Scam of the day – April 25, 2016 – Ecuador and Japan earthquake charity scams

April 25, 2016 Posted by Steven Weisman, Esq.

The problems following the recent devastating earthquakes in Ecuador and Japan continue to increase, with affected people in those areas of the world in great need of help.  This kind of natural disaster brings out the best in us, as many people are quick to make donations to charities to help the earthquake survivors and the families of the victims.  This kind of natural disaster also brings out the worst in scammers, who are quick to take advantage of the generosity of people by contacting them while posing as charities; instead of collecting funds to help the victims of these natural disasters, the scam artists steal the money for themselves under false pretenses.  Charities are not subject to the federal Do Not Call List, so even if you are enrolled in the Do Not Call List, legitimate charities are able to contact you.  The problem is that whenever you are contacted on the phone, you can never be sure who is really calling you, so you may be contacted either by a phony charity or by a scammer posing as a legitimate charity.  Similarly, when you are solicited for a charitable contribution by email or text message, you cannot be sure whether the person contacting you is legitimate or not.

TIPS

Never provide credit card information over the phone to anyone whom you have not called or in response to an email or text message.  Before you give to any charity, you may wish to check out the charity with www.charitynavigator.org, where you can learn whether or not the charity itself is a scam.  You can also see how much of the money that the charity collects actually goes toward its charitable purposes and how much it uses for fundraising and administrative costs.  If you do wish to make a donation to a charity, go to the real charity’s website or call them at a telephone number that you know is accurate in order to make your donation, rather than responding to a telephone call or electronic communication.  Charitynavigator.org lists some highly rated charities involved with earthquake relief, which you may wish to consider if you are thinking about making such a charitable gift.  They are Global Giving, Helping Hand for Relief and Development, and the International Medical Corps.  Below are links to their pages on Charitynavigator.org, which describe the charities in detail and provide a link to make a donation if you are so inclined.

http://www.charitynavigator.org/index.cfm?bay=search.summary&orgid=11648#.Vxt5gfkrIkU

http://www.charitynavigator.org/index.cfm?bay=search.summary&orgid=12691#.Vxt5uPkrIkU

http://www.charitynavigator.org/index.cfm?bay=search.summary&orgid=8158#.Vxt59fkrIkU

 

Scam of the day – April 24, 2016 – Scams involving the death of Prince

April 23, 2016 Posted by Steven Weisman, Esq.

It is a sad fact of life that the deaths of celebrities, such as the recent untimely death of Prince, particularly when they occur unexpectedly, are exploited by scammers seeking to lure curious, unwary people to dangerous websites or to get them to click on links containing malware.  It is important to never click on links in text messages or emails unless you have absolutely confirmed that they are legitimate, because they may contain keystroke logging malware that can steal all of the information from your computer, laptop, smartphone or other device and use that information to make you a victim of identity theft.  In addition, a particularly insidious type of malware can be installed on your computer or other device merely by going to an infected website.  Therefore, as tempting as it may be for some people to respond to emails, social media posts or other communications promising unseen videos of Prince’s last moments or photographs, you should avoid clicking on those links and going to websites promising this information.  If you want reliable information, you should stay with legitimate news websites.

In addition, it is important to point out that even if you have the most up to date versions of anti-malware security software on your computer and other devices, you will always be at least thirty days behind the newest malware.  It takes that long for the security software companies to come up with new security software to combat newly discovered computer vulnerabilities, sometimes referred to as “zero day” exploits.

TIPS

These types of scams, capitalizing on the deaths of celebrities such as Whitney Houston, Michael Jackson, Paul Walker and Robin Williams, have become far too common and predictable.  Don’t be a victim of these scams.  Never click on links in emails or text messages promising you photographs, videos or even new information about events such as these, and don’t even go to websites with which you may be unfamiliar to find such information, because your computer may get infected merely by going to the website without clicking on any links.  For reliable information, limit your searches to reliable sources.

April 23, 2016 – Steve Weisman’s latest column for USA Today

April 23, 2016 Posted by Steven Weisman, Esq.

Here is a link to Steve Weisman’s latest column for USA Today.  It contains startling information about how vulnerable we all are to having our bank accounts hacked by rogue employers at the banks we use.

http://www.usatoday.com/story/money/columnist/2016/04/23/how-vulnerable-our-bank-data-cyber-heist-very/83085352/

Scam of the day – April 23, 2016 – Google doubles bounty for white hat hackers

April 23, 2016 Posted by Steven Weisman, Esq.

Last month, I advised you about the new “bug bounty” program announced by the Department of Defense in which it is offering a “bug bounty” to vetted hackers who are able to identify vulnerabilities in its web pages and computer networks.  However, private companies, such as Google and Facebook, have long made cash payments to independent hackers, sometimes called white hat hackers to distinguish them from the criminal black hat hackers, who identified vulnerabilities in their computer code.  Generally, these bounties are between $500 and $15,000; however, Google has recently announced that it has doubled the reward that it will pay anyone who finds a flaw in the security of its Chromebook to $100,000.  Google has paid out more than six million dollars in bug bounties since the program was started in 2010.

