Scam of the day – September 18, 2016 – Work at home reshipping scams

Postal inspectors are again warning people about reshipping scams. Reshipping scams sound appealing.  You get to work at home and all you have to do is receive goods your new employer sends you, which are often electronics, inspect them and reship them to an address provided to you by your new employer.  The problem is that these goods have been purchased with stolen credit cards and you have just become an accomplice to the crime when you ship them to someone else who will then sell them to turn the merchandise into cash.  The term scammers use to describe the people doing the reshipping is a “mule” and it can get you into a lot of trouble.  It makes you an accomplice to the crime and a participant in money laundering.  The companies offering this type of work may seem legitimate, but they are not.  Often the advertisements for these work at home scams appear in legitimate media that have not properly checked out the legitimacy of the advertisements they run, so you can’t rely on the fact that the advertisement appears in a trusted media source.

TIPS

As always, if it sounds too good to be true, it usually is.  Check out any work at home scams with the big three – your local attorney general, the Better Business Bureau and the FTC.  And as always, you can Google the name of the particular company offering you the work at home program with the word “scam” next to it and see what turns up.  You also can use Google Earth to look into the physical address of the potential employer to see if it matches what the advertisement and communications with this employer indicate.  As for reshipping scams, they are always a scam and you should steer clear of them.

Scam of the day – September 17, 2016 – National Australia Bank phishing scam

Phishing scams by identity thieves posing as your bank are not limited to the United States. Reproduced below is a phishing email that is presently being sent to customers of the National Australia Bank that is consistent with the pattern for such phishing emails around the world.  The email looks official and even has an easily counterfeited logo of the bank.  Such emails often indicate that unless you verify your account information, your account will be suspended.  In this particular phishing email, if the customer clicks on the link provided it will take the customer to an official looking page that asks for personal information including bank account and credit card information.  After filling in the form the victim is actually directed to the real National Australia Bank website, but by then, it is too late.  The victim has already turned over his or her information to an identity thief who can use it to access the victim’s bank account and credit card.

You should always ignore any email like this.

TIPS

Although the good rule to follow is to never click on any links or download attachments in emails and text messages unless you have absolutely confirmed that they are legitimate, phishing emails such as this have telltale indications that they are phony.  In this instance, the email is addressed to “Dear Customer.”  Any legitimate email that you would get from your bank would use your name and provide the last few digits in your account number.  In addition, no bank will ask you to verify account details by way of a link in an email or a text message.  If you receive an email or text message such as this and are concerned that it might be real, you should merely call your bank at a telephone number that you know is accurate where you can confirm that the email was merely a phishing scam.

Scam of the day – September 16, 2016 – Critical new updates to Adobe Flash

After a one month break, new security updates have just been issued for Adobe Flash software.  I have been warning you for years about flaws in Adobe Flash that have been exploited by hackers and identity thieves against individuals, companies and government agencies including the U.S. State Department and the White House.  Problems with Adobe Flash are nothing new.  In 2010 Steve Jobs vociferously complained about its security and it has routinely been cited as being extremely vulnerable.  Despite security patch after security patch, new problems keep coming up.

Beginning on October 11th, Microsoft will begin blocking outdated versions of Adobe Flash from running in Internet Explorer on Windows 7.  If you use Windows 8.1, Windows 10 or Windows Server 2012 R2, this will not affect you because these systems automatically install Adobe Flash security patches.

It appears that just as companies retire certain programs when it is just too difficult to patch them, this may well be the time for Adobe to retire Flash and if it doesn’t, you should consider retiring it yourself and replacing it with another plugin that performs the same function, but is safer.    Adobe Flash has already been proven to be so vulnerable to successful attacks by hackers that installing new security patches as quickly as they are issued is little more than putting a Band-aid on the Titanic if I can mix my metaphors.

