Scam of the day – May 26, 2017 – Latest USAA phishing scam

USAA is the insurer of millions of members of the military as well as many veterans so it is no surprise that it is the basis for a new phishing email presently being circulated.  As with so many phishing emails, this one tells you  that you need to click on links in the email in order to resolve security issues.  The truth is that if you click on the link or provide personal information, you will become a victim of identity theft as the criminal will use the information you provide to make you a victim of identity theft.  Alternatively, merely by clicking on the link provided in the email, you may download keystroke logging malware that will enable the identity thief to steal all of the information in your computer, laptop or other device and use that information to make you a victim of identity theft.   In another scenario, clicking on the link will download dangerous ransomware.

Here is a copy of the new phishing email that is presently circulating.  DO NOT CLICK ON THE LINKS.  As phishing emails go, the graphics are pretty impressive.   It should be noted that the email is directed to “Dear Customer” rather than your name and no account number is provided. These are further indications that this is a scam.  Finally, this email was sent by an email address that had nothing to do with USAA, but was undoubtedly part of a botnet of computers using email addresses of hacked email accounts to send out the phishing email.

TIPS

Frankly, whenever you get an email, you can never be sure who is really sending it to you.  Obviously if you receive this email and you do not have an account with USAA, you know it is a scam, however, if you receive something like this that appears to come from a company with which you do business, you should still not click on any links contained in the email unless you have independently confirmed with the company that the email is legitimate.  Remember, even paranoids have enemies.

Scam of the day – April 17, 2017 – PayPal phishing scam

PayPal is a popular payment service used by many people particularly with eBay.  Therefore it can seem plausible when you receive an email that purports to come from PayPal asking you to clear up an undisclosed problem with your account.  However, anyone responding to the email copied below would either end up providing personal information to an identity thief or merely by clicking on the link could download keystroke logging malware that will steal the information from your computer and use it to make you a victim of identity theft.  DO NOT CLICK ON THE LINK.

This particular phishing email is not particularly sophisticated. Although it came with what appears to be a legitimate PayPal logo, that logo is easy to counterfeit.  More importantly It came from an email address of a private person rather than that of PayPal.  The address used, most likely, is that of someone whose email account and computer was hacked in order for the identity thief to send out these phishing emails in mass quantities through a botnet. It also is not directed to you personally as PayPal would do with all of its legitimate communications which is an indication that this is a phishing scam.   Additionally, the salutation is spelled incorrectly where it reads “Dear Costumer.”

TIPS

The primary question we all face when we receive such an email asking for personal information or urging us to click on a link is how do we know whether to trust the email or not.  The answer is, as I always say, trust me, you can’t trust anyone.  Regardless of how legitimate such emails appear, you should not provide any personal information or click on any links until you have independently verified by phone call or email to an email address that you know is accurate that the request for personal information is legitimate.  In the case of PayPal, if you have a question about your account, you can contact PayPal online here https://www.paypal.com/re/selfhelp/home

Scam of the day – January 1, 2017 – Phony FTC complaint phishing email

The Federal Trade Commmission ( FTC) does a pretty good job of protecting consumers from fraud.  Unfortunately the latest fraud about which the FTC recently issued a warning involves an email that appears to come from the FTC, but is actually the work of an identity thief.  This scam has been appearing periodically for about three years and is having a new resurgence. The phony email contains a good copy of the FTC’s logo and looks quite official.  It is not.

Here is a copy of one version of this email.

“This notification has been automatically sent to you because we have received a consumer complaint, claiming that your company is violating the CCPA (Consumer Credit Protection Act).
According to our policy, we have initiated a formal investigation before taking legal action. You can download the document containing the complaint and the plaintiff contact information, from…” followed by a link.

If you receive such an email, do not click on the link.  The email is phony and if you click on the link, you will only end up downloading a keystroke logging malware program that will steal the information from your computer including your Social Security number, credit card numbers, bank account numbers and passwords and end up making you a victim of identity theft.

TIPS

When you receive an email you can never be sure of who sent it.  Sometimes you can immediately tell that the email address of the sender is not a legitimate email address for the company or person that it purports to be, however, other times a legitimate email account may have been hacked into and used to send the phishing email.  Never click on a link or download an attachment in an email unless you are absolutely positive that it is legitimate and the only way to do that is to confirm that the email is legitimate such as by calling on the telephone the person who sent it to you to confirm that it is indeed legitimate.  In the case of this email, your should be immediately skeptical because the email is not directed to you personally and does not contain your name anywhere.  If you have even the slightest thought that the email might be legitimate, contact the FTC at its dedicated line to deal with these kind of scams 877-382-4537 and you can confirm that it is a scam.  Trust me, you can’t trust anyone.

