash are nothing new.  In 2010 Steve Jobs vociferously complained about its security and it has routinely been cited as being extremely vulnerable.  Despite security patch after security patch, new problems keep coming up.  It appears that just as companies retire certain programs when it is just too difficult to patch them, this may well be the time for Adobe to retire Flash and if it doesn’t, you should consider retiring it yourself and replacing it with another plugin that performs the same function, but is safer.

TIPS

Some alternative plugins you may wish to consider include GNU Gnash and Silverlight. Silverlight can be downloaded free directly from Microsoft at this link: https://www.microsoft.com/silverlight/ while GNU Gnash can be downloaded free at this link: http://www.gnu.org/software/gnash/

Meanwhile, even if you decide not to use an Adobe Flash alternative, it is important for everyone to remember not to click on links in emails or text messages until you have confirmed that they are legitimate.  Otherwise you risk downloading dangerous malware.

Scam of the day – October 15, 2015 – Medicare open enrollment scams

October 15, 2015 Posted by Steven Weisman, Esq.

The open enrollment period for Medicare begins today, October 15th and continues until December 7th.  This is the only time during the year that people enrolled in Medicare can change their Medicare health plans, Medigap plans and their prescription drug plans.  By now, people already enrolled in Medicare should have received an Annual Notice of Change from their health insurance providers describing any changes to their plans such as the dropping of particular drugs from their prescription drug plan.  If you are satisfied with your plans, you do not need to do anything.

Scammers and identity thieves view the open enrollment period as senior citizen hunting season as myriads of Medicare scams are common during this time.  Among the scams are phone calls or emails purporting to be from the Centers for Medicare & Medicaid Services (CMS) informing you that Medicare is issuing new Medicare cards and that in order to continue to receive benefits, you need to obtain a new card which can be done by providing the person contacting you with your Medicare number which is your Social Security number.  If you provide this number, you will end up becoming a victim of identity theft.  What makes this scam particularly troublesome is that there is a kernel of truth to this scam.  Under legislation finally passed this year, Medicare will be required to stop using people’s Social Security number as their Medicare identification number.  Unfortunately however, the legislation does not require Medicare to change the identifying numbers of people presently receiving Medicare benefits until eight years from now.

You also may be contacted by someone purporting to be from your insurance company asking to verify information.  Again, this is a common tactic of identity thieves trying to trick you into providing information.  You also may be contacted by people claiming to have supplemental insurance programs that will save you thousands of dollars.  Here too, you cannot be sure that they are legitimate when they contact you by phone, text message, email or even regular mail.

TIPS

Medicare is not issuing new cards to Medicare recipients at this time and they will never contact you by phone and ask for your Medicare number.  Never give personal information to anyone who calls you on the phone because you can never be sure who is actually on the other end of the line.  Through a technique called “spoofing,” a scammer can fool your Caller ID and make it appear that the call is from the government or some legitimate company when in fact, it is from an identity thief who is eager to steal your money.  If you want to get information you can trust about what insurance plans are available to you and at what cost, merely go to the “Plan Finder” section of Medicare’s website www.medicare.gov.  If you want to speak with someone on the phone, call Medicare at its 24 hour hotline 1-800-MEDICARE.

Scam of the day – October 14, 2015 – Trump hotels sued regarding data breach

October 14, 2015 Posted by Steven Weisman, Esq.

