Criminals Prefer Pheasting on Phish Over Spam

Most of us are aware of spam, and while we may think it’s just an annoyance, what’s really dangerous about it is the fact that most spam is a phishing attempt. Phishing is when cybercriminals attempt to fraudulently acquire your personal information, such as passwords and credit card details, by masquerading as a trustworthy person or business in electronic communications, such as email, texts or instant messages.

Criminals have long known there’s a sucker born every minute. In fact, more than 9 million households have had at least one member who gave up their information to phishers. And in the first half of 2012, these cybercriminals netted over $680 million, which may be one of the reasons that McAfee Labs™ saw the average number of phishing sites found each day increase by 70% between January and September of 2012. They also found 3-1/2 times more phishing URLs than spam URLs for the first time ever. This means spam is losing favor (and flavor) to phishing as cybercriminals are tossing out wide phish nets.

Here’s a graphic that explains how phishing works:


There are no depleted phish stocks in the sea of scamming, so to protect yourself from phishing you should:

Be suspicious of emails that ask for personal or financial information. Most banks and legitimate businesses will not send you an email asking you to provide this type of information.

If you suspect that an email or chat message may not be authentic, or you don’t recognize the sender, do not click any links included in the message.

Check your bank, credit and debit account statements regularly for any unauthorized transactions. If you notice any suspicious or unfamiliar transactions, contact your bank and/or card issuer immediately.

Make sure to keep your browser and operating system up to date and install any necessary security patches.

Use comprehensive security software, like McAfee All Access, on all your devices and make sure they include a safe search tool that identifies risky websites in email, chat, social networking sites and search engine results to protect you from phishing.

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! (Disclosures)

Protect Yourself from Tax Time Scams

Tax season is now upon us, and more than ever, we are opting for the convenience of filing taxes online (81% of us did in 2012). While filing online may be faster and more convenient, there is also some risk that you need to be aware of. During 2012, the IRS discovered $20 billion of fraudulent refunds, including those related to identity theft, compared with $14 billion in 2011.*

Hackers have developed sophisticated methods to gain access to your financial information, and they are targeting consumer and small to medium sized business owners. Consumers and small businesses are the low-hanging fruit—the path of least resistance—because they don’t usually have as much security in place as larger companies.

The number of daily targeted attacks specifically aimed at small and midsize businesses more than doubled in the first six months of 2012. One of the best ways to help protect yourself is to be aware of these tax time scams. Some of these are:

Phishing scams: Unsolicited emails that appear to be from the IRS or an organization closely linked to the IRS, such as the Electronic Federal Tax Payment System (EFTPS), asking for personal information or stating you are being audited, are not to be trusted. The IRS does not contact taxpayers by email or social media tools. You should report this by sending the email to . You may also see phishing scams from online tax companies like the recent TurboTax scam.

Fake IRS agents: Beware of scammers posing as IRS agents. They contact you via phone or email, and are often prepared with a few personal details (most likely garnered from your trash or social media sites), which they use to convince you of their IRS affiliation. If you are suspicious, check the IRS phishing page at to determine if it is a legitimate IRS notice or letter.

Rogue tax preparers: Be careful who you use if you have someone prepare your tax return for you. Some of these return preparers have been known to skim off some of your refund or charge inflated fees for getting you a larger return. Make sure you use a reputable service if you are not doing your own taxes.

Here are some additional tips that you should follow to protect yourself when filing online:

Protect your data. This means that all sensitive documents, including anything that includes tax or investment records, credit, debit or bank account numbers, or a Social Security number, must be secured from the moment they arrive in your mailbox.

Shred non-essential paperwork. Check with your accountant to determine what you need and what you don’t. Use a cross-cut shredder to destroy unneeded documents.

Go paperless. Whenever possible, opt to receive electronic statements in your inbox. The less paper in your life, the better.

File early. The earlier you file, the more quickly you will thwart any criminal’s attempt to file on your behalf and collect your refund.

Use a clean PC. Make sure you are not using a computer that is infected or does not have any security software. You should also make sure that the computer’s operating system and browser are updated and that you use up-to-date, comprehensive security software like McAfee All Access that protects all your devices.

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! (Disclosures)

Iran Blocking VPNs on its Already Strangled Internet

Free societies really have no idea what it’s like to live in a censored and controlled nation that locks down the internet and filters what citizens are allowed to consume.

Imagine wanting to login and research information on health or find a friend online or simply watch some funny videos on YouTube…only to discover that your government doesn’t allow it.

In Iran, the UK-based group Small Media reported, “Prominent Persian-language websites and other online services have been filtered one by one, and communications with external platforms is becoming progressively more difficult.”

