New Phone Scam Scares with Social Security Sham

We all get scam phone calls, but the newest one is meant to scare. When you pick up the phone, you get a message that your Social Security number is suspended due to suspicious activity, and you are then prompted to speak with an agent to get help.

The FTC makes something very clear: your Social Security number cannot be suspended for any reason, so any call that states your SSN is under suspension is a scam. What they are really trying to do is to trick you into giving them your actual Social Security number along with information such as your birthday and bank account number. 

This scam is just a variation on a scammer’s trick that often works. In this case, they are trying to scare you first, and then offer to help…but in reality, these scammers are trying to steal your information.

Remember These Social Security Facts

If you get a call about your Social Security number, you should remember the following:

  • The Social Security Administration only calls from one number: 800-772-1213.
  • A Social Security Number cannot ever be suspended.
  • The Social Security Administration won’t ever threaten an arrest.
  • You will probably NEVER get a call from the SSA.

Also, of course, remember this: NEVER give your SSN to someone you don’t know who contacts you.

The Scam

There are a few variations of this scam. The first is that they call and say that your SSN is suspended due to suspicious activity. They then say, if you want to know more about the case, press 1. When you do, of course, you are connected to an agent who is trained to get your information.

Another variation of this scam is a bit more aggressive. In this case, the message states that law enforcement has suspended your Social Security number because of suspicious activity. You are advised to call a toll-free number immediately and verify your SSN. The scam also claims that if you do not call the number, an arrest warrant will be issued, and you, of course, would be arrested. Though not everyone will get one of these calls, if you do, you should definitely pay attention. Again, the SSA would never suspend a Social Security number, nor would it threaten to arrest you. It’s also good practice to never give your SSN to anyone who asks for it over the phone. Instead, hang up and go on with your day.

Robert Siciliano, personal security and identity theft expert and speaker, is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock ’em dead in this Security Awareness Training video.

Second Hand USBs Could Have Personal Info Still Inside

An unsurprising study was recently released that found even when a portable USB drive is erased, not all of the documents and images are always removed. That, of course, is frightening.

Here’s how the research was done:

Researchers went online to sites like eBay, to second-hand shops, and even auction stores. They bought 200 used USB drives, half from the US and half from the UK. Almost 2/3 of the devices had data on them! This data was, for the most part, personal data, and it can also be used by cybercriminals to steal someone’s identity. On top of that, these USB drives can contain malware.

Removing All Data is Difficult

When someone tries to delete or remove data from a USB device, they rarely have success. In fact, of the 100 USB devices the researchers bought in the US, only 18 of them were totally wiped clean. The rest of them had data that had been deleted, but someone could certainly recover it. The UK devices were similar. What’s so surprising about this is that it is extremely easy…and free…for someone to fully delete their device. But most people just don’t put in the effort, and that could definitely hurt them in the future.

USB Devices Can Be Risky

Using these devices can be risky, not only for average people, but also for businesses. In 2017, for example, a USB device was lost, and it contained sensitive information about Heathrow Airport. The government investigated, and eventually fined the company. The information was not encrypted, nor password protected, and it was found on the street by a random passerby.

Because of these risks, some companies, like IBM, have banned the use of USB devices. Instead, employees must use the company’s cloud. Other companies still allow them, of course, but they could be going down a dangerous road. These devices are really cheap to buy, and people can save almost anything on them, but they are also very easy to lose.

There are other issues with USB devices too. First, of course, you have the data on these drives to deal with, but there is also the fact that potential malware could be on the devices. Most companies don’t have the same rules that IBM has, and most consumers don’t think of this at all. This makes people and small businesses very vulnerable. So, if you use USB drives, there is one very important step that you need to take: encrypt them.

84% of Consumers Will Not Buy a Car from a Breached Dealership

Most automotive-dealership owners never think that they are going to be a target in a data breach. However, the reality of this is very different. All dealerships, no matter how big or small, are targets thanks to the information these businesses have. This includes insurance documents, drivers’ licenses, credit card numbers, Social Security numbers, phone numbers, email addresses, credit reports, payment receipts and much more. According to a study done by TDC, about 84% of people said they would never purchase another car from a dealership that allowed their personal information to become compromised.

According to research, identity theft associated with car leases and loans increased 43% in the last year, and it is costing business owners a collective six billion dollars.

