Scam of the day – June 18, 2017 – Identity thieves hack Federal Student Aid website

The Free Application for Federal Student Aid (FAFSA) is a part of the U.S. Department of Education used by college students to apply for much needed financial aid to assist them in furthering their education.  Some of the forms used in the application process require inserting information from past income tax returns.  To make the process more convenient, FAFSA provided for a data retrieval service directly to the IRS to obtain the necessary information, however scammers, such as two recently indicted men from Indiana and Georgia are alleged to have hacked into the data retrieval system of FAFSA applicants to get the tax information which they then used to commit income tax identity theft, attempting to steal approximately 12.7 million dollars in phony income tax refunds.

In response to these problems, FAFSA suspended its data retrieval system until two weeks ago when they reinstituted the Data Retrieval Tool with the IRS in a manner that the tax return information will be encrypted and hidden from view of even the borrower as well as someone hacking into the borrower’s account.

TIPS

Quite often, as Shakespeare said, the fault is not in the stars, the fault is in ourselves. Too often we become victims of identity theft when the security of particular websites, companies or government agencies that have our personal data is compromised because we provide our passwords and user names to identity thieves by falling prey to spear phishing emails or downloading malware.   It is important to never click on a link in an email or download an attachment unless you have confirmed that it is legitimate.  Also, never provide personal information to anyone unless you have confirmed that the request is legitimate.

As for students seeking to use the Data Retrieval Tool of the IRS for filing a FAFSA form, you can safely use this service by going to StudentLoans.gov.

Scam of the day – June 17, 2017 – Father’s Day scams

Tomorrow is Father’s Day which for many people is an opportunity to show our fathers how much we love and appreciate them, for scam artists, it is yet another opportunity to scam people.

One of the most common Father’s Day scams involves e-cards which are great, particularly for those of us who forget to send a Father’s Day card until the last minute.  Identity thieves send emails purporting to contain a link to an electronic Father’s Day card, but instead send malware that becomes downloaded when the victim clicks on the link. This keystroke logging malware enables an identity thief to steal personal information from the victim’s computer that can be used for purposes of identity theft.

TIPS

Never click on a link to open an e card unless the e card specifically indicates who sent the card. Phony e cards will not indicate the name of the sender.  Even if the sender is someone you recognize, you should independently confirm with that person that they indeed sent you an e card before clicking on the link.

Scam of the day – June 3, 2017 – Hackers and scammers turning to social media

Recent reports by various security companies are indicating that state-sponsored Russian hackers, such as those that managed to plant fake news stories in an effort to disrupt the 2016 presidential election are increasingly turning to targeting social media accounts to download malware and spread disinformation.  This is a complex story and one worth knowing more about, however, as an individual, you are also susceptible to scams, ransomware and malware downloaded through clicking on links in social media postings.

We have long known that phishing emails and the more personally targeted spear phishing emails are how most malware gets downloaded on to the computers of individuals, companies and government agencies. However, as successful as phishing is in spreading malware, postings on social media, according to cybersecurity firm ZeroFOX are twice as successful in spreading malware.

And it makes sense.

In my May 5, 2017 Scam of the day I warned you about the risks of the Facebook “10 concerts, but there is one act that I haven’t seen live” quiz.   I highlighted the fact that scammers use social media to gather personal information that can later be used to tailor a message sent through social media such as Facebook or Twitter that you are more likely to trust and click on links in the messages that will download malware.

TIPS

Trust me, you can’t trust anyone.  Always be skeptical when you receive any kind of electronic communication that requires you to click on a link in the message.  Always confirm it before clicking on the link regardless of how trustworthy it may seem.  Further, you may well consider limiting the amount of personal information that you post on social media that can be used to tailor spear phishing emails to lure you a victim of identity theft or some other scam by appealing to something in which you are known to be interested.

Scam of the day – June 2, 2017 – Trump gift card scam

It is hard to win any lottery. It is impossible to win one that you have not even entered and yet scam artists, the only criminals we refer to as artists have found that it is extremely lucrative to scam people by convincing them that they have won various lotteries.   Reproduced below is a unique lottery scam using President Trump as the hook.

As with many effective scams, the pitch of the scammer seems legitimate. Income taxes are due on lottery winnings, but with legitimate lotteries they are either deducted from the lottery winnings before you receive your prize or you are responsible for paying the taxes directly to the IRS. No legitimate lottery collects taxes on behalf of the IRS from lottery winners.  Other times, the scammer tell the “winners” that in order to collect their prizes, they need to pay administrative fees. No legitimate lottery requires you to pay administrative fees in order to claim your prize.   Additionally, some phony lotteries ask for personal information which is then used for purposes of identity theft.

