Scam of the day – November 27, 2016 – Holiday package delivery scams

Today’s scam of the day is one that is with us throughout the year, but becomes much more common during the holiday shopping season.  It involves package deliveries from UPS, Federal Express or other delivery services and has a number of different variations.  In one variation, you receive an email that looks quite official and may even carry the logo for UPS, Federal Express or some other courier service.  The email tells you that there is a package for you, but you need to make delivery arrangements.  You then are instructed to either provide personal information, such as your credit card number or merely to click on a link.  If you provide personal information, you have just turned over that information to an identity thief.  If you click on the link, you will be downloading keystroke logging malware that will steal the information from your computer and use it to make you a victim of identity theft.

In another variation of the scam, a notice of attempted delivery is left on your door with a telephone number for you to call and arrange for delivery of the package.  Once you call, the person answering requires you to provide personal information in order to confirm the order.  Of course, no delivery service needs any personal information from someone to whom they are delivering a package.  If they ask for such information, it is a scam.  And think about it.  Why would a deliver service need your Social Security number or credit card number if you are receiving a package?

TIPS

As I have told you many times, you cannot trust any link in an email until you have confirmed that the email is legitimate.  In this case, you should call the delivery service at a number that you know is accurate to confirm whether or not the email was legitimate.  You will then find that the email was a scam.  Delivery services do not send emails to the people receiving packages.  They don’t even know your email.  As for a telephone call from someone purporting to be a delivery service employee, you can never be sure whether someone really is who they say they are on the phone, so once again, you should call the delivery company at a number that you know is accurate to confirm whether or not the call was legitimate.  Finally, remember, no delivery service ever needs your personal information such as credit card number, Social Security number or birth date.  Anytime anyone asks for that information on a phone call to you, you should just hang up.

Scam of the day – November 26, 2016 – Naval records at Hewlett Packard hacked

In an all too familiar story, it has just been disclosed that personal information including names and Social Security numbers of 134, 386 present and former Navy employees was compromised in a hacking of a laptop of a Hewlett Packard employee.  Hewlett Packard had this information through a contract on which it was working for the U.S. Navy.  Further details of the hacking have not been released, but the fact that such a hacking occurred leads to concerns that the pattern established years ago in hacking of NASA laptops in which the laptops were not password protected and the data contained therein was unencrypted is repeating itself.

TIPS

The continuing negligence of many companies and government agencies in not properly protecting sensitive personal data that can readily be used for purposes of identity theft is disappointing and startling.  There are many simple security steps that are easily taken, such as password protecting laptops and other electronic devices as well as encrypting sensitive data and the use and updating of security software that should be done by all companies and government agencies without exception.

The lesson, however, is one that we should also practice in our own lives.  We as individuals are regularly targeted by identity thieves so al of us should protect each of our electronic devices with a unique password, sensitive data should be encrypted and stored in the cloud or in a portable hard drive, dual factor authentication should be used whenever possible, install and update security software on all of your electronic devices and don’t click on links in emails or text messages unless you have absolutely confirmed that they are legitimate.  These are just a few of the simple protocols we should all follow to decrease the chances of our becoming victims of identity theft.

Scam of the day – November 18, 2016 – Yet another Chase phishing scam

Phishing emails, by which scammers and identity thieves attempt to lure you into either clicking on links contained within the email which  download malware or providing personal information that will be used to make you a victim of identity theft, are nothing new.   They are a staple of identity thieves and scammers and with good reason because they work.  Reproduced below is a copy of a new phishing email presently circulating that appears to come from Chase Bank.  I have taken out the name of the addressee, but it was directed to the email address of the person receiving the email.  I also have removed the link directing the person to click on to receive an important security message.  Chase is a popular target for this type of phishing email because it is one of the largest banks in the United States.  Like so many phishing emails, this one attempts to lure you into responding by making you think there is an emergency to which you must respond. As phishing emails go, this one is pretty good.  It looks legitimate.  However, the email address from which it was sent is that of an individual totally unrelated to Chase and is most likely the address of an email account of someone whose email account was hacked and made a part of a botnet of computers used by scammers to send out phishing emails.   As so often is the case with these type of phishing emails, it does not contain your account number in the email.  It carries a legitimate looking Chase logo, but that is easy to counterfeit.

