Posts Tagged: ‘Identity Theft’

Scam of the day – February 5, 2016 – Data breach at the University of Central Florida

February 5, 2016 Posted by Steven Weisman, Esq.

The University of Central Florida has announced that its computer system had been hacked and data on as many as 63,000 present and former students, faculty and staff was taken.  The stolen data includes data on employees of the University going back as far as the 1980s  Included in the compromised data were names and Social Security numbers which can be used by hackers for purposes of identity theft.  Although the data breach was discovered last month, it was only announced yesterday in order to give the University time to conduct an investigation into the matter. Everyone affected by the data breach will receive a letter in the mail with information about how to sign up for free credit monitoring and identity theft protection services.  The University will not be contacting people by email or text messages, so if you do receive such a communication related to this data breach, it is a scam.

TIPS

The initial letters to those affected by the data breach will be going out today, but you can also call a special hot line set up by the University for more information at 877-752-5527 or go to the website set up by the University to provide information and assistance to those involved in the data breach.  The website is http://www.ucf.edu/datasecurity/

Although in this instance, the Social Security numbers of those affected by the data breach legitimately needed to be obtained by the University because the bulk of those whose data was compromised were employees of the University including students involved in work-study programs, colleges and and universities are notorious for both gathering personal information that they often do not need as well as storing and maintaining that information long after the need for that information no longer exists.  So long as colleges and universities continue to both gather large amounts of personal information and fail to adequately protect that information, they will continue to be targets of hackers and identity thieves.

January 16, 2016 – Steve Weisman’s latest column from USA Today

January 16, 2016 Posted by Steven Weisman, Esq.

Here is a link to Steve Weisman’s latest column from USA Today which contains more important tips to help protect you from identity theft in the new year.

http://www.usatoday.com/story/money/columnist/2016/01/16/weisman-simple-steps-foil-identity-thief/78760064/

Scam of the day – January 10, 2016 – Bethpage federal credit union phishing scam

January 10, 2016 Posted by Steven Weisman, Esq.

Today’s Scam of the day comes from my own email account and I am sure it, or something similar, has turned up in yours.  It appears to be a notice from Bethpage federal credit union that a new payee has been added to my online banking account.  It is common when you do add a new payee to your online banking account to receive a notice from your bank confirming that indeed you did add the new payee and it is not a scam.  In this case, particularly because I do not have an account with Bethpage federal credit union, it was clear to me that this was a scam.  Had I been concerned that the email was legitimate and clicked on the links provided in this phishing email, I would have either been prompted to provide personal information that would have led to my identity being stolen or, even worse, I would have automatically downloaded keystroke logging malware that would have stolen my personal information directly and made me a victim of identity theft.

Here is a copy of the email I received.  DO NOT CLICK ON ANY OF THE LINKS.

Greetings from Bethpage Bill Pay!
The following payee was added to your Bethpage Bill Pay account.

Payee Information
Payee name: Ashlyn a Prato
Account number: *3480

If you did not add this payee on your account, please Logon immediately.

If you have any questions, please contact us at bethpagefcu@billsupport.com or call us at 855-358-8264.

Sincerely,
Bethpage Bill Pay
Alert: (1154293202)
Document Reference: (309351382)

TIPS

This particular phishing email is filled with flaws.  First and most notably, the email address from which it was sent is a private email account, most likely that of someone whose email had been hacked and used as a part of a botnet to send out phishing emails such as this.  The email address from which it was sent had absolutely no relationship with the Bethpage federal credit union.  In addition, the email salutation is merely “Greetings from Bethpage Bill Pay” rather than being addressed to me by name.  Finally, no logo of the bank appears in the email as well.  If you ever do receive this or a similar email that you think might be legitimate,  you still should not click on the links in the email or call the phone numbers that appear in the email.   Rather you should call the bank at a telephone number that you know is correct in order to find out what the truth is.

Scam of the day – December 29, 2015 – Data on 191 million American voters exposed online

December 29, 2015 Posted by Steven Weisman, Esq.

