A Guide to How Hackers Hack

You have surely heard of hackers, but do you really know how they work? Hackers are well known for being bad guys, though there are certainly good hackers out there too. Here’s a brief guide to help you understand how a hacker can hack:

Directions for Hacking are Easy to Come By

Hackers don’t have to look far for help, especially if they don’t know much about hacking. First is the well-known Kali Linux website. It has a ton of tools available for hackers, and the site features many links to other hacking resources. Of course, people who want to hack often go to YouTube, and there are more than 300,000 videos there that teach people how to hack. There are also thousands of other websites out there with easy-to-follow hacking instructions, and you can find them in about a minute.

Software is Easy to Find, too

Directions for hacking are one part of it, but there is also software available that makes the job of hacking quite easy. Here are some of the options available:

  • Cain & Abel – This tool helps a hacker intercept traffic on a network; the hacker can then use that information to get passwords, which helps them get into accounts. More than 400,000 people have downloaded this software.
  • Burp Suite – Hackers use this tool to map out the structure and pages of a website, and then they use the information to attack the site.
  • John the Ripper – People use this tool for dictionary attacks. Basically, it takes text strings, encrypts them, and then uses the information for an attack.
  • Angry IP Scanner – This is a free tool that allows the user to scan a network for open ports. Once they find one, they can easily gain access.

Hackers Also Use Hardware

In addition to downloading software for hacking, it’s also possible for hackers to use hardware. One is called Wi-Fi Pineapple, which is a small, portable object that the hacker can use with any hotspot. They use it to find a laptop that is searching for an access point. Once the Pineapple sees an open connection, the hacker can read texts, emails, and see what websites you are viewing.

Protect Yourself from Hacks

There are many things that you can do to protect yourself from hackers. First, make sure you are using an encrypted website, one with HTTPS instead of HTTP in the address. Also, consider using a VPN when browsing. This encrypts your data so a hacker cannot read it. There’s a ton more to do. Go here: https://safr.me/blog/

ROBERT SICILIANO CSP, is a #1 Best Selling Amazon author, CEO of CreditParent.com, the architect of the CSI Protection certification; a Cyber Social and Identity Protection security awareness training program.

SIM Swapping: What You Need to Know

Have you heard of SIM swapping? It’s a new trick that hackers are using to get money and mess up your life.

What is SIM Swapping?

So, what is SIM swapping? It’s when a hacker tricks your cell phone company into thinking that you have activated your SIM card on another phone. In other words, the hackers are taking your phone number and then associating it with a different SIM card. If the switch is a success, your device will be deactivated, and all of your phone calls, texts, data, and more will come to the hacker. This means, of course, that the hacker could get access to any account, including your bank account, and could even totally lock you out of your accounts.

How the SIM Swap Scam is Identified

A hacker doesn’t need your device to do a SIM swap. It can all be done remotely, as long as they can convince your service provider to do it. How do they convince your service provider? They give them information about you, such as your birthday, Social Security number, or account number. They can easily get this information from your mail, email, or account.

So, how do you know if you have been the target of a SIM swap? Generally, it’s when you see weird behavior from your phone, like the inability to send texts or make calls for no reason.

Preventing a SIM Swap

There are a number of things that you can do to prevent a SIM swap. Here are some tips:

  • Start with your online mobile account – Bad guys accessing your online mobile account can own you easily. Set up two-factor and use a hard to crack
  • Watch for Phishing – Most scammers get the information they need to SIM swap by using phishing emails. These are fake emails that are sent to potential victims, and might have weird links, fake login screens, or other methods for tricking people into giving up their info.
  • Don’t Share Your Info Online – Another thing to do is to watch what you share online. Scammers can also get information from what people share with others on social media, etc.
  • Protect Your Accounts – Check all of your accounts for security and consider setting up two-factor authentication, using hard-to-guess passwords, and unlinking your phone from your accounts.

Are You a Victim of a SIM Swap?

If you are a victim of a SIM swap, there are certain things you can do:

  • Contact law enforcement, your bank, the three credit bureaus, and your cell phone provider.
  • Change all of your passwords, especially Venmo, PayPal, and any account that is tied to your phone number. Make sure that confirmations are NOT sent to your phone number.
  • If, for any reason, you cannot log into your account, you should contact customer service of the company ASAP and give them a heads up about what happened.

Louisiana Woman Tries to Buy a Million Dollar Home with False Documents

Have you ever seen a house and thought…I wish I could afford that? Some people actually try it, but let this story be a lesson learned: if you can’t afford the cost of a house, you probably shouldn’t try to buy it.

