Posts Tagged: ‘Identity Theft’

Scam of the day – February 23, 2015 – Chase Online bill pay scam

February 23, 2015 Posted by Steven Weisman, Esq.

Today’s Scam of the day comes from my own email; however, I am sure many of you have received this as well. It is a phishing email intended to lure the recipient into providing personal information that will be used to make that person a victim of identity theft. As is typical with this type of phishing email, it is intended to make you think there is an emergency to which you must respond. It looks pretty official, but there are some telltale signs that it is a scam. First, although I did not include the email address of the sender, the email address is that of a private individual, not Chase, although identity thieves will often use email addresses that appear to be official. In this case, the email address used is undoubtedly part of a botnet, whereby identity thieves have infiltrated the computers of innocent victims and then use their computers and email accounts to send out the fraudulent email. Another telltale sign is that the email is directed to me not by name, but rather as “Dear Customer.” However, even if the email was directed to you by name, you couldn’t trust it because when JP Morgan Chase was hacked in the last year, the hackers stole names and email addresses. Finally, the email appears to have been sent by Christopher Polumbo. Christopher Palumbo is a Vice President at Chase; however, the email to me misspells his name. Still, it is easy to see how people would fall for this scam and provide the information that would enable an identity thief to gain access to their account.

Here is a copy of the email I received.

“Dear Customer, 
We are writing to let you know that the service(s) listed below will be deactivated and deleted if your profile is not verified within 7 business days. Previous notifications have been sent to the Billing Contact assigned to your account.
As the Primary Contact, you must renew the service(s) listed below:

SERVICE: Chase Online and Bill Pay services. 
What you need to do:

1. Log in to your account through our enhanced security server www.Chase.com by clicking the URL.
2. Enter your user ID and Password (that you selected during the online enrollment process).
3. Enter the requested information and your Chase Online and Bill Pay services will be renewed.
If you have not signed up for online access, you can enroll easily by clicking “Enroll” at the bottom of the Login page. 
Please do not reply to this message directly but click on the URL. For questions, please call Customer Service at the number on the back of your card. We are available 24 hours a day, 7 days a week.

Sincerely,

Christopher Polumbo
Chase Online(SM)
Fraud Prevention Team

This site is directed at persons in the United States only. Persons outside the United States may visit International Banking.
Links to third party sites are provided for your convenience by JPMorgan Chase. JPMorgan Chase neither endorses nor guarantees any offerings of the third party providers, nor does JPMorgan Chase make any representation or warranty of any kind about the content, use of or inability to use, the third party sites.

© JPMorgan Chase Bank, N.A. Member FDIC ©2015 JPMorgan Chase & Co.; Co”

TIPS

As I have warned you many times, you should never click on links in emails or text messages or provide information in response to such emails or text messages unless you have absolutely confirmed that the communication is legitimate, which is easy to do by merely contacting the company. In this case, you could just contact Chase at the telephone number on your credit card or bank statement. Providing information without confirming that the communication is legitimate gives the identity thief all that they need to make you a victim of identity theft. In other variations of this phishing email, merely clicking on the links provided will result in keystroke logging malware being downloaded on to your computer, which can steal your personal information from your computer and then enable its use for purposes of identity theft. Even if you have good security software installed on your computer or other electronic device, as you should, this may not protect you from keystroke logging malware because the latest malware is always at least a month ahead of the latest security software updates. Remember my motto, “Trust me, you can’t trust anyone.”

As for this particular Chase phishing email, if you receive it, Chase requests that you forward it to them at abuse@chase.com.
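The telltale signs described in this post (a sender address that does not belong to the bank, a generic greeting, a manufactured emergency, a misspelled signer) written as checks over a message; this is an added example, not part of the original post. The `From` header, the brand domain list and the known-signer list are assumptions, and the body is abridged from the email quoted above.

```python
import difflib
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: the domain the brand sends from, and a
# signer name the recipient already knows to be genuine (named in the post).
BRAND = "chase"
BRAND_DOMAINS = {"chase.com"}
KNOWN_SIGNERS = ["Christopher Palumbo"]

# Constructed sample: headers are invented, body is abridged from the post.
SAMPLE = """\
From: "Chase Online" <jdoe@example.net>
To: reader@example.org
Subject: Your Chase Online profile

Dear Customer,
We are writing to let you know that the service(s) listed below will be
deactivated and deleted if your profile is not verified within 7 business days.

Sincerely,

Christopher Polumbo
Chase Online(SM)
Fraud Prevention Team
"""

GENERIC = re.compile(r"^\s*dear\s+(customer|client|member|user|account holder)\b", re.I)
URGENT = re.compile(
    r"(deactivated|suspended|deleted).{0,120}within\s+\d+\s+(business\s+)?days", re.I | re.S)


def sender_off_brand(msg, body):
    """Message invokes the brand but the From address is not on a brand domain."""
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    claims = BRAND in display.lower() or BRAND in body.lower()
    on_brand = any(domain == d or domain.endswith("." + d) for d in BRAND_DOMAINS)
    return claims and not on_brand


def lookalike_signer(body):
    """Return the known name that the signature nearly, but not exactly, matches."""
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    for i, ln in enumerate(lines[:-1]):
        if ln.lower().startswith("sincerely"):
            name = lines[i + 1]
            for known in KNOWN_SIGNERS:
                ratio = difflib.SequenceMatcher(None, name.lower(), known.lower()).ratio()
                if name != known and ratio >= 0.85:
                    return known
    return None


def analyze(raw):
    """Return the list of warning signs found in a plain-text (non-multipart) email."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    findings = []
    if sender_off_brand(msg, body):
        findings.append("sender-domain")
    first = next((ln for ln in body.splitlines() if ln.strip()), "")
    if GENERIC.match(first):
        findings.append("generic-greeting")
    if URGENT.search(body):
        findings.append("urgency")
    if lookalike_signer(body):
        findings.append("lookalike-signer")
    return findings  # an empty list is not proof that a message is legitimate
```

Running `analyze(SAMPLE)` flags all four signs. As the post notes, a message that passes such checks (for example, one addressed to you by name) still has to be confirmed with the company directly.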

Scam of the day – February 6, 2015 – Massive data breach at health insurer Anthem, Inc.

February 5, 2015 Posted by Steven Weisman, Esq.

Anthem, Inc., the country’s second largest health insurance company, has announced that it has suffered a massive data breach in which personal information on up to 80 million of its customers and staff was stolen, including personal information of its President and CEO, Joseph R. Swedish. Included in the compromised personal information were names, birthdates, medical IDs, Social Security numbers, street addresses and email addresses. This is a veritable treasure trove of data for identity thieves. According to Anthem, no credit card data was stolen; however, this is of little consolation to those people who are the victims of this data breach, as the amount of information that was stolen on each victim is quite sufficient to make them victims of identity theft. Once again, this shows that you are only as safe as the places that hold your personal information.

Particularly troubling is the theft of the medical IDs which brings up the possibility of medical identity theft which occurs when someone uses your information to gain access to your medical insurance and which can cause the identity thief’s medical information to be included on the victim’s medical record.  This can result in someone receiving a transfusion of the wrong blood type or other potentially deadly results.  Correcting medical records tainted by medical identity theft is quite difficult.  You can go to the archives of Scamicide for more information about medical identity theft and what you can do about it.

TIPS

At the moment, we do not know how the breach was accomplished, but the FBI and Mandiant, a private cybersecurity firm, are investigating the breach. As soon as it is determined how the breach occurred, I will report it to you. Meanwhile, if you are an Anthem customer, you should assume that you may be affected. Anthem has set up a website to which you can go for the latest information about the breach. It is www.AnthemFacts.com. Anthem has also set up a toll free number for present and past Anthem customers to call for further information. That number is 1-877-263-7995. It is important to remember that you may be contacted by an email or text message that appears to come from Anthem asking you for information or to click on links. Do not do so. The communications may be from other identity thieves seeking information. If you have any questions after receiving such an email, you should go directly to the Anthem website www.AnthemFacts.com or call them at the toll free number indicated above. Also, this is a good time, if you have not done so, to consider putting a credit freeze on your credit report. You can find out how to do this in the Archives of Scamicide. Finally, if you are an Anthem customer, you should also start monitoring all of your financial accounts more regularly for any evidence of fraud.

Scam of the day – January 29, 2015 – Major security flaw discovered in Linux operating system

January 29, 2015 Posted by Steven Weisman, Esq.

Linux is a popular and free computer operating system. Recently, researchers at the cloud security company Qualys discovered a major security flaw in the Linux operating system, which they have named GHOST, that would enable hackers to remotely take total control of a Linux user’s computer or other device without even having to know a password. The GHOST security flaw could be exploited merely through an email from a Linux-based system to the victim’s computer or other device. Fortunately, there is a patch for this security problem. A link to the patch can be found below.

TIPS

If you are a Linux user it is imperative that you download the security patch immediately.  Here is a link that will take you to the necessary patches.  https://www.us-cert.gov/ncas/current-activity/2015/01/27/Linux-Ghost-Remote-Code-Execution-Vulnerability

This is just another example of how important it is to keep up to date with the latest security patches and updates and install them as soon as possible.  Hackers and identity thieves constantly are taking advantage of people who do not update the software they use on their computers and other devices with the latest security patches.  Here at Scamicide we inform you whenever there are important security patches and updates about which you should be aware.  Make sure that you check out Scamicide every day and let your friends know to do the same.

Scam of the day – January 24, 2015 – Parking lots becoming hotbeds of identity theft

January 24, 2015 Posted by Steven Weisman, Esq.

Maine police are indicating that a series of automobile break-ins occurring in parking lots in various cities throughout the state may be the work of a national gang called the Felony Lane Gang.  The Felony Lane Gang originated in Florida, but is now operating throughout the country.  Their pattern is to break into automobiles and steal purses, wallets and other personal property not for the cash contained, but for the credit cards, checkbooks, driver’s licenses and other forms of personal information and identification that they use for purposes of identity theft.  They will often target parking lots at gyms and fitness centers where the car owner will both be out of the car for an extended period of time and may also leave purses, wallets and other property in the car for the very purpose of what they perceive as enhanced security rather than bring these items with them to the gym or fitness center, where locker break-ins are a constant threat.  Although the most recent reports of the activities of the Felony Lane Gang have been in Maine, this problem is by no means limited to Maine, but is found everywhere.

TIPS

There is nothing you can do that will guarantee that you will not become a victim of identity theft, but there are simple steps you can take to reduce the risk.  When parking your car, don’t leave purses, wallets or any personal items in plain view and certainly lock the car.  Also either lock your valuables and personal documents in the trunk of your car or take them with you.  Identity thieves are looking for low hanging fruit, which in this instance means unlocked cars or cars with visible purses or other items that can be used for purposes of identity theft.

Scam of the day – January 22, 2015 – Tarrish Tellis convicted of income tax identity theft

January 22, 2015 Posted by Steven Weisman, Esq.

We are just at the start of the income tax identity theft season; income tax identity thieves file early (and often) in order to get their fraudulent income tax returns to the IRS before the victim files his own legitimate income tax return. The theory behind income tax identity theft is simple and effective. The identity thief steals someone’s Social Security number and then files a phony income tax return using that Social Security number with phony W-2s or 1099s that can fool the IRS into sending a large, fraudulent refund. It doesn’t help matters that the IRS still does not match the legitimate W-2s and 1099s sent by employers with those filed by tax filers until late in the summer, long after the IRS has sent refunds, but that is another story.

Tarrish Tellis was recently convicted of filing fraudulent income tax returns and stealing more than $700,000 from the IRS through fraudulent refunds obtained as a result of the phony tax returns.  Tellis obtained the Social Security numbers and names of 700 victims from an employee of the Alabama Medicaid State Agency.  Tellis is scheduled for sentencing on April 15th.

TIPS

The two best things you can do to protect yourself from income tax identity theft are to keep your Social Security number as safe, secure and private as possible and file your income tax return as early as possible to beat the identity thief to the punch.  As shown by the fact that the victims in this case became victims through no fault of their own, but due to the criminal acts of an employee of an agency that had access to their personal information, it is once again abundantly clear that we are only as safe as the places that hold our personal information with the worst security.

Scam of the day – January 21, 2015 – Mailbox identity theft

January 20, 2015 Posted by Steven Weisman, Esq.

Identity theft can be high tech, low tech or, as in the case of Tulsa, Oklahoma native Peter Thomas, distinctly no tech. Thomas had personal and financial information stolen from mail contained in his mailbox at the apartment complex where he lives. I have often warned people about the danger of having your mail, such as credit card bills or bank statements, stolen from your personal mailbox. In addition, many people put themselves in great danger of identity theft by putting their outgoing mail in their mailbox and putting up the red flag to alert the postman that there is mail to be picked up. Unfortunately, that is also an alert to identity thieves cruising the neighborhood that there is mail to be easily stolen.

In the case of Peter Thomas, his mailbox should have been secure, as it was locked; however, the locking systems of mailboxes in apartment complexes are often not particularly secure.

TIPS

In order to avoid becoming a victim of identity theft through your mailbox, you should make sure that it is securely locked so that it is not easily accessed by your friendly neighborhood identity thief and when it comes to outgoing mail, don’t put it in your mailbox for your postal carrier to pick up regardless of how convenient it may be to do so.  In fact, identity thieves have been known to steal mail from the U.S. Postal Service mailboxes found on the corners of major streets so, in order to be safe, you should mail your outgoing mail at the post office.   It may seem like this is being a bit excessive when it comes to protecting your mail, but remember, even paranoids have enemies.

Scam of the day – January 19, 2015 – University employee payroll scam

January 19, 2015 Posted by Steven Weisman, Esq.

The Internet Crime Complaint Center, known as IC3, has issued an alert warning about a spear phishing scam aimed at university employees around the country. It starts with an email addressed specifically with the name of the intended victim. The email looks official and appears to have been sent by the Human Resources Department of the college or university where the intended victim works. The email informs the potential victim that there has been a change of the employee’s status and that the employee is required to click on a link contained in the email. The link takes the employee to a website that appears to be that of the Human Resources Department for the college or university where the victim works, where the employee is prompted to input information. The website is counterfeit. The scam is a ruse intended to obtain the login information of the potential victim. Once this information is provided to the scammer, he or she then logs on to the real Human Resources Department page and changes the bank account information for where the employee’s check is deposited so that the school sends the victim’s check to a bank account controlled by the identity thief. In addition, since many people use the same user name and password for all of their accounts, the scammers may also attack other accounts of the victim.

TIPS

Although the IC3 warning deals specifically with university and college employees, this scam works just as well with any company that pays its employees through direct deposit, so everyone who is paid through a direct deposit should be aware of this scam. Remember my mantra, “trust me, you can’t trust anyone.” Never click on links in emails unless you are sure they are legitimate. In many instances, by clicking on the link, you are unwittingly downloading malware on to your computer or other electronic device. You also should never provide personal information in a reply to an email. Confirm whether or not the request for personal information is legitimate and even then, go directly to a website for the company or other institution that you know is legitimate to provide such information. Finally, as I have warned you many times (sorry to be a nag), use a unique password for each of your accounts so that if your password from a particular account is jeopardized, your other accounts are still safe. This is not as difficult as it might seem. In my book “Identity Theft Alert,” I provide instructions as to how to pick easy to remember, strong passwords.

Scam of the day – January 16, 2015 – Airlines frequent flier accounts hacked

January 16, 2015 Posted by Steven Weisman, Esq.

American Airlines and United Airlines both have recently announced that last month frequent flier accounts for thousands of their customers were hacked by identity thieves stealing miles to book free trips and upgrades. Although the hacking occurred in December, the airlines are just now notifying affected customers. Both affected airlines have informed the victims of the hackings that their stolen miles will be restored to their accounts. It is important to note the distinction that the computers of American Airlines and United Airlines were not hacked; rather, identity thieves somehow obtained the usernames and passwords of individual customers and used them to gain access to those customers’ frequent flier accounts.

TIPS

The lesson of this scam is one that I have previously mentioned many times, namely, you should use complex usernames and passwords and, most importantly, have different usernames and certainly different passwords for all of your accounts.  Otherwise you are at risk for all of your online activities from banking to retail purchases if someone manages to steal just one account’s username and password.  I have written extensively about how to pick a difficult to steal, but easy to remember password many times before, but one tip is definitely worth remembering.  Pick a phrase, such as “IDon’tLikePasswords” and you can use this complex and strong password which has symbols, small letters and capital letters and then strengthen it further by adding a couple of exclamation points at the end to read “IDon’tLikePasswords!!” and then use it as a base password that you distinguish with a few letters for each account.  So, for example, if the password were to be for your American Airlines frequent flier account, you could make the password “IDon’tLikePasswords!!AM.”

Scam of the day – January 15, 2015 – Identity thieves buy cars and breast implants

January 15, 2015 Posted by Steven Weisman, Esq.

As a result of a joint investigation by Houston police and federal postal inspectors, four people, Joel Cruz, Darion Wells, Devante Ruffin and Jamonte Booker have been arrested and charged with operating an identity theft ring and using the stolen identities to buy twelve luxury automobiles worth $485,136 as well as breast implants for two of the identity thieves, Devante Ruffin and Jamonte Booker.  According to police, the scam started when two of the accused while attempting to lease an apartment noticed a storage facility on the property that contained unsecured boxes of old paper leasing records for the complex.  Police say the accused identity thieves stole the boxes and used the personal information contained in the records to start their crime spree.  When they were apprehended, the accused identity thieves had information on as many as thousands more people from these stolen rental records that they had not yet used.

TIPS

This is another example of the fact that regardless of how good you are at keeping your personal information safe and secure from identity thieves, you are only as safe as the places that have your information with the weakest security. Companies should review their stored records and shred documents with personal information that is no longer needed. We, as consumers, should request that companies that have our personal information store it securely and destroy the records of our personal information when it is no longer needed.

Scam of the day – January 11, 2015 – Swiss bank rejects ransom demand after hacking

January 11, 2015 Posted by Steven Weisman, Esq.

Following a pattern I have warned you about in Scams of the Day for more than three years, yesterday the Swiss bank Banque Cantonale de Geneve became a victim of a hacking in which the hackers, a group called Rex Mundi, made public personal information of the bank’s customers including their names, email addresses, phone numbers and account numbers along with copies of customers’ emails to the bank when the bank refused to pay a ransom of ten thousand euros, which is equivalent to about twelve thousand dollars.  It should be emphasized that customers’ accounts were not hacked.  Access to those accounts requires multiple passwords and codes in order to gain access to the accounts and that information was not obtained in the hack of 30,000 emails.

Rex Mundi is a group of hackers from France, Austria and Germany who have hacked other companies in search of ransom, most notably Domino’s Pizza franchises in France and Belgium, which also refused to pay the ransom.

TIPS

The good news is that the information obtained by the hackers did not represent a critical loss to either the bank or its customers and the fact that the hackers were not able to access customers’ accounts is a small testament to the value of the increased security that banks and other companies are employing in an effort to fight cybercrime.  The bad news is that those affected customers may well expect to receive spear phishing communications directed to them by name that appear to come from their bank and even will carry their account number that will be used by the hackers to lure the customers into revealing personal information or trick them into clicking on links to download malware to be used to make the customers victims of identity theft.  As always, you should never supply personal information or click on links unless you are absolutely sure and have confirmed that the communication is legitimate.