Scam of the day – November 11, 2014 – New study on effectiveness of phishing

Phishing, as you probably know, is the term for the tactic used by scammers and identity thieves who pose as a legitimate company, government agency or some other person or entity you trust and lure you into providing personal information that can be used to make you or someone you know a victim of identity theft.  Recently, Google and the University of California, San Diego completed a study that showed just how effective phishing is.  A common phishing technique is to send an email to someone with a link directing them to a phony, but legitimate-appearing website.  Other times, the phony email itself contains a request for personal information.  Startlingly, the study showed that at the most effective of these phishing websites up to 45% of people targeted provided the information requested.  Sometimes, the scammers are merely looking to take over your email account so that they can send targeted emails to people on your email list that appear to come from you and may be directed to your friends by name.  This type of phishing is called spear phishing.  Phishing is a tremendously effective scam technique and was at the core of the hacking of Target, Home Depot and many other companies and people.

TIPS

Never click on links or download attachments unless you are absolutely sure that they are legitimate.  Even if they appear to be in an email or text message from a friend, you cannot trust the communication because your friend’s account may have been hijacked by an identity thief or scammer.  Never provide personal information on websites unless you have confirmed that it is legitimate.

If your email account is compromised here are the steps to take:

1. Change your password on your email account. If you use the same password for other accounts, you should change those as well.
2. Change your security question. I often suggest that people use a nonsensical security question because the information could not be guessed or gathered online. For instance, you may want the question to be “What is your favorite color?” with the answer being “seven.”
3. Report the hacking to your email provider.
4. Contact people on your email list and let them know you have been hacked and not to click on links in emails that may appear to come from you. You have already done this.
5. Scan your computer thoroughly with an up to date anti-virus and anti-malware program. This is important because the hacker may have tried to install a keystroke logging malware program that can steal all of the information from your computer.
6. Review the settings on your email; in particular, make sure that your email is not being forwarded somewhere.
7. Get a free copy of your credit report. You can get your free credit reports from www.annualcreditreport.com. Some other sites promise free credit reports, but sign you up for other services that you probably don’t want or need.
8. Consider putting a credit freeze on your credit report. You can find information about credit freezes here on Scamicide.

Scam of the day – May 24, 2014 – iTunes phishing scam

Phishing is a common start to many scams.  Phishing occurs when you respond to an email that appears to be from a legitimate company with which you do business, only to learn that the official-looking communication was a counterfeit, the sole purpose of which was to lure you into clicking on a link.  That link either, unknown to you, downloads a keystroke logging malware program on to your computer, by which the scammer is able to steal all of the information from your computer and use that information to make you a victim of identity theft, or lures you into providing personal information that is also used to make you a victim of identity theft.  Many large scale scams, including the Target hacking, often start when employees are victimized by phishing scams that in turn give the scammers access to the information in their companies’ computers.

A recent phishing scam that is going on at this time involves a phony email that appears to be from Apple telling the victim that his or her iTunes account has been improperly accessed and that the account is now locked.  In order to access the account, the victim is told, he or she is required to provide information that ends up being used to make the phishing victim a victim of identity theft as well.

TIPS

Remember my motto, “Trust me, you can’t trust anyone.”  Never provide information in response to an email, text message or telephone call you receive unless you have absolutely confirmed that the communication to you is legitimate and there is a legitimate need for providing that information.  If you receive such an email, do not click on any links contained within it, but rather call the company at a telephone number that you know is accurate to find out whether or not the original communication to you is legitimate or not.

Scam of the day – February 16, 2014 – Latest Target information – what it means to you

Although we have known for some time that the hacking of Target was accomplished through the initial hacking of Fazio Mechanical, a heating and air conditioning company that does business with Target and had access to Target’s computers for billing and ordering purposes, it was not until recently that we learned that the way that Fazio was hacked was through a common technique called “spear phishing” where the victim receives an email directed to them by name that appears legitimate or promises something enticing, such as free pornography or videos of a newsworthy or otherwise intriguing event.  Once the victim clicks on the link in the email or downloads the attachment in the email, malware is downloaded on to the victim’s computer that provides access to all of the information in the victim’s computer, which in this case included the information necessary to access the Target computer system.  Even though Fazio’s computers were protected by anti-malware programs, either its program was not as good as necessary or it was merely not current with the latest malware threats.  Anti-malware software programs are generally at least thirty days behind the latest malware threats.