In a disturbing discovery, security researcher Chris Vickery announced that he found a database of information on more than 191 million American voters from all fifty states available and exposed on the Internet due to an incorrectly configured database.  The information includes the names, addresses, phone numbers, dates of birth and political affiliations of the people contained in the database.  Chris Vickery, you may remember was the researcher who also recently found a similar data vulnerability with the Hello Kitty website.  There is no indication at this time that the information had been accessed by identity thieves and scammers who could use the information to advance any number of illegal activities such as spear phishing to lure people into downloading keystroke logging malware that would enable the identity thief to steal the victim’s personal information from their computer and use it to make them a victim of identity theft.  As I write this Scam of the day, the vulnerable database remains available online.

Generally, voter registration data is a matter of public record in most states.  The various states have differing rules limiting the use of the data.  For instance, South Dakota requires that such data not be provided to people for use commercially.  Compiling all of the data from all of the states is a time consuming effort, but the effort is worthwhile for companies that gather the data and sell it to political campaigns to assist them in getting their message out in an effective and targeted manner.

TIPS

This is just another example of the need for greater regulation regarding access to the vast amounts of personal information about us all that is so accessible in the computer age.  This also serves as a warning to everyone to follow my motto of “trust me, you can’t trust anyone.”  Scammers and identity thieves with access to personal information about you can tailor their messages and scams to make them appear more legitimate because of the information about you that they have, which is why you should never provide personal information such as credit card numbers, bank account information or Social Security numbers to anyone who contacts you unless you have confirmed that they are legitimate.  Too often they may be a scammer or identity thief who is just using personal information he or she gained elsewhere to entice you into providing personal information under some legitimate sounding guise that will, in turn, be used against you to make you a victim of identity theft or the victim of a scam.

Scam of the day – December 17, 2015 – Cellphone insurance scam

December 17, 2015 Posted by Steven Weisman, Esq.

I first learned about this scam from Providence’s NBC 10 News consumer reporter, Emily Volz.  It involves scammers getting access to the cellphone insurance of their victims and putting in claims whereby the scammers receive new cellphones which the scammers then sell on the black market.  Usually the victims do not find out about the misuse of their insurance until they put in a legitimate claim.

Many people purchase cellphone insurance with a premium around $12 per month.  This insurance will cover repairs and replacement cellphones when the cellphone owner encounters a problem with his or her cellphone.  Unfortunately, this insurance can be exploited by identity thieves who steal information about the insurance.   Armed with the victim’s Social Security which they have also stolen, they then put in a claim for a replacement phone which they have sent to addresses controlled by the scammer.

Recently six people in California were sentenced on charges of operating this type of scam on a large scale in which they filed 1,300 claims and  received cellphones and insurance benefits totaling approximately $636,000.  In that particular case, the information necessary to operate the scam was obtained by three of the scammers who were Verizon employees who, through their job, gained access to their victims’ account information which they then used to commit the fraud.

TIPS

There is little that you can do to protect yourself from the misuse of your personal information by rogue employees of companies that have your personal information.  However, other instances of this type of fraud occur when victims’ information, including, most importantly the victims’ Social Security numbers is stolen.  Protecting the privacy of your Social Security number is one of the most important things you can do to help protect yourself from becoming a victim of identity theft.  As much as you can, limit the places that you provide your Social Security number and never carry your Social Security card in your wallet.

Steve Weisman’s latest column from USA Today

December 12, 2015 Posted by Steven Weisman, Esq.

Here is a link to my latest column from today’s version of USA Today.  It deals with the timely topic of scams and identity theft dangers found in online shopping.

http://www.usatoday.com/story/money/columnist/2015/12/12/weisman-online-shopping-cybersecurity/77012780/

Scam of the day – November 11, 2015 – Indictments unsealed in major cybercriminal enterprise

November 11, 2015 Posted by Steven Weisman, Esq.