TIPS

This is a positive strategy for businesses and government to follow to enhance cybersecurity.  As for us as individuals, the best things we can do to protect our cybersecurity are to keep our anti-virus and anti-malware software up to date on all of our electronic devices and to refrain from clicking on links or downloading attachments in all forms of electronic communication until we have absolutely confirmed that the communications are legitimate.  Otherwise, the risk of downloading malware is too great.

Scam of the day – April 22, 2016 – Epidemic of ATM skimmers

April 22, 2016 Posted by Steven Weisman, Esq.

As regular readers of Scamicide know, skimmers are small electronic devices that are easily installed by an identity thief on ATMs and other card reading devices, such as at gas pumps.  The skimmer steals all of the information from the credit card or debit card used, which then permits the identity thief to use that information to access the victim’s bank account when the skimmer is used on a debit card.  If a credit card is used, the identity thief can use the stolen information to access the victim’s credit card account.  Each skimmer can hold information on as many as 2,400 cards.  Recently, FICO Card Alert Service, a company that monitors ATM activity on behalf of banks, issued a report indicating that last year the use of skimmers on ATMs increased by 600% over the previous year.

TIPS

Always look for signs of tampering on any machine you use to swipe your credit card or debit card.  If the card inserting mechanism appears loose or in any other way tampered with, don’t use it.  Debit cards, when compromised through a skimmer, put the customers at risk of having the bank accounts tied to their cards entirely emptied if they do not report the theft promptly, and even if they report the theft immediately, they will lose access to their bank account while the matter is investigated by the bank.  Skimmers at ATMs are often coupled with a thin, clear electronic device that goes on top of the keyboard to capture the victim’s PIN to enable the identity thief to access the account of the victim whose account number was captured through the skimmer.  Debit cards should not be used for purchases at gas pumps or for other retail purchases because the legal liability laws related to stolen debit card information are not as protective as the laws relating to fraudulent credit card use.  The FICO Card Alert Service report noted that 60% of the skimmer attacks were done on private, non-bank ATMs, so you may wish to avoid those ATMs when possible.

Credit card rules required the use of new EMV smart chip credit card equipment by retailers to process these cards by October 1, 2015 in order for the retailer to avoid liability.   These rules, however, do not apply to the use of credit or debit cards at ATMs and gas pumps where the deadline to switch to the EMV smart cards is not until October 1, 2017 so you can expect identity thieves to continue to focus their attention on gas pumps and ATMs.

Scam of the day – April 21, 2016 – Criminals steal nuts

April 21, 2016 Posted by Steven Weisman, Esq.

Stealing nuts may not sound like a profitable criminal enterprise, but with the worldwide popularity of nuts as a healthy snack and truckloads of nuts such as walnuts, almonds or pistachios valued as high as $500,000, criminals, particularly in California, have increasingly targeted the nut industry in the last few years.  Last year alone the number of cases of truckloads of nuts being stolen exceeded the total number of the previous three years, with the cost to nut companies reaching 4.6 million dollars.

Today’s thieves often use technology as part of their arsenal with criminals using spear phishing techniques to hack into the computers of the nut companies to find out when shipments are ready to be picked up.  Sometimes the criminals arrive at the nut warehouses with counterfeit shipping papers and pick up truckloads of these valuable products.  Other times, the criminals pose as legitimate companies and hire a legitimate trucking company to pick up the nuts and then tell the truck driver that there has been a change of plans and divert the shipment.

Nuts are a valuable commodity on the black market, particularly in Europe and Asia.  In addition, it is hard to track nuts.  They contain no serial numbers and are easy to transport leaving little evidence of a crime.

TIPS

The nut industry is busy adapting to these new threats while the criminals continue to adapt to new security measures.  Better data security at nut companies will help.  In addition, many companies are now requiring photo IDs and fingerprint identification of drivers picking up nuts for delivery.  Confirmation of orders is also something that will help.  But for now the criminals seem to be getting much more than peanuts out of this crime.

Scam of the day – April 20, 2016 – DocuSign phishing scam

April 20, 2016 Posted by Steven Weisman, Esq.

DocuSign is a company that provides technology for the transmission of contracts and other documents with features for electronic signatures.  The company is used by many companies.  Recently I received a phishing email, reproduced below, that purported to be from an attorney that I know and with whom I do business, asking me to click on a link to open a document that needed my signature.  The phishing email looked very professional, contained the DocuSign logo and appeared legitimate.  In the copy of the email below, I have blocked out the name and other personal information used to identify the attorney who was purported to have sent me the document.  DO NOT CLICK ON THE LINK TO VIEW DOCUMENTS.

This is a spear phishing email designed to lure the person receiving the email to click on the link and either provide personal information that could be used for identity theft or, as is more likely in this particular phishing attempt, download keystroke logging malware onto his or her computer merely by clicking on the link.  This malware would have enabled the cybercriminal to steal all of the personal information from the computer and make that person a victim of identity theft.  This email was particularly dangerous because it came from someone with whom I do business whose email account was hacked and used to send out the spear phishing email.

