Posts

Psychic and Fortune Tellers Are Scammers

A quick break here from security and security solutions to include you in on a little secret.

People all over the world, in addition to people I know and love spend money (sometimes mine) on “readings” thinking they are getting inside information on something such as an unforeseen life event or drummed up answers to questions about the past.

Mostly, the motivations behind a “normal” person going to a fortune teller or psychic are purely for fun. I have been to a few in the past, often pulled in while walking a boardwalk at a touristy event or when someone brings a psychic to a party to bring the party up a notch.

Generally the psychic provides a degree of information that when told, gets the listeners attention because the “inside info” couldn’t possibly be known otherwise.

But that inside information is often generic, or standard. Meaning chances are “there is a family member you are having a very difficult time with” and “you love them and have tried to patch things up but can’t” and “they just don’t understand you”

WHO ISN’T IN THAT SITUATION???!!!

One psychic told me she saw “red blood” in my future “from a type of accident”. I was wearing a leather vest with a long leave shirt that said “Harley Davidson” and carrying a helmet. She was insightful.

So when people get sucked into this they will often get rolled into spending more money to get more information so the fortune teller can solve all their problems.

Recent news of an educational foundation of sorts offered up a million dollar challenge to anyone who could prove they are a psychic. Nobody has taken the bait. Know why? Because anyone who takes the challenge would be discredited on a national stage.

Just this week in Florida a family of multi million dollar fortune tellers were arrested for using magic tricks claiming they were talking to the dead, and curing disease. Victims were giving up luxury cars, cash and gold coins to have the scammers fix all their problems.

There is a scam for everyone. Everyone is a mark, it’s just a matter of finding that persons scam spot.

PS, there is no such thing as UFO’s or ghosts either. Since billions of people now carry smartphones that record pictures and videos we have yet to see a ghost or UFO on camera.

Robert Siciliano personal and home security specialist to Home Security Source discussing scammers and thieves on The Big Idea with Donnie Deutsch. Disclosures.

Bad News For Banks: Courts Side With Customers

Who is responsible for financial losses due to fraud? The bank, or the customers whose accounts have been drained?

One Michigan judge recently decided in favor of Comerica Bank customers, holding the bank responsible for approximately $560,000 out of a total of nearly $2 million in unrecovered losses. A copy of the bench decision is available from Pierce Atwood LLP, and the firm also outlines significant highlights and observations regarding this case.

Clearly, the bank’s client, Experi-Metal, made some serious errors, but in the end, the bank paid the price. The court’s decision acknowledges that a vice president of Experi-Metal made the initial mistake of clicking on a link within a phishing email, which appeared to have been sent by Comerica but was in fact sent by a scammer. He then responded to a request for his Comerica account data, despite Comerica’s regular warnings about phishing scams and advice to never provide account information in response to an email. In doing so, the customer offered the scammer immediate online access to his company’s Comerica bank accounts. Naturally, the scammer began transferring money out of the accounts.

I’ll spare you the legalese and get to the nitty-gritty.

“The Court considered several factors as relevant to whether Comerica acted in good faith, including:

  • The volume and frequency of the payment orders and the book transfers that enabled the fraudster to fund those orders;
  • The $5 million overdraft created by those book transfers in what is regularly a zero balance account;
  • Experi-Metal’s limited prior wire activity;
  • The destinations (Russia and Estonia) and beneficiaries of the funds; and
  • Comerica’s knowledge of prior and current phishing attempts.

It was the Court’s inclination to find that a bank dealing fairly with its customer, under these circumstances, would have detected and/or stopped the fraudulent wire activity earlier. Furthermore, the Court found that Comerica “fails to present evidence from which this Court could find otherwise.”

This case means that Comerica and, by extension, all banks, must adhere more closely to the FFIECs recently released supplement to its previously released guidelines on authentication in an Internet banking environment, by adding multiple layers of security.

