Scam of the day – January 5, 2014 – What the Snapchat hacking means to you

January 5, 2014 Posted by Steven Weisman, Esq.

Snapchat has become the latest major company to have been hacked and to have its users’ data stolen by identity thieves.  More than 4.6 million user names and telephone numbers were taken in the hack.  Snapchat is an app that enables you to send photos and video messages that self-destruct after they are viewed, which is one reason the app has been popular with “sexters,” people sending sexually suggestive photographs that the sender may not want to have turn up elsewhere on the Internet at a later time.  A disturbing aspect of this latest hacking is that the security flaw exploited by the hackers was brought to the attention of Snapchat last summer, but the company did not take proper steps to remedy the problem.  Although it may seem that merely having your username and phone number fall into the hands of hackers would not pose a problem, it can lead to identity theft.  Many people use the same name for many different accounts, and the phone numbers can lead to targeted calls from identity thieves who already know your name and can make it appear that they are associated with a company with which you do business, such as your bank, and lure you into providing personal information that, in turn, can lead to identity theft.

TIPS

Gibson Security, an Australian security firm, first uncovered the security flaw in August and brought it to the attention of Snapchat, which ignored the warning.  Gibson Security has also set up a website to which you can go if you are a Snapchat user and want to find out if your username and phone number were among those stolen.  The website is www.lookup.gibsonsec.org.  If you were among the victims and you wish to continue to use Snapchat, you should change your username.  You also should take this as a lesson that you should not use the same username for all of your accounts.  If indeed you do use the same username for all of your accounts, change them all to different ones for each account.  As for your telephone number, you probably do not need to change it although it is now in the possession of identity thieves, but you should be on heightened alert if you receive a telephone call in which you are asked for personal information.  Remember, Caller ID can be “spoofed” so the call can appear to come from a legitimate source when, in fact, it is coming from an identity thief.  Don’t trust your Caller ID and never give personal information over the phone to anyone who calls you.  If you think the call is from a legitimate company or entity that does have a need for your personal information, call them back at a number that you know is accurate.

Scam of the day – January 4, 2014 – Iowa lawyer suspended in Nigerian inheritance scam

January 4, 2014 Posted by Steven Weisman, Esq.

Sometimes truth is stranger than fiction and today’s scam of the day is just that.  All of us continue to receive emails which we refer to as Nigerian letters even if they don’t always come from Nigeria.  The scam, which actually has been around since the 1500s, begins with a communication that you receive informing you that you are eligible to receive a large amount of money without having to do anything to qualify to receive the funds.  Often the funds are promised as a part of an inheritance even though you may well know that you have no relatives in Nigeria or wherever the email appears to originate.  Once the victim is hooked with the promise of “free” money, the demands for fees, administrative costs and other payments begin.  Often these payments required in order to get the “free” money end up in the hundreds of thousands of dollars.  Of course, at the end of the process, the victim receives nothing except an expensive lesson in scams and greed.  Many of us wonder why these scams are still around.  We wonder who could possibly fall for these scams after so much has become known about them.  Well, now we know who falls for this scam – Robert Allan Wright Jr. is an Iowa lawyer whose license to practice law was suspended for one year by the Iowa Supreme Court because he solicited loans from his clients to pay the $177,660 in Nigerian inheritance taxes and “anti-terrorism certificate” required in order to obtain 18.8 million dollars supposedly inherited by one of his other clients.  Of course the entire thing was a scam, which should be obvious to anyone, but apparently not to Attorney Wright who, according to the Iowa Supreme Court’s Disciplinary Board, “appears to have honestly believed – and continues to believe – that one day a trunk full of … one hundred dollar bills is going to appear upon his office doorstep.”

TIPS

There are no free lunches, nor are there any free inheritances that you are going to receive from Nigeria, particularly if you have had absolutely no connection with anyone in that country.  There also is no such thing as an “anti-terrorism certificate” which would have been clear to anyone who bothered to research the matter.    From time to time, I show you some of the Nigerian letters that I receive in my email on a regular basis so that you can see what the latest incarnations of these scams look like.  Do yourself a favor and never respond to any of these emails.

Scam of the day – January 3, 2014 – Child identity theft update

January 3, 2014 Posted by Steven Weisman, Esq.

Two days ago, Texas became the latest state to pass a law protecting children from identity theft.  The law is patterned after a Maryland law that became effective a year ago and was the first of its kind in the country.  The Texas law will permit parents of children under the age of sixteen to freeze their children’s credit reports with the major credit reporting agencies, Equifax, TransUnion and Experian.   This is important because in recent years, children have been a prime target of identity thieves who, if they are able to get identifying information on a child such as the child’s Social Security number, can open a credit report on behalf of the child and obtain credit in the child’s name.  The identity thief never pays back the money accessed through the child’s credit and the child is burdened with a bad credit report that can have a deleterious effect on the child when he or she applies for credit, applies for a job, applies for a scholarship or applies for an apartment.  Presently the major credit reporting agencies have not permitted credit reports to be frozen until there is an active credit report.  In the circumstances of a child, this would occur only after the child’s credit had been accessed and abused so it truly would be closing the barn door after the horses are out.

