“Capital One Fraud Case” texts are fake

Someone I know showed me a text message they had received the other day. The full text message was as follows:

URGENT: Capital One Fraud Case 240: Did you chrg $12.50 on 03/05 at 7-ELEVEN 29261 on card 5451? Yes, rply 000. No, rply 001. Std carrier chrges apply

My usual knee-jerk response is that it was fraudulent, probably an attempt to sign victims up for monthly charges on their mobile phone bills, but I wasn’t 100% sure because my acquaintance does, in fact, have a Capital One credit card. Furthermore, she doesn’t actively use her card, so any charges that did suddenly come through would likely be flagged as suspicious. And, just to make things more complicated, some people online (we did a search on the phrase “Capital One Fraud Case”) claim that these ARE legitimate text messages.

But here is where we find out that this text message is fraudulent:

  1. The last four digits of her card number are not 5451.
  2. I told her to log in to her account online and check the “Messages and Alerts.” There were none.
  3. I asked if she had ever added her mobile phone number to her account. She had not (the field was blank).
  4. There were no charges for $12.50 from anywhere.
  5. I called Capital One’s customer service and asked; if there were suspicious charges, they send emails or call, and there WOULD be an alert when you log in to your account online. “If you haven’t given us your cell number, we certainly wouldn’t be able to text you.”

So I’m calling this definitive: THESE TEXT MESSAGES ARE A SCAM. Most likely they’re trying to sign you up for a non-service that just charges your phone bill every month (that “Std carrier chrgs apply” portion of the message).

Now, the Capital One service rep made it sound like they might use text messages to contact their customers (I neglected to ask the question outright), but the evidence against this particular one is pretty overwhelming.

If you get a text message like this, no matter whom it appears to come from, DO NOT REPLY TO IT. You have to find out if it’s real before you act, with 100% certainty. Log in to your credit card account online and check whatever message/alert system they have in place, as well as recent charges. Look at the card number referenced in the text…does it match?

If you don’t use their online system, sign up for it, using an email you only use for bills and a very long password made of random letters, numbers and special characters.

Or, call their customer service line directly (use what’s on the card, on your bill, or look it up at the company’s website) and ask about charges on your card, as well as fraud alerts or any other relevant information.

Anthem Data Breach: Let the scams begin

News of the massive data breach at insurance giant Anthem Inc. isn’t even a week old, and already the phishing scams have begun.

Phone calls and emails are already circulating that claim to represent Anthem and offer free identity theft protection to victims of the breach. These calls and emails are not from Anthem, but scammers attempting to obtain personal and financial information.

Anthem has stated that they will contact customers affected by the breach by mail over the next couple weeks.

That means postal mail, friends. The kind that’s on paper and comes in an envelope, delivered by that person your dog completely freaks out at six time a week. The letters will give you information on identity theft protection, as well as the next steps you should take.

If someone calls you on the telephone, they’re not from Anthem.

If you get an email message, it’s not from Anthem.

If you get a text message, that’s not from Anthem, either.

If some weirdo shows up at your door, they’re not from Anthem.

Okay, I don’t really think that last one is going to happen, but you never know. I’m trying to me preemptive, here.

Watch your mailbox if you’re a former or current Anthem (or Wellpoint) customer. The old-school mailbox. Any other communications that claim to be from Anthem are fraudulent.

You can also get information online here.

Data breach at Anthem, and it’s a bad one

Yesterday, health insurance leviathan Anthem Inc. announced that its databases had been hacked, and “tens of millions” of current and past customers (including Wellpoint customers, Anthem’s predecessor) could be affected.

This one is much worse than any of the major retail breaches you’ve heard about, because this time the hackers took names, Social Security numbers, dates of birth and addresses.  In other words, this means identity theft.

The retail breaches were irritating, sure. Your debit card might suddenly stop working, or you’d notice a fraudulent charge on your statement and you’d have to wait a few days to get that reversed. The stores would sign you up for free identity theft protection, which didn’t really help because it doesn’t block fraud on card transactions anyway. But you’d end up with a new debit or credit card.

