Scam of the day – December 16, 2016 – Yet another major data breach disclosed at Yahoo

It was just in September that I told you about a massive data breach at Yahoo affecting as many as five hundred million people, making it the largest data breach in history.   However, as I often say, “things aren’t as bad as you think — they are far worse.”  Earlier this week it was disclosed that Yahoo had also been a victim of an earlier data breach in 2013 that was only recently discovered in which personal information on a billion Yahoo customers was stolen. Included in the stolen information was names, email addresses, telephone numbers, dates of birth, hashed passwords and security questions and answers only some of which were encrypted.

Gaining access to someone’s email account can provide a tremendous amount of personal information that can be leveraged to make that person a victim of identity theft.  This should be a wake up call to everyone, even if you do not use Yahoo email to implement stronger email security measures.

TIPS

As I have suggested many times in the past, you should have a unique password for each of your online accounts so that in the event of a data breach at one online company with which you do business, your accounts at your bank and other online accounts are not in jeopardy. Although Yahoo has indicated that the passwords stolen were hashed, which is a form of encryption, there is still concern that these passwords could still be cracked.  Go to the June 7, 2016 Scam of the day for tips about how to pick strong passwords that are easy to remember.

This is also a good time to check your credit reports with each of the three major credit reporting agencies for indications that your identity may have been compromised. You can get your free credit reports by going to www.annualcreditreport.com   Beware of going to other sites that appear to offer free credit reports, but actually sign you up for costly services.  And while you are at it, you should consider putting a credit freeze on your credit reports at each of the three major credit reporting agencies so that even if an identity thief does manage to steal your personal information, he or she cannot access your credit report to open new accounts.  For more information about credit freezes and links on how to set them up go to the Scam of the day for June 27, 2016.

Whenever possible use dual factor authentication for you accounts so that when you attempt to log in, a one-time code will be sent to your smartphone to insert in order to get access to your account.  For convenience sake you can set up dual factor authentication so that it is only required if you are logging in from a different computer or device than you normally use.

Security questions are notoriously insecure.  Information such as your mother’s maiden name, which is the topic of a common security question can be readily obtained by identity thieves.  The simple way to make your security question strong is to use a nonsensical answer for the question, so make something like “firetruck” the answer to the security question as to your mother’s maiden name.

As always, don’t click on links or download attachments in any email or text message you get unless you have absolutely confirmed that it is legitimate. In addition, scammers armed with personal information gained through a data breach such as this will be targeting people with spear phishing emails attempting to lure you to click on malware infected links.  Any email you may get purporting to be from Yahoo will not contain links or attachments and will not ask you to provide personal information.  For help directly from Yahoo on this matter go to https://help.yahoo.com/kb/helpcentral

Since you can never be sure if a company is going to be subjected to a data breach, try and limit the personal information you provide to all companies.  Don’t leave your credit card number on file for convenience sake and don’t provide your Social Security number unless you absolutely must do so.  Many companies ask for this information although they have no real need for it.

Don’t store sensitive information in your email account where it could be accessed in the event your account is hacked.  You also should encrypt your emails.  There are many simple, free software programs you can use to encrypt your emails.

As for the companies themselves, they should be utilizing encryption to protect stored data as well as utilizing modern analytics programs that can better detect unusual activity.

Scam of the day – October 11, 2016 – FTC refunding 20 million dollars to victims of “free” credit monitoring scam

Following the settlement of lawsuits brought by Illinois, Ohio and the Federal Trade Commission (FTC) against One Technologies, a company that offered free credit monitoring and then without the knowledge or assent of its customers charged them $29.95 per month for the “free” service, the FTC is now sending out refunds checks to victims of the scam.  One Technologies marketed their scam through at least fifty websites using the names MyCreditHealth, Score Sense, FreeScore360.com, FreeScoreOnine.com and ScoreSense.com.  One Technologies paid for advertising on Google, Bing and other search engines so that their advertisements would appear near the top of the page when searching for free credit reports and similar terms.

