Scam of the Day

Scam of the day – February 9, 2019 – Delta SkyMiles Phishing Email

Recently there has been a dramatic increase in the stealing of frequent flier miles from the accounts of unsuspecting airline customers who participate in the various airline frequent flier programs. The reason is that this kind of theft is easy to accomplish, hard to detect and quite profitable. Hackers often take advantage of the fact that many people use the same username and password for many accounts. With so many usernames and passwords available to identity thieves due to the many data breaches that have become common occurrences, identity thieves are able to use usernames and passwords that they buy on the Dark Web, that part of the Internet where hackers buy and sell such information, to easily access the frequent flier accounts of people who use the same username and password for multiple accounts. In other instances, identity thieves will use socially engineered spear phishing emails to pose as the airlines and lure the victims into providing their usernames and passwords to the identity thief, often under the guise of confirming information for the airline.

However, sometimes victims of frequent flier miles scams merely turn over to the scammer their user name and password by clicking on links and responding to phishing emails like the one reproduced below.  As phishing emails go, this one is pretty well done.  The appearance, spelling and grammar of the email look legitimate and the purported reason for asking the victim to update their information due to new security features also appears legitimate.  But it is not.  It is a scam and people responding to this email by logging in to the site to which they are taken will end up providing their username and password to a scammer who will steal the frequent flier miles.

Because people so rarely monitor their frequent flier accounts, criminals who steal frequent flier miles often go undetected for long periods of time.
Once the criminal gains access to the account, they can profit from the information in many ways including redeeming the points for merchandise from retailers participating in the frequent flier program, transferring the points to another clean account from which they can use the points for themselves or redeeming the points for travel vouchers which they then sell posing as legitimate travel websites.

In order to protect yourself you should have a unique username and password for each of your online accounts including your frequent flier accounts. This is a basic tenet of online security that you should be following. If your program permits dual factor authentication, you should sign up for it. Refrain from providing your username and password even if it appears it is being requested from your airline’s frequent flier program. If you have any question as to whether such a request contained in an email is legitimate, you should merely contact the airline by phone at a number that you know is accurate to confirm that the request was a scam.

In regard to protecting yourself from phishing emails such as this, you can look for red flags such as the fact that your account number does not appear anywhere in the email. However, the safest tack to take is to never log in to any website from an email. If you had any belief that the email was legitimate, you should merely go to the Delta website directly and not from an email that you can never be sure is legitimate.

Also, monitor your account regularly even if you are not flying in order to become aware as early as possible if there has been a security breach in your account.

Finally, you should always shred your boarding passes. Don’t merely throw them away in trash receptacles at the airport. The bar code on your boarding pass contains important information including your frequent flier account number that can be used to make you a victim of identity theft.

If you are not a subscriber to and would like to receive daily emails with the Scam of the day, all you need to do is to go to the bottom of the initial page of and click on the tab that states “Sign up for this blog.”

Here is the phishing email presently being circulated.

Thanks for choosing Delta. Your Flight is confirmed.
Hello Member,
SkyMiles ® #**********>
Update Your Skymiles Account Access
Kindly update your Delta skymiles account access below to activate the new security features and updates.
Update Your Skymiles Account


Increase your mileage balance faster on your next flight.
Purchase up to 3,000 miles.
Earn 30,000 bonus miles and a $50 statement credit.
Terms apply.
Find, compare and book flights from your favorite mobile device with the Fly Delta app.
Earn Starpoints® when you fly and miles when you stay.
Register now for Crossover Rewards™.
Terms apply.
THE #1 AIRLINE APP. | Get the Fly Delta app today.
Terms & Conditions
Delta is not liable for losses resulting from unauthorized access to a SkyMiles account. All SkyMiles program rules apply to SkyMiles program membership, miles, offers, mile accrual, mile redemption, and travel benefits. To review the rules, please visit Subscription
You have received this email because you elected to receive your SkyMiles account notification sent to you via email. If you would like to take advantage of other Delta email programs featuring special fares, promotions, information and flight updates, please visit or
Privacy Policy
Your privacy is important to us. Please review our Privacy Policy.
Copyright Information
This email message and its contents are copyrighted and are proprietary products of Delta Air Lines, Inc. Delta Blvd., P.O. Box 20706 Atlanta, GA 30320-6001. Any unauthorized use, reproduction, or transfer of this message or its contents, in any medium, is strictly prohibited.
This is a post only email. Please do not respond to this message.
© 2019 Delta Air Lines, Inc. All rights reserved.

