How to prevent IRS scams

Once a thief knows your Social Security number…you’re at very high risk for having your identity stolen.

A report on bankrate.com says that the IRS is warning of a cyber attack on its electronic filing PIN application. Thieves infiltrated it with malware in an attempt to claim other people’s refunds as their own. Over 450,000 SSNs were involved, and over 100,000 of them enabled the hackers to access an E-file PIN.

Endless scams are directed towards SSNs, like the classic phishing attack. A phishing attack basically goes as follows:

  • An e-mail arrives with an alluring or threatening subject line, which may actually be a warning to protect your SSN.
  • The e-mail looks legitimate, complete with logos and privacy information at the bottom.
  • The hacker’s goal is to get you to fill out a form that includes typing in your SSN.
  • The FTC warns of a “Get Protected” subject line for the latest scam. This scam e-mail mentions the “S.A.F.E. Act 2015” that protects against fraudulent use of SSNs.
  • Like many phishing e-mails, the “Get Protected” one contains fake information.
  • These e-mails include a link that, when clicked, will release a virus, or take you to a website that will download a virus or lure you into revealing sensitive information.

Three Ways to Get Scammed

Most people make important decisions based on emotion. Cyber thieves know this, and they prey on fear, greed and generosity.

  • People aren’t thinking straight when emotions are ruling. Logic gets swept under the rug. There’s pressure to act quickly, such as helping the scammer (who pretends to be a grandchild of the victim) who was in an accident: wire money ASAP. Natural disaster scams prey on the desire to give. The emotion of greed is manipulated in “You’ve Won!” and inheritance scams.
  • Of course, before the fraudster plays with emotions like a cat playing with a mouse, he first gains your trust, pretending to like the same things you do, whatever it takes so that you don’t question him.
  • Scammers are adept at appearing credible, such as tricking your caller ID into showing “IRS” or the name of your bank in the ID field. They may have a snazzy website up, a “badge number,” noise in the background to simulate a call center, even a fake accent.
  • Remember, scammers are pros. It’s going to seem legitimate.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing identity theft prevention.

How to freeze your Child’s Credit

Identity thieves are after children’s Social Security numbers. With this number, a thief can do so many things like open a credit card account and rent an apartment. Kids’ SSNs have great appeal to crooks because:

  • A child’s record is usually very clean.
  • This means fertile opportunities for new credit lines.
  • Kids usually don’t check their credit reports and thus the fraud can go undetected for years.

Parents should consider putting a freeze on their kids’ credit. Simply getting the credit monitored will not prevent thieves from opening accounts using the child’s SSN. A freeze does literally that: blocks a fraudster from doing anything.

Experian

  • Will not create a file for a child unless state law requires it or the child has been victimized.
  • However, will give a free copy of an existing file of a child to the parent and will freeze it upon request.
  • There may be a very small fee unless the parent provides proof that the minor’s identity was stolen.

Equifax

  • Their freeze is free and doesn’t answer to any state requirements.
  • The child need not already be a victim of ID theft to get the freeze.

TransUnion

  • Their site allows parents to check for a credit file of their kids.
  • Freezes are permitted only in states that allow this. Fees may apply.

Innovis (another credit reporting agency)

  • Parents can place a freeze no matter what their state says.

Not all the states provide protection for minors’ credit. Find out what your state’s requirements are, as some, for instance, provide only a flag on the Social Security number. Other states have protection going up only to age 16.

Signs that someone is using your child’s SSN:

  • You receive an IRS notice claiming your child didn’t pay income taxes.
  • You get an IRS notice informing you that another tax return used your child’s SSN.
  • You receive collection notices for things you didn’t purchase.
  • Rejection of government benefits because the benefits are going to another account with your child’s SSN.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

How to protect your network from malicious insiders

You may be putting your company at risk simply by hiring a new employee. Why? Because that person could have a hidden, malicious agenda.

This is known as an insider threat, and it means that someone within your organization is planning or conducting activities meant to harm the company.

There is a pattern that most insider threats use: The first step is to gain access to the company’s system. Once they have access to the network, they will investigate it and seek out any vulnerable areas. The malicious insider then sets up a workstation to control the scheme and spread the destruction.

What type of destruction can you expect? The hacker could introduce malware or they could steal or delete critical information, all of which can be damaging to your business. Fortunately, there are ways to protect your business from these types of hacks.

Most companies protect their IT systems with firewalls, anti-virus programs, data backup software and even spyware-scanning technology. The problem is that these technologies only work when hackers are trying to get information from the outside.

One way to protect against insider threats is to ensure that employees can only access the data necessary to do their jobs. You should look at the flow of data throughout the organization to determine how information is shared and where it becomes vulnerable to theft or other security breaches. Then work with each department to implement the proper security controls.

The process of preventing data loss begins with discovering the data, classifying it, and then deciding how much risk your company may face if the data gets out. Some of the tools and procedures you may want to consider for protection include:

  • System-wide encryption
  • Password management
  • Device recognition
  • Access controls
  • Data disposal

It’s important to create security policies and procedures that are easy for employees to understand. The more transparent these policies are, the more effective your departments will be when communicating what they want and need.

How can you mitigate insider threats? Tune into the Carbonite webinar that I’ll be hosting live on Wednesday, March 15th at 11 am ET, to learn how. Register here: http://go.carbonite.com/security-threat/blog

Consultant Robert Siciliano is an expert in personal privacy, security and identity theft prevention. Learn more about Carbonite’s cloud and hybrid backup solutions for small and midsize businesses. Disclosures.

Location Apps make it easy for Thieves

If you’re using the app Strava, for example, your bike could get stolen, says a report on the manchestereveningnews site. Strava, like many other location apps, isn’t the bad guy here.

Bicyclists in Greater Manchester are being warned that Strava’s tracking could lead thieves to their bikes and even homes. That’s because it’s already happened. One man had two bikes stolen after Strava tracked his ride and led the crooks to his garage.

It’s easy to see how this happens. The users simply post their location activities, often to and from their homes and they broadcast this data via the apps and social sites.

Why do people have this app in the first place? Cyclists and runners want to share route information and compare times, says the article. The application is a social media venue for cyclists and runners.

The aforementioned man had made his bike model and home address public on his smartphone without using privacy settings. The brazen thieves broke into his garage, perhaps overnight, and took only the bikes even though there was other loot present such as valuable tools. Hmmm, it can’t be coincidence. Bikes can cost hundreds to thousands of dollars.

Strava has security settings to set privacy zones. USE THEM. The victim recommends starting your tracked route a few hundred yards from your home to throw off any potential thieves. And end the tracking a few hundred (or even more) yards from your house as well.

A spokesperson from Strava explains that the privacy settings are easy to use. How much of the user’s information gets out there can be constrained. Many people don’t bother with the security settings of applications and just dive into these tools without a second thought.

But assume that there’s always someone else spying on the personal information that’s being made public by a naïve user.

A privacy zone means that you can set up cyber barriers around your house so that thieves will not be able to see where your start and finish locations are.

As for the man whose two bicycles were stolen out of his garage, he has since purchased a new bicycle (and the stolen ones were very pricey, by the way—something that the thieves certainly knew once they saw the publicly shared model number). But don’t wait for your property to get stolen before you realize the importance of any app’s security settings.

Robert Siciliano personal and home security specialist to BestHomeSecurityCompanys.com discussing burglar proofing your home on Fox Boston. Disclosures.

How long does Information stay on Credit Reports?

If you are concerned how long any negative information will remain on your credit report, it takes seven years from the Date of the Last Activity (DLA) before the item is deleted from your records (and seven to 10 years for bankruptcies). This is a very common question posed to credit reporting agencies.

Credit reporting agencies get your information (bad or good) from lenders and collection agencies. The reporting agencies simply compile the information that comes to them.

Consumer Statements

The credit report may contain not-so-appealing information about a dispute that you were involved in that did not see a resolution. For no fee, you can file a statement with the credit reporting agency, summarizing the situation in a brief fashion. At any rate, you can make a request for the dispute information to be removed from your record, and there is no fee or required timeline for this.

Collection Accounts

These stick around for seven years out from the first past-due date for the payment.

Judgments

From the date filed, it’s seven years.

Credit Accounts

These will stay on your record up to a decade from the DLA. If you fail to pay, it will be on your record for seven years from the first past-due date. So you’re looking at seven years for records of delinquent payments.

Inquiries

When entities like businesses get a copy of your credit file, this inquiry report stays on the record for one or two years. Another type of inquiry relates to promotional offers of credit lines; they’re gone in a year. Inquiries do not affect your credit score.

Tax Liens (Paid and Unpaid)

From the date these are paid, it’s seven years. However, unpaid ones are on the record forever.

Robert Siciliano personal and home security specialist to BestHomeSecurityCompanys.com discussing burglar proofing your home on Fox Boston. Disclosures.

Beware of Amazon’s scary Customer Service Hack

Do you shop at Amazon.com? Are you aware they have a back door through which hackers can slip in?

Let’s look at Eric’s experience with hackers and Amazon, as he recounts at medium.com/@espringe.

He received an e-mail from Amazon and contacted them to see what it was about. Amazon informed him that he had had a text-chat and sent him the transcript—which he had never been part of.

Eric explains that the hacker gave Eric’s whois.com data to Amazon. However, the whois.com data was partially false because Eric wanted to remain private.

So Eric’s “fake” whois.com information wasn’t 100 percent in left field; some of it was true enough for the customer service hack to occur, because in exchange for the “fake” information, Amazon supplied Eric’s real address and phone number to the hacker.

The hacker got Eric’s bank to get him a new copy of his credit card. Amazon’s customer service had been duped.

Eric informed Amazon Retail to flag his account as being at “extremely high risk” of getting socially engineered. Amazon assured him that a “specialist” would be in contact (who never was).

Over the next few months, Eric assumed the problem had gone away; he gave Amazon a new credit card and new address. Then he got another strange e-mail.

He told Amazon that someone was impersonating him, and Amazon told him to change his password. He insisted they keep his account secure. He was told the “specialist” would contact him (who never did). This time, Eric deleted his address from Amazon.

Eric became fed up because the hacker then contacted Amazon by phone and apparently got the last digits of his credit card. He decided to close his Amazon account, unable to trust the giant online retailer.

  • Frequently log into your account to check on orders. See if there are transactions you are unaware of. Look for “ship to” addresses you didn’t authorize.
  • Amazon’s customer support reps should be able to see the IP address of the user who’s connecting. They should be on alert for anything suspicious, such as whether or not the IP address is the one that the user normally connects with.
  • Users should create aliases with their e-mail services, to throw off hacking attempts. In other words, having the same email address for all your online accounts will make it easy for them to be compromised.
  • If you own domain names, check out the “whois” info associated with the account. It may be worth making it private.

Be very careful when sharing information about yourself. Do not assume that just because a company is a mega giant (like Amazon), it will keep your account protected from the bad guys.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Popular Passwords make it easy to hack You

Your account passwords should be as unique as your fingerprint—to make them less hackable by crooks using password-guessing software that can run through millions of possible combinations in just minutes. And if you have an easy password, there may be a hit within 10 seconds.

Think this software can figure out your password of “password1” or “monkey”? These are among the most used passwords. Needless to say, so is “1password” and just “password.” And “login.” What are people thinking?

Every year, millions of passwords are stolen. These are made public by researchers, in order of popularity. Hackers see this list. If you don’t want to get hacked, then avoid using the following passwords (this list is very incomplete):

  • 123456 (avoid ANY numerical sequence)
  • qwerty (avoid ANY letter sequence)
  • 123456789 (long sequences are just as bad as shorter ones)
  • Football (hackers know that tons of passwords are a name of a popular sport)
  • abc123 (combining different keyboard sequences doesn’t toughen up the password)
  • 111111 (how lazy can you be?)
  • 1qaz2wsx (vertical sequences are vulnerable too)
  • master, princess, starwars (give me a break)
  • passw0rd (wow, so creative!)

Don’t even bother with names of animals, countries, cities, famous music bands or people names. Even combining these won’t help, such as EmilyParis. If any component of the password can be found in a dictionary, change it.

Using a unique, different and strong password for all of your accounts goes a very long way in protecting yourself from hackers—and that means a different password for every account/site, not just a strong and original one. A hacker’s software will take millions of years to crack a password like 8guEF$#gG2#&4H.

Now suppose you have 15 passwords like this (for 15 accounts). How do you remember them all, being that they’re a crazy jumble of all sorts of characters?

Use a Password Manager

  • Solves the problem of having to remember (and type in) many different whacky combinations of characters.
  • Creates complex, hard-to-crack passwords.
  • Stores all the passwords and allows you to use one master password.
  • Eliminates having to reset passwords.

But feel free to make some of your passwords up. So if your favorite movie is the original “Star Wars,” your different passwords might be:

  • iLVth1st*wrz!FB (FB being for Facebook)
  • iLVth1st*wrz!A2Z (A2Z being for Amazon)
  • iLVth1st*wrz!$$ ($$ being for your bank)

Passwords should be at least eight characters.
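
The weak patterns this post lists (popular passwords, numeric and keyboard sequences, vertical sequences, character swaps such as “passw0rd,” and dictionary components) can be screened for before a password is accepted. The following is an added example, not code from the original post; the word lists are small constructed samples and the function names are hypothetical.

```python
# Added example: screens a candidate password for the weak patterns listed above.
# COMMON and WORDS are small constructed samples, not a real breach corpus.
COMMON = {"123456", "qwerty", "123456789", "football", "abc123", "111111",
          "1qaz2wsx", "master", "princess", "starwars", "passw0rd",
          "password", "password1", "1password", "monkey", "login"}
WORDS = {"emily", "paris", "monkey", "football", "password", "login",
         "master", "princess", "star", "wars"}
# Keyboard rows plus the alphabet, used to spot horizontal sequences.
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",
        "abcdefghijklmnopqrstuvwxyz"]
# Vertical keyboard columns, the building blocks of "1qaz2wsx".
COLUMNS = ["1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm"]
# Undo common character swaps so "passw0rd" is compared as "password".
LEET = str.maketrans("013457@$", "oleastas")


def has_sequence(text, run=4):
    """True if text holds `run` adjacent keys of a row, in either direction."""
    for row in ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + run] in text for i in range(len(seq) - run + 1)):
                return True
    return False


def weaknesses(password):
    """Return the set of weak-pattern labels that apply to `password`."""
    p = password.lower()
    plain = p.translate(LEET)  # swap-normalized form for word matching
    found = set()
    if len(password) < 8:
        found.add("short")
    if p in COMMON or plain in COMMON:
        found.add("common")
    if len(set(p)) == 1:
        found.add("repeat")
    if has_sequence(p):
        found.add("sequence")
    if any(col in p for col in COLUMNS):
        found.add("vertical")
    if any(word in plain for word in WORDS):
        found.add("dictionary")
    return found


if __name__ == "__main__":
    for candidate in ["123456", "1qaz2wsx", "EmilyParis", "P@ssw0rd2024",
                      "8guEF$#gG2#&4H"]:
        labels = sorted(weaknesses(candidate)) or "no listed pattern"
        print(f"{candidate!r}: {labels}")
```

An empty result only means none of the listed patterns matched; it says nothing about whether the password has been reused or already exposed.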

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing identity theft prevention.

Bank Tellers stealing Identities

Ever consider the possibility that a person gets a job as a bank teller…for the sole purpose of stealing a patron’s identity?

Do you realize how easy this would be?

  • No techy hacking skills required.
  • No gun required.

So we’ve all been instilled with fear of our bank getting data breached by Russian hacking rings, while that mousy looking teller with the sweet smile could be your greatest threat.

A nytimes.com article points out that a teller from Capital One had gained access to seven accounts and gave information to a co-thief who drew checks on these accounts.

Tellers can fake debit cards and wire unauthorized funds. They can also sell personal data to other thieves.

The nytimes.com article says that a teller was part of an ID theft ring that stole $850,000. The idea of tellers committing these thefts is very real. One teller even took photos with a cell phone of account data to cash phony checks. Another thief, who worked at a credit union, took loans out in customers’ names.

There are many ways that tellers can steal, including creating credit cards in customers’ names. Tellers may also be easily bribed by thieves to sell them customer information, as the tellers’ income isn’t that great, averaging about $25,000 a year.

The thieves, who bribe the tellers, don’t necessarily pay them with money. They may offer them luxuries that the teller can only dream of, such as flying in private jets and meeting famous athletes, says the nytimes.com report.

And if you think that banks require rigorous background checks for new teller hires…think again. Furthermore, continues the article, savvy thief-tellers will keep their fraudulent withdrawals under $10,000, to keep below the detection radar. These sneaks can get away with this for years.

The general rule of thumb is that tellers have way too much access to customers’ data, and banks are lax at correcting this problem beyond simply reimbursing customers with their stolen money. The banks don’t want to invest the money and time in straightening out this problem, though a small number of banks have implemented tighter controls on tellers.

But what can we, the customer, do? We just have to keep our fingers crossed? The most effective way to prevent fraud is to do two things:

  1. Go over your account’s security controls with a bank advisor. Set up limits on transactions, require second signatures for large dollar amounts, and restrict any money flow that could cause financial harm.
  2. Set up alerts and notifications, so you, the account holder, can become fully aware of every transaction of any kind.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.