Chase logo

Dear ******************

You have 1 new Security message From Chase Online Bank.

Click your email here to view the message *****************

As this e-mail is an automated message, we can’t reply to any e-mails sent by return.

JPMorgan Chase Bank, N.A. Member FDIC
©2016 JPMorgan Chase & Co

TIPS

There are a number of indications that this is not a legitimate email from Chase, but instead is a phishing email. Legitimate credit card companies would refer to your specific account number in the email.  They also would direct the email to you by name rather than directing it to your email address.   As with all phishing emails, two things can happen if you click on the links provided.  Either you will be sent to a legitimate looking, but phony webpage where you will be prompted to input personal information that will be used to make you a victim of identity theft or, even worse, merely by clicking on the link, you may download keystroke logging malware that will steal all of your personal information from your computer or smartphone and use it to make you a victim of identity theft.  If you receive an email like this and think it may possibly be legitimate, merely call the customer service number where you can confirm that it is a scam, but make sure that you dial the telephone number correctly because scammers have been known to buy phone numbers that are just a digit off of the legitimate numbers for financial companies, such as Chase to trap you if you make a mistake in dialing the real number.

Scam of the day – November 15, 2016 – Post election scams

Merely because the presidential election is over doesn’t mean that scammers are not using the election as a further opportunity to scam people out of their money.  Scammers are always exploiting whatever is foremost in the minds of people and with a close election exposing how deep the divide is between many Americans, scammers are utilizing new scams designed around the election.

Both President Elect Trump supporters as well as his detractors will legitimately be doing fund raising at this time for their respective causes while emotions are running high.  You can expect to be contacted by phone, text messages, social media and email about contributing to various organizations claiming to advance your cause, whatever it may be.  Many of these people contacting you will be scammers.  Trust me, you can’t trust anyone.

You also may be contacted by scammers posing as people either taking a political survey or petitioning about current issues, such as the electoral college.  The danger here is that the scammers lure people into trusting them and then ask for personal information, such as birth dates and Social Security numbers that can be used for purposes of identity theft.

TIPS

Whenever, you are contacted by phone, text message, email or through social media, you cannot be sure who is really contacting you so you should never give out personal information including credit card information to anyone contacting you in those ways unless you have independently verified that the contact is legitimate.

No legitimate pollster and no one asking you to sign a legitimate petition needs your Social Security number so never give it to anyone asking you to sign a petition.

Scam of the day – November 13, 2016 – Important update for victims of the OPM data breach

I initially reported to you in 2014  that  the federal Office of Personnel Management (OPM) was hacked by Chinese hackers who stole personal information of  what was initially thought to be the personal information of about four million present and former federal employees as well as non-employees whose information was gathered by the OPM during the course of background investigations of federal employees.  At that time, the OPM offered free credit restoration services and credit monitoring to the victims through Winvale/CSID.  Then in 2015,  the OPM discovered a much larger data breach affecting more than twenty-one million people and again offered free credit restoration services and credit monitoring services.   Now the contract of  OPM with Winvale/CSID to supply those free credit restoration and monitoring services will end on December 1st.  If you were affected by the initial breach and had availed yourself of the free services offered by OPM, you will need to re-register with the new company, ID Experts.  You can do so by clicking on this link. https://www.opm.gov/cybersecurity

Victims of the second OPM data breach who applied for free credit restoration and monitoring services were already covered by ID Experts so they need not reapply.

TIPS

If you were a victim of the first  OPM data breach,  you should click on the link above and sign up for the free services.

