Scam of the day – April 5, 2017 – iCloud phishing scam

Reports are surfacing of scammers posing as Apple employees calling people and telling them that there has been a security breach of their iCloud accounts.  They are then instructed to provide their login information in order to receive help in fixing the problem.  Unfortunately, these telephone calls are not from Apple, but from scammers who, when provided with the personal information from their victim, are able to access all of the information and material contained in the victim’s iCloud account for purposes of identity theft, extortion or other nefarious goals.

It was through a similar iCloud phishing scam done through emails that many celebrities including Jennifer Lawrence had nude photos stolen from their iCloud accounts when they turned over their usernames and passwords to hackers.

In the present phone call phishing incarnation of the scam, many of the calls are coming from the 844 area code which is a toll free number used in many instances by scammers.

TIPS

Apple does not contact its customers by phone if there is a security problem.  It is also important to remember that whenever you are contacted by telephone, you can never be sure who is actually making the call which is why you should never provide personal information to anyone over the phone whom you have not called.  Even if your Caller ID indicates the call is legitimate, scammers can use a technique called spoofing to trick your Caller ID into indicating that the call is from a trusted source when, in truth, it is coming from a scammer.

If you do have a problem with any Apple product, you can call Apple tech support at 800-275-2273.

Scam of the day – February 17, 2017 – Company hit twice by W-2 scam

Income tax identity theft is a multibillion-dollar problem that costs the government and, by extension, us, the taxpayers, billions of dollars each year while tremendously inconveniencing the individual taxpayers whose identities are stolen, as it generally takes the IRS months to fully investigate each instance of identity theft and send to the victimized taxpayer his or her legitimately owed tax refund.  Armed with a potential victim’s name and Social Security number, it is a simple matter for an income tax identity thief to file a phony return with a counterfeit W-2 to obtain a fraudulent income tax refund.

I have been warning you for a year about identity thieves tricking companies into providing employee W-2s to them.  These stolen W-2s contain all of the information the identity thieves need to file a fraudulent income tax return.  The scam works by sending phishing emails to HR and accounting departments within companies often posing as the CEO of the company or someone else in upper management requesting copies of all employee W-2s under various guises.  Other times, payroll management companies have been targeted using the same type of phishing emails.  In some instances, the phishing emails have been recognized as scams, but in other instances, companies have unwittingly handed over thousands of W-2s to clever identity thieves.

This scam continues to plague companies both big and small and recently, Monarch Beverage, Indiana’s biggest beer and wine distributor acknowledged that not only had it recently become a victim of this scam turning over W-2s of more than 600 employees to identity thieves, but that in the course of its investigation into the matter, it had been victimized last year by the same scam.

TIPS

All companies have got to do a better job of training employees to recognize phishing emails and installing anti-phishing software programs.  In addition, dual factor authentication should be used before transmitting sensitive data to make sure that the person to whom the material is being sent is really who they represent they are.  These same lessons that apply to companies also apply to all of us as individuals, as well.  Phishing is done to steal the identities and information of unwary individuals every day and the best way to protect yourself is to start with remembering my motto, “trust me, you can’t trust anyone.”  Never provide personal information to anyone who asks for it by phone, text message or email unless you have absolutely confirmed that the request is legitimate and the person or company requesting the information has a legitimate need for the information.  Never click on links or download attachments from emails or text messages unless you have confirmed they are legitimate because those links and attachments could contain keystroke logging malware that can steal all of the information from your computer and use it to make you a victim of identity theft.  Finally, keep all of your electronic devices including your smartphone up to date with the latest security software patches.

Scam of the day – February 5, 2017 – WhatsApp phishing scam

WhatsApp is a mobile messaging app for your smartphone that allows you to send text messages, photographs, videos and audio.  With more than a billion people using WhatsApp, it is not surprising that it has become attractive to scammers seeking to use its popularity to lure people into becoming scam victims.   I have reported to you for years about the various scams targeting WhatsApp users.    The most recent WhatsApp scam starts with an email reproduced below that appears to be from WhatsApp requiring you to click on a link to receive a message. DON’T CLICK ON THE LINK.   Although it looks legitimate, it is a scam with the first indication of this being the email address sending the message is an address that has nothing to do with WhatsApp.  Most likely it is from an innocent victim whose computer has been hacked and made a part of a botnet to send out malware.   If you click on the link you will end up downloading keystroke logging malware that can steal the information from your smartphone to be used to make you a victim of identity theft.

WhatsApp
New voice mail.
Information
Feb 2 10:01 PM
05 sec
Listen

TIPS

Never click on a link in an email or text message until you have independently confirmed that it is legitimate.  The risk of downloading malware is too great.  Even if your computer or other electronic device is protected with anti-virus and anti-malware security software, the best security software is always at least thirty days behind the latest malware. Trust me, you can’t trust anyone when it comes to clicking on links.  Even if the link is contained in a communication that appears to come from a person or company you trust, you should always verify that it is legitimate before clicking on the link.

Scam of the day – January 31, 2017 – Apple phishing scam

Phishing emails, by which scammers and identity thieves attempt to lure you into either clicking on links contained within the email which download malware or  trick you into providing personal information that will be used to make you a victim of identity theft, are nothing new.   They are a staple of identity thieves and scammers and with good reason because they work.

Reproduced below is a copy of an Apple phishing email that uses the common ploy of indicating that there is a security problem that requires you to verify personal information for security purposes.  There are a number of telltale flaws in this particular email.  Although the email address from which it was sent appears to be legitimate, upon closer examination you can determine it is not an official email address of Apple.  Also, although the email is quite short, it contains numerous grammatical errors.  In addition, the salutation reads “Dears” rather than “Dear” and the email concludes with “Worm regards” rather than “Warm regards.”  Most telling, the email is not directed to you by name and does not contain your account number.  It is important to remember that the fact that the email contains the exact Apple logo, which is not reproduced below, does not mean that the communication is legitimate.  It is easy to obtain a copy of the logo on the Internet.

“Dears,
Your AppIe id was used in from an unauthorized computer.
As the new protection policy has been followed, we have no choice but to put your id on hold.We advise you to update your id soon to avoid permanent account closing.
your code is 4M7801DLLA16A
Update Now >
Wondering why you got this email?
It’s sent when someone adds or changes a contact email address for an AppIe ID . If you didn’t do this, don’t worry. Your email address cannot be used as a contact address for an AppIe ID without your verification.
Worm Regards,
AppIe Team”

TIPS

Obviously, if you do not have an account with Apple, you know that this is a phishing scam, but even if you do have an account with Apple, as I indicated above there are a number of indications that this is not a legitimate email from Apple, but instead is a phishing email.  Legitimate companies would refer to your specific account number in the email.  They also would specifically direct the email to you by your name.  This email’s salutation is a generic “Dears” with an “s” that should not be there.

As with all phishing emails, two things can happen if you click on the links provided.  Either you will be sent to a legitimate looking, but phony webpage where you will be prompted to input personal information that will be used to make you a victim of identity theft or, even worse, merely by clicking on the link, you may download keystroke logging malware that will steal all of your personal information from your computer or smartphone and use it to make you a victim of identity theft.  If you receive an email like this and think it may possibly be legitimate, merely call the customer service number  for Apple where you can confirm that it is a scam.

Scam of the day – October 31, 2016 – Amazon phishing email

A new phishing email is presently being circulated that attempts to lure you into clicking on links and providing personal information that can be used to make you a victim of identity theft.  Alternatively, merely by clicking on the links in some phishing emails, you may unwittingly download malware that will steal personal information from your computer or other device and use it to make you a victim of identity theft.  Even if you have the most updated versions of security software protecting your computer, laptop or smartphone, you may not be protected from zero day exploits, which is the name for the latest malware targeting vulnerabilities that have not yet been protected against by your security software.  It generally takes up to a month for the security software companies to provide patches for the latest strains of malware.

TIPS

In regard to this particular phishing email, there are a number of telltale signs that indicate that it is a scam.  Although the graphics are excellent, the email is not directed to you personally, but rather uses the generic salutation of “Dear Amazon.com Customer.”  In addition, there are numerous grammatical errors that could be attributable to the scammer possibly not having English as his or her primary language.  Also, the email address from which the email was sent was not from Amazon, but from an unrelated individual.  Most likely the email address used was that of another victim whose computer was hijacked and used as a part of a botnet to spread the phishing emails.  Of course, the best course of action is to never click on links or provide information in response to emails or text messages unless you have absolutely confirmed that the request is legitimate.  In this case, a quick telephone call to Amazon would have resulted in your quickly learning that the email was a scam.

Scam of the day – December 8, 2015 – USAA phishing email

People are reporting a new scam in which you receive a phishing email that purports to be from USAA, the insurer of millions of members of the military as well as many veterans, telling you that you need to click on links in the email in order to view important documents.   Like many phishing emails, the scammer tries to convince you into thinking you must click on a link and provide personal information or suffer dire consequences when the truth is that if you click on the link or provide personal information, you will become a victim of identity theft as the identity thief will use the information you provide to make you a victim of identity theft.  Alternatively, merely by clicking on the link provided in the email, you may download keystroke logging malware that will enable the identity thief to steal all of the information in your computer, laptop or other device and use that information to make you a victim of identity theft.  Here is a copy of the new email that is presently circulating.  DO NOT CLICK ON THE LINKS.  As phishing emails go, this one is pretty convincing and includes a copy of the USAA logo which is easy to copy and include in an email.

 

 

“View Accounts | Privacy Promise | Contact Us

Dear User,

You have new documents on usaa.com. Log on to view your documents.  If you don’t want to receive this e-mail notification when your new documents are posted to usaa.com, you can change your preferences.
View Your Documents

Thank you,
USAA
P.S. Texting and driving … it can wait. Take the pledge to never text and drive.”

TIPS

Frankly, whenever you get an email, you can never be sure who is really sending it to you.  Obviously, if you receive this email and you do not have an account with USAA, you know it is a scam.  However, if you receive something like this that appears to come from a company with which you do business, you should still not click on any links contained in the email unless you have independently confirmed with the company that the email is legitimate.  Remember, even paranoids have enemies.

Scam of the day – November 4, 2015 – Online gaming scam

The community of online video gamers is large with many of these people involved in multiplayer online games.  A scam presently targeting these online gamers starts with an email that appears to come from the gaming company threatening to sue the person receiving the email for as much as $2,700 for what it claims is the illegal selling of the intended victim’s online character or virtual goods for real money.  The email also threatens the immediate suspension of the gamer’s online account.  Then comes the hook.  If you want to check the status of your account or challenge the impending suspension, you are told to click on a link and provide information on a verification page.  The verification page will ask for personal information such as your account number and your credit card number.  Of course, once the victim has provided this information to the scammer, it will be used to turn the gamer into the victim of identity theft.

TIPS

These emails can look quite legitimate and often carry the logo of real online gaming companies.  However, it is important to remember that counterfeiting a logo is as simple as going to Google images and making a copy of the company logo.

So how can you tell, just by looking at it, whether an email or text message that asks you to click on a link or provide personal information is legitimate?  The simple answer is you can’t, so don’t even bother to try.  Instead, if you think it may be legitimate, merely contact the company from which the email or text message appears to come at a number you know to be legitimate.  Don’t use the telephone number provided in the email or text message.

Scam of the day – July 13, 2015 – Chase Bank email scam

Today’s Scam of the day again comes directly from my own email.  It appears to be an email from Chase Bank informing me that there are problems with my online banking account that require me to click on a link to correct the urgent problem.  This is a typical phishing email scam by which you are lured into clicking on a link that will either download keystroke logging malware on to your computer and enable the scammer to steal your data and use it to make you a victim of identity theft or entice you into providing the personal information yourself on a phony intake form.  Again, the information will be used to make you a victim of identity theft.

Reproduced below is a copy of the email that I received.  DO NOT CLICK ON THE LINK.  What the copy does not show is the email address from which the message (not “massage,” spelling errors are a good indication of a scam email;  apparently scammers are either bad spellers or bad proof readers) was sent.  It was sent by chasemoorgain#@outlook.com.  If you look quickly at the email address, you might not notice the misspelling of “morgan.”  Other than the misspelling, the email looks pretty legitimate, which is why it often is hard to tell a phishing email from a legitimate email.

Massage from Customer Service

Dear Chase Online(SM) Customer

We have detected irregular activity on your account. For your protection, you must verify this activity before you can continue using your account.

Please visit Online Banking to review and verify your account to remove any restrictions placed on your account.

Linked E-mail:

We are here to assist you anytime. Your account security is our priority. Thank you for choosing Chase.
Sincerely,
Chase Fraud Department
2015 JPMorgan Chase & Co

TIPS

For me, in addition to the email address sending it and the misspelling of “message,” a big indicator to me that this is a phishing email scam is the fact that I don’t have an online bank account with Chase.  However, if someone receiving such an email did have an online account with Chase, they might be tempted to click on the link or provide the information purported to be necessary to regain access to their account.  But trust me, you can’t trust anyone.  So if you receive such an email and you think it might be legitimate, do not click on links in the email or provide personal information.   Rather call the company at a telephone number that you know is legitimate to confirm whether or not the email was a scam.

Scam of the day – July 12, 2015 – New Amazon email scam

Copied below is an email currently being circulated that is a good example of a social engineering phishing email designed to either get you to provide personal information or to click on a link that will download keystroke logging malware on your computer that will result in your data being stolen and used to make you a victim of identity theft.  The email appears to be an email from Amazon indicating that there is a problem with your account.  In order to remedy the problem, you are prompted to click on a link and either provide the requested personal information or just by clicking on the link you may unwittingly download the keystroke logging malware.  This type of phishing email is so effective because it looks so legitimate.  It also has a higher chance of being effective merely because so many people who receive it will indeed be Amazon customers.

Here is a copy of the email:  DO NOT CLICK ON THE LINK.

Amazon

Confirm your Amazon account.

Hello ,

We were unable to process your most recent payment. Did you recently change your bank, phone number or credit card?.
To ensure that your service is not interrupted, please update your billing information today.

Or contact Amazon Member Services Team. We’re available 24 hours a day, 7 days a week.
If you have recently updated your billing information, please disregard this message as we are processing the changes you have made.

f you need further assistance with your order.

Sincerely,
Amazon

This email was sent by an automated system, so if you reply, nobody will see it. To get in touch with us, log in to your account and click “Contact Us” at the bottom of any page.

Copyright © 2014 amzon, Inc. All rights reserved. amzon is located at 2211 N. First St., San Jose, CA 95131.

TIPS

There are a number of telltale signs that this is a scam.  First and foremost, the email address from which it was sent has no relation to Amazon.  Also, the salutation does not refer to the person receiving the email by name.  Finally, there are some misspellings and typographical errors in the email.  However, the quality of this phishing email certainly is good, which is why it is so dangerous.  The key to avoiding becoming a victim of this type of social engineering phishing scam is to follow my motto, “trust me, you can’t trust anyone.”  Never click on a link or provide personal information unless you have absolutely confirmed that the email or text message received by you is legitimate.  In this case, if you had any thought that the email might be legitimate, you should contact Amazon directly at an email address or telephone number that you know is accurate.  Don’t respond to phone numbers or email addresses contained in the email itself.
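The telltale signs listed in the Apple, Chase and Amazon posts above (a sender address unrelated to the brand, a generic salutation, and near-miss brand spellings such as “AppIe” and “amzon”) can be checked mechanically when triaging reported mail. The following Python is an added example, not part of the original posts; the domain allow-list, the flag names, the similarity cutoff and two of the three sender addresses are assumptions made for illustration.

```python
import re
from difflib import get_close_matches

# Assumed allow-list of legitimate sending domains per brand (illustrative only).
BRAND_DOMAINS = {"apple": {"apple.com"}, "amazon": {"amazon.com"}, "chase": {"chase.com"}}
# Look-alike characters, e.g. the capital "I" standing in for "l" in "AppIe".
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "0": "o"})
GENERIC_SALUTATION = re.compile(
    r"^\s*(dears\b|dear\s+(?:\S+\s+){0,3}(?:user|customer|member)\b|hello\s*,)",
    re.IGNORECASE | re.MULTILINE,
)


def on_allow_list(domain, brand):
    """True if domain is an allowed domain for brand, or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in BRAND_DOMAINS[brand])


def brand_mentions(text):
    """Return (brands the text claims, flags for near-miss brand spellings)."""
    claimed, flags = set(), set()
    for word in set(re.findall(r"[A-Za-z0-9]+", text)):
        lower, skeleton = word.lower(), word.translate(CONFUSABLES).lower()
        if lower in BRAND_DOMAINS:          # exact, correctly spelled brand name
            claimed.add(lower)
            continue
        if skeleton in BRAND_DOMAINS:       # brand name spelled with look-alike chars
            near = [skeleton]
        elif len(lower) >= 5:               # close misspelling, e.g. "amzon"
            near = get_close_matches(lower, list(BRAND_DOMAINS), n=1, cutoff=0.85)
        else:
            near = []
        for brand in near:
            claimed.add(brand)
            flags.add(f"lookalike:{word}->{brand}")
    return claimed, flags


def analyze(sender, body):
    """Return the sorted indicator flags for one message."""
    local, _, domain = sender.lower().rpartition("@")
    claimed, flags = brand_mentions(body)
    for brand in BRAND_DOMAINS:
        if on_allow_list(domain, brand):
            continue
        if brand in claimed:                # message claims a brand the sender is not
            flags.add(f"sender-domain-mismatch:{brand}")
        if brand in local:                  # brand name stuffed into the mailbox name
            flags.add(f"brand-in-local-part:{brand}")
    if GENERIC_SALUTATION.search(body):
        flags.add("generic-salutation")
    return sorted(flags)


# Bodies are excerpts of the emails quoted on this page. Only the Chase sender
# address appears on the page; the other two senders are constructed placeholders.
APPLE = ("security@apple-id.example", "Dears,\nYour AppIe id was used in from an "
         "unauthorized computer.\nWorm Regards,\nAppIe Team")
CHASE = ("chasemoorgain#@outlook.com", "Massage from Customer Service\nDear Chase "
         "Online(SM) Customer\nWe have detected irregular activity on your account.")
AMAZON = ("someone@unrelated.example", "Confirm your Amazon account.\nHello ,\nWe were "
          "unable to process your most recent payment.\nCopyright 2014 amzon, Inc. "
          "All rights reserved.")

if __name__ == "__main__":
    for name, msg in (("apple", APPLE), ("chase", CHASE), ("amazon", AMAZON)):
        print(name, analyze(*msg))
```

Flags from a check like this are a reason to quarantine or escalate a message; a message that raises none still has to be confirmed with the company through a contact you already know to be legitimate.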