Scam of the day – November 8, 2014 – Latest Home Depot hacking developments

November 8, 2014 Posted by Steven Weisman, Esq.

Home Depot has announced that in addition to the information on millions of debit cards and credit cards that were stolen by hackers in its recent data breach which had gone undetected for months before being discovered in early September, the hackers also stole the email addresses of 53 million of its customers.

So what does this mean to you and me?

It means that we can expect to receive phishing emails that appear to come from Home Depot, some of which may even be directed to us by name.  This type of precise phishing is called spear phishing and it is an effective tool of identity thieves in luring us to provide personal information or to click on links or download attachments in official looking emails.  Unfortunately, if you provide the personal information requested under some guise in the email, this information will be used to make you a victim of identity theft and if you click on the link or download attachments in the emails, you will download keystroke logging malware that will steal your personal information from your computer and use it to make you a victim of identity theft.

Home Depot also disclosed for the first time that the way their computers were hacked was by initially hacking into third party vendors with lax security and using their usernames and passwords to gain access to the computers and data of Home Depot.  This was the same tactic used in the Target hacking and many other data breaches.  In fact, in a column I wrote for USA Today in September http://www.usatoday.com/story/money/personalfinance/2014/09/27/hacking-target-home-depot-credit-card/16221427/ I described the techniques used by hackers to infiltrate the computers of targeted companies through such third party vendors or others using offsite access to the computers of the targeted companies.  I mention this not to toot my own horn, but to tell you that the problem has not been solved and we will be seeing this pattern followed in future major data breaches time and time again.

TIPS

The takeaway from Home Depot’s announcement that identity thieves may have your email address is to be even more vigilant in regard to not clicking on links or downloading attachments in emails regardless of how legitimate they may look.  The risk is too great.  You can well expect that you may receive an email that appears to come from Home Depot and it may have a link for you to click on for either more information about the risk to you of the data breach or even to gain you access to free credit monitoring.  Such a legitimate email was sent by Target to its affected customers after its major data breach.  However, you cannot be sure that the email is legitimate so don’t click on the link or download any attachments.  Rather, if the message appears to you to be legitimate, merely go directly to Home Depot’s real website where you will find the real information.  When Target sent an email with a link to free credit monitoring, I ignored the email, went to the Target website and enrolled there for the free credit monitoring.

Scam of the day – November 7, 2014 – Bank Call Center scams

November 7, 2014 Posted by Steven Weisman, Esq.

Recently there has been a dramatic increase in Call Center scams involving banks.  All banks have toll free numbers that their customers can use to contact the bank about any banking question or concern.  Scammers have been purchasing telephone numbers that closely approximate the real bank telephone numbers to capture people who inadvertently misdial the bank’s number.  Query, can we still use the term “misdial” when no one uses a rotary phone anymore? In any event, when the customer reaches the telephone number of the scammer, a recorded announcement makes it appear as if they have actually reached the bank’s call center and then the scamming begins.  In one version of the scam, the caller is told that they are eligible for a free Walmart gift card and directed to someone who requests the caller’s credit card number for “verification” purposes.  In many of these scam calls, the supposed bank employee has a thick foreign accent indicating that this scam, as do many others, is originating overseas.

TIPS

I have long advised you not to provide personal information to anyone that you have not called at a number that you know is legitimate, but this scam involves a call you make to a number you think is accurate.  In fact, in investigations of some of these scams, the phony telephone number was just a single digit off from the real bank telephone number.  The best way to avoid this scam is to very carefully input the telephone number when you are calling any company or government agency with which you do business, being aware that a simple misdialing can lead to your being scammed.  You also should be wary of anyone asking for personal information when it does not appear to be necessary to answer your question.

Scam of the day – November 6, 2014 – New Smishing scam

November 6, 2014 Posted by Steven Weisman, Esq.

