Inside The Nigerian 419 Scam

The Nigerian 419 Scam is a form of advance-fee fraud, a confidence trick in which the target is persuaded to advance sums of money in the hope of realizing a significantly larger gain. “419” refers to the article of the Nigerian Criminal Code that deals with fraud.

Almost everyone has been targeted by this type of scam at some point. Most would be surprised by how many different versions of this scam exist and how reasonably intelligent people have been fooled into participating in them. Entire cities have had their bank balances drained, and families have lost their life savings.

Recently a close friend called to tell me that he had sold a $22,000 piano on a specialty site specifically for piano sales. His piano, which he had sold to an out-of-town buyer, was to be picked up by a mover. He called me because the buyer was sending $26,000, $4,000 above the asking price. My friend was to pay the movers with this extra $4,000. He was a little concerned about this plan, and so he asked me for my thoughts.

I explained that this was a scam. The $4,000 that he was supposed to wire to a mover accounted for the “advance fee” element of the scam. Once my friend wired the money, the scammer would probably ask for more. In advance-fee fraud, the money promised by the scammer never arrives. The scammer relies on the fact that, by the time the victim realizes this, the victim may have sent thousands of dollars of their own money, sometimes millions, to the scammer via an untraceable and/or irreversible means such as wire transfer.

My friend reminded me that the buyer had negotiated the price, requested more pictures, was adamant about the quality of the piano, and seemed legitimate. At this point, my friend became argumentative. He didn’t want to believe me, and insisted that I was wrong and that he would go through with the sale.

I reminded my friend that he’d called me based on an instinct that something was fishy, and he calmed down and agreed that I was right, after all. Nobody likes to admit that they are wrong. In this case, my friend was right when he sensed something suspicious.

This is a simple but vicious scam that can easily take you by surprise. This scam can have many different twists and varieties, and you must avoid being taken in by any of them. The simplest solution is to never send money, for any reason, to anyone, in response to a phone call or email.

Identity theft protection will not help you here. But becoming informed by visiting CounterIdentityTheft.com can help.

Identity theft can happen to anyone. McAfee Identity Protection offers proactive identity surveillance, lost wallet protection, and alerts when suspicious activity is detected on your accounts. McAfee Identity Protection provides live access to fraud resolution agents who work with victims to help restore their identities.

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss scam baiting on Fox News. (Disclosures)

Hacking Wireless for Identity Theft

The ability to connect wirelessly has a lot to do with the indispensability of the Internet in our daily lives. Wireless Internet is available in our homes, offices, cafes, restaurants, parks, hotels, airports, cars, and even airplanes. The mobility factor allows us to work anytime, anywhere, on numerous devices. “Being connected” is at an all-time high.

Wireless Internet is amazing. But is it safe?

The short answer is: no. Wi-Fi was born to be convenient, not secure. Unsecured, unprotected wireless is everywhere. When a device connects to unprotected Wi-Fi, all the data stored on that device is available to a hacker with the proper sniffing tools.

The longer answer is: it depends on what kind of wireless we’re talking about. I’m going to speak in generalizations, since most of this is debatable and at this point, there are no absolutes when it comes to wireless security. So here we go.

Free, unsecured Wi-Fi is the least secure. Any Wi-Fi connection, whether in public, at home, or in the office, that is shared with anyone with any wireless device, lacks encryption of the data packets streaming from the connected devices.

A simple Firefox add-on called Firesheep can allow anyone with a Firefox browser to sniff out other devices using the same Internet connection, and to spy on their browser activity. Even if the victim’s login is encrypted, once they visit an unencrypted site, their data becomes vulnerable.

Home or office Wi-Fi with a WEP encryption is slightly more secure. Wired Equivalent Privacy was introduced in 1997 and is the original version of wireless network security. But WEP has been cracked, hacked, and decimated.

Home or office Wi-Fi with a WPA encryption is better. Wi-Fi Protected Access is a certification program that was created in response to several serious weaknesses researchers found in WEP, the previous system. WPA and WPA2 are tougher to crack, but not impossible.

Mobile Broadband has a degree of encryption that has been cracked, but the necessary hardware isn’t widely deployed by criminals. Researchers have demonstrated how the system can be hacked, but it’s still more secure than other options.

For the most security, use WPA2 wireless Internet from a home or office environment that isn’t internally shared. If you must go online while traveling, use your carrier’s mobile broadband and forgo the hotel or café’s free wireless.

Identity theft can happen to anyone, regardless of how they connect to the Internet.

To ensure peace of mind, subscribe to an identity theft protection service, such as McAfee Identity Protection, which offers proactive identity surveillance, lost wallet

Lost and Stolen Wallets Lead To Identity Theft

A friend called me in a panic because she had lost her wallet, which contained her driver’s license, credit cards, debit card, store cards, and her Social Security card. (You should never carry your Social Security card or Social Security number in your purse or wallet.)

Anyway, she was freaked out and wanted to know what to do. There are certain things you can do now, before your wallet is lost or stolen, to mitigate future damage, and other things that should be done once a wallet is missing.

While you still have your wallet, thin it out as much as possible. If you have multiple credit cards, store cards, Social Security cards, insurance cards, and more, then, “Houston, we have a problem.” All these ancillary cards serve no purpose other than putting you at risk for new account fraud or account takeover.

Remove unnecessary cards and put them in a safe, or cut them up and cancel the accounts. I have a MasterCard and an American Express, and if everyone took American Express I’d only have one card. I also carry a Costco card, driver’s license, and a debit card to make deposits and get cash. That’s it.

Beyond that, no other card is needed, including insurance cards. Insurance cards only need to be carried the day of an appointment. They are not necessary in emergency situations.

Photocopy all the cards in your wallet (front and back) and keep them in a safe.

When your wallet is lost or stolen, pull out the photocopies of your cards. Call the credit card issuer to report the loss and request new cards.

Easy enough. However, there is one thing I’d recommend you do prior to losing your wallet — invest in an identity theft protection service.

To ensure peace of mind, subscribe to an identity theft protection service, such as McAfee Identity Protection, which offers proactive identity surveillance and lost wallet protection. If your credit or debit cards are ever lost, stolen or misused without your authorization, you can call McAfee Identity Protection and they’ll help you cancel them and order new ones. If their product fails, you’ll be reimbursed for any stolen funds not covered by your bank or credit card company. (For details, see McAfee’s guarantee.) For additional tips, please visit CounterIdentityTheft.com.

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss identity theft on YouTube. (Disclosures)

The 12 Scams of Christmas and Other Attacks

Identity Thieves and Cybercriminals Take Advantage of the Holiday Season, Aiming to Steal Consumers’ Money, Identities and Financial Information. As cybercriminals begin to take advantage of the holiday season, be cautious.

Scam I: Charity Phishing Scams

Hackers take advantage of citizens’ generosity by sending e-mails that appear to be from legitimate charitable organizations.

Scam II: Fake Invoices from Delivery Services

Cybercriminals often send fake invoices and delivery notifications appearing to be from FedEx, UPS or the U.S. Customs Service.

Scam III: Social Networking Scams

Cybercriminals send authentic-looking “New Friend Request” e-mails from social networking sites.

Scam IV: Fake Holiday E-Cards

Cyber thieves cash in on consumers who send holiday e-cards in an effort to be environmentally conscious. Worms masquerade as Hallmark e-cards and more.

Scam V: “Luxury” Holiday Jewelry

A scam campaign leads shoppers to malware-ridden sites offering “discounted” luxury gifts from brand names.

Scam VI: Practice Safe Holiday Shopping – Online Identity Theft on the Rise

Researchers predict online holiday sales will increase this year, as more bargain hunters turn to the Web for deals. While this is the season for giving, don’t give away your identity. Cybercrooks promote fake gift card offers and other schemes with the goal of stealing consumers’ money and information, which is then sold to marketers or used for ID theft.

Scam VII: Risky Holiday Searches

Hackers create fraudulent holiday-related websites for people searching for a holiday ringtone or wallpaper, Christmas carol lyrics or a festive screensaver.

Scam VIII: Job-Related E-mail Scams

Scammers are preying on desperate job-seekers with the promise of high-paying jobs and work-from-home moneymaking opportunities.

Scam IX: Auction Site Fraud

Buyers should beware of auction deals that appear too good to be true, because oftentimes these purchases never reach their new owner.

Scam X: Password Stealing Scams

Thieves use low-cost tools to uncover a person’s password and send out malware that records keystrokes, a technique called keylogging.

Scam XI: E-Mail Banking Scams

Cybercriminals trick consumers into divulging their bank details by sending official-looking e-mails from financial institutions.

Scam XII: Ransomware Scams

Hackers gain control of people’s computers then act as virtual kidnappers to hijack computer files and encrypt them, making them unreadable and inaccessible.

Protect yourself:

1. Never Click on Links in E-Mails: Go directly to a company or charity’s website by typing in the address or using a search engine.

2. Use Updated Security Software: Protect your computer from malware, spyware, viruses and other threats with updated security suites.

3. Shop and Bank on Secure Networks: Only check bank accounts or shop online on secure networks at home or work, wired or wireless. Wi-Fi networks should always be password-protected.

4. Use Different Passwords: Never use the same passwords for multiple online accounts. Diversify passwords and use a complex combination of letters, numbers and symbols.

5. Use Common Sense: If you ever doubt that an offer or product is legitimate, do not click on it.

6. Get Identity Theft Protection: McAfee Identity Protection includes proactive identity surveillance to monitor subscribers’ credit and personal information and access to live fraud resolution agents who can help subscribers work through the process of resolving identity theft issues. For additional tips, please visit http://www.counteridentitytheft.com.

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss how a person becomes an identity theft victim on CounterIdentityTheft.com. (Disclosures)

Typosquatting Scams in Social Media

Typosquatting, or URL hijacking, is a form of cybersquatting that targets Internet users who accidentally type a website address into their web browser incorrectly. When users make a typographical error while entering the website address, they may be led to an alternative website owned by a cybersquatter or criminal hacker.

In a new twist, some typosquatters have begun using these domains to advertise deceptive promotions, offering gift cards or iPads to lure visitors.

“Twiter.com,” for example, redirects all the would-be Twitter users who missed one “t” to http://twitter.com-survey2010.virtuousads.com/survey.html. Notice that this copycat page’s URL begins with “http://twitter.com,” but clearly is not part of Twitter. Mistyping “youube.com” or “acebook.com” will send you to similar pages, which are designed to resemble YouTube and Facebook.

This scam benefits affiliate marketers who get paid when users click links and fill out forms. The shadiness of these sites, and the misleading techniques of their operators, indicate that any information you provide will most likely be misused, leading to annoyance and possibly fraud.

Typos are a common occurrence with no solution. But users who do find themselves on one of these alternate pages need to check the address bar and use common sense. Familiar colors, fonts, and logos may imply that you’re at the right website, but pay closer attention to be sure you’re not heading down a rabbit hole of spam and scams.
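The address-bar check described above can be automated. The following is an added example, not code from the original post: it flags a hostname that merely contains a known site's name (as in the survey URL) and a domain that is one typo away from it. The function names, the two-label domain rule and the one-typo threshold are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# The three sites named in the post; a real deployment supplies its own list.
KNOWN_DOMAINS = ("twitter.com", "youtube.com", "facebook.com")


def registrable_domain(host):
    """Return the last two labels of a hostname.

    Assumption: good enough for the .com names used here. Suffixes such as
    .co.uk need the Public Suffix List instead.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes and swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # delete from a
                           cur[j - 1] + 1,               # insert into a
                           prev[j - 1] + (ca != cb)))    # substitute
        prev = cur
    return prev[-1]


def classify(url_or_host, max_typos=1):
    """Return (verdict, matched_known_domain) for a URL or bare hostname."""
    text = url_or_host if "://" in url_or_host else "http://" + url_or_host
    host = (urlsplit(text).hostname or "").rstrip(".")
    owner = registrable_domain(host)

    # The domain that actually owns the page is one we know.
    if owner in KNOWN_DOMAINS:
        return ("known", owner)

    # A known name appears in the hostname, but another domain owns it:
    # the "URL begins with twitter.com" trick from the post.
    for known in KNOWN_DOMAINS:
        if known in host:
            return ("brand-in-hostname", known)

    # The owning domain is within max_typos edits of a known one.
    for known in KNOWN_DOMAINS:
        if edit_distance(owner, known) <= max_typos:
            return ("typosquat", known)

    return ("unknown", None)


if __name__ == "__main__":
    # Inputs taken from the post, plus two constructed controls.
    for sample in ("http://twitter.com-survey2010.virtuousads.com/survey.html",
                   "Twiter.com", "youube.com", "acebook.com",
                   "https://www.twitter.com/login", "example.org"):
        print(sample, "->", classify(sample))
```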

With more than 11 million victims just last year, identity theft is a serious concern. McAfee Identity Protection offers proactive identity surveillance, lost wallet protection, and alerts when suspicious activity is detected on your financial accounts. Please educate and protect yourself by visiting www.counteridentitytheft.com.

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss an identity theft pandemic on CNBC. (Disclosures)

This Holiday Season, Beware of Phantom Websites

A “fly by night” business is one that quickly appears and disappears, without concern for the quality of its product or service, or for legal regulations. These untrustworthy businesses often operate fraudulently. On the Internet, a fly by night business is called a “phantom website.”

Phantom websites exist to collect personal and credit card information. They can appear online any time of the year, but the holidays are prime time. They imitate the look and feel of a legitimate website, and many simply copy the web code from well-known online retailers, right down to the names and logos. They may also purchase domain names that resemble those of legitimate retailers, “typosquatting” to take advantage of mistyped searches.

Criminals may direct you to phantom websites using advertisements, even on major search engines like Yahoo and Google. These links or clickable graphics can either send you to a phantom site, or they may even directly infect your computer with malware.

Hackers and scammers also rely on black hat SEO to get their phantom websites ranked on the first or second page of search results, using the same search engine optimization techniques as legitimate vendors.

However, these scammers also game the system using techniques like “link farms,” “keyword stuffing,” and “article spinning,” which are frowned upon by search engines. Using these techniques to lure visitors will get them banned within a month or two, but that’s plenty of time to establish an online presence and scam plenty of victims.

And of course, phishing is in season all year long. Scammers send emails offering deals too good to be true, in order to draw visitors to their phantom sites. They’ll often take advantage of major holidays and significant world events to create an enticing offer. These emails are designed to trick recipients into entering account credentials, which allows the scammers to take over existing accounts or open new ones.

Protect yourself from phantom websites by only doing business with legitimate online retailers you know, like, and trust. Go directly to their websites, rather than relying on search engines, which may lead you astray. But do use search engines to check out a company’s name and look for ratings sites where customers have posted their experiences with a particular company. If you can’t find anything aside from the company’s own website, be suspicious.

And never click on links in unsolicited emails. Just hit delete.

Use SiteAdvisor or a similar service to scan for infected links.

And invest in identity theft protection, because when all else fails, it’s nice to have a service watching your back. McAfee Identity Protection includes proactive identity surveillance to monitor subscribers’ credit and personal information, as well as access to live fraud resolution agents who can help subscribers work through the process of resolving identity theft issues. For additional tips, please visit CounterIdentityTheft.com.

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss how a person becomes an identity theft victim on CounterIdentityTheft.com. (Disclosures)

Online Shoppers Concerned About Identity Theft

Shopping online is unquestionably more convenient and efficient than traditional commerce. But is it safer?

We face risk everywhere we go. We risk car accidents on the way to the mall. Muggers and thieves present a risk. Heck, you risk catching a cold from a sniffling salesclerk!

Similarly, shopping online creates another set of pitfalls, most of which involve financial loss, credit card fraud, or certain forms of identity theft.

According to a recent study conducted by the National Cyber Security Alliance, of almost 3500 United States adults surveyed, 64% have not made an online purchase from a specific website because of cybersecurity concerns. 60% said this was because they were unsure whether the specific website was secure. 51.4% worried about providing the requested information, and 48.4% felt a website requested more information than was necessary for the transaction.

When shopping online, you risk unintentionally visiting an infected website, which could infect your PC with keylogging spyware, which would be used to steal your stored data. Or, you might provide your credit card information to a legitimate online merchant that then falls victim to a data breach. Another risk is that you might order a particular product but receive something of lesser quality, or a different item entirely, and you may then have to contend with poor customer service.

Based on the potential risks, I don’t worry about shopping online. In most cases, you can protect yourself from keyloggers and malicious websites by running the newest version of your browser, keeping your antivirus software updated, and installing critical updates to your operating system.

To defend against credit card fraud, pay close attention to your statements and dispute any unauthorized transactions within 60 days.

The only way to avoid getting scammed by shady sites is to do business only with trusted web merchants. It’s also a good idea to do an online search for the website or company’s name prior to making a purchase, since in many cases, review or opinion websites will provide background on a business’s reputation.

McAfee Identity Protection includes proactive identity surveillance to monitor subscribers’ credit and personal information, as well as access to live fraud resolution agents who can help subscribers work through the process of resolving identity theft issues. For additional tips, please visit CounterIdentityTheft.com.

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss Cyber Monday on Fox. (Disclosures)

Black Friday Launches Holiday Fraud Horrors

The Christmas shopping season traditionally kicks off on Black Friday, the day after Thanksgiving. This also begins a time when criminals swarm the shopping malls as well as the Internet, seeking to take advantage of holiday opportunities.

When shopping in stores, keep the following in mind:

Employees: Seasonal employees are more likely to steal, from their employer and from the customers. It has been said that only 10% of employees are honest, 10% of employees will always steal and 80% will steal based on circumstances. So always count your change.

Credit Card Skimming: When a salesperson or waiter takes your credit card, they can run it through a card reader device that will copy the information stored on the magnetic strip. So when you hand over your card, watch closely to see where it is taken and what is done with it. It’s normal for the card to be swiped through a point of sale terminal or keyboard card reader. But if you happen to see your card being swiped through an additional reader that doesn’t coincide with the transaction, your card number may have been stolen.

Debit Card Skimming: Without the associated PIN, a skimmed debit card number is difficult to turn into cash. With the help of a hidden camera or a “shoulder surfer,” though, your PIN could be recorded at an ATM or point of sale terminal. Cover the keypad while you’re entering your PIN.

Pickpockets: Pickpockets slink through society, undetected and undeterred. They are subtle and brazen at the same time. They are like bed bugs, crawling on you and injecting numbing venom that prevents you from detecting their bite until it’s much too late.

Be aware of your surroundings, especially in crowded places. Pickpockets use distractions like bumps, commotions, and aggressive people. Sometimes a person will fall down, drop something, or appear to be ill.

Consider subscribing to McAfee Identity Protection, a service that offers proactive identity surveillance, lost wallet protection, and alerts when suspicious activity is detected on your accounts. For additional tips, please visit www.counteridentitytheft.com.

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss Black Friday on The Morning Show with Mike and Juliet. (Disclosures)

5 Tips to a Secure Cyber Monday

For the past five years, Cyber Monday has been the marketing term for the Monday immediately following Black Friday. It is now one of the biggest online shopping days of the year, with 77% of online retailers reporting substantially increased sales.

Scammers seek to take advantage of seasonal opportunities like Cyber Monday, so beware of the following scams:

Fake websites: Criminals draw visitors to their deceptive websites using the same techniques as legitimate eTailers: search engine optimization, search engine marketing, and online advertising via AdWords. They use keywords to boost their rankings on Internet searches, causing their scam sites to appear alongside legitimate sites in search results. These same processes are also used to infect unsuspecting users with malware. Run a SiteAdvisor program to give you a sense of a website’s legitimacy.

Phishing: Many victims who find themselves on scam sites get there by clicking links in phishing emails, which offer high-end products for low prices. In this case, it should be easy enough to avoid spoofed websites. Anytime you receive an offer via email, you should automatically be suspicious. The same goes for offers received through Twitter or other social media.

Too good to be true: If you aren’t familiar with the eTailer, don’t even bother clicking the links. Do business with those you know, like, and trust. I do occasionally patronize whichever eTailer offers the lowest price, but only when purchasing a relatively inexpensive item, generally under $50. It’s safer to make larger purchases from eTailers that also have brick and mortar locations.

Typosquatters: Be sure you’ve typed in the correct address and are at the eTailer’s actual domain. Beware of cybersquatting and typosquatting, which rely on imitation websites that resemble your desired destination, but are in fact copies, using domains that are similar to the legitimate web address.

Unsecured sites: When placing an order, always check the address bar for “https,” which indicates a secure page. Your browser may also display a closed padlock, further confirming that the page is secure. Generally, scammers won’t take the time to set up secure sites.

Common sense can help you avoid becoming a victim of these and other scams. Beyond that, consider subscribing to McAfee Identity Protection, which offers proactive identity surveillance, lost wallet protection, and alerts when suspicious activity is detected on your accounts. For additional tips, please visit www.counteridentitytheft.com.

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss Cyber Monday on The Morning Show with Mike and Juliet. (Disclosures)

Using Social Media Passwords With Critical Accounts

For some social networking sites, security is not a top priority. Some do not protect your data with the same vigilance you could expect from your bank, for example. Nor do social media require strong passwords. And if you use the same passwords for more critical sites, like webmail or online banking, having your social networking account compromised can make those other accounts vulnerable as well.

Last year, 32 million passwords were posted online after a data breach at RockYou, a company that creates applications for social networking sites. The breach revealed the weakness of most people’s social networking passwords.

InformationWeek reports that all the major sites have the same minimum password length of six characters. And password complexity checks are few and far between.

Of the 32 million people whose passwords were exposed, almost 1% had chosen “123456.” The next most popular password was “12345.” “Princess,” “qwerty,” and “abc123” were other common choices.

In another instance, phishers posted thousands of Hotmail addresses and the associated passwords in an online forum. These passwords were equally obvious. Those used most frequently included “111111,” “123456,” “1234567,” “12345678,” and “123456789.” Many of the phishing victims used people’s first names as passwords, most likely the names of their kids, spouses, and so on. 60% of the exposed passwords contained either all numbers or all lowercase letters.

Naturally, anyone using an insecure password is far more likely to be hacked. It is crucial to have strong, secure passwords for all online accounts, including social media accounts. And it is equally important to use different passwords for different accounts. Using the same password for social media sites as for critical accounts, like webmail and online banking, is an invitation for identity theft.
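As an added example (not part of the original post), the audit below applies the weaknesses described above to a list of accounts: passwords named in the leaks, first names, all-digit or all-lowercase passwords, and a critical account that shares a password with a social one. The account list, the first-name sample, the tier labels and the 12-character minimum are constructed assumptions.

```python
# Passwords the post names as the most common in the two leaks.
COMMON = {"123456", "12345", "princess", "qwerty", "abc123",
          "111111", "1234567", "12345678", "123456789"}

# Constructed sample; a real audit would load a full first-name list.
FIRST_NAMES = {"michael", "jessica", "daniel"}

# Assumption: a stricter minimum than the six characters the post reports.
MIN_LENGTH = 12


def weaknesses(password):
    """Return the list of weakness labels that apply to one password."""
    found = []
    lowered = password.lower()
    if lowered in COMMON:
        found.append("common")
    if lowered in FIRST_NAMES:
        found.append("first-name")
    if password.isdigit():
        found.append("all-digits")
    elif password.isalpha() and password.islower():
        found.append("all-lowercase")
    if len(password) < MIN_LENGTH:
        found.append("too-short")
    return found


def audit(accounts):
    """accounts: iterable of (site, tier, password), tier 'social' or 'critical'.

    Returns {site: [labels]} for every account with at least one problem.
    """
    accounts = list(accounts)
    social_passwords = {pw for _, tier, pw in accounts if tier == "social"}
    report = {}
    for site, tier, pw in accounts:
        issues = weaknesses(pw)
        # The post's main point: a social password reused on a critical account.
        if tier == "critical" and pw in social_passwords:
            issues.append("reused-from-social")
        if issues:
            report[site] = issues
    return report


def share_digits_or_lowercase(passwords):
    """Fraction of passwords that are all digits or all lowercase letters."""
    passwords = list(passwords)
    if not passwords:
        return 0.0
    hits = sum(1 for pw in passwords
               if pw.isdigit() or (pw.isalpha() and pw.islower()))
    return hits / len(passwords)


# Constructed sample data, not taken from any real account.
ACCOUNTS = [
    ("social-site", "social", "princess"),
    ("webmail", "critical", "princess"),
    ("bank", "critical", "T7#vq-Lantern-42!x"),
    ("forum", "social", "123456"),
]

if __name__ == "__main__":
    for site, issues in audit(ACCOUNTS).items():
        print(site, issues)
    print(share_digits_or_lowercase(pw for _, _, pw in ACCOUNTS))
```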

To protect your identity, observe basic security precautions. Consumers should also consider an identity theft protection product that offers daily credit monitoring, proactive identity surveillance, lost wallet protection, and alerts when suspicious account activity is detected. McAfee Identity Protection includes all these features, plus live help from fraud resolution agents if your identity is ever compromised. For more tips on protecting yourself, please visit www.counteridentitytheft.com.

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss hacked email passwords on Fox News. (Disclosures)