Iran isn’t the only country like this. Countries with some kind of internet censorship are frequently Middle East and North Africa (MENA) countries, as well as some countries in Southeast Asia and China. Specifically, Saudi Arabia, UAE, Qatar, Bahrain, Yemen and others in the MENA region block a lot of content and often communication applications like Skype, Viber and social media sites. Pakistan has blocked YouTube; in Vietnam, some ISPs block Facebook; some Central American countries block communication apps as well.

Reuters reports, “A widespread government internet filter prevents Iranians from accessing many sites on the official grounds they are offensive or criminal.”

“Many Iranians evade the filter through use of VPN software, which provides encrypted links directly to private networks based abroad, and can allow a computer to behave as if it is based in another country.”

“But authorities have now blocked ‘illegal’ VPN access, an Iranian legislator told the Mehr news agency on Sunday. Iranian web users confirmed that VPNs were blocked.”

It’s not just users in Iran who rely on US or European-based services that enable them to tunnel around government censorship.

Robert Siciliano is an Identity Theft Expert. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him discussing internet and wireless security on Good Morning America. Disclosures.

The Top 6 Sources of Grey Charges

Those out-of-the-blue credit card charges that sneak up on us and require our time, attention, persistence and aggravation to squelch are called grey charges. Thanks to these insidious leaks, millions of people lose billions of dollars.

Sleazy, scheming merchants have perfected the art of the grey charge by capitalizing on the fact that we don’t pay attention to the fine print and often do not pay much attention to our statements, either. But by being aware of these scammy sales techniques, you can avoid getting caught up in a vicious circle of grey charges.

Here are the top six sources of grey charges:

#1 Unknown subscriptions. In the process of checking out during an online transaction, you might check or uncheck a box in regard to an offer or discount. Either way, a few months later you start getting charges for services you never wanted or ordered.

#2 Zombie subscriptions. After you recognize a grey charge for an unknown subscription, you might get the charge removed—only to find out months later it’s back from the dead and you’re being charged again.

#3 Auto-renewals. When signing up for a service that bills you monthly, quarterly or annually, a forthright retailer will let you know when your renewal date is coming and will inform you of upcoming charges. But shady companies don’t say a word and re-charge you without notification, sticking you with the bill even after you complain—all because you were “too late.”

#4 Negative-option marketing. When buying a product, you ultimately buy a suite of services you never wanted.

#5 Free to paid. When you get something “for free” and still have to cough up your credit card, there is always a catch. That catch is usually in the form of ongoing charges that are difficult to remove.

#6 Cost creep. The initial purchase price might have been $9.99 for the first three months, but then it becomes $19.99 a month thereafter. Then the merchant tacks on an annual $99.99 membership fee. Then you want to crawl through the phone and choke someone.

Stay out of trouble by keeping these tips in mind:

  • Pay attention. Nothing is free.
  • Monitor your purchases. Know what you’re getting into.
  • Check statements biweekly. Look for grey charges.
  • Sign up for BillGuard to watch your statements. It’s free, easy and effective.

Robert Siciliano is a personal security expert & advisor to BillGuard and is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video. Disclosures.

Fake Friends Fool Facebook Users

The word friend is defined as “one who entertains for another such sentiments of esteem, respect and affection; an intimate associate.” But that definition seems to have gone out the window with the advent of social networks.

Studies show 50% of people will accept a Facebook “friend” or LinkedIn invitation from a total stranger. So do you consider the hundreds of friends on these social networks as people who you have an intimate affection for? Probably not.

This is why fraudsters have set up 15 million fake profiles that are used for spam and fraud. Just about anyone can set up a fake account on just about any website. Facebook and other social media sites are popular targets due to the amount of users on those sites and how much time people spend on those sites.

People share an awful lot of information including their birth date, high school, email, phone number, pet’s name, kids’ names, maiden name and more on social networking sites. The fraudsters then use this information to send you phishing messages to try and get access to your accounts and passwords. And, since these messages appear like they “know” you, they seem more legitimate and you are more apt to trust the message.

What can you do? Be a good friend to yourself and your true friends. Protect yourself.

Only friend people you know in the physical world, ones that you like and trust.

Beware of offers with the word “free” or that sound too good to be true.

Stop and think before you click. Be wary of links in chat, text and email as this is one of the main ways hackers can “hook” you.

Protect your devices. Use up-to-date, comprehensive security software on all your devices that has a safe search plug-in to protect you from going to malicious sites.