The thieves in the Anthem breach didn’t get any credit card, debit card or account numbers, but the information they did take is exactly the information required to create false identities.

This could be much worse than not being able to use one of your cards for a couple weeks.

Anthem says it will notify affected customers by mail if their information was one of the affected accounts. When they offer free identity theft protection, this will be the time to take them up on it.

If you get a letter saying yours was one of the affected accounts, I would also recommend placing an identity theft alert or security freeze with the big three credit bureaus (Experian, Transunion, Equifax).

Maybe it’s time for “security freeze” to be the default setting for everyone, all the time. What happens after the single year of protection Anthem will (most likely) provide runs out? It’s not like the people who will end up buying this stolen data can’t just wait it out until after the protection expires. Maybe Anthem owes all of its customers free lifetime protection. Words like “very sophisticated external cyber attack” imply that the breach was unpreventable, but was it? We don’t know, and we might not ever.

At any rate, if you’re a current or former Anthem (or Wellpoint) customer, watch your mailbox for notification that your information has been compromised.

Sources:

Beware of unsolicited offers

The phone rings. A caller identifies himself as representing a well-known and trusted local business. He’s calling to offer you a discount on their services.

“Hey, great, I need those services anyway,” you think, and agree to the offer and arrange for the work to take place.

And another scam is set in motion.

It’s been happening here in Northwest Indiana. A heating/cooling contractor from Illinois (with an F rating at the Better Business Bureau, maybe not-quite-incidentally) has  apparently been calling homeowners and claiming to be a well-known local business (with an A+ rating, also maybe not-quite-incidentally), with an offer for discounted duct cleaning. Workers show up, perform a shoddy duct-cleaning, then ask for more than the agreed-upon price.

So my fraud prevention tip today is this: be wary of unsolicited offers from local businesses. If you get a call, make sure to double-check with the actual business before you agree to anything. Use an official, published number from the real company’s website or trusted online source (or the phone book, if you didn’t just carry it directly from your front porch to the recycling bin) instead of the number that shows up on caller ID or the number given by the caller. If there’s a discrepancy, it could be a different (and unscrupulous) business posing as the real one.

Play Along at Home: Fake Target ‘Order Confirmation” Email

Here’s a picture of a fake “Order Confirmation” email I received recently. How many clues can you spot that indicate something is not quite right?

2014-12-08-spam-01

Here’s what comes up if you hover the mouse over the word “link”:

2014-12-08-spam-02

How many fraud indicators did you find?

Here are the ones I found:

  1. Very vague subject line: if this were an actual delivery confirmation, the subject line would usually refer to it in some way. It wouldn’t just say “Order Info.”
  2. The “From” information: support@yummy.cookiesmadeeasy.com is not a Target email address.
  3. The logo is wrong. No bullseye anywhere.
  4. “As Thanksgiving nears…” Thanksgiving was a couple weeks ago. Wrong holiday, dummies.
  5. The (attempted) conversational tone of the email: if you had an actual order to pick up, the email would begin with this information. Whichever holiday is approaching is absolutely irrelevant (for the store) to the fact that they’ve got merchandise they want you to pick up as soon as possible.
  6. The excruciatingly bad grammar. Go ahead, read it out loud. It’s beyond horrid.
  7. This isn’t even how in-store pickup orders work…the customer chooses which store to have their purchase shipped to, and that’s where it goes. That’s the only place it goes. You don’t just go to any random location because they don’t ship one to every single store when an order comes in.
  8. And what happens if I don’t “pick it” within four days? Again, not how online orders work.
  9. The stores aren’t called “Target.com.”
  10. When you get a real order confirmation email, the order information is almost always included in the message. You don’t have to click a link to get to it.
  11. Speaking of links: makingteamsrock.com? Not a Target website.
  12. “Always yours, Target.com.” Pretty sure they don’t refer to themselves as “Target.com.” Or use “Always yours” as a closing.
  13. Not one single item in the “privacy policy” line at the bottom is an actual link.