In this case, the computer or other device the scammer used to access Comerica’s website could surely have been traced overseas and flagged for: hiding behind a proxy, device anomalies such as a time zone and browser language mismatch, past history of online scams and identity theft, and the list goes on.

Financial institutions could protect users and themselves by incorporating device identification, device reputation, and risk profiling services to keep scammers out. Oregon-based iovation Inc. offers the world’s leading device reputation service, called ReputationManager 360, and is used by leading financial institutions to help mitigate these types of risk in their online channel.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses another databreach on Good Morning America. (Disclosures)

 

Device Intelligence Helps Stop Scammers Targeting Social Media Sites

We’ve heard this story before, but unfortunately it happens over and over again. Social media and dating sites are overrun with criminals who pose as legitimate, upstanding individuals, but are really wolves in sheep’s clothing.

In Florida, a man named Martin Kahl met a 51-year-old woman and they developed an online romance. A quick search for the name “Martin Kahl” turns up many men with the same name and no obvious signs of trouble.

This particular Martin Kahl told his online girlfriend that he would soon be working in Nigeria (red flag) on a construction project, but a short time later he informed her that the job had fallen through. He cried poverty and asked her to send him money, which she did.

(If there are people in your life who might be prone to falling for a scam like this, please reel them in immediately. Any of their financial transactions ought to require a cosignatory.)

Anyway, during their affair, Kahl claimed he had been arrested (red flag) on some bogus charge, and requested that the woman bail him out to the tune of $4,000, which she most likely paid via money wire transfer (red flag).

All told, she sent the scammer at least $15,000 during their relationship. Sadly, social media sites can do more to protect their users, and should take advantage of information that readily exists for them to use — the known reputations on over 650 million devices in iovation’s device reputation knowledge base. Computers that are new to these social networks dealing with scammers and spammers are rarely new to iovation.  They have seen these devices on retail, financial, gaming or other dating sites and will help social sites know in real-time, whether to trust them.

In the case above, the phone numbers used in the scam were traced overseas. The computer or other device the scammer used to go online could surely also have been traced overseas and could have been flagged for many things:  hiding behind a proxy, creating too many new accounts in the social network, device anomalies such as a time zone and browser language mismatch, past history of online scams and identity theft, and the list goes on.  Scammers in countries such as Ghana, Nigeria, Romania, Korea, Israel, Columbia, Argentina, the Philippines, or Malaysia conduct many of these scams, spending their days targeting consumers in the developed world.

Social media sites could protect users by incorporating device identification, device reputation, and risk profiling services to keep scammers out. Oregon-based iovation Inc. offers the world’s leading device reputation service, ReputationManager 360.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses Dating Security on E! True Hollywood Stories.  Disclosures

Disclosing Data, Despite Breaches

The ticker tape of data breaches in the last few months has been astounding. Many have called 2011 “The Year of The Hacker“ and that prognostication has rung true, without question. Halfway through the year, data breaches are an incessant news story.

And despite the constant stream of bad news, consumers continue divulging a tremendous amount of data to retailers, auction sites, dating sites, and gaming sites. While awareness of fraud and cybercrime is at an all time high, consumers seem to feel they don’t have much of a choice but to provide all their data.

People have grown to love the Internet and all the conveniences it offers, both commercially and socially. In my household, little people under five years old whack away at online iPhone games, never knowing what it’s like not to have the Internet.

Many seem to feel that their privacy is the price they must pay for all this connectedness and convenience, and are even willing to put their personal security at risk in exchange.

Scammers know and are capitalizing on this. There isn’t an online gamer, dater, social networker, or consumer today who isn’t at some level of risk.

While all necessary defenses must be employed to prevent hackers from compromising data, an additional layer of protection should be implemented to keep them off websites in the first place.

