Posts Tagged: ‘security software’

Scam of the day – March 30, 2015 – A new wrinkle on income tax identity theft

March 29, 2015 Posted by Steven Weisman, Esq.

Income tax identity theft is a 5.9 billion dollar problem that the IRS and Congress have still not responded to sufficiently.  Most income tax identity theft involves a criminal filing an income tax return with phony W-2 information using a victim’s Social Security number.  If undiscovered by the IRS, as many of these phony returns are, the IRS sends the refund and the person whose Social Security number was stolen has his or her legitimate income tax return flagged when it comes in as a second income tax return using the same Social Security number.  It often takes many months before the victim is able to get his or her true refund.

But now, a new twist has come to income tax identity theft. Most income tax identity theft, as described above, relies on the identity thief filing an income tax return before the victim files his or her legitimate tax return. Now, however, we are seeing a number of people who file their income tax returns electronically using TurboTax having their refunds stolen after they have electronically filed their legitimate income tax returns.

People who have been victimized by this new type of income tax identity theft all filed electronically and had their electronic filing fees deducted from their refunds. Generally the refunds are deposited with Tax Products Group, a bank owned by the Green Dot Corporation, where the fees are taken out and the balance is sent to a bank account designated by the tax filer. What has been happening is that hackers are breaking into the accounts of their victims and changing the bank account into which the refund is to be deposited. It is not clear yet if the breach of security is with TurboTax, Tax Products Group or the individual taxpayers, although it would appear from the relatively small numbers of people so far affected by this scam that the security breach is with the individual taxpayers, whose own computers were most likely hacked.


Filing income tax returns online through TurboTax and other similar companies is still a safe way to file your taxes.  In response to this problem, TurboTax has already made security changes including requiring users of TurboTax to answer security questions before they are able to access their accounts or refunds.  TurboTax is also considering flagging customers who attempt to change their bank account information.  These are good steps to help stop this type of identity theft, but we have to do our part as well.  Protecting the computers and other electronic devices you use for financial transactions with regularly updated security software and avoiding clicking on links and downloading attachments unless you are absolutely sure that the links or attachments are legitimate are important steps that everyone should take.

Scam of the day – December 31, 2014 – ICANN suffers data breach

December 31, 2014 Posted by Steven Weisman, Esq.

Many of you may not be familiar with the acronym ICANN, which stands for the Internet Corporation for Assigned Names and Numbers; however, everyone is familiar with what they do. ICANN is the international organization that administers all website domain names. ICANN recently disclosed that it had been hacked since November. Fortunately, the extent of the hacking and data breach was minimal and passwords were not stolen since they were maintained in an encrypted manner by ICANN. The hackers did, however, manage to obtain the names, addresses, email addresses and phone numbers of ICANN customers. ICANN is in the process of notifying those people whose data was compromised. The danger posed by this information falling into the hands of scammers is that it can be exploited by a technique called “spear phishing,” where specific people are targeted in emails that appear to be from legitimate sources and are directed to them personally by name. The victim is then more likely to trust that the email is legitimate and be lured into clicking on links contained in the email or text message. Those links contain malware that will enable the scammer to steal the personal information of the victim and use that information to make the person a victim of identity theft.


Remember my motto, “trust me, you can’t trust anyone.”  Regardless of whether an email or text message appears to be legitimate, you should never click on links until you have absolutely confirmed that the message is legitimate and the link is legitimate.  Even if the email or text message is addressed to you personally and appears to come from someone or some business or agency with which you have a relationship, you can never be sure that the communication is legitimate and the risk of downloading keystroke logging malware is too great to trust such communications until you have absolutely confirmed that such communications are legitimate.  Additionally, it is important to keep your anti-malware and anti-virus software up to date remembering that your security software will always be at least a month behind the latest malware threats.

Scam of the day – December 9, 2014 – Banks win first round in Target lawsuit

December 9, 2014 Posted by Steven Weisman, Esq.

