Scam of the day – May 27, 2017 – Target pays $18.5 Million to 47 states to settle security breach claims

Many people trace the era of major data breaches by hackers to the massive data breach at Target during the holiday shopping season of 2013. Credit card and debit card data on approximately 40 million Target customers was stolen as well as other information including email addresses of approximately 70 million Target customers.

Recently 47 states and the District of Columbia settled civil charges against Target related to the data breach, with Target agreeing to pay a total of 18.5 million dollars to be divided among these states and the District of Columbia. California will receive 1.4 million dollars, which is the largest amount that any state will receive. None of this money is to be returned to consumers.

This settlement is very significant because it is part of an escalating trend of companies whose negligence leads to data breaches being held responsible for the harm caused to consumers.

Pursuant to the settlement, Target will implement a comprehensive security program which will include the use of whitelisting analytic software that helps prevent unauthorized malware programs from being downloaded, segmenting of credit card information from other parts of Target’s computer networks and increased use of encryption.


This is a very positive step and, having reviewed in detail the security requirements that Target will be required to implement, I believe these provide a good guide for other companies to use to enhance their data security.

As for all of us as consumers, the best thing we can do is to refrain from using our debit cards for any use other than as an ATM card, because the laws protecting us from unauthorized use of debit cards are not as strong as those protecting us from unauthorized use of credit cards. In addition, whenever possible use your credit card as a chip card rather than as a magnetic strip card for increased security.

Scam of the day – February 28, 2017 – Religious leaders being hacked by scam artists

As many of you know, one of my mottos is “trust me, you can’t trust anyone.” I mention this because of a recent story in the news about a Denver church pastor whose Facebook account was hacked. When a parishioner messaged the pastor about difficulties she was having, her pastor messaged her back telling her about a grant of substantial money he had recently received and gave her the contact information for the grant issuer so she could apply for the money she so desperately needed. Of course the grant was a scam, and the message to her came from the scammer who had hacked into the pastor’s Facebook account. Fortunately, in this instance, the parishioner called her pastor prior to making the payment demanded of the phony grant issuer and managed to avoid being scammed. However, other people have not been so lucky.


Trust me, you can’t trust anyone.  It bears repeating.  Whenever you get an email, text message or phone call, you can never be sure that the communication is coming from who appears to be sending the communication.  It is relatively easy to hack an email account, Facebook account or cell phone.  Therefore, you should never click on a link, download an attachment or provide personal information in response to any communication unless and until you have absolutely confirmed that it is indeed legitimate.

Scam of the day – February 19, 2017 – WhatsApp adds dual factor authentication

WhatsApp is a mobile messaging app for your smartphone that allows you to send text messages, photographs, videos and audio.  With more than a billion people using WhatsApp, it is not surprising that it has become attractive to scammers seeking to use its popularity to lure people into becoming scam victims.  Also, like many popular apps, it has been a target of hackers seeking to take over the accounts of legitimate users of the app and send out malware filled messages that appear to be trustworthy because the messages look like they are coming from someone the victim trusts.

Mere passwords have not proven to be a particularly secure method of authentication. Many people use simple-to-guess passwords, and even what may appear to be complex passwords can often be identified by sophisticated hackers using password cracking software. However, more and more companies such as Facebook, Twitter, Google, Tumblr, Yahoo and others are using dual factor authentication, by which, when your password is used to access your account, a special code is sent to your smartphone that must be entered in order to complete access to the account. This provides dramatically enhanced security. Now WhatsApp has become the latest app to offer dual factor authentication.


Passwords are just too vulnerable to be the sole method of authentication for important apps or accounts. Whenever you are able to use dual factor authentication for a particular website, account or app, you should take advantage of it. Some dual factor authentication protocols do not require the special code when you are accessing the account from the computer or smartphone that you usually use, but only when the request to access the account comes from a different device; this still provides security without your having to enter the special code on every login.
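To make the mechanism described above concrete, here is a small added model of a password-plus-code login with the "remembered device" exception. It is an illustration written for this post, not WhatsApp's or any other vendor's code; the class and constant names (AuthServer, CODE_TTL_SECONDS, TRUSTED_DEVICE_TTL and so on) are invented for the example, and the text-message channel is simulated by appending codes to a list.

```python
"""Model of a password-plus-code login with a remembered-device exception.

Added illustration only; not WhatsApp's or any vendor's implementation.
All names below are invented for this example.
"""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300               # one-time code expires after five minutes
MAX_CODE_ATTEMPTS = 3                # discard the pending code after three wrong guesses
TRUSTED_DEVICE_TTL = 30 * 24 * 3600  # a remembered device stays trusted for 30 days


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated password hash so a stolen database does not leak passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class AuthServer:
    def __init__(self, sent_codes: list):
        self.users = {}             # username -> (salt, password_hash)
        self.pending = {}           # username -> [code, expires_at, wrong_attempts]
        self.trusted = {}           # (username, device_id) -> trust expires_at
        self.sent_codes = sent_codes  # stands in for the SMS channel to the phone

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, hash_password(password, salt))

    def login(self, username: str, password: str, device_id: str, now=None) -> str:
        """First factor. Returns 'denied', 'ok' (trusted device) or 'code_required'."""
        now = time.time() if now is None else now
        rec = self.users.get(username)
        if rec is None:
            return "denied"
        salt, stored = rec
        if not hmac.compare_digest(stored, hash_password(password, salt)):
            return "denied"
        # Password is correct. A device remembered from an earlier login skips the code.
        exp = self.trusted.get((username, device_id))
        if exp is not None and now < exp:
            return "ok"
        # Otherwise issue a fresh six-digit one-time code and "send" it to the phone.
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[username] = [code, now + CODE_TTL_SECONDS, 0]
        self.sent_codes.append((username, code))
        return "code_required"

    def verify_code(self, username: str, code: str, device_id: str,
                    remember: bool = False, now=None) -> str:
        """Second factor. The code is single-use, time-limited and attempt-limited."""
        now = time.time() if now is None else now
        entry = self.pending.get(username)
        if entry is None:
            return "denied"
        expected, expires_at, attempts = entry
        if now > expires_at or attempts >= MAX_CODE_ATTEMPTS:
            del self.pending[username]
            return "denied"
        if not hmac.compare_digest(expected, code):
            entry[2] += 1
            return "denied"
        del self.pending[username]  # single use: the same code cannot be replayed
        if remember:
            self.trusted[(username, device_id)] = now + TRUSTED_DEVICE_TTL
        return "ok"
```

The details worth noticing are the ones the post's one-sentence description leaves out: the code expires, is accepted only once, is compared in constant time, and a device is only trusted for a limited period after a successful code entry.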

Scam of the day – October 9, 2016 – Microsoft phishing email

Phishing emails, by which scammers and identity thieves attempt to lure you into either clicking on links contained within the email which download malware or providing personal information that will be used to make you a victim of identity theft, are nothing new. They are a staple of identity thieves and scammers, and with good reason, because they work. Reproduced below is a copy of a new phishing email presently circulating that appears to come from Microsoft on behalf of Outlook. DO NOT CLICK ON THE LINKS. Microsoft is a popular target for this type of phishing email because its products, including Outlook, are used by millions of people. Like so many phishing emails, this one attempts to lure you into responding by making you think there is an emergency to which you must respond or your account will be deleted. As phishing emails go, this one is pretty good. It looks legitimate. However, the email address from which it was sent is that of an individual totally unrelated to Microsoft and is most likely the address of an email account of someone whose account was hacked and made a part of a botnet of computers used by scammers to send out phishing emails. The grammar and spelling are good, although there are a couple of minor capitalization mistakes and a missing comma. Also, as so often is the case, the email is not directed to you by name. It carries a professional looking photograph, but that is meaningless.


Your Services Agreement and Privacy Statement made clearer

Dear User.

we’re updating the Microsoft Services Agreement and the Microsoft Privacy Statement. We want to take this opportunity to notify you about these updates for your safety.
If you do not update your Microsoft account within 24 hours your account will be deactivated and deleted from our server and you will no longer have access to many of the features for improved Conversations.
Take a minute to update your account for a faster, safer and full-featured Microsoft Outlook experience and to avoid your account being De-Activated. 

Update Your Account

Thank you for using Microsoft services.

Microsoft respects your privacy. To learn more, please read our Privacy Statement.

Microsoft Corporation
One Microsoft Way
Redmond, WA 98052


There are a number of indications that this is not a legitimate email from Microsoft, but instead is a phishing email. Legitimate companies would specifically direct the email to you by your name. This one has a generic “Dear User.” As with all phishing emails, two things can happen if you click on the links provided. Either you will be sent to a legitimate looking, but phony webpage where you will be prompted to input personal information that will be used to make you a victim of identity theft or, even worse, merely by clicking on the link, you may download keystroke logging malware that will steal all of your personal information from your computer or smartphone and use it to make you a victim of identity theft. If you receive an email like this and think it may possibly be legitimate, merely call Microsoft’s customer service department at 1-800-642-7676, where you can confirm that it is a scam, but make sure that you dial the telephone number correctly because scammers have been known to buy phone numbers that are just a digit off of the legitimate numbers for companies to trap you if you make a mistake in dialing the real number.
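The indicators listed in this post (sender address unrelated to the brand, generic greeting, manufactured urgency, and a link that does not lead to the brand's own site) can be checked mechanically. The following Python script is an added illustration, not something from the original post: it runs those checks over the reproduced email text. Because the post does not print the sender address or the link target, both are constructed placeholders (example.net and account-update.example), and the list of domains a genuine Microsoft notice would use is an assumption.

```python
"""Heuristic phishing-indicator check, run on the Microsoft/Outlook message
reproduced in the post. Added illustration; sender address, link target and
the brand-domain list are constructed placeholders / assumptions."""
import re
from urllib.parse import urlparse

# Domains we assume a genuine Microsoft account notice would send from and link to.
BRAND_DOMAINS = {"microsoft.com", "outlook.com", "live.com", "office.com"}

GENERIC_GREETING = re.compile(r"^\s*dear\s+(user|customer|member|client)\b", re.I | re.M)
URGENCY_PHRASES = [
    r"within \d+ hours?", r"de-?activated?", r"deleted", r"suspended",
    r"no longer have access", r"immediately",
]


def sender_domain(address: str) -> str:
    """Domain of an address such as 'Name <user@host>'; '' if none is found."""
    m = re.search(r"<?([^<>\s]+)@([^<>\s]+?)>?\s*$", address)
    return m.group(2).lower() if m else ""


def _registrable(host: str) -> str:
    """Crude last-two-labels reduction: mail.microsoft.com -> microsoft.com."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def phishing_indicators(msg: dict) -> list:
    """Return human-readable findings; an empty list means no heuristic fired."""
    findings = []
    body = msg.get("body", "")
    dom = sender_domain(msg.get("from", ""))
    if _registrable(dom) not in BRAND_DOMAINS:
        findings.append(f"sender domain '{dom}' does not belong to the claimed brand")
    if GENERIC_GREETING.search(body):
        findings.append("generic greeting instead of the recipient's name")
    hits = [p for p in URGENCY_PHRASES if re.search(p, body, re.I)]
    if len(hits) >= 2:
        findings.append(f"urgency/threat language ({len(hits)} phrases)")
    for text, href in msg.get("links", []):
        host = urlparse(href).hostname or ""
        if _registrable(host) not in BRAND_DOMAINS:
            findings.append(f"link '{text}' points at '{host}', not the brand's domain")
    return findings


# Constructed sample: body text as reproduced in the post; sender and link are placeholders.
SAMPLE = {
    "from": "Jane Doe <jane.doe@example.net>",  # constructed: an individual unrelated to Microsoft
    "subject": "Your Services Agreement and Privacy Statement made clearer",
    "body": (
        "Dear User.\n\n"
        "we're updating the Microsoft Services Agreement and the Microsoft Privacy Statement. "
        "We want to take this opportunity to notify you about these updates for your safety.\n"
        "If you do not update your Microsoft account within 24 hours your account will be "
        "deactivated and deleted from our server and you will no longer have access to many "
        "of the features for improved Conversations.\n"
        "Take a minute to update your account for a faster, safer and full-featured Microsoft "
        "Outlook experience and to avoid your account being De-Activated.\n"
    ),
    "links": [("Update Your Account", "http://account-update.example/login")],  # constructed
}

if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE):
        print("-", finding)
```

All four indicators fire on the sample, while a notice sent from microsoft.com, addressed by name and linking to login.live.com produces no findings. The heuristics are deliberately simple; a mail filter would combine them with header authentication results rather than rely on text patterns alone.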

Scam of the day – March 1, 2016 – Kohl’s cash loyalty program scam

Many of you are probably familiar with Kohl’s, a national department store chain. Like many companies, it has a loyalty program. Kohl’s loyalty program, which is called “Kohl’s Cash,” credits registered Kohl’s customers with ten dollars for every fifty dollars that customers spend at the store, which can then be used for subsequent Kohl’s purchases. Recently a number of Kohl’s customers’ Kohl’s Cash accounts were hacked, and the hackers used the customers’ credit cards, which were also registered with Kohl’s Cash, to order large and expensive items that were then delivered to the Kohl’s customers whose accounts were hacked. Although this might initially seem puzzling as to how a hacker could profit from the scheme, the effectiveness of the scheme becomes more apparent when you realize that what the hackers are really after is the Kohl’s Cash generated by the purchases. The Kohl’s Cash is emailed to the hacker, who changed the account’s email address when he or she hacked into the account, and upon receiving the Kohl’s Cash credits the hacker uses them to buy other products which he or she can then sell on the black market. The reason the hackers initially order large items is to make it more inconvenient for the hacked customers to return the unordered merchandise to the store, which would cancel the corresponding issuance of Kohl’s Cash on the transaction.

It does not appear that Kohl’s as a company has suffered a data breach as much as it appears that it is the accounts of individual Kohl’s customers whose accounts were hacked because the hacker had access to or was able to guess the customers’ passwords.


This scam again highlights the importance of having strong, unique passwords for each of your online accounts.  Often companies with weak security are hacked and the hackers steal passwords accessed in the data breach to access other accounts of the victims of the data breach when the same passwords are used.  Other times it is the victims themselves who have had their data stolen directly from their computer, laptop, smartphone or other electronic device when they have unwittingly downloaded keystroke logging malware, most often as a result of phishing that lured the unsuspecting victim into clicking on a link containing the malware.  Thus it is important to use strong, unique passwords for each of your accounts as well as maintain up to date security software on all of your devices as well as refrain from clicking on links in emails or text messages unless you have absolutely confirmed that the email or text message is legitimate.

Scam of the day – January 13, 2016 – The Cybersecurity Act of 2015 explained

Deep in the trillion dollar federal spending bill that President Obama signed into law on December 18, 2015 was the Cybersecurity Information Sharing Act of 2015 (CISA) which establishes a voluntary cybersecurity information sharing program for the public and private sectors to share information about cyberthreats.  This law was, as many are, a compromise version of competing House and Senate versions of the cybersecurity bill.

The sharing of information about cyberattacks, data breaches and hacks by corporations and others with applicable federal agencies is seen by many as a critical step in protecting the public from these types of attacks. However, many companies were hesitant to share information after they had suffered a data breach or other cyberattack for many reasons, including concerns about the privacy rights of people whose information would be included in the information provided to the government, as well as concern about possible liability on the part of the companies.

The new law provides for individuals, companies, groups, state governments and local governments to share with the federal government both cyber threat indicators and defensive measures.  The law specifically indicates that personal information of individuals is to be removed from the data before being shared.  The law provides for the information to be initially provided to the Department of Homeland Security, which will then, in turn, share the information with other appropriate federal agencies and other entities that have appropriate security clearances.  The federal government is specifically prohibited by provisions in CISA from using this information for any purpose other than cybersecurity purposes and the data will not be available to the public through the Freedom of Information Act.  As an incentive to private companies to share this type of information, the law specifically protects them from any liability related to the monitoring of their information systems or the sharing of the information.


This law, which is Congress’ first major cybersecurity legislation, is indeed a modest start to dealing with a major problem. The program is purely voluntary, and many privacy advocates are concerned that the law does not provide enough protection of personal data against misuse by the federal government. Whether the critics are correct is not immediately apparent from the specific wording of the legislation, but will only become known after the law is fully implemented. However, the importance of Congress finally taking some, albeit small, steps toward dealing with a major threat to us all should not be minimized.

Scam of the day – December 18, 2015 – Congress close to passing cybersecurity legislation

For years Congress has been debating much needed cybersecurity legislation without much success. Now it appears that a cybersecurity bill that includes provisions previously approved by the House of Representatives and the Senate will be included in the omnibus spending bill, which is close to passage and needed to maintain the funding of the federal government. The essence of the cybersecurity proposal is the sharing of information by businesses and the federal government about technical aspects of cyberthreats such as hacking attacks and malware. Much of the opposition by businesses to this type of legislation over the years has been the concern of businesses that such sharing could make them vulnerable to lawsuits. In response to this concern, the new proposed legislation provides for protection from certain types of lawsuits, such as lawsuits based upon violations of electronic privacy protections. Meanwhile there continues to be opposition to the proposed law, deemed “The Cybersecurity Act of 2015,” from some privacy advocates who believe the proposed law does not do enough to protect personal information when data is shared pursuant to it. However, supporters of the bill, including President Obama, have said that the protections of corporations from liability in data sharing will only apply if the companies remove personal information when sharing cyberthreat information.


I believe that this law is a major step forward in the battle against cybercrime and will help enable companies and the federal government do a better job in fighting the numerous cyberthreats faced by the government and private industry today.  It should also be noted that these threats come not just from cybercriminals and identity thieves, but also from foreign governments and terrorist groups such as ISIS.  It is expected that this law will be passed before the end of the year.  I will keep you updated as to the bill’s progress.

Scam of the day – August 23, 2015 – Ashley Madison class actions

A lawsuit has been filed in Canada against Ashley Madison seeking class action status on behalf of Canadian members of Ashley Madison whose personal information was divulged by hackers recently. The action is being brought against Ashley Madison for failing to protect the privacy of the data that it compiled and retained regarding its members. Meanwhile in the United States, the Oklahoma law firm of Abington, Cole & Ellery is also considering filing a class action against Ashley Madison on similar grounds on behalf of American victims of the data breach.


For more information about the Canadian class action, you can go to the website of Charney Lawyers, one of the law firms that filed the action by clicking on this link.

For more information about the possible American class action, you can go to the website of Abington, Cole & Ellery by clicking on this link.

As for the rest of us who never had any involvement with Ashley Madison, this data breach should serve as a cautionary lesson that every company or governmental agency is susceptible to data breaches and that we all should try to limit as much as possible the amounts of personal information provided to any entity with which we do business. In addition, because of the likelihood of a data breach, never provide information to a company that you would be embarrassed to be associated with.

Scam of the day – October 12, 2014 – Dairy Queen latest data breach victim

Dairy Queen announced a few days ago that it had become the latest company to become a victim of a major data breach, at 395 of its stores, by way of the infamous “Backoff” malware, downloaded onto the computer systems of the affected stores by first hacking into a third-party vendor of Dairy Queen that had access to the Dairy Queen computers. Although the data breach was only recently discovered, the actual breach occurred in August and September. The information stolen as a result of this data breach included the names of customers, their credit card and debit card numbers, as well as the expiration dates of their cards. This is the same malware and same method of implanting the malware that was first used on a large scale in the Target data breach and repeated in numerous other data breaches since then. In fact, I wrote a column for USA Today on September 27th entitled “Coming soon: Another major retailer hacked” in which I provided a fill-in-the-blank format for the stories of future data breaches and predicted exactly how they would occur, which is precisely what happened at Dairy Queen. Here is a link to that column:


As I so often say, you are only as safe as the places you do business with who have the weakest security.  Despite government warnings last July to retailers about the dangers of the “Backoff” malware, thousands of retailers have still not taken the necessary steps to protect their computer systems.  All that we can do is to refrain from using debit cards for retail purchases and only use credit cards.  The laws protecting you from fraudulent use of debit cards are not as strong as those that pertain to fraudulent use of credit cards.  Also, since there is always a time lag from the time that the data breach actually occurs and when the company realizes that it has been hacked, it is important to regularly monitor your credit card statements for fraudulent purchases.

Scam of the day – August 11, 2014 – Identity thief sentenced – what it means to you

Recently, Turkish citizen Alper Erdogan was sentenced to more than nine years in prison and ordered to pay more than a million dollars in restitution after being convicted of aggravated identity theft, conspiracy to commit computer hacking and conspiracy to commit credit card fraud. Erdogan did not do the actual hacking, but did sell the credit card numbers to other identity thieves. Often the people who do the hacking of major companies such as Target do not use the stolen credit card numbers themselves, but rather sell them through the Internet to other identity thieves on black market websites. One such website is called McDumpals, which humorously has a McDonald’s restaurant theme and shows a caricature of Ronald McDonald pointing a gun at the viewer of the screen next to the words “I’m swipin it.” Often payment on these illegal websites is made in bitcoins so that the payments cannot be traced.


One good element of this case is the international cooperation involved in the investigation and prosecution of Erdogan, who was extradited by the Republic of Georgia to stand trial in the United States, although it should be noted that it did take almost two years after Erdogan was indicted in Florida for the extradition to occur. The bigger lesson is that, once again, people became victims of identity theft because the United States still is lagging behind the rest of the world in issuing and using smart credit cards with computer chips that create a new number each time the card is used. The United States largely continues to use outdated magnetic strip credit card technology that is extremely susceptible to identity theft. It is not expected that retailers and others who process credit cards will switch over to the smart cards until October of 2015, when new regulations will prompt the switch. In addition, it is important to remember that you are only as safe as the places with the weakest security that hold your personal information, such as a credit card, so don’t leave your credit card on record with an online retailer for convenience’s sake, and monitor your credit card usage regularly so you can report any fraudulent charges as soon as possible in order to avoid problems.