Scam of the day – June 12, 2015 – Major breakthrough in hacking of nude celebrity photos

In my Scam of the day for September 2, 2014, I told you about the theft of nude photos of more than a hundred celebrities, including Jennifer Lawrence, Kate Upton, Kim Kardashian and Hope Solo, that were posted online. It has taken almost a year, but it appears the FBI has made a major breakthrough in the case following the execution of a search warrant for the home and computers of a Chicago man whose computers had been used to hack approximately 572 iCloud accounts. The details of the search warrant also confirmed how the hackings were accomplished. They had less to do with Apple’s security and more to do with the celebrities falling prey to phishing emails and with password resetting that enabled the hacker to gain access to the victims’ iCloud accounts; at other times the photos were stolen directly from the hacked phones.

It appears that in many instances the hacker used the “forgot password” link on Apple’s iCloud, answered the security questions, and was able to reset the victims’ passwords and gain access to their iCloud accounts. In other instances, the phones were hacked directly and the photos were stolen from them.

TIPS

There are a number of lessons that we all can learn from how easy it was for the hacker to steal these photos. All of us can be targets of hacking and we need to protect ourselves. You should use a unique password for each of your accounts so that if any one of your accounts is hacked, the rest of your accounts are not in jeopardy. Make sure the password is a complex password that cannot be guessed through a brute force attack. Check out my book “Identity Theft Alert” for advice as to how to pick a secure and easy to remember password. Also, even if you are not a celebrity, you would be surprised how much information is online about you that can be used to come up with the answer to your security questions. It is for this reason that I advise you to use a nonsensical answer to your security question, such as the answer “Grapefruit” for the question of what is your mother’s maiden name. Also, take advantage of the dual-factor identification protocols offered by Apple and many others. With dual-factor identification, your password is only the starting point for accessing your account. After you have entered your password, the site you are attempting to access will send a special one-time code to your smartphone, which you must enter to access your account. Had Jennifer Lawrence and the other hacked celebrities used the dual-factor identification protocol, they would still have their privacy. It is also important to note that merely because you think you have deleted a photograph or video from your smartphone, that may not be the case. Smartphones save deleted photographs and videos on their cloud servers, such as the Google+ service for Android phones and iCloud for iPhones. However, you can change the settings on your smartphone to prevent your photos from automatically being preserved in the cloud.

Scam of the day – January 19, 2015 – University employee payroll scam

The Internet Crime Complaint Center, known as IC3, has issued an alert warning about a spear phishing scam aimed at university employees around the country. It starts with an email addressed specifically to the intended victim by name. The email looks official and appears to have been sent by the Human Resources Department of the college or university where the intended victim works. The email informs the potential victim that there has been a change in the employee’s status and that the employee is required to click on a link contained in the email. The link takes the employee to a website that appears to be that of the Human Resources Department for the college or university where the victim works, where the employee is prompted to input information. The website is counterfeit. The scam is a ruse intended to obtain the login information of the potential victim. Once this information is provided to the scammer, he or she then logs on to the real Human Resources Department page and changes the bank account information for where the employee’s check is deposited so that the school sends the victim’s check to a bank account controlled by the identity thief. In addition, since many people use the same user name and password for all of their accounts, the scammers may also attack other accounts of the victim.

TIPS

Although the IC3 warning deals specifically with university and college employees, this scam works just as well with any company that pays its employees through direct deposit, so everyone who is paid through direct deposit should be aware of this scam. Remember my mantra, “trust me, you can’t trust anyone.” Never click on links in emails unless you are sure they are legitimate. In many instances, by clicking on the link, you are unwittingly downloading malware onto your computer or other electronic device. You also should never provide personal information in a reply to an email. Confirm whether or not the request for personal information is legitimate and even then, go directly to a website for the company or other institution that you know is legitimate to provide such information. Finally, as I have warned you many times (sorry to be a nag), use a unique password for each of your accounts so that if your password from a particular account is jeopardized, your other accounts are still safe. This is not as difficult as it might seem. In my book “Identity Theft Alert,” I provide instructions as to how to pick easy to remember, strong passwords.

Scam of the day – January 16, 2015 – Airlines frequent flier accounts hacked

American Airlines and United Airlines both have recently announced that last month frequent flier accounts for thousands of their customers were hacked by identity thieves stealing miles to book free trips and upgrades. Although the hacking occurred in December, the airlines are just now notifying affected customers. Both affected airlines have informed the victims of the hackings that their stolen miles will be restored to their accounts. It is important to note the distinction that the computers of American Airlines and United Airlines were not hacked; rather, the identity thieves had somehow obtained the usernames and passwords of individual customers and used them to gain access to those customers’ frequent flier accounts.

TIPS

The lesson of this scam is one that I have previously mentioned many times, namely, you should use complex usernames and passwords and, most importantly, have different usernames and certainly different passwords for all of your accounts. Otherwise you are at risk for all of your online activities, from banking to retail purchases, if someone manages to steal just one account’s username and password. I have written extensively about how to pick a difficult-to-steal but easy-to-remember password many times before, but one tip is definitely worth remembering. Pick a phrase, such as “IDon’tLikePasswords”, and you can use this complex and strong password, which has symbols, small letters and capital letters, and then strengthen it further by adding a couple of exclamation points at the end to read “IDon’tLikePasswords!!” and then use it as a base password that you distinguish with a few letters for each account. So, for example, if the password were to be for your American Airlines frequent flier account, you could make the password “IDon’tLikePasswords!!AM.”