Smishing is the name given to text messages that lure you into clicking on links or providing personal information in response to a text message from what appears to be a trusted source, such as your bank or another company with which you do business.  Recently there have been a number of smishing scams in which the messages appear to be from the bank Sun Trust.  In some of the recent Sun Trust smishing scams you are prompted to respond to a feigned emergency by providing personal information such as your account number.  If you provide this or other personal information, it is used by the scammers to make you a victim of identity theft.  In other smishing scams, you are told to call a telephone number that is a toll number with charges as much as $19 per minute.  Often you are put on hold for long periods of time to increase the charges.

TIPS

Your bank is not going to contact you by a text message if there is a problem with your account.  More importantly, as I have warned you many times, you can never be sure who really is sending you an email, text message or phone call and should never provide personal information in response to such communications.  If you think that there is a possibility that the contact may be legitimate, you should call the real company at a telephone number that you are sure is legitimate to learn whether or not the original communication with you was a scam.

Scam of the day – November 5, 2014 – Latest security updates from the Department of Homeland Security

November 5, 2014 Posted by Steven Weisman, Esq.

Constant updating of the software we all use with the latest security patches and updates is a critical part of avoiding scams and identity theft threats.  Whenever new security updates and patches are issued, we provide access to these so that you can update your software to provide better security on your computers, smartphones, laptops and other electronic devices.  Updating your software with the latest security patches and updates as soon as possible is important because identity thieves and scammers are always finding and exploiting vulnerabilities in the software that we all use.  Delay in updating your software could lead to disastrous results.  However, it is also important to be sure that you are downloading legitimate patches and updates rather than being tricked by an identity thief or scammer into downloading malware under the guise of downloading a security patch or update.  That is why we provide links to the necessary patches and updates as provided by the Department of Homeland Security and the companies directly.  Today’s updates include many important updates and security patches to prevent serious problems including important security updates for the popular website design software WordPress.

TIPS

Here is the link to the latest Department of Homeland Security software updates and security patches https://www.us-cert.gov/ncas/bulletins/SB14-307

Scam of the day – November 4, 2014 – Instagram counterfeit check scam

November 4, 2014 Posted by Steven Weisman, Esq.

Many years ago there was a popular cartoon character named Pogo, who transformed the famous words, “We have met the enemy and he is ours” spoken by Admiral Oliver Hazard Perry following a naval battle into “We have met the enemy and he is us.”  Pogo’s version may well apply to the many of us who don’t realize that whenever we put too much information online through social media we are providing information that can be used against us in a multitude of ways.  Postings on Facebook and other social media can be used by identity thieves and scammers to learn the answers to your security questions and also provide information to make you a target of spear phishing where you receive an email that appears to come from someone you know or a company with which you do business.  Putting personal information such as your birthdate and address on social media makes it easier for an identity thief to steal your identity.

Recently federal prosecutors in Minnesota brought counterfeiting and other charges against 28 people who created counterfeit checks using the banking information contained on checks that have turned up on Instagram photos with the hashtag #myfirstpaycheck.  It is a simple matter today to create checks with the account number and bank routing information contained on a check.  It is also just as simple for counterfeiters to search Instagram for the popular hashtag #myfirstpaycheck put up by naive new employees.

TIPS

Certainly no one should take a photo of any check and put it up online or on any social media website.  However, you should also limit, as much as possible the personal information you provide online and through social media that in the hands of an identity thief can be used to make you a victim of identity theft.  Don’t include your birth date, mother’s maiden name or other personal information on social media that can be used to make you a victim of identity theft.  Don’t make an identity thief’s work easy.

Scam of the day – November 3, 2014 – 12 million websites hacked in Drupal attack

November 3, 2014 Posted by Steven Weisman, Esq.

Many of you may not be familiar with Drupal, but website developers certainly are.  Drupal is a software company whose software is used by a billion websites to manage images, text and video on websites.  On October 15th, Drupal announced that it had discovered a major security flaw that could be exploited by hackers to not only steal data from targeted websites, but also to set up a backdoor application that would permit the hacker to return to retrieve more data.  All of this could be done without any indication that a hacking had occurred.  Most companies responded to Drupal’s announcement and its security update; however, according to Drupal, any website that did not download the Drupal security patch within seven hours of its October 15th announcement should assume that they have been hacked and their sensitive information compromised.  Drupal estimates that about 5% of the billion websites that use Drupal software did not install the necessary security patch in a timely fashion and although this number may seem small, this means that the number of affected websites that may have personal information on you and me is as high as twelve million websites.

