Prevent tax identity theft with an Identity Protection PIN

I’ve written plenty of times about not opening emails that appear to come from the IRS (because of malware and/or phishing), but there is another type of crime that ramps up during tax season: tax identity theft.

Basically, it works like this: an identity thief already has your information, files a fake tax return in your name (from which a large refund will be due), then has the money directly deposited into an account controlled by the thief.

Most people’s first warning sign is when the IRS rejects their actual tax return because, according to their records, they already submitted one.

One step you can take to prevent this form of identity theft is to get an Identity Protection PIN from the IRS. You’ll have to use this PIN any time you file taxes (it’s not the same as your e-file signature PIN). The IRS will send you a new one every December or early January. Once you’re signed up, you’ll have to use a PIN every year to file your taxes, and you can’t opt out.

I can’t find any information about how long it actually takes to get your PIN from the IRS. If you’re ready to file your taxes now, or if April 15th is approaching (depending on when you read this), it might be better to wait until after you’ve filed this year’s return.

For more information, and to request a PIN, visit the official IRS page at https://www.irs.gov/Individuals/Get-An-Identity-Protection-PIN

An example of the exact type of email you should NOT open

Here’s a screenshot of something that appeared in my inbox recently:

2015-12-21-spam

I spend a lot of time trying to describe the kinds of emails you should avoid, but this one illustrates those concepts perfectly. Let’s look at a few warning signs:

  1. The message wasn’t expected (I’m not a USAA member, but even if I was, this isn’t a usual email)
  2. The subject line is intended to provoke a fear reaction
  3. The subject line is kind of weird, grammatically; are they saying that a “New Document” has been prevented? If “Due to Suspicious Sign-in” modifies the subject of the sentence, which in this case is “New Document,” then…okay, you get it;  it just reads weird.
  4. There is a file attached (the little paperclip icon)

What is supposed to happen with this kind of email is that the victim sees “Suspicious Sign-in” and immediately opens the message, which is most likely blank or contains instructions to open the attached file. Once the victim does that, some form of malicious software, anything from spyware to ransomware, will be installed on their computer.

What actually happens, when the recipient knows some of the warning signs, is that the message is immediately deleted and causes no harm.

Also note that this message slipped past some pretty burly anti-spam and anti-malware software. Those tools are important, but sometimes a dangerous email still makes it through. Stay vigilant!

Stop calling back every number in your “missed calls” list

Today, I received a phone call from a stranger who demanded to know who I was. No greeting, just “who’s this?”

I declined to answer (because we don’t give out ANY personal information to people who call us, right, class?), instead telling them that it seemed they had the wrong number. This person then insisted that I had called them, and they wanted to know why.

“I didn’t call you. I haven’t called anyone today,” I replied. (I wasn’t even stretching the truth for emphasis—other than a couple text messages and posting something about Beethoven’s birthday [Happy 245th, Viggy!] on a social media account, I had not used my phone for communication purposes all day. I still haven’t, actually.)

“It says you called me,” they said.

“Maybe there’s a mistake,” I offered. I have an incredibly easy-to-mis-dial mobile number, and I figured someone had called them from one of the several same-digits-in-same-order-but-different-quantity-of-each phone numbers that exist.

They just hung up, because of course they did. Hopefully this person had simply mis-dialed and realized their mistake.

But there is a more sinister possibility, here: scam callers almost always use fake caller ID. There is a possibility that my number was the one they happened to use for a round of scam calls; this caller did share both the area code and interchange with my number.

Now, if that was what happened in this case, the damage is limited. They called the spoofed phone number back, which happened to be mine. I explained that I didn’t make any calls, they got angry and hung up, I blocked their number (just in case, and also because I was a little annoyed as well).

But what if a scam call had been placed using a number that was attached to a phone number owned by the perpetrators? This person might have, in going through their list of missed calls, run straight into a trap designed to steal money, personal information, or both.

I wasn’t aware of this until recently, but it appears that a lot of people look at their “missed calls” list every day, and call back every single number. Because of the very real possibility of running headlong into fraud, I cannot recommend against this activity strongly enough.

If someone is truly calling for a legitimate, important reason, they will leave a message or call back later. There is no good reason to try to find out what’s on the other end of every single random phone number that attempts to reach you every day. A lot of those calls are going to be from people you do not want in your life.

(Some of the numbers you do recognize may be, too, but that’s outside the scope of this article…)

Security freeze information for Indiana residents

The Indiana Attorney General’s office has information about security freezes, which are free for residents of Indiana (and some other states—you’ll have to check your own state’s laws if you don’t live here).

You can download the information here, or visit the Indiana Consumer website. I’ll put a link on the Fraud Prevention Resources page as well.

A security freeze (or credit freeze) prevents new lines of credit from being opened in your name, even if an identity thief has your Social Security number and other information, by adding an extra step to the credit application process.

T’is the season

This time of year, a lot of people are thinking about ways to help those who are less fortunate.

Some like to volunteer directly, others donate goods, and many like to give money to charitable organizations.