Every one of these platforms would do well to stem the tide of fraud by incorporating device reputation. One anti-fraud service offering fast and effective results is iovation’s ReputationManager 360. This service incorporates device identification, device reputation, and real-time risk profiling. Hundreds of online businesses prevent fraud and abuse by analyzing the computer, smartphone, or tablet connecting to their websites, and with iovation’s service, they stop 150,000 online fraudulent activities each day.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses another databreach on Good Morning America. (Disclosures)

Spear Phishing Leaves a Bloody Wound

Once criminal hackers get a person’s username and email address, they can begin to launch a targeted spear phish scam. Scammers copy the design of each breached entities outgoing email campaign and blast the breached list with “account update” or other ruses.

Gaming site Sega Pass was hacked. On the Sega Pass website it states, “we had identified that unauthorized entry was gained to our Sega Pass database.” Numerous outlets report hackers stole Sega Pass members’ email addresses, dates of birth, and encrypted passwords.

The recent Epsilon data breach resulted in a similar loss of data. Epsilon is a marketing company that sends over 40 billion emails a year, and keeps millions of consumer email addresses on file. When hackers breached Epsilon’s database, the email subscriber lists for over 100 major companies were compromised.

Consumers received breach notifications from financial institutions including Citigroup, Capital One, and JPMorgan Chase, and from hotels such as the Marriot and the Hilton.

All of these organizations customers are eternally susceptible to spear phish scams.

The Wall Street Journal reports that GlaxoSmithKline sent email notifications to consumers who had registered with any of GlaxoSmithKline’s websites for prescription or nonprescription drugs and products, warning that consumers’ names and email addresses had been hacked, and that the stolen data may have included the specific product websites where consumers registered.

GlaxoSmithKline provides medications that help victims of HIV and mental health disorders. The possibility of the stolen data being used to target the ill with spear phishing attacks is a major concern.

These kinds of breaches will have long-lasting effects on the public.

Never disclose personal information or login credentials in response to an unsolicited email. Never click links in an unsolicited email. Instead, use your bookmarks menu or type the address into your browser’s address bar. If your email address has been compromised, consider switching to a new address. Create new, unique passwords, without repeating the same password for multiple accounts.

With more than 11 million victims just last year identity theft is a serious concern.  McAfee Identity Protection offers proactive identity surveillance, lost wallet protection, and alerts when suspicious activity is detected on your financial accounts. Educate and protect yourself – please visit http://www.counteridentitytheft.com.

Robert Siciliano is a McAfee consultant and identity theft expert. See him explain how a person becomes an identity theft victim on CounterIdentityTheft.com (Disclosures)

ATM Scammers’ New Tactic: Glue

You can almost hear the scammers’ “Eureka!” moment in their evil dungeon lair: “We don’t need no stinking $5000 high-tech remote access Russian-built skimmer – we just need Elmer’s!” And then a crime is committed and history is made.

The San Francisco Examiner reported, “thieves glued down the ‘enter,’ ‘cancel’ and ‘clear’ buttons on the keypad and wait until the customer goes into the bank for help before withdrawing money from their account. The robbed customers have already punched in their PINs when they realize the keypad buttons are stuck. The unwitting customers either do not know that they can use the ATM touch screen to finish their transaction, or become nervous when the keypad isn’t working and react by leaving the ATM.”

Once the customer has gone into the bank to alert a manager or teller, the scammer walks up to the ATM and uses the touch screen to complete the transaction.

Amazing. Even more amazing is that if a criminal were caught gluing ATM keys, he would most likely only receive a misdemeanor vandalism charge, as opposed to a larceny, which would put him in jail. The law has yet to catch up with this new and brilliantly simple crime.

So if you happen upon a glued ATM remember that you can finish your transaction using the touch screen. Once you’ve done so, alert the bank manager as soon as possible so nobody else gets scammed!

When using an ATM, pay close attention to the machine and be alert for anything that seems out of place. Wires, double sided tape, odd configurations or skimming devices on the face of the ATM, or a card that gets stuck in the reader are all red flags.

