Watch out for fake utility workers

It seems like as good a time as any to once again remind everyone to beware of burglars posing as utility company workers.

The usual setup starts with a knock on the door. The person standing on your doorstep claims to work for the electric or gas company, telephone company, or some other utility. They tell you they are in your neighborhood working on some or other problem, or performing routine maintenance, and ask to be shown to your circuit breaker (or whatever piece of hardware makes sense). Often they’ll even look like a real utility company employee, with a clipboard, nametag and possibly even a uniform.

While you’re showing them to the circuit breaker-or-whatever, an accomplice you didn’t see slips into your house looking for valuables or money.

It doesn’t really matter which type of company they claim to represent. The important thing to remember is that if a utility provider is going to need access to the inside of your house (which they almost never will), they will contact you ahead of time. They will not show up unannounced.

If someone is at your door and you were not contacted in advance, ask to see a badge or official identification, which they should gladly provide. Then politely ask them to wait while you close your door, lock it, lock any other doors, and call the utility company to ask if they’ve sent people to your house. Whatever you do, don’t let them in or call them out on being a crook. This type of scam differs from most in that it involves actual, physical proximity to the perpetrators, which can put you in danger of bodily harm.

Utility worker scams often target senior citizens, so make sure your friends, family and neighbors are aware of this type of crime, what to watch for and how to respond.

“Capital One Fraud Case” texts are fake

Someone I know showed me a text message they had received the other day. The full text message was as follows:

URGENT: Capital One Fraud Case 240: Did you chrg $12.50 on 03/05 at 7-ELEVEN 29261 on card 5451? Yes, rply 000. No, rply 001. Std carrier chrges apply

My usual knee-jerk response is that it was fraudulent, probably an attempt to sign victims up for monthly charges on their mobile phone bills, but I wasn’t 100% sure because my acquaintance does, in fact, have a Capital One credit card. Furthermore, she doesn’t actively use her card, so any charges that did suddenly come through would likely be flagged as suspicious. And, just to make things more complicated, some people online (we did a search on the phrase “Capital One Fraud Case”) claim that these ARE legitimate text messages.

But here is where we find out that this text message is fraudulent:

  1. The last four digits of her card number are not 5451.
  2. I told her to log in to her account online and check the “Messages and Alerts.” There were none.
  3. I asked if she had ever added her mobile phone number to her account. She had not (the field was blank).
  4. There were no charges for $12.50 from anywhere.
  5. I called Capital One’s customer service and asked; if there were suspicious charges, they send emails or call, and there WOULD be an alert when you log in to your account online. “If you haven’t given us your cell number, we certainly wouldn’t be able to text you.”

So I’m calling this definitive: THESE TEXT MESSAGES ARE A SCAM. Most likely they’re trying to sign you up for a non-service that just charges your phone bill every month (that “Std carrier chrges apply” portion of the message).

Now, the Capital One service rep made it sound like they might use text messages to contact their customers (I neglected to ask the question outright), but the evidence against this particular one is pretty overwhelming.

If you get a text message like this, no matter whom it appears to come from, DO NOT REPLY TO IT. You have to find out if it’s real before you act, with 100% certainty. Log in to your credit card account online and check whatever message/alert system they have in place, as well as recent charges. Look at the card number referenced in the text…does it match?

If you don’t use their online system, sign up for it, using an email you only use for bills and a very long password made of random letters, numbers and special characters.

Or, call their customer service line directly (use what’s on the card, on your bill, or look it up at the company’s website) and ask about charges on your card, as well as fraud alerts or any other relevant information.

Anthem Data Breach: Let the scams begin

News of the massive data breach at insurance giant Anthem Inc. isn’t even a week old, and already the phishing scams have begun.

Phone calls and emails are already circulating that claim to represent Anthem and offer free identity theft protection to victims of the breach. These calls and emails are not from Anthem, but scammers attempting to obtain personal and financial information.

Anthem has stated that they will contact customers affected by the breach by mail over the next couple weeks.

That means postal mail, friends. The kind that’s on paper and comes in an envelope, delivered by that person your dog completely freaks out at six times a week. The letters will give you information on identity theft protection, as well as the next steps you should take.

If someone calls you on the telephone, they’re not from Anthem.

If you get an email message, it’s not from Anthem.

If you get a text message, that’s not from Anthem, either.

If some weirdo shows up at your door, they’re not from Anthem.

Okay, I don’t really think that last one is going to happen, but you never know. I’m trying to be preemptive, here.

Watch your mailbox if you’re a former or current Anthem (or Wellpoint) customer. The old-school mailbox. Any other communications that claim to be from Anthem are fraudulent.

You can also get information online here.

Data breach at Anthem, and it’s a bad one

Yesterday, health insurance leviathan Anthem Inc. announced that its databases had been hacked, and “tens of millions” of current and past customers (including Wellpoint customers, Anthem’s predecessor) could be affected.

This one is much worse than any of the major retail breaches you’ve heard about, because this time the hackers took names, Social Security numbers, dates of birth and addresses. In other words, this means identity theft.

The retail breaches were irritating, sure. Your debit card might suddenly stop working, or you’d notice a fraudulent charge on your statement and you’d have to wait a few days to get that reversed. The stores would sign you up for free identity theft protection, which didn’t really help because it doesn’t block fraud on card transactions anyway. But you’d end up with a new debit or credit card.

The thieves in the Anthem breach didn’t get any credit card, debit card or account numbers, but the information they did take is exactly the information required to create false identities.

This could be much worse than not being able to use one of your cards for a couple weeks.

Anthem says it will notify affected customers by mail if their information was one of the affected accounts. When they offer free identity theft protection, this will be the time to take them up on it.

If you get a letter saying yours was one of the affected accounts, I would also recommend placing an identity theft alert or security freeze with the big three credit bureaus (Experian, Transunion, Equifax).

Maybe it’s time for “security freeze” to be the default setting for everyone, all the time. What happens after the single year of protection Anthem will (most likely) provide runs out? It’s not like the people who will end up buying this stolen data can’t just wait it out until after the protection expires. Maybe Anthem owes all of its customers free lifetime protection. Words like “very sophisticated external cyber attack” imply that the breach was unpreventable, but was it? We don’t know, and we might not ever.

At any rate, if you’re a current or former Anthem (or Wellpoint) customer, watch your mailbox for notification that your information has been compromised.

Beware of unsolicited offers

The phone rings. A caller identifies himself as representing a well-known and trusted local business. He’s calling to offer you a discount on their services.

“Hey, great, I need those services anyway,” you think, and agree to the offer and arrange for the work to take place.

And another scam is set in motion.

It’s been happening here in Northwest Indiana. A heating/cooling contractor from Illinois (with an F rating at the Better Business Bureau, maybe not-quite-incidentally) has apparently been calling homeowners and claiming to be a well-known local business (with an A+ rating, also maybe not-quite-incidentally), with an offer for discounted duct cleaning. Workers show up, perform a shoddy duct-cleaning, then ask for more than the agreed-upon price.

So my fraud prevention tip today is this: be wary of unsolicited offers from local businesses. If you get a call, make sure to double-check with the actual business before you agree to anything. Use an official, published number from the real company’s website or trusted online source (or the phone book, if you didn’t just carry it directly from your front porch to the recycling bin) instead of the number that shows up on caller ID or the number given by the caller. If there’s a discrepancy, it could be a different (and unscrupulous) business posing as the real one.

Play Along at Home: Fake Target “Order Confirmation” Email

Here’s a picture of a fake “Order Confirmation” email I received recently. How many clues can you spot that indicate something is not quite right?

[Image 2014-12-08-spam-01: screenshot of the fake “Order Confirmation” email]

Here’s what comes up if you hover the mouse over the word “link”:

[Image 2014-12-08-spam-02: screenshot showing the destination URL revealed when hovering over “link”]

How many fraud indicators did you find?

Here are the ones I found:

  1. Very vague subject line: if this were an actual delivery confirmation, the subject line would usually refer to it in some way. It wouldn’t just say “Order Info.”
  2. The “From” information: support@yummy.cookiesmadeeasy.com is not a Target email address.
  3. The logo is wrong. No bullseye anywhere.
  4. “As Thanksgiving nears…” Thanksgiving was a couple weeks ago. Wrong holiday, dummies.
  5. The (attempted) conversational tone of the email: if you had an actual order to pick up, the email would begin with this information. Whichever holiday is approaching is absolutely irrelevant (for the store) to the fact that they’ve got merchandise they want you to pick up as soon as possible.
  6. The excruciatingly bad grammar. Go ahead, read it out loud. It’s beyond horrid.
  7. This isn’t even how in-store pickup orders work…the customer chooses which store to have their purchase shipped to, and that’s where it goes. That’s the only place it goes. You don’t just go to any random location because they don’t ship one to every single store when an order comes in.
  8. And what happens if I don’t “pick it” within four days? Again, not how online orders work.
  9. The stores aren’t called “Target.com.”
  10. When you get a real order confirmation email, the order information is almost always included in the message. You don’t have to click a link to get to it.
  11. Speaking of links: makingteamsrock.com? Not a Target website.
  12. “Always yours, Target.com.” Pretty sure they don’t refer to themselves as “Target.com.” Or use “Always yours” as a closing.
  13. Not one single item in the “privacy policy” line at the bottom is an actual link.

So, I found thirteen. Did you catch any that I didn’t?
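Two of the indicators above (the “From” domain and the real link destination) can be checked mechanically rather than by eye. The following is an added example, not code from the original post: it parses a constructed message modelled on the fake email and flags any sender or link domain that is not target.com or one of its subdomains. The sender and link domains in the sample are the ones named in the list above.

```python
# Added example, not from the original post: parse a constructed e-mail modelled on
# the fake "Order Confirmation" and flag off-brand From and link domains automatically.
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

BRAND_DOMAIN = "target.com"  # the brand the message claims to come from

# Constructed sample; the sender and link domains are the ones named in the post.
RAW_EMAIL = """\
From: Target.com <support@yummy.cookiesmadeeasy.com>
Subject: Order Info
Content-Type: text/html; charset="utf-8"

<html><body><p>As Thanksgiving nears, your order is waiting. Pick it within
four days via this <a href="http://makingteamsrock.com/pickup?id=1">link</a>.</p>
<p>Always yours, Target.com</p></body></html>
"""

class LinkCollector(HTMLParser):
    """Collects (href, anchor text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def same_brand(host, brand=BRAND_DOMAIN):
    """True only for the brand domain itself or one of its subdomains."""
    host = (host or "").lower().rstrip(".")
    return host == brand or host.endswith("." + brand)

def analyze(raw, brand=BRAND_DOMAIN):
    """Return human-readable fraud indicators found in the raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = msg["from"].addresses[0].domain  # domain of the real address,
    findings = []                             # not of the display name
    if not same_brand(sender, brand):
        findings.append(f"From domain {sender} is not {brand}")
    parser = LinkCollector()
    parser.feed(msg.get_body(preferencelist=("html",)).get_content())
    for href, text in parser.links:  # anchor text is free-form; judge the href
        host = urlparse(href).hostname
        if not same_brand(host, brand):
            findings.append(f"link '{text}' goes to {host}, not {brand}")
    return findings
```

Running `analyze(RAW_EMAIL)` on the sample yields two findings: the sender domain and the link destination both fall outside target.com.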

Strong Passwords: They’re Not Just for Online Banking Anymore

I’ve talked about the importance of strong passwords many times before. You can find several articles with this site’s search feature, or you can just read this quick rundown:

  1. Short, single-word or short-word-and-a-number passwords are bad.
  2. Passwords like “123456” and “password” are very, very bad.
  3. Passwords that are over 16 characters and consist of garbled strings of letters, numbers and special characters are good (“*#&uE9efh09efIUN98E(Ubdf%%23r” for example).
  4. Never use the same password for more than one website, and use a password storage program like LastPass to help you maintain your sanity.

Whenever I bring up passwords, though, I’m almost always talking about things like online banking, social networks, email accounts, and other websites where your credentials need to be kept confidential. What I don’t often bring up are all the THINGS that are now Internet-enabled.

Things like thermostats, interior lights and security cameras. Hot tubs, televisions. Garage door openers.

The idea, of course, is to bring the vision of The Jetsons into the real world. We want to walk into a room and have the thermostat know we like it to be 73 degrees during the afternoon but 76 at night. We want to be able to check our security cameras from our phones while we’re on vacation. I personally want a black ’82 Trans Am with a self-aware cybernetic logic module (and a snarky sense of humor) that can jump over walls from a dead standstill, so I can go around punching out bad guys in tan leather jackets who have been poisoning horses or whatever.

But when your THINGS are connected to the Internet, you might face some new security and privacy issues. Many of these devices are pre-set with a default password (or have a username and password as an OPTION, in the case of older products), and if you don’t change the default (or set a password in the first place), anyone who knows the default password could manipulate them remotely. They could run up your utility bills or open your garage door from the other side of the globe. If your security cameras are remotely accessible and you don’t set a password, or leave it set to the default, someone could spy on you in your home. Or set up a website collecting hacked cameras from around the world so anyone on the Internet can watch.

So what applies to websites applies to your Internet-enabled appliances and other devices: use a good password for everything, and never leave a new device’s password set to the factory default (or neglect to set one up, if it’s optional). There are too many people who know how to access them.

Your card information has been stolen

Okay, so I can’t say for certain that you specifically have had your debit or credit card information stolen in a retail data breach.

But let me ask two questions:

  • Do you have a debit/credit card?
  • Do you ever use it to buy things in a store or restaurant?

If you answered YES to those, most likely one or more of your cards has been accessed during a data breach at some point.

If it hasn’t happened yet, it will. This is the world we live in right now.

Perhaps raising the stakes for retailers would help—I was not aware until recently that, for the most part, merchants bear none of the financial burden when their security practices lead to a massive data breach that exposes tens of millions of consumers’ card data to bad people. So they continue to allow single-authentication access to their point-of-sale machines, continue to use “password1” and “abc123” as their access codes, continue to just leave things as they are, because there is no reason not to.

So who pays for your replacement card? Who reimburses you for those fraudulent charges? Your bank or credit union does.

And then you pay for them, because this is a hard-and-fast rule of financial institutions: when they lose money, they will try to recover it from another source. So maybe a loan rate creeps up by a twentieth of a point, or a fee that used to be $2 is now $2.50. These may be tiny changes, but they still represent money you could have kept in your pocket.

Of course, financial institutions can be hacked, too. It happens. And those institutions pay for card reissue and reimbursement when it does. But it’s so much easier to mount a point-of-sale hack. Data breaches wouldn’t be such a common problem if it were too difficult—despite the word “hacker,” these criminals are not geniuses. There are too many of them.

The Credit Union National Association (CUNA) has mounted a campaign called “Stop the Data Breaches.” It’s worth a look.

Shouldn’t retailers bear some responsibility for data security, with as much consumer data as they handle every second?

It seems fair.

The IRS doesn’t tell you to load up MoneyPak cards

Today’s post is real simple:

If you get a phone call from someone claiming to represent the IRS, informing you of all the trouble you’re in due to unpaid taxes, you are almost definitely dealing with a scammer.

If the next thing they tell you is “don’t tell anyone” and “go load up a bunch of MoneyPak cards and call me back and give me the card information,” you are DEFINITELY, without any shadow of a doubt, dealing with a scammer.

The correct response is to hang up the phone. This latest round of IRS telephone scams appears to involve particularly aggressive callers, but remember: it’s just a voice on a phone. They can’t freeze your assets or confiscate your property because they’re not the IRS.

You can report the fraud at http://www.treasury.gov/tigta/ if you feel like it, but the main thing is: hang up the phone.

Source:

http://www.ic3.gov/media/2014/140925.aspx

Stay vigilant.