Scam of the day – February 8, 2019 – SIM Swapping Thief Indicted

A Subscriber Identity Module, more commonly known as a SIM card, is an integrated circuit that stores information used to authenticate subscribers on mobile devices, such as a cell phone. The SIM card can be transferred between different devices, and often is when people upgrade to a newer cell phone. However, as more and more financial transactions, such as online banking, are now done through cell phones, identity thieves with access to their victims’ SIM cards are increasingly able to intercept security codes sent by text message for online banking as part of dual factor authentication, which gives the identity thief the opportunity to empty their victims’ bank accounts and cause other financial havoc.

Porting is the name for the crime where someone convinces your phone carrier to transfer your SIM card to a phone controlled by the criminal. To prevent someone from stealing access to your phone through porting, you should have a PIN added to your account so that no one can call your cell phone provider posing as you and ask to have your SIM card transferred. Recently, Dawson Bakies was indicted in New York on 52 counts of fraud related to SIM swapping.

The best protection for your phone starts with a strong password, facial recognition or fingerprint scanner.  Also, set your phone so that it locks when you are not using it.  Make sure that you back up everything in your phone regularly. Install the Find My iPhone app if you have an iPhone or the Find My Device app if you have an Android phone.  These will enable you to locate your cellphone if it is lost or stolen and also allow you to send a command to erase everything in your cellphone even if the phone has been turned off.  If your phone is lost or stolen, you should immediately contact your wireless provider to have them disable the SIM card in your phone so that your phone cannot be used by someone else.  As for protecting your phone from cyberattacks, it is important to both download and continually update security software.

The best thing you can do to protect yourself from spear phishing emails and text messages is to never click on links in emails or text messages, regardless of how legitimate or innocuous they may appear unless you have absolutely confirmed that the communications are legitimate. The risk of downloading malware to your phone is too great if you click on links without verifying that they are legitimate.

The wireless carrier industry has got to do a better job of securing SIM cards. The best thing you can do to protect your SIM card from being swapped is to set up a PIN or password to be used for access to your mobile service provider account. Sprint and Verizon use PINs while T-Mobile and AT&T will let you set up a password. This will help prevent someone from calling your carrier and posing as you to convince them to swap your SIM card to the criminal’s phone.


Scam of the day – February 7, 2019 – Japan Hacking its Own Citizens

I have been warning you about dangers in the rapidly expanding Internet of things for more than five years.  The Internet of Things is made up of a broad range of devices connected to the Internet including home thermostats, security systems, medical devices, refrigerators,  smart televisions, cars and toys.  According to the research firm Gartner, the number of Internet of Things devices will increase from a significant 11 billion devices in 2018 to 20.4 billion by next year.  Unfortunately, most of these devices are not properly secured and can be harvested by cybercriminals into botnets of computers which the criminals can then use to spread malware such as was done by cybercriminals using the Mirai botnet to carry out a Distributed Denial of Service (DDoS) attack that temporarily disrupted huge portions of the Internet including making Netflix and Twitter inaccessible.  On a personal level, vulnerabilities in security of your Internet of Things devices can be exploited to gain access to your home computers and all of the data stored on them which can result in identity theft.

This past summer the FBI issued a new warning to consumers about the dangers posed by hacking of the various devices that make up the Internet of Things.

Here is a link to the FBI warning.

Now, as a security measure in advance of the 2020 Tokyo Olympics, Japan will attempt to hack into 200 million IP addresses linked to Japan in an effort to raise security awareness. Of course, this could backfire as it can provide an opportunity for cybercriminals to send spear phishing emails to people informing them that their Internet of Things devices are insecure and luring them into clicking on links containing malware.


Many of the devices that make up the Internet of Things come with preset passwords that can easily be discovered by hackers.  Change your password as soon as you set up the product.  Also, set up a guest network on your router exclusively for your Internet of Things devices.  Configure network firewalls to block traffic from unauthorized IP addresses and disable port forwarding.  Make sure that you install the latest security patches as soon as they become available.  Use encryption software for the transmission of data and find out where data is stored and what steps are taken to secure the information.  Also, limit the amount of information you provide when setting up the accounts for smart toys.  The less information out there, the less the risk of identity theft. Most devices allow you to select options that increase your security and privacy.  Finally make sure your router is secure and use its whitelisting capabilities which will prevent your device from connecting to malicious networks.

As for clicking on links in emails and text messages, the warning remains the same.  Never click on any link in an email or text message unless you have independently confirmed that it is legitimate.