Last year’s massive data breach at Target was the first of a series of data breaches that continue unabated to this day with no end in sight. While millions of Target customers were inconvenienced by the theft of their credit card or debit card information, banks that issued those cards and had to replace them suffered financial losses involved with replacing the stolen cards as high as 400 million dollars. Five of these banks, Umpqua Bank, Mutual Bank, Village Bank, CSE Federal Credit Union and First Federal Savings, filed a class action in federal court on behalf of themselves and other affected banks seeking payment from Target for the losses they incurred as a result of the Target data breach. Target responded to the lawsuit by filing a Motion to Dismiss, arguing that it was not responsible for the data breach. However, Judge Paul A. Magnuson, in denying Target’s motion, ruled that there was sufficient evidence of Target’s negligence to warrant a trial. Specifically, the judge said that Target ignored security software program alerts that there was a problem and also actually disabled some of its own security features, which contributed to the data breach. According to Judge Magnuson, “Plaintiffs have plausibly alleged that Target’s conduct both caused and exacerbated the harm they suffered.”


The importance of this early ruling in the case of the banks against Target cannot be overestimated.   While in the past retailers were not held responsible for the occasional data breach occurring in the processing of credit and debit card transactions, an ultimate verdict in favor of the banks could signal a major change in how retailers conduct business in general and in particular what security steps they will need to take in order to avoid financial responsibility for future data breaches.  Coupled with regulations shifting responsibility for data breaches to retailers who fail to switch to new smart credit cards with computer chips by October of 2015, this ruling may signal a new paradigm for company electronic security.

Scam of the day – June 25, 2014 – World Cup scams

June 25, 2014 Posted by Steven Weisman, Esq.

With an estimated 46% of the planet’s population eagerly watching the FIFA World Cup tournament it should come as no surprise that this event will also spawn scams and identity theft schemes concocted by criminals around the world.  One of the most common scams involves an email informing you that you have won tickets to the tournament in Brazil.  However, if you click on the link in the email, you will only succeed in downloading malware on your computer that will steal your information which will then be used to make you a victim of identity theft.  Another common scam being seen now is one in which you are promised that by clicking on links in the email you will either be able to get free access to the games streamed on the Internet or free news and highlight videos.  Again, however, if you click on the links, you will end up installing malware on your computer.


The advice is the same as always: never click on links in emails unless you are absolutely sure that they are legitimate. It is impossible to win a contest you have not entered, so that should be warning enough not to click on links in emails regarding contests you apparently have won although you never entered. It is impossible to know if any of these emails that you receive regarding the World Cup are legitimate, so do yourself a favor and stick to either the official FIFA website or other sports websites that you know are legitimate, such as ESPN’s. Also, make sure that your anti-malware and anti-virus security software is up to date.

Scam of the day – June 15, 2014 – Russian iPhone hackers arrested

June 15, 2014 Posted by Steven Weisman, Esq.

It was only a few days ago that I warned you about some iPhone scams threatening users of Apple’s iPhone through a manipulation of the Find My Phone feature of the iPhone. The Find My Phone feature allows iPhone owners to track and lock their phones if they are lost or stolen. However, this feature was allegedly misused by two Russians who used phishing techniques to get access to their victims’ Apple ID accounts, where they activated the phone locking feature. They then sent messages to their victims indicating that they would remotely delete the data in their phone and keep the phone locked unless they paid a ransom. Another technique allegedly used by the pair of criminals to gain access to the phones was to place online ads offering access to much media content through the victim’s iPhone. Once the victim linked his or her iPhone to the scammer’s account, the scammers activated the Find My Phone feature to lock the phone.


The best way to resolve a problem is to avoid the problem altogether. As I constantly warn you, never click on links in emails unless you are absolutely sure that they are legitimate. It is always safer to confirm that the email with a link is legitimate before considering clicking on the link. You also should make sure that you always back up whatever content you keep on all of your electronic devices. All of your electronic devices should also be protected with anti-virus and anti-malware software, although it is important not to rely too heavily on these security programs because they are always a bit behind in protecting you from the latest malware and viruses. Finally, if you are unlucky enough to have had your iPhone hijacked, you can correct the problem yourself through a “hard” reset. Here is a link to instructions from Verizon as to how to do a hard reset:

You also can go to your Apple store with your iPhone and proof of purchase to have Apple resolve the problem.


Scam of the day – May 13, 2014 – Bank of America email phishing scam

May 12, 2014 Posted by Steven Weisman, Esq.

