Scam of the day – January 18, 2016 – Identity theft dangers of social media

January 18, 2016 Posted by Steven Weisman, Esq.

Social media is as much a part of modern-day life as a morning cup of coffee.  Facebook, Twitter, Instagram and many other social media sites are the primary way that many people communicate.  With more than 500 million people on Facebook alone, you can expect that identity thieves will be there taking advantage of the opportunities for identity theft presented by social media.  Although many social media scams involve luring people into clicking on links containing keystroke logging malware that will steal the information from your computer or smartphone and use it to make you a victim of identity theft, a major source of identity theft on social media is people posting too much personal information about themselves, which identity thieves can manipulate for their illegal purposes.

Recently, Niagara County, New York, County Clerk Joseph A. Jastrzemski issued a warning about people putting photographs of their driver’s licenses on Facebook and other social media.  Too often, a young person who just got his or her driver’s license will post a photo of the license on social media without realizing that he or she is providing information, such as address and birth date, that can be used either to contribute toward their becoming a victim of identity theft or to create phony driver’s licenses that can be sold on the black market.  Such phony licenses can result in the victim of the identity theft having motor vehicle offenses turn up on his or her own driving record.

TIPS

When it comes to posting personal information on social media, often the less you provide the better.  Don’t ever post driver’s licenses or other forms of personal identification.  Too much personal information in the hands of an identity thief makes it easier for him to target you with spear phishing emails or text messages that use the information harvested from your social media to seem legitimate.  This can result in victims trusting the communications and downloading keystroke logging malware.

Don’t befriend everyone who asks.  Identity thieves will contact you with phony profiles to lure you into providing information they can use to make you a victim of identity theft.  Also, check out the privacy policy of the various social media sites you use.  You may be providing more information than you want to share with other people.

Scam of the day – January 17, 2016 – Another mystery shopper scam

January 17, 2016 Posted by Steven Weisman, Esq.

Although there is nothing new about secret shopper scams or mystery shopper scams as they are sometimes called, they are scams that remain popular and  are still constantly finding new victims.  I picked today to make this the Scam of the day because I received a scam secret shopper email that I am reproducing below.  I have blocked out the email address and website address included in the email:

“Description-Job
You will be assigned to visit a shop.
You will then finish an online questionnaire to share with us your customer experience.
Requirements
17 year old or above,can read and write English.
No Experience needed like Shopping.
Pay Job
You will get U$325 for each assignment.
Most of the time you will only need to spend 17 minutes on the visit.
Names:
Address Line:
City:
State:
Zip Code:
Mobile Phone Number:
For more details> Email > ********************
You can go to our site to apply:  **************************************
Jordan Miller
Paid Surveys
Secret-Shopper”

The manner in which the scam works is that when you answer an advertisement or an email to become a secret shopper, you are sent a bank check to deposit and use for your shopping.  You spend some of the money on the goods that you purchase which you are allowed to keep and also are directed to keep some of the balance of the check as payment for your services.   You are instructed to return the remaining funds by a wire transfer.  The problem is that the check is counterfeit, but the money you send by wire from your own bank account is legitimate and that money is gone from your bank account forever.

TIP

One reason why this scam snares so many people is that there really are mystery shopping jobs, although the actual number is quite few and they do not go looking for you.  If you want to find out if a mystery shopping company is legitimate, you can contact the Mystery Shopping Providers Association, which is a trade organization of legitimate mystery shopping companies.  Their website is www.mysteryshop.org.  Another indication that you are involved with a scam is when you receive a check for more than what is owed you and you are asked to wire the difference back to the sender.  This is the basis of many scams.  Whenever you receive a check, wait for your bank to tell you that the check has fully cleared before you consider the funds as actually being in your account.  Don’t rely on provisional credit, which is given after a few days but which can be rescinded once a check bounces.  Never accept a check for more than what is owed with the intention to send back the rest.  That is always a scam.  Also be wary whenever you are asked to wire funds; this is a common theme in many scams because wired funds are difficult to trace and impossible to stop.