Scam of the day – February 6, 2019 – Fire Safety Month Scams

Hawaii Island Police are warning the public about scam phone calls where the caller tells the intended victim of the scam that it is Fire Safety Month and that it is necessary for the caller to come to the home of the intended victim to inspect their smoke alarms. However, this is a scam and the callers are merely trying to be invited into their victims’ homes where they will rob their homes. It is important to note that there is no Fire Safety Month. There is a Fire Prevention Month, however, it is October and no one is going to call your home to legitimately come inspect your smoke detectors. The U.S. Fire Administration (USFA) urges people to test their smoke detectors at least once a month and replace batteries in battery powered smoke detectors once or twice a year. Many people choose to change their batteries when they change their clocks during daylight savings time in the Spring and the Fall. While this scam is presently being reported in Hawaii, this scam and similar scams are being perpetrated everywhere in this country and around the world.


Although this particular scam involved an inspection of your home’s smoke detectors, you should always be wary of any telephone call that indicates that someone needs to gain entry to your home for any reason.  Always independently confirm that there is a legitimate need for such an inspection.  Also, remember that your Caller ID can be tricked through a technique called “spoofing” to make a call appear to have originated from a legitimate source, when the call is really coming from a scammer.


Scam of the day – February 5, 2019 – Another Nest Camera Hacking Incident

In the Scam of the day for December 28, 2018 I told you about a Houston family who were frightened when they heard vulgar threats coming from the baby monitor they used to watch their four month old son. Their baby monitor had been hacked by someone attempting to scare them. While the hacker did not pose a physical threat to the family, the threats coming from the baby monitor certainly caused distress and also could lead to identity theft and other security concerns. Now a similar story is coming from Illinois where a family reported obscenities emanating from the Nest security camera in the room of their seven month old son. Additionally, their thermostat had been altered remotely, raising the temperature to 90 degrees and it appears that this too was caused by the hacker being able to infiltrate their other Internet connected devices. While it may seem that hacking into a baby monitor may be an invasion of privacy and nothing more, the truth is that in many instances, if a hacker is able to gain access to one device that is part of the home’s WiFi network, he or she could also gain access to other connected devices, such as the parent’s computer containing personal financial information or even the capability of connecting to the computers of the company for which the parent works if the parent’s computer is networked in for working from home. Many hackers search the Internet for unsecured web cameras and baby monitors that have not changed the factory setting username and password.

Many of you familiar with my work are aware of my great concerns over the vulnerability of what has become known as the Internet of Things.  The Internet of Things is the name for the technology by which various things are connected and controlled over the Internet.  Some of the more common products that are a part of the Internet of Things include cars, refrigerators, televisions, copy machines and medical devices.  Here is a link to a column I wrote for USA Today about the Internet of Things.

In the four years since I first reported about this problem on Scamicide little has been done to correct the problem and there are no security standards required of the manufacturers of these devices.  However,  as I often say, the best place to find a helping hand is at the end of your own arm and there are things that you can do to protect yourself.


Anyone who has a baby monitor should make sure that the camera and software are constantly updated with the latest security software from the company that manufactures the baby monitor.  It also is a good idea to, as I have advised many times previously, make sure that your router, which connects you to the Internet, is password protected and that you change the username and default password for each of your Internet of Things devices.  In the case of the Illinois family the problem does not appear to have been a flaw in the Nest security cameras, but most likely can be attributed to the use of a common password with other accounts with companies that may have suffered data breaches in which the hacked passwords became available to cybercriminals.  It is for this reason that it is always a good practice to have unique passwords for each of your accounts.  In addition, Nest security cameras also provide the option to use dual factor authentication by which access to the system not only requires a password, but also a one time code sent to your phone whenever you or someone else tries to access the account.


Scam of the day – February 4, 2018 – FTC Returning Millions to Victims of Health Products Scams

Scams involving health care products and weight loss scams are among the most common scams and with good reason. Many people want to build muscle, lose weight or reduce wrinkles and most of the scam products promise to do that for you easily without diet or exercise. The unfortunate truth is that there is no magic formula for quick and easy weight loss, muscle building or wrinkle reduction without diet and exercise, but scammers continue to prey on people looking for that quick solution.  The Federal Trade Commission (FTC) sued Tarr, Inc in 2017.  Tarr used a wide network of online marketers to sell more than forty different bogus weight loss, muscle building and wrinkle reduction products.  Their ads were filled with unsupported claims, phony celebrity endorsements, bogus testimonials and phony news stories touting the products.  Tarr also offered what appeared to be free trials of the products, but then automatically enrolled customers in monthly programs and billed their victims without the consent or knowledge of their victims.   Now the FTC has settled its claims against Tarr.  As a condition of the settlement, Tarr will be paying 6.4 million dollars to the FTC to be refunded to its scammed customers.


