Posts Tagged: ‘Identity Theft’

Scam of the day – April 22, 2016 – Epidemic of ATM skimmers

April 22, 2016 Posted by Steven Weisman, Esq.

As regular readers of Scamicide know, skimmers are small electronic devices that are easily installed by an identity thief on ATMs and other card reading devices, such as at gas pumps.  The skimmer steals all of the information from the credit card or debit card used which then permits the identity thief to use that information to access the victim’s bank account when the skimmer is used on a debit card.  If a credit card is used, the identity thief can use the stolen information to access the victim’s credit card account.  Each skimmer can hold information on as many as 2,400 cards.  Recently, FICO Card Alert Service, a company that monitors ATM activity on behalf of banks issued a report indicating that last year the use of skimmers on ATMs increased by 600% over the previous year.

TIPS

Always look for signs of tampering on any machine you use to swipe your credit card or debit card.  If the card inserting mechanism appears loose or in any other way tampered, don’t use it.   Debit cards, when compromised through a skimmer put the customers at risk of having the bank accounts tied to their cards entirely emptied if they do not report the theft promptly and even if they report the theft immediately, they will lose access to their bank account while the matter is investigated by the bank.  Skimmers at ATMs are often coupled with a thin, clear electronic device that goes on top of the keyboard to capture the victim’s PIN to enable the identity thief to access the account of the victim whose account number was captured through the skimmer.  Debit cards should not be used for purchases at gas pumps or for other retail purchases because the legal liability laws related to stolen debit card information are not as protective as the laws relating to fraudulent credit card use.  The FICO Card Alert Service report noted that 60% of the skimmer attacks were done on private, non-bank ATMS so you may wish to avoid those ATMS when possible.

Credit card rules required the use of new EMV smart chip credit card equipment by retailers to process these cards by October 1, 2015 in order for the retailer to avoid liability.   These rules, however, do not apply to the use of credit or debit cards at ATMs and gas pumps where the deadline to switch to the EMV smart cards is not until October 1, 2017 so you can expect identity thieves to continue to focus their attention on gas pumps and ATMs.

Scam of the day – March 27, 2016 – Anonymous non-hacking of Donald Trump

March 27, 2016 Posted by Steven Weisman, Esq.

Following the recent terrorist attacks in Paris by ISIS, the hacktivist group Anonymous declared war on ISIS and claimed to have taken down thousands of its Twitter accounts as well as a number of its websites including a recruitment website.  Now, in the wake of the ISIS terrorist attack in Belgium, Anonymous just posted a video in which it again promised that it would be doing cyberattacks against ISIS Twitter accounts as well as threatening to steal the bitcoins of ISIS.

However, Anonymous has many targets of its wrath and on March 18th, it released what it said, at that time, was personal information of another of its enemies, namely Donald Trump.  In its March 18th posting Anonymous released what it claimed was personal information of Trump including his cell phone number and Social Security number.  The response of Trump, the FBI and the Secret Service  was swift but now appears to be misguided because in another video just posted by Anonymous, it revealed that it did not hack Trump’s various accounts to gain the personal information it previously posted, but merely went to online sources available to everyone from public records and online search engines such as Google.  As for Trump’s cell phone number, the number that was posted by Anonymous was actually one Trump himself had posted in a tweet.

TIPS

Perhaps the biggest lesson from all of this to everyone is recognizing just how much personal information is available about us all from public records, websites and data banks readily available to anyone.  However, it is also important to note that often we are our own worst enemies by posting too much personal information on various social media sites which can be gathered and used by cybercriminals for purposes of identity theft.  It gives us all something to think about when you post your birth date or other personal information on Facebook or other social media.

Scam of the day – March 19, 2016 – TurboTax phishing email

March 19, 2016 Posted by Steven Weisman, Esq.

Turbo Tax is a popular online tax preparation company used by many people so it should come as no surprise, particularly at this time of year, that a phishing email is presently being circulated that appears to come from Turbo Tax with the title “Important Privacy Changes” in an attempt to get people to click on the link contained in the email purportedly to opt out of having their personal information shared with others.  The email is not sent by Turbo Tax.  It is a phishing scam intended to lure people into clicking on the link which will download keystroke logging malware that will steal your personal information from your computer, smart phone or other electronic device and use it to make you a victim of identity theft.

Here is a copy of the email presently being circulated, DO NOT CLICK ON THE LINK:

TIPS

The first line of defense against phishing emails is to have good anti-virus and anti-malware software installed on all of your electronic devices as well as to take advantage of anti-phishing features in your web browser.  Also, keep all of your security software up to date with the latest security patches as soon as they are available.  However, even if you have the most up to date security software, it will not protect you from the latest malware.  Security software is always at least thirty days behind the newest “zero day” malware.