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! (Disclosures)

10 Tips for a Safe and Secure Spring Break

Spring has arrived, and students are gearing up to head to warmer climes and tear it up on spring break. Coming from a dad who a) tore it up a bit at that age himself and b) lives and breathes safety/security, I have a few tips, from low tech to high tech, to keep teens and twentysomethings from getting into trouble, becoming victims or having their identity stolen, which, believe me, will put a real damper on a vacation.

#1 Don’t be stupid. I know this is easier said than done. Anyone who plans a spring break trip which involves partying amongst thousands of other teens is actually planning on getting stupid. That’s not a successful plan. Make smart choices and be careful.

#2 Eat. You’re probably going to be consuming alcohol. Eat and eat often. Alcohol is poisonous; food absorbs the poison and can help prevent you from getting sick or too intoxicated (in-toxic-ated).

#3 Moderation. Everything in moderation, including alcohol. Negative side effects of too much alcohol can mean bad hangovers or even death.

#4 Cover your drink. There are lots of idiots who think it’s fun and funny to drug people by slipping drugs into drinks. Get your own drink and cover it up with your hand or a napkin.

#5 Use the buddy system. Never leave a friend alone, especially if he or she is inebriated.

#6 Use a designated driver. Seriously. Or cab it.

#7 Watch out for aggressive people. It is a sad fact that too much alcohol makes men get aggressive and women sometimes become vulnerable. Beware of this and don’t become a Spring Break statistic.

#8 Protect your wallet. Cash, credit cards, IDs, etc. should go in your front pocket. Have a photocopy of everything accessible online.

#9 Locate/Lost/Wipe. Install software to locate or wipe a lost mobile device, and make sure it’s password protected.

#10 WiFi security. Whether on a mobile, tablet or laptop, you’re going to be connected to the internet at some point. And just like there are predators out there waiting for you to slip up so they can take advantage of you, there are criminal hackers looking to swipe your wireless data and access your accounts to steal your identity. Download Hotspot Shield VPN for your iOS, Android, PC and Mac to encrypt all your wireless internet traffic.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield VPN. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him discussing internet and wireless security on Good Morning America. Disclosures.

What is a Botnet?

The word botnet or bot is short for robot network. A botnet is a group of Internet-connected personal computers that have been infected by a malicious application (malware) that allows a hacker to control the infected computers or mobile devices without the knowledge of the device owners. When malware is launched on your computer or mobile device, it “recruits” your infected device into a botnet, and the hacker is now able to remotely control your device and access all the data on your device.

A botnet can consist of as few as ten computers, or tens or hundreds of thousands. Millions of personal computers are potentially part of botnets. Computers that aren’t properly secured are at risk of being turned into bots, or zombies.

Consumers’ and small businesses’ relaxed security practices give scammers a base from which to launch attacks, by allowing them to create botnets without being detected. Hackers use botnets to send spam and phishing emails and to deliver viruses and other malware, and thus make money.

Here’s a graphic that explains how your device could easily become a “zombie” computer or part of a botnet.


To stay protected, you should:

Don’t click on links from people you don’t know

Be cautious downloading content from peer-to-peer sites

Be wary of free downloads (is it really free?)

Keep your operating system and browser updated

Make sure you have updated security software for all your devices, like McAfee All Access

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! (Disclosures)

Grey Charges Are Upsetting—and Legal

Disclosure notices on websites, advertisements and in the terms of an agreement when making a product purchase are often complicated and confusing. Companies know this and take advantage of consumers, figuring potential purchasers don’t have the time, inclination or knowledge of the legalese that goes along with the fine print. Embedded deeply in the disclosure is the exact nature of credit card charges—and really, has anyone ever read that? My best guesstimate is that 95 percent of the population hasn’t, which is why 95 percent of unwanted credit card charges are considered “grey charges.”

Because the legalese spells it all out (and trusting consumers sign on the dotted line), grey charges are not illegal—which by default makes them legal. However you slice it, I’m sure we can all agree that grey charges are upsetting, sleazy, sneaky and deceptive. More than once I’ve yelled and screamed at a customer service representative who gave me a million reasons under the sun as to why I wasn’t entitled to a reversed charge on my credit card. Grey charges cost more than time and money; they also cost users personally through the very expensive commodity of emotional bandwidth.

Companies exercising their grey charge rights (however wrong they may seem to the rest of us) are well-known legal entities that many of us do business with every day. They make billions of dollars confusing and deceiving customers into paying, and consumers are mostly uninformed—until now.

Companies engaged in this behavior know levying grey charges is legal, but unethical. But when they are making so much money, they aren’t about to stop. Consumers are ultimately responsible for checking their credit card statements and looking for grey charges. But according to BillGuard, few credit card holders—1 in 10—rarely, if ever, look at their statements.

