Scam of the day – June 10, 2016 – Massive identity theft ring through mail theft busted

It was only four days ago that I wrote about a Texas identity theft criminal who stole checks from residential mailboxes. However, although everything is usually said to be bigger in Texas, federal indictments brought against thirteen people in Wichita, Kansas by the U.S. Attorney for Kansas exposed an identity theft ring based on stealing mail that enabled the criminals to steal more than 3.5 million dollars. Unlike the Texas residential mailbox thief, the defendants in Kansas are alleged to have stolen mail not just from residential mailboxes, but also from blue postal collection boxes as well as mail rooms in and around Wichita. The defendants are alleged to have altered checks to make them payable to themselves, created counterfeit checks from the information on the stolen checks and then used the counterfeit checks to steal large sums of money. They also used personal information stolen from the mail to steal the identities of their victims and access their credit. According to prosecutors, this mail-based crime spree has been going on since October of 2013.


Again, the lesson to be learned here is that you are probably safer paying your bills online than by mail with a check.  Even if you put your mail into the blue postal collection boxes found on many street corners, you run the risk of those mailboxes being broken into and your checks stolen.  Certainly, putting your outgoing mail containing checks in your own mailbox is an even more risky way to pay your bills and puts you in serious danger of identity theft.  If you wish to mail your letters and bills containing checks, you should mail them directly from the Post Office.  This case also highlights that even if you don’t mail checks, but do mail letters or commercial communications containing personal information, that personal information can be used to make you a victim of identity theft so it is best to mail anything with personal information only inside the post office.

Scam of the day – June 9, 2016 – Dual factor authentication scam

Scam artists never cease to amaze when it comes to the creativity and artistry they put into their scams. As I have written many times, scammers will often lure people into providing their user names and passwords using carefully crafted spear phishing emails or text messages. This was how the cybercriminal who stole access to the Gmail and iCloud accounts of celebrities such as Jennifer Lawrence was able to get into their accounts. One of the ways often advised to avoid this problem is to use dual factor authentication whenever you can. With dual factor authentication, whenever you are going to access an online account, a special code will be sent to your smartphone after you have typed in your user name and password. Without this code, you cannot gain access to your account. Dual factor authentication works well, but nothing is foolproof. Fools are powerful.

A fascinating way that scammers are now getting access to the accounts of people using dual factor authentication is by sending you a text message posing as the company with which you have an online account. The message tells you that your account may have been hacked and that if you want to close access to the account for security purposes, you will have to reply to the text message with the 6-digit verification code that you will be sent by the company momentarily. Of course, the text message is not from the company you do business with. It is from a scammer who has just typed in your user name and password, but can’t get access to your account protected by dual factor authentication until he enters the code about to be sent to your smartphone to verify the legitimacy of the hacker’s attempt to access your account. If you fall for the scam and reply to the text by sending the code you receive from the company with which you use dual factor authentication, you will have turned over access to your account to a scammer.


Whenever you use dual factor authentication, you will only be sent the code to verify an attempt to log into your account. So if you have not attempted to log into your account and you receive a verification code through a text message to your smartphone, it is because a scammer who already has your user name and password is attempting to access your account. Never provide that code to anyone. It should only be used by you to input into your smartphone or computer when you log into a dual factor authentication protected account. Never provide sensitive information, such as your Social Security number, credit card numbers or dual factor authentication codes, in response to an email or text message because you can never be sure who is actually communicating with you.

Scam of the day – June 8, 2016 – 2016 Rio Olympic lottery scam

Scammers are constantly capitalizing on popular events and the upcoming 2016 Summer Olympics in Brazil is no exception.  People are receiving letters informing them that they have won an international lottery being used to promote the Rio Olympics.  When you call the telephone number provided in the notice to claim your prize, you are told that all you need to do is pay some required fees before receiving your prize.  Of course, the lottery is a scam and the fees the victims of this scam pay are lost forever and their “winnings” never appear.


As I have often told you, it is difficult to win any lottery you enter.  It is impossible to win one that you have not even entered.  You should always be skeptical about being told that you have won a lottery you never entered.    It is also important to remember that it is illegal to play foreign lotteries unless you are present in the other country.  While it is true that income taxes are owed on lottery winnings, legal lotteries never collect tax money from winners.  They either deduct the taxes from the winnings or leave it up to the winners to pay their taxes directly to the IRS.  You also should never pay a fee to collect a legal lottery prize.

Scam of the day – June 7, 2016 – Mark Zuckerberg hacked – he should have paid attention to Scamicide

On May 22nd, I told you about the 117 million email addresses and passwords of LinkedIn users captured in a 2012 data breach of LinkedIn that were being offered for sale on the Dark Web, which is that part of the Internet where cybercriminals buy and sell stolen data. I also told you that stolen passwords are useful to hackers because too many people use the same password for all of their accounts. A person’s LinkedIn password may therefore be the same as those used for other accounts, so a single data breach can put the security of every online account you use in jeopardy. Mark Zuckerberg, the founder of Facebook, should have heeded this lesson because his Twitter and Pinterest accounts were hacked and taken over for a short time because the hackers had found his password “dadada” in the LinkedIn data breach and used it to access his Twitter and Pinterest accounts.


Once again, this serves as a reminder to everyone that you should have unique passwords for all of your accounts.  A strong password contains capital letters, small letters and symbols.  A good way to pick a strong password is to take an easily remembered phrase as your base password.  For instance, you can use the phrase IDon’tLikePasswords as your base password.  Add a couple of !! at the end of the password and you have a strong password.  Since you should have a unique password for each of your accounts, you can adapt this base password for particular accounts by merely adding a couple of letters to distinguish each account at the end of the password so it may read, for instance for a Bank of America account, IDon’tLikePasswords!!BnkoAm.

In addition, Twitter provides for dual factor authentication as an option to be used as an additional security measure when accessing your Twitter account whereby a one-time code will be sent to your smartphone for you to use in order to access your Twitter account.  Zuckerberg failed, however, to take advantage of this option.

Scam of the day – June 6, 2016 – Texas man sentenced for identity theft by stealing mail

Everyone is aware of the dangers of identity theft found on our computers, smartphones and other electronic devices. However, identity theft is a crime that is high tech, low tech and no tech, as was shown recently by the conviction of David Burney in federal court in Texas on charges of stealing mail from mailboxes of unwary victims and using the stolen mail for purposes of identity theft. Burney would cruise residential streets looking for the mailboxes of people who had put their outgoing mail into their mailboxes and raised the red flag on the side of the mailboxes to alert the postal carrier to pick up the mail. In that mail Burney found letters containing checks by which his victims were paying their bills. Unfortunately, it is a simple matter for someone who steals a check to have new checks printed using the account information and bank routing information contained on the check, which is what Burney did. He then used the checks to buy electronics and gift cards, which he turned into cash.


The lesson to be learned here is that you are probably safer paying your bills online than by mail with a check.  Even if you put your mail into the large  U.S. Post Office mailboxes found on many street corners, you run the risk of those mailboxes being broken into and your checks stolen.  Certainly, putting your outgoing mail containing checks in your own mailbox is a risky way to pay your bills and puts you in serious danger of identity theft.  If you wish to mail your letters and bills containing checks, you should mail them directly from the Post Office.

Scam of the day – June 5, 2016 – Danger when recharging your smartphone

Recently, cyber security company Kaspersky Lab issued a report detailing the dangers posed by the simple act of recharging your phone through someone else’s computer or at a public charging station of the kind commonly found in airports. The problem stems from the fact that information is transferred between your smartphone and the charger as soon as you plug your smartphone into the computer or charging station you are using to recharge it. Among the information that is transferred is the name of your device, the manufacturer and model, serial number, firmware information, file system and electronic chip ID, all of which would be shared with a computer that you may be using to recharge your phone. And while this information may seem to be innocuous, it is sufficient for a sophisticated hacker to use to gain much further information from your smartphone that could be used to your detriment. As for the charging stations at airports and elsewhere, they can either be infected with malware or be fake charging stations with the sole purpose of infecting your smartphone. Once you plug your phone into an already infected charging station or a totally phony charging station, it can install and delete applications, steal your data or install ransomware.


So what can you do? Obviously, you should never use a strange computer to recharge your phone. The risk is too great. As for charging stations, confirm that it is a legitimate charging station and not a fake one before you connect your smartphone. Make sure that your smartphone is secured with a password, fingerprint or iris scanner and do not unlock the smartphone while it is charging. Always protect the data on your smartphone with encryption programs and finally, use security software programs for your smartphone and make sure that it is updated with the latest security patches.

Scam of the day – June 4, 2016 – New EMV chip card scams

Although October 1, 2015 was the deadline for retailers and credit card issuing companies to switch over to using the new EMV credit cards containing a computer chip that creates and encrypts a new number every time the card is used, a recent study shows that 30% of Americans still don’t have an EMV chip enabled card.  Ingenious scam artists, the only criminals we refer to as artists, are taking advantage of the situation by contacting people by email posing as their credit card company and prompting them to either provide personal information in response to the email or click on a link in the email in order to update their account to get a new smart EMV chip card.  If you provide personal information to the scammer, you will end up becoming a victim of identity theft.  If you click on the link, you may also download keystroke logging malware that will steal your information from your computer or smartphone and use it to make you a victim of identity theft.

But individual consumers are not the only ones being targeted by EMV chip card scams. Merchants are also being contacted by phone by scammers posing as employees of MasterCard or Visa who tell the merchant that the merchant’s credit card processing equipment is not compatible with the latest changes to the credit card processing requirements necessary to use the EMV chip cards, but that the equipment can be reprogrammed at no cost to the merchant to bring it into compliance. However, if the merchant cooperates with the reprogramming, each transaction will be redirected to an account of the scammer, which results in double billing to the consumer and major problems for the merchant.


So how do you know as a consumer if you receive an email purporting to be from your credit card company that it is legitimate?

First check the address of the email sender.  If it appears to come from someone or some company wholly unrelated to your credit card issuer, it is a scam.  Many scammers use hijacked email accounts that become a part of a network of controlled computers referred to as a botnet to send out their emails so that it is difficult to trace the scams back to the scammer.

Merely because the email appears legitimate, is written in proper English and even carries the logo of your credit card company does not mean that it is legitimate. It is easy to copy the logo of a company onto an email. If you get an email from your real credit card company it will generally be addressed to you specifically by name rather than a generic greeting of “Dear Cardholder.” In addition, the email to you will generally reference your account by including the last four digits of your account. However, even paranoids have enemies, so if you do get an email that appears legitimate, but you still have concerns, merely call the company at the number found on the back of your credit card to confirm that the email is legitimate.
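The three checks above (sender address, greeting by name, last four digits) can be run over a raw message as a first-pass triage. This is an added example, not code from Scamicide; the issuer domain, cardholder name, digits, both sample messages and the function name `triage` are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed inputs: issuer domain, cardholder name, digits and both messages
# are made up for this example.
ISSUER_DOMAIN = "cardissuer.example"
CARDHOLDER = "Pat Jones"
LAST4 = "4821"

PHISH = """\
From: "Card Services" <alerts@chip-card-update.example>
To: pat@example.org
Subject: Update your account to receive your EMV chip card

Dear Cardholder,

Your card is not chip enabled. Reply with your details to update your account.
"""

LEGIT_LOOKING = """\
From: "Card Issuer" <alerts@mail.cardissuer.example>
To: pat@example.org
Subject: Your new chip card is on its way

Dear Pat Jones,

A chip card for your account ending in 4821 will arrive by mail.
"""

GENERIC_GREETING = re.compile(
    r"^\s*dear\s+(card\s?holder|customer|member|user)\b", re.I | re.M)

def sender_domain(msg):
    """Domain of the From address, lower-cased ('' if missing)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def body_text(msg):
    """Concatenate the text/plain parts of a single-part or multipart message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def triage(raw, issuer_domain, cardholder, last4):
    """Return the warning signs found; an empty list is NOT proof of legitimacy,
    since the From header and every detail in the body can be forged."""
    msg = message_from_string(raw)
    body = body_text(msg)
    domain = sender_domain(msg)
    findings = []
    if domain != issuer_domain and not domain.endswith("." + issuer_domain):
        findings.append(f"sender domain {domain!r} is unrelated to the issuer")
    if GENERIC_GREETING.search(body) or cardholder.lower() not in body.lower():
        findings.append("not addressed to the cardholder by name")
    if not re.search(rf"(?<!\d){re.escape(last4)}(?!\d)", body):
        findings.append("no reference to the last four digits of the account")
    return findings

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT_LOOKING", LEGIT_LOOKING)):
        print(name, triage(raw, ISSUER_DOMAIN, CARDHOLDER, LAST4))
```

Any finding is a reason to stop; an empty list only means the message passed these surface checks, so calling the number on the back of the card remains the deciding step.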

As for merchants, you cannot trust a phone call purporting to be from your credit card processing company even if your Caller ID indicates that the call is from MasterCard or Visa. Caller ID can be tricked through a technique called “spoofing” to make a scammer’s call appear to be legitimate. Never provide sensitive information to anyone over the phone who calls you unless you have verified that the call is legitimate. In the case of a call from your credit card processing company telling you to reprogram your credit card terminals, you should hang up and call your credit card processing company at a telephone number that you know is legitimate in order to determine whether the original call was a scam.

Scam of the day – June 3, 2016 – How safe are you doing online and mobile banking?

Just about everyone does some or all of their banking and bill paying through their computers online and more and more people are using their smartphones and other mobile devices to do their banking and bill paying as well.  Not only can electronic banking be fast and convenient, it can also be safe if you take the proper precautions.  Unfortunately, many people do not take the proper security steps necessary to protect themselves when doing online banking on their computers and even fewer people take important security steps when doing their banking and bill paying on their smartphones and other portable devices leaving them in serious danger of having their bank accounts hacked.


Here is a list of important steps you should be taking to make your electronic banking more secure.

  1. First and foremost use a strong password which is one that contains capital letters, small letters and symbols.  Simple and common passwords even when they are encrypted can be cracked relatively easily through the use of sophisticated computer programs.  A good way to pick a strong password is to take an easily remembered phrase as your password.  For instance, you can use the phrase IDon’tLikePasswords as your base password.  Add a couple of !! at the end of the password and you have a strong password.  Since you should have a unique password for each of your accounts, you can adapt this base password for your banking account by merely adding a couple of letters to designate your bank at the end of the password so it may read, for instance, IDon’tLikePasswords!!BnkoAm.
  2. The answers to many security questions used by banks can be easily obtained either from public databases or from the information that you may unwittingly post online in social media. A common banking security question is your mother’s maiden name. A good way to make this a strong security question is to use a nonsensical answer that only you will remember. Thus the answer to the question could become “Pomegranate.” It is silly enough for you to remember, but impossible for a hacker to guess.
  3. Use dual factor authentication by which when your bank account is being accessed online or through your smartphone, a one-time code is sent to you to use to access your account.  Surprisingly, some national banks such as Citibank, PNC Bank and TD Bank do not provide the option for dual factor authentication.
  4. Install anti-malware and anti-virus software on both your computer and your portable devices and maintain it with the latest security updates. Too many people do not use security software on their smartphones and many people do not update their security software promptly.
  5. When using a portable device for electronic banking do not use public Wi-Fi. Instead use a Virtual Private Network which will encrypt all of your electronic communications. A good VPN is CyberGhost which can be downloaded for free using this link.
  6. Password protect your smartphone and other mobile devices and don’t store sensitive information on your mobile devices.

Scam of the day – June 2, 2016 – Why the massive Myspace data breach is relevant

Many younger readers of Scamicide may not even remember Myspace, but at one time Myspace was the biggest social networking website.  By 2009, however, it was overtaken by Facebook and its users have continued to decline in the years since then.  In 2013, it was bought by Time, Inc which is attempting to revitalize it.  When it was announced earlier this week that more than 360 million usernames and passwords from Myspace were being sold on the Dark Web to cybercriminals interested in turning that information into ammunition for identity thieves, many people were not very disturbed by the news.  But they should be.  Even though the usernames and passwords go back to prior to 2013 and, in many instances, much earlier, the problem is that because a lot of people use the same username and password for all of their accounts, this information could put present and former Myspace users in jeopardy of this information being used to gain access to the victims’ other accounts, such as online banking.


A great resource to find out if you have been affected by a data breach is “Have I Been Pwned” which compiles information on data breaches that allows you to find out if your information was contained in particular data breaches. Here is a link to its website which you can use to find out if the Myspace data breach or other data breaches affect you.

Myspace is notifying users and has cancelled the passwords of affected accounts. However, if you do get an email purporting to be from Myspace asking you to input personal information such as passwords or other information, you have probably been contacted by a scammer merely trying to steal your information through spear phishing. If you do receive an email from Myspace there is no way to be absolutely sure that it is legitimate, so if you believe you may have been affected by the data breach, you should go directly to Myspace’s website to change your username or password. Here is a link to the applicable portion of the Myspace website.

Finally, for all of us, this data breach is just another reminder that you should use a distinct and unique password for all of your accounts so that in the event of a data breach at one online service you use, all of your online accounts will not be in jeopardy.