Scam of the day – April 15, 2017 – A new mystery shopper scam

It has only been a month since I last warned you about mystery shopper scams; however, because these scams continue to snare so many unsuspecting victims, I am including the most recent mystery shopper scam email that is presently circulating as today’s Scam of the day. Mystery shoppers are people hired to shop at a particular store and report on the shopping experience for purposes of quality control. Unlike many scams, there actually are legitimate mystery shopper companies, but they never advertise or recruit through emails.

The scam works like this: when you answer an advertisement or an email to become a mystery shopper, you are sent a bank check to deposit and use for your shopping. You spend some of the money on goods, which you are allowed to keep, and you are also directed to keep some of the balance of the check as payment for your services. You are instructed to return the remaining funds by a wire transfer. The problem is that the check is counterfeit, but the money you send by wire from your own bank account is legitimate, and that money is gone from your bank account forever.

Here is a copy of the email I recently received:

“National Shopping Service Network, LLC  is one of the leading agency specialized in Global Customer Service Research. We are starting a very big research project in USA , This project takes place every week. So, we need to recruit Mystery Shoppers to work as a surveyor. You will get $200 – $300 for each assignment.

JOB DESCRIPTION:

You will be assigned to visit a shop.  You need to “pretend” to be a normal potential customer who is looking for a particular service or product.
You will then finish an on-line questionnaire to share with us your
customer experience.

Payment: Cashier Check or Money Order.

Send information below to get started If you are Interested.

Full_Name
Full Address (No PO BOX):
City:
State :
Zip Code :
Phone_Cell :
Gender_Age :
Email_Address:
Thanks for your participation.
Babb Williams
HR Manager
Customer Service Evaluation Team
The Premier Mystery Shopping Company
Copyright 2017®”

TIP

One reason why this scam fools so many people is that there really are mystery shopping jobs, although the actual number is quite small and the companies offering them do not go looking for you. An indication that you are involved with a scam is when you receive a check for more than what is owed you and you are asked to wire the difference back to the sender. This is the basis of many scams. Whenever you receive a check, wait for your bank to tell you that the check has fully cleared before you consider the funds as actually being in your account. Don’t rely on provisional credit, which is given after a few days but can be rescinded once a check bounces, and never accept a check for more than what is owed with the intention to send back the rest. That is always a scam. Also be wary whenever you are asked to wire funds, a common theme in many scams because a wire transfer is difficult to trace and impossible to stop.

Additionally, this particular scam email was sent from the email address of a person entirely unrelated to any mystery shopping company. This generally indicates that the email came from the account of an unsuspecting victim of email hacking, whose address is now being used as part of a botnet of similarly hacked computers to send out scam emails such as this.

Scam of the day – October 31, 2016 – Amazon phishing email

A new phishing email is presently being circulated that attempts to lure you into clicking on links and providing personal information that can be used to make you a victim of identity theft. Alternatively, merely by clicking on the links in some phishing emails, you may unwittingly download malware that will steal personal information from your computer or other device and use it to make you a victim of identity theft. Even if you have the most updated versions of security software protecting your computer, laptop or smartphone, you may not be protected from zero day exploits, which is the name for the latest malware targeting vulnerabilities that have not yet been protected against by your security software. It generally takes up to a month for the security software companies to provide patches for the latest strains of malware.

TIPS

In regard to this particular phishing email, there are a number of telltale signs that indicate that it is a scam.  Although the graphics are excellent, the email is not directed to you personally, but rather uses the generic salutation of “Dear Amazon.com Customer.”  In addition, there are numerous grammatical errors that could be attributable to the scammer possibly not having English as his or her primary language.  Also, the email address from which the email was sent was not from Amazon, but from an unrelated individual.  Most likely the email address used was that of another victim whose computer was hijacked and used as a part of a botnet to spread the phishing emails.  Of course, the best course of action is to never click on links or provide information in response to emails or text messages unless you have absolutely confirmed that the request is legitimate.  In this case, a quick telephone call to Amazon would have resulted in your quickly learning that the email was a scam.

Scam of the day – October 26, 2016 – How to protect yourself in the Internet of Things

Distributed Denial of Service (DDoS) attacks, which temporarily shut down companies’ websites by flooding them with more traffic than they have the capacity to accommodate, are nothing new. What was unusual about last week’s DDoS against Dyn, a prominent Domain Name System (DNS) provider that hosted such popular sites as Amazon, Twitter, Spotify, Netflix and PayPal, was that the botnet of hijacked devices used to launch the attack was not made up of hacked computers. Rather, it was made up of hacked devices such as smart televisions and webcams that make up the Internet of Things: devices connected to the Internet that one would not generally think of as requiring security. However, anything that is connected to the Internet can be hacked and made a part of a botnet, and therefore requires security precautions.

So what can you do to protect yourself from having your devices hacked and becoming part of a botnet?

TIPS

Your first line of defense is your router, so it is important to change the default password with which your router came. In addition, each of your Internet of Things devices should have its own distinct password. Unfortunately, particularly for older devices that are a part of the Internet of Things, security was not built into these devices and they may not even be password enabled. Another helpful device is an Internet hub, which is a device that can control multiple Internet of Things devices through a single mobile app that utilizes dual factor authentication and encryption. The manufacturers of these Internet hubs, such as Samsung’s SmartThings, also provide regular security updates. Not all Internet of Things devices are hub certified, which is why, when buying an Internet of Things device, you should look for hub certification as an indication that the manufacturer is security conscious.

Finally, and perhaps of greatest importance in protecting yourself from becoming part of a botnet, do what you already should be doing: refrain from clicking on links or downloading attachments in emails that may contain the malware enabling a hacker to access first your computer and then move through it to your entire network of Internet enabled devices. Never click on links or download attachments unless you have absolutely confirmed they are legitimate.

Scam of the day – October 22, 2016 – Massive DDoS attack hits Eastern United States

For a few hours yesterday, many Internet users on the East Coast of the United States were unable to access some of the most popular destinations on the Internet, including Amazon, Twitter, Spotify, Netflix and PayPal, as a result of a massive Distributed Denial of Service (DDoS) attack on Dyn, a prominent Domain Name System (DNS) provider that hosts the attacked companies’ websites. Domain Name System providers permit you to type in a simple web address such as anycompany.com, which then gets translated into the long, complicated numeric Internet address of the company and connects you to their website. A DDoS occurs when the DNS provider gets flooded with an overwhelming amount of traffic which causes the website to shut down. Often the traffic comes from an army of botnet computers, which are computers of unsuspecting people that become infected and can be remotely used to send the huge amounts of communications necessary to cause a DDoS. This problem has become magnified as the cybercriminals infiltrate and incorporate into their botnet not just computers, but also the myriad of devices that make up the burgeoning Internet of Things. Anything that is connected to the Internet can be hacked and used to become a part of a botnet. Too often, many of these devices that make up the Internet of Things are poorly protected with weak passwords and are easily hacked.

While this particular DDoS was remedied after a few hours, the threat of DDoS attacks continues to increase.  Banks and other financial institutions have found themselves particularly targeted in the last year by DDoS attacks.  The potential for major disruption of the Internet by DDoS attacks is significant.

TIPS

There is nothing that we as consumers can do to stop DDoS attacks other than to maintain the security of our own computers and devices connected to the Internet to keep them from becoming a part of a botnet. However, there are a number of steps that companies should be taking to protect themselves from future DDoS attacks. In addition to the regular firewalls and routers configured as best they can be to reject malicious traffic, these include the use of load balancers to spread traffic across multiple servers within a network to create additional capacity to handle the traffic, as well as cloud based programs to identify and divert malicious traffic.

Already we have seen the threat of DDoS attacks used to extort money from companies, and the threat that DDoS attacks pose is increased because cybercriminals are now selling the malware necessary to carry out such attacks on the Dark Web, which is that part of the Internet where cybercriminals do business. In addition, cybercriminals can also rent the use of botnets on the Dark Web to assist them in carrying out their crimes.

Scam of the day – October 9, 2016 – Microsoft phishing email

Phishing emails, by which scammers and identity thieves attempt to lure you into either clicking on links contained within the email which download malware or providing personal information that will be used to make you a victim of identity theft, are nothing new. They are a staple of identity thieves and scammers, and with good reason, because they work. Reproduced below is a copy of a new phishing email presently circulating that appears to come from Microsoft on behalf of Outlook. DO NOT CLICK ON THE LINKS. Microsoft is a popular target for this type of phishing email because its products, including Outlook, are used by millions of people. Like so many phishing emails, this one attempts to lure you into responding by making you think there is an emergency to which you must respond or your account will be deleted. As phishing emails go, this one is pretty good. It looks legitimate. However, the email address from which it was sent is that of an individual totally unrelated to Microsoft and is most likely the address of an email account of someone whose email account was hacked and made a part of a botnet of computers used by scammers to send out phishing emails. The grammar and spelling are good, although there are a couple of minor capitalization mistakes and a missing comma. Also, as so often is the case, the email is not directed to you by name. It carries a professional looking photograph, but that is meaningless.

 

Your Services Agreement and Privacy Statement made clearer

Dear Outlook.com User.

we’re updating the Microsoft Services Agreement and the Microsoft Privacy Statement. We want to take this opportunity to notify you about these updates for your safety.
If you do not update your Microsoft account within 24 hours your account will be deactivated and deleted from our server and you will no longer have access to many of the outlook.com features for improved Conversations.
Take a minute to update your account for a faster, safer and full-featured Microsoft Outlook experience and to avoid your account being De-Activated. 

 
Update Your Account

Thank you for using Microsoft services.

Microsoft respects your privacy. To learn more, please read our Privacy Statement.

Microsoft Corporation
One Microsoft Way
Redmond, WA 98052

TIPS

There are a number of indications that this is not a legitimate email from Microsoft, but instead is a phishing email. Legitimate companies would specifically direct the email to you by your name. This one has a generic “Dear Outlook.com User.” As with all phishing emails, two things can happen if you click on the links provided. Either you will be sent to a legitimate looking, but phony webpage where you will be prompted to input personal information that will be used to make you a victim of identity theft or, even worse, merely by clicking on the link, you may download keystroke logging malware that will steal all of your personal information from your computer or smartphone and use it to make you a victim of identity theft. If you receive an email like this and think it may possibly be legitimate, merely call Microsoft’s customer service department at 1-800-642-7676, where you can confirm that it is a scam. Make sure that you dial the telephone number correctly, because scammers have been known to buy phone numbers that are just a digit off of the legitimate numbers for companies to trap you if you make a mistake in dialing the real number.

Scam of the day – June 24, 2016 – EMV chip card update

It has been eight months since the mandate to the credit card companies and merchants to switch to the new EMV chip credit cards, which generate a unique random code for each transaction. That code renders useless the hacking of retailers to steal credit card information, which we have seen so many times in the past few years, most notably with Target in 2013. Yet despite the October 1, 2015 deadline for merchants and credit card companies to switch to the new EMV chip credit cards in order to avoid liability for fraudulent credit card purchases, recent surveys indicate that only 70% of American credit card holders have EMV chip credit cards and less than 37% of merchants have adopted the new technology. Many smaller retailers have made the decision not to switch to the new processing equipment required to process EMV chip credit cards because they have determined that the cost of updating and changing their card processing equipment is greater than they perceive their risk of potential liability for fraudulent card use to be. Other retailers have updated their equipment, but have been delayed in having it become operative because it must be certified by each payment network, such as MasterCard and Visa, used by the merchant. Some merchants have even sued MasterCard and Visa over the delays.

TIPS

The rules regarding the shifting of liability for fraudulent charges do not directly affect consumers; however, that does not mean that consumers can just ignore this matter. Scammers are still taking advantage of the fact that 30% of Americans still have not received a new EMV chip card by emailing them, posing as their credit card companies and asking for information in order to process their new EMV chip cards. Unfortunately, people receiving these emails provide the personal information, including their credit card number, which is then used to make fraudulent charges in the names of the scammers’ victims.

So how do you know as a consumer if you receive an email purporting to be from your credit card company that it is legitimate?

First check the address of the email sender.  If it appears to come from someone or some company wholly unrelated to your credit card issuer, it is a scam.  Many scammers use hijacked email accounts that become a part of a network of controlled computers referred to as a botnet to send out their emails so that it is difficult to trace the scams back to the scammer.

Merely because the email appears legitimate, is written in proper English and even carries the logo of your credit card company does not mean that it is legitimate. It is easy to copy the logo of a company on to an email. If you get an email from your real credit card company, it will generally be addressed to you specifically by name rather than with a generic greeting of “Dear Cardholder.” In addition, legitimate emails to you will generally reference your account by including the last four digits of your account. However, even paranoids have enemies, so if you do get an email that appears legitimate, but you still have concerns, merely call the company at the number found on the back of your credit card to confirm that the email is legitimate. Make sure that you dial the number correctly, because some enterprising scammers have bought telephone numbers that are quite similar to those of the legitimate customer service numbers for your credit card companies in order to snare people who have misdialed their credit card company.
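
The checks described above (sender address, generic greeting, missing last four digits), together with the false-urgency wording seen in the emails reproduced on this page, can be written as a small Python triage script. This is an added example, not part of the original post; the issuer domain examplebank.com, the sample message and the phrase lists are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message for illustration; addresses and domains are made up.
SAMPLE = """\
From: "Card Services" <j.doe@example.net>
To: you@example.org
Subject: Your new EMV chip card

Dear Cardholder,

To process your new EMV chip card, reply with your full card number
within 24 hours or your account will be deactivated.
"""

# "Dear Cardholder", "Dear Chase customer", "Dear Outlook.com User" ...
GENERIC_GREETING = re.compile(
    r"^\s*dear\s+(?:[\w.]+\s+)?(?:customer|cardholder|user|member)\b", re.I | re.M)
# Pressure wording taken from the sample emails on this page (assumed list).
URGENCY = re.compile(r"within \d+ hours|deactivated|placing a hold", re.I)
# Assumed wording for an account reference, e.g. "card ending in 1234".
LAST_FOUR = re.compile(r"ending in\s+\d{4}\b", re.I)


def sender_domain(msg):
    """Domain part of the From address, lower-cased ('' if missing)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def plain_text(msg):
    """Concatenate text/plain parts (transfer encodings are not decoded here)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload() for p in parts
                     if p.get_content_type() == "text/plain")


def triage(raw, issuer_domains):
    """Return the list of warning signs found in a raw email.

    issuer_domains: domains your own card issuer really sends from
    (you supply these; 'examplebank.com' below is a placeholder).
    """
    msg = message_from_string(raw)
    body = plain_text(msg)
    domain = sender_domain(msg)
    flags = []
    # An unrelated sender is a warning sign. A matching one proves nothing,
    # because the From header is chosen by whoever sends the message.
    if not any(domain == d or domain.endswith("." + d) for d in issuer_domains):
        flags.append("sender-unrelated")
    if GENERIC_GREETING.search(body):
        flags.append("generic-greeting")
    if URGENCY.search(body):
        flags.append("urgency")
    if not LAST_FOUR.search(body):
        flags.append("no-account-reference")
    return flags


if __name__ == "__main__":
    print(triage(SAMPLE, ["examplebank.com"]))
```

An empty result means only that none of these signs were found, not that the email is real; the call to the number on the back of your card remains the confirmation.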

Scam of the day – March 16, 2016 – New Chase phishing email

Phishing emails, by which scammers and identity thieves attempt to lure you into either clicking on links contained within the email which will download malware or providing personal information that will be used to make you a victim of identity theft, are nothing new.   They are a staple of identity thieves and scammers and with good reason because they work.  Here is a copy of a new phishing email that appears to come from Chase bank that is presently circulating.  DO NOT CLICK ON THE LINK.  Like so many phishing emails, this one attempts to lure you into responding by making you think there is an emergency to which you must respond.

Dear Chase customer:

As part of our commitment to help keep your account secure, 
we have detected an irregular activity on your account and we are placing a hold on your account for your protection.
 

Please visit the confirmation of accounts system
www.chase.com

Please enter your information carefully


Sincerely, 

Chase Online Banking Team

ABOUT THIS MESSAGE:

We sent this email from an unmonitored mailbox. Go to chase.com/CustomerService to find the best way to contact us.

Your privacy is important to us. See our online Security Center to learn how to protect your information. Chase Privacy Operations, PO Box 659752, San Antonio, TX 78265-9752.

© 2016 JPMorgan Chase Bank, N.A. Member FDIC

TIPS

There are a number of indications that this is not a legitimate email from Chase, but instead is a phishing email. The email address from which it was sent has nothing to do with Chase, but most likely was from a hacked email account that is a part of a botnet of computers controlled remotely by the scammer. In addition, legitimate credit card companies would refer to your specific account number in the email. They also would not use the generic greeting “Dear Chase Customer,” but would rather specifically direct the email to you by your name. As with all phishing emails, two things can happen if you click on the links provided. Either you will be sent to a legitimate looking, but phony webpage where you will be prompted to input personal information that will be used to make you a victim of identity theft or, even worse, merely by clicking on the link, you will download keystroke logging malware that will steal all of your personal information from your computer and use it to make you a victim of identity theft. If you receive an email like this and think it may possibly be legitimate, merely call the customer service number on the back of your credit card, where you can confirm that it is a scam. Make sure that you dial the telephone number correctly, because scammers have been known to buy phone numbers that are just a digit off of the legitimate numbers for financial companies, such as Chase, to trap you if you make a mistake in dialing the real number.

Scam of the day – February 24, 2016 – FTC settles with fake weight loss merchant

How could Oprah ever steer you wrong? I first reported to you last May about Sale Slash, a company that sold phony weight loss products such as Premium Green Coffee, Pure Garcinia Cambogia, Premium White Kidney Bean Extract, Pure Forskolin Extract and Pure Caralluma Fimbriata Extracts. Last year the Federal Trade Commission (FTC) brought legal action against Sale Slash and a number of individuals involved with the scam. Sale Slash sent spam emails, often from the hacked email accounts of your friends, which had been made part of a botnet of computers sending out emails that appeared to come from your friends with messages such as “hi, Oprah says it’s excellent.” The message would also have links to phony news sites with videos of phony celebrity endorsements. Obviously, neither Oprah Winfrey nor your friend whose email was hacked endorsed these phony weight loss products. Now the FTC has settled the lawsuit with Sale Slash and the other defendants, closing down the scam and requiring them to turn over approximately ten million dollars to the FTC to be returned to the victims of the scam. As further details become available as to how you can make a claim if you were a victim, I will let you know.

TIPS

The truth is that there are no quick fixes when it comes to weight loss and you should be wary of any product that promises you can lose tremendous amounts of weight quickly without dieting or exercise.  You should also be wary of any weight loss product that is sold exclusively either over the Internet or through mail-order advertisements.  It is also important to remember that no cream that you rub in your skin can help you lose substantial weight and no product can block the absorption of fat or calories.  The best course of action when considering a weight loss product is to ask your physician about the effectiveness of a particular weight loss product or program before you reduce your wallet in an effort to reduce your waistline.