January 16, 2016 – Steve Weisman’s latest column from USA Today

January 16, 2016 Posted by Steven Weisman, Esq.

Here is a link to Steve Weisman’s latest column from USA Today which contains more important tips to help protect you from identity theft in the new year.

http://www.usatoday.com/story/money/columnist/2016/01/16/weisman-simple-steps-foil-identity-thief/78760064/

Scam of the day – January 16, 2016 – Turkish hacker sentenced to 334 years in prison

January 16, 2016 Posted by Steven Weisman, Esq.

While American judges struggle with finding proper sentences for cybercriminals, Turkish judges don’t appear to be having the doubts that American judges in some instances do.  In the United States, the federal Computer Fraud and Abuse Act (CFAA) provides for a maximum sentence of ten years for a first offender and 20 years for repeat offenders; however, there are a number of factors that judges are required to consider that could reduce the length of the sentence.  Recently Deniss Calovskis, who was involved in a major computer attack, had his sentence set at the mere 21 months he had already served prior to his trial.  Meanwhile in Turkey, Onur Kopcak, who had already been serving a 199-year sentence for computer crimes of which he had been convicted in 2013, was sentenced to an additional 135 years in prison for hacking the credit card information of 11 people and selling the information to other criminals.

TIPS

One of the reasons for the proliferation of cybercrimes has been that the sentences for major cybercriminals have not been sufficiently harsh to serve as a disincentive to criminals from committing these crimes.  Obviously this is not the case in Turkey.  Other reasons for the dramatic increase in scams and cybercrimes in recent years include the ease with which they can be accomplished from anywhere in the world and the difficulty in apprehending the criminals.  Meanwhile, when it comes to protecting yourself from scams, cybercrimes and identity theft, the best place to look for a helping hand is at the end of your own arm and one of the best ways to do this is by following the basic steps regularly provided here on Scamicide.

Scam of the day – January 15, 2016 – Powerball lottery scams

January 15, 2016 Posted by Steven Weisman, Esq.

By now everyone is aware that three winning tickets for the 1.6 billion dollar record Powerball lottery were sold in California, Florida and Tennessee.  However, merely because the lottery drawing has been completed does not mean that scams related to the drawing have ended.  Year after year, lottery scams are one of the most common and profitable scams for scam artists, the only criminals we refer to as artists.  What is now happening is that people are being contacted by emails or phone messages and told that although they did not win the top prize, they did win one of the lesser prizes, which can be as much as a million dollars.  The only catch is that you need to prepay administrative fees or income taxes on your winnings before your prize will be sent to you.

TIPS

Because hundreds of millions of tickets were sold for this latest Powerball drawing, there is a good chance that when you are contacted by a scammer posing as a Powerball lottery agent, you may have purchased a ticket or two.  However, it is important to remember that the lottery commissions that operate Powerball do not have any information as to who purchased particular tickets, so if you get a call or an email from someone saying that your ticket is a winner, it is a scam.  In addition, administrative fees are never assessed as a condition of receiving a legitimate lottery prize.  As for income taxes, legitimate lotteries never collect taxes from you as a condition of claiming your prize.  Either, as Powerball does, the taxes are deducted from your prize before you receive the prize or, as some lotteries operate, the entire prize is sent to you and you are responsible for paying the taxes yourself to the IRS.  Finally, it is important to remember that even if your Caller ID indicates that the call you receive is from the lottery commission, scammers can use a technique called spoofing to make it appear that their call is coming from the lottery commission when it is really coming from a scammer.

Scam of the day – January 14, 2016 – Documentary movie scam

January 14, 2016 Posted by Steven Weisman, Esq.

