Scam of the day – October 3, 2015 – 15 million T-Mobile customers in danger of identity theft

October 3, 2015 Posted by Steven Weisman, Esq.

T-Mobile has announced that personal information on 15 million of its customers has been stolen as a result of a data breach that occurred between September 1, 2013 and September 16, 2015.  The stolen information includes names, birth dates and Social Security numbers.  This type of information can readily be used by a criminal to steal the identities of the people whose personal information was compromised.  Because identity theft can be a devastating crime, this is a major problem if you were a customer of T-Mobile during that time.  It is important to note that it was not T-Mobile’s computers that were hacked.  Rather it was a server used by the credit reporting agency Experian that was hacked to steal this customer information.  T-Mobile used the services of Experian to run credit checks on people applying for T-Mobile services or devices.  A number of questions are brought up by this hacking including why Experian continued to store this personal information long after the determination of creditworthiness had been done.  Also, there are questions about the encryption program Experian used to protect its data because the encryption proved ineffective.

TIPS

T-Mobile is offering free credit monitoring services through ProtectMyID to affected customers for two years.  However, it should always be noted that credit monitoring does not help prevent identity theft, but merely helps you learn sooner when you do become a victim of identity theft.  Somewhat ironically, it should also be noted that ProtectMyID is owned and operated by Experian, the same company responsible for the data breach.  For more information about obtaining the free credit monitoring services if you were affected by this data breach, click on this link which provides instructions from T-Mobile about signing up for the service. http://www.t-mobile.com/landing/experian-data-breach

Meanwhile, everyone should consider putting a credit freeze on their credit reports to actually help prevent identity theft.  With a credit freeze in place, an identity thief who has your personal information including your Social Security number will be prevented from accessing your credit report to obtain credit or make purchases in your name.  For more information about credit freezes, go to the archives of Scamicide.com and type in “credit freeze.”

Scam of the day – October 2, 2015 – Update on data breach at Trump hotels

October 2, 2015 Posted by Steven Weisman, Esq.

It has just been disclosed by the Trump Hotel Collection, which includes hotels in Chicago, Honolulu, Las Vegas, Los Angeles, Miami and New York, that its hotels had been hit with a Target-like credit card and debit card data breach that appears to have occurred between May 19, 2014 and June 2, 2015.  Although the Trump Hotel Collection is just announcing this now and much of the media is reporting this as a new story, here at Scamicide, we reported to you about this data breach in our Scam of the day on July 5, 2015.  As with so many data breaches, it was discovered not by the company hacked, but by credit and debit card processing banks that noticed a pattern of fraudulent use and traced the cards back to the Trump hotels.  The malware used to perform this data breach was installed on computers at Trump hotels’ front desk terminals as well as payment card terminals in the hotels’ restaurants and gift shops.  This type of hacking and data breach could have been prevented had the Trump Hotel Collection switched to the modern EMV smart chip credit cards now being required to be used according to credit card regulations that just went into effect yesterday.  Instead the Trump Hotel Collection, as many companies still do, used the old fashioned credit and debit cards with magnetic strips which are so susceptible to hacking.

TIPS

If you used your credit and debit card at one of the affected Trump hotels between May 19, 2014 and June 2, 2015, you should obtain your credit report from each of the three major credit reporting agencies and look for indications of identity theft.  You should also carefully monitor your credit card account and bank accounts for unusual activity.  You should also consider putting a credit freeze on your credit reports, which is always a good idea.  The Trump Hotel Collection is offering free credit monitoring for people who used their cards at their hotels during the time period indicated above.  For more information about this offer, call them at 877-803-8586.  Here also is a link to the statement of the Trump Hotel Collection about this data breach. https://www.trumphotelcollection.com/cc-security-faq

As for the rest of us, there is little that we as credit and debit card users can do to protect ourselves from the security vulnerabilities of the companies with which we do business.  One important thing to do is to refrain from using your debit card except at ATMs.  Using your debit card at retail establishments puts you at a much greater risk of expensive identity theft in the event of a data breach at the company with which you are doing business because of weaker consumer protection laws regarding liability for fraudulent use of your debit card.  Also, if you have not yet received a new EMV smart chip credit card from your credit card company, you should ask your credit card company for a replacement credit card with a computer chip now.

Scam of the day – October 1, 2015 – EMV smart chip card scams

October 1, 2015 Posted by Steven Weisman, Esq.

Scammers always are taking advantage of whatever current events are going on.  Today is the deadline for retailers and credit card issuing companies to switch over to using the new EMV credit cards containing a computer chip that creates and encrypts a new number every time the card is used.  Unlike credit cards in other parts of the world, American credit cards still mostly use magnetic strip technology that has been around since the 1960s in which personal information is contained on a magnetic strip on the back of the card.  When the information on this strip is stolen as through a hacking, the identity thief has access to the credit of the victim.  However in more than 80 other countries around the world, the magnetic strip card technology has been replaced with cards embedded with a microchip.  This technology is often referred to as EMV which stands for Europay, MasterCard and Visa, the originators of the card.  With EMV cards, the chip creates and encrypts a new number every time the card is used.  Thus hacking into the credit and debit card processing terminals used by the cardholder is a worthless exercise in trying to access the credit card or debit card.  For cost reasons, credit card companies and retailers have resisted updating the credit card system in the United States although changes in regulations in regard to liability for fraudulent credit card use will prompt credit card companies and retailers to switch to this technology.   Under these new rules, after October 1st if a retailer does not switch its card processing machines over to EMV card processing of sales, in the event of a data breach, the retailer will be held financially responsible for any losses incurred.  Previously, in the event of data breaches, it has generally been the credit card issuing banks that have been held responsible for such credit card fraud.

The October 1st deadline, however,  has not been met by many credit card issuers and retailers.  More than a billion credit and debit cards will have to be switched to the new EMV cards and only 120 million people have already received a new EMV card.  That number is expected to reach 600 million by the end of 2015.  Meanwhile, many retailers have not yet converted their card processing devices to accept the new EMV cards.  Since under the new regulation regarding liability in the event of credit card fraud, the liability passes to the party that is the least EMV compliant, there is much incentive for the credit card companies to issue new EMV cards and for retailers to convert their credit card processing equipment as soon as possible.

Ingenious scam artists, the only criminals we refer to as artists, are taking advantage of the situation by contacting people by email posing as your credit card company and prompting you to either provide personal information in response to the email or click on a link in the email in order to update your account to get a new smart EMV chip card.  If you provide personal information to the scammer, you will end up becoming a victim of identity theft.  If you click on the link, you may also download keystroke logging malware that will steal your information from your computer or smartphone and use it to make you a victim of identity theft.

TIPS

So if you receive an email purporting to be from your credit card company, how do you know if it is legitimate?

First check the address of the email sender.  If it appears to come from someone or some company wholly unrelated to your credit card issuer, it is a scam.  Many scammers use hijacked email accounts that become a part of a network of controlled computers referred to as a botnet to send out their emails so that it is difficult to trace the scams back to the scammer.

Merely because the email appears legitimate, is written in proper English and even carries the logo of your credit card company does not mean that it is legitimate.  It is easy to copy the logo of a company on to an email.  If you get an email from your real credit card company it will generally be addressed to you specifically by name rather than a generic greeting of “Dear Cardholder.”  In addition, the email to you will generally reference your account by including the last four digits of your account.  However, even paranoids have enemies so if you do get an email that appears legitimate, but you still have concerns, merely call the company at the number found on the back of your credit card to confirm that the email is legitimate.

Scam of the day – September 30, 2015 – New Dropbox scam

September 30, 2015 Posted by Steven Weisman, Esq.

Dropbox is a popular service that enables you to store photos, documents and other information in the cloud.  In a phishing scam similar to what I wrote about recently, many people are receiving an email purporting to be from Dropbox telling them that Dropbox is doing an update in order to make their service more secure from hacking and that the user needs to click on a link in order to update his or her account.  Of course, this is just a phishing scam intended to lure the victim into clicking on the link in which event the victim will either be told to provide personal information including passwords that will be used by the scammer to make the person a victim of identity theft or merely by clicking on the link, the victim will unwittingly download keystroke logging malware that will enable the identity thief to steal all of the personal information on the victim’s computer or smartphone and use it to make the person a victim of identity theft.

TIPS

The particular phishing email presently being circulated appears to be legitimate, however, it is not sent by an email address used by Dropbox.  If the email does not appear to originate with dropbox.com, dropboxmail.com or other legitimate Dropbox email addresses, which you can find by going to this link https://www.dropbox.com/help/217#email you can immediately dismiss the email as a phishing scam.  However, even if the email address appears legitimate you should still be skeptical and contact the company at a phone number or email address that you know is legitimate to find out if the email is legitimate.  Here is a link you can use to contact Dropbox about issues with your account.  https://www.dropbox.com/support  Chances are with this type of email, it is a scam.  Dropbox is also a company that allows you to use dual factor identification, which dramatically increases your personal safety because even if someone gets your password, they cannot access your account.  If you use Dropbox, I heartily advise you to protect your account by using dual factor authentication.  Here is a link from Dropbox to help set up dual factor authentication. https://www.dropbox.com/help/363

This is another example of why it is a good practice to have separate distinct passwords and usernames for all of your accounts so that if one company where you have your information is hacked, your other accounts are not endangered.  In addition, as always, if the company with which you are dealing provides for dual factor identification, you should take advantage of this to provide added security so that you would not be in danger of having your account taken over even if someone managed to get your username and password.  Dropbox provides for dual factor identification.  If you use Dropbox and haven’t yet added dual factor identification, here is a link to enable you to set it up for your account. https://blog.dropbox.com/2014/10/have-you-enabled-two-step-verification/

Scam of the day – September 29, 2015 – Hilton Hotels data breach

September 29, 2015 Posted by Steven Weisman, Esq.

Hilton Hotels appear to be the latest in a long line of companies that have suffered a significant data breach involving credit cards and debit cards.  The hacking appears to have occurred between April 21, 2015 and July 27, 2015 although it may go back as far as November of 2014.  As is most often the case, the hacking was not discovered by Hilton, but rather by a number of credit card issuing banks that picked up a pattern of fraudulent charges that they were able to trace back to gift shops and restaurants at a number of Hilton properties which include not only Hilton Hotels, but Embassy Suites, Doubletree, Hampton Inn and Suites as well as the Waldorf Astoria Hotels and Resorts.  This type of data breach is something about which I wrote for USA Today in a column a year ago in which I explained the pattern for these data breaches and why they occur.  Here is a link to that column, entitled “Coming Soon:  Another Major Retailer Hacked.”  http://www.usatoday.com/story/money/personalfinance/2014/09/27/hacking-target-home-depot-credit-card/16221427/

For its part, Hilton released a statement saying, “Hilton Worldwide is strongly committed to protecting our customers’ credit card information.  We have many systems in place and work with some of the top experts in the field to address data security.  Unfortunately, the possibility of fraudulent credit card activity is all too common for every company in today’s marketplace.  We take any potential issue very seriously and we are looking into this matter.”

The problem continues to be one of weak cybersecurity of many companies coupled with these companies still using credit card and debit card processors for cards with magnetic strips rather than the safer smart EMV chip cards about which I wrote in detail in September 23rd’s Scam of the day.  New regulations mandate credit card issuers and retailers to switch over to the new smart EMV chip cards by October 1st or risk increased legal liability, but unfortunately, many companies have not switched over and are not expected to do so by October 1st.  If smart EMV chip cards had been used at Hilton, the information stolen in such a hacking would have been worthless, but since they still used the old fashioned magnetic strip cards, Hilton and its customers face financial problems from this data breach.  Target, which learned its lesson the hard way has already switched to the new EMV chip cards as has WalMart.

TIPS

Until credit card issuing companies and brick and mortar stores and businesses that take credit cards switch to the new smart EMV chip cards, this story will, as I predicted a year ago, continue to occur again and again.  As for us, as consumers, the best we can do is to refrain from using our debit cards for anything other than an ATM card because consumers whose debit card security has been breached are not protected as much as when a credit card is used for fraudulent purchases.  In addition, if you do not already have a new smart EMV chip card, you should demand one from your credit card company.  They are easy to use and they will provide you with much greater security.  If you used a credit card or debit card at any of the above-mentioned Hilton properties during the dates indicated above, you should carefully monitor your credit card account and bank account for any indication of a problem.

September 28, 2015 – Steve Weisman’s latest USA Today column

September 28, 2015 Posted by Steven Weisman, Esq.

Here is a link to Steve Weisman’s USA Today column from today’s online edition of USA Today entitled “Email Scam Hits Corporate Computers.”

http://www.usatoday.com/story/money/columnist/2015/09/28/steve-weisman-cyberthieves-corporate-targets-email/72963040/

Scam of the day – September 28, 2015 – New iTunes phishing scam

September 28, 2015 Posted by Steven Weisman, Esq.

Today’s Scam of the day comes right from my own email account although many people are reporting receiving the same email.  It appears to be from iTunes and indicates that in order to continue to use iTunes, I must verify information in my account.  The email is a scam and works in one of two ways, both of which are bad.  In one scenario if you click on the link to provide information, you will be turning over your personal information to an identity thief who will use the information to make you a victim of identity theft.  Even worse is the other possible scenario which is that when you click on the link, you will unwittingly download a keystroke logging malware account that will permit the identity thief to steal all of the information on your computer and use it to access your credit cards, bank accounts and other financial accounts and use that information to make you a victim of identity theft.  This particular email which is reproduced below contains a number of clues that it is a scam.  Often these emails come from botnet zombie computers that have been hacked into to send out these emails and so the email address from which it was sent will not have anything to do with Apple or iTunes, but will carry the address of the unfortunate person whose email was hacked and taken over.  In my case, the email was sent by a non-business account in the United Kingdom.  Also, although it is easy to copy logos, identity thieves, particularly when they are from foreign countries, do not use proper grammar or proper English.  For instance, in this email the word “cooperation” is spelled incorrectly.  Finally, the email is addressed merely to “Dear iTunes User” instead of using my name in the salutation thereby indicating that this is being sent out widely to many individuals rather than sent merely to people to whom it would apply if it were legitimate.

Here is a copy of the email I received.  DO NOT CLICK ON THE LINK.

“Dear iTunes User,

Your account requires verification due to our recent upgrade. It is mandatory that you confirm your details through our secure link below.

Connect

Thank you for your co-operation.

Sincerely Yours,

iTunes Admin
Copyright © 2015 Apple Inc. All rights reserved”

TIPS

Never click on a link unless you are absolutely sure that it is legitimate and unfortunately whenever you receive an email or a text message with a link, you cannot be sure that the message is legitimate.  Many times you will receive emails or texts such as this purporting to be from companies that you do not even do business with and you obviously can ignore these.  But if you have any concerns that the email might be legitimate, you still shouldn’t click on the link.  Instead you should call the particular agency or company at a telephone number that you know is accurate to inquire as to whether the email or text message was legitimate.  Chances are that you will find out that it is a scam.  Once, I received a large invoice from a company with which I do business for goods I did not order, but rather than click on the link provided in the email, I went directly to the company’s website to question the invoice.  When the website came up, the first thing I saw was a large announcement that the invoice was a scam and that many people had received these phony invoices.  If I had clicked on the link, I would have become a victim of identity theft.
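
The clues described in this post and in the October 1 and September 30 posts (an unrelated sender address, a generic greeting, no use of your name or the last four digits of your account) can be checked mechanically. The Python sketch below is an added example, not part of the original posts; the sender address, the recipient name "Pat Reader" and the choice of apple.com as the expected domain are assumptions made for illustration.

```python
from email import message_from_string, policy
from email.utils import parseaddr

# Generic salutations quoted in the posts above as warning signs.
GENERIC_GREETINGS = ("dear cardholder", "dear itunes user")

# Constructed sample: the body is the iTunes email quoted above; the headers
# and the sender address are invented for this example.
SAMPLE = """\
From: iTunes Admin <someone@mailbox.example.co.uk>
To: reader@example.org
Subject: Account verification

Dear iTunes User,

Your account requires verification due to our recent upgrade. It is mandatory
that you confirm your details through our secure link below.

Thank you for your co-operation.

Sincerely Yours,
iTunes Admin
"""


def sender_domain(msg):
    """Lower-cased domain of the From address, or '' when there is none."""
    _display_name, address = parseaddr(str(msg.get("From", "")))
    if "@" not in address:
        return ""
    return address.rpartition("@")[2].lower()


def domain_matches(domain, expected_domains):
    """True only for an expected domain or a genuine subdomain of one.

    A plain suffix test would accept 'notdropbox.com' and a substring test
    would accept 'dropbox.com.mail.example'; both are look-alikes.
    """
    return any(domain == d or domain.endswith("." + d) for d in expected_domains)


def phishing_clues(raw_email, expected_domains, recipient_name, last_four=None):
    """Return the warning signs found in one message, in the posts' order.

    An empty list is not proof of legitimacy: the From header can be forged,
    which is why the posts still advise calling the company to confirm.
    """
    msg = message_from_string(raw_email, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    text = (part.get_content() if part is not None else "").lower()

    clues = []
    if not domain_matches(sender_domain(msg), expected_domains):
        clues.append("unrelated_sender")
    if any(greeting in text for greeting in GENERIC_GREETINGS):
        clues.append("generic_greeting")
    if recipient_name.lower() not in text:
        clues.append("not_addressed_by_name")
    if last_four is not None and last_four not in text:
        clues.append("no_account_reference")
    return clues


if __name__ == "__main__":
    # "apple.com" and the recipient name are assumptions for this example.
    print(phishing_clues(SAMPLE, {"apple.com"}, "Pat Reader"))
```
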

Scam of the day – September 27, 2015 – Facebook dislike button scam reappears

September 26, 2015 Posted by Steven Weisman, Esq.

It has been more than three years since I first reported to you about the Facebook dislike button scam.  The scam involves a link on your wall informing you that Facebook now has a dislike button and you can take advantage of this new feature by clicking on a link.   This is a scam.  There is no dislike button on Facebook.  If you click on the link,  a number of things may happen, all of which are bad.  You may be prompted to provide personal information that will be used to make you a victim of identity theft or you may unwittingly be signing up for expensive monthly services on your smartphone or you may automatically download malware that gives the identity thieves access to the personal information in your computer or smartphone which identity thieves then use to make you a victim of identity theft.  Additionally, clicking on the link may give the scammer access to your profile and the ability to send out malware and spam to all of your friends and make it appear that the material is coming from you.

This scam is experiencing a resurgence because last week, Facebook CEO Mark Zuckerberg  spoke about Facebook considering a feature similar to a dislike button.  However, such a feature is a long way from becoming a reality.

TIP

There is no dislike button so if you see a link to one, you can be sure that it is a scam.  If you unwittingly have downloaded this, you should delete it from your Facebook account as soon as possible and report it to Facebook.

Scam of the day – September 26, 2015 – Employment recruiter scams

September 26, 2015 Posted by Steven Weisman, Esq.

Searching for a job is much easier today with all of the resources of the Internet, however, unfortunately, it is also easier for scammers to search for victims posing as employment recruiters using the resources of the Internet.  The phony recruiters often reach out to people on social media such as LinkedIn, Twitter and Facebook.  Many people provide personal information to these scammers who then use that information to make the job seeker a victim of identity theft.  Often the scammers will copy the logo of legitimate companies so that their emails may look legitimate.

TIPS

As I always say, “trust me, you can’t trust anyone.”  You can never be sure when you receive an email, text message or communication by way of social media who is really contacting you.  For this reason, you should never provide personal information to a recruiter unless you have absolutely confirmed they are legitimate.  You can do this by contacting the HR department of the real company they may only be pretending to represent.   Real job postings can also be found on the websites of legitimate companies so if someone claims to be recruiting for a company that does not list such a job as being offered by the company on its website, you can expect that the recruiter is a scammer or identity thief.

Scam of the day – September 25, 2015 – Student loan debt relief scams

September 25, 2015 Posted by Steven Weisman, Esq.

With student loan debt up to 1.2 trillion dollars and many students defaulting on their loans, it is not a surprise that scammers are preying upon desperate former students looking for a way out of debt.  Scammers take advantage of many of these former students who may not be aware of their rights and options.  Some scammers promise dramatic reductions of debt of 50% or more in return for upfront fees of between $500 and $2,500.  Often these scam companies have names that make it appear that they are endorsed by the federal government such as Student Loan Processing.US which is presently being sued by the Consumer Financial Protection Bureau (CFPB).  Part of the problem is that many people seeking relief do a search on Google which turns up advertisements for scam student debt relief companies at the top of the first page.  The CFPB has asked Google to enable searchers to more readily be directed to the U.S. Department of Education’s website where much helpful information is available to help people seeking debt relief without having to pay exorbitant fees for the information.  To date, Google has not cooperated.

Meanwhile the fact is that, according to government studies, 70% of those people in default of their loans actually qualify for income-based repayment plans, but many people are not aware of that fact or how to apply for these programs.  A  recent General Accountability Office (GAO) report faulted the Department of Education for not making people more aware of their repayment options.

TIPS

If you find yourself having difficulties repaying your student loans the first place to turn is the website of the Department of Education which has much information about programs that may provide tremendous assistance without having to pay hefty fees.  Here is the link for the Department of Education’s website section dealing with student loans.  http://www2.ed.gov/fund/grants-college.html?src=go