Scam of the day – July 31, 2016 – Pennsylvania Revenue Department data breach

Earlier this month the Pennsylvania Revenue Department announced that it was notifying 865 taxpayers by mail that their unencrypted personal information was contained on one of four laptop computers stolen from a car used by Pennsylvania Revenue Department auditors while in California performing an audit.  The letters being sent to the Pennsylvania taxpayers affected by this data breach will provide information about free credit monitoring services through Experian for which the affected taxpayers are eligible.  Although this particular data breach is quite limited in scope, it once again points out the problems that numerous state and federal government agencies have had in recent years, most notably the massive data breach at the Office of Personnel Management (OPM) that resulted in the loss of personal data of more than four million people.

Too often these government agencies have not followed basic security precautions: laptops lack password protection, data is not encrypted and proper security software is not installed.


Even if you are extremely careful in following security precautions on all of your own electronic devices including your computer and smartphone, you are only as safe from identity theft as the places that have your information with the worst security.  Therefore, as much as you can, limit the amount of personal information you provide to any company or governmental agency to that which you absolutely must provide.  For instance, hospitals and medical care providers routinely ask for your Social Security number although they have no real use for it.  Provide them whenever possible with alternative forms of identification.

Scam of the day – April 6, 2015 – Guilty pleas in 20 million dollar military identity theft scam

Following a joint investigation by the IRS and U.S. Army investigators, nine women from Alabama and one woman from Georgia have pleaded guilty to identity theft involving 7,000 soldiers, many of whom were deployed in Afghanistan.  The personal information stolen was used to file phony income tax returns and resulted in the criminals receiving more than 20 million dollars in bogus refunds from the IRS.  One of the criminals, Tracy Mitchell, worked at a military hospital at Fort Benning, Georgia, where she had access to military records that included the Social Security numbers of the military patients of the hospital.  Fraudulent refund checks were cashed at a Wal-Mart money center where one of the other criminals worked.  The scam went on for almost three years before law enforcement was able to shut it down.  Sentencing will occur for most of the defendants in June and each faces a long prison sentence.


This case is just another example of the fact that regardless of how good you are at protecting your personal information, you are only as safe from identity theft as the places with the weakest security that hold your information.  It is also another example of the problems that the IRS still has with income tax identity theft, to a great extent because it still does not compare W-2s filed by employers with those filed with the tax returns of taxpayers before sending out refunds.  About the best thing you can do to protect yourself from income tax identity theft is to file your income tax return as early as possible to beat an identity thief to the punch.

Scam of the day – March 1, 2015 – Bank teller convicted of identity theft

Recently, Nadia Figueroa, a bank teller at a JP Morgan Chase bank in White Plains, New York, was convicted of being part of an identity theft ring that stole $850,000 from the accounts of innocent depositors in the bank.  Figueroa obtained personal and account information of hundreds of the bank’s customers with accounts of more than $50,000 and then provided that personal and account information to two accomplices, Tyrone Lee and Anthony Davis, who created fraudulent checks and identification documents which they used to impersonate the real account holders and withdraw funds from their accounts at other branches of JP Morgan Chase in New York, Connecticut and Massachusetts.  Lee and Davis had already been convicted of grand larceny, identity theft, criminal possession of a forged instrument and scheming to defraud.


This case serves as a reminder that it is not just foreign hackers who are attacking banks through cyberattacks, but also criminal, rogue employees who steal from banks by misusing their positions and the information to which they have access.  This should be a wake-up call to banks and other financial institutions to provide constant security programs to minimize the opportunity for this type of crime.  It is also another reminder to all of us that the price of security is eternal vigilance.  Everyone should regularly monitor all of their financial accounts for any evidence of anything out of the ordinary.  The sooner you recognize a problem, the easier it is to fix.

Scam of the day – September 25, 2014 – GAO report on income tax identity theft and the IRS

Earlier this week, the General Accountability Office issued a new report dealing with income tax identity theft and what the IRS should be doing to reduce this problem, which last year alone cost taxpayers more than 5 billion dollars in fraudulent refunds paid to identity thieves who stole the Social Security numbers of innocent taxpayers and filed phony income tax returns along with counterfeited W-2s.  A report done last year by the Treasury Department predicted that the IRS will pay out more than 21 billion dollars in fraudulent tax refund checks over the next five years.  As for the innocent taxpayers whose Social Security numbers were used in these fraudulent returns, it sometimes takes as long as a year for the IRS to correct the problem and pay the real taxpayer his or her legitimate refund.  In its report this week, the GAO singled out a significant failing in the way that the IRS processes income tax returns: under the present system, W-2s are sent by employers not to the IRS, but to the Social Security Administration, which often does not get around to forwarding them to the IRS for matching with already filed income tax returns until July, well after most tax refunds have been paid.  A simple solution would be to require e-filing or simultaneous filing with the IRS of the W-2s before refunds are sent out.  Regular readers may remember that I exposed this problem and made the same recommendation more than a year ago in my Scam of the Day of August 3, 2013.


