Scam of the day – February 6, 2017 – IRS issues urgent alert about evolving W-2 scam

Income tax identity theft is a multi billion dollar problem that costs the government and, by extension,  we the taxpayers billions of dollars each year while tremendously inconveniencing the individual taxpayers whose identities are stolen as it generally takes the IRS months to fully investigate each instance of identity theft and send to the victimized taxpayer his or her legitimately owed tax refund.  Armed with a potential victim’s name and Social Security number, it is a simple matter for an income tax identity thief to file a phony return with a counterfeit W-2 to obtain a fraudulent income tax refund.

A year ago, when this scam first surfaced, I first warned you about identity thieves tricking companies into providing employee W-2s to them.  These stolen W-2s  contain all of the information the identity thieves need to file a fraudulent income tax return.  The scam works by sending phishing emails to HR and accounting departments within companies often posing as the CEO of the company or someone else in upper management requesting copies of all employee W-2s under various guises.  Other times, payroll management companies have been targeted using the same type of phishing emails.  In some instances, the phishing emails have been recognized as scams, but in other instances, companies have unwittingly handed over thousands of W-2s to clever identity thieves.

Now the IRS has issued an urgent alert indicating that the scam has evolved from merely targeting companies to school districts, non-profit organizations, restaurants, temporary staffing agencies and others.  In addition, the IRS is saying that the scammers are now combining this scam with the business email scam by which the employees receiving the email asking for W-2s to be sent are also asking the employees to wire money for various purposes.  According to IRS Commissioner John Koskinen, “Although not tax related, the wire transfer scam is being coupled with the W-2 scam email, and some companies have lost both employees’ W-2s and thousands of dollars.”

TIPS

All companies have got to do a better job of training employees to recognize phishing emails and installing anti-phishing software programs.  In addition, dual factor authentication should be used before transmitting sensitive data to make sure that the person to whom the material is being sent is really who they represent they are.  These same lessons that apply to companies also apply to all of us as individuals, as well.  Phishing is done to steal the identities and information of unwary individuals every day and the best way to protect yourself is to start with remembering my motto, “trust me, you can’t trust anyone.”  Never provide personal information to anyone who asks for it by phone, text message or email unless you have absolutely confirmed that the request is legitimate and the person or company requesting the information has a legitimate need for the information.  Never click on links or download attachments from emails or text messages unless you have confirmed they are legitimate because those links and attachments could contain keystroke logging malware that can steal all of the information from your computer and use it to make you a victim of identity theft.  Finally, keep all of your electronic devices including your smartphone up to date with the latest security software patches.

Scam of the day – January 28, 2017 – Hacker of nude photos of celebrities sentenced

In 2014 nude photos of as many as one hundred celebrities including Jennifer Lawrence, Kate Upton, Kirsten Dunst and Hope Solo turned up online on websites such as Reddit.com and 4chan.org.   The photos were taken from both the Apple’s iCloud accounts of the hacked celebrities as well as their email accounts.  The hacker, a 29 year old self-described “computer nerd” named Edward Majerczyk pleaded guilty to one count of unauthorized access to a protected computer to obtain information and was sentenced earlier this week to nine months in prison.

The manner by which Majerczyk accomplished the hacking was simple, but effective.  He sent spear phishing emails to his intended victims that appeared to come from Apple or Google security in which, under various pretenses, he requested the victims’ usernames and passwords, which he then used to access their email accounts and iCloud accounts from which he stole the photos and videos.

Using a similar tactic, Ryan Collins hacked 600 celebrities thereby obtaining nude photos, as well.  He was convicted and sentenced to eighteen months in prison.

TIPS

There are a number of lessons to be learned from this crime about how to protect our own security.    It is important to resist providing your username and passwords in response to emails and text messages unless you have absolutely and independently confirmed that the request is legitimate, which such requests seldom are.  If you have any concern that such a request might be legitimate, merely call the real company to confirm the legitimacy of the communication.  Also, take advantage of the dual-factor identification protocols offered by Apple and many others.  With dual-factor identification, your password is only the starting point for accessing your account.  After you have inputted your password, the site you are attempting to access will send a special one-time code to your smartphone for you to use to be able to access your account.  In some instances, the companies will only send the code to you if your account is being accessed from a different device than you usually use to access your accounts.  Had Jennifer Lawrence and the other hacked celebrities used dual-factor identification, they would still have their privacy.  It is also important to note that merely because you think you have deleted a photograph or video from your smartphone, that may not be accurate.  Smartphones save deleted photographs and videos on their cloud servers such as the Google+service for Android phones and the iCloud for iPhones.  However, you can change the settings on your smartphone to prevent your photos from automatically being preserved in the cloud.