Don’t necessarily use the first ATM you see. Choose ATMs in secure locations, and be on your guard, even when using an ATM at a bank branch.

Above all, check your bank statements at least once every two weeks, and refute unauthorized transactions within 30 days.

Robert Siciliano personal and home security specialist to Home Security Source discussing ATM skimming on Extra TV. Disclosures.

Scams Setting Record Pace

There is limit to what the criminal scammy mind can conjure up.

KMOV reports Scammers have been using military photos to trick unsuspecting women on dating websites into giving them money.

The scam artists use pictures of soldiers and post them as their own. Once they convince the women to trust them, they ask for money. The military says it gets a lot of complaints about scammers swiping official military photos and using them to create dating profiles.

Fox Memphis reports The Shelby County Office of Preparedness is keeping flood victims from becoming scam victims, and making sure they stay safe from fake contractors.

Homes across the county are going to need home repairs due to flooding, so the Office of Preparedness is asking contractors to register their business. The office will then issue ID cards that let flood victims know the contractor is real.

But it’s not just “people” getting scammed. It’s big companies too.

The Star Tribune reports A man admitted that from December 2004 through December 2005 he submitted phony invoices to Best Buy on behalf of his shipping company for electronic equipment that was never sent. He had Best Buy send the payments for those invoices, amounting to more than $900,000, to a post office box in Glenolden, Pa.

CliffView pilot reports A Hudson County con man admitted his role in a scheme to steal more than $4.4 million from several Voice Over Internet Protocol service providers by setting up shell companies that he and his cohorts claimed operated from the Empire State Building and other prominent addresses. His victims included AT&T, Cordial Communications, Digerati Networks, France Telecom, and others.

Whether you are an employee from a big or small company or just a concerned citizen you must keep your head up and pay attention to the “intentions” of all those you come in contact with. Whether over the phone, email, internet or mail, scammers are in full force and looking for their next mark.

Robert Siciliano personal and home security specialist to Home Security Source discussing ADTPulse on Fox News. Disclosures

Security Expert’s Credit Card Hacked

An excellent way to improve one’s level of security intelligence is to follow the writings of Robert X. Cringley, one of my favorite technology know-it-alls.

Anyway, Cringley’s credit card was recently hacked. And if his card can be hacked, anyone’s can. Like many cardholders, Cringley received a notification from his credit card company’s fraud department, informing him that his card data was being used overseas, on an online dating website.

A scammer used Cringley’s credit card number to create a fake profile, posing as a woman named Katya to lure desperate, unsuspecting men into dating scams.

Cringley determined that the IP address associated with the fraud was anonymized, going through numerous channels to disguise its origin. A Russia-based email address may mean Russian criminals are involved in the hack.

Cringley’s card was used to purchase Badoo credits, which are used to unlock certain features of the dating website, such as chatting with another user or requesting photos. The scammer used Cringley’s card to buy Badoo credits in numerous countries, making her profile internationally accessible.

Cringley surmises that his card data may have been skimmed when he used an ATM or handed his credit card to a store clerk or waiter, or possibly stolen when used to make an online purchase. Even if you are giving your card number to a legitimate online merchant, there’s always the risk they may get hacked. It’s also possible than an unknown worm could have slithered onto Cringley’s PC and sniffed out a credit card transaction.

Even a security expert’s PC can fall victim to hackers, and even someone who knows plenty about security can get hooked. So you must be that much more alert, aware, and on top these issues.

Websites like Badoo can eliminate scammers with device reputation scanning. Real-time device reputation checks, such as those offered by iovation, can detect computers that have been used for fraud, as well as expose all of the accounts associated with the suspicious device or group of devices, allowing websites to immediately shut down sophisticated fraud rings and fraudulent accounts.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft for the National Speakers Association. (Disclosures)

Scammers Spoof College Website

Reed College’s entire website was recently copied and replicated, but with the fictitious name “University of Redwood.” The Wall Street Journal reports, “Officials at Reed suspect the site is part of a scheme to collect application fees from prospective students in Hong Kong and Asia.” Presumably, scammers could simply collect a fee and then issue a rejection letter several weeks later.

