Utility Scams are an Ongoing Threat

It’s been a while since I brought up Utility Scams, so now is as good a time as any for a quick recap.

Utility Scams are an example of a distraction scam, and they generally target seniors. These scammers generally work in pairs. One will knock on the door and claim to work for the local utility company. He will claim they are testing something, or fixing something, or there’s some kind of urgent situation that requires the resident to allow him inside the house to do something with the circuit breaker.

While the homeowner is busy with this person in the basement, his partner will enter the home and look around for cash, jewelry or other valuables to steal. After a few minutes of pretending to work on something, the first person will claim the job is done and leave. By the time the resident notices the robbery, the scammers are long gone.

Your utility company should always contact you in advance if there really is an issue that requires someone to enter your house. However, such scenarios are extremely unusual. If someone appears at your door claiming to represent a utility, politely ask to see an ID badge. Regardless of the response, ask them to wait a moment. Close the door and lock it, make sure any other doors are locked, and call the utility company directly if you’re still unsure, or call the police if you’ve got a bad feeling. Do not simply let a stranger into your house on his word.

It’s also not a good idea to let on that you think this person is trying to commit a crime. This is an in-person scam, and it carries risks that aren’t really present with a scam phone call from the other side of the globe. They might just run, but they might not. It’s better to pretend to play along. Most likely they’ll take off as soon as you close the door—the point of most scams is to get in and out quickly. Standing around on someone’s porch in broad daylight for more than a couple seconds isn’t going to appeal to someone who doesn’t want to be seen.

Another Perspective on Passwords

The standard advice for creating passwords has long been this: use a long string of completely random letters (upper- and lowercase), numbers and special symbols. Make it so long and complex that nobody is able to guess (or remember) it, and it would take a computer billions of years to crack.

But recently a different perspective has emerged: what if those passwords were still long enough to foil a brute-force, script-based hacking attempt for long enough to make the attempt non-worthwhile, but made of words you might actually be able to recall without logging into your password manager app or plugin? What if you used something like a string of four random words?

Let’s look into a few options. I’ll be using the website How Secure Is My Password? to compare. Results on the site are given in the form of “It would take a computer about [length of time] to crack your password” (or “Your password would be cracked INSTANTLY” if you put in a real clunker like “abc123” or “password”). The results from this site are simply an estimate (not a guarantee), but it is useful in determining whether a password is lousy, decent, or excellent.

First, an example of the old random-string-of-characters method:

84xNMat88xy4TkVTE^5!UQty: 1 OCTILLION YEARS

Yeah. That is an unfathomably long time. Written out, that’s 1,000,000,000,000,000,000 years. If the universe is 13.82 billion years old, it would take a computer almost 72.5 million TIMES that long to crack your password.

In other words, that’s a very strong password. But now try to memorize it.

Now let’s try a string of four random words (“wheel,” “grout,” “oyster” and “button”), no spaces, all lowercase:

wheelgroutoysterbutton: 11 TRILLION YEARS

Now, technically, that’s not as secure as 1 octillion years. But on a practical level, we’re still in “might as well be forever” territory. You’re going to be pretty well-protected against a script-based hacking attempt.

What if we add a number, or a number and a symbol, or capitalized the words, or added dashes or spaces (not all online accounts allow this) between the words?

wheelgroutoysterbutton7: 494 QUADRILLION YEARS
wheelgroutoysterbutton7%: 76 SEXTILLION YEARS
WheelGroutOysterButton: 45 QUINTILLION YEARS
wheel-grout-oyster-button: 17 SEXTILLION YEARS
wheel grout oyster button: 169 SEXTILLION YEARS

They’re all fine options, and you’ve actually got a fighting chance of remembering them if needed, and an even better chance of actually typing them correctly if your password manager app/plugin isn’t available (or playing nice with a website, which does happen).

So it’s really a matter of what you’re comfortable with and what the website you’re using requires (some force you to use at least one uppercase letter, number and symbol).
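To make the comparison above concrete, here is an added example (my own Python, not code from the post or from the How Secure Is My Password? site) that estimates the guessing work for the same candidates under two attacker models: a character-level brute force, which is roughly what online crack-time estimators assume, and a word-aware attack in which the guesser knows the password is built from words on a published list. The guessing rate (1e11 guesses per second, an offline attack on a fast hash), the 7776-entry word list size, and the `extra_choices` counts for separators and suffixes are all assumptions of the example, not figures from the post.

```python
"""Added example: estimate password search space under two attacker models."""
import math
import string

# Assumption: 1e11 guesses/second models an offline attack on a fast, unsalted
# hash. Online logins are rate-limited and orders of magnitude slower.
GUESSES_PER_SECOND = 1e11
SECONDS_PER_YEAR = 365.25 * 24 * 3600
# Assumption: a Diceware-sized list of 7776 words.
WORDLIST_SIZE = 7776
SYMBOLS = set(string.punctuation) | {" "}  # 32 punctuation marks plus space


def charset_size(password: str) -> int:
    """Alphabet size an attacker must cover, summed over the classes present."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in SYMBOLS for c in password):
        size += len(SYMBOLS)
    return size


def brute_force_bits(password: str) -> float:
    """Bits of work for a character-level brute force of this length/charset."""
    return len(password) * math.log2(charset_size(password))


def passphrase_bits(num_words: int, extra_choices: int = 1,
                    wordlist_size: int = WORDLIST_SIZE) -> float:
    """Bits of work if the attacker guesses whole words from a list.

    extra_choices is the number of separator/suffix variants the attacker
    must also try per word combination; log2 of that count is all the
    decoration adds in this model.
    """
    return num_words * math.log2(wordlist_size) + math.log2(extra_choices)


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate in a space of 2**bits guesses."""
    return (2.0 ** bits) / rate / SECONDS_PER_YEAR


def compare(password: str, num_words: int, extra_choices: int = 1) -> dict:
    """Both models side by side for one candidate; 'weakest_bits' is what counts."""
    bf = brute_force_bits(password)
    wl = passphrase_bits(num_words, extra_choices)
    return {
        "password": password,
        "brute_force_bits": round(bf, 1),
        "brute_force_years": years_to_exhaust(bf),
        "wordlist_bits": round(wl, 1),
        "wordlist_years": years_to_exhaust(wl),
        "weakest_bits": round(min(bf, wl), 1),
    }


# The post's candidates. extra_choices is a constructed guess at how many
# separator/suffix variants a word-aware attacker would enumerate.
CANDIDATES = [
    ("wheelgroutoysterbutton", 4, 1),
    ("wheelgroutoysterbutton7", 4, 10),        # one trailing digit: 10 options
    ("wheelgroutoysterbutton7%", 4, 10 * 33),  # trailing digit plus one symbol
    ("WheelGroutOysterButton", 4, 2),          # all-lowercase vs Title Case
    ("wheel-grout-oyster-button", 4, 4),       # none/space/dash/underscore
]

if __name__ == "__main__":
    for pw, n, extra in CANDIDATES:
        r = compare(pw, n, extra)
        print(f"{r['password']:<28} brute-force {r['brute_force_bits']:>6} bits "
              f"({r['brute_force_years']:.3g} yr)  word-list {r['wordlist_bits']:>5} "
              f"bits ({r['wordlist_years']:.3g} yr)")
    # The random 24-character string has no word structure, so only the
    # brute-force model applies to it.
    rnd = "84xNMat88xy4TkVTE^5!UQty"
    print(f"{rnd:<28} brute-force {brute_force_bits(rnd):.1f} bits "
          f"({years_to_exhaust(brute_force_bits(rnd)):.3g} yr)")
```

Running it shows why the estimator's numbers and a careful attacker's numbers differ: the 22 lowercase letters of wheelgroutoysterbutton are about 103 bits against a character brute force, but only about 52 bits if the attacker guesses four words from a 7776-word list, which at the assumed offline rate is hours rather than trillions of years. The practical lessons are the ones the post's caveats point to: choose words at random from a large list, add a fifth or sixth word rather than relying on a digit or a dash for strength, and remember that the offline rate only applies if a site stores passwords with a fast hash and then loses them in a breach.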

However, bear in mind that this type of brute force hacking is probably not even remotely the biggest threat to your online accounts. It doesn’t matter HOW many octillion years it would take a computer to guess your password if you fall for a phishing email and type it into a compromised website, or if the company that owns the website keeps its list of logins and passwords in a plain-text file and experiences a data breach.

Your best practice, regardless of the type of passwords you use, is to regularly change them, avoid reusing them across different sites, and to know how to recognize a phishing attempt.

Scams That Target College Students

I may be biased here, but I can’t be the only one who thinks a couple hours of “How To Recognize a Scam” training every year would be of great benefit to high school students. Of course, such an undertaking is easier proposed than implemented, but it seems like an important life skill that needs to be touched on at some point.

There are a variety of scams that prey upon current and incoming college students. Here is a brief rundown of a few common ones.

Federal Student Tax Scam

This scam begins with a phone call that may use caller ID spoofing to look like it came from the IRS. The caller will inform the recipient that they haven’t paid their “Federal Student Tax” and will face dire consequences if the tax is not paid immediately. The caller will demand payment via wire transfer or prepaid cards (iTunes, Green Dot, etc.).

Of course, there is no such thing as a “Federal Student Tax,” and the IRS doesn’t call you on the phone about unpaid taxes anyway. Plus, even if you do owe back taxes, it’s impossible to pay them via wire transfer or prepaid cards.

Unpaid Tuition Scam

Another telephone-based scam, this one appears to come from the college admissions office and claims that tuition has not been paid and the student will be un-enrolled if payment is not made immediately via credit card, wire transfer, or other unusual method. A variation of this scam impersonates an FBI agent and claims that the student will be arrested if the bill isn’t paid right away.

If you really have not paid your tuition, they’re not going to call you on the phone and insist that you pay immediately, especially with a credit card or wire transfer (and especially especially with an iTunes card). Your college probably doesn’t take credit card payments over the phone. You should also never reveal personal information to someone who contacted you out of the blue; if you’re truly convinced the call might be legitimate, hang up and contact the admissions office directly. Also, the FBI doesn’t get involved in matters of late college tuition payments.

Advance Fee Scams

College students are often bombarded with alleged opportunities for student loans, scholarships, financial aid and jobs. Some of these are perfectly legitimate, but many are not. There are a lot of individuals and companies charging fees for things you can do on your own for free, such as filing FAFSA paperwork or filling out job applications. Some won’t even provide the service claimed, they just want your banking information to set up a recurring charge.

Never trust an offer of “just give us the money and we’ll do the rest,” and remember that legitimate scholarships are never “guaranteed” (and they usually have requirements beyond you having a pulse).

Greed and Fraud

A few weeks ago, I posted an article about the relationship between fear and fraud. Basically, if someone is trying to make you afraid, then asking for money or personal information, it is very likely that they are trying to steal from you.

There is another emotion that scammers will often prey upon: greed. That all-too-human desire to get something for nothing, and to be the one with the most.

The most obvious example I can think of is the old Lottery Scam. By stoking greed with the promise of vast, out-of-nowhere riches, the perpetrators of this scam hope you won’t notice how suspicious the hoops they’re asking you to jump through are. The promise of millions of dollars is misdirection; while you’ve got your eyes on the prize, you might not remember how unwise it is to wire a few thousand dollars to a stranger, or that “cash this check and wire the money back to me” is a weird request to begin with.

Other examples include the Car Wrap Advertising scam, the Pigeon Drop scheme (“I found money, let’s share it!”), and of course the old Nigerian 419 scam (“I’m an exiled prince; help me retrieve my fortune and I’ll share it with you,” which at this point isn’t even a “classic” scam; it’s positively an antique).

It’s the same tip as with fear: if someone is trying to spark greed, then asking for money and/or personal information, they are trying to scam you.

Avoiding Vacation Rental Scams

So you’ve found the perfect vacation rental for an amazingly low price. You contact the owner of the property and, unbelievably, the price shown on Craigslist is correct and the unit is available for the dates you need. The owner was a bit hard to reach, but he travels all over the world for business (and of course he does—who else but a successful international businessperson could afford such a house in such a location to begin with?).

Payment is arranged by wire transfer (a little unusual, you think, but again—world traveler business type, right? He probably has reasons for his preferences, and they’ve obviously served him well, right?).

You make your payment and pack for your vacation, still not quite believing the deal you’re getting. Oceanfront! And that pool…

You arrive at the property on a Sunday morning and are delighted to find it looks even better than the pictures. You ring the doorbell to be greeted by…the permanent residents of the house, who aren’t renting it out to anyone, and who are wondering why there are a bunch of weird people with suitcases at their front door.

You’ve been taken in by a classic vacation rental scam, and good luck getting your money (that you wired to a stranger) back. What could you have done differently?

First, you could have been more wary of a price that’s too good to be true. There’s no real reason for the owner of a rental property in an extremely popular location to offer a huge discount as long as that demand exists.

Now, I’m not a huge fan of Craigslist for finding vacation rentals, but I’m also not a huge fan of Craigslist in the first place due to the overall potential for fraud. I’m sure there are plenty of legitimate rental listings. However, Craigslist should not be the only place the property is listed. Check vacation rental websites in the area and make sure the property is represented elsewhere as available.

The owner being hard to reach or unresponsive is a red flag. If the entire conversation takes place via email, that’s also suspect. There should always be a phone number with a name attached to it that you can verify with a search. A legitimate business should want to be easy to find and reach. If you find yourself leaving a message every single time you call, that can be another sign of trouble.

Finally, the unusual payment method is a warning that something is not right. You should never wire money to a stranger for any reason. Some rental scammers request that you purchase gift cards and pay by relaying the card information to them. Don’t do it. You want a payment method that leaves a paper trail and has some fraud protection, and you want a buffer between the transaction and your deposit (checking/savings) account. In other words, if you can’t pay with a credit card, look elsewhere.

Sign Up for Activity Alerts Everywhere You Can

Receiving and paying your bills online instead of through postal mail is a good idea. It’s not only convenient, but it also helps fight identity theft and other types of fraud (the fewer pieces of paper floating around in the world with your personal information on them, the better).

But your financial accounts may offer online features you’re not taking advantage of just yet. Most credit card providers and deposit institutions (i.e. credit unions and banks) that offer online access also offer alerts that let you know when activity has occurred on your account. Alerts can be an important tool in detecting unusual transactions or changes as early as possible.

Every financial provider is different, but many will offer alerts for new charges or withdrawals. Other options may include notifications for a change of address, phone number, email address or other contact information. Remember that identity thieves will sometimes attempt to change these details in an existing account in order to hide their activities from the victim. If you get an alert that your address has been changed (and you’re not the one who did it), it’s time to contact that institution and report the suspicious activity.

Fear and Fraud

Humans are emotional animals. No matter how advanced our technologies or societies become, no matter how objective or logical we believe we are, primal emotions can still affect our behavior, and when someone manipulates those feelings into a heightened state, we find ourselves at risk of making mistakes.

Many types of fraud work by stoking one of our most basic emotions: fear. The assumption goes: if you can make someone afraid, they’ll believe anything you say, even if it makes no logical sense.

Here is a list of several common scams and how they use fear to trick victims into handing over money or personal information:

  • Phishing: uses the fear of losing access to money (“your debit card has been deactivated”) to trick victims into visiting a website that harvests personal information
  • Medicare scam: uses fear of losing access to health care to convince victims to reveal personal information
  • Tech Support scam: uses fear of malicious software to trick victims into handing over control of their computer
  • IRS scam: uses fear of imprisonment to get victims to load prepaid gift cards, then pass along the card information to the scammer
  • Missed Jury Duty scam: uses fear of imprisonment to obtain credit or debit card information
  • Grandparent scam: uses fear of loved ones’ safety to lure victims into wiring money or loading prepaid cards with cash
  • Lottery scam: mostly appeals to greed (another primal emotion), but also stokes fear of missing out on a once-in-a-lifetime opportunity to trick victims into falling for a counterfeit check scheme
  • Ransomware: uses fear of losing access to important files to extort payments from victims

In other words, a lot of scams operate by inciting fear.

The key is to understand that the use of fear is an extremely common (if not the most common) tactic, and to be able to recognize when someone is trying to make you afraid. This requires a certain amount of self-awareness, and I’m not really sure how one goes about developing that, other than to just slow down and take a moment whenever a stranger is presenting you with alarming information, instead of reacting immediately.

Unless they’re shouting “duck!”

$500/week to wrap your car in ads? Better think again.

I still haven’t encountered anything that contradicts this fraud prevention axiom:

“Cash this check then wire the money back to me” is a sure sign of a scam.

It’s a fairly easy pattern to spot when it comes to things like lottery scams, because the scammers almost literally use that exact wording. But there are other times where the “wire the money back to me” stage is a little more obscure.

One such case is the Car Wrap Advertising Scam. Below is a scan of an actual letter used to initiate this scheme after the would-be victim responded to a random email or text message offer. This letter came with a cashier’s check for $2,390.00:

In this case, they’re not directly saying “wire the money back to me,” but they are telling you to give it to someone else, in the form of setting up a payment to a “Decal Specialist.”

What happens when you contact this person? You’re instructed to wire the money from the check, which will eventually be returned as fraudulent, putting you on the hook for the cash you gave away. It’s the same pattern as a lottery scam, only with an additional step in between.

One reason this scam continues to work is that there are actual wrapped cars out there. We’ve all seen them. However, even in cases where these aren’t company-owned vehicles, legitimate car wrap advertisers share certain features:

  • They don’t randomly contact you out of the blue via text message or email
  • They don’t take everyone who applies; they’ll want to know how far you drive each day, where you drive, what kind of car you have, and your driving record
  • They’re not going to pay you $500 per week. About $1,000 per month seems to be the ceiling, and that’s for absolute ideal (for the advertiser) circumstances (i.e. you drive hundreds of miles per day in an area extremely densely-populated with people within the ad’s target demographic; I’m guessing your car has to meet certain visibility criteria as well, because I’ve mostly seen these ad wraps on lifted, customized 4×4 pickups)
  • You don’t pay them at any point, and you’re not responsible for passing along money to whomever applies the decals (“Hey stranger we’ve never met in person, here’s a few thousand dollars to give to someone else for us. We’ll just trust you to not keep it.”)

If you’re truly interested in turning your vehicle into a billboard, there are a few links to apparently legitimate agencies in this Penny Hoarder article. But before you act on anything online, be sure to do a lot of research first, and always get in writing what you are agreeing to do and how you will be compensated. If it’s too easy to get the gig, it’s probably a fraudulent offer.

What is ‘Brushing?’

In theory, getting free stuff sounds great. But what if it’s stuff you don’t particularly need or want, and it just keeps coming?

A new scam called “brushing” involves exactly that. Reports are growing of people receiving shipments from Amazon of items they didn’t order, sometimes the same item over and over, with no real mechanism available to stop the unwanted deliveries.

What exactly are they up to?

Shady sellers are creating fake Amazon accounts, then buying their own products and shipping them to random addresses. They then post five-star reviews of their own products. Since the system shows the item was actually bought by the reviewer, this review appears as a “Verified Purchase,” which makes the review more prominent, and the great average customer rating boosts the item’s rank in Amazon’s search function. The ultimate goal is to sell sub-par products to consumers tricked by the high average product rating.

What should you do if unordered shipments start showing up?

First, contact Amazon to let them know you’re getting them. Amazon will attempt to figure out who is behind the scam and delete the seller.

For the most part, Amazon has been telling people to either keep, donate or discard the actual items shipped. That part is up to you.

So far it doesn’t appear that the people receiving the shipments have had their accounts compromised. However, if you start getting things you didn’t order, go ahead and change your Amazon password (which you should do now and then anyway). The addresses used for shipping seem to be chosen at random, though there may be a link to previous purchases from overseas sellers using the Amazon platform. When you’re shopping on Amazon, pay attention to the “sold by,” “fulfilled by” and “ships from” information, and favor domestic sellers (or Amazon itself) and orders that are fulfilled by Amazon.

Fakespot.com is a good resource for checking out products on Amazon for fake reviews (it also works with Yelp, TripAdvisor and the Apple App Store). It’s not foolproof, but it can at least give some insight as to how trustworthy an item’s reviews are. All you have to do is paste the URL of the Amazon item into Fakespot, and it will give a letter grade and a percentage of high-quality reviews as determined by the site’s algorithm. Anything with less than 80% high-quality reviews, I would avoid. Pay attention to the negative reviews, too, to see what customers who didn’t like the product are saying. If fewer people buy items with tons of fake five-star reviews, the motivation for the brushing scam might dry up a little.

Spear phishing

The standard-issue phishing attack relies on sheer numbers as the key to its success; by sending tens of millions of emails, the chances of hooking a few thousand victims are pretty good, regardless of how sophisticated the message itself is.

But there is another type of phishing attack, known as spear phishing, which exchanges quantity for quality, by using insider information to target businesses. Spear phishing attacks are smaller in scale but arguably more effective than their poorly-spelled, randomly-selected cousins.

In a spear phishing attack, you might get a message at your job that appears to come from someone you work with, often a member of management or from another department. This message may request information about financial accounts, login and password information, ask you to open a file or link, or ask that you authorize a wire transfer from your employer’s account. If you comply with these directions, you will make your company vulnerable to financial or data loss.

Most established businesses have a website that reveals the names of management, the board of directors, and people from various departments, which gives would-be cybercriminals the information they need to impersonate an insider.

Communication is the key to preventing spear phishing attacks. Think about any request received via email – is this how the head of the IT department or the CEO really talks? Why are they sending you a file out of the blue? Is it your job to initiate wire transfers? The best defense is to simply confirm with the apparent sender if the message is legitimate or not. Spear phishing attacks use some of the same techniques as regular phishing emails, such as disguised links or infected file attachments. It pays to double-check before you take any action.

Stay vigilant.