Scam of the day – March 4, 2017 – New York financial service company regulations go into effect

In September I first told you about the New York Department of Financial Services new cybersecurity rules for banks and financial services companies doing business in New York. These regulations come in the wake of repeated cybersecurity breaches at many banks and other financial services companies.  While the regulations set minimal standards all institutions must follow, the regulations were written in a manner to encourage companies to go further and not limit security innovation. Among the provisions of the regulations are the establishment of the position of chief information security officer at each company as well as increased use of encryption and dual factor authentication.  In addition, the proposed regulations also carry potential criminal liability for officials of companies not meeting the new standards.  The regulations were originally to go into effect on January 1, 2017, however the effective date was postponed until March 1, 2017.  Financial firms have an additional 180 days to make the changes necessary to comply with the regulations before any enforcement actions will be taken by New York authorities who have also promised a transitional period for compliance with the rules.


While these regulations are a good start toward more secure banking, it is still important for all of us to take responsibility for our own secure banking.  First and foremost you should monitor your bank accounts often for indications of any irregularities.  You should be particularly careful when banking with your smartphone or on your computer.  Use a strong password, strong security question and multi factor authentication whenever possible.  Here is a link to a column which I wrote for USA Today with more tips on how to protect yourself when banking online or on your phone.

Scam of the day – November 26, 2016 – Naval records at Hewlett Packard hacked

In an all too familiar story, it has just been disclosed that personal information including names and Social Security numbers of 134, 386 present and former Navy employees was compromised in a hacking of a laptop of a Hewlett Packard employee.  Hewlett Packard had this information through a contract on which it was working for the U.S. Navy.  Further details of the hacking have not been released, but the fact that such a hacking occurred leads to concerns that the pattern established years ago in hacking of NASA laptops in which the laptops were not password protected and the data contained therein was unencrypted is repeating itself.


The continuing negligence of many companies and government agencies in not properly protecting sensitive personal data that can readily be used for purposes of identity theft is disappointing and startling.  There are many simple security steps that are easily taken, such as password protecting laptops and other electronic devices as well as encrypting sensitive data and the use and updating of security software that should be done by all companies and government agencies without exception.

The lesson, however, is one that we should also practice in our own lives.  We as individuals are regularly targeted by identity thieves so al of us should protect each of our electronic devices with a unique password, sensitive data should be encrypted and stored in the cloud or in a portable hard drive, dual factor authentication should be used whenever possible, install and update security software on all of your electronic devices and don’t click on links in emails or text messages unless you have absolutely confirmed that they are legitimate.  These are just a few of the simple protocols we should all follow to decrease the chances of our becoming victims of identity theft.

Scam of the day – September 28, 2016 – Apple iOS 10 vulnerable to hacking

The Russian security firm, Elcomsoft has discovered  a major security flaw in the iOS 10 used to operate Apple’s iPhones that enables hackers to more readily get through the iPhone’s security system and access data stored on a PC or Mac computer.  This is a significant security flaw and Apple has acknowledged its existence and is busy working on a solution.  As soon as a security update for the iOS 10 is released, I will report on it to you.


Meanwhile if you have an iPhone using the iOS 10 operating system, you should make sure your PC or Mac where you store data from your phone is protected with a strong and unique password.  You should also encrypt all of the data stored on your computer to further protect its security.

Scam of the day – September 24, 2016 – Massive Yahoo data breach

Today’s Scam of the day will be a bit longer than usual, but the added length is necessary to discuss the recent announcement of the massive data breach at Yahoo affecting as many as five hundred million people, making it the largest data breach in history.   Yesterday, Yahoo announced that it had been the victim of a data breach that began two years ago.  Yahoo has attributed the attack to what it called a “state-sponsored actor” and indicated that the compromised information included names, email addresses, telephone numbers, birth dates, encrypted passwords and security questions.  The good news is that no bank account, credit card or debit card information appears to have been involved in the data breach.  However, the information that was stolen is more than sufficient to be utilized for spear phishing emails specifically tailored for purposes of identity theft.