Scam of the day – December 31, 2016 – President takes action against Russian hackers

In the last Scam of the day for 2016 it is appropriate that we discuss the issue of Russian hacking of American organizations that occurred in 2015 and 2016 that were intended to influence the Presidential election.  Two days ago, President Obama ordered sanctions against Russia including the ejection of 35 Russians spies that the administration said were posing as diplomats and specific actions against three organizations that it said supported the hacking operations.  The possibility of further covert actions against Russia was also hinted at.

A day prior to the President’s announced sanctions, the Department of Homeland Security and the FBI issued a joint analysis report entitled “Grizzly Steppe – Russian Malicious Cyber Activity” in which it provided details about the hackings.  Here is a link to the report.

https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf

TIPS

Although the report contains important information about Russian hacking of American institutions, the report also provides a long list of specific steps that institutions and individuals can take to avoid being a victim of cybercrime.

Here are just a few of the things that all of us as individuals should consider.

  1. Backup all important information offline.
  2. Be on the alert for spear phishing. The report emphasizes, as I have warned you about for years, that the primary cause of hacking is people clicking on links in spear phishing emails that download malware.  Use both anti-phishing security software as well as your own brain to refrain from clicking on links in emails unless you have absolutely confirmed that they are legitimate.
  3. Use strong firewalls with whitelisting configurations by which only approved applications will be allowed to be downloaded on to your computers.  This is much better than blacklisting because it protects you from threats about which you know nothing.
  4. Limit the personal information you provide on social media.
  5. Use dual factor authentication whenever possible.

Scam of the day – December 9, 2016 – Celebrity hacker sentenced

Since 2014 I have been reporting to you about a string of celebrity hackings in which nude photos, videos and other personal material were stolen by a number of different hackers who have been caught, put on trial and sentenced.  The latest celebrity hacker to be convicted for his crimes is Alonzo Knowles who hacked into the emails of various celebrities and athletes from whom he stole not just nude photos and videos, but also unreleased movie and television scripts, unreleased music and financial documents all of which he tried to sell for profit.  Knowles pleaded guilty and his attorneys asked for a sentence of fourteen months in prison.  Instead the judge sentenced him to five years in prison which was considerably more than the recommended federal sentencing guidelines of 27-33 months.  Contributing to the larger sentence was the fact that while in prison awaiting sentencing, Knowles used the monitored prison email system to send out emails in which he bragged about his plans to write a book including photographs in which he would expose the secrets of his victims.  For a sophisticated cybercriminal, this was an incredibly stupid action that showed a lack of remorse to the sentencing judge.

TIPS

Knowles managed to hack into the email accounts of his victims by first targeting friends of his victims.  He identified friends of his victims through photographs appearing on line and then hacked into the email accounts of these people, taking control of the accounts, gathering personal information including telephone numbers from the accounts and then emailing his celebrity targets with spear phishing emails that enabled him to get information from the celebrity victims.   You may remember that the fact that Hillary Clinton was using a private email server while acting as Secretary of State was disclosed not by a hacking of her email, but by a hacking of the email account of one of her advisers, Sidney Blumenthal.

This case serves as another reminder of the important cybersecurity steps we all need to take, particularly in regard to using email.  For personal emails you may wish to use a separate email account than the one you use generally that may be more easily discovered.  You should also use a security question that is not easily guessed or obtained through research.  Colin Powell and many others became victims of email hacking because their security questions were easily guessed enabling the hacker to change their passwords.  I suggest using a nonsensical answer to the email question, such that if the question is what is the maiden name of your mother, you indicate something totally unrelated, such as “firetruck.”  Another option, as cleverly suggested by a regular Scamicide reader is to just add some digits at the end of the answer so, for example, your mother’s maiden name could be “Smith1234.”