Don’t get taken! Here’s how to outwit the grey chargers:

  • Scrutinize your statements carefully
  • Demand refunds when grey charges occur
  • Threaten a “chargeback,” which is a transaction in which a bank pulls money back out of a merchant’s account
  • Get BillGuard to do all the worrying for you—and get back your peace of mind

Robert Siciliano is a personal security expert & advisor to BillGuard and is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video. Disclosures.

Identity Theft on the Rise…Again

According to a report released by Javelin Strategy and Research and another by the FTC, the incidence of identity fraud increased in 2012 for the second consecutive year, affecting 5.26 percent of U.S. adults. This increase was driven by dramatic jumps in the two most severe fraud types, new account fraud (NAF) and account takeover fraud (ATF).

Key findings from the FTC’s report:

  • Over one million complaints were fraud-related. Consumers reported paying over $1.4 billion in those fraud complaints; the median amount paid was $535.
  • Fifty-seven percent of all fraud-related complaints reported the method of initial contact. Of those complaints, 38 percent said e-mail, while another 34 percent said the telephone. Only 9 percent of those consumers reported mail as the initial point of contact.

Key findings from Javelin’s report:

  • Identity fraud incidents and amounts stolen have increased. The number of identity fraud incidents increased by one million more consumers over the past year, and the dollar amount stolen increased to $21 billion—a three-year high, but still significantly lower than the all-time high of $47 billion in 2004. This equates to one incident of identity fraud every three seconds.
  • One in four recipients of a data breach notification became a victim of identity fraud. This year, almost 25 percent of consumers that received a data breach letter became a victim of identity fraud, which is the highest rate since 2010. The study found consumers who had their Social Security number compromised in a data breach were five times more likely to be a fraud victim than an average consumer.
  • Small retailers are losing out. Fraud victims are more selective where they shop after an incident, and small businesses were the most dramatically impacted. The study found that 15 percent of all fraud victims decided to change behaviors and avoid smaller online merchants. This is a much greater percentage than those that avoid gaming sites or larger retailers.

With iovation’s services, when computers or mobile devices with fraudulent histories connect to a retailer’s website, the business is alerted in real time. If velocity or geolocation alerts are triggered, the retailer knows that too, also in real time. The company maintains a living database of device intelligence, sharing the data across its global base of finance, gaming, travel, shipping, dating, and retail clients. Information is shared in order to detect fraudulent activity as soon as possible—before a product is shipped and chargebacks and fees are incurred. iovation calls it device reputation; I call it another bit of common sense for retailers.

Robert is a personal security and identity theft expert contributor to iovation. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! Disclosures.

Fighting the Cyber Intelligence Sharing and Protection Act (CISPA)

All my life I’ve been hearing about Big Brother. For those unfamiliar with the term, coined by George Orwell in his 1949 masterpiece, Nineteen Eighty-Four, Big Brother is the embodiment of a society under complete surveillance by its government. But it’s not fiction; in fact, our everyday activities are being monitored, today, right now, either by self-imposed technology or the ever-present Big Brother.

Traditionally, documenting our existence went like this: You’re born, and you get a medical and a birth record. These documents follow you throughout your life, filed and viewed by many. You must present these records in order to be admitted to a school, to be hired, or to be issued insurance. You get a Social Security number shortly after birth, which serves as your national identification. These nine digits connect you to every financial, criminal and insurance record that makes up who you are and what you’ve done. Beyond that, it’s all just paperwork.

And now comes CISPA, a proposed law in the United States that would allow for the sharing of internet traffic information between the U.S. government and certain technology and manufacturing companies. The stated aim of the bill—which has been revived after being defeated last year in part because of widespread public protest—is to help the U.S. government investigate cyberthreats and ensure the security of networks against cyberattacks.

The Electronic Frontier Foundation adamantly opposes CISPA and calls the proposed legislation “a poorly defined ‘cybersecurity’ exception to existing privacy law. CISPA offers broad immunities to companies who choose to share data with government agencies (including the private communications of users) in the name of cybersecurity. It also creates avenues for companies to share data with any federal agencies, including military intelligence agencies like the National Security Agency (NSA).”

I’m all for more security. But I’m not sure the CISPA bill has been well thought out. The implications of this bill and the potential for abuse are scary. Whether CISPA is passed or not, consumer privacy is eroding on a daily basis. Every time we connect to the internet, our IP address is revealed. An IP address is kind of like an online Social Security number, which can be tracked or traced back to you. Masking this address with a virtual private network (VPN) is the first step toward locking down your online identity and personal information. The second is to call, write, or tweet your congressperson urging them to vote “No” on this bill.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield VPN. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him discussing internet and wireless security on Good Morning America. Disclosures.