Yesterday federal prosecutors unsealed a 23 count 68 page indictment of three men, Gery Shalon, Joshua Samuel Aaron and Ziv Orenstein on charges related to a massive and intricate list of cybercrimes including, security fraud, identity theft, computer hacking, wire fraud and money laundering that earned them hundreds of millions of dollars.  Among the companies they are accused of hacking into are J. P. Morgan Chase, from which they stole personal information of 83 million people, E*Trade, Scottrade and Dow Jones.  They are accused of using the stolen data to advance securities frauds in which they manipulated the price of the stocks.  They also are accused of operating illegal online gambling websites from which they made millions of dollars every month and running their own financial operations by which they processed millions of dollars of illegal transactions for other criminals for a fee.  Their money was laundered through more than 75 shell companies, banks and brokerage accounts around the world. The indictments trace back their criminal activities to 2007.  Their actions were extremely complex and we can expect more and more details to emerge in the days and weeks ahead.

TIPS

This case again emphasizes the fact that each of us is only as secure as the places with the weakest security that hold our personal information.  However, many of the victims of the stock frauds the defendants are alleged to have committed became victims when they trusted emails that appeared to be legitimate urging them to invest in various stocks.  The lesson is to never trust an email with a stock tip regardless of from whom it appears to come.  Never invest in a stock until you have thoroughly and independently investigated it.

Scam of the day – November 8, 2015 – More AOL phishing scams

November 8, 2015 Posted by Steven Weisman, Esq.

I have written about AOL phishing scams many times, but an abundance of AOL phishing emails that are presently being circulated make this a topic worth writing about again. Reproduced below are three of them, the last of which is a phishing email about a generic account that doesn’t even attempt to tell you the name of your email carrier.   Scammers and identity thieves send out phishing emails to lure people into clicking on links in these emails that will either download keystroke logging malware on to the victim’s computer that will enable the identity thief to steal personal information from the victim’s computer and use it to make him or her a victim of identity theft or by clicking on the link, the victim will be directed to an official looking page requesting personal information under some legitimate sounding guise.  If the victim provides the requested personal information, it is used to make him a victim of identity theft.

“Aol!
Dear Member,Your mail-box might be shutdown within 24hrs due to your recent termination request. To cancel RE-SET , Log-in and wait response from Aol.

Sincerely

Webmail 2015 Security Team”

and

“​​A0l.​
​​​​​​​​​​​​​​Account Termination

​Dear A0L User,

We received your request to terminate your A0L Mail Account and the process has started by our A0L Mail Team, Please give us 2 working days to close your A0L Mail Account.
​​please if you did not wish to termination , click below and sign in to cancel the termination request :”

This last one is not specific to AOL, but contains many of the same phishing elements:

Dear User,
Your E-mail has exceeded the storage limit. You can not send or receive new messages until you re-validate your mail.  To re-validate the mailbox:- = Click to restore

Thank you!
Mail Administrator.”

TIPS

Phishing emails such as these always wish to create a sense that immediate action is required in order to avoid some negative event such as your account being closed.  These particular emails are easy to identify as scams.  None of them came from an email address that was connected with an email provider.  In fact, they all came from personal email addresses that were probably those of innocent victims of a botnet where a cybercriminal takes control of the computers of innocent people and uses those computers to send out phishing emails and other such communications.  None of the emails reproduced above carried a company logo although, this is easy to counterfeit and shouldn’t be something that makes you consider such emails to automatically be legitimate if you do receive an email with an official corporate logo.  Finally, such phishing emails often contain, as these do, grammatical or spelling errors.  You should never click on any link or provide any personal information in response to an email unless you are absolutely sure that it is legitimate and safe to provide the requested information.  The best thing you can do is to contact the company that is purporting to be sending the email and inquire as to the legitimacy of the email you received.
​​

Scam of the day – October 30, 2015 – Florida identity thief nabbed by own stupidity

October 30, 2015 Posted by Steven Weisman, Esq.