Scam of the day – November 7, 2016 – Regions Bank phishing email

Regions Bank is a large bank based in Alabama with more than 1,700 branches throughout the South, Midwest and even into Texas. Recently, I received a phishing email  that appeared to come from Regions Bank.  Phishing emails, by which scammers and identity thieves attempt to lure you into either clicking on links contained within the email which  download malware or  trick you into providing personal information that will be used to make you a victim of identity theft, are nothing new.   They are a staple of identity thieves and scammers and with good reason because they work.   The Regions Bank phishing email uses the common ploy of indicating that the bank needs you to verify personal information for security purposes.   As phishing emails go, this one is pretty good, but it does have some telltale flaws.   Although the email address from which it was sent appears to be legitimate, upon closer examination you can determine it is not an official email address of Regions Bank.  Also, although the email is quite short, it contains numerous grammatical errors and the word “Sincerely” is spelled wrong.  Most telling, the email is not directed to you by name and does not contain your account number in the email.  It is important to remember that merely because the email contains the exact logo of the bank does not mean that the communication is legitimate.  It is easy to obtain a copy of the logo on the Internet.

TIPS

Obviously if you do not have an account with Regions bank, you know that this is a phishing scam, but even if you do have an account with this bank, there are a number of indications that this is not a legitimate email from Regions Bank, but instead is a phishing email. Legitimate banks would refer to your specific account number in the email.  They also would specifically direct the email to you by your name.  This email’s salutation is a generic “Dear customer” without even capitalizing the word “customer.”  As with all phishing emails, two things can happen if you click on the links provided.  Either you will be sent to a legitimate looking, but phony webpage where you will be prompted to input personal information that will be used to make you a victim of identity theft or, even worse, merely by clicking on the link, you may download keystroke logging malware that will steal all of your personal information from your computer or smartphone and use it to make you a victim of identity theft.  If you receive an email like this and think it may possibly be legitimate, merely call the customer service number  for your bank where you can confirm that it is a scam, but make sure that you dial the telephone number correctly because scammers have been known to purchase phone numbers that are just a digit off of the legitimate numbers for financial companies, such as Regions to trap you if you make a mistake in dialing the real number.

 

Scam of the day – August 2, 2016 – Netflix phishing scam

The popularity of Netflix makes it a preferred subject for phishing emails sent to people appearing to come from Netflix in which you are told you need to update your credit card information.  Reproduced below is a copy of an email presently being circulated.  It looks legitimate, but it is easy to counterfeit the Netflix logo and make the email appear to be legitimate when it is not.  Two things can happen if you click on the link in the email.  Either you will be directed to a phony but legitimate looking website where you will be prompted to input your credit card information and thereby turn it over to an identity thief or, even worse, merely by clicking on the link, you will download keystroke logging malware that can steal all of the information from your computer and use it to make you a victim of identity theft.

netflix phising.jpg

TIPS

As I always say, “trust me, you can’t trust anyone.”  You can never be truly sure when you receive an email seeking personal information such as your credit card number whether or not the email is a scam.  The risk of clicking on a link or providing the requested information is just too high.  Instead, if you think that the email might be legitimate, you should contact the company at a telephone number that you know is legitimate and find out whether or not the email was a scam.

Scam of the day – May 2, 2016 – Another new USAA phishing scam

Yet another phishing email is turning up purporting  to be from USAA, the insurer of millions of members of the military as well as many veterans, telling you that you need to click on links in the email in order to resolve security issues.  Like many phishing emails,this one tries to convince you into thinking you must click on a link and provide personal information or suffer dire consequences when the truth is that if you click on the link or provide personal information, you will become a victim of identity theft as the criminal will use the information you provide to make you a victim of identity theft.  Alternatively, merely by clicking on the link provided in the email, you may download keystroke logging malware that will enable the identity thief to steal all of the information in your computer, laptop or other device and use that information to make you a victim of identity theft.  Here is a copy of the newest phishing email that is presently circulating.  DO NOT CLICK ON THE CONTINUE BUTTON.  As phishing emails go, the graphics are pretty impressive, however there are several grammatical errors including the word “temporal” being used instead of “temporary”.  It also  should be noted that the email is directed to “Dear Valued Customer” rather than your name and no account number is provided.  These are further indications that this is a scam.  Finally, this email was sent by an email address that had nothing to do with USAA, but was undoubtedly part of a botnet of computers using email addresses of hacked email accounts to send out the phishing email.