In order to avoid income tax identity theft personally, you should file as soon as possible to beat a potential identity thief to the punch.   You should also try to protect the privacy of your Social Security number as much as possible to minimize the opportunity for an identity thief to file an income tax return using your name and number.

Scam of the day – September 22, 2014 – College students and identity theft

Identity theft is a major problem for everyone; however, college students are five times more likely to become a victim of identity theft than the general public.  There are two primary reasons for their vulnerability.  They live in close quarters with lax security and they do not take sufficient precautions to protect themselves in their dorm rooms or online.  Identity theft can be high tech, low tech or no tech and college students are victimized in all three ways.  They become victims of identity theft because, too often, they fail to protect their smartphones with security software or even a proper password.  They click on links in emails, text messages and social media that promise to provide free music, video games, alluring photos or gossip without realizing that a large number of these communications are sent by identity thieves and that the links only download keystroke logging malware that steals their personal information from their computers, smartphones and other electronic devices, information that is then used to make them victims of identity theft.  They download free apps from questionable sites and again end up downloading malware.  They use free wifi in public locations without proper encryption and security software on their electronic devices, not knowing that the free wifi they are using may be set up by an identity thief eavesdropping on their communications and stealing their information.  They leave the computers in their dorm rooms unprotected by a good password and they leave important documents with personal information unprotected in their rooms.


On the low tech and no tech side of things, they should lock up all their important papers that contain personal information.  They should also shred papers with personal information that they do not need to keep.  They should install security software and encryption software on all of their electronic devices including their smartphones, computers and tablets.  They should use strong passwords and different passwords for all of their accounts and devices.  They should never click on links in emails, text messages or social media postings unless they have confirmed that the links are legitimate.  Be wary of wifi and don’t use it for financial transactions.

Scam of the day – May 19, 2014 – Blackshades hacking ring busted

Any day now the FBI will be announcing that in coordination with foreign law enforcement agencies it has raided illegal users of a software program called Blackshades.  Blackshades is the name for a type of software that goes by the interesting acronym RAT, which stands for Remote Access Tool.  This type of software enables someone to control a computer from a distance.  Blackshades can be used legitimately by businesses to permit accessing of a work computer while the employee is at home, but it has also been used many times by hackers who use it as keystroke logging malware to steal information from the victim’s computer and make him or her a victim of identity theft, to take control of the victim’s webcam for blackmail purposes, or to lock the victim’s computer and refuse to permit the victim to have access to it unless a ransom is paid.  In this raid, the FBI and other international law enforcement agencies also shut down the website which was a part of the black market on which the program was sold, often for bitcoins to maintain the anonymity of the purchase.


This is a good sign that international law enforcement is cooperating in the war against cybercriminals.  However, for all of us, it is important to remember that in order for us to become victims of malware such as Blackshades, the software has to be installed on our computers or other devices, and the main way that this is still done is through phishing, so it is still as important as ever not to click on links unless you are absolutely sure they are legitimate.

Scam of the day – April 5, 2014 – Shredding company employee implicated in identity theft

For years I have advised everyone to shred any documents they have containing personal information before discarding them.  Identity thieves have been known to go through the trash of individuals, companies and government agencies looking for documents that contain personal information such as credit card numbers or Social Security numbers that can be used for identity theft purposes.  Mere horizontal shredding may not be sufficient to protect you.  There have been many instances where identity thieves were able to piece together horizontally shredded documents to get the information they seek.  It is far better to use a cross shredder that will render the documents unusable by anyone seeking to obtain information from the documents.  Although many individuals will have their own shredders at home, many companies use the services of shredding companies that will come to the company’s location and either pick up the materials to bring back to the shredding company’s headquarters to be shredded or shred the material right at their customer’s location using a truck with shredding machinery incorporated into the truck.  Recently some identity theft was traced back to a Texas shredding company, Cintas Document Management, that picked up documents to be brought back to Cintas’ headquarters to be shredded.  Police are investigating one particular rogue employee who it is thought took the documents he was supposed to bring back to Cintas for shredding and instead used the documents to get information which he used to make some customers victims of identity theft.


If you are doing shredding of your documents at home, you should use a cross-shredder.  If you are having your documents shredded by a shredding company, you are better off hiring a company that sends a truck to your company to shred the documents at your company’s site while you watch.

