Scam of the day – November 13, 2017 – FTC settles charges with online tax preparation service

Between October of 2015 and December of 2015, cybercriminals were able to hack into the accounts of almost 9,000 customers of legitimate online tax preparation service TaxSlayer Online.  The hackers used the information gathered in the data breach to make TaxSlayer Online’s customers victims of income tax identity theft and obtained phony tax refunds using the names and information of their victims.

The Federal Trade Commission (FTC) brought legal action against TaxSlayer for its failure to secure the data of its customers and for other security-related violations.  Among the more serious charges was that TaxSlayer Online failed to notify its customers when the bank account to which their tax refund would be sent was changed.

TaxSlayer Online has come to a settlement with the FTC pursuant to which it will be taking extensive security steps to prevent such data breaches in the future.


This case again emphasizes the fact that we are only as safe as the places with which we do business that have the worst security.  So what should we be doing to help keep ourselves safe?  First and foremost, everyone should use a unique password for each and every online account they have.  It is not that difficult to do.  In addition, whenever you can, use dual factor authentication.  With dual factor authentication, you receive a one time code by way of your smartphone each time you go to your online account.  Although this may seem like an inconvenience, it is extremely useful and not terribly time consuming.

Scam of the day – February 1, 2017 – St. Louis Cardinals penalized for hacking

In July of 2014 I first reported to you about the hacking of the computers of the Houston Astros baseball team.  Chris Correa of the St. Louis Cardinals was convicted of hacking the private online database of the Astros, called Ground Control, that contained tremendous amounts of confidential data including scouting reports and statistics on baseball players.  Correa is presently serving a 46 month prison sentence.  At the time he did the hacking, Correa was the Director of Baseball Development for the St. Louis Cardinals.  Correa was fired by the Cardinals when he first became a suspect in the hacking of the Astros.  A current Astros employee had worked previously for the Cardinals, and Correa was able to easily guess the password he used to access Ground Control by merely trying variations of the password the Astros employee had used when he worked for the Cardinals.  Armed with this password, Correa stole data from Ground Control for use by the Cardinals.

Now Major League Baseball Commissioner Rob Manfred has acted in the matter, banning Correa from baseball for life and ordering the Cardinals to pay 2 million dollars to the Astros as well as forfeit to the Astros their two top picks in the June amateur draft.   In his ruling, Commissioner Manfred indicated that the hacking scheme was entirely the work of Correa.


Perhaps the biggest lesson for all of us from this story is the danger of using the same password or slight variations thereof for all of your accounts, which unfortunately is a habit that many people have gotten into.  Hackers will often steal passwords of customers from companies when they commit a data breach and then use those passwords for identity theft purposes at other places such as banks, brokerage houses and other companies where the victim can suffer substantial financial losses.  The best course to follow is to have a difficult to crack password that is unique for every account.

Steve Weisman’s latest column

Here is a link to my column for entitled “How identity thieves target your password.”  In this column I provide information about how to choose a strong password that is easy to remember.

Scam of the day – June 18, 2015 – St. Louis Cardinals accused of hacking Houston Astros

Last July I reported to you about the hacking of major league baseball’s Houston Astros.  At that time it was not known who accomplished the hack of the Astros’ databases that contained discussions of player trades, complicated player statistics and scouting reports.  Now the FBI is indicating that the hacking was the work of employees of the St. Louis Cardinals.  Preliminary reports indicate that the motive may have been to set back the work of the Astros’ General Manager, Jeff Luhnow, who previously had been an executive in the Cardinals’ organization, where he was in charge of scouting and player development.  The hacking does not appear to be particularly sophisticated.  Apparently the Cardinals’ employees behind the hacking merely used the list of passwords that Luhnow and people working under him had used while employed by the Cardinals to gain access to the Astros’ databases.


The biggest takeaway for all of us from this story is the danger of using the same passwords for all of your accounts, which unfortunately is a habit that many people have gotten into.  Hackers will often steal passwords of customers from companies when they commit a data breach and then use those passwords for identity theft purposes at banks, brokerage houses and other companies where the victim can suffer substantial financial losses.  The best course to follow is to have a difficult to crack password that is unique for every account.  This is easier than it sounds.  Start off with a phrase, such as IDon’tLikePasswords, which combines capital letters, small letters and a symbol.  Then add a couple of additional symbols at the end of the password so it may read, for example, IDon’tLikePasswords!!! and then you can customize it for each of your accounts.  For example, you could make this your Amazon password by making it IDon’tLikePasswords!!!Ama.  This password strategy provides great security and is easy to remember.

Scam of the day – April 21, 2015 – 14 year old charged with felony hacking

Domanik Green, a 14-year-old eighth grader from Florida, has been charged with a felony for hacking the computer of one of his teachers and changing the desktop background to a picture of two men kissing.  The hacking was easy to accomplish because the teacher used an easily guessed password.  The hacking itself was more of an innocuous prank than a serious hack.  The student made no attempt to change grades or even access other data.  Yet under Florida law, Green was charged with a felony, which, if he is convicted, could have a serious effect on his ability to get a job or go to college.  More than anything else, the incident highlighted the school’s security failings.  It has been reported that the particular school attended by Green used weak passwords and that students were even able to watch the teachers entering their passwords.


Hopefully, a sanction more appropriate than a felony conviction will be imposed in this case.  This case also, once again, highlights the importance of using strong passwords and keeping them secret.  It is also important for people to use unique passwords for every account that they have.  A strong password will combine capital letters, small letters and symbols.  A good way to pick a password is to choose a short phrase, such as IDon’tLikePasswords, and then add a couple of symbols so it reads IDon’tLikePasswords!!!.  That can then be used as a base password, adapted with a few letters to indicate a particular account; for instance, using this password for an Amazon account would make it IDon’tLikePasswords!!!Ama.  That would be a strong and unique password.

Scam of the day – March 29, 2015 – Video gaming network Twitch hacked

Twitch, a live streaming video platform, has been hacked, putting users in danger of identity theft.  Twitch, which has been around since 2011 and was bought by Amazon in 2014, capitalizes on the exploding interest in video games and broadcasts video game competitions and other video game related content.  It is hugely popular.  Unfortunately, anything popular will be a target for hackers and identity thieves, so it came as no surprise that Twitch accounts appear to have been hacked.  Twitch is retiring users’ passwords and stream keys as well as disconnecting accounts from Twitter and YouTube.


Perhaps the biggest threat is to Twitch users who, as many people do, use the same password for all of their online accounts.  Hackers often take advantage of this fact by hacking into websites with weaker security, stealing personal information and passwords, and using that information to access accounts that can be exploited for greater financial gain.  The lesson, of course, is to use unique and complex passwords for each of your online accounts.  This is not as difficult as it may sound, because a good way to choose a password is to pick a phrase such as IDon’tLikePasswords, which combines capital letters, small letters and a symbol, which in turn makes it a complex password.  Then add a couple of symbols to this base password so it reads, for example, IDon’tLikePasswords!!!, and then uniquely adapt this password with a few letters that describe the specific account so, for example, your Amazon account password would be IDon’tLikePasswords!!!Ama.  That is a strong password and a way to make unique, but easy to remember, passwords for all of your accounts.

Scam of the day – January 19, 2015 – University employee payroll scam

The Internet Crime Complaint Center, known as IC3, has issued an alert warning about a spear phishing scam aimed at university employees around the country.  It starts with an email addressed specifically with the name of the intended victim.  The email looks official and appears to have been sent by the Human Resources Department of the college or university where the intended victim works.  The email informs the potential victim that there has been a change in the employee’s status and that the employee is required to click on a link contained in the email.  The link takes the employee to a website that appears to be that of the Human Resources Department of the college or university where the victim works, and there the employee is prompted to input information.  The website is counterfeit.  The scam is a ruse intended to obtain the login information of the potential victim.  Once this information is provided to the scammer, he or she then logs on to the real Human Resources Department page and changes the bank account information for where the employee’s check is deposited, so that the school sends the victim’s check to a bank account controlled by the identity thief.  In addition, since many people use the same user name and password for all of their accounts, the scammers may also attack other accounts of the victim.


Although the IC3 warning deals specifically with university and college employees, this scam works just as well with any company that pays its employees through direct deposit, so everyone who is paid through a direct deposit should be aware of this scam.  Remember my mantra, “trust me, you can’t trust anyone.”  Never click on links in emails unless you are sure they are legitimate.  In many instances, by clicking on the link, you are unwittingly downloading malware onto your computer or other electronic device.  You also should never provide personal information in a reply to an email.  Confirm whether or not the request for personal information is legitimate and, even then, go directly to a website for the company or other institution that you know is legitimate to provide such information.  Finally, as I have warned you many times (sorry to be a nag), use a unique password for all of your accounts so that if your password for a particular account is jeopardized, your other accounts are still safe.  This is not as difficult as it might seem.  In my book “Identity Theft Alert,” I provide instructions as to how to pick easy to remember, strong passwords.
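The TaxSlayer settlement above faults a service for not notifying customers when the refund bank account was changed, and the payroll scam here ends with exactly such a change made from a phished login.  The review routine below is an added example, not code from the original posts or from any real portal: it runs over a constructed audit log, always emits a notification to the contact details on file before the change, and holds the change for out-of-band confirmation when the session looks risky.  The event field names and the 15-minute window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample audit log in the shape a payroll or tax-refund portal might keep.
EVENTS = [
    {"ts": "2015-01-12T09:02:00", "user": "jdoe", "event": "login", "ip": "203.0.113.7", "new_device": True},
    {"ts": "2015-01-12T09:04:30", "user": "jdoe", "event": "bank_account_change", "ip": "203.0.113.7"},
    {"ts": "2015-01-12T11:00:00", "user": "asmith", "event": "login", "ip": "198.51.100.4", "new_device": False},
    {"ts": "2015-01-12T11:40:00", "user": "asmith", "event": "bank_account_change", "ip": "198.51.100.4"},
]


def review_bank_changes(events, window=timedelta(minutes=15)):
    """Return one decision per bank-account change.

    Every change gets a notification sent to the contact details that were on file
    *before* the change.  A change is additionally put on hold, pending confirmation
    through that prior contact, when the session that made it started on a device not
    seen before, made the change within `window` of logging in, or changed IP address.
    """
    last_login = {}  # user -> (login time, login event)
    decisions = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ev_time = datetime.fromisoformat(ev["ts"])
        if ev["event"] == "login":
            last_login[ev["user"]] = (ev_time, ev)
            continue
        if ev["event"] != "bank_account_change":
            continue
        reasons = []
        login = last_login.get(ev["user"])
        if login is None:
            reasons.append("change without a recorded login")
        else:
            login_time, login_ev = login
            if login_ev.get("new_device"):
                reasons.append("session began on a device not seen before")
            if ev_time - login_time <= window:
                minutes = int((ev_time - login_time).total_seconds() // 60)
                reasons.append(f"changed {minutes} min after login")
            if login_ev["ip"] != ev["ip"]:
                reasons.append("IP address changed mid-session")
        decisions.append({
            "user": ev["user"],
            "action": "hold" if reasons else "apply",
            "notify_prior_contact": True,  # the step TaxSlayer was faulted for skipping
            "reasons": reasons,
        })
    return decisions


if __name__ == "__main__":
    for decision in review_bank_changes(EVENTS):
        print(decision)
```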

Scam of the day – September 22, 2014 – College students and identity theft

Identity theft is a major problem for everyone; however, college students are five times more likely to become a victim of identity theft than the general public.  There are two primary reasons for their vulnerability.  They live in close quarters with lax security, and they do not take sufficient precautions to protect themselves in their dorm rooms or online.  Identity theft can be high tech, low tech or no tech, and college students are victimized in all three ways.  They become victims of identity theft because, too often, they fail to protect their smartphones with security software or even a proper password.  They click on links in emails, text messages and social media that promise to provide free music, video games, alluring photos or gossip without realizing that a large number of these communications are sent by identity thieves and that the links only download keystroke logging malware that steals their personal information from their computers, smartphones and other electronic devices, which the thieves then use to make them victims of identity theft.  They download free apps from questionable sites and again end up downloading malware.  They use free wifi in public locations without proper encryption and security software on their electronic devices, not knowing that the free wifi they are using may be set up by an identity thief eavesdropping on their communications and stealing their information.  They leave the computers in their dorm rooms unprotected by a good password, and they leave important documents with personal information unprotected in their room.


On the low tech and no tech side of things, they should lock up all their important papers that contain personal information.  They should also shred papers with personal information that they do not need to keep.  They should install security software and encryption software on all of their electronic devices, including their smartphones, computers and tablets.  They should use strong passwords and different passwords for all of their accounts and devices.  They should never click on links in emails, text messages or social media postings unless they have confirmed that the links are legitimate.  They should be wary of free wifi and not use it for financial transactions.

Scam of the day – June 30, 2014 – Even hackers use weak passwords

I am constantly warning people to use complex, distinct passwords for all of their online accounts so that, if the passwords are stolen in encrypted form, they cannot be deciphered.  The easiest passwords for an identity thief to decipher are those that use any word in the English language or passwords of fewer than twelve characters.  A complex password should also mix small letters, capital letters, figures and symbols for maximum protection.  However, many people do not do this and are at great risk of identity theft because of their lack of prudence in choosing a password.  These people should feel a little better about themselves, however, because a recent study by computer security company Avast found that even the hackers don’t generally use strong passwords.  According to Avast, only about 10% of hackers use difficult to decipher passwords, with the average hacker password only six characters long.  In fact, the most popular password for hackers was “hack.”


Just because hackers don’t take enough precautions to protect themselves does not mean that you should neglect having a strong password.  You should have a separate password for all of your online accounts so that if your password for one account falls into the hands of an identity thief, your entire online life is not threatened.  You should also change your passwords about every six months.  Creating an easy to remember, but complex, password is not very difficult.  Start with a phrase, such as “AVeryComplexPassword” and then add some numbers and symbols, such as “AVeryComplexPassword1**.”  You can then personalize it to a particular account by adding an abbreviation for that account at the end.  For example, your password for Amazon could be “AVeryComplexPassword1**Ama.”  Easy to remember and hard to break.
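The password posts above (June 18, April 21, March 29 and the two June 30 paragraphs) all give the same rules: at least twelve characters, a mix of small letters, capital letters, figures and symbols, no plain English word, and a different password for every account.  The checker below is an added example, not code from the original posts: it applies those rules to a password and reports reuse across a vault of accounts.  The word list is a constructed stand-in for a real dictionary, and the sample vault is constructed from the posts’ own examples.

```python
from __future__ import annotations
import re
from collections import defaultdict

# Constructed stand-in for an English word list; a real check would load a full dictionary.
COMMON_WORDS = {"hack", "password", "baseball", "cardinals", "astros", "letmein", "welcome"}


def password_issues(password: str) -> list[str]:
    """List what is wrong with one password under the rules given in the posts above."""
    issues = []
    if len(password) < 12:
        issues.append("shorter than 12 characters")
    classes = {
        "uppercase": r"[A-Z]",
        "lowercase": r"[a-z]",
        "digit": r"\d",
        "symbol": r"[^A-Za-z0-9]",
    }
    missing = [name for name, pat in classes.items() if not re.search(pat, password)]
    if missing:
        issues.append("missing " + ", ".join(missing))
    # Keep only the letters: a dictionary word dressed up with digits and symbols is still a word.
    core = re.sub(r"[^a-z]", "", password.lower())
    if core in COMMON_WORDS:
        issues.append(f"based on the dictionary word '{core}'")
    return issues


def reuse_report(vault: dict[str, str]) -> dict[str, list[str]]:
    """Map every password that guards more than one account to the accounts sharing it."""
    accounts_by_password = defaultdict(list)
    for account, password in vault.items():
        accounts_by_password[password].append(account)
    return {pw: accts for pw, accts in accounts_by_password.items() if len(accts) > 1}


if __name__ == "__main__":
    # Constructed sample vault mixing the posts' sample passwords with a reused weak one.
    vault = {
        "bank": "hack",
        "amazon": "IDon'tLikePasswords!!!Ama",
        "brokerage": "AVeryComplexPassword1**Ama",
        "email": "hack",
    }
    for account, password in vault.items():
        print(account, password_issues(password) or ["ok"])
    print("reused:", reuse_report(vault))
```

Note that the IDon’tLikePasswords!!!Ama example from the earlier posts contains no figure, so under the June 30 rule it is reported as missing a digit, while AVeryComplexPassword1**Ama passes every check.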