Last June, researchers found an online database that contained information about more than 10 million vehicles. It was then noted that cyber criminals had accessed the information, which included VINs and personal information about owners. They then can use this information to make a stolen car seem legal.

On top of this, dealerships are “financial institutions” as they collect and store financial information from their customers. This means that they have a responsibility to follow established guidelines to protect that information from getting out. As if this weren’t enough, dealerships could face steep fines, loss of reputation and the potential loss of revenue and customers.

Checking Compliance

Like most businesses that work with sensitive customer information, dealerships are regulated. Owners must be aware of the regulations and laws designed to protect the identities of their customers, and they must keep privacy and financial data safe. For example, the Gramm-Leach-Bliley Act forces dealerships to give customers a description of their privacy practices. Another law, the Disposal Rule, requires dealerships to immediately and securely shred consumer reports when they are no longer needed. If dealers are not doing these things, they could face legal consequences.

Regulations for Third Parties

There is also the fact that dealerships often share information with third parties, such as financial organizations and insurance companies, and it cannot be assumed that these companies have the same security standards as the dealership. To keep sensitive customer information from getting out, it is imperative to confirm the security protocols of these third parties.

On top of this, dealerships see people coming in and out all of the time, and visual hacking is rising. So, it is very important that employees of dealerships are watching for unusual acts, such as customers taking photos in office areas. Making sure that all visitors are escorted is the best way to alleviate this.

Shred Everything, and Stay Secure

Shredding documents before throwing them out is one of the best ways to get rid of sensitive information. This type of destruction helps you to eliminate any of those “what ifs,” and it also ensures that car dealerships are securely getting rid of any unwanted devices or papers. On top of this, document disposal is generally legally required in the industry.

Keep in mind that reputation is everything—especially in an industry like the auto industry, as customers have so many options to choose from. By protecting your reputation, you are also protecting your customers’ information.

Threats to Your Automotive Dealership

All dealers with staff need to understand the electronic threats against them. However, approximately 80% of dealerships don’t have the right type of network protection because they lack the expertise and resources. This leaves customer information exposed and open to theft. There are other ways that dealers can also fall victim to cybercrimes, including:

  • Evil Emails – Email is a very easy way for a hacker to spread viruses on computers and networks. All it takes is one person on your network to click on and download an email attachment that has a virus on it. Once this virus is there, a hacker can do almost anything, including access credit card information of customers.

  • Fake Sites – There are also many hackers who create fake websites that look almost identical to the websites of real companies. Again, it just takes one person on your network to log into a fake site and lose money or other valuable information.

  • Wi-Fi – If people are using mobile devices or personal computers on your network during the workday, and then take them home to do more work, the data that is on those devices is not secure.

Preventing Your Dealership from Becoming a Victim

As you can see, there is no limit to how a vehicle dealership can become a victim of hacking. So, you have to become very vigilant and take on a very active role to make sure that you are protecting the information of your customers. Here are some things that you can do to prevent your dealership from falling into this trap:

  • Take a look at your security – One thing you can do is look at where you might have a lapse in security. Fundamentally, it is best that companies conduct yearly intelligence gathering to learn where data might be compromised. This can give a dealer the upper hand in creating ways to predict where breaches can happen and how to avoid them.

  • Train staff on what to look out for – It is very easy to open emails or download attachments. Security awareness training is as important as sales training. Dealerships can train anyone to never open emails from people they don’t know and to confirm that they are only putting information into authentic websites.

  • Get cyber liability insurance – Another thing that you can consider is getting cyber liability insurance. This can cover the costs associated with any potential data breach.

  • Restrict access to information – Finally, consider restricting access to things like your dealership’s Wi-Fi network. You also might have to create a policy that limits the devices that are connected to the network. This will help to limit the instances of data theft.

These are just a few of the ways that a dealership can create a better sense of security for their digital information. Customers will feel as if their personal information is safe, and that will keep customers coming back for cars time and time again.

FTC Brings Office Depot Fines and a Strong Warning to Other Companies

The Federal Trade Commission (FTC) announced that Office Depot, along with a tech support firm, must come up with $35 million to settle a lawsuit over claims that both organizations were part of a computer repair service scam, which involved a fake malware scan.