Montana state judge Mike Menahan has frozen the assets of Matthew McClintock and also issued a permanent injunction freezing the assets of McClintock, who also uses the name Michael Willis, following charges of securities fraud brought by the Montana State Auditor.  The charges relate to McClintock’s soliciting of investors for a documentary about cowboys that would be narrated by Clint Eastwood and broadcast on PBS and Fox.  In the course of his soliciting investors, McClintock told them that the movie would have a prominent University of Montana history professor advising the film and a portion of the movie’s profits would be given to the Western Montana Breast Cancer Fund.  Unfortunately, neither Clint Eastwood nor the history professor was involved with the project, PBS and Fox had never heard of the movie and the Western Montana Breast Cancer Fund does not exist.  According to Montana security officials, the money collected from swindled investors went primarily to McClintock’s own use, with some going for interest payments to other investors, which is a telltale sign of a Ponzi scheme.  McClintock has also been charged criminally in regard to the movie project and is presently already on probation in Montana following a 2010 conviction for a money-raising scam.  He had been previously convicted of securities fraud in Oklahoma.

TIPS

Investing in anything carries risk.  Investing in the making of a movie is incredibly risky even when the movie project is legitimate.  No one should ever consider investing in anything that they do not understand.  This is a rule that would have saved Bernie Madoff’s victims millions of dollars because as Madoff himself later admitted, if people had carefully looked into what he said he was doing, they would have recognized it could not have been done.  In addition to investigating the particular investment, you should also investigate the company and, most importantly in this case, the person selling the investment to you.  Had McClintock’s investors checked him out, they would have found that he had already been convicted of securities fraud.

Scam of the day – January 13, 2016 – The Cybersecurity Act of 2015 explained

January 13, 2016 Posted by Steven Weisman, Esq.

Deep in the trillion dollar federal spending bill that President Obama signed into law on December 18, 2015 was the Cybersecurity Information Sharing Act of 2015 (CISA) which establishes a voluntary cybersecurity information sharing program for the public and private sectors to share information about cyberthreats.  This law was, as many are, a compromise version of competing House and Senate versions of the cybersecurity bill.

The sharing of information about cyberattacks, data breaches and hacks by corporations and others with applicable federal agencies is seen by many as a critical step in protecting the public from these types of attacks; however, many companies were hesitant to share information after they had suffered a data breach or other cyberattack for many reasons, including concerns about the privacy rights of people whose information would be included in the information provided to the government as well as concern about possible liability on the part of the companies.

The new law provides for individuals, companies, groups, state governments and local governments to share with the federal government both cyber threat indicators and defensive measures.  The law specifically indicates that personal information of individuals is to be removed from the data before being shared.  The law provides for the information to be initially provided to the Department of Homeland Security, which will then, in turn, share the information with other appropriate federal agencies and other entities that have appropriate security clearances.  The federal government is specifically prohibited by provisions in CISA from using this information for any purpose other than cybersecurity purposes and the data will not be available to the public through the Freedom of Information Act.  As an incentive to private companies to share this type of information, the law specifically protects them from any liability related to the monitoring of their information systems or the sharing of the information.

TIPS

This law, which is Congress’ first major cybersecurity legislation, is indeed a modest start to dealing with a major problem.  The program is purely voluntary and many privacy advocates are concerned that the law does not provide enough protection of personal data and its misuse by the federal government.  Whether the critics are correct is not immediately apparent from the specific wording of the legislation, but will only become known after the law is fully implemented.  However, the importance of Congress finally taking some, albeit small, steps toward dealing with a major threat to us all should not be minimized.

Scam of the day – January 12, 2016 – Data on 320,000 customers of Time Warner Cable stolen

January 12, 2016 Posted by Steven Weisman, Esq.

Time Warner Cable is the country’s second largest cable telecommunications company.  Recently the FBI discovered that personal information including email addresses and passwords of 320,000 Time Warner customers had been stolen.  It has still not yet been determined whether the data was lost as a result of a hacking of Time Warner’s computers or of one of the companies it uses to handle account data.  This again points out the problem that your data is only as safe as the security at whichever company holding your data has the weakest security.