Also, criticism is now being made of Target’s offer of one year’s worth of free credit monitoring service through Protect MyID.  The problem is twofold.  First, credit monitoring merely helps to inform you that you have already become a victim of identity theft.  It does nothing to prevent identity theft.  But even further, Target’s program, which is done through the credit reporting bureau Experian, only provides you with credit monitoring of your Experian file.  It does not provide you with monitoring of your file with the other two credit reporting agencies, Equifax and TransUnion, which makes the monitoring incomplete.  Experian does offer you the additional monitoring for a year, but for a fee that can be as much as $75.

TIPS

The first lesson is that you should never click on links or download attachments unless you are absolutely sure that the links or downloads are legitimate.  Always confirm before you download.  Second, you cannot rely on your anti-malware software to be 100% effective.  Ultimately it is up to you not to download questionable material.  All of that being said, you should make sure that you have anti-malware and anti-virus software on all of your electronic devices and make sure that you keep the software up to date with the latest security patches and updates.

Finally although credit monitoring does offer some benefits, preventing identity theft through pro-active steps such as putting a credit freeze on your credit reports at each of the three major credit reporting agencies is a better way to protect yourself from identity theft in the event your personal information is compromised.  You can find how to put a credit freeze on your credit report by going to the section on “credit freezes” on the right hand side of this page.

 

Scam of the day – February 9, 2014 – How the Target Hackers did it and what it means to you

It is being reported that forensic computer investigators have discovered how the Target hackers managed to infiltrate the Target point-of-sale computer devices and systems, enabling them to steal credit and debit card information of more than a hundred million people.  Apparently the hackers first managed to hack into a less secure HVAC (heating and air conditioning) company, Fazio Mechanical Services, Inc., that worked for Target and steal that company’s access to the Target computer systems.  You might ask why an HVAC company would need computer access to Target.  The reason is that through Target’s computers, the HVAC company could monitor and control the heating and air conditioning systems in individual Target stores.  However, Fazio presently denies that it does such remote monitoring.  A company spokesman did say, however, that it did submit bills and contract proposals electronically to Target and it is possible that it was those documents which were corrupted by the hackers to gain access to Target’s computer system.  Unfortunately, the security used by smaller companies, such as the HVAC company here, leaves much to be desired and it is their lax security that appears to have been exploited by the hackers, who were able to use that vulnerability to get access to the internal network of Target’s computers.

TIPS

Greater attention needs to be given by companies such as Target to providing greater security to important parts of their computer networks, such as their point-of-sale devices, recognizing the real possibility of a backdoor hacking of their computers by criminals, such as those who hacked into Target.  With third party companies, such as HVAC companies, routinely having access to the computer networks of large chain stores, such as Target, their financial transactions must be secured better.  We can expect to see many more of these point of sale hackings in the days and weeks ahead, which means that many of you will end up having your card information stolen.

So what should you do?

You may wish to switch to cash, but for many of us that is not a viable choice.  Do not use your debit card for any retail purchases.  Limit its use to ATMs.  The consumer protection laws for fraudulent use of a debit card are much less protective than the laws pertaining to fraudulent use of a credit card.  Monitor the use of your credit card regularly and be on the lookout for any fraudulent use.  Finally, some credit card issuers are issuing the new chip cards, which are safer than the old magnetic strip cards, if you specifically request one.  You may wish to do so.

Scam of the day – January 26, 2014 – FBI warns retailers of future hacks

Recently the FBI issued a warning to retailers throughout the country warning them that the type of recent hacking of their credit and debit card payment systems that was used against Target and Neiman Marcus can be expected to be used against many more retailers in 2014.  The malware used in these attacks infects point of sale systems (POS) such as credit card swiping devices and, in some instances, cash registers at check-out counters.  This malware, referred to as a “RAM scraper” intercepts the information on the card’s magnetic stripe in the brief moment before the data is encrypted and then transmits the information to the hacker.  This type of malware is presently being sold to identity thieves on the black market for as little as $1,000 or as much as $6,000 for more advanced editions of the malware, which must then be downloaded on to the company’s computer system, most often through sophisticated phishing tactics or an insider co-conspirator.  Presently the retailers do not have security software capable of preventing such attacks.  At the present time they can only attempt to identify the attack as soon as possible in order to then take the steps to remove the malware.  Although Target has gotten most of the publicity for its attack, smaller retailers with less sophisticated systems are probably more at risk and, in fact, may already have had their security breached, but not yet recognized the attack.