Never click on links in any text message or email unless you have absolutely confirmed that the link is legitimate and safe.  In a case such as this, the safest route is to avoid the email entirely and go directly to the website of the company, in this case Turbo Tax to find out if the email was legitimate or not.  When going to the company website, don’t go by clicking on links or typing in addresses contained in the text message or email.  Instead, independently type in the name of the website in your browser.

Scam of the day – March 3, 2016 – Identity thieves stealing W-2s

March 2, 2016 Posted by Steven Weisman, Esq.

Income tax identity theft is a multi billion dollar problem that costs the government and, by extension,  we the taxpayers billions of dollars each year while tremendously inconveniencing the individual taxpayers whose identities are stolen as it generally takes the IRS months to fully investigate each instance of identity theft and send to the victimized taxpayer his or her legitimately owed tax refund.  Armed with a potential victim’s name and Social Security number, it is a simple matter for an income tax identity thief to file a phony return with a counterfeit W-2 to obtain a fraudulent income tax refund.

Now, it appears sophisticated income tax identity thieves are stealing large numbers of legitimate W-2s containing all of the information the identity thieves need to file a fraudulent income tax return by sending phishing emails to HR and accounting departments within companies often posing as the CEO of the company or someone else in upper management requesting copies of all employee W-2s under various guises.  Other times, payroll management companies have been targeted using the same type of phishing emails.  In some instances, the phishing emails have been recognized as scams, but in other instances, companies have unwittingly handed over thousands of W-2s to clever identity thieves.

TIPS

All companies have got to do a better job of training employees to recognize phishing emails and installing anti-phishing software programs.  In addition, dual factor authentication should be used before transmitting sensitive data to make sure that the person to whom the material is being sent is really who they represent they are.  These same lessons that apply to companies also apply to all of us as individuals, as well.  Phishing is done to steal the identities and information of unwary individuals every day and the best way to protect yourself is to start with remembering my motto, “trust me, you can’t trust anyone.”  Never provide personal information to anyone who asks for it by phone, text message or email unless you have absolutely confirmed that the request is legitimate and the person or company requesting the information has a legitimate need for the information.  Never click on links or download attachments from emails or text messages unless you have confirmed they are legitimate because those links and attachments could contain keystroke logging malware that can steal all of the information from your computer and use it to make you a victim of identity theft.  Finally, keep all of your electronic devices including your smartphone up to date with the latest security software patches.

Scam of the day – February 5, 2016 – Data breach at the University of Central Florida

February 5, 2016 Posted by Steven Weisman, Esq.

The University of Central Florida has announced that its computer system had been hacked and data on as many as 63,000 present and former students, faculty and staff was taken.  The stolen data includes data on employees of the University going back as far as the 1980s  Included in the compromised data were names and Social Security numbers which can be used by hackers for purposes of identity theft.  Although the data breach was discovered last month, it was only announced yesterday in order to give the University time to conduct an investigation into the matter. Everyone affected by the data breach will receive a letter in the mail with information about how to sign up for free credit monitoring and identity theft protection services.  The University will not be contacting people by email or text messages, so if you do receive such a communication related to this data breach, it is a scam.

TIPS

The initial letters to those affected by the data breach will be going out today, but you can also call a special hot line set up by the University for more information at 877-752-5527 or go to the website set up by the University to provide information and assistance to those involved in the data breach.  The website is http://www.ucf.edu/datasecurity/

Although in this instance, the Social Security numbers of those affected by the data breach legitimately needed to be obtained by the University because the bulk of those whose data was compromised were employees of the University including students involved in work-study programs, colleges and and universities are notorious for both gathering personal information that they often do not need as well as storing and maintaining that information long after the need for that information no longer exists.  So long as colleges and universities continue to both gather large amounts of personal information and fail to adequately protect that information, they will continue to be targets of hackers and identity thieves.

January 16, 2016 – Steve Weisman’s latest column from USA Today

January 16, 2016 Posted by Steven Weisman, Esq.

Here is a link to Steve Weisman’s latest column from USA Today which contains more important tips to help protect you from identity theft in the new year.

http://www.usatoday.com/story/money/columnist/2016/01/16/weisman-simple-steps-foil-identity-thief/78760064/

Scam of the day – January 10, 2016 – Bethpage federal credit union phishing scam

January 10, 2016 Posted by Steven Weisman, Esq.

Today’s Scam of the day comes from my own email account and I am sure it, or something similar, has turned up in yours.  It appears to be a notice from Bethpage federal credit union that a new payee has been added to my online banking account.  It is common when you do add a new payee to your online banking account to receive a notice from your bank confirming that indeed you did add the new payee and it is not a scam.  In this case, particularly because I do not have an account with Bethpage federal credit union, it was clear to me that this was a scam.  Had I been concerned that the email was legitimate and clicked on the links provided in this phishing email, I would have either been prompted to provide personal information that would have led to my identity being stolen or, even worse, I would have automatically downloaded keystroke logging malware that would have stolen my personal information directly and made me a victim of identity theft.

Here is a copy of the email I received.  DO NOT CLICK ON ANY OF THE LINKS.

