Earlier this week, the popular stock trading app Robinhood disclosed that it had suffered a data breach the previous week in which the personal information of approximately seven million of its customers was compromised. Fortunately for the large majority of people whose information was stolen, the information was limited to email addresses and names. An unusual aspect of this particular data breach was that, rather than being accomplished by hacking the computers of the targeted company, it started with a phone call in which the criminal called Robinhood’s customer support and, using social engineering techniques, convinced a Robinhood employee to provide access to customer support systems. Obviously, Robinhood has some work to do in its employee security training. The criminals have demanded a ransom payment for the return of the stolen information, but at this point, customers of Robinhood should be very concerned.
Personal information, such as the information contained in this data breach, is used by cybercriminals not just to directly steal the identities of the affected people, but also to create specifically targeted spear phishing emails and text messages (called smishing) that lure people into clicking on malware-infected links or providing personal information that will be used to make them victims of identity theft. While many common phishing emails and text messages are easily recognized as phony, sophisticated spear phishing emails and text messages can be tailored by the criminals to our own interests using the information obtained through the data breach in order to appear trustworthy, which makes them quite dangerous. This particular data breach brings back memories of a massive data breach at JP Morgan where similar information was stolen and used to target people who became victims of a stock pump and dump scam.
One important lesson is to limit the amount of personal information that you provide to companies and websites whenever possible. It is also critical that we all remember that whenever we get an email, text message or phone call, we can never be sure who is really contacting us, so you should never click on links or provide personal information in response to such communications unless you have absolutely confirmed that the communication is legitimate. Trust me, you can’t trust anyone.