It is also important not to store sensitive data in your email folder.  To protect yourself from hackers, you may wish to both encrypt sensitive information on your computer and store it in a portable USB hard drive to protect it from ransomware attacks.  It is important to recognize that anytime you are asked for personal or sensitive information in an email, you can’t be sure if the person contacting you is someone you know and trust or whether their email account had been hacked as was done in this case so never provide personal information in response to an email or text message unless you have confirmed the identity of the person contacting you.   Trust me, you can’t trust anyone.

Dual factor authentication for all accounts where you may have sensitive information is also important.

 

Scam of the day – September 26, 2016 – Arrest made in hacking of Pippa Middleton’s iCloud account

It only took a day from the news becoming public that someone had hacked into the iCloud account of Pippa Middleton, the sister of Princess Kate, the Duchess of Cambridge for authorities to make an arrest.  According to Scotland Yard, a thirty-five year old man has been arrested on suspicion of a Computer Misuse Act Offense related to the hacking.  The hacker claimed to have stolen about 3,000 private photographs including some of her sister Kate as well as her children Prince George and Princess Charlotte along with nude photos of her fiance James Matthews.  Someone purporting to be the hacker contacted several media outlets offering to sell the photographs for approximately $65,000.  At the present time, it is not known how the security breach occurred. You may remember that it was not long ago that photos of nude celebrities such as Jennifer Lawrence and Kate Upton that had been stored on iCloud were hacked and released to the public.  In those instances, the hacker obtained the usernames and passwords of his victims by merely sending phishing emails to his victims that appeared to come from Apple in which his victims were asked to verify their accounts by clicking on a link which took them to a website that appeared to be a login page for Apple.  Once they entered their information, the hacker had all the information that he needed to access his victims’ accounts.  Although Kate Upton and Jennifer Lawrence as well as a number of other hacked celebrities did not use it, Apple has a dual factor authentication security option by which a user’s account can only be accessed after he or she has received an authentication code on their smartphone each time a user accesses his or her account.  Had this security option been used by the hackers of Kate Upton, Jennifer Lawrence and other hacked celebrities involved in the celebrity nude photo hacking, their security would not have been breached.  It is a good option for everyone.

TIPS

For anyone who uses iCloud, you should first protect yourself from phishing attacks, such as the one that was used against Kate Upton and Jennifer Lawrence by always being skeptical when you are asked to provide personal information, such as your user name, password or any other personal information in response to an email or text message.  Trust me, you can’t trust anyone.  Always look for telltale signs that the communication is phony, such as bad grammar or the sender’s email address which may not relate to the real company purporting to send you the email.  Beyond this, even if the email or text message appears legitimate, it is just too risky to provide personal information in response to any email or text message until you have independently verified the message by contacting the real company that purportedly is sending the message.  In addition, you should also use dual factor authentication, which is another tool that would have prevented the Kate Upton and Jennifer Lawrence hacking.

Scam of the day – September 24, 2016 – Massive Yahoo data breach

Today’s Scam of the day will be a bit longer than usual, but the added length is necessary to discuss the recent announcement of the massive data breach at Yahoo affecting as many as five hundred million people, making it the largest data breach in history.   Yesterday, Yahoo announced that it had been the victim of a data breach that began two years ago.  Yahoo has attributed the attack to what it called a “state-sponsored actor” and indicated that the compromised information included names, email addresses, telephone numbers, birth dates, encrypted passwords and security questions.  The good news is that no bank account, credit card or debit card information appears to have been involved in the data breach.  However, the information that was stolen is more than sufficient to be utilized for spear phishing emails specifically tailored for purposes of identity theft.

The first indication that there was a problem occurred in June when word of stolen Yahoo data started to be discussed in online forums on the Dark Web where cybercriminals communicate as well as buy and sell stolen data.  Later, in August large batches of stolen Yahoo customers’ data began being sold on a black market website on the Dark Web called TheRealDeal.  Now that the data breach has been confirmed, Yahoo is contacting affected customers, however it is important to remember that scammers are going to also be contacting people through phishing emails attempting to lure people into clicking on links that will download keystroke logging malware that will steal information to be used for purposes of identity theft or to trick people into providing personal information directly in response to the email. Official Yahoo emails will display the Yahoo icon and will not ask you to click on links, download attachments or provide personal information.