TIPS

For specific information about the refunds, go to the top of this page to the tab entitled FTC Scam Refunds.  People interested in getting a free copy of their credit reports from each of the three major credit reporting agencies, Experian, Equifax and TransUnion should remember that the only government authorized way to access your credit reports free is by going to www.annualcreditreport.com.  Many companies offer what appear to be free credit reports, however, if you read the fine print, you may find that, as in this case, you are unwittingly signing up for a continuing service.  When signing up for any free service, you should never provide your credit card number.  Sometimes scammers lie to you by saying that they need your credit card number merely for confirmation purposes.  Finally, it is important to remember that merely because a company appears high on the page in a search engine inquiry, does not mean that the company is legitimate.  It may only mean that the company either paid for the spot, as One Technologies did, or the company is adept at manipulating the algorithms used by the search engines to determine placement.  It does not mean that the company has been checked out to be legitimate.

Scam of the day – June 27, 2016 – Why you should have a credit freeze

Regular readers of Scamicide are probably familiar with credit freezes, but it is important to remind everyone about the benefits of this tool that is simply the best thing you can do to protect yourself from identity theft.  A credit freeze is, as the name implies, is a freezing of your credit report at your request whereby no one can have access to your credit report even if they have your Social Security number and other personal information about you.  You control access to the credit report through a special PIN that you choose.   Thus, even if someone was able to steal your Social Security number, they could not parlay that into access to your credit report and use it to purchase things or set up accounts using your name.  If you need to thaw out your credit report at such times as you want to apply for credit in the future, it is an easy procedure to do by using your PIN; then, after your new credit has been established, you can freeze your credit report again.

Here is a link to the National Conference of State Legislature’s webpage that describes the credit freeze laws for each individual state.  Because the laws differ from state to state, you should check on the laws for your own particular state when putting on a credit freeze because the costs differ from state to state.  http://www.ncsl.org/research/financial-services-and-commerce/consumer-report-security-freeze-state-statutes.aspx

The credit reporting bureaus and many of the companies offering identity theft protection services advise people to put a fraud alert on their credit reports at each of the three major credit reporting agencies, Experian, Equifax and TransUnion, if you think you are in danger of identity theft rather than use a credit freeze. With a fraud alert in place, you are supposed to be notified if anyone attempts to open a new account or access credit in your name, which sounds like a good thing and it would be if it weren’t often ignored by businesses opening new accounts or granting credit in your name by identity thieves.

And what is the penalty, you might ask for a company failing to contact you before granting someone credit if you have a fraud alert on your credit report? Zero. Zilch. Nada. There is absolutely no penalty whatsoever if a company chooses to ignore a fraud alert and fails to notify you when someone attempts to open a new account using your name.  So why do credit reporting agencies recommend that people use fraud alerts to protect themselves from identity theft?  The answer is simple. The credit reporting agencies make billions of dollars by selling your information to banks and other companies. With a fraud alert in place, they can continue to sell your information however, if you have a credit freeze in place, they cannot sell your information. With a credit freeze in place, even an identity thief who already has your Social Security number will not be able to access your credit reports to use your credit to make purchases or open accounts in your name.

This is important because before opening new accounts, most companies will do a credit check of the applicant. With a credit freeze in place, a credit check cannot be done and consequently an identity thief will be prevented from opening new accounts

Having your credit frozen will not affect your ability to get your annual free credit reports from each of the three major credit-reporting agencies Equifax, Experian and TransUnion.  It is important to put a credit freeze on your credit report at each of the three major credit reporting agencies.  Here are the links to each of them where you can go to freeze your credit.

Equifax  https://www.freeze.equifax.com

TransUnion:  https://transunion.com/securityfreeze

Experian   https://www.experian.com/freeze/center.html

Scam of the day – May 13, 2015 – What to do if your email is hacked

Yesterday I told you about a scam which starts when you receive an email that appears to come from one of your friends, but in actuality is coming from a scammer who has hacked into your friend’s email account is sending out messages that appear to come from your friend touting a product.  We have all received these emails and hopefully, you just immediately delete them after informing your friend that his or her email account has been hacked and scam emails are being sent to everyone on his or her email address list.