The first indication that there was a problem occurred in June when word of stolen Yahoo data started to be discussed in online forums on the Dark Web where cybercriminals communicate as well as buy and sell stolen data.  Later, in August large batches of stolen Yahoo customers’ data began being sold on a black market website on the Dark Web called TheRealDeal.  Now that the data breach has been confirmed, Yahoo is contacting affected customers, however it is important to remember that scammers are going to also be contacting people through phishing emails attempting to lure people into clicking on links that will download keystroke logging malware that will steal information to be used for purposes of identity theft or to trick people into providing personal information directly in response to the email. Official Yahoo emails will display the Yahoo icon and will not ask you to click on links, download attachments or provide personal information.


As I have suggested many times in the past, you should have a unique password for each of your online accounts so that in the event of a data breach at one online company with which you do business, your accounts at your bank and other online accounts are not in jeopardy.  Although Yahoo has indicated that the passwords stolen were hashed, which is a form of encryption, there is still concern that these passwords could still be cracked.  Go to the June 7, 2016 Scam of the day for tips about how to pick strong passwords that are easy to remember.

This is also a good time to check your credit reports with each of the three major credit reporting agencies for indications that your identity may have been compromised. You can get your free credit reports by going to   Beware of going to other sites that appear to offer free credit reports, but actually sign you up for costly services.  And while you are at it, you should consider putting a credit freeze on your credit reports at each of the three major credit reporting agencies so that even if an identity thief does manage to steal your personal information, he or she cannot access your credit report to open new accounts.  For more information about credit freezes and links on how to set them up go to the Scam of the day for June 27, 2016.

Whenever possible use dual factor authentication for you accounts so that when you attempt to log in, a one-time code will be sent to your smartphone to insert in order to get access to your account.  For convenience sake you can set up dual factor authentication so that it is only required if you are logging in from a different computer or device than you normally use.

Security questions are notoriously insecure.  Information such as your mother’s maiden name, which is the topic of a common security question can be readily obtained by identity thieves.  The simple way to make your security question strong is to use a nonsensical answer for the question, so make something like “firetruck” the answer to the security question as to your mother’s maiden name.

As always, don’t click on links or download attachments in any email or text message you get unless you have absolutely confirmed that it is legitimate.  Any email you may get purporting to be from Yahoo will not contain links or attachments and will not ask you to provide personal information.  For help directly from Yahoo on this matter go to

Since you can never be sure if a company is going to be subjected to a data breach, try and limit the personal information you provide to all companies.  Don’t leave your credit card number on file for convenience sake and don’t provide your Social Security number unless you absolutely must do so.  Many companies ask for this information although they have no real need for it.

As for the companies themselves, they should be utilizing encryption to protect stored data as well as utilizing modern analytics programs that can detect unusual activity.

Scam of the day – August 18, 2016 – Major data breach at health care provider

Recently a Ukranian hacking group called “Pravyy Sector” managed to hack into the server of the Central Ohio Urology Group, which includes twenty-four clinics and posted online literally hundreds of thousands of files that included massive amounts of personal information that could be exploited for identity theft and other illegal purposes.  While you may not be a patient of Central Ohio Urology Group and therefore may not consider this to be a serious matter, but it is very serious because it is just another example of the pervasive lack of security in the health care industry.

As I warned everyone in my USA Today column in which I made my cyberpredictions for 2015, the health care industry is tremendously vulnerable to data breaches and we can expect these data breaches to continue.  Here is a link to that column.

An audit of health care companies and insurers showed that more than 81% of these companies have suffered a data breach in the last two years alone and that number only relates to the data breaches that have been discovered.  There may have been more that remain undiscovered.   The health care industry is the perfect storm for data breaches.  It is a highly digitized industry that has massive amounts of personal information that it shares with numerous offices and institutions and yet has not, in many instances instituted the necessary security precautions to protect the information stored.

The potential consequences of medical company data breaches can be tremendous to affected individuals.  The medical records of an identity thief accessing your medical insurance can become intermingled with your medical records such that you can mistakenly receive improper treatment, such as a potentially deadly blood transfusion of the wrong blood type.  Other information such as your Social Security number which may be stored by a health care provider can be stolen and used for purposes of more traditional identity theft. Finally, the vulnerability of the computer systems of health care providers has made them prime targets for successful ransomware attacks.