TIPS

Frankly, whenever you get an email, you can never be sure who is really sending it to you.  Obviously if you receive this email and you do not have an account with USAA, you know it is a scam, however, if you receive something like this that appears to come from a company with which you do business, you should still not click on any links contained in the email unless you have independently confirmed with the company that the email is legitimate.  Remember, even paranoids have enemies.

Scam of the day – March 7, 2016 – Bank of America phishing scam

Here is another good example of a phishing email that is presently being circulated.   It makes for compelling reading, but it is a scam.  Phishing emails, by which scammers and identity thieves attempt to lure you into either clicking on links contained within the email which will download malware or providing personal information that will be used to make you a victim of identity theft, are nothing new.  They are a staple of identity thieves and scammers and with good reason because they work.  As always, they lure you by making it appear that there is an emergency that requires your immediate attention or else dire consequences will occur.  Here is a copy of a new phishing email that appears to come from Bank of America that is presently circulating.  This particular one came with particularly good looking graphics and a Bank of America logo, but it is a scam.  DO NOT CLICK ON THE LINK.

http://
Online Banking Alert
Unauthorized Sign-In
As part of our security measures, during our system regularly scheduled account maintenance and verification procedures, we have detected a slight error in your online banking information. Our system requires account verification for more security and protection to your account.

To confirm this verification log into Online Banking and update your information.

Once you have verified your records, your Account Services will not be interrupted and will continue as normal.
Security Checkpoint: This email includes a Security Checkpoint. The information in this sectionnlets you know this is an authentic communication from Bank of America.
Bank of America, N.A. Member FDIC. Equal Housing Lenderhttp://
© 2016 Bank of America Corporation. All rights reserved.

TIPS

An indication that this is a phishing email is that the email address from which it was sent had nothing to do with Bank of America, but most likely was from a computer that was part of a botnet of computers hacked into and controlled remotely by the scammer.  In addition, legitimate emails from your bank would include the last four digits of your account.  This email does not use the customer’s name or account number anywhere in the email.  As with all phishing emails, two things can happen if you click on the links provided.  Either you will be sent to a legitimate looking, but phony webpage where you will be prompted to input personal information that will be used to make you a victim of identity theft or, even worse, merely by clicking on the link, you will download keystroke logging malware that will steal all of your personal information from your computer and use it to make you a victim of identity theft.  If you receive an email like this and think it may possibly be legitimate, merely call your bank at a telephone number that you know is accurate and you will be able to confirm that it is a scam.

Scam of the day – December 31, 2015 – American Express phishing email scam

Phishing emails, by which scammers and identity thieves attempt to lure you into either clicking on links  or downloading attachmentscontained within the email which will download malware or providing personal information that will be used to make you a victim of identity theft, are nothing new.  They are a staple of identity thieves and scammers and with good reason because they work.  Here is a copy of a new phishing email that appears to come from American Express that is presently circulating.  This particular one is not particularly convincing.   It does not address the person receiving the phishing email by name, but rather by the generic “Dear American Express User.”  In addition, as is common with many scams which often originate out of the country where English may not be the first language of the scammer, the grammar is not good.

“Dear American Express User,

During our server routine  update we noticed you enter wrong detail. We implore you

to download the attached file  to re-verify your details.

NOTE: You are strictly advised to match your information correctly to avoid service suspension.

Thank you for your continued Card Membership

Sincerely,

American Express Customer Care”

TIPS

An indication that this is a phishing email is that the email address from which it was sent had nothing to do with American Express, but most likely was from a computer that was part of a botnet of computers controlled remotely by the scammer.   As with all phishing emails, two things can happen if you click on the links or download the attachments provided.  Either you will be sent to a legitimate looking, but phony webpage where you will be prompted to input personal information that will be used to make you a victim of identity theft or, even worse, merely by clicking on the link, you will download keystroke logging malware that will steal all of your personal information from your computer and use it to make you a victim of identity theft.  If you receive an email like this and think it may possibly be legitimate, merely call American Express at the telephone number found on the back of your card and you will be able to confirm that it is a scam.