But what do you do if you are the person whose email has been hacked?

TIPS

1. Change your password on your email account. If you use the same password for other accounts, you should change those as well.
2. Change your security question. I often suggest that people use a nonsensical security question because the information could not be guessed or gathered online. For instance, you may want the question to be “What is your favorite color?” with the answer being “seven.”
3. Report the hacking to your email provider.
4. Contact the people on your email list and tell them you have been hacked and not to click on links in emails that appear to come from you. 5.  Scan your computer thoroughly with an up to date anti-virus and anti-malware program. This is important because the hacker may have tried to install a keystroke logging malware program that can steal all of the information from your computer.
6. Review the settings on your email, particularly make sure that your email is not being forwarded somewhere.
7. Get a free copy of your credit report. You can get your free credit reports from www.annualcreditreport.com. Some other sites promise free credit reports, but sign you up for other services that you probably don’t want or need.
7. Consider putting a credit freeze on your credit report. You can find information about credit freezes here on Scamicide.com

Scam of the day – November 11, 2014 – New study on effectiveness of phishing

Phishing, as you probably know, is the term for the tactic used by scammers and identity thieves who pose as a legitimate company, government agency or some other person or entity you trust and lure you into providing personal information that can either be used to make you or someone you know a victim of identity theft.  Recently, Google and the University of California, San Diego completed a study that showed just how effective phishing is.  A common phishing technique is to send an email to someone with a link directing them to a phony, but legitimate appearing website.  Other times, the phony email itself contains a request for personal information.  Startlingly, the study showed that at tHE most effective of these phishing websites up to 45% of people targeted provided the information requested.  Sometimes, the scammers are merely looking to take over your email account so that they can send targeted emails to people on your email list that appear to come from you and may be directed to your friends by name.  This type of phishing is called spear phishing.   Phishing is a tremendously effective scam technique and was at the core of the hacking of Target, Home Depot and many other companies and people.

TIPS

Never click on links or download attachments unless you are absolutely sure that they are legitimate.  Even if they appear to be in an email or text message from a friend, you cannot trust the communication because your friend’s account may have been hijacked by an identity thief or scammer.  Never provide personal information on websites unless you have confirmed that it is legitimate.

If your email account is compromised here are the steps to take:

1. Change your password on your email account. If you use the same password for other accounts, you should change those as well.
2. Change your security question. I often suggest that people use a nonsensical security question because the information could not be guessed or gathered online. For instance, you may want the question to be “What is your favorite color?” with the answer being “seven.”
3. Report the hacking to your email provider.
4. Contact people on your email list and let them know you have been hacked and not to click on links in emails that may appear to come from you. You have already done this.
5. Scan your computer thoroughly with an up to date anti-virus and anti-malware program. This is important because the hacker may have tried to install a keystroke logging malware program that can steal all of the information from your computer.
6. Review the settings on your email, particularly make sure that your email is not being forwarded somewhere.
7. Get a free copy of your credit report. You can get your free credit reports from www.annualcreditreport.com. Some other sites promise free credit reports, but sign you up for other services that you probably don’t want or need.
8. Consider putting a credit freeze on your credit report. You can find information about credit freezes here on Scamicide.

Scam of the day – October 5, 2014 – More banks hacked by suspected hackers of J.P. Morgan Chase

With news of the massive data breach at J.P. Morgan Chase in which names, addresses, phone numbers and email addresses of 76 million households and 7 million small businesses were stolen by what appears to be Russian hackers who may or may not be affiliated with the Russian government dominating the news, it seems perfectly appropriate to wish you a happy National Cybersecurity Awareness month.  As frightening as the spectre of a major American bank being vulnerable to vulnerable to such a massive data breach, you may remember that when the story broke last August of the possible data breach at J.P. Morgan Chase, reports were that there were as many as four other banks that had similarly been hacked.  Now, according to a report in the New York Times, that number is actually risen to nine other major financial institutions that may have suffered data breaches at the hands of the same hackers.  Therefore even if you are not a customer of J.P. Morgan Chase, you should be extra vigilant in regard to all of your financial accounts.