It is important to remember that no identity theft protection company can prevent you from becoming a victim of identity theft.  The best they can do is notify you earlier that you have become a victim.    In fact, the OPM offered these services a year after the data breach actually occurred so the danger of identity theft is significant.   None of the identity theft protection companies help you with the one best step you can take to protect yourself from identity theft which is to put a credit freeze on your credit report.  With a credit freeze on your credit report, even if someone has your personal information including your Social Security number, they cannot access your credit report for purposes of gaining credit or loans in your name.  You can find information about how to put a credit freeze on your credit reports at each of the three major credit reporting agencies by going to the Archives section of Scamicide and putting in the words “credit freeze.”

Scam of the day – November 8, 2016 – PayPal email phishing scam

PayPal is a popular payment service used by many people particularly with eBay.  Therefore it can seem plausible when you receive an email that purports to come from PayPal asking you to clear up an undisclosed problem with your account.  However, anyone responding to the email copied below would either end up providing personal information to an identity thief or merely by clicking on the link could download keystroke logging malware that will steal the information from your computer and use it to make you a victim of identity theft.  DO NOT CLICK ON THE LINK.

This particular phishing email is not particularly sophisticated. Although it came with what appears to be a legitimate PayPal logo, that logo is easy to counterfeit.  More importantly It came from an email address of a private person rather than that of PayPal.  The address used, most likely is that of someone whose email account and computer was hacked in order for the identity thief to send out these phishing emails in mass quantities. It also is not directed to you personally as PayPal would do with all of its legitimate communications which is an indication that this is a phishing scam.  Finally, the words “recent” and “activity” improperly appear as “Recentactivity” without a space between the two words.

TIPS

The primary question we all face when we receive such an email asking for personal information or urging us to click on a link is how do we know whether to trust the email or not.  The answer is, as I always say, trust me, you can’t trust anyone.  Regardless of how legitimate such emails appear, you should not provide any personal information or click on any links until you have independently verified by phone call or email to an email address that you know is accurate that the request for personal information is legitimate.

 

.

Scam of the day – November 7, 2016 – Regions Bank phishing email

Regions Bank is a large bank based in Alabama with more than 1,700 branches throughout the South, Midwest and even into Texas. Recently, I received a phishing email  that appeared to come from Regions Bank.  Phishing emails, by which scammers and identity thieves attempt to lure you into either clicking on links contained within the email which  download malware or  trick you into providing personal information that will be used to make you a victim of identity theft, are nothing new.   They are a staple of identity thieves and scammers and with good reason because they work.   The Regions Bank phishing email uses the common ploy of indicating that the bank needs you to verify personal information for security purposes.   As phishing emails go, this one is pretty good, but it does have some telltale flaws.   Although the email address from which it was sent appears to be legitimate, upon closer examination you can determine it is not an official email address of Regions Bank.  Also, although the email is quite short, it contains numerous grammatical errors and the word “Sincerely” is spelled wrong.  Most telling, the email is not directed to you by name and does not contain your account number in the email.  It is important to remember that merely because the email contains the exact logo of the bank does not mean that the communication is legitimate.  It is easy to obtain a copy of the logo on the Internet.

TIPS

Obviously if you do not have an account with Regions bank, you know that this is a phishing scam, but even if you do have an account with this bank, there are a number of indications that this is not a legitimate email from Regions Bank, but instead is a phishing email. Legitimate banks would refer to your specific account number in the email.  They also would specifically direct the email to you by your name.  This email’s salutation is a generic “Dear customer” without even capitalizing the word “customer.”  As with all phishing emails, two things can happen if you click on the links provided.  Either you will be sent to a legitimate looking, but phony webpage where you will be prompted to input personal information that will be used to make you a victim of identity theft or, even worse, merely by clicking on the link, you may download keystroke logging malware that will steal all of your personal information from your computer or smartphone and use it to make you a victim of identity theft.  If you receive an email like this and think it may possibly be legitimate, merely call the customer service number  for your bank where you can confirm that it is a scam, but make sure that you dial the telephone number correctly because scammers have been known to purchase phone numbers that are just a digit off of the legitimate numbers for financial companies, such as Regions to trap you if you make a mistake in dialing the real number.