Pamela Chandler was arrested and now faces forgery charges after she tried to purchase a home with a million-dollar price tag. How did she do it? She used false documents. Chandler, who also goes as Pamela Goldwyn, was arrested by a special Financial Crimes Task Force in Bossier City, LA. She also has several warrants out for her in Texas with crimes including fraud and the exploitation of certain groups of people including children, the elderly or the disabled. She was booked in jail and was not given a bond, as she is a flight risk.

According to court records, Chandler, who lists her age as 47, has a permanent address in Athens, Texas, but also has addresses in Maryland and Louisiana. A local Bossier City realtor reported her to local law officials after she tried to use illegitimate paperwork to buy the home. She claimed to have a trust fund, but the paperwork just didn’t add up. As the task force began to investigate the situation, it was found that she had also altered a letter from a lawyer to try to convince the realtor that she had enough in this fake trust fund to buy the home. It was also discovered that she had used a number of aliases over the years. It is believed that she uses an alias in a specific area until law enforcement catches on to her scams, and then changes her name and moves to a new area.

Much of the problem here can be blamed on easily obtained fake IDs. The fact is, our existing identification systems are insufficiently secure, and our identifying documents are easily copied. Anyone with a computer, scanner and printer can recreate an ID. Outdated systems exacerbate the problem by making it too easy to obtain a real ID at the DMV, with either legitimate or falsified information.

Some of the Department of Motor Vehicles’ new requirements for improving facial recognition include not smiling for your picture, or smiling only as long as you keep your lips together. Other requirements meant to aid the facial recognition software include keeping your head upright (not tilted), not wearing eyeglasses in the photo, not wearing head coverings, and keeping your hair from obscuring your forehead, eyebrows, eyes, or ears.

The fact is, identity theft is a big problem due to a systematic lack of effective identification and is going to continue to be a problem until further notice. In the meantime it is up to you to protect yourself. The best defense from new account fraud is identity theft protection.

Fake Emails are Becoming a Major Issue for Businesses

You might be surprised to know that more than 3.4 billion fake emails are sent around the globe each day. What does this mean? It means that almost every company out there is vulnerable to cybercrimes in the form of “spoofing” and “phishing.” On top of this, most companies out there have not protected themselves from this type of cyber attack. What’s even more interesting is that the vast majority of these emails are not coming from some foreign land, but they are coming from sources based in the US.

This all sounds pretty dreary, but it’s not all bad. Research is showing that many industries in the US are making strides against these fake emails, though some are working harder than others.

To get the data for this research, companies like Valimail are using data from internal analysis of billions of different email authentication requests. The company also used almost 20 million public records about email to publish its report.

This report shows that email impersonation, which made up 1.2 percent of all emails sent during the first quarter of 2019, is the favorite weapon of cyber criminals to get access to a network. They also try to get access to sensitive information and intellectual property.

Fake emails are a problem, and they are not blocked by cybersecurity defenses that are traditionally used.

These fake emails are one of the biggest sources of cyberattacks. As more businesses recognize email vulnerabilities, organizations should start using authentication technology to protect against fraudulent and untrustworthy senders.

The fact is this: too many cybercriminals are using fake emails to get through these defenses, and better methods to identify senders are needed to make sure that email is more trustworthy both now and in the future.

Protect Yourself

  • The e-mails usually contain at least one link they want you to click. Hover your mouse to see what the URL is. It may appear legit, but note the “http” part.
  • Reputable sites for giant businesses, such as Microsoft and PayPal, will have an “https” in their URL. The phishing link’s URL will usually not have the “s.”
  • A big red flag is if there are typos or poorly constructed sentences, but a phishing e-mail may also have flawless text.
  • Don’t be fooled by company logos, stock imagery, privacy policies, phone numbers and other formalities in the message field. It’s so easy for a hacker to put these elements in there.
  • Be leery of warnings or alerts that don’t sound right. Gee, why would your account be “in danger of being suspended”?

The Smart Parent Guide to Digital Literacy

If you are the parent of a child or teen who uses the internet, here are some stats you need to know:

Stats About Teens and the Internet

  • Teens think that the internet is mostly private
  • They also think that they can make the best decisions for their life online
  • They believe they are safe online and that people are who they say they are
  • They don’t feel at risk if “friending” perfect strangers
  • They feel like since they are probably better at understanding technology, they can make better decisions than their parents about what’s best practice for online behavior

These are obviously naïve views of the digital world and if parents don’t fully explain why these views aren’t just wrong, but dangerous, then the parent is setting up their child for failure.