TIPS

Credit freezes are a great way for all of us to protect ourselves from identity theft even in the event that someone has access to your Social Security number.  You can find out more about credit freezes in my book “50 Ways to Protect Your Identity in a Digital Age.”  You can also find the laws about credit freezes in your own particular state by going to this link:   http://www.consumersunion.org/campaigns/learn_more/003484indiv.html

Scam of the day – January 2, 2014 – African organized crime activities in USA

January 2, 2014 Posted by Steven Weisman, Esq.

The FBI has just issued a warning about the actions of organized crime members from Africa who are perpetrating a rather unusual credit card scam in the United States.  Credit cards are processed generally through systems in which the retailer’s processing equipment sends a signal to the credit card authorizer when the card is swiped through the retailer’s card reader.  In the normal case, the authorizer approves the sale and the transaction is completed.  What these African organized crime members have been doing is merely covering with aluminum foil the feed horns, which are the part of the retailer’s satellite equipment that transmits the messages, thereby blocking the systems from working.  These feed horns are located on the roofs of the retail establishments using this technology.  Unsuspecting retailers have come to learn that while they thought that the credit card transactions had actually been processed, the interference with the transmissions caused the cards never to have been charged, and because many retailers do not validate every credit card transaction, the criminals have been able to purchase expensive electronic equipment without paying for it.  The criminals then have been pawning the equipment in New York or sending the equipment back to Africa.  At the present time, this scam appears to have been limited to Indiana, Kentucky, Ohio, Pennsylvania and West Virginia, but is expected to spread rapidly throughout America.

TIPS

Retailers should make sure that they validate every credit card transaction before completing the sale and if their credit card systems appear not to be working, they should make sure that the system is truly malfunctioning rather than merely having been tampered with at their establishment.  The ease with which this particular scam can be accomplished and the low cost involved with perpetrating this fraud almost guarantee that we will be seeing more of this soon.

Scam of the day – January 1, 2014 – Why Target is wrong about their PINs being safe

January 1, 2014 Posted by Steven Weisman, Esq.

By now many of you may be sick of more information regarding the massive Target data breach of 40 million credit and debit cards, but the cold, hard fact is that much of the information that you are hearing may be misleading and inaccurate.  Even more important is the fact that relying on such information could lead to dire consequences for you if you were one of those people whose card data was breached.

On December 26th, I told you here on Scamicide that most likely Target was playing a semantic game when it said that the PINs used with debit cards were not compromised.  I told you that the reason for that was that Target was probably taking the position that because its PINs were encrypted, they were not compromised.  The next day, Target clarified its position by telling you exactly what I said was the truth, which is that indeed PINs were taken, but that they were encrypted.  Now Target is telling everyone that because the PINs were encrypted, there is no risk to the people who used their debit cards to make purchases at Target during the time of the breach.  This is false.  While theoretically, the encryption program used by Target is unlikely to have been compromised, studies have shown that the world’s most popular PIN is 1234 and it does not take a rocket scientist or sophisticated hacker to decipher this PIN.  Nor is it very difficult to guess the next most popular PINs which are, in order of popularity, 1111, 0000, 1212, 7777, 1004, 2000, 4444, 2222 and 6969.  In fact, 27% of all passwords could be deciphered by trying the 20 most popular combinations.  It also should be noted that the Target hackers are obviously quite technologically sophisticated and it is possible that they may indeed have algorithm solving software that just may be up to the task of deciphering the PINs of a great number of the stolen debit cards.

TIPS

The first thing anyone who used a debit card at Target during the affected time period should do is get a new debit card and change the PIN.  When setting a new PIN, make it a random number and not one readily guessable, such as 1234.  Pick a sequence that has a meaning to you, but is unusual or make an unusual four-letter word using the keypad that is easy for you to remember.  This should also be a wake-up call for everyone who has a PIN that is not sufficiently complex to change it to a safer PIN.  Finally, as I have been advising you to do for a long time, limit your use of your debit card to ATM machines.  The risk when using it for retail purchases is, as I have described in numerous “Scams of the day,” much greater than the risk when you use a credit card.

Scam of the day – December 31, 2013 – International hacking network busted

December 31, 2013 Posted by Steven Weisman, Esq.