Scam of the day – December 9, 2015 – Is the letter you received from OPM real or a scam?

As you all know by now and as I first reported to you in 2014 and again last summer, the federal Office of Personnel Management (OPM) was hacked by Chinese hackers who stole personal information of more than 21 million present and former federal employees as well as non-employees whose information was gathered by the OPM during the course of background investigations of federal employees.  In October, the OPM began notifying victims of the massive data breach about the identity theft protection services the government will make available to them for the next three years.  The notification process is taking about three months with many notification letters only recently having been sent.  I have been contacted by clients of mine inquiring as to whether the notices they received are real.   It is important to remember that the official notice is only being sent by regular mail.  No email notices will be sent so if you get an email that purports to be from the OPM, it is a scam.   The federal government has chosen Identity Theft Guard Solutions to provide  three years of identity theft protection to victims. In the notification letter you are urged to contact the OPM’s security website to enroll in the free identity monitoring program and you are provided a PIN to use in order to enroll.

Identity thieves have been copying the letter and changing the website address where you are directed to go to enroll in the identity theft protection services, directing people to a phony website where they will be prompted to provide personal information purportedly to enroll in the program.  If you provide personal information to these scammers, you will end up a victim of identity theft.  Here is a link to the official website for enrolling in the credit monitoring services being offered by the OPM:  https://www.opm.gov/cybersecurity/#Services

Once there you will be prompted to input your PIN and only the last four digits of your Social Security number.

TIPS

If you were a victim of the OPM data breach, you should be on the lookout for a notification letter with information about how to apply for benefits under the program.  The OPM is only notifying people by regular mail.  If you have been notified by email, text message or telephone, the notice is a scam and you should ignore it.  Even if you receive a letter, you should make sure that the web address you go to is accurate.  For convenience, you can use the web address I have indicated above.  In any event, remember, the legitimate website will not ask for your complete Social Security number.  It is important to remember that no identity theft protection company can prevent you from becoming a victim of identity theft.  The best they can do is notify you earlier that you have become a victim.    In fact, the OPM is offering these services a year after the data breach actually occurred so the danger of identity theft has increased.   None of the identity theft protection companies help you with the one best step you can take to protect yourself from identity theft which is to put a credit freeze on your credit report.  With a credit freeze on your credit report, even if someone has your personal information including your Social Security number, they cannot access your credit report for purposes of gaining credit or loans in your name.  You can find information about how to put a credit freeze on your credit reports at each of the three major credit reporting agencies by going to the Archives section of Scamicide and putting in the words “credit freeze.”

Scam of the day – December 1, 2015 – Email security update scam

Today’s Scam of the day comes from the inbox for my own email.  It is a common phishing scam that attempts to lure the victim into clicking on a link contained in the email.  If the intended victim clicks on the link, he or she will unwittingly download keystroke logging malware that will enable the scammer to steal all of the personal information from your computer or smartphone and use it to make you a victim of identity theft.  This particular phishing email follows a common pattern at educational institutions or businesses where the email is made to appear as if it originated with your school’s or company’s IT department requiring you to verify your account in order to continue to use your email account. It appears to be legitimate, but it is not. Here is a copy of the email.  DO NOT CLICK ON THE LINK.

“To All Faulty\Staff
We currently upgraded our Server to 50GB inbox space. Please verify your account to validate E-space.
​Your emails won’t be delivered by our server, unless email account is verified. Protecting your email account is our primary priority. For account verification  Click on Outlook Web Access
should you have any questions please contact the IT Helpdesk.
INSTITUTE OF EDUCATION.
Copyright ©2015 ITS Help Desk.”
TIPS
Whenever you receive an email or a text message, you can never be sure who is actually sending you the email or text message.  Even if the email address of the sender is one that you know is from someone or some company you know, their email account may have been hacked and being used by the hacker to send out phishing emails.  It is just too risky to click on a link in any email or text message until you have independently confirmed that it is legitimate and, of course, you should always keep your anti-virus and anti-malware software up to date with the latest patches on all of your electronic devices, however, it is important to remember that you cannot totally depend on your security software because the best security software is always at least thirty days behind the newest malware.