Make sure that you are keeping the lines of communication open with your kids about their internet use. Explain the risks involved and share stories of other teens who have found trouble online.

Internet Rules that Parents Should Consider

It is recommended by experts that parents set up rules for their kids in regards to internet use. Here are some:

  • Know every password that your kid has and use those passwords to check on their accounts.
  • Don’t let kids use social media, text friends, or chat online until they are in 9th or 10th grade, and never let kids use apps or sites that allow for anonymous communication.
  • There is NO reason why your 13 year old needs to be head deep in Snapchat or TikTok. NONE. Nothing good will come from it.
  • Give your kids a time limit for internet use
  • Don’t allow your kids to respond to messages from strangers, and never “friend” strangers.
  • Never give out any personal information, such as address or phone number, online.
  • Always be respectful and kind to others online; bullying should NEVER be allowed.
  • Do not allow your children to know your passwords.
  • Do not allow kids to have access to their devices at all times. Have family time with no screens, e.g. game night, a walk to the local park, etc.
  • No phones in the bedroom. Buy laptops, not desktops. Laptops shouldn’t be allowed in the bedroom after homework is done.
  • No photos should be posted to an internet site without permission of parents.
  • Always check text messages, chat logs, or any other communication online, and make sure that kids understand that there will be consequences if they delete the messages.
  • Don’t allow kids to download any apps or software without your permission.

Don’t Make These Mistakes

  • Don’t give your child a traditional smart phone before 9th grade. You can give them a feature phone that you have full access to, however.
  • Don’t give your child internet access that is unmonitored.
  • Don’t allow your kids to use the internet in closed rooms or in areas where you can’t see what they are doing.
  • Don’t allow them to play online games where chat is enabled, as these are common targets for sexual predators.

Just because other families are breaking most of these rules, doesn’t mean your family needs to. Don’t be cattle or sheep. Lead by example.

What is Two-Factor Authentication and How Does it Work?

There are a number of ways that you can protect yourself online, and one of the things you can do is to start using two-factor authentication.

You probably have seen two-factor authentication even if you aren’t sure what it is. For instance, if you do online banking, your bank might text a code to your phone or email when you try to change the password. This is two-factor authentication. It’s basically just an extra step that confirms that you are the account owner. This makes it more difficult for hackers to get into your account, too. Not only do they need a password, they also need access to your smart phone or email account.

These Critical Websites need Two Step Authentication

Most large websites have the option for two-factor authentication. Each company name is linked to its specific instructions. Here’s how to set it up:

Apple ID

You can use two-factor authentication on your iCloud, iPhone or iPad:

  • Click on “Settings,” “Security,” and then “Turn on two-factor authentication.”
  • Enter a phone number
  • Look at your text, enter the code, and you are good to go

Facebook

  • Log into your Facebook account. Click on “Settings,” “Security and Login.”
  • Choose “Use two-factor authentication,” and then click “edit.”
  • Select the method. There are several options including texts, apps, and code generators.
  • Follow the instructions shown on the screen.
  • Click “Enable.”

Gmail

You can set up two-factor authentication for Gmail and Google accounts.

  • Navigate to the Google page for two-step authentication.
  • Click “Get started.”
  • Follow on-screen instructions to turn the feature on.

Yahoo

  • Sign into your account
  • Click “Account security.”
  • Look for “two-step verification,” and make sure it’s “on.”
  • Enter your phone number, and choose text message or phone call
  • Enter the code, and then click on “Verify.”

Instagram

If you use Instagram, you can also set up two-factor authentication:

  • Log into your account on Instagram.
  • Navigate to your profile and choose your operating system.
  • Scroll down until you see “two-factor authentication.”
  • Click on “require security code.”
  • Enter a phone number if one is not there. Click “Next.”
  • You will get a code to your phone. Enter it, and then click “Next.”

Twitter

If you use Twitter, you can also set up two-factor authentication. However, there are different steps to take depending on how you access the site, either from a laptop or PC, an iPhone, or an Android. You can learn about setting two-factor authentication up by visiting the Help Center.

Here are a few more important sites that require a more in-depth explanation:

  • LinkedIn
  • PayPal
  • eBay
  • Amazon

Disinformation i.e. FAKE NEWS: How the Weaponization of Social Media Has You Conned

This post takes a hard and honest look at what’s happening right now. You either “get it” or you are a victim of what’s going on. Victims who read this will trash it and deny the reality of what they read. Denial is warm and comfortable. The truth is cold and can hurt. And nobody likes to admit they are wrong, ever. So I expect plenty of haters.

