Scam of the day – October 31, 2017 – FTC Consumer Response Center spoofing scam

Spoofing is a funny sounding word, but there is nothing funny about spoofing, which is the name for the scam tactic used by scammers by which they are able to manipulate your caller ID such that when you receive a call, it appears to come from a legitimate company, governmental agency, such as the IRS, or even your own telephone number.

According to the Federal Trade Commission (FTC) scammers have spoofed the telephone number of its Consumer Response Center to contact people asking for personal information or a payment.  This telephone number 877-382-4357 is the telephone number consumers can call to report a scam.  It is not, however, used by the FTC to call consumers so if you get a call from this number, you should not trust the caller.  It is also important to remember that the FTC will never ever ask you for money or personal information such as your Social Security number or bank account information.

TIPS

There are some basic precepts to remember to help protect you from being scammed by spoofed calls.  Remember that your caller ID is not fool proof.  You cannot trust your caller ID to accurately inform you as to who is really calling you.  You should never provide personal information to anyone over the phone whom you have not called.  If you ever receive a call requesting personal information and you think it might possibly be legitimate, merely hang up and call the entity back at a number that you know is accurate and even then do not provide personal information unless there is a real need for it.

It is important to note that although the telephone number 877-382-4357 has been spoofed by scammers, it is still safe to call that number to report a scam to the FTC.

Scam of the day – October 29, 2017 – Twelve people indicted in gas pump skimmer scam

The U.S. Attorney’s Office for the Northern District of Ohio recently announced the indictment of twelve people alleged to have installed skimmers at gas pumps in Ohio, Colorado, Maryland and Utah in order to steal credit card information used to create phony credit cards with which they made fraudulent purchases.

Skimmers are small electronic devices that are easily installed by an identity thief on gas pumps,  ATMs and other card reading devices.  The skimmer steals all of the information from old style magnetic strip credit card or debit cards which then enables the identity thief to use that information to access the victim’s bank account when the skimmer is used on a debit card.  If a credit card is used, the identity thief can use the stolen information to access the victim’s credit card account.  Each skimmer can hold information on as many as 2,400 cards.

MasterCard and Visa announced in December of 2016 that the deadline for the installation of EMV chip card readers on gas pumps was being delayed three years to October 1, 2020.  Credit card rules required EMV smart chip credit card equipment be installed by retailers to process these cards by October 1, 2015 in order for the retailer to avoid liability.   Wider implementation of the use of EMV chip cards at retailers has resulted in a dramatic reduction in data breaches and credit card fraud at retailers using this equipment.   The deadline for the installation of EMV chip card readers at gas pumps was originally scheduled for October 1, 2017.  Around the country there has been an increase in the use of skimmers installed by criminals at gas pumps.

TIPS

Always look for signs of tampering on any machine you use to swipe your credit card or debit card.  If the card inserting mechanism appears loose or in any other way tampered, don’t use it.   Debit cards, when compromised through a skimmer put the customers at risk of having the bank accounts tied to their cards entirely emptied if the theft is not promptly reported and even if the victim reports the theft immediately, the victim loses access to his or her bank account while the matter is investigated by the bank. Debit cards should not be used for purchases at gas pumps or for other retail purchases because the legal liability laws related to stolen debit card information are not as protective to consumers as the laws relating to fraudulent credit card use.

Scam of the day – October 28, 2017 – Infamous hacking group hacks British plastic surgery clinic

The Dark Overlord an infamous hacking group that has been behind many high profile hackings including the hacking into a production studio connected to Netflix has apparently hacked London Bridge Plastic Surgery (LBPS), one of the leading cosmetic surgery clinics in the UK and is threatening to release the names and photographs of patients of LBPS  including those of genitalia and breast enhancement surgeries.  The services of London Bridge Plastic Surgery has been used by many celebrities and even, supposedly, by members of the Royal family.

At this time an extortion demand has not been made, but, assuming The Dark Overlord follows his usual pattern, a demand can be expected shortly.

TIPS

This is yet another example of the fact that regardless of how vigilant you are at protecting your privacy, you are only as secure as the places with the weakest security that have your personal data, photographs or anything related to you.  The key, in particular, when you do business with any person, company or other entity that will have anything you would want to keep private, is to inquire as to what they do to protect your privacy and security.  Too many companies and other entities fail miserably at taking basic security precautions including encryption.