This particular phony lottery scam is filled with indications that it is not legitimate.  It is sent by email, but not addressed to you personally in any salutation.  It also proclaims “congratulation” rather than “congratulations.”  Finally, it is being circulated now although it refers to the “autumn competition.”

TIPS

As I have often told you, it is difficult to win a lottery you have entered.  It is impossible to win one that you have not even entered.  You should always be skeptical about being told that you have won a lottery you never entered.    In regard to taxes, while it is true that income taxes are owed on lottery winnings, legal lotteries never collect tax money from winners.  They either deduct the taxes from the winnings or leave it up to the winners to pay their taxes directly to the IRS.  You also should never pay a fee to collect a legal lottery prize and you certainly should never click on links unless you have confirmed that the communication is legitimate in order to avoid downloading malware.

Scam of the day – May 30, 2017 – Apple iTunes phishing scam

Phishing emails, and the more personally tailored spear phishing emails are the most common way that people and companies are tricked into downloading malware such as ransomware or keystroke logging malware used to steal information from the victim for purposes of identity theft. Effective phishing emails will appear to be legitimate and lure victims into downloading malware filled attachments or clicking on links tainted with malware.

Reproduced below is a new phishing email presently being circulated that is one of the worst examples of a phishing email.   It purports to be from the Apple Store informing the recipient that his or her account has been used to make a purchase and urges the targeted victim to download an attachment if they did not make the purchase.

As regular readers of Scamicide have seen, many of the phishing emails we have shown you over the years are quite convincing, however this particular email is so filled with indications that it is phony, it is hard to imagine someone falling for the scam although I am sure some people will do so.

The email address of the sender has nothing to do with Apple which is an early indication that this is a scam.  There is no logo that appears on the email and the email is not addressed to anyone in particular nor does it indicate an account number.  Finally, their are spelling errors and horrible grammatical errors throughout the email.

Here is a copy of the email that is presently circulating.

“[ApplePay] – iTunes was used to purchase in App Store on Macbook Pro 13
Date and time: 27 May 2017 10.32 hrs
Transaction: 7BA6818XL0333C2U
Order number: MQ3N7F0G8Q
OS: OS X 10.12.4
Browser: Safari
Location: New York, United States of America
If the information looks familiar, you can ignore this email.
If you have not recently purchased an article or in-apps apps on a MacBook Pro 13 “
With its appIe lD and thinking that your account has been accessed,
Please read our binding and follow the instuction to back up your account.
Best regards,
AppIe account department
Copyright @ 1998-2017. 2211 N 1st St, San Jose, CA 95131, USA. All rights reserved.”
TIPS
Whenever you get any email that attempts to lure you into downloading an attachment or clicking on a link, you should be skeptical and never consider doing so unless you have absolutely confirmed that the email is legitimate.  Also, look for telltale signs that the email is a phishing email by examining the address of the sender, the spelling and grammar and a lack of your account number or name appearing although in more professionally done spear phishing emails real account numbers and your name might be used which is why it is always imperative to never click on links or download attachments unless you are totally convinced that the email is not phony.

Scam of the day – May 18, 2017 – DocuSign phishing scam

DocuSign is a company that provides technology for the transmission of contracts and other documents with features for electronic signatures used by many businesses.  Recently DocuSign suffered a data breach in which its customer email data base was hacked.  Shortly thereafter, many DocuSign customers received phishing emails designed to appear as if they were legitimate DocuSign communications and requests the person receiving the email to download an attached Word document.    However, anyone downloading the attachment would also have unwittingly downloaded malware.

TIPS

Never click on a link or download an attachment regardless of how legitimate the email or text message may appear until you have confirmed that the message is legitimate.

You can never be sure when you receive an email as to who is really contacting you.  Although sometimes it is obvious when the email address of the sender does not correspond to who is represented as sending the email, but other times, such as in this case, the email account of someone or some company you trust could have been hacked and used to send you the malware.  Therefore you should never click on a link or download an attachment in an email until you have absolutely and independently confirmed that it is legitimate.

Scam of the day – April 19, 2017 – Phony Nintendo Switch emulator scam

The recently launched Nintendo Switch is the latest video game console released by Nintendo.  Software emulators for the Nintendo Switch are being offered online in many places including YouTube where thousands of videos can be found offering Nintendo Switch emulators.  Emulators permit someone to play console-only games on their portable devices such as their smartphones or tablets.  Nintendo does not make such an emulator.  People going to one of these phony Nintendo Switch emulator websites are generally directed to a survey that they must complete in order to receive the code necessary to use the offered emulator, however, this is a scam and while completing the survey provides the scammers with rewards because they are paid by marketers for each completed survey they supply, the person trying to get the emulator ends up with nothing.  Even worse is the very real possibility that someone downloading attachments for what they think is a Nintendo Switch emulator will be downloading malware that can either lead to identity theft or ransomware malware.

