Posts Tagged: ‘Phishing’

Scam of the day – August 26, 2015 – Bank of America security message scam

August 26, 2015 Posted by Steven Weisman, Esq.

This is another phishing scam that is making the rounds these days.  It appears to be a legitimate email from Bank of America informing you that, due to upgrades being done to the Bank of America computer systems, you must confirm personal account information in order to maintain your account.  Of course, if you click on the link contained in the email, you will only succeed in either unwittingly downloading keystroke logging malware that will steal your personal information from your computer and use it to make you a victim of identity theft, or you will be sent to another website that prompts you to provide your personal information directly, which will then be used to make you a victim of identity theft.  Either way you lose.  Here is a copy of the email presently being circulated:

“Member:

We need you to confirm your Bank of America account due to our new upgrading. It is mandatory that you confirm your details through our secure link below.

CONNECT
Thank you for your co-operation.
Bank of America Admin
Copyright © 2015 BOA Inc.”

TIPS

There are a number of ways to know that this is a phishing scam.  First of all, if you are not an account holder at Bank of America, you can rest assured that the email is a scam.  Unfortunately, there are so many Bank of America account holders that the scammers just send out the email in large numbers, hoping to reach Bank of America customers among the random people who receive it.  The email address from which it was sent was not that of Bank of America, but rather that of a private individual whose email account was hacked, taken over and made part of a botnet to send these emails in large numbers.  Because you can never be sure whether an email that asks you to provide personal information is legitimate, the best thing to do is to remember my motto, “trust me, you can’t trust anyone,” and confirm whether it is legitimate by calling the real company, in this case Bank of America, to learn whether or not the email is phony.  Chances are, you will be told that it is a scam.

Scam of the day – August 15, 2015 – Paypal email phishing scam

August 14, 2015 Posted by Steven Weisman, Esq.

Today’s Scam of the day comes directly from my own email and I am sure it has turned up in yours as well.  PayPal is a popular payment service used by many people, particularly with eBay.  Therefore it can seem plausible when you receive an email that purports to come from PayPal asking you to update your credit card information.  However, anyone responding to the email copied below would either end up providing credit card information to an identity thief or, merely by clicking on the link, could download keystroke logging malware that will steal the information from your computer and use it to make you a victim of identity theft.  DO NOT CLICK ON THE LINK.

“Account User,

The credit card in your account has expired; you are required to update your payment method to keep your account active.

Rectify payment method today by following the link below:

https://www.paypal.com/ca/cgi-bin/webscr?cmd=_add%id3752891

You can always add a new card

Sincerely,
PayPal”

This particular phishing email is not particularly sophisticated.  It comes from an email address of a private person rather than that of PayPal.  The address used is most likely that of someone whose email account and computer were hacked so that the identity thief could send out these phishing emails in mass quantities.  It is not addressed to me personally, no logo of the company appears anywhere in the email and the language of “rectify payment” is somewhat inappropriate.  It is a pretty amateurish attempt.

TIPS

The primary question we all face when we receive such an email asking for credit card information or other personal information that may appear to be legitimate is how we know whether to trust it.  The answer is, as I always say, trust me, you can’t trust anyone.  Regardless of how legitimate such emails appear, you should not provide any personal information until you have independently verified, by a phone call or by email to an address that you know is accurate, that the request for personal information is legitimate.

Scam of the day – August 13, 2015 – Nine charged with hacking and securities fraud

August 12, 2015 Posted by Steven Weisman, Esq.

Earlier this week, five Americans and four Ukrainians were indicted in the largest hacking and securities fraud enterprise in American history.  The nine defendants are made up of rogue stock traders, including hedge fund manager and former Morgan Stanley employee Vitaly Korchevsky, along with four computer hackers based in the Ukraine.  The hackers used simple phishing tactics to gain access to more than 150,000 press releases issued by Marketwired, PR Newswire in New York and Business Wire of San Francisco on behalf of numerous American companies, including Panera, Caterpillar, Inc. and Align Technology, that contained earnings and other corporate information prior to their public release.  This enabled the stock traders to make trades based on this inside information before it became known to the public.  It is estimated that between 2010 and 2015, the defendants made profits of 100 million dollars on 800 trades.

TIPS

One of the biggest takeaways from this case is how easy it still is to use phishing emails to lure people into clicking on links tainted with malware that permits hackers to steal a person’s or company’s data.  Apparently corporations still have not learned to train their employees to recognize phishing emails, nor have they learned to encrypt and segregate sensitive data from hackers.  This lesson is one that each of us as individuals should also learn in our own lives, because identity thieves and hackers use the same phishing technique to steal the identities of individual victims.  Never click on links in emails, regardless of from whom they appear to come, unless you are absolutely sure that the link is legitimate.  It could well contain keystroke logging malware that will steal all of the information from your computer.  Also, it is important to remember that you cannot rely on your anti-malware software to protect you, because the best anti-malware software is always at least a month behind the latest malware.

Scam of the day – August 5, 2015 – Free scan for Hacking Team vulnerabilities

August 5, 2015 Posted by Steven Weisman, Esq.

Following the embarrassing hacking and data breach at the Italian spyware company Hacking Team, which sells spyware to governments, it has been learned that the release of the 400 gigabytes of files, source code and emails stolen and made public has enabled hackers and identity thieves to use that information to construct malware exploiting the vulnerabilities uncovered, creating zero day exploits, which are malware for which no security patches have yet been developed.  These zero day exploit kits are presently being sold on the black market to hackers and identity thieves around the world.

Now Rook Security, a computer security company, is offering a free scan that can identify whether your computer has already been infected by one of these new malware programs.  Here is the link to their website and the free scan:  https://www.rooksecurity.com/hacking-team-malware-detection-utility/

TIPS

Everyone should make sure that all of their computers, smartphones and electronic devices are protected by anti-malware and anti-virus software and that their security software is constantly and automatically updated with the latest security updates.  The failure to update security software when new vulnerabilities are discovered and patched is a major factor in many data breaches and identity thefts.  In addition, the primary way that most data breaches and identity thefts using malware are accomplished is through phishing, where victims are lured into clicking on links in emails and text messages that deliver malware.  The lesson is clear.  Don’t click on links unless you are absolutely sure that they are legitimate.

Scam of the day – July 13, 2015 – Chase Bank email scam

July 13, 2015 Posted by Steven Weisman, Esq.

Today’s Scam of the day again comes directly from my own email.  It appears to be an email from Chase Bank informing me that there are problems with my online banking account that require me to click on a link to correct the urgent problem.  This is a typical phishing email scam by which you are lured into clicking on a link that will either download keystroke logging malware onto your computer and enable the scammer to steal your data and use it to make you a victim of identity theft, or entice you into providing the personal information yourself on a phony intake form.  Again, the information will be used to make you a victim of identity theft.

Reproduced below is a copy of the email that I received.  DO NOT CLICK ON THE LINK.  What the copy does not show is the email address from which the message (not “massage,” spelling errors are a good indication of a scam email; apparently scammers are either bad spellers or bad proofreaders) was sent.  It was sent by chasemoorgain#@outlook.com.  If you look quickly at the email address, you might not notice the misspelling of “morgan.”  Other than the misspelling, the email looks pretty legitimate, which is why it often is hard to tell a phishing email from a legitimate email.

Massage from Customer Service

Dear Chase Online(SM) Customer

We have detected irregular activity on your account. For your protection, you must verify this activity before you can continue using your account.

Please visit Online Banking to review and verify your account to remove any restrictions placed on your account.

Linked E-mail:

We are here to assist you anytime. Your account security is our priority. Thank you for choosing Chase.
Sincerely,
Chase Fraud Department
2015 JPMorgan Chase & Co

TIPS

For me, in addition to the email address sending it and the misspelling of “message,” a big indicator to me that this is a phishing email scam is the fact that I don’t have an online bank account with Chase.  However, if someone receiving such an email did have an online account with Chase, they might be tempted to click on the link or provide the information purported to be necessary to regain access to their account.  But trust me, you can’t trust anyone.  So if you receive such an email and you think it might be legitimate, do not click on links in the email or provide personal information.  Rather, call the company at a telephone number that you know is legitimate to confirm whether or not the email was a scam.

Scam of the day – July 12, 2015 – New Amazon email scam

July 12, 2015 Posted by Steven Weisman, Esq.

Copied below is an email currently being circulated that is a good example of a social engineering phishing email designed either to get you to provide personal information or to get you to click on a link that will download keystroke logging malware onto your computer, resulting in your data being stolen and used to make you a victim of identity theft.  The email appears to be from Amazon, indicating that there is a problem with your account.  In order to remedy the problem, you are prompted to click on a link and provide the requested personal information, or you may unwittingly download the keystroke logging malware just by clicking on the link.  This type of phishing email is so effective because it looks so legitimate.  It also has a higher chance of being effective merely because so many people who receive it will indeed be Amazon customers.

Here is a copy of the email:  DO NOT CLICK ON THE LINK.

Amazon

Confirm your Amazon account.

Hello ,

We were unable to process your most recent payment. Did you recently change your bank, phone number or credit card?.
To ensure that your service is not interrupted, please update your billing information today.

Or contact Amazon Member Services Team. We’re available 24 hours a day, 7 days a week.
If you have recently updated your billing information, please disregard this message as we are processing the changes you have made.

f you need further assistance with your order.

Sincerely,
Amazon

This email was sent by an automated system, so if you reply, nobody will see it. To get in touch with us, log in to your account and click “Contact Us” at the bottom of any page.

Copyright Å  2014 amzon, Inc. All rights reserved. amzon is located at 2211 N. First St., San Jose, CA 95131.

TIPS

There are a number of telltale signs that this is a scam.  First and foremost, the email address from which it was sent has no relation to Amazon.  Also, the salutation does not refer to the person receiving the email by name.  Finally, there are some misspellings and typographical errors in the email.  However, the quality of this phishing email certainly is good, which is why it is so dangerous.  The key to avoiding becoming a victim of this type of social engineering phishing scam is to follow my motto, “trust me, you can’t trust anyone.”  Never click on a link or provide personal information unless you have absolutely confirmed that the email or text message received by you is legitimate.  In this case, if you had any thought that the email might be legitimate, you should contact Amazon directly at an email address or telephone number that you know is accurate.  Don’t respond to phone numbers or email addresses contained in the email itself.
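The telltale signs the PayPal, Chase and Amazon posts above point to (a sender address that is not the company's, a brand name smuggled into a lookalike address such as chasemoorgain, a salutation that names no one, and misspellings like “Massage” and “amzon”) can be checked mechanically before anyone clicks.  The Python triage script below is an added example, not code from this blog; the table of legitimate brand domains, the webmail list and the three sample messages are all constructed for the example.

```python
import email
import email.utils
from email import policy

# Brands named in the posts and the sender domains assumed legitimate for each
# (an assumption for this example, not a list taken from the blog).
BRAND_DOMAINS = {
    "bank of america": {"bankofamerica.com"},
    "paypal": {"paypal.com"},
    "chase": {"chase.com", "jpmorganchase.com"},
    "amazon": {"amazon.com"},
}
# Consumer webmail providers; a bank does not send account notices from these.
FREEMAIL = {"outlook.com", "hotmail.com", "gmail.com", "yahoo.com"}
# Openings that name no recipient, as in the quoted emails.
GENERIC_SALUTATIONS = ("member:", "account user", "hello ,", "dear customer",
                       "dear chase online")
# Misspellings and odd phrasing the posts point out ("Massage", "amzon").
SUSPECT_SPELLINGS = ("massage from", "amzon", "rectify payment")


def analyse(raw: str) -> dict:
    """Phishing indicators in one raw RFC 822 message.  From: is trivially
    forged, so this is triage in the spirit of the tips, not authentication."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    flags = []

    _, addr = email.utils.parseaddr(msg.get("From", ""))
    local, _, domain = addr.lower().rpartition("@")
    brands = [b for b in BRAND_DOMAINS if b in text.lower()]  # brands invoked

    for brand in brands:
        if domain in BRAND_DOMAINS[brand]:
            continue
        flags.append(f"sender domain '{domain}' does not belong to {brand}")
        # chasemoorgain@outlook.com: brand name smuggled into a non-brand address
        compact = brand.replace(" ", "")
        if compact in local or compact in domain:
            flags.append(f"'{compact}' embedded in non-{brand} sender address")
    if brands and domain in FREEMAIL:
        flags.append(f"brand notice sent from consumer webmail '{domain}'")
    if any(line.strip().lower().startswith(GENERIC_SALUTATIONS)
           for line in text.splitlines()):
        flags.append("generic salutation, recipient not named")
    haystack = (msg.get("Subject", "") + "\n" + text).lower()
    flags += [f"suspect spelling/phrasing: '{s}'"
              for s in SUSPECT_SPELLINGS if s in haystack]
    return {"suspicious": bool(flags), "flags": flags}


def make_message(sender: str, subject: str, body: str) -> str:
    return f"From: {sender}\nSubject: {subject}\n\n{body}\n"

# Constructed samples modelled on the emails quoted in the posts.
CHASE_SAMPLE = make_message(
    "Chase Fraud Department <chasemoorgain@outlook.com>",
    "Massage from Customer Service",
    "Dear Chase Online(SM) Customer\n\nWe have detected irregular activity on "
    "your account.  For your protection, you must verify this activity.\n\n"
    "Sincerely,\nChase Fraud Department\n2015 JPMorgan Chase & Co")
AMAZON_SAMPLE = make_message(
    "Amazon <billing@update-notice.example>", "Confirm your Amazon account.",
    "Hello ,\n\nWe were unable to process your most recent payment.  To ensure "
    "that your Amazon service is not interrupted, please update your billing "
    "information today.\n\nCopyright 2014 amzon, Inc. All rights reserved.")
LEGIT_SAMPLE = make_message(
    "PayPal <service@paypal.com>", "Receipt for your payment",
    "Dear Steven Weisman,\n\nThis is the receipt for the payment you sent.  "
    "Log in to your PayPal account to see the details.")
```

Running `analyse(CHASE_SAMPLE)` raises all five indicators at once, while the constructed legitimate PayPal receipt raises none; the script only reads headers and body text and never follows a link.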

Scam of the day – July 4, 2015 – Update on hacking of Office of Personnel Management

July 4, 2015 Posted by Steven Weisman, Esq.

It was a month ago that I first reported to you about the hacking of the federal Office of Personnel Management (OPM) in which personal information on anywhere between 4 million and 14 million people was compromised.  The large discrepancy in the number of people who may have been affected by the hacking is due to the fact that although files on 4 million people were accessed, there was information on many millions more within those files.  The risk of identity theft is quite high for those affected by the data breach.  Meanwhile, as they always do, other scammers are taking advantage of people’s legitimate concern about their risk of identity theft and sending out emails that purport to be from the Office of Personnel Management appearing to offer help, when all they really are doing is phishing for personal information that can be used to make the targeted person a victim of identity theft.  OPM has hired CSID, a company that provides identity theft protection and fraud resolution services, which is offering 18 months of free credit report access, credit monitoring, identity theft insurance and recovery services to those people affected by the data breach.  However, be very skeptical of emails that appear to come from CSID offering assistance but asking for information.  CSID’s URL for this purpose is opm.csid.com.  Be particularly wary if you receive an email purporting to be from CSID that is not from that address.  In fact, it is a good idea not to trust any email that asks for personal information without confirming first that it is legitimate.

TIPS

First, if you are one of the millions of people affected by this data breach, I suggest that you go to the OPM’s website for the latest announcements as to the status of the data breach and what you can and should do to protect yourself.  Here is a link to the OPM’s page with the latest information:  http://www.opm.gov/news/latest-news/announcements/

Also, if you are affected by the data breach, here is a link to CSID’s website where you can safely enroll for services: https://www.csid.com/opm/

As for all of us, a good lesson for avoiding the kind of phishing that leads to identity theft: never click on links in emails or text messages or provide information requested in an email or a text message unless you have absolutely confirmed that it is legitimate.  It is easy to send a phony email that looks quite legitimate.

Scam of the day – May 5, 2015 – Data breach at Las Vegas Hard Rock Hotel and Casino

May 5, 2015 Posted by Steven Weisman, Esq.

Fool me once, shame on you; fool me twice, shame on me.  In a repeat of a story we have heard over and over during the last few years, the Hard Rock Hotel and Casino in Las Vegas is notifying its customers of a major data breach at the restaurant, bar and various retail and service stores at its Las Vegas hotel and casino that began on September 3, 2014 and was not discovered and stopped until April 2, 2015.  The data breach did not extend to charges made on credit and debit cards at the casino and hotel itself, nor to some of the other businesses operating there, including Nobu, Affliction, John Varvatos, Rocks, Hart & Huntington Tattoo and Reliquary Spa & Salon.  However, numerous other retail stores and services at the Hard Rock Las Vegas property were affected, with credit and debit card numbers, customer names and CVV codes compromised.  Although we still do not know how the data breach was accomplished or how the malware necessary to accomplish it was planted in the computers of the affected companies, it is reasonable to speculate that the pattern of Target, Home Depot and so many other data breaches was followed here: malware was implanted on the computers of the victim companies through phishing emails, enabling the hackers to steal credit card and debit card information that could be used for fraud and identity theft.  Had the United States broadly adopted the smart card chip technology used throughout the rest of the world instead of the old magnetic stripe technology still used in the United States, this type of data breach would have been of little value to the hackers, but since companies such as those affected here at the Hard Rock continue to use this old technology, they continue to put their customers in danger of identity theft.

Here is a link to a column I wrote about this problem for USA Today in September of 2014 in which I predicted exactly how this would occur.

http://www.usatoday.com/story/money/personalfinance/2014/09/27/hacking-target-home-depot-credit-card/16221427/

TIPS

There is little we, as consumers, can do to convince retailers to move to the more advanced smart credit card chip technology that generates a new number for every transaction, so that a data breach that steals that number would be worthless to an identity thief, who could not use that number for future purchases.  However, until retailers switch to this technology, which is not expected to be widely adopted until October of 2015, the most important thing that we can do as consumers is to refrain from using debit cards for retail purchases, because they do not provide the same level of protection from liability that credit cards do.  We also should regularly review our credit card bills to look for fraudulent purchases and evidence of identity theft so that we can stop the bleeding as quickly as possible.  If you find that your credit card has been compromised, you should contact your credit card issuer immediately, close the account and have the fraudulent charges removed.  Although the law permits credit card companies to hold their customers responsible for up to $50 of fraudulent charges, most companies do not hold their customers responsible for any amount of fraudulent purchases when the fraud is reported promptly.

Scam of the day – May 1, 2015 – FBI warns of cyberthreats to law enforcement officers

May 1, 2015 Posted by Steven Weisman, Esq.

The FBI recently issued a warning to law enforcement personnel and other public officials that they are being targeted by cyberattacks from various hacktivist groups and others who, in many instances, are posting on the Internet large amounts of personal information about their intended targets, which can be used to threaten the security of the targets as well as put them in imminent danger of identity theft.  The trail to this information often starts with the law officers and government officials themselves and their families, who not only have much information about them contained in a myriad of places accessible to the public online, but also put too much information online themselves through social media.

This situation is reminiscent of the Scam of the day from April 2, 2015 in which I told you about an ISIS inspired group that made public personal information about American military personnel.  Although the ISIS aligned group claimed it had hacked into military servers to obtain the information, in fact the information was readily available merely by Googling public information available throughout the Internet.

This activity of exposing personal information of a targeted victim is called “doxing” and it presents a real threat to the security of the people exposed in this manner.  Information such as home addresses, phone numbers, email addresses, photographs and more is not difficult to obtain online, and this information can be used to obtain further information through phishing attacks against the intended victims.

TIPS

Some of the things the FBI is urging law enforcement personnel and public officials to do include refraining from posting photographs on social media that show they are affiliated with law enforcement or other government agencies.  In addition, they should be more cognizant of setting the security settings on all of their computers, smartphones and social media to as strong a setting as possible.  The FBI also advises law enforcement personnel and public officials to limit their use of social media.  In addition, it is a good idea for people who are potential targets to regularly do online searches about themselves to see what information is available about them online.  Finally, they should take the same precautions in regard to personal security as I describe in my book “Identity Theft Alert” that we all should take.  Privacy is an important thing to be protected.

Although the FBI warning was aimed at law enforcement officers and public officials, the same advice, including being extremely careful about the information you make available online through social media and elsewhere, truly applies to us all.