Scam of the day – October 27, 2017 – Guilty plea in celebrity nude photo hacking case

Earlier this week, Emilio Herrera agreed to plead guilty to hacking the personal information including nude photos of more than fifty celebrities in 2013 and 2014.  Although the names of the specific celebrities whose nude photos were stolen were not contained in the federal complaint, it is believed that among the hacked celebrities was Jennifer Lawrence whose nude photos were stolen and shared on the Internet.

Herrera is the third person to have been independently charged for such hacking.  Edward Majerczyk and Ryan Collins were both charged, convicted and sentenced to federal prison for similar hacking of celebrities personal photos.

While at the initial time that the celebrity photos were stolen from their iCloud and Gmail accounts there were questions about the security of the Cloud and Gmail, eventually it became known that all three hackers used spear phishing emails to their victims posing as as the victims’Internet Service Providers, Apple, Yahoo and Hotmail to trick their victims into providing their user names and passwords to the hackers enabling them to readily access the photos in the Cloud or in their Gmail accounts.

TIPS

There are a number of lessons to be learned from this crime about how to protect our own security.    It is important to resist providing your username and passwords in response to emails and text messages unless you have absolutely and independently confirmed that the request is legitimate, which such requests seldom are.  If you have any concern that such a request might be legitimate, merely call the real company to confirm the legitimacy of the communication.

Also, take advantage of the dual-factor identification protocols offered by Apple and many others.  With dual-factor identification, your password is only the starting point for accessing your account.  After you have inputted your password, the site you are attempting to access will send a special one-time code to your smartphone for you to use to be able to access your account.  In some instances, the companies will only send the code to you if your account is being accessed from a different device than you usually use to access your accounts.  Had Jennifer Lawrence and the other hacked celebrities used dual-factor identification, they would still have their privacy.

It is also important to note that merely because you think you have deleted a photograph or video from your smartphone, that may not be accurate.  Smartphones save deleted photographs and videos on their cloud servers such as the Google+service for Android phones and the iCloud for iPhones.  However, you can change the settings on your smartphone to prevent your photos from automatically being preserved in the cloud.

Scam of the day – October 26, 2017 – Beware of Bad Rabbit ransomware

Ransomware is the name for malware that once installed on a computer, often unwittingly through clicking on links in spear phishing emails, encrypts and locks all of the victim’s data.  The cybercriminal then threatens to destroy the data unless a bounty is paid.  Earlier this year we  experienced two massive ransomware attacks against millions of computers around the world.  These were the infamous WannaCry and Peta ransomware attacks.  Now cybercriminals are launching a new strain of ransomware that carries the name “Bad Rabbit.”  Reproduced below is what appears on your screen if you become infected with the Bad Rabbit ransomware.  While to date the ransomware attacks using Bad Rabbit appear to be limited to Russia, Ukraine, Turkey and Germany, you can expect the use of Bad Rabbit to spread.

TIPS

According to security company Kaspersky Labs this ransomware attack was primarily launched when victims downloaded fake Adobe Flash programs from infected websites.  However, quite often ransomware attacks as well as other types of malware attacks are spread  through phishing emails that lure unsuspecting people into clicking on malware infected links or downloading attachments tainted with malware.  As I am constantly reminding you, never click on links or download attachments until you have confirmed that they are legitimate.

You also should update all of your electronic devices with the latest security updates and patches as soon as they become available, preferably automatically.  Many past ransomware attacks exploited vulnerabilities for which patches had already been issued.

As for protecting yourself specifically from ransomware, you should back up all of your data on at least two different platforms, such as in the Cloud and on a portable hard drive. Companies and agencies which can afford to do this, should also use Whitelisting software which prevents the installation of any unauthorized computer software programs.

October 25, 2017 – Steve Weisman’s latest column for the Saturday Evening Post

While we are all familiar with the Equifax data breach, many people are not aware of the many ways our credit reports are used and our rights in regard to our credit reports.  Here is a link to an article I wrote for the Saturday Evening Post that tells you what you need to know about your credit reports.