 

Scam of the day – October 31, 2016 – Amazon phishing email

A new phishing email is presently being circulated that attempts to lure you into clicking on links and provide personal information that can be used to make you a victim of identity theft.  Alternatively, merely by clicking on the links in some phishing emails, you may unwittingly download malware that will steal personal information from your computer or other device and use it to make you a victim of identity theft.  Even if you have the most updated versions of security software protecting your computer, laptop or smartphone you may not be protected from zero day exploits which is the name for the latest malware targeting vulnerabilities that have not yet been protected against by your security software.  It generally takes up to a month for the security software companies to provide patches for the latest strains of malware.

TIPS

In regard to this particular phishing email, there are a number of telltale signs that indicate that it is a scam.  Although the graphics are excellent, the email is not directed to you personally, but rather uses the generic salutation of “Dear Amazon.com Customer.”  In addition, there are numerous grammatical errors that could be attributable to the scammer possibly not having English as his or her primary language.  Also, the email address from which the email was sent was not from Amazon, but from an unrelated individual.  Most likely the email address used was that of another victim whose computer was hijacked and used as a part of a botnet to spread the phishing emails.  Of course, the best course of action is to never click on links or provide information in response to emails or text messages unless you have absolutely confirmed that the request is legitimate.  In this case, a quick telephone call to Amazon would have resulted in your quickly learning that the email was a scam.

Scam of the day – October 24, 2016 – Phony political poll scam

Political polls have been a major part of our election process for many years.  Generally, people are contacted by telephone to answer questions about the candidates and their policies.  Because it is so common at this time of year to be called by a political pollster, scammers also will call posing as pollsters in an effort to trick their victims into providing information that can be used for purposes of identity theft.  Often they will dangle the reward of a gift card or other prize to lure people into participating in the scam poll.  Scammers can also manipulate your Caller ID through a technique called “spoofing” to make it appear that their calls are coming from legitimate pollsters.

TIPS

Legitimate pollsters do not offer prizes or other compensation for participating in their polls.  They also will never ask for personal information such as your Social Security number, credit card number or banking information.  Anyone posing as a pollster asking for such information is a scammer and you should hang up immediately.

Scam of the day – October 2, 2016 – Another state enacts child identity theft law

Ohio became the latest state to enact a law providing for credit freezes for children to protect against child identity theft. Unfortunately, less than half of the states provide this much needed protection of minors from identity theft.  This is important because in recent years, children have been a prime target of identity thieves who, if they are able to get identifying information on a child such as the child’s Social Security number, can open a credit report on behalf of the child and obtain credit in the child’s name.  The identity thief never pays back the money accessed through the child’s credit and the child is burdened with a bad credit report that can have a deleterious effect on the child when he or she applies for credit, applies for a job, applies for a scholarship or applies for an apartment.  Often the identity theft is not discovered until years after it first happens which makes it more difficult to remedy.  A credit freeze is a tremendous tool for fighting identity theft because it prevents an identity thief who even has your Social Security number from accessing your credit report for purposes of establishing credit in your name. Unfortunately, the credit reporting agencies do not generally permit credit freezes for minors except in those states, such as Ohio that have required them to do so by law.

TIPS

If you live in Ohio and have minor children, you should contact each of the three major credit reporting agencies, Equifax, Experian and TransUnion in order to freeze your child’s credit.  If you live in one of the other states that have similar laws, take advantage of the law, set up a credit report for your children and immediately freeze the account. And while you are at it, you should also freeze your own credit reports as your best precaution against identity theft. For information about how to put a credit freeze on your own credit reports go to the Search This Website section of Scamicide at the top of the page and type in “credit freeze.”  If your state does not have such a law, let your state legislators know that you want them to pass such a law.  I am proposing such a law in my own home state.  Parents should, as much as possible, try to limit the places that have their child’s Social Security number and become familiar with the Family Educational Rights Privacy Act which helps you protect the privacy of your child’s school records and lets you opt out of information sharing by the school with third parties.  Finally, the security company AllClear ID (www.allclearid.com) provides a free service called ChildScan which not only searches credit records tied to your child’s Social Security number, but also checks employment records, criminal records and medical records to recognize at an early stage if your child has become a victim of identity theft.