TIPS

Part of the problem is that unlike many software companies that provide automatic updates for you to install, Drupal does not do so.  Many companies, to their own detriment, are slow to install important security updates and this delay puts them and their customers in serious danger of identity theft and being scammed.  This is why here at Scamicide we provide security updates as, in turn, provided by the U.S. Department of Homeland Security as they are announced.  The Drupal security problem is also a warning again to us all that we are only as secure as the companies and governmental agencies with which we do business with the least effective security.

Here are links to Drupal’s original warning as well as a security update that instructs Drupal users how to remedy the problem.

https://www.drupal.org/SA-CORE-2014-005

https://www.drupal.org/PSA-2014-003

Scam of the day – November 2, 2014 – Dangerous flaw in Samsung phones

November 2, 2014 Posted by Steven Weisman, Esq.

Samsung is one of the biggest makers of smartphones including the popular Samsung Galaxy phones.  Recently, the National Institute of Standards and Technology (NIST) reported a flaw in the Find My Mobile remote control service, a security feature that permits the phone owner, among other things, to lock their phone, wipe out stored personal information and make the phone ring at maximum volume for a full minute.  These features are helpful if your smartphone is lost or stolen.  Unfortunately, according to the NIST, hackers can use the same tool to remotely lock the phone or destroy stored information quite easily since the service does not require any authentication.  There is a concern that hackers will lock your phone and threaten to destroy your information unless you pay a ransom.

TIPS

At the present time Samsung has not found a remedy for this problem so the best thing you can do to protect yourself is to disable the Find My Mobile feature.

Scam of the day – November 1, 2014 – Scammers pose as Publishers Clearing House

November 1, 2014 Posted by Steven Weisman, Esq.

It is hard to win any lottery. It is impossible to win one that you have not even entered and yet scam artists, the only criminals we refer to as artists, have found that it is extremely lucrative to scam people by convincing them that they have won various lotteries. Most lottery scams involve the victim being told that they need to pay taxes or administrative fees directly to the lottery sponsor; however, no legitimate lottery requires you to do so.

As with many effective scams, the pitch of the scammer seems legitimate. Income taxes are due on lottery winnings, but with legitimate lotteries they are either deducted from the lottery winnings before you receive your prize or you are responsible for paying the taxes directly to the IRS. No legitimate lottery collects taxes on behalf of the IRS from lottery winners.  Other times, the scammers tell the “winners” that in order to collect their prizes, they need to pay administrative fees. Often, the victims are told to send the fees back to the scammer by pre-paid gift cards or Green Dot MoneyPak cards. Prepaid cards are a favorite of scammers because they are the equivalent of sending cash. They are impossible to stop or trace. Again, no legitimate lottery requires you to pay administrative fees in order to claim your prize.

Everyone is familiar with the Publishers Clearing House sweepstakes from television commercials where the winners are shown being surprised by the delivery of their giant check. Publishers Clearing House is a real company that operates a legitimate lottery that many people enter which is one reason that scammers pose as representatives of Publishers Clearing House. Coming up in November will be another major Publishers Clearing House drawing and scammers will be contacting their victims by telephone, email and text messages to inform them of their good luck in having been selected as a Publishers Clearing House sweepstakes winner.   Once the contact is made with the potential victim, the scammers use the same tried and true lottery scam techniques described above to cheat their victims out of their money.

TIPS

Fortunately, when you are contacted by phone, email or text message and told that you have won one of Publishers Clearing House’s multi-million dollar prizes, there is an easy way to know whether you have been contacted by the real Publishers Clearing House. Publishers Clearing House only contacts major prize winners in person. They do not contact such winners by phone, email or text message so if you do receive a notification of your winning one of their multi-million dollar prizes in this fashion you know it is a scam.   As for other lotteries, remember, you can’t win a lottery you haven’t entered and no legitimate lottery asks you to pay them administrative fees or taxes.