In the FTC complaint, it was stated that Office Depot, OfficeMax, and Support.com ran a program called PC Health Check. This program is designed to search for malware on a customer’s computer. However, it actually doesn’t quite do that. Instead, it gives the customer a questionnaire, and then it uses the answers given by the respondent to flag some malware…even though malware might not have even been on the computer.

Some of the questions asked by the PC Health Check program included asking if the computer was slow, if it had a lot of pop-up ads, or if it crashed a lot. When the person clicked “yes,” to these questions, the software prompted them to buy fixes for the issues, which could cost hundreds of dollars.

Additionally, the complaint alleges that Office Depot and OfficeMax told their store employees to run PC Health Check on every computer that was brought into the store. In total, it is estimated that there were tens of millions of dollars lost in this scam.

On top of this, it is alleged that this scheme went on from 2009 until late 2016. It was only stopped when KIRO 7, a CBS-affiliate, began looking into it after viewers started reporting complaints about the program. Employees were also upset, and the FTC shared an incident from 2012 in its report. It said that an employee complained to upper management and said that they could not keep “lying to a customer” or be subject to being “tricked into lying” just so their store could “make a few extra dollars.”

If all of this wasn’t enough, the complaint also alleges that Office Depot advised its stores to never run a PC Health Check on any computer that had been repaired, because the program would still report malware, even though there was none on the machine. In other words, Office Depot knew that the program would flag malware even if there wasn’t malware on the computer.

Because of this scam, Office Depot will have to pay $25 million and Support.com must pay $10 million to settle with the FTC. The agency says that it will use the money to repay people who were victims of this scheme. Joe Simons, FTC Chairman, said in a statement that this should “send a strong message” to any other companies that might be considering this type of deception to trick people into buying services that they might not really need.

“Troncast” Podcast with Tron Jordheim

I recently had the opportunity to join Tron Jordheim on his podcast hosted on stitcher.com. We talked about digital security and how to watch out for yourself in our digital landscape. I was able to share advice on privacy, information security and why it is so important to take control of your own security, and ultimately your life. Thanks again to Tron, stitcher.com and the sponsors of this “Troncast!”

Facebook in the Spotlight Once Again for a Massive Data Breach

It’s a new day, so you should expect news about another data breach—again, with Facebook. According to research, tons of Facebook user data was recently exposed on cloud computing servers owned by Amazon.

According to UpGuard, a cybersecurity firm, it is believed that Facebook app developers stored the data on the servers, but they did so in a way that allowed the public to download it. One of these groups stored more than 500 million records on the servers, but it’s not yet clear how many people might have been affected. Another developer stored Facebook passwords for more than 20,000 people.

According to “the powers that be” at UpGuard, it is believed that the data was gathered through some type of Facebook integration. Basically, Facebook allows its developers to integrate their websites, apps and other info with its platform, which allows people to sign into another account by using their Facebook account.

Facebook has stated that it prohibits its developers from storing Facebook information in any public database. It said that once it was alerted to the breach, it began working with Amazon. The company also says that it is committed to working with its app developers to protect its users’ data.

This is only the latest incident that shines a bright light on Facebook’s struggle to keep its users’ data safe. With more than two billion users, this is extremely important, and it is surely going to put the social media giant under increased scrutiny.

Just about a year ago, Cambridge Analytica, which is a data firm that has connections to the Trump presidential campaign, was able to access information from almost 90 million Facebook users without their consent.

Facebook has stated that the data was first collected by a professor, who was doing it for academic reasons, which is or was actually allowed according to Facebook’s policies. The information was then transferred to a number of third party companies, including Cambridge Analytica, which is in direct violation of Facebook’s policies.

Since the Cambridge Analytica scandal, Facebook has been under scrutiny for offering its users’ data to more companies than it had admitted previously. In the last year, the company also admitted that hackers had exploited some type of bug in the Facebook platform, which ultimately exposed the information of almost 50 million people.

People from all over the world have criticized the way Facebook stores data, and the U.S. Federal Trade Commission is thought to be looking into a fine against Facebook for violating a data privacy agreement. Facebook was fined £500,000 ($653,000) over the issue with Cambridge Analytica.

Exclusive Coaching Call Webinar Recording

My interview with CNN has been trending all over the internet, and that makes me so happy because we talked about a very important topic: personal security. I’m so passionate about this subject that I wanted to provide some follow-up commentary. Use this link to view my most recent discussion, but this is not for the faint of heart…