Greetings from Bethpage Bill Pay!
The following payee was added to your Bethpage Bill Pay account.

Payee Information
Payee name: Ashlyn a Prato
Account number: *3480

If you did not add this payee on your account, please Logon immediately.

If you have any questions, please contact us at bethpagefcu@billsupport.com or call us at 855-358-8264.

Sincerely,
Bethpage Bill Pay
Alert: (1154293202)
Document Reference: (309351382)

TIPS

This particular phishing email is filled with flaws.  First and most notably, the email address from which it was sent is a private email account, most likely that of someone whose email had been hacked and used as a part of a botnet to send out phishing emails such as this.  The email address from which it was sent had absolutely no relationship with the Bethpage federal credit union.  In addition, the email salutation is merely “Greetings from Bethpage Bill Pay” rather than being addressed to me by name.  Finally, no logo of the bank appears in the email as well.  If you ever do receive this or a similar email that you think might be legitimate,  you still should not click on the links in the email or call the phone numbers that appear in the email.   Rather you should call the bank at a telephone number that you know is correct in order to find out what the truth is.

Scam of the day – December 29, 2015 – Data on 191 million American voters exposed online

December 29, 2015 Posted by Steven Weisman, Esq.

In a disturbing discovery, security researcher Chris Vickery announced that he found a database of information on more than 191 million American voters from all fifty states available and exposed on the Internet due to an incorrectly configured database.  The information includes the names, addresses, phone numbers, dates of birth and political affiliations of the people contained in the database.  Chris Vickery, you may remember was the researcher who also recently found a similar data vulnerability with the Hello Kitty website.  There is no indication at this time that the information had been accessed by identity thieves and scammers who could use the information to advance any number of illegal activities such as spear phishing to lure people into downloading keystroke logging malware that would enable the identity thief to steal the victim’s personal information from their computer and use it to make them a victim of identity theft.  As I write this Scam of the day, the vulnerable database remains available online.

Generally, voter registration data is a matter of public record in most states.  The various states have differing rules limiting the use of the data.  For instance, South Dakota requires that such data not be provided to people for use commercially.  Compiling all of the data from all of the states is a time consuming effort, but the effort is worthwhile for companies that gather the data and sell it to political campaigns to assist them in getting their message out in an effective and targeted manner.

TIPS

This is just another example of the need for greater regulation regarding access to the vast amounts of personal information about us all that is so accessible in the computer age.  This also serves as a warning to everyone to follow my motto of “trust me, you can’t trust anyone.”  Scammers and identity thieves with access to personal information about you can tailor their messages and scams to make them appear more legitimate because of the information about you that they have, which is why you should never provide personal information such as credit card numbers, bank account information or Social Security numbers to anyone who contacts you unless you have confirmed that they are legitimate.  Too often they may be a scammer or identity thief who is just using personal information he or she gained elsewhere to entice you into providing personal information under some legitimate sounding guise that will, in turn, be used against you to make you a victim of identity theft or the victim of a scam.

Scam of the day – December 17, 2015 – Cellphone insurance scam

December 17, 2015 Posted by Steven Weisman, Esq.

I first learned about this scam from Providence’s NBC 10 News consumer reporter, Emily Volz.  It involves scammers getting access to the cellphone insurance of their victims and putting in claims whereby the scammers receive new cellphones which the scammers then sell on the black market.  Usually the victims do not find out about the misuse of their insurance until they put in a legitimate claim.

Many people purchase cellphone insurance with a premium around $12 per month.  This insurance will cover repairs and replacement cellphones when the cellphone owner encounters a problem with his or her cellphone.  Unfortunately, this insurance can be exploited by identity thieves who steal information about the insurance.   Armed with the victim’s Social Security which they have also stolen, they then put in a claim for a replacement phone which they have sent to addresses controlled by the scammer.

Recently six people in California were sentenced on charges of operating this type of scam on a large scale in which they filed 1,300 claims and  received cellphones and insurance benefits totaling approximately $636,000.  In that particular case, the information necessary to operate the scam was obtained by three of the scammers who were Verizon employees who, through their job, gained access to their victims’ account information which they then used to commit the fraud.

TIPS

There is little that you can do to protect yourself from the misuse of your personal information by rogue employees of companies that have your personal information.  However, other instances of this type of fraud occur when victims’ information, including, most importantly the victims’ Social Security numbers is stolen.  Protecting the privacy of your Social Security number is one of the most important things you can do to help protect yourself from becoming a victim of identity theft.  As much as you can, limit the places that you provide your Social Security number and never carry your Social Security card in your wallet.

Steve Weisman’s latest column from USA Today

December 12, 2015 Posted by Steven Weisman, Esq.

Here is a link to my latest column from today’s version of USA Today.  It deals with the timely topic of scams and identity theft dangers found in online shopping.

http://www.usatoday.com/story/money/columnist/2015/12/12/weisman-online-shopping-cybersecurity/77012780/