So what does this mean to you?

TIPS

You may wish to discontinue using the self-swiping device present at many stores and instead ask the clerk to swipe your card directly through the cash register, which is somewhat more secure.  I say somewhat because the cash registers are also able to be hacked, but they are somewhat less vulnerable and more secure than the credit card self-swiping devices we use in stores.  Perhaps the most important thing you can do is, as I have advised you previously, refrain from using your debit card for shopping because the consumer protection laws regarding debit cards are much weaker than the laws regarding fraudulent use of your credit card.  Potentially the entire bank account to which you have tied your debit card is at risk if you are a victim of a Target-like hacking, not to mention the inconvenience even if you identify the breach immediately.

 

Scam of the day – January 17, 2014 – Credit card technology

The recent hacking of Target resulting in the theft of credit and debit card information on more than 40 million Target customers brought attention to the technology used in American credit cards.  Unlike credit cards in other parts of the world, American credit cards still use a magnetic strip technology that has been around since the 1960s in which information is contained on a magnetic strip on the back of the card.  When the information on this strip is stolen, the identity thief has access to the credit of the victim.  However in more than 80 other countries around the world, the magnetic strip card technology has been replaced with cards embedded with a microchip.  This technology is often referred to as EMV.  With EMV cards, the chip creates and encrypts a new number every time the card is used.  Thus hacking into the data terminals used by the cardholder is a worthless exercise in trying to access the credit card.  Credit card companies and retailers have resisted for cost reasons updating the credit card system in the United States although changes in regulations in regard to liability for fraudulent credit card use will prompt credit card companies and retailers to switch to this technology by October of 2015.  Hopefully, consumers will also insist on the new EMV cards as a way to shop more safely.

TIPS

Some American companies including Chase, Citi, American Express and Discover are issuing the new EMV cards, but you have to ask for them.  Unfortunately, you can expect the rollout of the new cards to be rather slow and consequently you can also expect more major hacking events similar to what happened at Target between now and October of 2015 so you may wish to consider asking for one of the new EMV cards when you get a new credit card.

Scam of the day – January 10, 2014 – Important Target update

Yesterday, Target announced that it had just become aware that its recent hacking went beyond the credit card and debit card data including PINs of 40 million of its customers to also include names, mailing addresses and phone numbers of up to 70 million of its customers.  This disclosure means that unlike previously thought, the hacking was not limited to hacking of the point of sale credit card processing devices found at the checkout stations, but was far more extensive into the data systems of Target.  It also opens up a new avenue of scams where Target customers can expect to get contacted by phone, email or text messages from scammers posing as Target representatives who will be seeking personal information which they will use to make the Target customer a victim of identity theft.  These emails and text messages will be directly addressed to the customer by name, prompting the customer to click on links or download attachments for further assistance.  However, if the customer does so, he or she will only succeed in downloading a keystroke logging malware program that can steal all of the information from the victim’s computer, which will also lead to the customer becoming a victim of identity theft.  Phone calls will also be directed to the customer by name and you should be wary there, as well.  This type of scam is called spear phishing.

TIPS

You can never be sure when you receive a telephone call, email or text message if the person communicating with you is who he or she represents himself to be.  Therefore, never click on links or download attachments in emails or text messages unless you are absolutely positive that the communication is legitimate.  Because in this case, as in others, the identity thief has your name, the communication may appear to be directed personally to you, and you cannot trust the communication merely because it appears to be legitimate.  In this case, as in others, if you think the communication may not be a scam, check it out by calling or going to the real website of the person or company purporting to send the communication at a phone number or website that you know is correct to find out whether or not the original communication was legitimate.  The same goes for telephone calls.  You can never be sure who is calling, so never give personal information over the phone to anyone whom you have not called.  Instead call them back at a number you know is accurate.

Scam of the day – December 21, 2013 – What to do if you were a Target hacking victim

With 40 million credit and debit cards affected by the recent hacking of Target, there is a good chance that many Scamicide readers are a part of that group that includes my own wife.  The hacking of Target once again shows that regardless of how careful you are, you are only as safe from identity theft as the place with the weakest security that holds or processes your personal information such as credit cards.  Today I am going to provide the simple steps that you should take if your credit card or debit card was compromised.