TIPS

Here is the link to the latest Adobe Flash security update which I urge you to download as soon as possible if you wish to continue to use Adobe Flash: https://www.us-cert.gov/ncas/current-activity/2016/09/13/Adobe-Releases-Security-Updates

Some alternative plugins you may wish to consider to replace Adobe Flash include GNU Gnash and Silverlight.  Silverlight can be downloaded free directly from Microsoft at this link: https://www.microsoft.com/silverlight/ while GNU Gnash can be downloaded free at this link: http://www.gnu.org/software/gnash/

Scam of the day – September 15, 2016 – What the data breach at the World Anti-Doping Agency means to you

The World Anti-Doping Agency (WADA), the international agency that enforces the rules regarding the use of performance enhancing drugs and other prohibited substances by athletes around the world, was hacked, apparently by Russian hackers who released the medical files of American athletes Simone Biles, Venus Williams, Serena Williams and Elena Delle Donne.  In each case, the records show that these athletes used drugs that were permitted under the Therapeutic Use Exemptions for legitimate medical reasons.  In the case of Simone Biles, the records indicated that she took Ritalin for ADHD.  None of the use of these drugs appeared to be related to improper drug use for performance enhancement.

Perhaps the bigger aspect of this story and one that is being overlooked in much of the media is how the hacking was accomplished.  Once again it appears that the hacking was done by exploiting information obtained through spear phishing.  Spear phishing occurs when a victim receives an email or text message specifically tailored to him or her with a link in it.  When the victim clicks on the link, he or she unwittingly downloads keystroke logging malware that enables the hacker to steal all of the information from the victim’s computer or smartphone including passwords and other critical information.

TIPS

Spear phishing has been used successfully by hackers in most of the major data breaches of the last few years including Sony, Target and the Office of Personnel Management (OPM).  Spear phishing is distinguished from the usual phishing email that can be easily spotted because, unlike ordinary phishing emails and text messages, spear phishing emails and text messages often appear to come from a trusted source and contain sufficient personal or relevant information that they appear to be genuine.  Often, we are our own worst enemies because we provide too much personal information on social media that can be used by clever cybercriminals to fashion spear phishing emails and text messages.  It is for this reason that you should never click on any links in an email or text message until you have confirmed that the email is legitimate.  You should also use security software and make sure that it is constantly updated with the latest patches although even doing that won’t protect you from the newest zero day exploits which exploit computer vulnerabilities that have previously not been discovered.  It usually takes the security software companies about a month to come up with defenses against the latest zero day exploits.

Scam of the day – September 14, 2016 – Steps to take when getting a new smartphone

According to the advertising slogan, diamonds are forever.  However, smartphones definitely are not.  Most people update to a new smartphone about every two years.  We use our smartphones for many purposes from doing banking to taking photos and our smartphones contain large amounts of personal information including passwords, account numbers and other information that we should take care to keep private when we turn in our phones.  The first thing, however, that you should be doing even if you do not intend to turn in your phone soon is to back up all of the data from your phone onto your computer, a portable hard drive or the cloud.

TIPS

When you are going to turn in your phone for a new one, you should clear your old phone of all app data and use a factory reset that is intended to clear your device of information stored in the phone.  Generally, your service provider can transfer the information to your new smartphone before you delete it from your former phone.  Check the owner’s manual, the provider’s website or the website of your phone’s manufacturer for instructions about how to do a hard reset of your phone before you dispose of it.  It is also important to remove or delete the data contained on your phone’s SIM or SD card, which contains important data and photos.  Even if you have cleared and reset your phone, your SIM or SD card will retain information so it is critical to remove your SIM or SD card from your old phone or have the data on these cards deleted.

