Identity theft can be high tech, low tech or no tech. Here is a link to a column I wrote for the Saturday Evening Post about the dangers of identity theft posed by your regular snail mail.
On June 5th I reported to you about the data breach at a Lithuanian cosmetic surgery clinic and now we have learned about a similar, but significantly different data breach suffered by prominent Beverly Hills plastic surgeon Dr. Zain Kadri whose patients include people from many states and four countries.
The data breach, which law enforcement says affects approximately 15,000 people, includes tremendous amounts of data, information and documents, including before and after surgery photographs, patient records, credit card information and patient contact information. It appears that Dr. Kadri’s practice was both electronically hacked and physically burgled by a person who, police say, was a former employee.
The patients victimized by this crime face blackmail, extortion and identity theft as a result of the data breach.
Medical practices continue to be a prime target for identity thieves because they are often quite vulnerable to cyberattacks, but as this case apparently shows, data breaches can be carried out through old-fashioned burglaries as well. It is important for all entities that store personal data to take steps to secure that data both physically and electronically, and to limit access to only those employees who need it.
Unfortunately, there is little that we as consumers and patients can do other than to limit the amount of personal information we provide, as best we can. For example, your doctor does not need your Social Security number. We should also inquire of anyone or any entity that retains our personal information about what they do to secure that information.
The Free Application for Federal Student Aid (FAFSA) is a part of the U.S. Department of Education used by college students to apply for much-needed financial aid to assist them in furthering their education. Some of the forms used in the application process require inserting information from past income tax returns. To make the process more convenient, FAFSA provided a data retrieval service connected directly to the IRS to obtain the necessary information. However, scammers, such as two recently indicted men from Indiana and Georgia, are alleged to have hacked into the data retrieval system of FAFSA applicants to get the tax information, which they then used to commit income tax identity theft, attempting to steal approximately 12.7 million dollars in phony income tax refunds.
In response to these problems, FAFSA suspended its data retrieval system until two weeks ago, when it reinstituted the Data Retrieval Tool with the IRS in such a manner that the tax return information will be encrypted and hidden from the view of even the borrower, as well as of anyone hacking into the borrower’s account.
Quite often, as Shakespeare said, the fault is not in the stars, the fault is in ourselves. Too often we become victims of identity theft when the security of particular websites, companies or government agencies that have our personal data is compromised because we provide our passwords and user names to identity thieves by falling prey to spear phishing emails or downloading malware. It is important to never click on a link in an email or download an attachment unless you have confirmed that it is legitimate. Also, never provide personal information to anyone unless you have confirmed that the request is legitimate.
As for students seeking to use the Data Retrieval Tool of the IRS for filing a FAFSA form, you can safely use this service by going to StudentLoans.gov.
Tomorrow is Father’s Day, which for many people is an opportunity to show our fathers how much we love and appreciate them. For scam artists, it is yet another opportunity to scam people.
One of the most common Father’s Day scams involves e-cards, which are great, particularly for those of us who forget to send a Father’s Day card until the last minute. Identity thieves send emails purporting to contain a link to an electronic Father’s Day card, but instead send malware that is downloaded when the victim clicks on the link. This keystroke logging malware enables an identity thief to steal personal information from the victim’s computer that can be used for purposes of identity theft.
Never click on a link to open an e-card unless the e-card specifically indicates who sent the card. Phony e-cards will not indicate the name of the sender. Even if the sender is someone you recognize, you should independently confirm with that person that they indeed sent you an e-card before clicking on the link.
Crystal Candiece Cooper recently pleaded guilty in California to stealing mail and using the stolen mail for purposes of identity theft. At her sentencing, scheduled for September 12th, she faces a prison sentence of as long as thirty years. Identity theft is a high tech, low tech and no tech crime, and while we often tend to focus our attention on high tech identity theft tactics such as spear phishing, no tech tactics are making a comeback, such as fishing for mail with a plastic bottle covered in glue that is lowered into blue public mailboxes to capture mail being sent with checks.
I have warned you for years that leaving mail with checks or credit card information in your personal mailbox outside of your home, with the flag raised to alert your postal carrier that there is mail in your box to be retrieved, is a bad idea because it also alerts identity thieves, who can easily steal the mail. Once they have the checks, they can “wash” the name or even the amount of the check and make the check payable to the thief. They also can use the account number of your check to create counterfeit checks to access your checking account.
Mail thieves also will steal incoming mail from your own personal mailbox which may contain credit card bills, checks and other information and documents that can readily be used for purposes of identity theft.
This is an easy crime to avoid. In regard to paying your bills, the best course of action is to pay your bills electronically and avoid the problem altogether. However, if you cannot do so or prefer to send a paper check by mail, you should use a gel pen that is not easily “washed” to write your checks, and you should mail envelopes with checks in them directly from inside the post office. You also should consider a locked mailbox for your personal mailbox to prevent identity thieves from easily accessing your mail before you do.
Medicare has used a person’s Social Security number as his or her Medicare number since the inception of Medicare, and despite the rest of the country recognizing that this puts Medicare recipients in serious danger of identity theft, Medicare resisted changing the Medicare number to a safer random number for many years. In the Scam of the day for April 23, 2015, I first reported to you about a new law requiring Medicare to start using randomly generated numbers for Medicare identification. The effective date for that law, however, was pushed into the future. Now we are approaching the effective date of the law, and scammers are springing up to take advantage of confusion about the switch to new Medicare numbers to make people victims of identity theft.
