Tax Identity Theft jumps on Payroll Scams

Do you work for a corporation, especially in the U.S.? You may be at risk for tax return fraud.

ADP is a payroll provider. Hackers were able to acquire tax information of employees of U.S. Bank from ADP. Now, this doesn’t mean that ADP was directly hacked into. Instead, it seems their authentication system was flawed and ADP failed to implement a protection strategy for the personal data to keep it safe from prying eyes.

The crooks registered ADP accounts by using the stolen data of the bank employees. These accounts allowed the crooks to get additional W-2 information—enough to commit tax return fraud. In other words, it looks like a W-2 gateway was created to file fraudulent tax returns.

If it happened to U.S. Bank and ADP, it can happen in many other places.

ADP says that the breach did not originate from their computer network, but where exactly it did come from is not clear at this point, as there are multiple possibilities, including a hack of a third-party service.

The hackers also used a unique company-issued URL. This URL is needed to register an ADP account. It is not known at this point whether the U.S. Bank URL required credentials for access, but since this data breach, U.S. Bank has withdrawn plans to further post the URL online. U.S. Bank has also removed their publicly accessible W-2 form from cyberspace.

Despite the data breach, there were only minimal effects to employees and customers of ADP and U.S. Bank. But the minimal adverse outcome is no reason to let your guard down. Next time, the institutions may not be so lucky.

Solution: Fill out the IRS Identity Theft Affidavit ASAP. Here: http://robertsicilian.wpengine.com/wp-content/uploads/2016/06/f14039.pdf

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Google Alert Scams

If you want to know the latest on “any topic”, just sign up for Google Alerts. Google will e-mail you notifications of new information coming online. I have Google Alerts for “Home Invasion” “Identity Theft” “Burglary” “Computer Security” and many more.

So what could be so harmful about receiving alerts about topics or people who are famous for being famous or your favorite presidential candidate?

  • A scamster creates a website and inserts popular search terms such as “Kate Middleton” or “Donald Trump.”
  • If you signed up for Donald Trump, you’ll not only receive legitimate alerts from Google, but also links originating from the scammer’s site. You won’t know which is which.
  • These fraudsters have figured out a way to circumvent Google’s security.
  • Clicking on these links could download malware into your computer.

In another example Intel Security’s McAfee does the “Most Dangerous Celebrity” survey based on malicious search results. They then determine which searched celebrity sites produce the most malware.

What can you do?

  • A tell-tale clue of a scam is that when you hover over the link inside your e-mail, the URL doesn’t correlate to the alleged source of the news. If it doesn’t match up, skip it. A scammer’s URL isn’t going to have what appears to be a legitimate news outlet address.
  • Narrow your search down. So if you want the latest in Trump’s polls, type “Donald Trump polls” in the Google Alert field. Otherwise, just leaving it as “Donald Trump” will not only flood your in-box, but it will be much more likely that some of those “alerts” will be fraudulent.
  • Another way to narrow the parameters is to set the alerts for “news,” “blogs,” “best results” and “United States.”
  • Be very suspicious of URLs that do not end in a dot-com, net, org or other familiar suffix. Often, scammy URLs come from foreign countries where the suffix is different, such as “fr” for France or .ru for Russia or .cn for China.
  • If a link appears to be fraudulent, report it to Google.com/alerts.
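The hover check and the suffix check from the list above can be run over a saved alert e-mail. This is an added example, not part of the original post: the sample HTML and its domains are constructed, `FAMILIAR_SUFFIXES` is an illustrative list, and the `google.com/url?...&url=` redirect wrapper is an assumption about how alert links are wrapped.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Suffixes the post calls familiar (illustrative, not an authoritative list).
# An unfamiliar suffix is a prompt to look closer, not proof of fraud.
FAMILIAR_SUFFIXES = {"com", "net", "org"}
# A domain-looking token inside the visible link text, e.g. "example.com".
DOMAIN_IN_TEXT = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")

# Constructed sample: three links as they might appear in an alert e-mail.
SAMPLE_ALERT = """
<a href="https://www.google.com/url?rct=j&amp;sa=t&amp;url=https://news.example.com/polls&amp;ct=ga">example.com: Latest polls</a>
<a href="https://www.google.com/url?rct=j&amp;sa=t&amp;url=http://celebrity-photos.example/gallery&amp;ct=ga">example.org: Exclusive photos</a>
<a href="https://login.example.net/story">Read the full story</a>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def real_destination(href):
    """Unwrap a google.com/url redirect (assumed wrapper format) to its target."""
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if host in ("google.com", "www.google.com") and parsed.path == "/url":
        target = parse_qs(parsed.query).get("url")
        if target:
            return target[0]
    return href


def registrable(host):
    """Crude last-two-labels domain; fine for .com/.net/.org, wrong for co.uk etc."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def check_alert(html):
    """Return (visible text, destination host, reasons) for each suspicious link."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = (urlparse(real_destination(href)).hostname or "").lower()
        reasons = []
        if host.rsplit(".", 1)[-1] not in FAMILIAR_SUFFIXES:
            reasons.append("unfamiliar suffix")
        named = DOMAIN_IN_TEXT.search(text.lower())
        if named and registrable(named.group(1)) != registrable(host):
            reasons.append(f"text names {named.group(1)} but link goes to {host}")
        if reasons:
            findings.append((text, host, reasons))
    return findings


if __name__ == "__main__":
    for text, host, reasons in check_alert(SAMPLE_ALERT):
        print(f"{text!r} -> {host}: {'; '.join(reasons)}")
```
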

If you’re signed up for Google Alerts for numerous topics, consider cancelling some of these, especially if it’s a hot topic that makes headlines nearly every day, such as the presidential race—which you’re bound to see anyway simply by visiting a reputable news site.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention.

Beware of the Jury Duty Scam

Imagine getting a call from someone identifying themselves as a federal court official or U.S. Marshal, informing you that your arrest is imminent unless you pay a cost—all because you failed to respond to a jury summons (which you don’t remember getting). I’d like to think that you’d immediately smell the rotten scam here and hang up, but unfortunately, many adults fall for this jury duty scam.

First off, let me get it off my chest: Who the devil ever heard of being arrested or fined for not responding to a jury summons? This farce isn’t even depicted in any of the slew of crime and law dramas that have been on TV for decades.

But the scammer relies on inducing enough fear in the targeted person to win them over. These scammers are sophisticated and even have call centers, says Melissa Muir, quoted in an article on uscourts.gov. She’s director of Administrative Services for the U.S. District Court of Western Washington. She points out that a federal court will never call someone and make threats or demand payments.

So if you hear what sounds like a bustling call center in the background of the call, assume this is staged to make the call sound official.

So what is the federal court’s response when someone ignores a jury summons?

  • The court clerk’s office will contact you.
  • You may be required to appear in court before a judge.
  • At the court, the judge may order that you pay a fine—but not before you’re given the chance to explain why you failed to appear for your jury summons.

If you get a fraudulent call, do not give out any information; hang up. Call your local court clerk’s office or the U.S. Marshal’s Service office for peace of mind: Check if you really did miss a jury summons, but chances are extremely high, and I mean higher than a kite, that the call was a scam.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

How to prevent IRS scams

Once a thief knows your Social Security number…you’re at very high risk for having your identity stolen.

A report on bankrate.com says that the IRS is warning of a cyber attack on its electronic filing PIN application. Thieves infiltrated it with malware in an attempt to claim other people’s refunds as their own. Over 450,000 SSNs were involved, and over 100,000 of them enabled the hackers to access an E-file PIN.

Endless scams are directed towards SSNs, like the classic phishing attack. A phishing attack basically goes as follows:

  • An e-mail arrives with an alluring or threatening subject line, which may actually be a warning to protect your SSN.
  • The e-mail looks legitimate, complete with logos and privacy information at the bottom.
  • The hacker’s goal is to get you to fill out a form that includes typing in your SSN.
  • The FTC warns of a “Get Protected” subject line for the latest scam. This scam e-mail mentions the “S.A.F.E. Act 2015” that protects against fraudulent use of SSNs.
  • Like many phishing e-mails, the “Get Protected” one contains fake information.
  • These e-mails include a link that, when clicked, will release a virus, or take you to a website that will download a virus or lure you into revealing sensitive information.

Three Ways to Get Scammed

Most people make important decisions based on emotion. Cyber thieves know this, and they prey on fear, greed and generosity.

  • People aren’t thinking straight when emotions are ruling. Logic gets swept under the rug. There’s pressure to act quickly, such as helping the scammer (who pretends to be a grandchild of the victim) who was in an accident: wire money asap. Natural disaster scams prey on the desire to give. The emotion of greed is manipulated in “You’ve Won!” and inheritance scams.
  • Of course, before the fraudster plays with emotions like a cat playing with a mouse, he first gains your trust, pretending to like the same things you do, whatever it takes so that you don’t question him.
  • Scammers are adept at appearing credible, such as tricking your caller ID into showing “IRS” or the name of your bank in the ID field. They may have a snazzy website up, a “badge number,” noise in the background to simulate a call center, even a fake accent.
  • Remember, scammers are pros. It’s going to seem legitimate.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention.

How to protect your network from malicious insiders

You may be putting your company at risk simply by hiring a new employee. Why? Because that person could have a hidden, malicious agenda.

This is known as an inside threat, and it means that someone within your organization is planning or conducting activities meant to harm the company.

There is a pattern that most insider threats use: The first step is to gain access to the company’s system. Once they have access to the network, they will investigate it and seek out any vulnerable areas. The malicious insider then sets up a workstation to control the scheme and spread the destruction.

What type of destruction can you expect? The hacker could introduce malware or they could steal or delete critical information, all of which can be damaging to your business. Fortunately, there are ways to protect your business from these types of hacks.

Most companies protect their IT systems with firewalls, anti-virus programs, data backup software and even spyware-scanning technology. The problem is that these technologies only work when hackers are trying to get information from the outside.

One way to protect against insider threats is to ensure that employees can only access the data necessary to do their jobs. You should look at the flow of data throughout the organization to determine how information is shared and where it becomes vulnerable to theft or other security breaches. Then work with each department to implement the proper security controls.

The process of preventing data loss begins with discovering the data, classifying it, and then deciding how much risk your company may face if the data gets out. Some of the tools and procedures you may want to consider for protection include:

  • System-wide encryption
  • Password management
  • Device recognition
  • Access controls
  • Data disposal

It’s important to create security policies and procedures that are easy for employees to understand. The more transparent these policies are, the more effective your departments will be when communicating what they want and need.

How can you mitigate insider threats? Tune into the Carbonite webinar that I’ll be hosting live on Wednesday, March 15th at 11 am ET, to learn how. Register here: http://go.carbonite.com/security-threat/blog

Consultant Robert Siciliano is an expert in personal privacy, security and identity theft prevention. Learn more about Carbonite’s cloud and hybrid backup solutions for small and midsize businesses. Disclosures.

Beware of ALL these Scams

Scams targeting older people are probably very under-reported, as seniors don’t want to appear senile. The most vulnerable group is educated men over 55, because, quite frankly, they think they know everything.

Sweepstakes/Lottery

  • This scam comes in many forms, but the common denominator is that you’re requested to pay a fee or taxes.
  • A legit sweepstakes or prize event never requires payment.

Kids/Grandkids Need Money

  • The scammer relies on the odds that the randomly-called senior has trouble hearing.
  • The scammer says, “This is your favorite grandson!” Invariably, the victim announces the grandson’s name. The scammer takes it from there, convincing the victim to send money.

Home Repair

  • A man in a worker’s uniform, complete with company logo, appears at your door, offering to do some service. They may actually perform it, but will overcharge and/or not complete it.
  • Others are there only to case your home for a future robbery.
  • A legitimate company does not go door to door.

Cyber Help

  • A call from someone claiming to be from Microsoft or some other tech giant, claiming your computer has a virus, is a scam.
  • The scam includes background noise that sounds like a busy call center.
  • This scam is also conducted via e-mail.

Dating

  • Never give money to someone you met through an online dating service.
  • If they sound and look too good to be true, they probably are. A sudden sob story in which they desperately need money is a cue for you to run for the hills.

Uncle Sam

  • Through a phone call or e-mail, you’re notified you owe back taxes or that a refund is owed to you (and you must pay a fee to get it). SCAM!
  • The crook can make the caller ID look like the IRS.
  • The caller may threaten to have you arrested or pose as a sheriff.
  • If you owe or are owed, the IRS will always snail mail you.

Ugly Baby

  • You’re approached by a woman while you push a stroller. She says your baby/grandchild is ugly.
  • While you react to this, her accomplice pick-pockets your purse.
  • Distraction scams can come in many forms.

Investments

  • A call out of the blue from an “investment advisor” is very likely a scam.
  • Seek financial counseling only from a reputable service.

Identity Theft

  • Never give personal information over the phone unless you called that company (and, say, want to purchase something).

POA

  • Never give power of attorney to someone you know only casually or without a lawyer to review the document.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Protect from Personal Loan Scam

Are you thinking of getting a personal loan? Hopefully you have a high credit score, as this will give you a better chance of getting the loan through a legitimate company. But even if your credit is excellent, you need to be aware of the personal loan scams out there.

Not Respecting Your Limit

  • You don’t want to do business with a lender that pressures you into borrowing more than you can handle.

Upfront Payment

  • You should never have to pay any fees for the application process. If you’re requested to do this, move on.

Pumped up Interest Rate

  • Know what the going interest rate is. A good lender will quote you near this average rate.
  • A bad lender will recognize the desperation of the applicant with bad credit and try to sock them with an abnormally high interest rate.

Us and Only Us

  • Be suspicious of lenders that don’t like the idea of you shopping around for better rates.
  • This is a red flag that they have questionable loan practices.

Location, Location

  • An honest, legitimate lender or bank has a verifiable physical address. Get this confirmed with Google maps.
  • If you can’t, move on. But know that even a predatory lender may have a very solid physical address.

Solicitations

  • As in ones you didn’t request. Watch out for banks that send you unsolicited invitations for a personal loan application.

Don’t Be Intimidated

  • Because a seedy outfit may want to scare you into closing on their loan. But they can’t do anything to you, even if they use the term “legal action.”
  • If you want to reject their loan offer, then do so.

SSN

  • Does the lender want your Social Security number? This is fine if they’re wanting to do a credit check.
  • If they’re not doing a credit check but want your SSN, move on.

Signing Empty Documents

  • Do not sign anything that does not have the interest rate, terms, loan amount, monthly payment and other crucial information.
  • Before signing anything, make sure there are no blank areas that can be filled in later.
  • Run if the lender wants you to sign something that’s missing information.

Guaranteed!

  • Is a bank guaranteeing your personal loan? Sounds great, right?
  • Not so fast. They cannot do this if they have not verified your financial history or credit history.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

How to recycle Old Devices

When it comes to tossing your old computer device into the rubbish, out of sight means out of mind, right? Well yeah, maybe to the user. But let’s tack something onto that well-known mantra: Out of sight, out of mind, into criminals’ hands.

Your discarded smartphone, laptop or what-have-you contains a goldmine for thieves—because the device’s memory card and hard drive contain valuable information about you.

Maybe your Social Security number is in there somewhere, along with credit card information, checking account numbers, passwords…the whole kit and caboodle. And thieves know how to extract this sensitive data.

Even if you sell your device, don’t assume that the information stored on it will get wiped. The buyer may use it for fraudulent purposes, or, he may resell to a fraudster.

Only 25 states have e-waste recycling laws. And only some e-waste recyclers protect customer data. And this gets cut down further when you consider that the device goes to a recycling plant at all vs. a trash can. Thieves pan for gold in dumpsters, seeking out that discarded device.

Few people, including those who are very aware of phishing scams and other online tricks by hackers, actually realize the gravity of discarding or reselling devices without wiping them of their data. The delete key and in some cases the “factory reset” setting are worthless.

To verify this widespread lack of insight, I collected 30 used devices like smartphones, laptops and desktops, getting them off of Craigslist and eBay. They came with assurance they were cleared of the previous user’s data.

I then gave them to a friend who’s skilled in data forensics, and he uncovered a boatload of personal data from the previous users of 17 of these devices. It was enough data to create identity theft. I’m talking Social Security numbers, passwords, usernames, home addresses, the works. People don’t know what “clear data” really means.

The delete button makes a file disappear and go into the recycle bin, where you can delete it again. Out of sight, out of mind…but not out of existence.

What to Do

  • If you want to resell, then wipe the data off the hard drive—and make sure you know how to do this right. There are a few ways of accomplishing this:

Search the name of your device and terms such as “factory reset”, “completely wipe data”, “reinstall operating system”, etc., and look for various device-specific tutorials and in some cases 3rd-party software to accomplish this.

  • If you want to junk it, then you must physically destroy it. Remove the drive; there are numerous online tutorials for this too. Get some safety glasses, put a hammer to it or find an industrial shredder.
  • Or send it to a reputable recycling service for purging.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Beware of these 10 Job Hunting Scams

Just because a job recruiter says he’s from (fill in blank—any huge corporation) doesn’t mean the job can’t be a scam. Anyone could say they’re from Microsoft or Google. Impersonating a representative from a big-name company is one way to fool gullible job seekers.

Another way is to advertise the scam jobs on radio because the scammer knows that listeners will think, “It has to be legit if it’s on the radio.” Scammers will post their job ads anywhere.

An article on consumer.ftc.gov lists the following signs of a fraudulent job advertisement:

  • There are plenty of totally legitimate jobs that involve money out of your pocket. And in some cases, this may be described as an application fee, reference check fee, background check, cost of training materials or anything else. Only pay when the site itself has been vetted by you and everyone else. Do your research!
  • The ad talks of “previously undisclosed” federal government positions. The scammer is banking that you have no idea that usajobs.gov lists all federal job openings to the public.
  • They want your bank account or credit card information. Be very aware.

Similarly, scammers may prey on people seeking a job placement service. The consumer.ftc.gov article names the following red flags:

  1. Fictitious jobs are promoted.
  2. Payment is made but no job materializes—and the service suddenly falls off the radar.
  3. If the ad mentions a company, contact that company to verify they’re contracted with the job placement service before you make your next move.
  4. Never make major decisions without first getting everything in writing: cost, what it gets you, etc.
  5. Ask them what happens if they can’t place you in a compatible position. Then listen good. If the response doesn’t make sense or is vague, move on. If they assure you you’ll get a refund within a certain period of time, make sure this is in writing.
  6. But if you decide to go with them, read your contract word for word. If they show impatience with this, it’s a red flag.
  7. Beware of ads that sound like job openings, but actually are just worded to sound that way. These semi-scammers want you to pay them to give you information you can easily find online. A classic example is an ad for writing jobs. It’s worded to sound like the ad placer can connect you with clients—whom they are working for—who need a writer. Instead you’ll be paying for a list of freelance markets, such as some boating magazine seeking submissions—when you specialize in a completely unrelated niche.
  8. Make sure you know precisely what you’re getting into. Are you seeking help with job placement or looking for someone to construct your resume?
  9. See what the BBB says about the company and what a Google search pulls up.
  10. Just because you have to pay doesn’t mean it’s a scam. However…ask yourself why you need to pay someone thousands of dollars to find you a job, what with all the online (and legitimate) job postings and the ability to blast out hundreds of e-mail queries in just a few days with your resume attached?

By keeping their scam radar on high during a job search, job seekers can keep their personal information and financial data out of the hands of criminals.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him discussing internet and wireless security on Good Morning America. Disclosures.

Seniors big Target for Romance Scams

Janet N. Cook, 76, was duped by a dashing younger man. A report at nytimes.com explains that in July 2011 she connected with Kelvin Wells via a dating site.

Next thing, this seemingly-together man was in trouble and needed lots of money. Cook got burned; she sent the crook nearly $300,000 (amazing; just try to get a friend to give you $100).

The FBI’s Internet Crime Complaint Center warns:

  • If that wonderful man (or woman) sounds too good to be true and speaks poetically, e.g., “We were meant to be together,” run for the hills.
  • If they claim they love you, can’t live without you, etc., come on, this should turn you OFF, not ON.
  • Be suspicious of those claiming they’re originally from the U.S. but are now overseas or are entrenched in some heavy business or family situation.
  • Be leery of those insisting, very early on, that all communications be done via e-mail, phone or instant message (to avoid detection by the dating site).
  • If they claim they need you to send money for their travel expenses to meet you, make like an airplane and drop the bomb on them.
  • Older women are typical targets due to their accumulated wealth.

It’s a numbers game for these smooth-talking scammers. They keep hunting ‘til they find that lonely, vulnerable victim, usually a woman living by herself who becomes enthralled at all the gushy e-mails and phone calls from Mr. Dashing. He may have told his sob story to 500 women just to land one victim, but for $300,000, it’s time well spent.

According to the IC3, about 6,000 people reported such scams between July 1 and December 31 of 2014.

Is this $300,000 an anomaly? The nytimes.com article tells of a woman in Pensacola, Florida who gave her swindler $292,000.

Victims aren’t necessarily uneducated. The article cites Louise B. Brown, a nurse from Vermont, who’d been scammed. Brown, 68, met Thomas on Match.com. He was about to leave for Malaysia (typical story; originally from the U.S. but currently living in or about to travel to a foreign land—HUGE red flag!). She sent Thomas $60,000 and ate up her savings. These guys must be good; where do they find such vulnerable victims?

Really, the rule is simple: If the guy asks you for money, drop him. End of story. But by the time these clever crooks tell you they’ve been robbed by bandits in a remote Southeast Asian village, the victim is already under his spell—but there were warning signs before even that happened (see above bullet list).

It took only three weeks for Betty L. Davies of Georgia to fall under the spell of Donald Leo Moore. Davies, 62, gave him a whopping amount of money after he claimed he’d been robbed while in Malaysia. Then his chemical engineering project ran into trouble and she gave him $20,000. He then needed $30,000 thanks to Singaporean officials. Total money lost: nearly $300,000.

“Script” of the Scammer

  • Build victim’s trust
  • Create sense of urgency

If Mr. Dashing has any of the aforementioned traits, immediately report him to law enforcement, even if you know the truth: That your lent money is gone forever.

Prevent Getting Scammed

  • I’m going to play psychologist here and ask you why you’d want to get involved with a man who travels. Think of all the hardships this would bring to a relationship. One of the common denominators in scammers is that they claim they’re overseas or will soon be going there.
  • Psychologist again: Lower your standards. MUST he have a glamorous job like international relations, foreign road construction or cruise ship engineering? MUST he type and speak like a poet? Swindlers will present themselves as very accomplished and above the common man.
  • MUST you equate constant attention from Mr. Dashing with compatibility and honesty? Cook was hooked by Kelvin’s constant attention.
  • MUST you travel to the Bahamas and Bermuda to be happy? Brown’s scammer promised her trips there.
  • Right-click on the man’s profile image to see where else online it shows up.
  • If his verbiage sounds canned, paste it into the search engine to see if it appears on romance scam sites.
  • Immediately alert the dating site when a suitor asks for money.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.