The health care industry has got to recognize that it is a prime target of hackers and identity thieves.  Encryption of all data should be the rule and not the exception for health care providers.  Authorization authentication to access records from both on-site and particularly off-site should be enhanced.  As for us as the patients, we should limit the amount of personal information given to health care providers if they do not have a need for it.  Health care providers do not need our Social Security numbers.  Don’t give it to them.  We also should demand that they institute better data security measures.

Scam of the day – July 26, 2016 – Real estate closing scam

On January 20th’s Scam of the day, I first told you about an intricate email scam targeting people involved in the sales of residential real estate that has increased over the past year both in the United States and the UK.  I mention it again today because of recent reports of this scam occurring in the small town of Dewey Oklahoma where Lacey Monday became a victim of the scam.  The scam begins with the hacking into the email account of one of the parties involved with a residential real estate conveyance.  This can be either the buyer, seller, lawyers, title company, real estate agent or banker.  In Lacey Monday’s case it was her title company whose email was hacked.  Unfortunately, hacking into email accounts is a relatively easy thing for a skilled identity thief to do.  The hackers then monitor the communications regarding the progress of the sale of a particular piece of real estate and when the time is right,  generally posing as one of the lawyers, title company or bank mortgage officer, the scammer will email the buyer, telling him or her that funds necessary to complete the sale need to be wired to the phony lawyer’s, title company’s or banker’s account provided in the email.  Everything appears normal so unsuspecting buyers too often are wiring the money to the cyberthieves who then move the funds from account to account to make it difficult to trace the funds.  In Lacey Monday’s case, she lost $25,000 to this scam.  The fact that this scam can occur in small towns as well as large cities show how these types of scams are a threat to you regardless of where you live.


Even if you are not involved in buying or selling a home, it is always a good idea to protect your email account from being hacked.  This means having a strong password and security question.  You can find information about how to pick strong passwords and security questions here in the Scamicide archives as well as in my book “Identity Theft Alert.”  Maintain good anti-virus and anti-malware software on all of your electronic devices including your computer as well as your smartphone and keep your security software up to date with the latest security patches as soon as they are made available.  Don’t click on links in emails or text messages that may contain malware that can steal your personal information from your electronic devices and remember, your security software is always at least thirty days behind the latest malware.

Don’t use public wifi for any financial or business purposes.  Use a virtual private network to encrypt your data when using your electronic devices in public.  Never provide personal information in response to an email regardless of how legitimate it may appear until you have independently confirmed that the email is legitimate.  Finally, whenever you are asked through an email or text message to wire funds as a part of a real estate or other business transaction, don’t do so until you have confirmed that the request and the account to which you are being asked to wire the funds are legitimate.  Appearances can be deceiving so always confirm.  It may seem a bit paranoid, but remember, even paranoids have enemies.

Scam of the day – November 30, 2015 – Data breach at VTech Learning Lodge

Hong Kong company VTech Holdings Limited has announced that its Learning Lodge app store has been hacked.  The data breach may involve as many as 4.8 million accounts and include personal information on more than 200,000 children which brings a new level of concern about this particular data breach.  Learning Lodge is an app store for  high tech learning games and other educational toys for children.

The adult customer information compromised in the data breach includes names, email addresses, encrypted passwords, security questions and answers, IP addresses and mailing addresses.  Although the passwords were stolen in their encrypted form, VTech used older, less secure encryption algorithms, which can be readily cracked by sophisticated cybercriminals.  This means that the customers whose data was stolen are in particular danger if they, like so many people do, use the same password for multiple accounts.

In addition, the potential for exploitation of the children’s data stolen brings a new wrinkle to this data breach.  Children’s names and birth dates could be tied to their parents through the stolen information thereby establishing a new avenue for identity theft and fraud.  Spear phishing using this information, whereby malware containing emails could be made to appear legitimate, pose a real threat to the victims of this data breach.