Starting in 2018, new cards will be sent by regular mail to all 60 million Americans enrolled in Medicare. Between April 2018 and December 31, 2019 a Medicare recipient can use either his or her old number or the new, more secure Medicare number. Starting in 2020 only the new numbers will be used.
Scammers are already taking advantage of confusion about this transition to the new Medicare numbers by pretending to be Medicare employees, calling Medicare recipients and telling them that they need to register on the phone to get their new card or they will lose benefits. They then ask for their intended victim’s Medicare number, which is the same as their Social Security number, and use that information to make them a victim of identity theft. In another variation of the scam, targeted victims are told they need to pay for the new card through a credit card or by giving the caller their bank account number. The truth is that there is no charge for the new card, but anyone providing this information to a scammer will quickly become a victim of identity theft.
If you are a Medicare recipient, you will get your new card in the mail. There is nothing you need to do and nothing you need to pay to get your new card with your new number in the mail. As for phone calls purporting to be from Medicare, you should never provide your Social Security number, credit card number or any other personal information to anyone who calls you on the phone because you can never be sure they are legitimate. Even if your Caller ID indicates the call is from Medicare, the IRS or some other legitimate organization, through a technique called “spoofing” your Caller ID can be tricked into making it appear that the call is legitimate. If you get a call asking for personal information that appears legitimate, merely hang up and call the company or agency at a number that you independently know is legitimate to find out the truth.
Although the headline may seem a little odd, what it is referring to is another data breach at a major Hollywood movie studio, in this case Disney, where the latest sequel in the successful Pirates of the Caribbean movie series has apparently been stolen through a data breach and the hacker is demanding a ransom which Disney is refusing to pay. If the ransom is not paid, the hacker has indicated he will release the movie online in advance of the theatrical release date of May 26th.
This latest incident comes on the heels of the hacker known as thedarkoverlord posting nine episodes of the popular Netflix original series “Orange is the New Black” on a publicly available file a few weeks ago, as I reported to you on Scamicide at the time. This type of extortion can only be expected to grow as hackers attack the weakest links in movie and television program development.
If the movie is posted online I strongly urge you not to download it. In addition to the morality and ethics of not participating and encouraging this type of crime, you also run the risk of downloading various types of malware including ransomware and keystroke logging malware that can lead to your becoming a victim of identity theft if you go to these rogue websites.
Facebook is very popular with the general public and anything popular with the general public becomes a popular platform for scammers. I have written about many Facebook scams over the years, but the latest one is particularly dangerous because it appears so innocuous. It comes up on your Facebook page under the headline “10 Concerts, but there is one act that I haven’t seen live. Which is it?” While this may appear harmless, the information you provide may tell more about you than the person who appears to be posting it. It may provide information about your approximate age and preferences in music, which can then be used by a scammer to send you a phishing email tailored to appeal to your particular interests. You may trust such an email and click on a link in it that contains either keystroke logging malware that can be used to steal your identity or ransomware.
We all tend to put too much personal information on social media that can be exploited by scammers and identity thieves to our detriment. However, if you, as many people do, find this game and other similar games to be fun to play, you may want to just adjust your privacy setting to “friends only” so that you limit who gets to see your answers.
USAA is the insurer of millions of members of the military as well as many veterans, so it is no surprise that it is the basis for a new phishing email presently being circulated. As with so many phishing emails, this one tells you that you need to click on links in the email in order to resolve security issues. The truth is that if you click on the link or provide personal information, the criminal will use the information you provide to make you a victim of identity theft. Alternatively, merely by clicking on the link provided in the email, you may download keystroke logging malware that will enable the identity thief to steal all of the information in your computer, laptop or other device and use that information to make you a victim of identity theft. In another scenario, clicking on the link will download dangerous ransomware.
Here is a copy of the new phishing email that is presently circulating. DO NOT CLICK ON THE LINKS. As phishing emails go, the graphics are pretty impressive; however, there are grammatical errors, including the word “has” being used instead of “have”. It also should be noted that the email is directed to “Dear Customer” rather than your name and no account number is provided. These are further indications that this is a scam. Finally, this email was sent by an email address that had nothing to do with USAA, but was undoubtedly part of a botnet of computers using email addresses of hacked email accounts to send out the phishing email.
Frankly, whenever you get an email, you can never be sure who is really sending it to you. Obviously, if you receive this email and you do not have an account with USAA, you know it is a scam. However, if you receive something like this that appears to come from a company with which you do business, you should still not click on any links contained in the email unless you have independently confirmed with the company that the email is legitimate. Remember, even paranoids have enemies.
Mother’s Day is fast approaching and scammers are taking advantage of this with phony $50 Lowe’s coupons that are turning up on Facebook pages, luring people with the promise of the free coupon into providing information to a phony survey whose only goal is to gather personal information that will be used by the scammers for purposes of identity theft. Here is a copy of the coupon as it is appearing on Facebook.
While this particular scam uses a free $50 coupon from Lowe’s as the basis of the scam, similar scams have used phony coupons for Home Depot, Target, Ikea and others.
No company could cover the cost of giving away vast numbers of $50 coupons, although sometimes participants in legitimate surveys are promised a chance to win a coupon in a drawing. Facebook is a favorite venue for scammers to use for this type of scam because unwary victims will often unwittingly share the scam with their friends. If you have doubts about the legitimacy of a coupon, the best place to go is the company’s website to see what real coupons are being offered.