Scam of the day – July 17, 2016 – Pokemon Go scam

It hasn’t taken very long for the Pokemon Go app to become the most downloaded phone app in the United States and it is equally popular around the world.   As I am sure you all know, the Pokemon Go app uses the popular Pokemon characters from twenty years ago and has updated them into a virtual reality game and, using GPS, allows gamers to  go out in the real world with their smartphones and catch Pokemon characters in the blended real and virtual worlds.  Of course, anything this popular will be used in some fashion to scam people and Pokemon Go is no exception to this rule.

The Pokemon Go app is free.  Nintendo and Niantic Labs, the developers of the new Pokemon Go app make money when gamers use real money to buy virtual currency called PokeCoins which gamers can use to purchase items to enhance the game experience such as eggs which hatch rare Pokemon or incense to lure Pokemon to their location.  Scam artists, the only criminals we refer to as artists are sending people emails such as the following, attempting to lure their victims into paying them to continue playing Pokemon Go.

“We regret to inform you that due to the overwhelming response to our new Pokemon Go app and the need for more powerful servers we can no longer afford to keep your account as free.  Your account will be frozen in 24 hours if you do not upgrade.”

You are then told to sign up for the new upgraded version at a cost of $12.99 per month.  People signing up for the service risk not only losing money, but turning over passwords and other personal information to a scammer who can use that information to make you a victim of identity theft.


So how do Erica and everyone else playing Pokemon Go protect themselves from these scams?  Here is a list of important steps to take.

  1.  Remember that Pokemon Go is a free app and Nintendo is not charging for upgrades.  Any notices you receive to the contrary are scams and should be ignored.
  2.  Install the updated version of the Pokemon Go app since the original version unintentionally invaded your privacy by providing full access to your Google account.
  3. Use a strong password and make sure that you don’t use the same password for your Pokemon Go account for any other account.
  4. Make sure that your smartphone is protected with security software and keep it up to date with the latest security patches.

July 16, 2016 – Steve Weisman’s latest column from USA Today

With all of the uproar about Hillary Clinton’s email usage, I wondered how careful the rest of us are in our use of email. Here is a column I wrote for today’s edition of USA Today in which I describe how to safely and securely use email.

Scam of the day – July 16, 2016 – Google warning Gmail users about foreign hackers

State sponsored hacking from countries such as China, North Korea and Russia pose a threat to everyone, but Google, which has for years been monitoring hacking attempts by foreign governments, is notifying Gmail customers when Google has reason to believe that their Gmail accounts are being targeted.  If Google finds that you have been targeted you will receive the following message that takes up your entire screen warning you of the danger and urging you to use the more security dual factor authentication.  In its warning, Google indicates that less than 0.1% of all Gmail accounts are targeted, however, it is important to note that this percentage translates into more than a million people who are in jeopardy.

Screen Shot 2016-04-01 at 3.52.40 PM


As I have suggested many times, whenever you have the opportunity to use dual factor authentication, it is a wise choice to make because even if someone manages to steal your password or even trick you into providing it, as was the case with Jennifer Lawrence when she was convinced by a phishing email to provide her password to a cybercriminal who used it to access nude photos of her that she stored in the cloud, the hacker will not be able to access your email or other account because a special code provided to you through your cell phone is required whenever you wish to gain access to your account.

Finally, as I so often say, even paranoids have enemies so I urge you to err on the side of caution if you receive this type of notice and not necessarily trust it.  It could be a phishing communication from a cybercriminal luring you into clicking on a link which will either get you to provide personal information that can be used to make you a victim of identity theft or will download keystroke logging malware or ransomware.  The best course of action would be to merely go to Google directly from your browser without clicking on the link contained in the notification.  Here is a link you can trust that will take you to instructions for enabling dual factor authentication for Gmail