TIP

First of all, resolve not to use your debit card for purchases.  Reserve its use for ATMs.  The maximum that you are possibly liable for in regard to fraudulent charges on your credit card is only $50 and most credit card issuers won’t charge you anything.  However, with a debit card, if you don’t notice the illegal withdrawals from your bank account in a timely fashion, you risk losing all of the money in the account and even if you do report the fraudulent activity right away, you will not be made whole by the bank until they have completed an investigation of the matter.

The next thing you should do is check your credit card statement for illegal activity.  Do this online for both speed and to see the most recent transactions.  If fraudulent purchases appear, notify the credit card company to have them remove the charges.  Also file a police report.  You should then cancel the card and have the credit card company issue you a new card.  Even if you have not yet noticed illegal activity, you shouldn’t be complacent because generally in these situations, the thieves sell the stolen credit card information on black market websites and there may be a long time lag before you would see illegal activity on your card.  Why wait for the inevitable?  Cancel the card and get another one.

You also should use this opportunity to obtain your free credit report in order to make sure that there is no evidence of identity theft.  Go to www.annualcreditreport.com.  This is the only source for the free credit reports that you have a right to have by law.  Many other websites with similar names may provide you with a free credit report, but in the fine print, you may find that you have unwittingly signed up for a costly service that you do not want or need.

Finally, you may wish to consider putting a credit freeze on your credit report so that even if someone has sufficient personal information about you to otherwise gain access to your credit report in order to use it to make a large purchase, they would not be able to get access to your credit report because it is frozen and can only be made available by you using a PIN.  You can find all the information you need about credit freezes here on Scamicide.  Just go to the column on the right and click on “credit freezes.”

 

Scam of the day – December 20, 2013 – Massive hacking at Target

If you, like my wife, shopped at any of the 1,797 Target stores in the United States between November 27th and December 15th, you may be in serious danger of identity theft if you used a credit card or a debit card.  Target announced today that more than 40 million customers who made purchases at Target stores during that time period had their credit and debit card data stolen by hackers through what appears to be a point of sale security breach attack, which is the same type of attack that was used against Barnes and Noble in 2012, as I explained to you then in a number of Scams of the day at that time.  The data stolen includes customers’ names, credit card numbers, debit card numbers, expiration dates and the three digit security code found on cards.  This information can be used easily to make the affected customers victims of identity theft.

As I have repeatedly said, debit cards are a dangerous way to shop because unlike credit cards, which carry a potential liability of no more than $50 for fraudulent purchases made using your credit card, if your debit card security is compromised and your discovery of the breach of your security is delayed, you risk losing all of the money in the bank account connected to your debit card.  As more companies have become better at protecting the credit card data and debit card data including PINs that are found on the companies’ computers through encryption and other security measures, the weak link now more and more being exposed by identity thieves is the point of sale (POS) terminals that many companies use at the checkout counter.  We are all familiar with these small machines through which we swipe our credit or debit card rather than giving our card to the clerk to run through the cash register’s credit or debit card processor.  Unfortunately, many stores, including Barnes and Noble as I described in my Scam of the Day on October 25, 2012 and now Target, have not taken the steps necessary to protect the security of these devices, which in many stores have been manipulated to provide credit card and debit card information including PINs to identity thieves.  In some instances, the identity thieves have posed as repairmen to alter these credit and debit card terminals in order to get access to the information contained therein.  Debit cards in particular present a substantial problem because once the identity thief has the card number and PIN, it is a relatively easy task to create a phony debit card that can be used at any ATM to empty the victim’s account.

The massive scope of this hacking is evidence of a very sophisticated hacker being behind this because of the necessity of physically altering the various  card processors.  Generally when this data is stolen in such a huge hacking, the card information is sold to other criminals on the black market.

TIPS

Don’t use your debit card for shopping.  The risk is just too great.  Limit its use to getting cash from an ATM.  Additionally, if you are shopping with either a credit card or a debit card (and not following my advice) don’t use the POS terminals, but rather ask the clerk to run your card through his or her cash register’s credit card terminal.  Your security is improved as the cash register’s information is generally protected better by most companies.  If you are one of the affected people in this Target hacking, make sure you monitor your credit card account or debit card activity online regularly for quite a while.  Just because you may not have yet had phony charges made is no consolation, as it sometimes takes time before the stolen card information is sold by the hackers and used by the criminals buying the information.