Scam of the day – October 12, 2015 – Most data breaches not caused by hacking

With the news constantly filled with stories of major data breaches, such as last week’s disclosures of data breaches at Experian, Trump Hotels and Scottrade, it would be easy to conclude that hackers planting keystroke-logging malware on the computers of their targeted victims are the primary source of data breaches.  However, that conclusion is wrong.  According to a just-released study by the security firm Trend Micro, using data compiled by the Privacy Rights Clearinghouse, 25% of the data breaches were indeed attributed to malware planted by hackers, but 41% of the data breaches were attributable, according to the report, to the loss of “sensitive information stored on employees’ laptops, mobile devices, and thumb drives.”  Further complicating the problem is the fact that the information on these devices was often unencrypted, which should come as no surprise to those who remember the 2006 data breach at the Department of Veterans Affairs, in which unencrypted personal information, including the Social Security numbers of more than 26 million present and former military personnel, was stolen through the theft of a laptop from the home of a VA data analyst.


Once again, the lesson is that regardless of how careful you are to protect the privacy of your personal data, you are only as safe as the companies and agencies with the weakest security that hold your personal information.  Therefore, it is not a matter of if you will become a victim of a data breach, it is a matter of when.  Knowing this, it is important first, as much as you can, to limit the places that have your personal information.  Many times you are asked for such information by companies that have no need for it.  Your physician does not need your Social Security number.  When possible, refuse and offer another form of identification, such as your driver’s license number.  Second, you should be prepared for the inevitable data breach and put a credit freeze on your credit reports at each of the three major credit reporting agencies, so that even if someone does obtain your personal information, they cannot use it to get access to your credit report and run up debts in your name.  Putting a credit freeze on your credit reports is the simplest and best protection you can have against identity theft.  To learn more about how to put a credit freeze on your credit reports, go to the archives of Scamicide and type in “credit freeze.”

Scam of the day – August 9, 2014 – Identity thieves defeat two-factor identification at banks

In the battle to prevent identity thieves from accessing their victims’ bank accounts online, many banks in Austria, Japan, Sweden and Switzerland have gone beyond the simple password to the (supposedly) more secure two-factor identification.  With two-factor identification, in order to access their accounts bank customers must enter a second, one-time password that has been emailed or texted to them.  The thought was that by requiring this second password, identity thieves who may have stolen the customer’s password still would not be able to access the customer’s account, because the identity thief would not have the second password sent by the bank to the customer’s smartphone.  However, computer security company Trend Micro has now uncovered that identity thieves have found a way to defeat two-factor identification.  As with so many identity thefts, this one starts when the customer unwittingly clicks on a link or downloads an attachment in a phishing email that appears to be from a legitimate source.  Unfortunately, when the victim clicks on the link or downloads the attachment, he or she is actually downloading malware that redirects the victim to a phony bank website when the customer attempts to do online banking.  Once at the phony website, the victim is prompted to enter their account details, passwords and personal identification number.  They are then prompted to download a mobile application found in Google’s Android store that is represented as providing enhanced security, but in actuality permits the identity thief to intercept the second password that the bank sends to the customer.  Armed with all of this data, the identity thief is able to gain full access to the victim’s bank account and empty it.


Although two-factor identification is an improvement over the password-only system used by many financial institutions in the United States and other parts of the world, it is still vulnerable.  Business and government must come up with better authentication protocols.  Meanwhile, as with so many of these complex identity theft schemes, this one requires the victim to download the malware that makes the identity theft possible.  The solution is a simple one, as I have warned you many times: never click on a link in an email or download an attachment in an email unless you are absolutely sure that it is legitimate, and the only way to be sure is to independently call or email the real company or person purportedly sending the email at an address or telephone number that you know is accurate.  For even greater security, you may wish to have a separate computer for financial transactions on which you do not read email, click on links or download attachments.

Scam of the day – January 7, 2013 – Most dangerous websites

Phishing is the name of the scam whereby you are lured to a phony website that appears to be legitimate.  However, when you click on links in these phony websites, download material from them or provide information to them, you put yourself in danger of identity theft or of downloading dangerous keystroke-logging malware that can steal all of the information on your computer, including credit card numbers, your Social Security number, passwords and various account information.  In addition, you may unwittingly have your computer taken over as part of a botnet (for more information about botnets, check out other postings here or in “50 Ways to Protect Your Identity in a Digital Age”), whereby your computer is made part of the botnet circulating scams around the world.


Recently Trend Micro issued a list of the most common websites that were imitated by phony phishing websites during the past month.  The top ten websites of which you should be particularly wary, making sure that you are dealing with the legitimate company, are: PayPal, Wells Fargo, Visa, Citibank, Bank of America, AOL, Yahoo, Hotmail, Gmail and Mastercard.  Warning signs of a phishing website include being directed to it through an email that does not refer to you by name, or an email that contains spelling errors or poor grammar that may indicate it is coming from a foreign scammer (or a poorly educated American scammer).  A good rule to follow is to not click on links in emails or text messages to go to a website.  If you consider the email or message worth following up on, go to the website of the legitimate company by typing the URL that you know is correct into your browser.