The phony Nintendo Switch emulator scam was uncovered by Symantec, a security company.

TIPS

There presently is no emulator for the Nintendo Switch, so any online offer of one at this time is a scam.  Being directed to a survey when you are attempting to locate something free on the Internet is always a source of concern for while there are legitimate surveys that will provide you something in return, such as a chance at winning a gift card, many of these surveys are scams providing nothing in return.  Finally, as always never click on links or download attachments unless you have absolutely confirmed that the link or download is legitimate.  The risk of downloading dangerous malware is too great.

Scam of the day – March 27, 2017 – eFax phishing scam

Phishing scams in which you are lured to click on links or download attachments full of malware rely on your trusting the initial communication.  Reproduced below is an email I recently received that appeared to come from eFax a real company that sends faxes digitally formatted as PDF files.  Don’t click where it says “View your document” because if you do you will end up downloading malware.

You have got a 3 page fax at Thu, 24 March 2017 8:17:28

Your personal new Fax reference ID is vnj-48956824

View your document!

Take your faxes online with eFax®, the world's #1 internet fax service.

While the email appears to be legitimate, the email address sending the email had no relation to eFax which was an immediate indication that this was a scam.

TIPS

The risk of downloading malware by clicking on unverified links or downloading unverified attachments is too great.  Never click on any links or download any attachments regardless of where they may appear to originate until you have independently confirmed that the communication is legitimate.  In this case it would have been simple to determine that this was not a true communication from eFax.

Also, as often is the case, the grammar of scammers is not always the best as where this phishing email states “You have got.”

Scam of the day – January 24, 2017 – Utility bill scams

Scams regarding payments of utility bills are occurring with greater frequency now that Winter has arrived.  The Nebraska Public Service Commission is warning consumers about a number of these scams, but these scams are certainly not limited to Nebraska.

In one version of the scam, potential victims receive telephone calls purportedly from their utility company informing them of a special company promotion for which they are eligible.  They just need to provide some personal information.

In another version, potential victims are called on the phone and told that their utility service will be terminated for non-payment unless they pay by credit card over the phone.

In a third version of this scam, potential victims receive an email that has a link to take them to their bill.

All of these are scams.  In the first, there is no special promotion and the victim ends up providing personal information that leads to identity theft.  In the second, the victim is coerced into giving their credit card information to a scammer and in the third, merely by clicking on the link to go to the phony bill, the victim ends up downloading keystroke logging malware or ransomware that can lead to identity theft or worse.

TIPS

You can never be sure when you get an email or a telephone call if it is really from a legitimate source.  Email addresses can be hacked to appear legitimate and even if you have Caller ID, a scammer can use a technique called “spoofing” to make it appear that the call is from a legitimate caller.

Trust me, you can’t trust anyone.  Never provide personal or financial information to anyone in response to a telephone call, text message or email until you have independently confirmed that the communication was legitimate.  In the case of a utility bill, merely call the number on the back of your bill and you will be able to confirm whether or not the communication was legitimate.  Also, never click on links unless you have confirmed that they are legitimate.  The risk is too great.

Scam of the day – November 26, 2016 – Naval records at Hewlett Packard hacked

In an all too familiar story, it has just been disclosed that personal information including names and Social Security numbers of 134, 386 present and former Navy employees was compromised in a hacking of a laptop of a Hewlett Packard employee.  Hewlett Packard had this information through a contract on which it was working for the U.S. Navy.  Further details of the hacking have not been released, but the fact that such a hacking occurred leads to concerns that the pattern established years ago in hacking of NASA laptops in which the laptops were not password protected and the data contained therein was unencrypted is repeating itself.

TIPS

The continuing negligence of many companies and government agencies in not properly protecting sensitive personal data that can readily be used for purposes of identity theft is disappointing and startling.  There are many simple security steps that are easily taken, such as password protecting laptops and other electronic devices as well as encrypting sensitive data and the use and updating of security software that should be done by all companies and government agencies without exception.

The lesson, however, is one that we should also practice in our own lives.  We as individuals are regularly targeted by identity thieves so al of us should protect each of our electronic devices with a unique password, sensitive data should be encrypted and stored in the cloud or in a portable hard drive, dual factor authentication should be used whenever possible, install and update security software on all of your electronic devices and don’t click on links in emails or text messages unless you have absolutely confirmed that they are legitimate.  These are just a few of the simple protocols we should all follow to decrease the chances of our becoming victims of identity theft.