TIPS

As I have suggested many times in the past, you should have a unique password for each of your online accounts so that in the event of a data breach at one online company with which you do business, your accounts at your bank and other online accounts are not in jeopardy.  Although Yahoo has indicated that the passwords stolen were hashed, which is a form of encryption, there is still concern that these passwords could still be cracked.  Go to the June 7, 2016 Scam of the day for tips about how to pick strong passwords that are easy to remember.

This is also a good time to check your credit reports with each of the three major credit reporting agencies for indications that your identity may have been compromised. You can get your free credit reports by going to www.annualcreditreport.com   Beware of going to other sites that appear to offer free credit reports, but actually sign you up for costly services.  And while you are at it, you should consider putting a credit freeze on your credit reports at each of the three major credit reporting agencies so that even if an identity thief does manage to steal your personal information, he or she cannot access your credit report to open new accounts.  For more information about credit freezes and links on how to set them up go to the Scam of the day for June 27, 2016.

Whenever possible use dual factor authentication for you accounts so that when you attempt to log in, a one-time code will be sent to your smartphone to insert in order to get access to your account.  For convenience sake you can set up dual factor authentication so that it is only required if you are logging in from a different computer or device than you normally use.

Security questions are notoriously insecure.  Information such as your mother’s maiden name, which is the topic of a common security question can be readily obtained by identity thieves.  The simple way to make your security question strong is to use a nonsensical answer for the question, so make something like “firetruck” the answer to the security question as to your mother’s maiden name.

As always, don’t click on links or download attachments in any email or text message you get unless you have absolutely confirmed that it is legitimate.  Any email you may get purporting to be from Yahoo will not contain links or attachments and will not ask you to provide personal information.  For help directly from Yahoo on this matter go to https://help.yahoo.com/kb/helpcentral

Since you can never be sure if a company is going to be subjected to a data breach, try and limit the personal information you provide to all companies.  Don’t leave your credit card number on file for convenience sake and don’t provide your Social Security number unless you absolutely must do so.  Many companies ask for this information although they have no real need for it.

As for the companies themselves, they should be utilizing encryption to protect stored data as well as utilizing modern analytics programs that can detect unusual activity.

Scam of the day – September 1, 2016 – International banking system continues to be hacked

In February, cybercriminals hacked into Bangladesh’s Central Bank and managed to steal approximately 81 million dollars.  As a result of this attack, SWIFT, which is a cooperative association of member banks that provides an international messaging system for banks has been investigating the security of SWIFT members and earlier this week it told its members that since the attack on the Bangladesh Central Bank there have been a number of other cyberattacks on banks around the world.   According to the letter, an undisclosed number of attacks against banks around the world were successful although SWIFT did not indicate how many banks were successfully hacked and how much money was lost.

It appears in the hacking of the Bangladesh Central Bank, as with so many types of cybercrimes, this one started with social engineering spear phishing which lured bank employees to unwittingly download the malware used by the hackers to infiltrate the bank’s computers and obtain not just the passwords and cryptographic keys used for electronic fund transfers, but also the emails of bank employees so that they could copy and adapt the emails by which they made their transfers appear legitimate. Armed with this information, the cybercriminals sent dozens of account transfer requests using the international SWIFT banking messaging service from the Bangladesh Central Bank to the Federal Reserve Bank of New York where the Bangladesh Central Bank has accounts containing billions of dollars.  The account transfer requests processed by the Federal Reserve Bank of New York electronically sent about 81 million dollars to accounts in the Philippines where the funds were transferred multiple times including transfers to Philippine casinos in an effort to launder the money.

Late last year banks in the Philippines and Vietnam also suffered similar cyber attacks.  Now cybersecurity investigators are saying that the same type of malware used in all three attacks was the same used by state sponsored North Korean hackers against South Korean banks in 2013 and Sony in 2014.

Although SWIFT is pressing member banks to increase their security, SWIFT has no regulatory authority to mandate such actions, however, in its recent letter to SWIFT member banks, SWIFT indicated that if member banks fail to update their security to meet SWIFT standards by November 19th, SWIFT might report them to bank regulators.  In particular the suggested security measures include better password management and authentication procedures as well as installing better procedures to recognize hacking attempts.

