Top 3 Social Engineering Scams

Think about hackers breaking into accounts. If you think they need top-notch computer skills, you would be wrong. These days, instead of requiring skills behind a keyboard, hackers generally rely on strategy…specifically a strategy called social engineering. This means that hackers don’t have to be technical, but they DO have to be clever and crafty because they are essentially taking advantage of people and “tricking” them into giving information.

There are four main ways that hackers use social engineering:

  • Phishing – where hackers use email tricks to get account information
  • Vishing – similar to phishing, but through voice over the phone
  • Impersonation – the act of getting information in person
  • Smishing – getting account info through text messages

Phishing accounts for 77 percent of all social engineering incidents, according to Social Engineer, but in vishing attacks alone, businesses lose an average of $43,000 per account.

Here are the top scams that all consumers and businesses should know about as we move into 2017:

Scam Using the IRS

Starting from the holiday season and stretching through the end of tax season, there are scams involving the IRS. One such scam spoofs caller ID so that the caller’s true number is replaced with a Washington, D.C. number, making the call look like it comes from the IRS. Usually, the hacker already knows a lot about the victim, having obtained the information illegally, so the call sounds legitimate.

In this scam, the hacker tells the victim that they owe a couple of thousand dollars to the IRS. If the victim falls for it, the hacker explains that because the payment is late, it must be made via a money transfer, which is untraceable and nonrefundable.

BEC or Business Email Compromise Scam

In the business email compromise, or BEC scam, a hacker’s goal is to get into a business email account and get access to any financial data that is stored within. This might be login information, bank statements, or verifications of payments or wire transfers.

Sometimes a hacker will gain access to the email account by sending an attachment that contains malware. If an employee opens the file, the malware infects the computer and the hacker has an open door to come right in.

Another way that hackers use the BEC scam is to access the email of a CEO. In this case, they will impersonate the CEO and tell the financial powers that be that he or she requires a wire transfer to a bank account. This account, of course, belongs to the hacker, not the business. When most people get an email from their boss asking them to do something, they do it.

Ransomware

Finally, hackers are also commonly using ransomware against their victims. In this case, the hackers work on convincing targets to install dangerous software onto their computer. The software then locks the victim’s data so that he or she cannot access it…until a ransom is paid.

At this point, they are informed that they can get access back when they pay a ransom. This might range from a couple of hundred to several thousand dollars. Usually, the hackers demand payment by bank transfer, credit card, bitcoin, PayPal, or money transfer services. Victims are usually encouraged to go to a certain website or call a certain number. Unfortunately, too often, once the victim pays the ransom, the hacker never unlocks the system. So now, the hacker has access to the victim’s computer and their credit card or financial information.

The way social engineering works in this scam is varied:

One way is this…imagine you are browsing the internet, and then you get a popup warning that looks quite official, such as from the FBI. It might say something like “Our programs have found child pornography on your computer. You are immediately being reported to the FBI unless you pay a fine.” When you click the popup to pay, it actually downloads spyware to your computer that will allow the hacker to access your system.

Another way that social engineering works with ransomware is through voice. In this case, you might get a phone call from someone saying they are from Microsoft and the representative tells you that they have scanned your computer and have found files that are malicious. Fortunately, they can remotely access the machine and fix the problem, but you have to install a program to allow this. When you install it, you give them access to everything, including personal and financial information, and they can do what they want with it.

Finally, you might get an email offering a free screen saver or coupon, but when you open it, the software encrypts your drive and takes over your computer.

Robert Siciliano personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Ransomware a $2.5 Million Service

One bitcoin = $590.

If you’re sucked into a ransomware scam, you’ll likely be charged at least one bitcoin for the cyber key to unlock your computer’s files—that are being held hostage by hackers.

A report from Check Point Software Technologies and IntSights has discovered a gigantic ransomware-as-a-service (RaaS) ring, raking in $2.5 million yearly. Eight new scam campaigns are launched every day, with dozens of campaigns already in action, tricking people into allowing the ransomware software (namely Cerber) to take control of their computer.

In July alone, it is believed that victims were cleaned out of $200,000. Ransomware specialists have become quite sophisticated, having developed what is called bitcoin mixing: This prevents ransomware profits from being traced. Their technique bypasses even the blockchain, which is a database that records every Bitcoin transaction.

The crooks do not pool all of their profits into one “wallet,” but rather, they mix things up, splintering the profits into thousands of different wallets, creating a jumble that makes it impossible to track individual transactions or their origins.

Cerber is being sent out with automated tools that attack the unsuspecting in large masses; no longer is this ransomware software the weapon of only the highly skilled master hacker. In fact, the software can even be rented for malicious use, and a high level of tech savvy isn’t even required.

All a thief need do is get on the Dark Web and pay a hacker to commit the crime. Of course, the hacker will have to get a nice chunk of the pie. Though several other countries are getting hit harder with Cerber, the U.S. is in the fourth spot for the most targeted country.

Not surprisingly, the phishing e-mail is the scam of choice for ransomware specialists, with malicious attachments that recipients are tricked into opening—which then download the infection. The other way that Cerber takes control of computers is via the exploit kit-based campaign.

Robert Siciliano personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Beware of the Jury Duty Scam

Imagine getting a call from someone identifying themselves as a federal court official or U.S. Marshal, informing you that your arrest is imminent unless you pay a cost—all because you failed to respond to a jury summons (which you don’t remember getting). I’d like to think that you’d immediately smell the rotten scam here and hang up, but unfortunately, many adults fall for this jury duty scam.

First off, let me get it off my chest: Who the devil ever heard of being arrested or fined for not responding to a jury summons? This farce isn’t even depicted in any of the slew of crime and law dramas that have been on TV for decades.

But the scammer relies on inducing enough fear in the targeted person to win them over. These scammers are sophisticated and even have call centers, says Melissa Muir, quoted in an article on uscourts.gov. She’s director of Administrative Services for the U.S. District Court of Western Washington. She points out that a federal court will never call someone and make threats or demand payments.

So if you hear what sounds like a bustling call center in the background of the call, assume this is staged to make the call sound official.

So what is the federal court’s response when someone ignores a jury summons?

  • The court clerk’s office will contact you.
  • You may be required to appear in court before a judge.
  • At the court, the judge may order that you pay a fine—but not before you’re given the chance to explain why you failed to appear for your jury summons.

If you get a fraudulent call, do not give out any information; hang up. Call your local court clerk’s office or the U.S. Marshal’s Service office for peace of mind: Check if you really did miss a jury summons, but chances are extremely high, and I mean higher than a kite, that the call was a scam.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

How to prevent IRS scams

Once a thief knows your Social Security number…you’re at very high risk for having your identity stolen.

A report on bankrate.com says that the IRS is warning of a cyber attack on its electronic filing PIN application. Thieves infiltrated it with malware in an attempt to claim other people’s refunds as their own. Over 450,000 SSNs were involved, and over 100,000 of them enabled the hackers to access an E-file PIN.

Endless scams are directed towards SSNs, like the classic phishing attack. A phishing attack basically goes as follows:

  • An e-mail arrives with an alluring or threatening subject line, which may actually be a warning to protect your SSN.
  • The e-mail looks legitimate, complete with logos and privacy information at the bottom.
  • The hacker’s goal is to get you to fill out a form that includes typing in your SSN.
  • The FTC warns of a “Get Protected” subject line for the latest scam. This scam e-mail mentions the “S.A.F.E. Act 2015” that protects against fraudulent use of SSNs.
  • Like many phishing e-mails, the “Get Protected” one contains fake information.
  • These e-mails include a link that, when clicked, will release a virus, or take you to a website that will download a virus or lure you into revealing sensitive information.
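The BEC pattern described earlier (an executive’s display name on a message from an outside address, asking for an urgent wire) and the “Get Protected” phishing pattern above can be screened for with the same mail-triage heuristics. This is an added example, not code from the original post; the company domain, executive roster, keyword patterns and all three sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical company domain and executive roster (assumed for the example).
COMPANY_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe": COMPANY_DOMAIN}

URGENCY = re.compile(r"\b(urgent|immediately|asap|today|right away)\b", re.I)
WIRE = re.compile(r"\b(wire transfer|wire|bank account|routing number)\b", re.I)
SSN = re.compile(r"\b(social security|ssn)\b", re.I)
THREAT = re.compile(r"\b(arrest|suspend|penalt|legal action|reported)\w*", re.I)
HREF = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
RISKY_EXT = (".exe", ".js", ".scr", ".zip", ".docm")


def message_text(msg):
    """Concatenate the text/plain and text/html parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode("utf-8", "replace"))
    return "\n".join(chunks)


def score_message(raw):
    """Return (score, reasons) for one raw RFC 822 message string."""
    msg = message_from_string(raw)
    reasons = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower()

    # BEC tell: an executive's display name on a message from an outside domain.
    exec_domain = EXECUTIVES.get(name.strip().lower())
    if exec_domain and from_domain != exec_domain:
        reasons.append("executive display name from external domain")

    # Replies silently diverted to another mailbox.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rsplit("@", 1)[-1].lower() != from_domain:
        reasons.append("Reply-To domain differs from From domain")

    body = message_text(msg)
    text = msg.get("Subject", "") + "\n" + body
    if URGENCY.search(text) and WIRE.search(text):
        reasons.append("urgent wire/payment request")
    if SSN.search(text):
        reasons.append("asks for Social Security number")
    if THREAT.search(text):
        reasons.append("threat language")

    # Link text that shows one domain while the href points somewhere else.
    for href, anchor in HREF.findall(body):
        target = (urlparse(href).hostname or "").lower()
        shown = re.search(r"([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", anchor, re.I)
        if shown and shown.group(1).lower() not in target:
            reasons.append(f"link text {shown.group(1)} points to {target}")

    # Attachments of the kind that commonly carry malware.
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith(RISKY_EXT):
            reasons.append(f"risky attachment {filename}")
    return len(reasons), reasons


# Constructed sample messages (not real mail); 203.0.113.0/24 is a documentation range.
BEC_SAMPLE = """From: Jane Doe <jane.doe@mail-example.net>
To: cfo@example-corp.com
Subject: Urgent: wire transfer needed today

Please process a wire transfer to the account below asap.
I'm in a meeting and cannot take calls.
"""

PHISH_SAMPLE = """From: IRS Security <notice@example.invalid>
To: victim@example.com
Subject: Get Protected
Content-Type: text/html

<p>Under the S.A.F.E. Act 2015 you must verify your Social Security number
within 24 hours or your refund will be suspended.</p>
<p><a href="http://203.0.113.5/verify">irs.gov/protect</a></p>
"""

LEGIT_SAMPLE = """From: Jane Doe <jane.doe@example-corp.com>
To: staff@example-corp.com
Subject: Staff meeting moved to 3pm

The weekly staff meeting is moved to 3pm. Bring your status notes.
"""

if __name__ == "__main__":
    for label, sample in (("BEC", BEC_SAMPLE), ("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, score_message(sample))
```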

Three Ways to Get Scammed

Most people make important decisions based on emotion. Cyber thieves know this, and they prey on fear, greed and generosity.

  • People aren’t thinking straight when emotions are ruling. Logic gets swept under the rug. There’s pressure to act quickly, such as helping the scammer (who pretends to be a grandchild of the victim) who was in an accident: wire money asap. Natural disaster scams prey on the desire to give. The emotion of greed is manipulated in “You’ve Won!” and inheritance scams.
  • Of course, before the fraudster plays with emotions like a cat playing with a mouse, he first gains your trust, pretending to like the same things you do, whatever it takes so that you don’t question him.
  • Scammers are adept at appearing credible, such as tricking your caller ID into showing “IRS” or the name of your bank in the ID field. They may have a snazzy website up, a “badge number,” noise in the background to simulate a call center, even a fake accent.
  • Remember, scammers are pros. It’s going to seem legitimate.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing identity theft prevention.

Beware of ALL these Scams

Scams targeting older people are probably very under-reported, as seniors don’t want to appear senile. The most vulnerable group is educated men over 55, because, quite frankly, they think they know everything.

Sweepstakes/Lottery

  • This scam comes in many forms, but the common denominator is that you’re requested to pay a fee or taxes.
  • A legit sweepstakes or prize event never requires payment.

Kids/Grandkids Need Money

  • The scammer relies on the odds that the randomly-called senior has trouble hearing.
  • The scammer says, “This is your favorite grandson!” Invariably, the victim announces the grandson’s name. The scammer takes it from there, convincing the victim to send money.

Home Repair

  • A man in a worker’s uniform, complete with company logo, appears at your door, offering to do some service. They may actually perform it, but will overcharge and/or not complete it.
  • Others are there only to case your home for a future robbery.
  • A legitimate company does not go door to door.

Cyber Help

  • A call from someone claiming to be from Microsoft or some other tech giant, claiming your computer has a virus, is a scam.
  • The scam includes background noise that sounds like a busy call center.
  • This scam is also conducted via e-mail.

Dating

  • Never give money to someone you met through an online dating service.
  • If they sound and look too good to be true, they probably are. A sudden sob story in which they desperately need money is a cue for you to run for the hills.

Uncle Sam

  • Through a phone call or e-mail, you’re notified you owe back taxes or that a refund is owed to you (and you must pay a fee to get it). SCAM!
  • The crook can make the caller ID look like the IRS.
  • The caller may threaten to have you arrested or pose as a sheriff.
  • If you owe or are owed, the IRS will always snail mail you.

Ugly Baby

  • You’re approached by a woman while you push a stroller. She says your baby/grandchild is ugly.
  • While you react to this, her accomplice pick-pockets your purse.
  • Distraction scams can come in many forms.

Investments

  • A call out of the blue from an “investment advisor” is very likely a scam.
  • Seek financial counseling only from a reputable service.

Identity Theft

  • Never give personal information over the phone unless you called that company (and say, want to purchase something).

POA

Never give power of attorney to someone you know only casually or without a lawyer to review the document.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Beware of Hot and Cold Reading Scams

Many so-called psychics are frauds. But so are some auto mechanics, lenders and roofers. There’s fraud in just about all lines of work.

What we do know is this: There’s not enough evidence to refute paranormal phenomena. Nor enough to prove it beyond a doubt.

And we also know this: There exist scams involving hot and cold readings.

I could give a scam reading to a flamboyant, colorfully-dressed woman (whom I’ve known for only a minute) with big hair, lots of costume jewelry and a supersonic laugh.

I could tell her she’s attracted to quiet, analytical, detail-oriented, very serious men whose eyes well up during sappy movies. She’ll pay me $100 for my “reading” and think I’m a psychic. What she doesn’t know is that I know that people with “sanguine” temperaments are attracted to the “melancholy” temperament.

I didn’t “read” her based on psychic abilities. I “read” her based on a book about temperaments I read years ago. Some people get really good at cold readings and make money off of this.

Hot Readings

You have an appointment with a woman. You find her Facebook page (because you got enough preliminary information to achieve this). You learn all about her. You look her up on LinkedIn too.

Come appointment (reading) time, you start telling her things about herself, flooring her. Scammers can cunningly extract information via other routes as well, but the bottom line is that the crook gets information ahead of time and pretends it’s only just coming up during the reading.

Cold Readings

The information is gleaned right on the spot—via skilled observational powers. Typically the cold-reader begins broadly, such as, “You’re very sad these days,” watching the customer’s body language and facial reactions, and then making deductions based on those.

The reading is very carefully worded to cover the possibility that the deductions are wrong. The scammer might say, “A person very dear to you is no longer around,” instead of the specific, “A person very dear to you has recently died.”  All possible reasons for the “loss” are covered with the ambiguous statement.

Cold readings to a large group are a joke, because the scammer will announce something that, by the law of averages, will apply to several people in the group. He then narrows it down from there.

There may be many honest, true psychics out there (some police departments use them for missing-persons cases, believing there must be some fire behind all the smoke).

But beware of the scammers. Don’t pay someone to tell you something about your life that’s already on Facebook or evident in your clothing and mannerisms.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Protect from Personal Loan Scam

Are you thinking of getting a personal loan? Hopefully you have a high credit score, as this will give you a better chance of getting the loan through a legitimate company. But even if your credit is excellent, you need to be aware of the personal loan scams out there.

Not Respecting Your Limit

  • You don’t want to do business with a lender that pressures you into borrowing more than you can handle.

Upfront Payment

  • You should never have to pay any fees for the application process. If you’re requested to do this, move on.

Pumped up Interest Rate

  • Know what the going interest rate is. A good lender will quote you near this average rate.
  • A bad lender will recognize the desperation of the applicant with bad credit and try to sock them with an abnormally high interest rate.

Us and Only Us

  • Be suspicious of lenders that don’t like the idea of you shopping around for better rates.
  • This is a red flag that they have questionable loan practices.

Location, Location

  • An honest, legitimate lender or bank has a verifiable physical address. Get this confirmed with Google maps.
  • If you can’t, move on. But know that even a predatory lender may have a very solid physical address.

Solicitations

  • That is, ones you didn’t request. Watch out for banks that send you unsolicited invitations for a personal loan application.

Don’t Be Intimidated

  • Because a seedy outfit may want to scare you into closing on their loan. But they can’t do anything to you, even if they use the term “legal action.”
  • If you want to reject their loan offer, then do so.

SSN

  • Does the lender want your Social Security number? This is fine if they’re wanting to do a credit check.
  • If they’re not doing a credit check but want your SSN, move on.

Signing Empty Documents

  • Do not sign anything that does not have the interest rate, terms, loan amount, monthly payment and other crucial information.
  • Before signing anything, make sure there are no blank areas that can be filled in later.
  • Run if the lender wants you to sign something that’s missing information.

Guaranteed!

  • Is a bank guaranteeing your personal loan? Sounds great, right?
  • Not so fast. They cannot do this if they have not verified your financial history or credit history.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Seniors big Target for Romance Scams

Janet N. Cook, 76, was duped by a dashing younger man. A report at nytimes.com explains that in July 2011 she connected with Kelvin Wells via a dating site.

Next thing, this seemingly-together man was in trouble and needed lots of money. Cook got burned; she sent the crook nearly $300,000 (amazing; just try to get a friend to give you $100).

The FBI’s Internet Crime Complaint Center warns:

  • If that wonderful man (or woman) sounds too good to be true and speaks poetically, e.g., “We were meant to be together,” run for the hills.
  • If they claim they love you, can’t live without you, etc., come on, this should turn you OFF, not ON.
  • Be suspicious of those claiming they’re originally from the U.S. but are now overseas or are entrenched in some heavy business or family situation.
  • Be leery of those insisting, very early on, that all communications be done via e-mail, phone or instant message (to avoid detection by the dating site).
  • If they claim they need you to send money for their travel expenses to meet you, make like an airplane and drop the bomb on them.
  • Older women are typical targets due to their accumulated wealth.

It’s a numbers game for these smooth-talking scammers. They keep hunting ‘til they find that lonely, vulnerable victim, usually a woman living by herself who becomes enthralled at all the gushy e-mails and phone calls from Mr. Dashing. He may have told his sob story to 500 women just to land one victim, but for $300,000, it’s time well spent.

According to the IC3, about 6,000 people reported such scams between July 1 and December 31 of 2014.

Is this $300,000 an anomaly? The nytimes.com article tells of a woman in Pensacola, Florida who gave her swindler $292,000.

Victims aren’t necessarily uneducated. The article cites Louise B. Brown, a nurse from Vermont, who’d been scammed. Brown, 68, met Thomas on Match.com. He was about to leave for Malaysia (typical story; originally from the U.S. but currently living in or about to travel to a foreign land—HUGE red flag!). She sent Thomas $60,000 and ate up her savings. These guys must be good; where do they find such vulnerable victims?

Really, the rule is simple: If the guy asks you for money, drop him. End of story. But by the time these clever crooks tell you they’ve been robbed by bandits in a remote Southeast Asian village, the victim is already under his spell—but there were warning signs before even that happened (see above bullet list).

It took only three weeks for Betty L. Davies of Georgia to fall under the spell of Donald Leo Moore. Davies, 62, gave him a whopping amount of money after he claimed he’d been robbed while in Malaysia. Then his chemical engineering project ran into trouble and she gave him $20,000. He then needed $30,000 thanks to Singaporean officials. Total money lost: nearly $300,000.

“Script” of the Scammer

  • Build victim’s trust
  • Create sense of urgency

If Mr. Dashing has any of the aforementioned traits, immediately report him to law enforcement, even if you know the truth: That your lent money is gone forever.

Prevent Getting Scammed

  • I’m going to play psychologist here and ask you why you’d want to get involved with a man who travels. Think of all the hardships this would bring to a relationship. One of the common denominators in scammers is that they claim they’re overseas or will soon be going there.
  • Psychologist again: Lower your standards. MUST he have a glamorous job like international relations, foreign road construction or cruise ship engineering? MUST he type and speak like a poet? Swindlers will present themselves as very accomplished and above the common man.
  • MUST you equate constant attention from Mr. Dashing with compatibility and honesty? Cook was hooked by Kelvin’s constant attention.
  • MUST you travel to the Bahamas and Bermuda to be happy? Brown’s scammer promised her trips there.
  • Right-click on the man’s profile image to see where else online it shows up.
  • If his verbiage sounds canned, paste it into the search engine to see if it appears on romance scam sites.
  • Immediately alert the dating site when a suitor asks for money.
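The last two checks above (looking for the suitor’s canned wording elsewhere and watching for the IC3 red flags) can be approximated offline with a word-trigram similarity check against a small corpus of known scripts plus a few pattern matches. This is an added example, not code from the original post; the scripts, the red-flag patterns, the 0.5 threshold and the sample messages are all constructed for illustration.

```python
import re

# Constructed examples of canned romance-scam scripts (not real scam text).
KNOWN_SCRIPTS = [
    "My dearest, I feel like we were meant to be together. I have never felt this "
    "way. I am currently working on an oil rig overseas and will be home soon.",
    "I need you to send the money by Western Union for my travel expenses so I "
    "can finally come and meet you.",
]

# Red flags modelled on the IC3 list; the regexes themselves are assumptions.
RED_FLAGS = {
    "poetic devotion": re.compile(r"meant to be together|cannot live without you|soul ?mate", re.I),
    "claims to be overseas": re.compile(r"\b(overseas|abroad|deployed|oil rig)\b", re.I),
    "asks for money": re.compile(r"\b(send money|travel expenses|plane ticket|western union|gift card)\b", re.I),
    "moves off the dating site": re.compile(r"\b(whatsapp|hangouts|text me|my personal email)\b", re.I),
}


def shingles(text, n=3):
    """Set of lower-cased word n-grams; punctuation is ignored."""
    words = re.findall(r"[a-z0-9']+", text.lower())
    return {" ".join(words[i:i + n]) for i in range(len(words) - n + 1)}


def jaccard(a, b):
    """Jaccard similarity of two sets (0.0 when both are empty)."""
    return len(a & b) / len(a | b) if (a or b) else 0.0


def canned_score(message, scripts=KNOWN_SCRIPTS):
    """Highest trigram similarity between the message and any known script."""
    target = shingles(message)
    return max((jaccard(target, shingles(s)) for s in scripts), default=0.0)


def red_flags(message):
    """Sorted labels of every red-flag pattern that matches the message."""
    return sorted(label for label, pat in RED_FLAGS.items() if pat.search(message))


def assess(message, threshold=0.5):
    """Combine script similarity and red flags into a simple verdict."""
    flags = red_flags(message)
    sim = canned_score(message)
    verdict = "likely scam" if sim >= threshold or len(flags) >= 2 else "no strong signal"
    return {"similarity": round(sim, 3), "flags": flags, "verdict": verdict}


# Constructed sample messages: one lifted almost verbatim from a script, one ordinary.
SAMPLE_MESSAGE = (
    "My dearest, I feel like we were meant to be together. I have never felt this way. "
    "I am currently working on an oil rig overseas and will be home soon. "
    "Please send money for my flight."
)
UNRELATED_MESSAGE = (
    "Thanks for the book recommendation. I finished it last night and loved the ending."
)

if __name__ == "__main__":
    print(assess(SAMPLE_MESSAGE))
    print(assess(UNRELATED_MESSAGE))
```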

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Catfishing Scammer tells all

Catfishing is when someone creates a phony online account—and not necessarily to scam someone for financial gain. An article on vice.com tells all about a person who’s been catfishing for eight years.

She started in middle school by creating “Joey” on MySpace. She then commented, as “Joey,” on her real MySpace page to make it appear that some cool kid named Joey thought she was pretty.

She got older and didn’t have friends. Don’t blame her for this. Her mother was an addict and father behind bars. She wanted friends, but years of abuse impaired her ability to integrate with people—as herself.

So she created more fake accounts, to create the self she wanted to be. She snatched photos of a cool-looking girl on MySpace and created an account for “Amanda Williams.” The common name would make detection of catfishing impossible.

Because Amanda’s photo was stunning and her account presented with confidence, many people began adding her and sending flattering messages and friend requests.

Our girl here spent loads of free time on social media, constructing Amanda’s life. (Can you see how it’s believable that many adults do this with Facebook? There’s even a site where you can hire a Photoshop specialist to alter and beautify your headshot for only five bucks, and shop you onto a galloping horse or a sailing boat.)

One day our girl, posing as Amanda, messaged a classmate that Amanda liked her, figuring that this would get out and make the other kids think she was cool if Amanda liked her.

But she got busted because it was discovered that Amanda’s phone number was the same as hers.

Then she was hooked on catfishing, and this awful experience only taught her to be more cunning. So she created a new account—with the same photos used for Amanda Williams (not a bright idea), but she blocked her classmates.

After ninth grade, she was transferred to a vocational school due to bullying. All free time was spent on social media doing you-know-what.

More clever this time, she gradually added about 150 “filler friends” to make the account look legitimate, then began adding desired friends. She’d steal photos from Facebook and then block that person’s friends to avoid getting busted.

She then created subaccounts to add to the authenticity. This was done by taking Instagram videos and posting to Facebook. She used Photoshop to fake the “proof” signs.

The phony Amanda Williams account, studded with stolen photos, backstories and fake friends, made our unfortunate girl feel validated. But to her, the fake friends of Amanda Williams were real enough to “speak” to. Those made-up friends cared about her. They were more real to her than people in real life who didn’t care.

She even managed to lasso a cyber relationship through Amanda Williams, but her conscience won out and she fessed to the young man the truth. He vanished after that. But it haunts her because she wonders if she could have accomplished this without Amanda.

She admits to being addicted to catfishing for attention, which has prevented her from working on relationships with real people in person. She’s created more than 20 fake accounts thus far, excluding the subaccounts, which perhaps total 200. But she claims all of this has been therapeutic, though at the same time, heartbreaking.

Today she’s 21 and still friendless in real life. She’s never been employed. But she admits to how wasteful this addiction has been. She hardly leaves the house due to social anxiety; her reality is inside her computer.

She’s in therapy, though, and only one of the fake accounts is active. She can’t part with it. “My existence hinges on this fake account,” she says in the vice.com article. She raised Amanda as her child, giving her new hairstyles, even. Amanda grew up, but her creator is still crippled inside a cocoon.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

5 Auto Repair Scams

You take your car to the mechanic; it’s been making a funny grinding noise when you press on the gas pedal. The mechanic tells you what’s wrong and what needs to be fixed, then socks you with the estimate.

How can you tell he’s not embellishing a lot of the “diagnosis”? You know nothing about cars. You have to take his word for it. What if the second opinion is also from a scammer and sounds a lot like the first opinion? You’re screwed.

An article at carbuying.jalopnik.com describes five auto repair scams.

Charging for repairs you don’t need.

  • The mechanic says he fixed the problem.
  • The problem still persists.
  • You take the car back and he “diagnoses” the “real” problem and fixes that.
  • The problem still exists.
  • The game repeats but finally the issue is corrected, but you get charged for the first two “repairs,” which never had to be made in the first place. The mechanic scammed you, and this is illegal.

Saying something is wrong when it’s not.

  • What an easy way for a mechanic to make money and get away with it, especially if the “something wrong” is a small repair. He can really clean up if he pulls this stunt on dozens of customers.
  • A version of this is to find something out of place or not working optimally and tell you it needs to be replaced—even though a repair will fix the problem.
  • This is illegal in many states.

Overcharging for parts or labor.

  • It’s so easy for a mechanic to do this. How do you know that the four-hour job wasn’t really a two-hour job?
  • Do you know how much a shock absorber or new brakes should cost?
  • Though prices for the same product vary from one shop to the next, consider yourself scammed when the charge is way over the norm.
  • You also shouldn’t pay a mechanic for his inexperience. If he honestly took four hours to do a job that should have taken two hours, you should not be charged for the extra two hours.
  • Get a price and labor estimate before authorizing the work. AND GET IT IN WRITING.

Theft

  • Yes, mechanics have been known to steal valuables including performance features of the vehicle. Even taking a candy bar is illegal.
  • The shop may tell you to file an insurance claim. They’re scamming you because this isn’t how it should work. Since they had possession of your car, the onus is on them that something is missing.
  • Don’t leave valuables in your car.

Joyriding

  • In your car, that is.
  • After the work is completed, the mechanic takes your wheels for a spin.

Damaging your car by accident.

  • They owe you to fix the damage.

If you believe you were scammed, call your lawyer, not your insurance company.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.