Scam of the day – July 15, 2016 – Omni Hotels data breach

Omni Hotels and Resorts just became the latest hotel chain to suffered a massive data breach joining Hyatt, Hotels, Starwood Hotels, Hilton Hotels and Trump Hotels who all suffered similar data breaches in the last year in which credit card and debit card information of their customers was stolen by unknown hackers.  Although the data breach at Omni was just recently discovered, it goes back to December 23, 2015 and was stealing credit card and debit card data from Omni Hotels up until June 14, 2016.  The Omni data breach affected forty-eight of Omni’s sixty hotels in North America.  As often is the case, hackers who steal the credit and debit card data sell it in large batches to other cybercriminals on a part of the Internet called the Dark Web.    The first batches of stolen credit cards and debit card information started turning up on the Dark Web in February of 2016.  The hotel industry continues to be an easy target for hackers as it is an industry that services large numbers of people and often the hotels are individually operated franchises rather than operating under a central data security system.  It should be noted, however, that Omni does not operate franchises.

The primary reasons for the continuing problem of data breaches at hotel chains are the weak cybersecurity of many hotel chains coupled with these companies still using credit card and debit card processors for cards with magnetic strips rather than the safer smart EMV chip cards.  Regulations effective October 1, 2015  mandated credit card issuers and retailers switch over to the new smart EMV chip cards or risk increased legal liability, but unfortunately, many companies have been slow to switch to the new card processing equipment.  If smart EMV chip cards had been used at Omni hotels, the card information that was stolen would have been worthless, but since they still used the old fashioned magnetic strip cards, Omni and its customers face financial problems from this data breach.


Until credit card issuing companies and brick and mortar stores and businesses that take credit cards switch to the new smart EMV chip cards, this story will, as I predicted  more than a year ago, continue to occur again and again.  As for us, as consumers, the best we can do is to refrain from using our debit cards for anything other than an ATM card because consumers whose debit card security has been breached are not protected as much as when a credit card is used for fraudulent purchases.  In addition, if you do not already have a new smart EMV chip card, you should demand one from your credit card company.  You also should regularly monitor your credit card statements for indications of fraudulent use.

Certainly if you have been an Omni customer since December 23, 2015 you should carefully review your credit and debit card statements for indications of identity theft and fraudulent charges.  If you were affected by this particular data breach, Omni  is offering free credit monitoring services for a year through AllClear ID.  You can sign up for these services by clicking on this link

Scam of the day – July 14, 2016 – Latest updates to Adobe Flash

After three consecutive months of new security updates being issued for Adobe Flash during the Spring, there were no security updates issued in June, however, now for the fourth time in the last five months, Adobe is issuing a new security update for Adobe Flash software.  I have been warning you for years about flaws in Adobe Flash that have been exploited by hackers and identity thieves against individuals, companies and government agencies including the U.S. State Department and the White House.  Problems with Adobe Flash are nothing new.  In 2010 Steve Jobs vociferously complained about its security and it has routinely been cited as being extremely vulnerable.  Despite security patch after security patch, new problems keep coming up.  It appears that just as companies retire certain programs when it is just too difficult to patch them, this may well be the time for Adobe to retire Flash and if it doesn’t, you should consider retiring it yourself and replacing it with another plugin that performs the same function, but is safer. Adobe Flash has already been proven to be so vulnerable to successful attacks by hackers that installing new security patches as quickly as they are issued is little more than putting a Band-aid on the Titanic if I can mix my metaphors.


Here is the link to the latest Adobe Flash security update which I urge you to download as soon as possible if you wish to continue to use Adobe Flash:

Some alternative plugins you may wish to consider to replace Adobe Flash include  GNU Gnash, and Silverlight.  Silverlight can be downloaded free directly from the Microsoft at this link: while GNU Gnash can be downloaded free at this link:

Scam of the day – July 13, 2016 – Evil spirit scam

Police in New York are warning people about a resurgence of a scam I first warned you about in the Scam of the day for May 21, 2012.   This particular scam targets Chinese Americans and begins when the scammer who is also of Chinese heritage approaches elderly Chinese women on the streets and tell them that they are plagued by evil spirits and that the only way to get rid of the evil spirits is through a purification ceremony.  They victims are told that they have to bring their cash and jewelry to the ceremony to purify their belongings and protect them from the evil spirits.  The victims’ cash and jewelry is then put in a bag and when the victims are not looking the money and jewelry is taken out of the bag by the scammer.  After the ceremony, the victims are told to take the bag home, but not to open the bag for a few days or the purification will not work.  By the time the victims learn they have been swindled, the scammers are long gone.  This particular scam has been preying upon the Asian communities in cities such as Boston, Seattle, Chicago and San Francisco in addition to New York.  In San Francisco alone, police estimate that the scammers managed to steal more than 2 million dollars worth of cash and valuables from about sixty victims reporting the crime.  This type of scam is also being reported in Haitian and Latino communities as fellow Haitians and Latinos prey upon people within their communities with similar scams.


We tend to trust people who are like us; people who have the same cultural heritage, race, religion or social group.  Unfortunately, “people like us” can be swindlers who take advantage of our trust.  This type of fraud is called affinity fraud.  This was what happened to many of the Jewish victims of Bernie Madoff who preyed upon many victims using their shared religion as an inducement.  Be extra careful when an investment or other offer is made to you by someone who shares an affinity with you.  Check them out as you would anyone else before doing any business with them.

Scam of the day – July 12, 2016 – Instagram Ugly List scam

A recent scam that has been victimizing people starts when you get an Instagram notification telling you that you have been tagged in a post called “Ugly List 2016.”  To make things worse, it appears that it is a friend of yours who tagged you.  The notification contains a link to enable you to see the full post.  If you click on it, it takes you to what appears to be the Instagram log in page where you have to type in your username and password in order to see the full Ugly List 2016.  However, the log in page to which you were directed by the link is a phony and if you type in your username and password, you have just turned over that information to a hacker.  The hacker, in turn, may send out Instagrams that appear to come from you including new Ugly List 2016 tags to your friends.

But why, would a hacker do this?

Certainly sometimes it is just done to embarrass people, but other times it is done to get people to turn over their usernames and passwords to the cybercriminals who count on many people using the same usernames and passwords for all of their accounts including online banking and other online accounts that have information that can be used by the cybercriminal for purposes of identity theft.


In regard to this particular scam, it is important to remember that there is no Ugly List 2016 so do not respond to it.  It is also important to remember when you are contacted by your friends through social media or even through emails or text messages, you can never be sure that any links contained in these communications that you are urged to click on are legitimate.  They may be tainted with malware.  Remember my motto, trust me, you can’t trust anyone.  These messages that appear to come from your friends may indeed come from their accounts which have been hacked and sent by an identity thief.  Never click on links or download attachments in emails, text messages or on social media until you have absolutely confirmed that the communication is legitimate.

As for your passwords, it is important to have a complex an unique password for every online account you have.

Scam of the day – July11, 2016 – FBI warns about extortion tied to data breaches

Data breaches have become a modern fact of life as too many places that retain our personal data have been successfully targeted by hackers seeking information from which they can profit.  Often the information is credit card and debit card numbers that can quickly be used to make purchases for goods that are then sold on the black market to convert into cash.  Other times, it is personal information that allows the hacker to access our various online accounts including bank accounts or to use the information to set up new accounts that the cybercriminals can exploit.  None of these scenarios are good for the victims of these data breaches.  Sometimes the fault is with ourselves such as when we use easy to guess passwords or the same password for multiple accounts.  Other times the fault may be with the companies that hold your data that have not instituted proper security measures.

In any event, the FBI has recently noted that now cybercriminals are exploiting data breaches by threatening to  expose the victim’s personal information to others unless the targeted person agrees to pay a ransom in bitcoins which are an easy way to money launder criminal activity.  At the present time the ransoms range from approximately $250 to $1,200.  Here are some of the extortion emails presently being circulated.

“Unfortunately your data was leaked in a recent corporate hack and I now have your information. I have also used your user profile to find your social media accounts. Using this I can now message all of your friends and family members.”

“If you would like to prevent me from sharing this information with your friends and family members (and perhaps even your employers too) then you need to send the specified bitcoin payment to the following address.”