TIPS

All businesses and governmental agencies have got to do a better job at cybersecurity in general.  In particular, greater attention has to be paid to the dangers of social engineering spear phishing which has been at the root of the almost all of the major data breaches at both companies like Target and governmental agencies, such as the Office of Personnel Management.  The international banking system is under attack and although the  security of the SWIFT system itself appear not to have been breached, that is little consolation when individual banks are hacked thereby obtaining the authorizations necessary to utilize the SWIFT system to steal money.  Although SWIFT continues to say that its messaging system is secure, it is apparent that just as the individual banks need to increase their security, so does SWIFT have to recognize the security vulnerabilities that exist in banks around the world and pressure member banks to use dual factor authentication and confirmation protocols in order to protect the security of the international banking system.

Scam of the day – July 7, 2016 – How to protect yourself when using email

The recent decision by FBI director James Comey not to bring criminal charges against Hillary Clinton in regard to her insecure use of email while she was Secretary of State is a good reminder to all of us that we should be more careful when it comes to our emails.  Email accounts are frequent targets of hackers and identity thieves who use access to email to steal personal information not just from politicians and celebrities, but also from business people and ordinary citizens that can be used for purposes of identity theft.  Many of the biggest data breaches and scandals including the Target data breach, the  massive data breach at the Office of Management and Budget and the stealing of nude photos from celebrities such as Jennifer Lawrence can be traced back to email security issues.  Fortunately, there are many simple things you can do to protect the security of your email.

TIPS

Here is a list of simple tips that you can follow to make your email more secure.

  1.  Having a strong password is still the starting point to being more secure with anything you do online.  Go to the Search the Website tab at the top of this page and put in June 7, 2016 which will take you to a Scam of the day in which I tell you how to pick a strong password.  Also, make sure you use a unique password for your email account.
  2. You may wish to use dual factor authentication by which when you log on to your email account, a special code is sent to your smartphone that you must input before you can have access to your account.  This provides greatly enhanced security.
  3. Use a nonsensical answer to your security question so that if someone tries to change your password or get access to your account by answering your security question, they won’t be able to do so.  Finding your mother’s maiden name may be easy for a hacker to do online, but not if you make the answer to  that security question “grapefruit.”
  4. Don’t store sensitive information, data, photos or videos on your smartphone or email account.
  5. Encrypt your emails when you are sending sensitive messages or information.  There are many good, free encryption services such as Infoencrypt https://www.infoencrypt.com/ and Virtru https://www.virtru.com/
  6. Most data breaches are caused by people clicking on links or attachments in phishing or spear phishing emails that contain malware that steals the information from your computer, smartphone or other electronic device.  Never, click on links or download attachments unless you are absolutely sure that they are legitimate.
  7. Install and keep updated security software including anti-phishing software.

Scam of the day – June 7, 2016 – Mark Zuckerberg hacked – he should have paid attention to Scamicide

On May 22nd, I told you about the 117 million email addresses and passwords of LinkedIn users captured in a 2012 data breach of LinkedIn  that were being offered for sale on the Dark Web, which is that part of the Internet where cybercriminals buy and sell stolen data.    I also told you that stolen passwords are useful to hackers because too many people use the same password for all of their accounts and therefore a person’s LinkedIn password may be the same as those used for other accounts so that due to a single data breach, your online security for every online account you use becomes in jeopardy. Mark Zuckerberg, the founder of Facebook should have heeded this lesson because his Twitter and Pinterest accounts were hacked and taken over  for a short time because the hackers had found his password “dadada” in the LinkedIn data breach and used it to access his Twitter accounts and Pinterest accounts.

TIPS

Once again, this serves as a reminder to everyone that you should have unique passwords for all of your accounts.  A strong password contains capital letters, small letters and symbols.  A good way to pick a strong password is to take an easily remembered phrase as your base password.  For instance, you can use the phrase IDon’tLikePasswords as your base password.  Add a couple of !! at the end of the password and you have a strong password.  Since you should have a unique password for each of your accounts, you can adapt this base password for particular accounts by merely adding a couple of letters to distinguish each account at the end of the password so it may read, for instance for a Bank of America account, IDon’tLikePasswords!!BnkoAm.

In addition, Twitter provides for dual factor authentication as an option to be used as an additional security measure when accessing your Twitter account whereby a one-time code will be sent to your smartphone for you to use in order to access your Twitter account.  Zuckerberg failed, however, to take advantage of this option.