Spoofed websites are generally created in order to phish for consumers’ personal information, or to accept credit card payments for products or services that will never be delivered.

In the case of the nonexistent University of Redwood, it’s entirely possible the website served as the front for a diploma mill.

Diploma mills were born alongside legitimate, accredited online universities. Diploma mills issue degrees that can be used to fraudulently obtain employment, promotions, raises, or bonuses. They can also be used as fake identification, to gain employment under an invented name, impersonate a licensed professional, or use fake documents to obtain a genuine ID with fraudulent information.

Diploma mills model themselves after accredited institutions, right down to the .edu web address. They may even incorporate part of an existing university’s name or logo into their own, or mimic an Ivy League school’s color scheme or website design.

Just like a legitimate school, a diploma mill may actually require students to purchase books, do homework, and take tests. Unlike a legitimate school, the diploma school may make passing a foregone conclusion. In many cases, students can simply purchase a diploma, no questions asked. Many of these organizations are nothing more than glorified print shops.

Before plunking down a dime on any learning institution, do your research. There are websites that publicly expose diploma mills, and the U.S. Department of Education recommends that you consult their database as well as additional sources of qualitative information.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft for the National Speakers Association. (Disclosures)

Elderly Scams Heating Up

Unfortunately the media is reporting lots and lots of scams directed towards the elder population. We’ve discussed these scams at length in these posts, and we are going to again today. As long as there are victims, we need to be reminded of how to protect those who need protecting.

Real time – real life examples are often the best teaching tool providing insight to the scammers process and what to look out for. Print this out or email it to someone who needs to be reminded:

Austin Texas, April 4, 2011: The austindailyherald.com reports “an 85-year-old rural Austin woman is out $3,800 after getting scammed by someone she believed was her granddaughter. The person told her she had been in a car accident in Mexico and needed her to wire money to pay for the accident.”

Perry County PA, March 22: WHPTV.com reports “An 84 year old woman fell victim to a phone call scam from someone saying they were from law enforcement and that her grandson needed bail money. They claimed he was in jail in Haiti. The scammer then put someone else on the line who claimed to be her grandson. She provided her credit card information and a driver’s license number. A charge was later received for $1400. That charge was made in Canada.”

Chicago IL, April 4: The Chicago Tribune reports: “An 86-year-old Tinley Park woman who told police she handed over her savings last week to a man she thought was investigating an earlier scam against her. A con artist posing as an investigator — in this case reportedly wearing glasses, a tan coat and dark dress pants and flashing a gold badge. A Chicago ring whose members allegedly posed as an FBI agent as well as bank and credit-card fraud investigators and stole roughly $100,000 from about 20 elderly victims.

In another Chicago case, an 80-year-old woman was persuaded by a police impersonator to withdraw $18,000 to pay her husband’s bail. She was so panicked, police said, she forgot to check if he was in jail.”

Toronto, April 7th: CityTV.com reports “Man charged with scamming 95-year-old woman out of thousands. Conman duped woman into paying him for furnace repairs he didn’t make. It began when the victim answered a knock on the door of her home.  “He comes to the door and said, ‘I’d like to see the heater,” .The elderly woman let him in and the suspect went down in the basement and stayed there for quite some time while she waited upstairs. When he came up, he said she owed over $7,000.  She told the man she didn’t have that kind of money on her, and he allegedly convinced her to approve a bank withdrawal for the amount.

I repeat: Print this out or email it to someone who needs to be reminded.

I feel like I need to take a shower with a Brillo pad.

Robert Siciliano personal and home security specialist to Home Security Source discussing scammers and thieves on The Big Idea with Donnie Deutsch.