Con Watch: Why Your Credit Report Is So Important

Scam of the day – October 25, 2017 – Phony customer service and tech support phone numbers

Recently a Netflix customer called what he thought was the company’s customer service number that he obtained through a Google search, but actually ended up calling a scammer who had managed to set up a phony website and manipulate Google’s algorithms to get the first position in a search.  The customer ended up giving his credit card information to the scammer who used it to steal from the customer.

Clever scam artists, the only criminals we refer to as artists are increasingly setting up phony websites that appear to be for customer service or tech support of many of the companies with which we do business or purchasing telephone numbers that are a single digit off of the legitimate phone numbers for many companies’ tech support or customer support in order to take advantage of common consumer misdials.

Compounding the problem is the fact that for much social media, you will not readily find a telephone number to call and speak to a real person about your problem.  They only provide online support.

TIPS

The best place to look for a telephone number for customer support or tech support is right on your bill or the legitimate website for the company.  When calling, take extra care to make sure that you are dialing correctly.

Among the social media services that do not provide tech support by phone are Facebook, Instagram, Snapchat and Twitter.  Here are links to tech support for those social media services:

Facebook:  https://www.facebook.com/help/

Instagram: https://help.instagram.com/

Snapchat: https://support.snapchat.com/en-US

Twitter: https://support.twitter.com/

Scam of the day – October 24, 2017 – Phony kidnapping scam

I have been warning you about phony kidnapping scams for four years, but recently there has been a resurgence of this particular scam around the country and the FBI has issued a warning to everyone about this scam.

The scam starts with a telephone call informing the person answering the phone that a child or other relative has been kidnapped and if they do not respond by wiring money right away, the relative will be killed.  As with so many scams, we are often our own worst enemy and this scam is no exception.  In many instances, the scammers gather personal information about the intended scam victims from information that the intended victims  or members of their families post on social media.  Information harvested from social media may indicate that someone is traveling on vacation making it easier to make the phony kidnapping appear legitimate.

Armed with  personal information gathered from social media, a scammer can describe the supposed kidnapped victim or provide personal information that would make it appear that indeed they actually do have the person in their custody.

Many of the fake kidnapping scams, according to the FBI are originating with calls from Mexico, where in many instances the calls are being made by prisoners who have bribed guards to supply them with cell phones.

TIPS

Always be skeptical if you receive such a call.  Never wire money to anyone for anything unless you are totally convinced that what you are doing is legitimate because unlike paying for something with a credit card, once your wired funds have been sent, they are impossible to get back.  Talk to the alleged kidnapper as long as possible, thereby giving someone else with you the time to call  or text the alleged kidnap victim on his or her smartphone.   If the purported kidnapping victim is a young child, call the school to confirm that he or she is safe.   You also could ask the kidnapper to describe your relative as well as provide information, such as his or her birth date, which could be found on a driver’s license, however, it is important to remember that much of this kind of information may be available through social media or elsewhere on the Internet.

Many of these kidnapping scams are originating in Puerto Rico or Mexico so be particularly skeptical if you receive the telephone call from Puerto Rico area codes 787, 939 or 856.  Also be wary of calls from Mexico which has many area codes which can be found by clicking on this link.  http://dialcode.org/North_America/Mexico/

Scam of the day – October 23, 2017 – Social Security cost of living adjustment scam

Last Friday, the Social Security Administration (SSA) announced a 2% cost-of-living adjustment (COLA) for Social Security recipients beginning in January  of 2018, however, scammers are already taking advantage of this news  and making calls to unwary seniors in which the scammers purport to be representatives of the Social Security Administration.  They tell their intended victim  that in order to receive  the new cost-of-living adjustment (COLA), they must confirm personal information including their name, birth date and Social Security number.   The truth is that this information is not required for a person to receive a cost-of-living adjustment which is automatic and if the person does provide this personal information, the scammer will use it to make the person a victim of identity theft.

TIPS

You do not have to confirm information or apply for any cost-of-living adjustment.  It is automatically added to a Social Security recipient’s payment.  In addition, you should never give out personal information on the phone to someone you have not called unless you are absolutely sure that the call is legitimate and there is a legitimate need for that information.  Scammers can trick your Caller ID through a technique called spoofing into making it appear that the call is from the Social Security Administration or any other entity they wish.

Here is a link to the press release of the SSA describing the upcoming COLA.

https://www.ssa.gov/news/press/releases/#/print/10-2017-1