Scam of the day – October 31, 2014 – Free credit score scams

October 31, 2014 Posted by Steven Weisman, Esq.

Based on the information contained in your credit reports, your credit score can have a significant effect on whether you are granted a loan and at what interest rate, whether you will be hired for a job, whether you will be sold insurance, whether you can rent an apartment or many other purposes.  We all have a right to an annual free credit report from each of the three major credit reporting agencies; however, your free credit report will not provide you with your credit score.  Recently many people are receiving emails with offers to provide a free copy of your credit score.  Unfortunately, as with any other email or text message that requires you to provide personal information such as your Social Security number which is required to obtain your credit report or credit score, you cannot be sure that the offer is legitimate.  In some instances, companies offering to provide “free” credit reports or scores are actually signing you up for a continuing service that you may neither desire nor need.  These sites generally ask for your credit card number, but tell you that they only need the credit card number for verification purposes.  Of course, that is a lie.  If you were getting something free, you would not need to provide a credit card number.   They are getting your number to use it to charge you monthly fees for services that you may not have thought you ordered.  Even worse however, are scams in which the company offering to provide you with your free credit score is actually just scamming you in order to get your Social Security number which they will use to make you a victim of identity theft.

TIPS

As I always say, you cannot trust any email or text message to be legitimate.  Never click on links, download attachments or provide personal information in response to unsolicited emails or text messages.  The risk is too great.  If you want your free credit reports from each of the three major credit reporting agencies, Equifax, TransUnion and Experian, the only place to go is the website www.annualcreditreport.com.  It is important to monitor your credit report not just to find evidence of identity theft, but also to find mistakes that may appear on your report that can adversely affect your credit score.  As for your credit score, the website www.creditkarma.com is a legitimate website that you can trust, that encrypts your data and provides your credit score for free.

Scam of the day – October 30, 2014 – Gallup poll shows hacking of retail stores is the crime most feared

October 30, 2014 Posted by Steven Weisman, Esq.

A recent Gallup poll shows that the hacking of retail stores and the resulting theft of credit and debit card information is the crime that is feared most by Americans – and with good reason.  Identity theft, including the fraudulent use of credit cards by identity stealing hackers accounts for more dollars lost than all other property crimes combined.  Soon we will be heading into the holiday shopping season when credit card shopping both at brick and mortar stores and online will dramatically increase as will the attempts by hackers to steal credit card and debit card information so it is particularly important for everyone to be vigilant when using their credit and debit cards.  The bad news is that there is nothing that we, as individuals can do to reduce the chances of a major data breach at large and small retailers with which we do business, however, the good news is that there is a lot we can do to minimize our exposure.

TIPS

First and foremost, do not use your debit card for any purchases.  Limit its use to ATMs.  The consumer protection laws regarding fraudulent debit card use are not as strong as the laws pertaining to fraudulent use of credit cards.  Potentially, you could lose the entire bank account tied to your debit card if you are not carefully monitoring its use.  In addition, even if you do notify your bank immediately upon noticing fraudulent use of your debit card, your access to your bank account will be frozen while your bank investigates the crime.

Also, when shopping in brick and mortar stores, you may wish to patronize those stores, such as Walmart, which are ahead of the pack when it comes to transitioning from the old magnetic strip credit cards to the new smart cards with computer chips that would eliminate the risk of your credit card number being captured by a hacker and used for fraudulent purchases.  You also may wish to consider using the new Apple iPay system which also provides greater protection from hackers.

When shopping on line, limit your shopping to the websites of stores that you know are legitimate and make sure that your communications with the website including the providing of your credit card number is encrypted. You can confirm this by looking at the website address and making sure that it begins with “https” rather than merely “http.”  It is important to note that even if you are using a smart card with a computer chip you are not protected from hackers when shopping online because in this instance you are not generating a new number each time you shop.

As we get closer to the holiday season, I will be providing you with more tips to avoid holiday scams and identity theft schemes.