Once again, people are becoming vulnerable to identity theft due to the lack of proper security measures by a company with which they do business.  However, the failure of people to protect themselves by using unique, distinct passwords for each of their accounts substantially contributes to their risk of identity theft.  The lesson is to remember that you should always have a distinct and unique password for each of your online accounts.  It should be a complex password so that it cannot be broken by simple brute force attacks that use millions of guessable combinations such as any word in the dictionary or such common passwords as 123456.  One good way to pick a complex password is to pick a phrase, such as “I Don’t like passwords” and turn it into the basis for a password by making it IDon’tLikePasswords.  This password is already complex in that it has words and a symbol.  Now add a couple of symbols at the end of the password so it may read IDon’tLikePasswords!!! and you have an easy to remember, but strong password.  Now you can just adapt it for each of your online accounts with a few letters to identify the account.  Thus, your Amazon password can be IDon’tLikePasswords!!!Ama and you have a strong, but easy to remember password.

Scam of the day – October 21, 2015 – Investment scam update

Late last week, the director of the Securities and Exchange Commission’s Division of Enforcement warned brokerage houses and other financial companies that they risk serious SEC enforcement action if they fail to implement proper cybersecurity plans.  This comes on the heels of the data breach at Discount brokerage firm Scottrade which I told you about in the Scam of the day for October 4th as well as the SEC’s fine of R.T. Jones Capital Equities Management in September for failing to take adequate steps, such as encryption, to protect their customers data.

Like so many cybersecurity problems, this one is not as bad as you think.  It is far worse.  According to an SEC survey, 88% of broker-dealers and 74% of investment advisers suffered cyberattacks in the last year.  Making the problem even worse, according to the SEC, only 15% of broker dealers and 9% of advisers guarantee that they will totally reimburse their customers for losses due to cyberattacks.  In particular, many of these companies have fine print in their contracts that passes the liability on to the customers if the customers are considered negligent in the loss of their data.


So what can you do to keep your investments safe?

As always, the first place to look for that helping hand is at the end of your own arm.  Make sure that you use a unique and complex password for your investment accounts.  You can go to the Scamicide archives for instructions as to how to pick a strong and secure password.  Also important is to use dual factor authentication whenever possible so that even if someone manages to steal your password, they will not be able to access your account.  With dual factor authentication, a one-time code is sent to your smartphone whenever you need to access your account.  In addition, you should make sure that all of your electronic devices including your computer and smartphone are protected with the most up to date anti-virus and anti-malware software.  Too many people fail to protect their smartphones with a password or security software.  Finally, monitor your accounts regularly for indications of security breaches.

But what about your investment broker or adviser?  How do you know if they are trustworthy?

Make sure you understand your broker’s policy for reimbursement of customers if a data breach occurs and consider taking your business somewhere else if the answer is unsatisfactory.  Ask them what measures they take to ensure cybersecurity including the use of encryption and dual factor authentication.  Also, find out how they limit access to data to only those people who have a need to see your information.  Finally, find out if they are covered by cyberinsurance.

Scam of the day – June 3, 2015 – Heartland Payment Systems data breach

If the name Heartland Payment Systems seems familiar, it should.  Heartland, which processes credit and debit card payments for retailers as well as payroll processing was the target of one of the first major data breaches in 2008 when information on 130 million credit cards and debit cards were stolen by hacking into Heartland’s computer system.  Now Heartland, as required by California law, has reported to the California Attorney General that it had become a victim of a data breach on May 8th at its offices in Santa Ana, California.  This time, however, the thieves physically broke into the office and along with televisions and other personal property took eleven computers, four of which contained personal information used to process payrolls.  Sensitive personal information on approximately 2,200 people was included on those computers which, although the computers were password protected did not encrypt the data, thereby leaving these people in danger of identity theft if the computers end up in the hands of sophisticated identity thieves.


Those people whose personal information was compromised by the robbery have already been personally notified by Heartland.  However, this is a good lesson to individuals, companies and governments everywhere that data security is not just a matter of securing your computer systems, but also physically securing your computers.  This case also highlights the need for computers with sensitive information to encrypt the data so that if the actual computer is stolen, the information would remain safe.  This same precaution applies to your smartphone and other electronic devices.