“If you think this amount is too high, consider how expensive a divorce lawyer is. If you are already divorced then I suggest you think about how this information may impact any ongoing court proceedings. If you are no longer in a committed relationship then think about how this information may affect your social standing amongst family and friends.”

“We have access to your Facebook page as well. If you would like to prevent me from sharing this dirt with all of your friends, family members, and spouse, then you need to send exactly 5 bitcoins to the following address.”

“We have some bad news and good news for you. First, the bad news, we have prepared a letter to be mailed to the following address that details all of your activities including your profile information, your login activity, and credit card transactions. Now for the good news, You can easily stop this letter from being mailed by sending 2 bitcoins to the following address.”

Part of the problem is that sometimes, the cybercriminals are bluffing and merely are contacting people after a noteworthy data breach without actually having the information they claim to have.


The best way to avoid this problem is to limit the places that hold your personal information as much as you can.  For instance, hospitals do not need to have your Social Security number.  Use complex and unique passwords for each of your accounts and use dual factor authentication whenever possible.  Also, do not store personal information or sensitive photos or videos on your smartphone.  You also may wish to consider limiting the amount of personal information you provide on your social media accounts that can be used against you by being leveraged to gain access to your various accounts or trick you into clicking on links in emails or text messages that may download keystroke logging malware on to your computer, smartphone or other electronic device.  You also should limit the use of your debit card to use as an ATM card because the rules regarding protection from unauthorized use of your credit card provide much more protection than the rules regarding protection from unauthorized use of your debit card.

Scam of the day – July 10, 2016 – Wall Street executive pleads guilty to Ponzi scheme

Wall Street executive Andrew Caspersen pleaded guilty earlier this week to charges that he scammed investors out of millions through a scam in which he lured investors with representations that he would earn 15% or more on their investments by lending money to private equity funds through secured loans that he claimed were “practically risk free.” Instead he used the millions he collected from investors to fund his personal option buying, pay out earlier investors with the money gained by later investors, the hallmark of a Ponzi scheme, and support his self proclaimed “pathological gambling problem.  Ultimately, his losses totaled more than a hundred million dollars.


The rules for protecting yourself from investment scams are always the same.  Before investing in anything, you should make sure you understand the investment and carefully investigate both the investment and the person advising you to make the investment.  In addition, a red flag present in both the Bernie Madoff scam and the Ponzi scam allegedly operated by Caspersen is when the person advising you to make the investment is also the custodian of the account.  They should never be the same person.  Always have a broker-dealer separate from your individual adviser.  This way the actual funds and investments are monitored by a third party.

Scam of the day – July 9, 2016 – Ashley Madison update

It was just about a year ago that the Ashley Madison dating service was hacked.    Ashley Madison, the website for people seeking to have extra-marital affairs formerly used the slogan, “Life is short, have an affair” has been busy reinventing itself and now uses the slogan “Single, attached, looking to explore or just curious” in an attempt to expand its reach.  Ashley Madison was hacked by a group calling itself Impact Team.  Impact Team released information on thirty million users of Ashley Madison including names,  addresses, sexual interests and credit card details of Ashley Madison’s members.  Class actions have been filed against Ashley Madison in both Canada and the United States on behalf of members whose information was stolen and made public.

Now the FTC is investigating Ashley Madison on various grounds apparently including charges that Ashley Madison used computer programs sometimes called fembots to impersonate female members to lure in male members.  According to an  Ashley Madison company spokesman, there are five male members for every female member of Ashley Madison.  In 2014 the Federal Trade Commission (FTC) settled a case against JDI Dating, Ltd, a British company that operated a number of dating websites including and that similarly used phony computer generated female profiles to lure in male members.


Perhaps the biggest takeaway from this matter as millions of Ashley Madison customers suffered the consequences of having their involvement with the dating service made public is that your personal information is only as safe as the places with the worst security that have your personal information.  It also is obvious that the more places that have your personal information, the more at risk you are.  Therefore you should limit the places that have your personal information as much as possible.  In addition, you should not leave your credit card on record with a company for convenience sake even if it is a company with which you regularly do business.  Unless you agree to have your credit card information saved, companies with which you use your credit card are not allowed to store that information.