If you’ve let your antivirus subscription lapse, renew it today

There are basically two options available for safe use of the Internet:

  1. Get antivirus software, keep it updated, and scan your computer regularly;
  2. Don’t go online, for any reason, ever, forever.

We are well past the old days when getting a computer virus was mostly just irritating. Malware is big business for organized crime, and your computer can be locked up forever unless you pay (ransomware) or infected with programs designed to steal banking credentials.

You can lose a lot of money, in other words.

There’s a new threat called GozNym. I’m still researching it so I can tell you more, but so far the details I’ve found are hazy. It’s referred to as “Trojan horse” malware in some of the articles I’ve read. That usually means the victim opens a file they think is something else and gets infected, but that’s about all I know at this point. I can tell you this: GozNym targets financial accounts. GozNym is bad. You don’t want it. [smash cut to Elaine Benes from Seinfeld shouting “I know I don’t want it! I don’t need you to tell me what I don’t want, you stupid hipster doofus!” at Kramer]

And I can also tell you this: if you get an email with a file attached, be extremely careful about opening or running that file. Is it from someone you know? Is it something you asked for? Are you being led to believe it’s from the FBI or a local police department, or is it a “shipping confirmation” from an online retailer? Slow down. Think before you click anything.

I can also tell you not to download anything just because a website is asking you to download it. And even if you did go searching for files or software to download, make sure you know what you’re getting before you download or run anything. And scan it for viruses before you run it.

But you also have to have some form of antivirus software on your computer. It won’t be perfect. It won’t protect you from 100% of malware 100% of the time. Sometimes a new threat can’t be detected yet, and careless behavior on your part can almost always defeat even the best antivirus programs. And they usually cost money.

But they’re vital. That yearly subscription cost isn’t just a racket. Sure, it hurts to shell out $30 or $50 or more, but some things hurt even worse, like losing five years of digital photos or having a business’s checking account cleaned out.

They’re not working on WRINKLES

Here’s a new one from the Dumb Spam Files (which could totally be a TV series if FX or A&E would return my calls):

[Image: 2016-03-09-spam]

Here’s a NON-secret for you: NASA isn’t researching wrinkles.

I don’t care how bad your wrinkles are. I don’t care if all that’s left of your face is one giant wrinkle. Never click on anything that even resembles this. Deal?

Prevent tax identity theft with an Identity Protection PIN

UPDATE 3/8/16: Or don’t get a PIN. According to KrebsOnSecurity.com, and as seen on the IRS site linked below, there have been some major security issues with the Identity Protection PIN system, and for now the service has been suspended. Once again, it took identity thieves around four seconds to figure out how to abuse a feature designed to protect your personal information and prevent tax return fraud.

I’ve written plenty of times about not opening emails that appear to come from the IRS (because of malware and/or phishing), but there is another type of crime that ramps up during tax season: tax identity theft.

Basically, it works like this: an identity thief already has your information, files a fake tax return in your name (from which a large refund will be due), then has the money directly deposited into an account controlled by the thief.

Most people’s first warning sign is when the IRS rejects their actual tax return because, according to their records, they already submitted one.

One step you can take to prevent this form of identity theft is to get an Identity Protection PIN from the IRS. You’ll have to use this PIN any time you file taxes (it’s not the same as your e-file signature PIN). The IRS will send you a new one every December or early January. Once you’re signed up, you’ll have to use a PIN every year to file your taxes, and you can’t opt out.

I can’t find any information about how long it actually takes to get your PIN from the IRS. If you’re ready to file your taxes now, or if April 15th is approaching (depending on when you read this), it might be better to wait until after you’ve filed this year’s return.

For more information, and to request a PIN, visit the official IRS page at https://www.irs.gov/Individuals/Get-An-Identity-Protection-PIN

An example of the exact type of email you should NOT open

Here’s a screenshot of something that appeared in my inbox recently:

[Image: 2015-12-21-spam]

I spend a lot of time trying to describe the kinds of emails you should avoid, but this one illustrates those concepts perfectly. Let’s look at a few warning signs:

  1. The message wasn’t expected (I’m not a USAA member, but even if I was, this isn’t a usual email)
  2. The subject line is intended to provoke a fear reaction
  3. The subject line is kind of weird, grammatically; are they saying that a “New Document” has been prevented? If “Due to Suspicious Sign-in” modifies the subject of the sentence, which in this case is “New Document,” then…okay, you get it; it just reads weird.
  4. There is a file attached (the little paperclip icon)

What is supposed to happen with this kind of email is that the victim sees “Suspicious Sign-in” and immediately opens the message, which is most likely blank or contains instructions to open the attached file. Once the victim does that, some form of malicious software, anything from spyware to ransomware, will be installed on their computer.

What actually happens, when the recipient knows some of the warning signs, is that the message is immediately deleted and causes no harm.

Also note that this message slipped past some pretty burly anti-spam and anti-malware software. Those tools are important, but sometimes a dangerous email still makes it through. Stay vigilant!

Stop calling back every number in your “missed calls” list

Today, I received a phone call from a stranger who demanded to know who I was. No greeting, just “who’s this?”

I declined to answer (because we don’t give out ANY personal information to people who call us, right, class?), instead telling them that it seemed they had the wrong number. This person then insisted that I had called them, and they wanted to know why.

“I didn’t call you. I haven’t called anyone today,” I replied. (I wasn’t even stretching the truth for emphasis—other than a couple text messages and posting something about Beethoven’s birthday [Happy 245th, Viggy!] on a social media account, I had not used my phone for communication purposes all day. I still haven’t, actually.)

“It says you called me,” they said.

“Maybe there’s a mistake,” I offered. I have an incredibly easy-to-mis-dial mobile number, and I figured someone had called them from one of the several same-digits-in-same-order-but-different-quantity-of-each phone numbers that exist.

They just hung up, because of course they did. Hopefully this person had simply mis-dialed and realized their mistake.

But there is a more sinister possibility, here: scam callers almost always use fake caller ID. There is a possibility that my number was the one they happened to use for a round of scam calls; this caller did share both the area code and interchange with my number.

Now, if that was what happened in this case, the damage is limited. They called the spoofed phone number back, which happened to be mine. I explained that I didn’t make any calls, they got angry and hung up, I blocked their number (just in case, and also because I was a little annoyed as well).

But what if a scam call had been placed from a number that actually belonged to the perpetrators? This person might have, in going through their list of missed calls, run straight into a trap designed to steal money, personal information, or both.

I wasn’t aware of this until recently, but it appears that a lot of people look at their “missed calls” list every day, and call back every single number. Because of the very real possibility of running headlong into fraud, I cannot recommend against this activity strongly enough.

If someone is truly calling for a legitimate, important reason, they will leave a message or call back later. There is no good reason to try to find out what’s on the other end of every single random phone number that attempts to reach you every day. A lot of those calls are going to be from people you do not want in your life.

(Some of the numbers you do recognize may be, too, but that’s outside the scope of this article…)

Security freeze information for Indiana residents

The Indiana Attorney General’s office has information about security freezes, which are free for residents of Indiana (and some other states—you’ll have to check your own state’s laws if you don’t live here).

You can download the information here, or visit the Indiana Consumer website. I’ll put a link on the Fraud Prevention Resources page as well.

A security freeze (or credit freeze) prevents new lines of credit from being opened in your name, even if an identity thief has your Social Security number and other information, by adding an extra step to the credit application process.

’Tis the season

This time of year, a lot of people are thinking about ways to help those who are less fortunate.

Some like to volunteer directly, others donate goods, and many like to give money to charitable organizations.

If you fall into that last category, this is your annual reminder: always look into a charity before you give them money. There are people out there who take advantage of others’ goodwill, and sometimes they set up elaborate schemes to siphon funds meant for other purposes.

If you’re unfamiliar with an organization, one of the best places to start is Charity Navigator. There you can find out how much of a charity’s income it actually spends on its programs, how much it spends on fundraising, and more. Quick tip: if it spends 3% on programs and over 85% on fundraising, pass on making a contribution. All charities have some operating expenses, but that’s just beyond the pale.

I’m leery of charities that make cold calls. I used to get one all the time from an alleged charity that had something to do with police officers. I forget which one, so I won’t try to guess, but I recall the people on the phone would routinely imply that they themselves were actual officers. They weren’t. I never donated a cent because the whole operation sounded shady to me. Later I found out their operating expenses, including fundraising, executive salaries and administrative costs, took up something like 98% of their income. The other 2% went to whatever the charity claimed to do (they were vague about this as well). Maybe there are good charities that make cold calls, but I’ve never been contacted by one, so make sure you check them out before you donate a dime.

I believe the best way to avoid charity scams is to decide in advance who is getting your donations each year, and contact the organization(s) yourself. Pick your favorites, find out how to get in touch, and give whatever you are able.

They’ll be thrilled to take that call. I guarantee it.

Nigerian 419 email scams live on

I saw this one just today. It’s a doozy:

From: The Desk Of Mr. James Dike
Reference: GTBank Plc.
Address: 402, Lagos-Abeokuta Expressway, Abule-Egba, Lagos State, Nigeria.

Attention: $10.5M ATM Fund Beneficiary,

I am Mr. James Dike, the new appointed ATM Head of Operation Department Guaranty Trust Bank Nigeria PLC, I resumed to this office on the 1st of this month and For your information i have been empowered and instructed by the new elected President Federal Republic of Nigeria Gen. Muhammadu Buhari to pay all outstanding debt payment to the rightful beneficiaries and summit my payment report to his office with immediate effect and any payment that is not paid before the end of this month will be cancelled and the fund will be returned to the Federal Reserve Oil Account.

So, during my official research last week I discovered an abandoned ATM Master card valued sum of $10.5Million with card number 5321452123409380 belonging to you as the rightfully intimate beneficiary. I tried to know why this card have not been released to you but I was told that the formal ATM head of operation who left this office two months ago withhold your card for his own personal use without knowing that I will not approve or support him to take your card.

Now that your ATM Master card is still available for you to pick it up here in our bank. I want to know how you wish to receive your ATM card along with your four digits pin code number. You can come down here in our bank to pick up your card direct from my office or alternatively it can be send to your address through any registered reliable courier service company that you will take care of the courier charge. I don’t know the cost of shipping the card to you but if you permit me I can make an inquiry from the courier shipment company to find out the cost, but in that case you will be required to forward to me your shipment address to enable me find out the shipment cost to your location.

Your direct telephone number and address will be needed and more details of your ATM Master card payment will be made known to you as soon as I receive your swift positive response, to enable you know the amount programmed for your ATM Master Card daily withdrawal.I will send your ATM master card information including your Card Pin Code as soon as you declare your choice of receiving your ATM card so as to enable you receive your card and start making use of it to withdraw at any ATM card machine all over the world as programmed.

Do not hesitate to call me on +234 802-850-0459 as soon as you read this mail.

Thanks for your co-operation.

Yours Faithfully,
Mr. James Dike
ATM Head of Operation Department
Guaranty Trust Bank Nigeria Plc.
Tel: +234 802-850-0459.

A lot of us have become jaded when it comes to the old Nigerian 419 scam. Even though this one takes a different angle and doesn’t mention an exiled prince, for many of us, it’s easy to see through. We probably wouldn’t even read it… “$10.5M” in the subject line would be enough to trigger our “delete” reflex.

But somebody still falls for it. If they didn’t, these emails wouldn’t happen anymore. So while you may have become almost flippant about the Nigerian 419 scam, remember that there are still people who haven’t heard about it yet. If someone you know starts talking about an impending payout from a mysterious source, or mentions their plans to wire money overseas, it might be time to educate him or her.

Free Disney Vacation Scam Alert

If you haven’t already, at some point very soon you are going to see this image on Facebook:

[Image: 2015-07-17-disney-scam]

The hook is this: like the photo, share it, then visit a website to enter a contest for a free Disney World vacation.

Here’s the problem: the Facebook page this image resides on is NOT the official Disney World page. It is an impostor designed to trick users into liking the page. Once enough people have done so, the page content will be changed to push other scams into the news feeds of the people who liked the Disney page.

Now, why am I such a downer? Why am I trying so hard to make people sad? How do I know it’s a fake Disney page?

Well, look at this screenshot for a moment:

[Image: 2015-07-17-disney-scam-02]

Do you see what it says next to the profile picture? I’ll zoom in a little so you can read it better:

[Image: 2015-07-17-disney-scam-02a]

It says “Walt Disney-World.”.

Notice the dash.

Notice the period.

Notice the category: “Transport/Freight.”

Notice the lack of the blue “Verified Page” checkmark next to the name.

Do you think for one moment that a company the size of Disney would have ITS OWN NAME written incorrectly on its own Facebook page? Look at any official Disney website or product. Do you see “Walt Disney-World.” anywhere?

Do you see Walt Disney World train cars and semi trailers all over America’s railroad tracks and roadways, delivering jars of pickle relish and car parts and textiles? No? That’s because Disney World is a theme park, not a transportation and freight business.

Do you believe Disney World’s official Facebook page would have 20,000 likes (as of today) and ONE lousy post? And no link to the official Disney World website?

These, and a dozen other points, are your free ticket to knowing that this Facebook page and offer are a scam.

Go look at Walt Disney World’s official Facebook page. Notice:

  • 14 million likes
  • The name is correctly punctuated (which is to say there is NO punctuation)
  • The category is listed as “Theme Park,” which is correct
  • The checkmark next to “Walt Disney World.” This means Facebook has verified that the page is official. You can hold your mouse over the checkmark and a little window will pop up that says “Verified Page”
  • Posts going back to 2009
  • Multiple posts, pretty much every day

I’m taking a pretty emphatic tone because I want people to stop falling for fake Facebook pages. I’m tired of seeing people I know get taken in by this stuff because it helps crooks spread spam and fraud to millions of people. If you see this photo and post in your Facebook newsfeed, please do the following:

  • DO NOT SHARE, LIKE OR COMMENT ON the page yourself
  • Tell whoever shared it or posted it that it is a scam and that they need to unlike the page right away; point them to the real Disney World page if they don’t believe you
  • Go to the fake page and Report it as fraudulent to Facebook
  • Share this article, or this one from the Consumerist if you can’t bring yourself to take my word for it

I don’t Facebook much anymore, but I’ve always lived by an “If it’s being shared a lot on Facebook, it’s probably not true” code. It’s a pretty accurate rule, and the stuff that IS true you’ll hear from credible sources eventually anyway.

If you use LastPass, it’s time to change your Master Password

I’ve been encouraging people to use password vault tools like LastPass for years. These browser plugins are great for keeping track of dozens of strong passwords (the hard-to-hack kind that nobody can remember) across all the websites you log in to.

However, LastPass recently announced they had discovered and blocked suspicious activity on their servers: “LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.”

Now, this could be bad, bad news IF users’ master passwords had been accessed in plain text form. However, LastPass uses some pretty robust encryption (that’s what that business about salts and hashes in the quote is about). They don’t keep your master password in plain text anywhere. In other words, even with the information that may have been compromised, thieves would have an awfully hard time using any of the information.

Still, the company is encouraging users to change their master passwords as soon as possible. This will make it impossible for the hackers to log in using the information they took, even if they managed to un-encrypt it (the chances of which are near zero).

I also encourage you to make your master password a strong password. You may have to write it down and keep it somewhere safe, but encrypted or not, a brute-force attack will plow through “password1” in well under a second. A strong master password can be irritating to type in, but it’s worth the trouble.
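To make the “salts and hashes” point concrete, here is an added example (not from the original post, and not LastPass’s actual scheme) showing how a per-user salt and a slow hash are stored instead of the password, and why a weak master password still falls to a short list of common guesses. The iteration count, salt size, sample passwords and word list are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor for illustration only; not any vendor's real setting.
ITERATIONS = 100_000

# Constructed sample of common passwords a defender might audit against.
COMMON = ["123456", "password", "password1", "qwerty", "letmein"]


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Store only a per-user random salt and the derived hash, never the password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify(record: dict, candidate: str) -> bool:
    """Re-derive the hash with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), record["salt"], ITERATIONS
    )
    return hmac.compare_digest(digest, record["hash"])


def audit_against_common(record: dict, common_passwords) -> Optional[str]:
    """Return the first common password that matches the record, else None."""
    for guess in common_passwords:
        if verify(record, guess):
            return guess
    return None


def demo() -> dict:
    weak_a = make_record("password1")
    weak_b = make_record("password1")  # same password, different random salt
    strong = make_record("plum-Tractor-91-violin-sky")  # constructed example
    return {
        # Salting means identical passwords do not produce identical hashes.
        "same_password_same_hash": weak_a["hash"] == weak_b["hash"],
        # A weak password is recovered from the stolen salt and hash anyway.
        "weak_found": audit_against_common(weak_a, COMMON),
        # A strong password is not on any short list of guesses.
        "strong_found": audit_against_common(strong, COMMON),
    }


if __name__ == "__main__":
    print(demo())
```

The salt stops one precomputed table from cracking every account at once, and the iteration count slows each guess, but neither helps if the password is among the first guesses tried.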

Stay vigilant.