So, I found thirteen. Did you catch any that I didn’t?

Strong Passwords: They’re Not Just for Online Banking Anymore

I’ve talked about the importance of strong passwords many times before. You can find several articles with this site’s search feature, or you can just read this quick rundown:

  1. Short, single word or short-word-and-a-number passwords are bad
  2. Passwords like “123456” and “password” are very, very bad.
  3. Passwords that are over 16 characters and consist of garbled strings of letters, numbers and special characters are good (“*#&uE9efh09efIUN98E(Ubdf%%23r” for example)
  4. Never use the same password for more than one website, and use a password storage program like Lastpass to help you maintain your sanity

Whenever I bring up passwords, though, I’m almost always talking about things like online banking, social networks, email accounts, and other websites where your credentials need to be kept confidential. What I don’t often bring up are all the THINGS that are now Internet-enabled.

Things like thermostats, interior lights and security cameras. Hot tubs, televisions. Garage door openersrosie

The idea, of course, is to bring the vision of The Jetsons into the real world. We want to walk into a room and have the thermostat know we like it to be 73 degrees during the afternoon but 76 at night. We want to be able to check our security cameras from our phones while we’re on vacation. I personally want a black ’82 Trans Am with a self-aware cybernetic logic module (and a snarky sense of humor) that can jump over walls from a dead standstill, so I can go around punching out bad guys in tan leather jackets who have been poisoning horses or whatever.

But when your THINGS are connected to the Internet, you might face some new security and privacy issues. Many of these devices are pre-set with a default password (or have a username and password as an OPTION, in the case of older products), and if you don’t change the default (or set a password in the first place), anyone who knows the default password could manipulate them remotely. They could run up your utility bills or open your garage door from the other side of the globe. If your security cameras are remotely accessible and you don’t set a password, or leave it set to the default, someone could spy on you in your home. Or set up a website collecting hacked cameras from around the world so anyone on the Internet can watch.

So what applies to websites applies to your Internet-enabled appliances and other devices: use a good password for everything, and never leave a new device’s password set to the factory default (or neglect to set one up, if it’s optional). There are too many people who know how to access them.

Your card information has been stolen

Okay, so I can’t say for certain that you specifically have had your debit or credit card information stolen in a retail data breach.

But let me ask two questions:

  • Do you have a debit/credit card?
  • Do you ever use it to buy things in a store or restaurant?

If you answered YES to those, most likely one or more of your cards has been accessed during a data breach at some point.

If it hasn’t happened yet, it will. This is the world we live in right now.

Perhaps raising the stakes for retailers would help—I was not aware until recently that, for the most part, merchants bear none of the financial burden when their security practices lead to a massive data breach that exposes ten of millions of consumers’ card data to bad people. So they continue to allow single-authentication access to their point-of-sale machines, continue to use “password1″ and “abc123″ as their access codes, continue to just leave things as they are, because there is no reason not to.

So who pays for your replacement card? Who reimburses you for those fraudulent charges? Your bank or credit union do.

And then you pay for them, because this is a hard-and-fast rule of financial institutions: when they lose money, they will try to recover it from another source. So maybe a loan rate creeps up by a twentieth of a point, or a fee that used to be $2 is now $2.50. These may be tiny changes, but they still represent money you could have kept in your pocket.

Of course, financial institutions can be hacked, too. It happens. And those institutions pay for card reissue and reimbursement when it does. But it’s so much easier to mount a point-of-sale hack. Data breaches wouldn’t be such a common problem if it was too difficult—despite the word “hacker,” these criminals are not geniuses. There are too many of them.

The Credit Union National Association (CUNA) has mounted a campaign called “Stop the Data Breaches.” It’s worth a look.

Shouldn’t retailers bear some responsibility for data security, with as much consumer data as they handle every second?

It seems fair.