For more information about this refund program go to the tab in the middle of the Scamicide home page entitled “FTC Scam Refunds.”  Search for specific information about the refund program by typing in the word “Tarr” at the top right corner of the FTC refund page.

As for weight loss products, the truth is that there are no quick fixes when it comes to weight loss and you should be wary of any product that promises you can lose tremendous amounts of weight quickly without dieting or exercise.  You should also be wary of any weight loss product that is sold exclusively either over the Internet or through mail-order advertisements. The best course of action is to ask your physician about the effectiveness of a particular weight loss product or program before you reduce your wallet in an effort to reduce your waistline.


Scam of the day – February 3, 2019 – New Proposed Legislation to Combat Income Tax Identity Theft

It was only a few days ago on January 28th that the filing season for federal income taxes began and, once again, we can expect income tax identity thieves to be among the first people filing returns.  Income tax identity theft, by which identity thieves file phony income tax returns with counterfeit W-2s using the Social Security numbers and names of their victims is still a major problem for the IRS and taxpayers costing us all billions of dollars each year.  However, when someone has stolen your Social Security number and filed an income tax return using your name, the problem becomes particularly personal.

Regardless of how careful you are about protecting the privacy and security of your Social Security number, the many data breaches that have occurred in recent years have made the Social Security numbers of many millions of us available for purchase by criminals on the Dark Web, that part of the Internet where criminals buy and sell goods and services. In an effort to fight income tax identity theft, bi-partisan legislation has been filed in the Senate by Maine Senator Susan Collins and Alabama Senator Doug Jones that would expand the IRS’ Identity Protection PIN program to include everyone. Presently only taxpayers in Florida, Georgia and the District of Columbia are able to request and obtain a special IP PIN, which is a six digit number issued by the IRS to be included on a tax return in order for it to be processed. The pilot program in these two states and the District of Columbia appears to be effective. The new legislation, entitled the Taxpayer Identity Protection Act, would expand the availability of the IP PIN to all taxpayers who wanted to obtain one.


This proposed legislation will take a long time to be passed and even once passed will be phased in.  So for now, if you live in one of the three jurisdictions where you are able to obtain an IP PIN, I urge you to do so.  As for the rest of us, along with protecting the privacy of your Social Security number as much as possible, the best thing you can do to protect yourself from income tax identity theft is to file your income tax return as soon as possible in order to make sure your return is filed prior to that of an identity thief.  Income tax identity theft only works if the identity thief files a tax return before you do.

If you do become a victim of income tax identity theft, you should file a Form 14039 electronically. You can obtain the form at the FTC’s website where you will be asked questions necessary to automatically complete the form. Once the form is completed, you will be able to review it and, if it meets with your approval, submit the form directly to the IRS through the website. You should also download and print out a copy of the form for your own records as well. You should receive a confirmation from the IRS of receipt of the form within thirty days. You also should file a police report immediately.


Scam of the day – February 2, 2019 – Super Bowl Scams

The Super Bowl, which will be played tomorrow in Atlanta between the New England Patriots and the Los Angeles Rams, promises to be a hugely popular event with an estimated viewing audience of well more than a hundred million people. Every year, it is the most watched television program of the year. But not everyone watches television on their television and while most viewers will be watching the game via cable television, an increasing number of people are cutting the cord and using their computers or smart televisions to stream content and many of these people, particularly people between the ages of 18 and 24, will be watching the game in that manner. CBS Sports, which will be carrying the game, also will be providing a streaming version of the game through CBS All Access, and through Roku, Amazon Fire, Apple TV and Chromecast. But all of these streaming options cost money and some people will be looking to watch the game for free and that is where the problem comes in. Doing a search engine search for free ways to watch the Super Bowl runs the risk of coming up with sites that promise a free streaming of the Super Bowl, but instead provide a free way of unwittingly downloading malware on to your electronic devices such as ransomware or keystroke logging malware that can lead to your becoming a victim of identity theft.

Another scam to be wary of is purchasing official Super Bowl merchandise such as jerseys online.  While it is relatively easy to examine merchandise when you purchase it at a brick and mortar store for the substandard quality of counterfeit merchandise as shown by low quality fabrics, loose stitching and off-center logos, you can never be sure when you buy Super Bowl merchandise online as to whether it is legitimate or not.  In addition, official NFL merchandise will have a hologram tag attached to the item, which is readily apparent in a store, but not when purchasing online.


If you are going to stream the game online use one of the legitimate online sources, such as Roku, Amazon Fire, Apple TV and Chromecast to watch the official CBS broadcast of the game.  It is just too risky to trust a search engine result for a free streaming of the game.  It is important to remember that neither Google nor any of the  other search engines are able to prevent clever scammers from manipulating the algorithms used by the search engines to achieve a high position in a search engine search.  Do the right thing.