“People are much like cattle or sheep; they just want to be led.”

The author of that controversial and maybe offensive quote is the author of this article. Maybe YOU aren’t like cattle or sheep, but most are. The problem with this sentiment is that some cowpokes and herders may use evil methods to lead their herd for their personal gain. In the digital age, this is done most effectively via disinformation weaponized with social media.

Here’s How It’s Done: 

Cambridge Analytica, on behalf of its clients, scientifically weaponized social media using disinformation to win elections. It was first tested in third world countries and then with Brexit and most recently to win the United States presidential election. Here’s a breakdown of what is believed to be the basis of how it used social influence to change hearts and minds.

Company leaders understood that the weaponization of social media is “the act of manipulating facts by spreading disinformation for propaganda”. This act is accomplished by:

  • a coordinated effort using viral memes,
  • emotionally charged videos,
  • and clickbait headlines.

Confidence Trick

Fundamentally, disinformation is a confidence trick or scam. The motivation of a conman is to influence their mark enough to gain the confidence of the victim. The conman wants to be trusted. Once the conman has the trust of their target, it’s like taking candy from a baby.

Divide and Conquer via Disinformation

The desired outcome of disinformation by its author is to divide and conquer or rule the persons who are manipulated by it. The Oxford definition of “divide and conquer” is the policy of “maintaining control over one’s subordinates or subjects by encouraging dissent between them”. In other words, from the perspective and motivation of the conman, “don’t trust them, trust me.”

I REPEAT: 

The desired outcome of disinformation by its author is to divide and conquer or rule the persons who are manipulated by it. The Oxford definition of “divide and conquer” is the policy of “maintaining control over one’s subordinates or subjects by encouraging dissent between them”. In other words, from the perspective and motivation of the conman, “don’t trust them, trust me.”

Can you see exactly how “divide and conquer” and “don’t trust them, trust me” are being played out every single day in our current political climate with the impeachment hearings? The administration’s own cabinet, the people and professionals hired to do the job they are doing, are being deposed and are publicly confirming what was said in the call. The administration is saying don’t trust them, trust me. That’s pure disinformation.

Disinformation i.e. Dezinformatsiya

Disinformation, fundamentally, is lying. Disinformation used to be spread by the spoken word only.  But with the invention of the printed word and the press, disinformation was spread using pamphlets, leaflets, books, magazines, political cartoons, and in planted clandestine newspaper articles. Agents of influence, political spies, and journalists can all be used to spread disinformation. Digitally, social media spreads disinformation like the proverbial wildfire.

The birth of the word “disinformation” comes from the Russian word (dez-inform-ahhT-see-ahh) dezinformatsiya. Joseph Stalin coined the term in 1923 derived from the title of the KGB black propaganda “special disinformation office” department. Disinformation was formally defined in the Great Soviet Encyclopedia in 1952 as “false information with the intention to deceive public opinion”.

Disinformation is meant to instill fear and confuse its intended target by blurring the lines between fact and fiction. Disinformation’s primary purpose is to spread conspiracy theories that isolate readers and viewers from alternative viewpoints to create a cloud of confusion and paranoia.

Disinformation in Mainstream Media

Can you see where in our culture, right now, which leg or legs of our media might isolate readers and viewers from alternative viewpoints to create a cloud of confusion and paranoia? If you can’t, then you are a victim of Disinformation. You are being led. You are sheep.

When you see disinformation, which is born a lie that you believe to be the truth, and you agree with it and then support it by liking it and sharing it, you are then a victim of it and a perpetrator of the confidence crime that the disinformation is.

The 5 P’s of Persuasion

Here’s how minds are manipulated:

Persuasion

When you are of a particular belief…or persuasion…it means that you have already made up your mind. An example of this is of the Republican persuasion or the Democratic persuasion. Another definition of persuasion is the act of influencing another person to change their mind or to do something they might not do without your influence.

Psychographics

This is the study of people based on their aspirations, attitudes, and other criteria. It is especially the case in market research. The study of psychographics is a methodology that is used to describe a person based on their psychological attributes. The method has been applied to studying values, attitudes, personality, opinions, lifestyles, and interests.

Psychological Operations (PSYOPS)

Psychological operations, or PSYOPS, are used to convey certain pieces of indicators and information to an audience to influence their motives, objective reasoning, and emotions. It can ultimately affect the behavior of organizations, governments, individuals, and groups.