If you fall into that last category, this is your annual reminder: always look into a charity before you give them money. There are people out there who take advantage of others’ goodwill, and sometimes they set up elaborate schemes to siphon funds meant for other purposes.

If you’re unfamiliar with an organization, one of the best places to start is Charity Navigator.  There you can find out how much of a charity’s income it actually spends on its programs, how much it spends on fundraising, and more. Quick tip: if it spends 3% on programs and over 85% on fundraising, pass on making a contribution. All charities have some operating expenses, but that’s just beyond the pale.

I’m leery of charities that make cold calls. I used to get one all the time from an alleged charity that had something to do with police officers. I forget which one, so I won’t try to guess, but I recall the people on the phone would routinely imply that they themselves were actual officers. They weren’t. I never donated a cent because the whole operation sounded shady to me. Later I found out their operating expenses, including fundraising, executive salaries and administrative costs, took up something like 98% of their income. The other 2% went to whatever the charity claimed to do (they were vague about this as well). Maybe there are good charities that make cold calls, but I’ve never been contacted by one, so make sure you check them out before you donate a dime.

I believe the best way to avoid charity scams is to decide in advance who is getting your donations each year, and contact the organization(s) yourself. Pick your favorites, find out how to get in touch, and give whatever you are able.

They’ll be thrilled to take that call. I guarantee it.

Nigerian 419 email scams live on

I saw this one just today. It’s a doozy:

From: The Desk Of Mr. James Dike
Reference: GTBank Plc.
Address: 402, Lagos-Abeokuta Expressway, Abule-Egba, Lagos State, Nigeria.

Attention: $10.5M ATM Fund Beneficiary,

I am Mr. James Dike, the new appointed ATM Head of Operation Department Guaranty Trust Bank Nigeria PLC, I resumed to this office on the 1st of this month and For your information i have been empowered and instructed by the new elected President Federal Republic of Nigeria Gen. Muhammadu Buhari to pay all outstanding debt payment to the rightful beneficiaries and summit my payment report to his office with immediate effect and any payment that is not paid before the end of this month will be cancelled and the fund will be returned to the Federal Reserve Oil Account.

So, during my official research last week I discovered an abandoned ATM Master card valued sum of $10.5Million with card number 5321452123409380 belonging to you as the rightfully intimate beneficiary. I tried to know why this card have not been released to you but I was told that the formal ATM head of operation who left this office two months ago withhold your card for his own personal use without knowing that I will not approve or support him to take your card.

Now that your ATM Master card is still available for you to pick it up here in our bank. I want to know how you wish to receive your ATM card along with your four digits pin code number. You can come down here in our bank to pick up your card direct from my office or alternatively it can be send to your address through any registered reliable courier service company that you will take care of the courier charge. I don’t know the cost of shipping the card to you but if you permit me I can make an inquiry from the courier shipment company to find out the cost, but in that case you will be required to forward to me your shipment address to enable me find out the shipment cost to your location.

Your direct telephone number and address will be needed and more details of your ATM Master card payment will be made known to you as soon as I receive your swift positive response, to enable you know the amount programmed for your ATM Master Card daily withdrawal.I will send your ATM master card information including your Card Pin Code as soon as you declare your choice of receiving your ATM card so as to enable you receive your card and start making use of it to withdraw at any ATM card machine all over the world as programmed.

Do not hesitate to call me on +234 802-850-0459 as soon as you read this mail.

Thanks for your co-operation.

Yours Faithfully,
Mr. James Dike
ATM Head of Operation Department
Guaranty Trust Bank Nigeria Plc.
Tel: +234 802-850-0459.

A lot of us have become jaded when it comes to the old Nigerian 419 scam. Even though this one takes a different angle and doesn’t mention an exiled prince, for many of us, it’s easy to see through. We probably wouldn’t even read it…”$10.5M” in the subject line would be enough to trigger our “delete” reflex.

But somebody still falls for it. If they didn’t, these emails wouldn’t happen anymore. So while you may have become almost flippant about the Nigerian 419 scam, remember that there are still people who haven’t heard about it yet. If someone you know starts talking about an impending payout from a mysterious source, or mentions their plans to wire money overseas, it might be time to educate him or her.

Free Disney Vacation Scam Alert

If you haven’t already, at some point very soon you are going to see this image on Facebook:

2015-07-17-disney-scam

The hook is this: like the photo, share it, then visit a website to enter a contest for a free Disney World vacation.

Here’s the problem: the Facebook page this image resides on is NOT the official Disney World page. It is an impostor designed to trick users into liking the page. Once enough people have done so, the page content will be changed to push other scams into the news feeds of the people who liked the Disney page.

Now, why am I such a downer? Why am I trying so hard to make people sad? How do I know it’s a fake Disney page?

Well, look at this screenshot for a moment (click to see it full-size):

2015-07-17-disney-scam-02

Do you see what it says next to the profile picture? I’ll zoom in a little so you can read it better (click for full size):

2015-07-17-disney-scam-02a

It says “Walt Disney-World.”.