According to comedian Ron White, there is no cure for stupid, which can explain the recent arrest of an identity thief in Florida who attempted to use a phony Florida driver’s license as the photo identification required by a Verizon clerk when the identity thief attempted to purchase four iPhones at a cost of $2,600.  When the clerk got suspicious after looking at the license, the identity thief made a hasty retreat.  The clerk turned the driver’s license over to police officer Alan Correa who immediately knew that regardless of how legitimate looking the license appeared, it was a fake.  Officer Correa knew because the date of birth indicated on the license was September 31, 1989.  As any school child knows, thirty days have September, April, June and November.  There is no September 31st.  When later arrested, the identity thief, the true identity of whom, the police are still trying to determine, was found to have in his possession six other fake Florida driver’s licenses and seven phony credit cards with names matching each of the six licenses in his possession and the one left at the Verizon store.

TIPS

Counterfeit identifications and credit cards can be obtained that look quite legitimate, but simple mistakes such as this identity thief made will often become the criminals downfall.

Scam of the day – October 23, 2015 – Sun Trust phishing email

October 23, 2015 Posted by Steven Weisman, Esq.

As phishing emails go, the email reproduced below is very legitimate looking.  This email comes directly from my own email account. DO NOT CLICK ON THE LINK.    The email is a scam and if you click on the link, you will either be prompted to provide personal information that will be used to make you a victim of identity theft or alternatively, merely by clicking on the link, you will download keystroke logging malware that will steal your personal information from your computer or smartphone and use it to make you a victim of identity theft.  The email address from which it was sent is close enough to the real email address of Sun Trust to make it appear genuine.  The logo which was on the email I received also was a good copy, but it is important to remember that it is a simple matter to counterfeit a logo.  One indication that it is a scam is that it is addressed to me as a Sun Trust Client rather than by name, however, for all intents and purposes, this is a well constructed phishing email tailored to induce the person receiving it to click on the link and provide the requested information.

Here is a copy of the email.

Image result for suntrust logo

“Dear SunTrust Client:
SunTrust has developed a number of online and offline security measures to help protect you and your identity. In addition to using advanced security technologies, such as encryption, firewalls and virus protection, we employ teams of security experts focused solely on fraud protection and identity theft prevention.
SunTrust is committed to helping you keep your online transactions safe and secure. By following our recommended best practices, you can help mitigate the risk of fraud and unauthorized access. Use this checklist to verify that you are following our recommended security standards and best practices.
Authentication/Computer Security
Click on Sign on to confirm your personal and account information.
Install and keep anti-virus and security software up to date on your computer.
Security software helps protect your personal and account information from unauthorized access.
Consider using a personal firewall as it can help prevent attacks against your computer.
Install software patches, operating system updates, legitimate third party application updates, and hotfixes.
Secure your home or office wireless network.
 
 
Please do not reply to this email. You received this email because you signed up for SunTrust Online Delivery Service. You can update your online preferences anytime within Online Banking.By replying to this email, you consent to SunTrust’s monitoring activities of all communication that occurs on SunTrust’s systems.  This is a service email sent by SunTrust Bank. If you no longer wish to receive messages of this type, please unsubscribe here.SunTrust Bank, Member FDIC. ©2015 SunTrust Banks, Inc. SunTrust is a federally registered service mark of SunTrust Banks, Inc. How can we help you shine? is a registered service mark of SunTrust Banks, Inc.
 This email was sent on behalf of SunTrust Customer Care, 1575 Lemon Farris Road, Cookeville, TN 38506″
TIPS
Although this email looks legitimate it is important to remember that your bank is not going to ask you to confirm your personal and account information, however an identity thief will.  In addition, emails from your bank directed to you will come addressed to you by name rather than generically as “Dear Customer.”  Finally, you should never click on any link in an email or text message or provide information in response to an email, phone call or text message until you have confirmed that it is legitimate and the only way to do this if you receive such an email is to contact the company by phone at a number that you know is accurate to find out for yourself whether or not the communication is a scam.  In this case, because I am not a customer of Sun Trust, I already knew it could not be anything but a scam. Trust me, you can’t trust anyone.