It was just last week that I provided you with the worst attempt at a phishing scam I had ever seen. In a phishing scam you are lured into clicking on a link or providing information to an identity thief who sends you an email that generally appears to be from a trusted source and tricks you into responding to a phony emergency.  Many phishing scams are not very well done, as was the case last week with a phishing letter that combined an email address that was obviously phony, poor grammar and no logo of the company purporting to be sending the email.  However, today I received an email which is copied below that may be one of the best phishing scams I have ever encountered.  The email address from which it was sent appears legitimate, it is written with proper grammar and spelling and it contains excellent counterfeit versions of the Bank of America logo.  As usual it describes a believable emergency to which I must respond and carries the tainted link for me to click on to proceed to remedy the situation.  DO NOT CLICK ON THE LINK in this copy or in a version you may receive because if you do, one of two things will happen and either is bad.  Either you will be prompted to provide personal information about your bank account which will lead to your account being emptied by the identity thief or, by clicking on the link, you will unwittingly download a keystroke logging malware program that will steal all of your personal information from your computer and use it to make you a victim of identity theft.


Never click on links or download attachments contained in emails or text messages because you can never be sure of whether they are legitimate or not and the risk of downloading malware is too great.  If you have any thought that the email or text message might be legitimate, you should call the real company, in this case, Bank of America at a telephone number that you know is accurate to confirm whether or not the communication was legitimate.  You should also make sure that all of your electronic devices including your computer, laptop, tablet and smartphone have current anti-virus and anti-malware software, but remember, you cannot totally rely on these security software programs because they are generally ineffective against the latest viruses and malware.

“To ensure delivery, add to your address book.
Exclusively for: |
Online Banking Alert
Your Account Security Check
Security Checkpoint:
You last signed in to Online Banking on 05/10/2014.
Remember: Always look for your SiteKey® before entering your Passcode.
To: Bank Of America Account Holders
Date: 05/11/2014
Because of unusual number of invalid login attempts on you account, we had to believe that, their might be some security problem on your account. So we have decided to put an extra verification process to ensure your identity and your account security. Please click on Sign in to Online Banking to continue to the verification process and ensure your account security. It is all about your security. Thank you.
Security Checkpoint: This email includes a Security Checkpoint. The information in this section lets you know this is an authentic communication from Bank of America. Remember to look for your SiteKey every time you sign in to Online Banking.
Email preferences
This is a service email from Bank of America. Please note that you may receive service email in accordance with your Bank of America service agreements, whether or not you elect to receive promotional email.
Privacy and security
Keeping your financial information secure is one of our most important responsibilities. For an explanation of how we manage customer information, please visit the Bank of America website to read our Privacy Policy. You can also learn how Bank of America keeps your personal information secure and how you can help protect yourself.
Bank of America Email, 8th Floor-NC1-002-08-25, 101 South Tryon St., Charlotte, NC 28255-0001
Bank of America, N.A. Member FDIC. Equal Housing Lender
© 2014 Bank of America Corporation. All rights reserved.”

Scam of the day – May 8, 2014 – Windows tech support scam increasing

May 8, 2014 Posted by Steven Weisman, Esq.

Recently there has been an upswing in a scam that has been with us for some time and about which I have repeatedly warned you going back years. The scam starts with a telephone call that you receive purportedly from technical support at Microsoft. The caller informs you that Microsoft has diagnosed problems with your computer, such as viruses. Sometimes they convince you to check your Windows log, which will often show many harmless errors that may appear to the uninformed as significant. They then either ask for remote access so that they can fix the problem at no cost to you or they ask for personal information. In both situations the caller is up to no good. If you provide remote access to your computer you will have effectively turned over all of the information in your computer to the caller, who can and will then use that information to make you a victim of identity theft. If you provide personal information by phone, that information too will be used to make you a victim of identity theft. With increased public attention being focused on Microsoft no longer updating the Windows XP operating system and recent security problems with Internet Explorer, more people are falling for this scam.