Scam of the day – September 13, 2016 – Phony Hillary Clinton video contains malware

A common way that hackers manage to trick people into downloading malware used to steal the information from your computer or smartphone and enable them to make you a victim of identity theft is to send the malware disguised as an attachment for a video of something of great interest to many people.  It may be something related to a celebrity, such as purported nude videos or it may be of an event in the news, such as a video purporting to show formerly unavailable footage of, for instance, the shootings in the Orlando nightclub.  The presidential election is tremendous fodder for people seeking videos of candidates in compromising situations and scammers are taking advantage of this with malware attached to emails promising to provide newsworthy events. Such is the situation, as reported by computer security company Symantec, with an email presently circulating promising that the attached video shows Hillary Clinton accepting money from an ISIS leader in 2013.  In addition to being a totally outrageous accusation not based in any fact, the email is fraught with poor grammar.  However, that is not stopping some people who are clicking on the link and unwittingly downloading malware that can result in their becoming a victim of identity theft.

TIPS

Regardless of who sends you an email or a text message with a link attached, you should never click on the link until you have confirmed that the communication is legitimate.  Even if the message appears to come in the email or text message from a trusted friend, you can’t be sure that your friend has not had his email or smartphone hacked and used by a scammer to spread malware.  You should have security software on all of your electronic devices including your computer and smartphone and make sure that you keep your security software up to date with the latest security patches, but you cannot totally rely on that software to protect you from all malware dangers because it generally takes the software security companies about a month to catch up with the latest strains of malware.  Finally, in regard to communications promising startling videos or pictures of celebrities or newsworthy events, you should be particularly skeptical as to their authenticity.   Instead, it is better to rely on legitimate news sources that you can trust to be safer and more accurate.

Scam of the day – September 12, 2016 – Four year old data breach revealed

It was recently disclosed that Brazzers, a porn website, had been hacked four years ago.  Personal information of users of its forum in which subscribers communicated about porn movies was stolen and is now available on the Internet.  The information stolen included not only user names, email addresses and passwords, but also the substance of their conversations in the forum, which could be embarrassing to Brazzers subscribers if the information became public, leading to concerns about blackmail by cybercriminals with access to this information.  This data breach is reminiscent of the data breach at Ashley Madison, which proved to be extremely embarrassing to customers of that website that dealt with extra-marital affairs.  Of course, any data breach in which user names, email addresses and passwords are compromised poses a threat to the victims of the data breach who can be more seriously victimized by cybercriminals using that information to advance spear phishing schemes targeting the victims and luring them to click on links that will download keystroke logging malware that will steal personal information from the victim’s computer, smartphone or other electronic device and use that information to make the person a victim of identity theft.  In addition, many people use the same password for all of their accounts and once their password at one website becomes known, it can lead to attacks at other places such as online banking.

TIPS

The website Have I Been Pwned https://haveibeenpwned.com/ is a good place to go to find out if you have been victimized in a data breach.  This website gathers information about data breaches and you can put in your email address to find out if you have been a victim of any data breaches such as Brazzers where information is being circulated on the Internet.  It is also important to use a distinct and unique password for each of your online accounts so if you do become a victim of a data breach at one account, the security of your other accounts is not threatened.  Finally, for people who go to websites that they would prefer no one to know about, they should consider using a different user name and separate email address from their usual user name and email address.

Scam of the day – September 11, 2016 – New malware attacking online banking app

Many people find that doing their banking through their mobile devices is quick, efficient and convenient.  Unfortunately, it also carries with it the risk of cybercriminals hacking the smartphones and other mobile devices used by their victims to gain access to their victims’ bank accounts and steal their money. In my Scam of the day for June 3, 2016, I gave a number of tips about how to do your online and mobile banking more safely.  Cybersecurity, however, is a never ending process and a few days ago, researchers at cybersecurity company Kaspersky Lab announced they had discovered a new form of malware used to steal banking information and credit card information from the smartphones of Android users that can override the new security features Android had installed in the Android OS version 6 specifically to combat this type of threat and other similar threats.