As for buying Super Bowl merchandise online, the same rules for purchasing anything online apply.  If the price looks too good to be true it generally is.  Also you are better off buying from established companies with good reputations and always pay with a credit card rather than a debit card because if it is a scam, it is simpler and easier to cancel the order with your credit card at less risk than if your debit card is used for such a purchase.


Scam of the day – February 1, 2019 – Robocalls From Scammers Posing as Utility Companies Threatening Termination of Service

Scams involving utility bills for electric, water or gas services have long been popular with scammers and with much of the country in the grip of cold weather, scammers are using robocalls posing as their targeted victims’ electric utility company threatening to turn off the customer’s power if payment is not made immediately. While this scam occurs everywhere, New England electric company Eversource recently issued a warning to its customers to be aware of this scam. In another version of this scam, potential victims are called on the phone by scammers who tell them that their utility service will be terminated for non-payment unless they pay by credit card or prepaid cards such as iTunes cards over the phone. In a third version of this scam, potential victims receive an email that has a link to take them to their bill.

All of these are scams.  In the first, utilities will not use robocalls to demand immediate payment under the threat of termination of service. In the second, the victim is coerced into giving their credit card or prepaid card information  to a scammer and in the third, merely by clicking on the link to go to the phony bill, the victim ends up downloading keystroke logging malware or ransomware that can lead to identity theft or worse.


You can never be sure when you get an email or a telephone call if it is really from a legitimate source.  Even if you have Caller ID, a scammer can use a technique called “spoofing” to make it appear that the call is from a legitimate caller.  Emails and text messages may also appear legitimate, but can be merely made to appear as if they are coming from your utility company when, in fact, they are coming from a scammer.
Trust me, you can’t trust anyone.  Never provide personal or financial information to anyone in response to a telephone call, text message or email until you have independently confirmed that the communication was legitimate.  In the case of a utility bill, merely call the number on the back of your bill and you will be able to confirm whether or not the communication was legitimate.  Also, never click on links unless you have confirmed that they are legitimate.  The risk is too great.  It is also important to remember that no legitimate utility company will require you to immediately pay your bill over the phone with a prepaid card such as an iTunes card.

A hundred American and Canadian utility companies have formed an organization called Utilities United Against Scams and they have created a Consumer’s Guide to Impostor Utility Scams which provides much information to help you avoid these types of scams.  Here is a link to the guide.


Scam of the day – January 31, 2019 – Concerns About Dual Factor Authentication

One of the primary ways that identity thieves steal from your online accounts such as your online banking is by luring you with phishing emails or more targeted spear phishing emails to either click on links that download keystroke logging malware that will search your computer for the passwords to your accounts or by prompting you to click on a link that takes you to a phony, but legitimate looking website that appears to be that of your bank or some other company where you have an account where you are instructed to insert your password. Mere passwords have not proven to be a particularly secure method of authentication. Many people use simple to guess passwords and even what may appear to be complex passwords can often be identified by sophisticated hackers using password cracking software. Regardless, however, of how strong your password is, if you provide it to an identity thief, the criminal will be able to access your account. It is for this reason that many companies require dual factor authentication, by which when your password is used to access your account, a special code is sent to your smartphone by text message that must be used in order to complete access to the account. This provides dramatically enhanced security. While this may seem to be inconvenient, some dual factor authentication protocols do not require it to be used when you are accessing your account from the computer or smartphone that you usually use, but only require its use if the request to access the account comes from a different device.

Now, however, reports are surfacing of a scam where you are tricked into going to a phony website and inserting your password. The identity thief then uses your password to attempt to log in to your account which prompts your company to send you the special one time code, which the phony website asks you to provide. If you provide this to the identity thief through the phony website, you will have given access to your account to an identity thief.


Passwords are just too vulnerable to be the sole method of authentication for important apps or accounts.  Whenever you are able to use dual factor authentication for a particular website, account or app, you should do so.  However, you should recognize the vulnerability of even dual factor authentication.  If your dual factor authentication only sends a code if access is being attempted from a device that is not your usual phone or computer, it is a red flag if you are sent a one time code when you are accessing your account from your own phone or computer because this is an indication that the website you are on is a phony one and that someone is using the information you provide to access your account from another computer or phone.  As always, remember my motto, trust me you can’t trust anyone.  Don’t click on links unless you are absolutely sure the email or text is legitimate and don’t provide passwords in responses to emails that may direct you to sign-in pages.  If there appears to be some sort of emergency to which you must respond, you should either contact the company by phone directly or go to the website of the real company at an address that you know is correct.