Microsoft will not and does not contact you by phone in regard to diagnosing software problems. If someone contacts you by phone, unsolicited by you, indicating that they are from Microsoft tech support and they are calling to help you with a problem that you did not contact them about, you should immediately hang up. You are talking to a scammer. It should be noted, however, that Microsoft does regularly issue software security updates, but they do this in automated updates if you have provided for this service or on their website. Installing the latest security software updates and patches is a critical part of fighting identity theft and scams because hackers exploit vulnerabilities that they discover in commonly used software to make you a victim of identity theft or scams. Software companies are just as constantly coming up with software to correct these vulnerabilities, so it is important to install the latest security patches as soon as possible. It is for this reason that I regularly provide you with links to the latest security patches for the software that you use. I assemble this information from the Department of Homeland Security. It is therefore important to check Scamicide each day to make sure that you do not miss important information.

Scam of the day – January 11, 2014 – AOL password reset scam

January 11, 2014 Posted by Steven Weisman, Esq.

Although America Online (AOL) has decreased in popularity somewhat in recent years, about 2.5 million people still use it, and with numbers that high, AOL users are a large target for scammers and identity thieves. A recent scam that has surfaced is an email that purports to be from AOL informing the receiver that a request had been made to reset the password. The person receiving the email is provided two links upon which to click, either to agree that the password change was legitimate or to cancel the request because it was a scam. The problem is that the email does not come from AOL; it comes from a scammer, and not a very good one. If you click on either link, you will either be prompted to provide personal information that can make you a victim of identity theft or, merely by clicking on either link, you will download a keystroke logging malware program on to your computer, laptop, tablet or smartphone that will steal all of the personal information from your device and lead to your becoming a victim of identity theft. This particular scam was not a very convincing one because the address from which it comes is not an official AOL address, nor does it contain AOL logos. Here is a copy of the email presently being circulated. DO NOT CLICK ON EITHER LINK.


“Dear AOL Customer,


The AOL Team

We received a request on 1/10/14 to reset the password for your AOL Online Account. Please confirm this request to complete the password reset:

Yes, I would like to reset my password

I did not make this request, cancel the password reset
To make additional edits to your account, sign in to
Thankyou,
The AOL team”


Never click on links or download attachments unless you are absolutely sure that they are legitimate. If you have any concerns that the email might be legitimate, contact the company, in this case AOL, by telephone or online, using a phone number or an address that you know is correct, to inquire about the email. Also, make sure that all of your electronic devices are protected by security software against viruses and malware and keep your security software updated with the latest patches.


Scam of the day – November 25, 2013 – Smartphone banking scam

November 25, 2013 Posted by Steven Weisman, Esq.

Many of us use our smartphones for so many more tasks than merely speaking on the phone. Smartphones have become the fast and convenient way for 300 million people to do their banking. They also have become the fast and convenient way for scam artists and identity thieves to steal the money from your bank account by planting (with your assistance) malware on your smartphone that not only can read all of the information on your smartphone, including your banking passwords and other personal information, but can even change the way your bank account balances appear to you on your smartphone so you are not aware that your account has been stolen by an identity thief.


The primary way that identity thieves and scammers install the necessary malware to get access to your bank account and steal your money is by luring you into unwittingly downloading the malware that gives them control over and access to the information in your smartphone.  Most often they do this by a technique called phishing which I have described many times previously in Scamicide.  Phishing occurs when you are lured into clicking on a link or downloading an attachment that appears to be legitimate, but in fact is riddled with malware.  The malware is contained in the link or download material that is often contained in an email that appears to be from a company with which you do business or a trusted friend when in fact, the email is from an identity thief.  It is for this reason that I am constantly warning you not to click on links or download attachments unless you are absolutely sure that they are legitimate.  Just because it appears to come from a friend of yours does not make it legitimate.  His or her email could have been hacked making it appear that the communication and the link are legitimate when they are not.  This technique is called spear phishing.  That is why I always tell you to confirm that the email is legitimate regardless of how good it looks before you download anything or click on a link.

In addition, you should make sure that your smartphone as well as all of your electronic devices are protected with the latest anti-virus and anti-malware software and that you keep these security programs constantly updated with the latest security patches and updates. You may even want to consider having a separate smartphone for online banking and other financial transactions, one on which you do not do any text messaging or emails, in order to avoid falling prey to phishing.