Here is the email without the logo.

Please review and sign your document
 

From: XXXXXXXXX (XXX@aol.com)

Hello

Thomas has sent you a new DocuSign document to view and sign. Please click on the ‘View Documents’ link below to begin signing.

View Documents
XXXXXXXX
Law Office of XXXXXXXXX
XXXXXXXXXXX
XXXXXXXXXX
Fax: XXXXXXXXX
Email: XXX@aol.com

__________________________________________________________________________
CONFIDENTIALITY NOTICE: This email message contains confidential information intended only for the person(s) or entity to whom it is addressed and is subject to attorney-client privilege. If you have received this email message in error, please destroy the original message.

CIRCULAR 230 DISCLOSURE: Pursuant to U.S. Treasury Regulations, we are now required to advise you that, unless otherwise indicated, any federal tax advice contained in this communication, including attachments and enclosures, is not intended and may not be used for the purpose of (1) avoiding tax related penalties under the IRC or (2) promoting, or recommending to another party any tax related matters addressed herein.

TIPS

In this case, I actually followed my own advice to never click on a link, regardless of how legitimate the email or text message may appear, until confirming that the message is legitimate.  I emailed back to the attorney and asked him to confirm that it was legitimate and answer a question which I knew only he would know the answer to.  The response I got from him was that he had been hacked and I should not click on the link.

The lesson here is clear.  You can never be sure when you receive an email who is really contacting you.  Sometimes it is obvious, when the email address of the sender does not correspond to who is represented as sending the email, but other times, such as in this case, the email account of someone or some company you trust could have been hacked and used to send you the malware.  Therefore you should never click on a link or download an attachment in an email until you have absolutely and independently confirmed that it is legitimate.

 

Scam of the day – April 19, 2016 – Business email scam

April 19, 2016 Posted by Steven Weisman, Esq.

The FBI recently issued a warning about a dramatic increase in what it calls the Business Email Compromise (BEC) scam.  The scam involves an email to the people who control payments at a targeted company.  These people receive an email purportedly from the CEO, company attorney or even a vendor with whom the company does business requesting that funds be wired to a phony company or person.  At its essence, this scam is remarkably simple and relies more on simple psychology than on sophisticated computer malware.  Often the scammers will do significant research, not only learning the names of the key employees involved with payments within a company, but also infiltrating the email accounts of company employees for a substantial period of time to learn the protocols and language used by the company in making payments.  The scammers will also gather information from the company’s website and from social media accounts of its employees, all in an effort to adapt their message to seem more legitimate.

Companies both large and small have fallen for this scam, which has increased 270% in the last year and over the last couple of years has cost companies more than 2.3 billion dollars in losses.  American toy manufacturer Mattel lost three million dollars to this scam in 2015.

TIPS

In order to avoid this scam, companies should be particularly wary of requests for wire transfers made by email.  Wire transfers are the preferred method of payment of scammers because of the impossibility of getting the money back once it has been sent.  Verification protocols for wire transfers and other bill payments should be instituted, including dual factor authentication when appropriate.  Companies should also consider the amount of information that is available about them and their employees that can be used by scammers to perpetrate this crime.  They also should have strict rules regarding company information included on employee social media accounts.  Finally, employees should be educated about this scam in order to be on the lookout for it.

 

Scam of the day – April 18, 2016 – New York identity theft ring busted

April 17, 2016 Posted by Steven Weisman, Esq.

New York police recently indicted twelve people from Brooklyn and Queens, charging them with an intricate identity theft conspiracy by which they are alleged to have leveraged easily obtained personal information to obtain credit cards in their victims’ names.  They are then alleged to have used these cards to go on shopping sprees at stores, such as Barneys New York, Saks Fifth Avenue, Louis Vuitton and the Apple Store where they purchased expensive items that they could turn into cash on the black market.

One of the more disturbing elements of this identity theft ring is that they obtained enough personal information from public databases, and from companies that search those databases for you, to apply for credit cards in the names of their victims.  They also made counterfeit IDs to provide when they purchased items.  Other times they were able to merely add their names to existing accounts.  They also used the fraudulent credit cards to activate “Apple Pay” on their iPhones so they didn’t even have to provide a credit card when making purchases.  After the cards were ordered from the credit card issuers, they would have a member of the ring wait at the address where the cards were to be delivered to intercept the delivery.  They also were able to avoid credit card company fraud alert telephone calls inquiring about suspicious purchases by having their victims’ telephone numbers forwarded to phones they controlled.

TIPS

The ease with which the alleged criminals were able to obtain sufficient personal information to obtain credit cards in the names of their victims and forward their victims’ telephone calls points out the importance of companies taking stronger measures to protect our personal information and requiring more comprehensive security to confirm that they are not dealing with identity thieves.  The best thing that we as consumers can do to protect ourselves from this type of crime is to put a credit freeze on our credit reports so that credit cards cannot be obtained in our names without our specific authorization.  For more information about how to put a credit freeze on your credit reports, go to the section entitled “Search this Website” at the top of this Scamicide page and type in “credit freeze.”