As I last reported to you on October 2nd, the Trump Hotel Collection, which includes hotels in Chicago, Honolulu, Las Vegas, Los Angeles, Miami and New York, just disclosed that its hotels had been hit with a Target-like credit card and debit card data breach that appears to have occurred between May 19, 2014 and June 2, 2015. Although the Trump Hotel Collection just announced this a couple of weeks ago and much of the media is reporting this as a new story, here at Scamicide, we reported to you about this data breach in our Scam of the day on July 5, 2015. Now, a lawsuit has been filed in federal court in Missouri seeking class action status on behalf of the affected customers of Trump Hotels. The lawsuit was filed by the law firm Hipskind & McAninch, which alleges that Trump Hotels were negligent in failing to remedy basic data security issues at their hotels, not discovering the data breach until long after it occurred and in failing to notify its customers in a timely fashion, which put their customers at extreme risk of identity theft. As with so many data breaches, it was discovered not by the company hacked, but by credit and debit card processing banks that noticed a pattern of fraudulent use and traced the cards back to the Trump hotels. The malware used to perform this data breach was installed on computers at Trump hotels’ front desk terminals as well as payment card terminals in the hotels’ restaurants and gift shops. This type of hacking and data breach could have been prevented had the Trump Hotel Collection switched to the modern EMV smart chip credit cards now being required to be used according to credit card regulations that just went into effect yesterday. Instead the Trump Hotel Collection, as many companies still do, used the old-fashioned credit and debit cards with magnetic strips, which are so susceptible to hacking.

TIPS

If you are an affected customer and wish to be a part of the lawsuit, you can contact Hipskind & McAninch at info@hm-attorneys.com or by phone at 618-641-9189.  If you used your credit and debit card at one of the affected Trump hotels between May 19, 2014 and June 2, 2015, you should obtain your credit report from each of the three major credit reporting agencies and look for indications of identity theft.  You should also carefully monitor your credit card account and bank accounts for unusual activity.  You should also consider putting a credit freeze on your credit reports, which is always a good idea.  The Trump Hotel Collection is offering free credit monitoring for people who used their cards at their hotels during the time period indicated above although this may be of little value this long after the data breach occurred.  For more information about this offer, call the Trump Hotel Collection at 877-803-8586.  Here also is a link to the statement of the Trump Hotel Collection about this data breach. https://www.trumphotelcollection.com/cc-security-faq

As for the rest of us, there is little that we as credit and debit card users can do to protect ourselves from the security vulnerabilities of the companies with which we do business.  One important thing to do is to refrain from using your debit card except at ATMs.  Using your debit card at retail establishments puts you at a much greater risk of expensive identity theft in the event of a data breach at the company with which you are doing business because of weaker consumer protection laws regarding liability for fraudulent use of your debit card.  Also, if you have not yet received a new EMV smart chip credit card from your credit card company, you should ask your credit card company for a replacement credit card with a computer chip now.

Scam of the day – October 13, 2015 – Dow Jones & Co. suffers apparent data breach

October 12, 2015 Posted by Steven Weisman, Esq.

Dow Jones & Co., the publisher of The Wall Street Journal, MarketWatch and Barron’s has just announced that it apparently was the victim of a hacking and resulting data breach which occurred between August of 2012 and July of 2015.  Although it appears that the credit card and debit card information lost may have been limited to fewer than 3,500 Dow Jones customers, all of Dow Jones’ customers may have had their names, addresses, email addresses and phone numbers stolen.  This raises the specter of spear phishing by which targeted individuals receive emails from companies with which they do business that come addressed to them by name and are tailored to appear legitimate and thereby more likely to entice the potential victims to provide personal information or click on links.  Clicking on these links or providing the requested information will lead to identity theft.  In this particular case, the victims may also expect to receive phone calls that appear to be legitimate requesting personal information under various guises.  In some instances, by using a technique called “spoofing” the identity thief can even manipulate your Caller ID to make it appear that the call is from Dow Jones.  Providing personal information in response to these calls will also result in identity theft.

TIPS

If you were one of the approximately 3,500 people whose credit or debit card information was compromised you will receive a letter, not an email, text message or phone call from Dow Jones with information about free credit monitoring services to be offered those people by Dow Jones.   If you wish to contact Dow Jones’ Customer Service department for more information, you can reach them at 800-568-7625.

As for the rest of us, whether you are a subscriber to any of Dow Jones’ publications or not, this is a reminder to never click on links in emails or provide personal information in response to emails, text messages or phone calls unless you have confirmed that the communication is legitimate. Regardless of how legitimate looking the communication may appear, you can never be fully confident that it is legitimate unless you independently confirm this fact.