Psychological Warfare

The act of psychological warfare is the planned use of threats, propaganda, or other non-combat techniques during the danger of war or even during a war. It can also apply to any time of political unrest to demoralize, intimidate, or influence the behavior or thinking of the enemy.

Propaganda

Propaganda is defined as information that has no objectivity and is used to influence a specific audience or to further an agenda. This is often done by presenting selective facts to encourage a particular perception or synthesis, or by using loaded language to create an emotional instead of a rational response to the given information.

Propaganda Comes in Many Flavors.

White propaganda is information that is purposefully put out by a known transparent source and credited by its origin. The information intends to express a valid option of its author. An example would be a political ad put out by the “Jane Smith” political campaign designed to discredit her opponent and at the conclusion the video stating “Brought to you by the campaign to elect Jane Smith.”

Grey Propaganda is when the source of information is not expressed nor credited, and the identity of the source is concealed. The information shown does not have to be inaccurate as it could be true or false. An example might be a local small business putting out an ad about a competitor revealing the competitor uses inferior materials. This information may be correct, but the author, to avoid backlash, doesn’t want to admit they placed the ad.

Black propaganda is false information that is designed to look like it was created by those it is intended to discredit. For example, a meme or video that might appear to come from the Black Lives Matter network that may express images or video sanctioning black people attacking white people. Obviously, it is not in the best interests of a movement designed to accelerate civil rights to put out media of this kind. But if it says in the video “Brought to you by Black Lives Matter” and it’s spread via social media, it will inevitably spread disinformation to discredit the group.

Are You Sheep? 

The questions then are: Are you aware of what is disinformation? Or are you sheep? Don’t shoot the messenger please. I’m only trying to shine a light on the fraud that you might be a victim of.

DoorDash Admits 4.9 Million Affected by Data Breach

DoorDash has admitted that it has been the victim of a data breach, which has affected about 4.9 million merchants and people.

In a recent blog post, DoorDash announced that it noticed some odd activity early in September from a third-party service. After looking into it, the company found that an unauthorized third party was accessing user data from DoorDash on May 4, 2019. DoorDash immediately took steps to stop any future access and to improve security.

Those who were affected by this breach joined DoorDash on April 5, 2018 or before. Those who joined after that specific date were not part of this breach. The company said it will contact those customers who were affected.

This breach involved data including email addresses, names, order history, delivery addresses, phone numbers, and encrypted passwords. In some situations, bank account numbers and the last four digits of payment cards were also released. Additionally, the driver’s license numbers of approximately 100,000 delivery people were accessed. Bank account information and full payment card numbers were not compromised.

This data is called PII, or Personal Identifying Information, and it could be used to open new accounts, take over existing ones, or “socially engineer” you. Going forward, as with all data breaches, be on the lookout for scammy emails and phone calls. Be suspicious every time the phone rings, and unless you are 100% sure, don’t click links in emails, even if you recognize the sender.

DoorDash also said that it has added additional layers of security in order to protect the data of its customers, and it has improved the protocols that are used to get access to this data. The company has also told customers that it is a smart idea to change their passwords, even if they were not affected.

YouTube’s Spoon Feeding Pedophiles Kids Home Videos

YouTube uses a recommendation algorithm to help people view things they’d like to see. Recently, the algorithm seemingly encouraged pedophiles (YouTube would have no way of knowing this) to watch videos of children playing at home, videos that the family members uploaded.

A report from the New York Times detailed how YouTube had been exploiting minor children through the automated recommendation system. According to the report, researchers at the Berkman Klein Center for Internet and Society at Harvard were studying the influence of YouTube in Brazil. This was when they noticed the alarming issue. The experiment used a server, which followed YouTube recommendations a thousand or more times, which built a map of sorts in the process. The map is designed to show how YouTube users are guided as to what they may want to watch.

During the experiment, recommendations stemmed from sexually-themed videos, which is when researchers noticed that the system showed videos that were extreme or bizarre, placing more emphasis on youth. In some cases, a video of females discussing sex led to videos of women breastfeeding or wearing just underwear. Many times, the women mentioned their ages, which ranged from 19 to 16 years old.

Deeper into the experiment, YouTube started recommending videos where adults wore children’s clothing or solicited payment from ‘sugar daddies.’

With such softcore fetish recommendations already being shown, YouTube showed videos of children who weren’t fully clothed, many of them in Latin America or Eastern Europe.