This week Spanish law enforcement working closely with American law enforcement broke up a major international hacking effort that had been responsible for stealing more than sixty million dollars from ATMs throughout the world.  Among those arrested were six Romanian citizens and two Moroccan citizens, all of whom were arrested in Spain.  When arrested, the individuals had a large amount of cash, jewelry, computers and approximately 1,000 counterfeit ATM cards.

This same criminal group, it is alleged, stole 40 million dollars throughout the world in a coordinated and swift attack that took place in just four hours in 23 different countries early in 2013.  It is alleged that the data breach necessary to obtain the card information was done through hacking into the databases of credit card processing companies, which in recent years have become known to be the weakest link in the electronic payment system.

TIPS

This particular story underscores that regardless of how careful you are, you are only as safe from identity theft as the places holding your personal information with the weakest security.  Unlike many other major ATM security breaches, the information necessary to accomplish the scam was not obtained through skimmers capturing card data when cards were inserted into tampered ATMs.  Rather the information was stolen from credit card processing companies and then used to make counterfeit cards which were then taken to ATMs to access the accounts of the people whose identities were stolen.

Certainly you should follow good personal security steps as described in my book “50 Ways to Protect Your Identity in a Digital Age,” but you should also recognize that merely following those steps will not totally protect you.  You should limit the use of your debit card to ATMs and not use the card for retail purchases where you do not receive the same level of protection from fraudulent charges that you have with a regular credit card.  In addition, you should monitor your credit card regularly for fraudulent charges to catch any security breach early.

Scam of the day – December 30, 2013 – Nelson Mandela scams

December 30, 2013 Posted by Steven Weisman, Esq.

The recent death of former South African President Nelson Mandela was a sad occasion due to the loss of this great man, but it was also a time to celebrate a long life well lived.  Unfortunately, it also has turned into an opportunity for scam artists to turn people into scam victims as a number of different Mandela-based scams are appearing in emails, text messages and social media.  Although they are all different, most share the same basic format, which is that following Mandela’s death, the person receiving the email, text message or other communication is lucky enough to have been chosen to receive a substantial payment from the Mandela estate.  Other scams are tied to the fundraising efforts of the Nelson Mandela Foundation and promise the potential victim a share of the funds raised by or on behalf of the foundation.  Similar to the Nigerian letter scam, the funds which are initially promised to be free and unconditional end up costing the victim large amounts of money for various fees and administrative costs that the victim is told must be paid before the victim can receive his or her funds, which, of course, never come.

TIPS

Scammers are always adapting their scams to whatever is newsworthy and is holding the public’s attention.  Again, as always, when you receive any communication offering you free money under any pretext, the first question is why would the person or entity offering you the money randomly choose you.  You should also remember a couple of my mottoes, namely, “if it sounds too good to be true, it is” and “trust me, you can’t trust anyone.”  In regard to scams directly related to Nelson Mandela, you can check out the website of the Nelson Mandela Foundation which keeps track of the many scams related to the great man’s name.  Here is a link to the foundation’s website with a list of Mandela related scams:

http://www.nelsonmandela.org/content/page/public-scams

Never give money to any scheme until you have confirmed the legitimacy of both the scheme itself and the people involved with it.  Generally, it will not take long to discover that these types of free money offers are nothing more than scams.

Scam of the day – December 29, 2013 – Phony lottery scam

December 29, 2013 Posted by Steven Weisman, Esq.

Phony lotteries continue to be one of the most common scams and with good reason.  Each year Americans lose more than 120 million dollars to phony lotteries.  The appeal of lotteries is obvious.  For a small price you get a chance to win a huge amount of money.  With phony lotteries the initial appeal is even greater because when you are notified by phone, email or snail mail that you have won a phony lottery, you haven’t even had to pay for a lottery ticket.  What could be better than that?  Of course, with phony lotteries, you do end up paying large amounts of money to claim your “winnings”; ultimately, however, you end up with nothing.  Actually, you end up with less than nothing because you lose your own money in your attempt to claim your prize.  Generally, the scams start with the initial notification that you have won a lottery that you never entered.  When you go to claim your prize, you are then told that you need to pay taxes or processing fees before you can get your prize money.  Of course after you have made these payments, you never get anything except a lesson in life.

Some of the emails that you receive informing you of your lottery winnings are written quite well and appear to be quite official and convincing.  Recently, however, I received a notification in my email that was so poorly written that it was an insult to true scam “artists.”  The notification I received merely stated, “You won the lottery. Contact me for details.”  There was no description of what lottery this referred to nor was there even a signature of anyone.  It is hard to imagine anyone falling for this scam, but unfortunately, some people will indeed end up becoming a victim of this.

