Scam of the day – December 17, 2015 – Cellphone insurance scam

December 17, 2015 Posted by Steven Weisman, Esq.

I first learned about this scam from Providence’s NBC 10 News consumer reporter, Emily Volz.  It involves scammers getting access to the cellphone insurance of their victims and putting in claims whereby the scammers receive new cellphones which the scammers then sell on the black market.  Usually the victims do not find out about the misuse of their insurance until they put in a legitimate claim.

Many people purchase cellphone insurance with a premium around $12 per month.  This insurance will cover repairs and replacement cellphones when the cellphone owner encounters a problem with his or her cellphone.  Unfortunately, this insurance can be exploited by identity thieves who steal information about the insurance.  Armed with the victim’s Social Security number, which they have also stolen, they then put in a claim for a replacement phone, which they have sent to addresses controlled by the scammer.

Recently six people in California were sentenced on charges of operating this type of scam on a large scale in which they filed 1,300 claims and  received cellphones and insurance benefits totaling approximately $636,000.  In that particular case, the information necessary to operate the scam was obtained by three of the scammers who were Verizon employees who, through their job, gained access to their victims’ account information which they then used to commit the fraud.

TIPS

There is little that you can do to protect yourself from the misuse of your personal information by rogue employees of companies that have your personal information.  However, other instances of this type of fraud occur when victims’ information, including, most importantly, the victims’ Social Security numbers, is stolen.  Protecting the privacy of your Social Security number is one of the most important things you can do to help protect yourself from becoming a victim of identity theft.  As much as you can, limit the places that you provide your Social Security number and never carry your Social Security card in your wallet.

Scam of the day – December 16, 2015 – Arrest made in hacking of VTech

December 16, 2015 Posted by Steven Weisman, Esq.

I first reported to you in November 30th’s scam of the day of the hacking of Hong Kong company VTech Holdings Limited.  The data breach involved data of almost 12 million people and included personal information on more than 200,000 children.  VTech’s Learning Lodge is an app store for high tech learning games and other educational toys for children.  Now police in the United Kingdom have announced the arrest of a 21-year-old man on charges of unauthorized access to a computer and causing a computer to enable unauthorized access to data.

The adult customer information compromised in the data breach includes names, email addresses, encrypted passwords, security questions and answers, IP addresses and mailing addresses.  Although the passwords were stolen in their encrypted form, VTech used older, less secure encryption algorithms, which can be readily cracked by sophisticated cybercriminals.  This means that the customers whose data was stolen are in particular danger if they, like so many people do, use the same password for multiple accounts.

In addition, the potential for exploitation of the children’s data stolen brings a new wrinkle to this data breach.  Children’s names and birth dates could be tied to their parents through the stolen information, thereby establishing a new avenue for identity theft and fraud.  Spear phishing using this information, whereby malware-containing emails could be made to appear legitimate, poses a real threat to the victims of this data breach.

An interesting aspect of this arrest is the age of the person arrested and charged with the crime.  A recent study by the UK’s National Crime Agency found that the average age of cybercriminals in the UK has dropped to 17.  Last year, a similar report indicated the average age for British cybercriminals was 24.

TIPS

Once again, people are becoming vulnerable to identity theft due to the lack of proper security measures by a company with which they do business.  However, the failure of people to protect themselves by using unique, distinct passwords for each of their accounts substantially contributes to their risk of identity theft.  The lesson is to remember that you should always have a distinct and unique password for each of your online accounts.  It should be a complex password so that it cannot be broken by simple brute force attacks that use millions of guessable combinations such as any word in the dictionary or such common passwords as 123456.  One good way to pick a complex password is to pick a phrase, such as “I Don’t like passwords” and turn it into the basis for a password by making it IDon’tLikePasswords.  This password is already complex in that it has words and a symbol.  Now add a couple of symbols at the end of the password so it may read IDon’tLikePasswords!!! and you have an easy to remember, but strong password.  Now you can just adapt it for each of your online accounts with a few letters to identify the account.  Thus, your Amazon password can be IDon’tLikePasswords!!!Ama and you have a strong, but easy to remember password.

Scam of the day – December 15, 2015 – A million OPM data breach victims still not notified

December 15, 2015 Posted by Steven Weisman, Esq.

As you all know by now and as I first reported to you in 2014 and again last summer, the federal Office of Personnel Management (OPM) was hacked by Chinese hackers who stole personal information of more than 21 million present and former federal employees as well as non-employees whose information was gathered by the OPM during the course of background investigations of federal employees.  In October, the OPM began notifying victims of the massive data breach about the identity theft protection services the government will make available to them for the next three years.  The notification process is now completed, but unfortunately 1.5 million people who were affected by the data breach have not been contacted because the OPM no longer has current addresses for these people.  No email notices were sent or are planned to be sent by OPM, so if you get an email that purports to be from the OPM, it is a scam.  The federal government has chosen Identity Theft Guard Solutions to provide three years of identity theft protection to victims.

TIPS

If you believe you were possibly a victim of the OPM data breach, but have not yet received a letter from the OPM informing you about your options, you can go to the OPM’s special website to verify that you were a victim and to obtain a PIN to use in order to apply for identity theft protection services offered by Identity Theft Guard Solutions.  You also can call the OPM at 866-408-4555 to find out if you were a victim.

It is important to remember that no identity theft protection company can prevent you from becoming a victim of identity theft.  The best they can do is notify you earlier that you have become a victim.    In fact, the OPM is offering these services a year after the data breach actually occurred so the danger of identity theft has increased.   None of the identity theft protection companies help you with the one best step you can take to protect yourself from identity theft which is to put a credit freeze on your credit report.  With a credit freeze on your credit report, even if someone has your personal information including your Social Security number, they cannot access your credit report for purposes of gaining credit or loans in your name.  You can find information about how to put a credit freeze on your credit reports at each of the three major credit reporting agencies by going to the Archives section of Scamicide and putting in the words “credit freeze.”

Scam of the day – December 14, 2015 – Hospital identity theft arrests

December 13, 2015 Posted by Steven Weisman, Esq.

Although we often think that identity theft is a high tech crime, in fact identity theft is a high tech, low tech and no tech crime.  The Manhattan District Attorney recently arrested a married couple, Kyle Steed and his wife Krystle Steed, charging them in a 193-count indictment involving identity theft in which fraudulent charges were made in the names of their victims totaling more than $300,000.  The basis for the identity theft was definitely no tech.  The District Attorney is alleging that Kyle Steed, who worked at the Lenox Hill Hospital, stole personal information of more than 80 emergency room patients.  Among the information stolen were names, birth dates and Social Security numbers of the victims.  However, rather than hack into the hospital’s computers, Kyle Steed is alleged to have done his data theft the old fashioned way by stealing the information from paper records of the hospital.  Krystle Steed used the stolen information to access their victims’ credit card accounts, charging more than $300,000 worth of expensive purchases including designer bags.

TIPS

Lenox Hospital is notifying patients who were affected by the data breach, which occurred between January of 2014 and February of 2015.  This crime again illustrates the importance of companies that retain personal information doing a better job of protecting their data in whatever form it is stored.  It also illustrates the importance of limiting, as much as possible, the amount of data that you provide to the companies with which we all deal.  Although hospitals commonly require people to provide their Social Security numbers, they generally do not have a need for doing so and often do so merely to make it simpler to collect overdue bills.

Scam of the day – December 13, 2015 – A new version of the Nigerian email scam

December 13, 2015 Posted by Steven Weisman, Esq.

Today’s Scam of the day comes right from my email and I am sure that it has appeared in the email boxes of many of you, as well.  This is just another version of the Nigerian email scam although this one appears to have originated in Ghana.  Although it may seem that the Nigerian email scam began in the era of the Internet, the basis of the scam actually goes back to 1588 when it was known as the Spanish Prisoner Scam.  In those days, a letter was sent to the victim purportedly from someone on behalf of a wealthy aristocrat who was imprisoned in Spain under a false name.  The identity of the nobleman was not revealed for security reasons, but the victim was asked to provide money to obtain the release of the aristocrat, who, it was promised, would reward the money-contributing victim with great sums of money and, in some circumstances, the Spanish prisoner’s beautiful daughter in marriage.

Today’s scam of the day is yet another variation of what has come to be known as the Nigerian letter scam.  In the various versions of this scam circulating on the Internet today, you are promised great sums of money if you assist a Nigerian in his effort to transfer money out of his country.  Variations include the movement of embezzled funds by corrupt officials, a dying gentleman who wants to make charitable gifts or a minor bank official trying to move the money of deceased foreigners out of his bank without the government taking it.  The example below of the email I received involves a shady consignment deal.  Although generally, you are told initially that you do not need to contribute anything financially to the endeavor, you soon learn that it is necessary for you to contribute continuing large amounts of money for various reasons, such as various fees, bribes, insurance or taxes before you can get anything.  Of course, the victim ends up contributing money to the scammer, but never receives anything in return.

Here is a copy of the email I recently received:

“I am B. Komeng, Director, Aviation Security (GHANA AIRPORT COMPANY) in Greater Accra field International Airport West Africa, During one of my investigation I discovered An abandoned shipment of two Metallic Trunk Boxes that was transferred from US International Airport (JFK) back to our Airport facility here in Accra Ghana and when scanned it revealed an undisclosed Funds and about 50Kilos of Gold in Metal Trunk Boxes weighing approximately 50 and 40kg each. These consignments was abandoned because the Content was not properly declared by the delivery shipping agent as above mentioned items rather it was declared as personal effect to avoid diversion and tax. On my assumption, the very box that contains Funds amounted US$5.Five Million United States of American Dollars and the consignments are still left in the Storage House till today. Friend, I want you and I to transact this deal together and share the profit together since the shipper has abandoned it and ran away due to improper declaration and improper documentation. I want front you as the beneficiary and Consignee to these boxes, As you can see, I am still an officer with airport company, I cannot be found to be associated with these consignment hence I cannot call for its delivery, if it is discovered that I have a particular interest in these consignments, it will be seized by Government indefinitely. I can arrange for the boxes to be moved out of this Airport to your address if you agreed to accept the delivery and we work together in procuring necessary legal paperwork to back you up as the legal beneficiary, once we are through I will deploy the services of a secured shipping Company geared to provide the security it needs to deliver these consignments to your address. 
I am willing to work with you on the understanding of a partnership basis, We shall share the profit 50% 50% upon the completion of this transaction, I can assure you of no trouble in this transaction and my guarantee to you is that we can actualize our goal within four working days if we can work in one accord also to be honest with you, we can only work in partnership to realize this goal, reasons being that as I have stated above to you that one of the very crucial reasons why they agent failed in having the consignments delivered was due to the improper documentation. Thanks. B. Komeng.”

TIPS

This is a simple scam to avoid.  It preys upon people whose greed overcomes their good sense.  The first thing you should ask yourself is why would you be singled out to be so lucky to be asked to participate in this arrangement.  Since there is no good answer to that question, you should merely hit delete and be happy that you avoided a scam.  As with many such scams, which are originating outside of the United States, the punctuation and grammar are often not good.

Many people wonder why cybercriminals and scammers send out such ridiculously obvious scam letters that anyone with an ounce of sense would recognize as a scam, but that may be intentional on the part of the scammer because if someone responds to such an obvious scam, they are more likely to fall prey to the scam.

 

Steve Weisman’s latest column from USA Today

December 12, 2015 Posted by Steven Weisman, Esq.

Here is a link to my latest column from today’s version of USA Today.  It deals with the timely topic of scams and identity theft dangers found in online shopping.

http://www.usatoday.com/story/money/columnist/2015/12/12/weisman-online-shopping-cybersecurity/77012780/

Scam of the day – December 12, 2015 – Georgia voters at risk of identity theft

December 12, 2015 Posted by Steven Weisman, Esq.

Not all data breaches are caused by hackers breaking into the computers of companies and governmental agencies in an effort to steal personal information that can be used for purposes of identity theft.  Sometimes the data breaches that expose personal information of people involved with companies and governmental agencies occur due to the negligence of those holding the information.  This, however, is of little consolation to those people whose personal information has been exposed and made available to people who can then use that information for purposes of identity theft.  In October the Georgia Secretary of State’s office mistakenly distributed CDs containing personal data including Social Security numbers and birth dates on 6.2 million registered voters to twelve organizations that regularly purchase voter lists maintained by the Secretary of State.  Among the groups receiving the CDs were state political parties, news media organizations and Georgia GunOwner Magazine.  An investigation is ongoing as to how this occurred.  The Secretary of State has indicated that all twelve CDs have been retrieved, but at this time, no one knows who may have gotten access to the personal information contained on those CDs before they were retrieved.  Now Georgia Secretary of State Brian Kemp has announced that those affected voters will be provided with a year of free credit and identity theft monitoring services through CSID services.  Those people affected by the data breach will be able to sign up for these services within the next few weeks.

TIPS

If you are a registered voter in Georgia, you can contact the Secretary of State’s office for updated information about the data breach and what you can do to protect yourself from identity theft by calling the Secretary of State’s office at 404-654-6045.  A link to CSID’s website where affected people can sign up for credit and identity theft monitoring services will be provided on the Secretary of State’s website www.sos.ga.gov as soon as the services are available.  Meanwhile, if you are a registered voter in Georgia and therefore in danger of identity theft due to this information being distributed, you should consider putting a credit freeze on your credit report at each of the three major credit reporting agencies as a proactive measure that will provide you with greater protection from identity theft than you will get from credit and identity theft monitoring services.  Go to the archives of Scamicide and type in “credit freeze” for information as to how to set up a credit freeze on your credit reports.

Scam of the day – December 11, 2015 – FTC and Wyndham Hotels settle charges of lax security

December 11, 2015 Posted by Steven Weisman, Esq.

I first reported to you about the Federal Trade Commission (FTC) bringing legal action against Wyndham Hotels and Resorts for failing to protect their customers’ personal information including credit and debit card information in 2012.   Earlier this year I reported to you about the upholding of the FTC’s action by the Appeals Court.  Now, Wyndham and the FTC have settled the case.  Wyndham has agreed to establish a comprehensive data security program intended to protect customer information including credit and debit card numbers.  The FTC took action against Wyndham for failing to “maintain reasonable and appropriate data security for consumers’ sensitive personal information”  following a series of three major data breaches by Russian hackers affecting more than 600,000 credit and debit cards of Wyndham customers.  Wyndham had argued in court that the FTC did not have the authority to punish a business for having lax security practices and further argued that the FTC was punishing the victim not the perpetrator of the data breach.  Wyndham argued that punishing Wyndham was akin to taking legal action against a supermarket for being “sloppy about sweeping up banana peels.”  The Appeals Court judges were not convinced by this argument and in their opinion they wrote that this argument “invites the tart retort that, were Wyndham a supermarket, leaving so many banana peels all over the place that 619,000 customers fall hardly suggests it should be immune from liability under the FTC Act.”

Wyndham also argued that it should not be punished because its standards for cybersecurity were different from those of the FTC.  However, again the Appeals Court judges were unconvinced, saying, “the complaint does not allege that Wyndham used weak firewalls, IP address restrictions, encryption software and passwords.  Rather, it alleges that Wyndham failed to use any firewall at critical network points…did not restrict specific IP addresses at all… did not use any encryption for certain customer files… and did not require some users to change their default or factory-setting passwords at all.”

Having lost in the Appeals Court, Wyndham agreed to a settlement rather than continue the litigation with little chance of success.  Under one of the terms of the settlement Wyndham must perform annual security audits that conform to the Payment Card Industry Data Security Standard for certification of a company’s security program for the next twenty years.

TIPS

This is a major victory for consumers and a warning to companies that they must do more than give lip service to cybersecurity and protecting the personal information of their customers.  As FTC Chairwoman Edith Ramirez said following the settlement, “This settlement marks the end of a significant case in the FTC’s efforts to protect consumers from the harm caused by unreasonable data security.  Not only will it provide important protection to consumers, but the court rulings in the case have affirmed the vital role the FTC plays in this important area.”  There is little that we as individual consumers can do to encourage companies to do a better job of protecting our personal information, although recent class actions against companies suffering data breaches alleging negligently inadequate security are a start.  However, having the weight of the federal government come to bear on companies on behalf of consumers is a very positive development.

Scam of the day – December 10, 2015 – FTC refunding money to victims of online Yellow Pages scam

December 10, 2015 Posted by Steven Weisman, Esq.

The FTC, through its refund administrator for this case, Gilardi & Co. LLC, is sending checks to victims of a scam involving Your Yellow Book, which sent out invoices to various companies bearing a logo like the famous walking fingers logo used by the legitimate Yellow Pages.  The invoices indicated that they were only verifying or updating an already existing business relationship when in fact there was no prior business relationship and no prior contract for a listing in the Your Yellow Book’s online business directory, which had no relationship with the legitimate Yellow Pages.  Many people paid the invoices that ranged up to $487 not realizing that the bill was a total misrepresentation.  Victims that initially refused to pay the phony invoices were harassed by phony debt collectors.  Many small businesses, doctors’ offices, retirement homes and charitable organizations were victimized by this scam.

TIPS

If you were a victim of this scam and have not yet received your check, click on the tab at the top of this page marked “FTC Scam Refunds” for information as to how to claim your refund.   Refund checks must be cashed by February 2, 2016. However, everyone else should take a lesson from this common scam and never pay an invoice merely because you get what appears to be a legitimate looking bill until you have confirmed that the bill is indeed legitimate and that you or your company actually received the services for which you are billed.  This particular scam is both simple and effective so it is up to you to be on the lookout for it.

Scam of the day – December 9, 2015 – Is the letter you received from OPM real or a scam?

December 9, 2015 Posted by Steven Weisman, Esq.

As you all know by now and as I first reported to you in 2014 and again last summer, the federal Office of Personnel Management (OPM) was hacked by Chinese hackers who stole personal information of more than 21 million present and former federal employees as well as non-employees whose information was gathered by the OPM during the course of background investigations of federal employees.  In October, the OPM began notifying victims of the massive data breach about the identity theft protection services the government will make available to them for the next three years.  The notification process is taking about three months with many notification letters only recently having been sent.  I have been contacted by clients of mine inquiring as to whether the notices they received are real.   It is important to remember that the official notice is only being sent by regular mail.  No email notices will be sent so if you get an email that purports to be from the OPM, it is a scam.   The federal government has chosen Identity Theft Guard Solutions to provide  three years of identity theft protection to victims. In the notification letter you are urged to contact the OPM’s security website to enroll in the free identity monitoring program and you are provided a PIN to use in order to enroll.

Identity thieves have been copying the letter and changing the website address where you are directed to go to enroll in the identity theft protection services, directing people to a phony website where they will be prompted to provide personal information purportedly to enroll in the program.  If you provide personal information to these scammers, you will end up a victim of identity theft.  Here is a link to the official website for enrolling in the credit monitoring services being offered by the OPM:  https://www.opm.gov/cybersecurity/#Services

Once there you will be prompted to input your PIN and only the last four digits of your Social Security number.

TIPS

If you were a victim of the OPM data breach, you should be on the lookout for a notification letter with information about how to apply for benefits under the program.  The OPM is only notifying people by regular mail.  If you have been notified by email, text message or telephone, the notice is a scam and you should ignore it.  Even if you receive a letter, you should make sure that the web address you go to is accurate.  For convenience, you can use the web address I have indicated above.  In any event, remember, the legitimate website will not ask for your complete Social Security number.  It is important to remember that no identity theft protection company can prevent you from becoming a victim of identity theft.  The best they can do is notify you earlier that you have become a victim.    In fact, the OPM is offering these services a year after the data breach actually occurred so the danger of identity theft has increased.   None of the identity theft protection companies help you with the one best step you can take to protect yourself from identity theft which is to put a credit freeze on your credit report.  With a credit freeze on your credit report, even if someone has your personal information including your Social Security number, they cannot access your credit report for purposes of gaining credit or loans in your name.  You can find information about how to put a credit freeze on your credit reports at each of the three major credit reporting agencies by going to the Archives section of Scamicide and putting in the words “credit freeze.”
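One way to carry out the address check described above, shown as an added example that is not part of the original post and is not OPM's code: it accepts an address only when it uses https and its host is opm.gov or a subdomain of it, matching the official link quoted in this post.  The function name and the sample addresses are constructed for illustration.

```python
from urllib.parse import urlsplit

# Registrable domain of the official enrollment link quoted in the post
# (https://www.opm.gov/cybersecurity/#Services).
OFFICIAL_DOMAIN = "opm.gov"


def check_enrollment_url(url):
    """Return (ok, reason) for a web address copied from a notification letter.

    Hypothetical helper written for this example.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False, "malformed address"

    if parts.scheme != "https":
        return False, "not an https address"

    # "https://www.opm.gov@other.example/" puts the trusted name in the
    # userinfo part; the browser actually connects to other.example.
    if parts.username is not None or parts.password is not None:
        return False, "address contains a user@ prefix"

    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False, "no host name"

    # Reject look-alike letters (for example a Cyrillic 'o') and their
    # punycode form rather than trying to judge whether they are harmless.
    labels = host.split(".")
    if not host.isascii() or any(label.startswith("xn--") for label in labels):
        return False, "internationalized host name"

    # Exact match or a true subdomain; "opm.gov.something" and "notopm.gov"
    # both fail because the comparison is anchored at the end of the name.
    if host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN):
        return True, "host is under opm.gov"
    return False, "host %r is not under opm.gov" % host


# Constructed sample addresses: the first is the link given in the post,
# the rest are made-up look-alikes on reserved ".example" names.
SAMPLE_URLS = [
    "https://www.opm.gov/cybersecurity/#Services",
    "http://www.opm.gov/cybersecurity/",
    "https://www.opm.gov.enroll.example/cybersecurity/",
    "https://www.opm.gov@enroll.example/",
    "https://opm-gov.example/cybersecurity/",
]

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        ok, reason = check_enrollment_url(sample)
        print("ACCEPT" if ok else "REJECT", sample, "-", reason)
```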