TIPS

Now is the time to implement a eight step approach to protecting yourself from identity theft and data breaches.  The first step is to change your password regularly, such as every six months.  A good password has a mixture of capital letters, small letters, symbols and digits.  Don’t use any word in the dictionary because hackers have computer programs that can guess your password. Instead use a phrase, such as IHate2UsePasswords!!.  This is a very secure password.  You should also have a separate and distinct password for each of your accounts, but you can merely adapt this basic password by adding a couple of distinguishing letters for each account.  For example, you could make this your Amazon password by adding the letters “Am” at the end of your basic password so it reads IHate2UsePasswords!!Am.  This is easy to remember.

You should also use dual factor authentication on your accounts when available.  Dual factor identification provides you with an extra level of security by which more than a password is necessary to gain access to your account.  Generally, when you log in through your password to an account a code is then sent to your smartphone which you then must input in order to access your account.

You also should change the answer to your security question to something completely nonsensical.  Answering a security question is required if you forget your password or if you want to change your password.  Unfortunately the answers to common security questions, such as your mother’s maiden name can be found with a little effort by an identity thief in the many places on the Internet that store personal information.  So instead of the answer to your mother’s maiden name being “Jones,” change it to “Grapefruit.”  No identity thief will find it or guess it and it is silly enough for you to remember.

Don’t click on links or download attachments in any email, text message or social media posting unless you have absolutely confirmed that it is legitimate.  Identity thieves and hackers lure people into clicking on links in such communications that results in the victims downloading keystroke logging malware that can steal all of the information from your computer.

Don’t provide personal information over the phone to anyone whom you have not called.  You can never be sure if the person calling you is legitimate regardless of how compelling the reason he or she gives for you to provide personal information.  Don’t rely on your Caller ID because through a technique called “spoofing” an identity thief can make it appear that his or her call is from the IRS, your bank or some other legitimate entity.  If you think the call may be legitimate, hang up and call the company or agency at a number that you know is real, not the number the caller gives you.

Review all of your accounts regularly and carefully to note the smallest charge that should not be there.  Sometimes identity thieves will put regular reoccurring charges on your credit card or phone bill in the hope that you will not bother to look further into it because the charge is so small.  The earlier you catch identity theft, the easier it is to deal with.

Check your credit report from each of the three major credit reporting agencies every year for evidence of fraud or even mistakes that need to be corrected.  Here is the link to the only official place to get your free credit report https://www.annualcreditreport.com/index.action

Put a credit freeze on your credit report so that even if an identity thief obtains your Social Security number, he or she cannot gain access to your credit report.  Yesterday’s Scam of the day contains the links to the credit reporting agencies to use to freeze your credit.

Scam of the day – December 21, 2013 – What to do if you were a Target hacking victim

With 40 million credit and debit cards affected by the recent hacking of Target, there is a good chance that many Scamicide readers are a part of that group that includes my own wife.  The hacking of Target once again shows that regardless of how careful you are, you are only as safe from identity theft as the place with the weakest security that holds or processes your personal information such as credit cards.  Today I am going to provide the simple steps that you should take if your credit card or debit card was compromised.

TIP

First of all, resolve not to use your debit card for purchases.  Reserve its use for ATMs.  The maximum that you are possibly liable for in regard to fraudulent charges on your credit card is only $50 and most credit card issuers won’t charge you anything.  However, with a debit card, if you don’t notice the illegal withdrawals from your bank account in a timely fashion, you risk losing all of the money in the account and even if you do report the fraudulent activity right away, you will not be made whole by the bank until they have completed an investigation of the matter.

The next thing you should do is check your credit card statement for illegal activity.  Do this online for both speed and to see the most recent transactions.  If fraudulent purchases appear, notify the credit card company to have them remove the charges.  Also file a police report.  You should then cancel the card and have the credit card company issue you a new card.  Even if you have not yet noticed illegal activity, you shouldn’t be complacent because generally in these situations, the thieves sell the stolen credit card information on black market websites and there may be a long time lag before you would see illegal activity on your card.  Why wait for the inevitable?  Cancel the card and get another one.