Notice the dash.

Notice the period.

Notice the category: “Transport/Freight.”

Notice the lack of the blue “Verified Page” checkmark next to the name.

Do you think for one moment that a company the size of Disney would have ITS OWN NAME written incorrectly on its own Facebook page? Look at any official Disney website or product. Do you see “Walt Disney-World.” anywhere?

Do you see Walt Disney World train cars and semi trailers all over America’s railroad tracks and roadways, delivering jars of pickle relish and car parts and textiles? No? That’s because Disney World is a theme park, not a transportation and freight business.

Do you believe Disney World’s official Facebook page would have 20,000 likes (as of today) and ONE lousy post? And no link to the official Disney World website?

These, and a dozen other points, are your free ticket to knowing that this Facebook page and offer are a scam.

Go look at Walt Disney World’s official Facebook page. Notice:

  • 14 million likes
  • The name is correctly punctuated (which is to say there is NO punctuation)
  • The category is listed as “Theme Park,” which is correct
  • The checkmark next to “Walt Disney World.” This means Facebook has verified that the page is official. You can hold your mouse over the checkmark and a little window will pop up that says “Verified Page”
  • Posts going back to 2009
  • Multiple posts, pretty much every day

I’m taking a pretty emphatic tone because I want people to stop falling for fake Facebook pages. I’m tired of seeing people I know get taken in by this stuff because it helps crooks spread spam and fraud to millions of people. If you see this photo and post in your Facebook newsfeed, please do the following:

  • DO NOT SHARE, LIKE OR COMMENT ON the page yourself
  • Tell whoever shared it or posted it that it is a scam and that they need to unlike the page right away; point them to the real Disney World page if they don’t believe you
  • Go to the fake page and Report it as fraudulent to Facebook
  • Share this article, or this one from the Consumerist if you can’t bring yourself to take my word for it

I don’t Facebook much anymore, but I’ve always lived by an “If it’s being shared a lot on Facebook, it’s probably not true” code. It’s a pretty accurate rule, and the stuff that IS true you’ll hear from credible sources eventually anyway.

 

 

If you use LastPass, it’s time to change your Master Password

I’ve been encouraging people to use password vault tools like LastPass for years. These browser plugins are great for keeping track of dozens of strong passwords (the hard-to-hack kind that nobody can remember) across all the websites you log in to.

However, LastPass recently announced they had discovered and blocked suspicious activity on their servers; “LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.”

Now, this could be bad, bad news IF users’ master passwords had been accessed in plain text form. However, LastPass uses some pretty robust encryption (that’s what that business about salts and hashes in the quote is about). They don’t keep your master password in plain text anywhere. In other words, even with the information that may have been compromised, thieves would have an awfully hard time using any of the information.

Still, the company is encouraging users to change their master passwords as soon as possible. This will make it impossible for the hackers to log in using the information they took, even if they managed to un-encrypt it (the chances of which are near zero).

I also encourage you to make your master password a strong password. You may have to write it down and keep it somewhere safe, but encrypted or not, a brute-force attack will plow through “password1” in well under a second. A strong master password can be irritating to type in, but it’s worth the trouble.

Two Quick Ones: Popups and “Please Open”

Just a couple very, very short fraud prevention tips to keep in mind:

  1. In most cases, legitimate websites will not ask for your username and password in a popup window. If you’re looking at a popup window that’s asking for this information, it’s time to double- and triple check that you’re actually on the website you thought you were visiting.
  2. If you get an email with the subject “Please open,” don’t. I know….rude, since they asked all polite an’ stuff. But don’t open the message, or any attachments. Just don’t do it.

Watch out for fake utility workers

It seems like as good a time as any to once again remind everyone to beware of burglars posing as utility company workers.

The usual setup starts with a knock on the door. The person standing on your doorstep claims to work for the electric or gas company, telephone company, or some other utility. They tell you they are in your neighborhood working on some or other problem, or performing routine maintenance, and ask to be shown to your circuit breaker (or whatever piece of hardware makes sense). Often they’ll even look like a real utility company employee, with a clipboard, nametag and possibly even a uniform.

While you’re showing them to the circuit breaker-or-whatever, an accomplice you didn’t see slips into your house looking for valuables or money.

It doesn’t really matter which type of company they claim to represent, the important thing to remember is that if a utility provider is going to need access to the inside of your house (which they almost never will), they will contact you ahead of time. They will not show up unannounced.

If someone is at your door and you were not contacted in advance, ask to see a badge or official identification, which they should gladly provide. Then politely ask them to wait while you close your door, lock it, lock any other doors, and call the utility company to ask if they’ve sent people to your house. Whatever you do, don’t let them in or call them out on being a crook. This type of scam differs from most in that it involves actual, physical proximity to the perpetrators, which can put you in danger of bodily harm.

Utility worker scams often target senior citizens, so make sure your friends, family and neighbors are aware of this type of crime, what to watch for and how to respond.

Stay vigilant.