The new malware, which is a modification of the Gugi banking malware, starts, as with so many attacks, by luring the victim into clicking on a link in a legitimate appearing text message that results in the initial downloading of the malware.  Once it is downloaded, however, the malware creates a display on your screen indicating the need for additional rights to work with graphics and windows.  If the victim clicks on the only link provided, another screen asks them to authorize app overlay and then other permissions. If the victim realizes what is going on and does not provide the requested permissions, the malware blocks the entire smartphone.  The only way to fix the problem at this point is to reboot the smartphone in safe mode and attempt to remove the malware, which is difficult to do.

If the malware does get fully installed with all of the permissions it requires, it enables the cybercriminal to take total control of the victim’s electronic banking and can readily empty his or her accounts.

TIPS

Along with the basic online and mobile banking precautions I urged you to take in my Scam of the day for June 3, 2016, you can protect yourself from the Gugi malware by never just automatically giving rights and permissions when an app requests you to do so.  Always evaluate why the app would need such permissions.

As always, the two most important things to do to protect yourself from any cybersecurity threat to your mobile phone are to follow my advice of “trust me, you can’t trust anyone” and never click on links regardless of who appears to be sending them until you have absolutely confirmed that the links are legitimate.  Also, make sure that you not only have security software on all of your mobile devices, but that you keep the security software updated with the latest security patches as soon as they are available.

September 10, 2016 – Steve Weisman’s latest column for USA Today

While it may appear that ATMs are a safe and secure way to get money from your bank account, the truth is that ATMs are vulnerable to being hacked in multiple ways and we, as customers, must be vigilant in order to protect ourselves and the security of our bank accounts.  Here is a link to my column from USA Today describing this problem.

http://www.usatoday.com/story/money/columnist/2016/09/10/how-safe-atms-skimming-not-very/89225960/

Scam of the day – September 10, 2016 – A new Chase phishing email

Phishing emails, by which scammers and identity thieves attempt to lure you into either clicking on links contained within the email which download malware or providing personal information that will be used to make you a victim of identity theft, are nothing new.  They are a staple of identity thieves and scammers and with good reason because they work.  Reproduced below is a copy of a new phishing email presently circulating that appears to come from Chase Bank.  DO NOT CLICK ON THE LINK.  Chase is a popular target for this type of phishing email because it is one of the largest banks in the United States.  Like so many phishing emails, this one attempts to lure you into responding by making you think there is an emergency to which you must respond. As phishing emails go, this one is pretty good.  It looks legitimate.  However, the email address from which it was sent is that of an individual totally unrelated to Chase and is most likely the address of an email account of someone whose email account was hacked and made a part of a botnet of computers used by scammers to send out phishing emails.  The grammar and spelling are good, but a minor flaw is the inconsistent capitalization in the phrase, “All Rights reserved.” Also, as so often is the case, the email is not directed to you by name and does not contain your account number in the email.  It carries a legitimate looking Chase logo, but that is easy to counterfeit.

Chase logo

Chase Bank Online® Department Notice:

Your online account has been suspended (Reason: the violation of terms of service).
Update and Restore your online account Now
Log On
Thank you for using Chase Bank.
Member FDIC © 2016 Chase Bank Financial Corporation. All Rights reserved.

TIPS

There are a number of indications that this is not a legitimate email from Chase, but instead is a phishing email. Legitimate credit card companies would refer to your specific account number in the email.  They also would specifically direct the email to you by your name.  This email has no salutation whatsoever.  As with all phishing emails, two things can happen if you click on the links provided.  Either you will be sent to a legitimate looking, but phony webpage where you will be prompted to input personal information that will be used to make you a victim of identity theft or, even worse, merely by clicking on the link, you may download keystroke logging malware that will steal all of your personal information from your computer or smartphone and use it to make you a victim of identity theft.  If you receive an email like this and think it may possibly be legitimate, merely call the customer service number where you can confirm that it is a scam, but make sure that you dial the telephone number correctly because scammers have been known to buy phone numbers that are just a digit off of the legitimate numbers for financial companies, such as Chase, to trap you if you make a mistake in dialing the real number.