You also should use this opportunity to obtain your free credit report in order to make sure that there is no evidence of identity theft.  Go to www.annualcreditreport.com.  This is the only source for the free credit reports that you have a right to have by law.  Many other websites with similar names may provide you with a free credit report, but in the fine print, you may find that you have unwittingly signed up for a costly service that you do not want or need.

Finally, you may wish to consider putting a credit freeze on your credit report so that even if someone has sufficient personal information about you to otherwise gain access to your credit report in order to use it to make a large purchase, they would not be able to get access to your credit report because it is frozen and can only be made available by you using a PIN.  You can find all the information you need about credit freezes here on Scamicide.  Just go to the column on the right and click on “credit freezes.”

 

Scam of the day – November 5, 2013 – Email hacking

Two close friends of mine had their email accounts hacked this week and they are not alone by any means.  Email hacking is a common occurrence and it can represent a serious security threat or a benign inconvenience, however, in either event, it is important to act promptly to remedy the situation. Sometimes your email is hacked and used as part of a botnet, which is a zombie network of computers used by scammers to send out spam.  Other times, however, when you are hacked, malware is installed on your computer without your becoming aware of it. One particularly troublesome type of malware is keystroke logging malware that can steal all of the information from your computer and make you a victim of identity theft.  Often you only become aware that you have been hacked when someone on your email list informs you that that you have received an email that appears to have been sent by you, but is strange and arouses suspicion.

TIPS

Here are some tips for what to do if you have been hacked.  For more detailed information, check out my book “50 Ways to Protect Your Identity in a Digital Age.”  You can order it by clicking on the link on the right hand side of this page.

1.  Change your password on your email account.  If you use the same password for other accounts, you should change those as well.

2.  Change your security question.  I often suggest that people use a nonsensical security question because the information could not be guessed or gathered online. For instance, you may want the question to be “What is your favorite color?” with the answer being “seven.”

3.  Report the hacking to your email provider.

4.  Contact people on your email list and let them know you have been hacked and not to click on links in emails that may appear to come from you.

5.  Scan your computer thoroughly with an up to date anti-virus and anti-malware program.  This is important because the hacker may have tried to install a keystroke logging malware program that can steal all of the information from your computer.

6.  Review the settings on your email, particularly make sure that your email is not being forwarded somewhere.

7.  Get a free copy of your credit report.  You can get your free credit reports from www.annualcreditreport.com.  Some other sites promise free credit reports, but sign you up for other services that you probably don’t want or need.

8.  Consider putting a credit freeze on your credit report.  You can find information about credit freezes on my blog www.scamicide.com.

 

 

Scam of the day – March 19, 2013 – Philadelphia identity thief sentenced

The FBI recently announced that identity thief Lawrence Fudge was convicted and sentenced for running an identity theft ring in Philadelphia for at least six years before being caught.  Fudge obtained personal information  from rogue employees he bribed in banks and insurance companies who accessed their company’s records and gave the information about their customers to Fudge who used it to both steal money directly from the victims’ bank accounts as well as use their names and credit to open accounts in his victims’ names which he used to make purchases for himself.

TIPS

You are only as secure as the weakest security of a company with which you do business.  This is an unfortunate fact of life.  However, recognizing this fact, it is important to both limit the personal information you provide companies with which you do business as much as possible as well as make sure that you regularly monitor all of your accounts such as bank accounts on a monthly basis, at least.  You also should get a free copy of your credit report from each of the three credit reporting agencies as is your right under federal law.  The law permits you to get a free copy from each of these companies, TransUnion, Experian and Equifax once a year, however, a smart tactic is to get a free report from one of them and then four months later a free report from one of the remaining companies and finally four months after that a free copy from the last of the companies so that you can get free copies every four months.  Review these reports carefully to uncover any signs of identity theft.