These videos were usually home videos that had been uploaded by their parents. Many times, parents want to easily share videos and pictures of their children with family and friends. However, YouTube’s algorithm can learn that people who view sexually-exploited children want to see these family videos and may recommend them without knowledge.

One mother, Christine C., was interviewed by the Times about her 10-year-old child. The child uploaded a harmless video of her and a friend playing in the pool. The video was viewed over 400,000 times in just a few days. The mother said that her daughter was excited about the view count, which alerted Christine that something was amiss.

This is just one of many incidents that unfolded after YouTube publicly confronted its issues with pedophilia earlier in 2019. Back in February, YouTube had to disable comments on minor children’s videos because pedophiles were reportedly commenting on the videos in ways to signal other predators.

Studies have shown that the recommendation system on YouTube can create a rabbit-hole effect where the algorithm recommends more extreme content as time goes on. The company denied that reality or skirted the topic. However, in May, Neal Mohan, the chief product officer at YouTube, said that extreme content doesn’t drive more engagement or watch time than other content options.

YouTube hasn’t made many comments about the recommendation system or that it creates the rabbit hole effect. Instead, journalists and reporters are referred to a particular blog that explains how the company focuses on protecting minors and that its videos don’t violate any policies and are posted innocently.

The announcement also focuses on the recent steps taken by YouTube to disable comments for videos that feature or are uploaded by minors. Minors are also going to be restricted so that they cannot live-stream unless a parent is on the video. Along with such, the company plans to stop recommending videos that depict minors in risky situations.

Researchers believe that it would be best to block children’s videos or videos depicting children and not allow those videos in the recommendation system at all. However, YouTube reported to the Times that it doesn’t plan to do that because the automated system is one of the largest traffic drivers and could harm creators.

ROBERT SICILIANO CSP, is a #1 Best Selling Amazon author, CEO of CreditParent.com, the architect of the CSI Protection certification; a Cyber Social and Identity Protection security awareness training program.

Gift Cards: The Newest Scam that You Should Be Aware of

Hackers are making a lot of money thanks to phishing attacks these days, and now they are also focusing on gift card scams. One of the most notorious scam groups, Scarlet Widow, which is out of Nigeria, has been boosting its efforts to scam people with gift cards since 2015. This group generally focuses on people in the UK and US and also is known for tax scams, romance scams, and rental cons.

Are you at risk of getting scammed by Scarlet Widow? The group generally focuses on medium to large US businesses and nonprofits, including the United Way, Boy Scouts of America, and YMCA chapters. The scammers send emails to employees of these organizations, and though most people understand that the emails are, indeed, scams, it only takes one person to put your organization at risk.

The Targets

From November 2017 to the present, Scarlet Widow has targeted thousands of nonprofits and individuals. It also targets the education industry and tax industry. Scarlet Widow only succeeds by getting access to these organizations’ email accounts. They might put malware in the emails or use malicious phishing links. Either way, eventually, these people are going to be able to scam the organizations.

The Scam

Though traditional phishing scams work for Scarlet Widow, it is really focusing on the gift card scam these days. In October 2018, more than a quarter of people who had been scammed during the year said that they were victims of a gift card scam. Scammers love these because they can get the cash quickly, they can be anonymous, and the transactions are very difficult to reverse. All the scammers have to do is convince someone to buy a gift card, then send them a photo of it, and they can take the money that is on the card.

Scarlet Widow generally focuses on Google Play and iTunes gift cards, but other scammers will ask for cards from places like Target, Walgreens, or CVS. You might think it sounds strange that these people could con others into paying for business services with gift cards, but remember: these scammers are experts at manipulation. They will certainly come up with some story with a sense of urgency, and people fall for it all of the time. For instance, there was an administrator in Australia who sent a scammer $1,800 in iTunes gift cards. The email she got seemed as if it was from the head of the finance department, so she believed it was legitimate. However, it was just a scammer.

A security awareness training financial advisor client of mine was conned too. Actually, it was his assistant. She received an email that looked like it was coming from him requesting 5 $500.00 Apple gift cards to send to their top 5 clients. She went right out to Walgreens and bought 5 cards. The instructions were to scratch off the back to reveal the codes and email pictures of the cards and codes back to him, which she did. And then the scammers disappeared.

Though there are limitations to scammers using gift cards, these nefarious groups will use any method they can think of to get more money funneling in. So, if you ever get a request from a contractor or organization leader asking for a gift card, use an extreme amount of caution.