TIPS

Time Warner is contacting its customers by email and advising them to change their passwords.  If you are a Time Warner customer, you should change your password even if you do not receive an email from Time Warner urging you to do so.  This is also a reminder to all of us to make sure that we use unique passwords for all of our accounts so that in the event of a data breach such as occurred here, your other accounts are not in jeopardy.  Finally, information stolen in hackings such as this is often used by scammers for spear phishing emails, which are phishing emails that appear to come from a company with which you do business and that prompt you to click on links within the email or provide personal information.  Because the email has been tailored to you personally, it is easy to fall prey to such a scam, which is why you should remember one of my primary rules, “trust me, you can’t trust anyone.”  Never provide personal information or click on links in emails unless you have independently confirmed that they are legitimate.

Scam of the day – January 11, 2016 – Former St. Louis Cardinals official pleads guilty to hacking the Houston Astros

January 11, 2016 Posted by Steven Weisman, Esq.

In July of 2014 I first reported to you about the hacking of the computers of the Houston Astros baseball team.  Now, after a prolonged investigation, Christopher Correa has pleaded guilty to hacking the private online database of the Astros called Ground Control that contained tremendous amounts of confidential data including scouting reports and statistics on baseball players.  At the time he did the hacking, Correa was the Director of Baseball Development for the St. Louis Cardinals.  Correa was fired by the Cardinals when he first became a suspect in the hacking of the Astros.  A current Astros employee had worked previously for the Cardinals and Correa was able to easily guess the password used by him to access Ground Control by merely using variations of the password the Astros employee had used when he worked for the Cardinals.  Armed with this password, Correa stole data from Ground Control for use by the Cardinals.  Correa will be sentenced on April 11th which, coincidentally, is the day of the Cardinals’ home opener for the 2016 baseball season.

TIPS

Although this story reads like fiction, perhaps the biggest lesson for all of us from this story is the danger of using the same password or slight variations thereof for all of your accounts, which unfortunately is a habit that many people have gotten into.  Hackers will often steal passwords of customers from companies when they commit a data breach and then use those passwords for identity theft purposes at banks, brokerage houses and other companies where the victim can suffer substantial financial losses.  The best course to follow is to have a difficult to crack password that is unique for every account.

 

Scam of the day – January 10, 2016 – Bethpage federal credit union phishing scam

January 10, 2016 Posted by Steven Weisman, Esq.

Today’s Scam of the day comes from my own email account and I am sure it, or something similar, has turned up in yours.  It appears to be a notice from Bethpage federal credit union that a new payee has been added to my online banking account.  It is common when you do add a new payee to your online banking account to receive a notice from your bank confirming that indeed you did add the new payee and it is not a scam.  In this case, particularly because I do not have an account with Bethpage federal credit union, it was clear to me that this was a scam.  Had I been concerned that the email was legitimate and clicked on the links provided in this phishing email, I would have either been prompted to provide personal information that would have led to my identity being stolen or, even worse, I would have automatically downloaded keystroke logging malware that would have stolen my personal information directly and made me a victim of identity theft.

Here is a copy of the email I received.  DO NOT CLICK ON ANY OF THE LINKS.

Greetings from Bethpage Bill Pay!
The following payee was added to your Bethpage Bill Pay account.

Payee Information
Payee name: Ashlyn a Prato
Account number: *3480

If you did not add this payee on your account, please Logon immediately.

If you have any questions, please contact us at bethpagefcu@billsupport.com or call us at 855-358-8264.

Sincerely,
Bethpage Bill Pay
Alert: (1154293202)
Document Reference: (309351382)

TIPS

This particular phishing email is filled with flaws.  First and most notably, the email address from which it was sent is a private email account, most likely that of someone whose email had been hacked and used as a part of a botnet to send out phishing emails such as this.  The email address from which it was sent had absolutely no relationship with the Bethpage federal credit union.  In addition, the email salutation is merely “Greetings from Bethpage Bill Pay” rather than being addressed to me by name.  Finally, no logo of the bank appears in the email.  If you ever do receive this or a similar email that you think might be legitimate, you still should not click on the links in the email or call the phone numbers that appear in the email.  Rather, you should call the bank at a telephone number that you know is correct in order to find out what the truth is.