The IRS doesn’t tell you to load up MoneyPak cards

Today’s post is real simple:

If you get a phone call from someone claiming to represent the IRS, informing you of all the trouble you’re in due to unpaid taxes, you are almost definitely dealing with a scammer.

If the next thing they tell you is “don’t tell anyone” and “go load up a bunch of MoneyPak cards and call me back and give me the card information,” you are DEFINITELY, without any shadow of a doubt, dealing with a scammer.

The correct response is to hang up the phone. This latest round of IRS telephone scams appears to involve particularly aggressive callers, but remember: it’s just a voice on a phone. They can’t freeze your assets or confiscate your property because they’re not the IRS.

You can report the fraud at http://www.treasury.gov/tigta/ if you feel like it, but the main thing is: hang up the phone.

Source:

http://www.ic3.gov/media/2014/140925.aspx

What can consumers do about data breaches?

Home Depot, come on down. You are the next contestant on The Security Is Not Right!

Okay, so maybe that’s not confirmed just yet, and Home Depot is staying sort of quiet because they don’t want everybody to stop buying things from them, but Krebs has a pretty good hunch, and his hunches usually turn out to be right. Like Dumbledore.

But even if it turns out the breach was from somewhere else, it still leaves a question hanging in the air: what do we, as consumers, do about point-of-sale data breaches?

The first step is to not freak out about identity theft. I’ve always maintained this distinction, and it’s very relevant here: the theft of debit or credit card information is NOT the same thing as identity theft.

With your card credentials, thieves can make fraudulent charges (at least until your card processor realizes what’s going on and blocks transactions). Without your Social Security number and date of birth, they’re not going to be able to open new accounts or any of the other actions associated with identity theft.

[Optional Cynical Rant: This also goes to show something about the corporations hit by these data breaches: when they so-magnanimously promise they’re going to give all their customers “twelve months of FREE identity theft protection” against any identity theft that results from the data breach, they already know they won’t have to deliver anything, because nobody is going to have their identity stolen with just a card number, expiration date, security code and their name. You can’t commit identity theft with only those details.]

Okay, so you’re not freaking out about identity theft, but you’re still freaking out about the possibility of fraudulent charges. You have my permission to do so. Fraudulent charges are, at best, still a major irritant that can cause you to be late paying bills and other hassles. You don’t want them to happen at all if you can help it.

You could stop paying with cards altogether, sure. Start carrying cash for every single transaction. Like grampaw done. But remember that cash has its own set of disadvantages. If you lose it, it’s gone. If someone steals it, it’s gone. You can’t buy anything online with it. You can’t buy anything on credit with it. Heck, it’s dirty.

So if that’s not your favorite option, what’s left?

Being vigilant.

(Like I’ve been saying for years.)

First, don’t give your information to someone just because they ask, whether in person, by telephone, email, text message, instant message, semaphore, telegraph or cave painting. That’s RULE ONE for the prevention of all forms of fraud.

Second, for every card you have, credit or debit, have online access and check it regularly. Your debit cards are issued by your credit union or bank—they will be happy to set you with online banking. Use a good password, follow RULE ONE, and check your accounts regularly. Sometimes they will catch fraud first, sometimes you will.

If you’ve shopped at a store that has its customers’ data compromised, look through your account history online and make note of when you used your card at that retailer, and be extra-watchful.

Third, be prepared if you’ve used a card at a retailer that was compromised. Have another form of payment handy, because if your card issuer detects possible fraud, they will probably deactivate the affected card immediately. If they don’t have a chance to notify you, and you’re already trying to make a purchase with that card, your transaction could be declined. And if you were trying to buy something important (like, I dunno….GAS) you could end up stranded (or at least white-knuckling it while you drive home on fumes…I’m not going to confirm whether I speak from harrowing personal experience or not).

Don’t freak out, follow RULE ONE, be vigilant and be prepared. That’s what you can do about data breaches as a consumer.

Further reading/sources:

Stay vigilant.