TIPS

Whether it is the Jamaican Lottery which is a scam that has been stealing millions of dollars from Americans in recent years or any other phony lottery, it is important to remember that you do not win a lottery that you have not entered.  It is also important to remember that although lottery winnings are subject to income taxes, you will never be asked to pay your income taxes to the lottery sponsor.  Either the lottery sponsor will deduct the taxes from your winnings, as is done with state sponsored lottery winnings or you are responsible for paying income taxes on the winnings directly to the IRS and your state department of revenue.  Never will a legitimate lottery collect taxes from winners.  Neither will they charge you administrative fees that you must pay before you can collect your winnings.  Don’t get blinded by greed.

Scam of the day – December 28, 2013 – Target reloading scam

December 28, 2013 Posted by Steven Weisman, Esq.

Many of you may be wondering why I have been writing about the Target hacking so often recently.  Certainly it is true that 40 million people are affected by the Target scam and the more information that I can provide to those people, the better they will be, but even if you are not one of those people directly affected by the Target hacking, the lessons provided by this hacking apply to us all.

Reloading is the name for the scam in which scammers go back to victims of scams, identity theft or hacking, purporting to provide assistance in straightening out the mess created when the victim was first harmed.  In fact, what the scammers are actually doing is getting more money out of the victim under the guise of helping the victim or getting more personal information from the victim that leads to further identity theft of the victim.  This is just starting to happen in response to the Target hacking.  Although Target has legitimately been contacting its customers by emails, so have identity thieves either purporting to be Target or a consumer protection agency.  In both cases, the identity thieves attempt to lure the victims into clicking on links in the emails.  These links either download malware on to the victim’s computer, permitting the identity thief to steal all of the information from the victim’s computer and leading to the person becoming a further victim of identity theft, or lead to a page on which the victim is prompted to provide personal information directly, which will lead to identity theft.  In other circumstances, the victim is told that he or she must pay for assistance from the phony consumer protection agency.

TIPS

No legitimate consumer protection agency such as the Federal Trade Commission or your local state attorney general’s consumer protection division ever requires you to pay for their services.  Also, as I constantly warn you, do not click on links in email regardless of how legitimate the emails look until you have confirmed that they are indeed legitimate.  In the case of Target, as with other companies, don’t click on the links in their emails, but rather go directly to their legitimate website at an address that you know is accurate for further information.  Also, do not provide personal information to anyone until you have confirmed that the person, company or agency is both legitimate and has a real need for the information.  Finally, make sure that your computer, laptop, tablet and smartphone are all protected with the latest anti-malware software and keep that software up to date.

Scam of the day – December 27, 2013 – Syrian Electronic Army update

December 27, 2013 Posted by Steven Weisman, Esq.

I first reported to you about the Syrian Electronic Army last summer when this organization hacked into the New York Times, the Washington Post and a number of other major American companies.  More recently, in October I told you about the SEA’s hacking into President Obama’s Twitter and Facebook accounts.  In perhaps its most disruptive attack, the SEA hacked into the Associated Press’ Twitter account this past April and sent out a phony tweet about explosions at the White House.  The response to this phony and false tweet included a temporary drop in the stock market as the market responded to the fake news story with panic.  This group, which may or may not be sponsored or controlled by the Syrian government of President Bashar al-Assad, certainly is philosophically aligned with his government.

Earlier this week, the FBI warned many companies about new cyberattacks being made by the SEA at this time.  The cyberattacks begin with an innocuous-looking email that purports to contain a link to a CNN article about the Syrian revolution.  The email also directs the recipients to a phony Google log-in page which requires the person receiving the email to input his or her username and password.  This phishing type scam appears to be how the SEA manages to gain access to the websites and databases of their targets.  Once the SEA has the usernames and passwords, it is often able to use that information to infiltrate the computers of the companies of their victims.

TIPS

The lesson here is not just for major companies that may be targets of the Syrian Electronic Army, but is one for all of us.  This tactic used by the SEA is also used by scammers and identity thieves whose goal it is to get access to the information in your computers, laptops and smartphones for purposes of identity theft.  By luring you to click on a tainted link or download or tricking you into providing usernames and passwords, these identity thieves and hackers manage to get you to turn over the keys to your kingdom.  As I often say, “trust me, you can’t trust anyone.”  Never click on links or download attachments which may be riddled with malware unless you are absolutely sure that they are legitimate.  Merely because a link or attachment is in an email that appears to come from someone you know, you cannot be sure that your friend’s email has not been hacked by an identity thief.  Always confirm that a link or attachment is indeed accurate before ever clicking on the link or downloading.  Also, jealously guard your username and passwords.  Again, make sure that anytime you are asked for them, that the inquiry is legitimate and not just a cleverly worded phishing attempt.