Scam of the day – March 12, 2014 – More AOL scams

Although it is nowhere near as popular as it once was, America Online (AOL) is still used for email by more than 2.5 million people and that means that it will be a target for identity thieves and hackers who are constantly sending out new “phishing” emails attempting to lure people into clicking on tainted links that are infected with malware.  When the unwary receiver of the email clicks on the link, he or she unwittingly downloads keystroke logging malware on to his or her computer or other device that will steal personal information from the victim’s device and use it to make the person a victim of identity theft.  Phishing is the name for the tactic in which an identity thief sends a message that looks like it is from a legitimate source and persuades the victim to respond by either clicking on a link that will download malware or providing requested personal information that will be used to make the person a victim of identity theft.  Here are a couple of examples of AOL phishing emails presently being circulated.  DO NOT CLICK ON THE LINKS.

Dear Valid User,

Your account was accessed from a device we did not recognize at (Ireland )  09:00 Irish Standard Time). If you did not check it from another device, please CLICK HERE to your account.

Sincerely, Aol Service.”


Click here now to confirm the validity of your account.

 Thanks again for choosing our Service.
Sincerely, America Online Team”

You will notice that the first example had a good reproduction of the AOL logo and what appears to be a legitimate reason to contact you.  The second example is pretty shoddy and does not appear terribly official.  It is also important to note that in both instances, these emails are being sent from email addresses that were stolen by hackers who hacked into and took control of the email accounts of legitimate AOL users.  However, the addresses do not indicate anything to make you think that it is an official address for AOL as a company.  The key lesson to remember, however, is that regardless of how legitimate an email that contains a link or an attachment looks, you should never click on the link or download the attachment until you have confirmed that it is legitimate.  You can never be sure when you receive an email or text message as to who is really sending it.  The best course of action is to always confirm that it is legitimate before clicking on any link or downloading any attachment.  In this case a call or email to the real AOL should have been done by anyone who had the slightest thought that the emails might have been legitimate.

Scam of the day – September 25, 2013 – Critical software security patches

As I have explained to you many times, scammers and identity thieves are constantly exploiting vulnerabilities that they discover in the various software and hardware that we all use to make us victims of scams and identity theft.  Fortunately, software manufacturers are just as constantly working on security updates and patches to eliminate those vulnerabilities as fast as they can.  It is therefore critical to protect yourself by installing and applying the latest security software patches as soon as they are available.  Scammers and identity thieves rely on the fact that many people either don’t know about the necessary patches or delay installing them.  The National Cybersecurity and Communications Integration Center, which is a part of the Department of Homeland Security, regularly publishes links to the latest security patches.  This week there is a particularly large number of them, including patches for iPhones, Mozilla Firefox and Internet Explorer.  The security bulletin describing these vulnerabilities and where to go to patch them is reproduced below.  Check Scamicide on a daily basis to not only learn about the latest scams, but also the latest security patches for your computers, smartphones and laptops.


Here is the link to the most recent security bulletin of the National Cybersecurity and Communications Integration Center with links to the latest security patches.

Scam of the day – September 16, 2013 – Worst areas for Smishing

Those of you who have read my books “50 Ways to Protect Your Identity in a Digital Age” or “The Truth About Avoiding Scams” may already be aware of the term smishing, which is the name for phony text messages sent by scammers and identity thieves to us in order to lure us into responding with personal information that can be used for identity theft purposes.  A common smishing tactic is when you receive a text message that appears to come from your bank informing you that there has been a security problem with your account and that you need to provide some personal information immediately to either protect your account or to keep it from being frozen and unavailable to you.  Smishing messages can be quite convincing.  You should resist the immediate impulse to provide the requested information because if you do provide the information, it will only be used against you to make you a victim of identity theft.  Recently the security firm Cloudmark released a list of the worst cities in the country for smishing.  Here are the top ten cities: Fort Lauderdale, Los Angeles, Dallas, Miami, San Francisco, Seattle, San Antonio, New York, Austin, and Everett in the state of Washington.


Even if you are not in one of these cities you should be wary of text messages that you receive that either ask you to click on a link or provide information.  Clicking on a link may unwittingly download keystroke logging malware that can steal all of the information from your smartphone and use that information to make you a victim of identity theft.  Providing information can also result in your becoming a victim of identity theft.  Never click on links unless you are sure they are legitimate, and you cannot be sure until you have investigated whether the message containing the link is legitimate.  Never provide information in response to a text message until you have confirmed that the message was legitimate by calling a telephone number that you know is accurate for the company allegedly contacting you.