All posts by FPU

Three low-tech scams and how to avoid them

For all the attention given to cybercrime like phishing and data breaches, there is still a lot of fraud that occurs outside of electronic channels. Here are just three low-tech crimes and how to steer clear of them.

Dumpster Diving

Big data breaches are alarming due to their sheer scope (and infuriating because the victims did absolutely nothing wrong to cause the theft), but remember that a lot of identity theft still begins with someone digging around in a garbage can for credit applications or documents containing personal information.

The simplest solution to prevent dumpster diving is to shred every single piece of junk mail or document that contains personal information before you throw it out. A cross-cut shredder is the way to go, and they start at under $20 for a small one that can do one or two sheets at a time.

It’s also a good idea to find out how any businesses you deal with store and discard sensitive information. Paper documents containing personal information need to be locked up securely, and the business needs to either shred old documents itself or contract with a licensed and bonded document destruction company.

Contractor Scams

When your home needs repairs, make sure the work is your idea to begin with. Don’t trust a stranger who appears at your doorstep offering to fix your roof or asphalt your driveway. Use an established contractor with a physical address and some form of online presence (if not a website, at the very least some reviews that indicate that other people have heard of the company before).

Only hire businesses that work under a contract, with the price agreed upon before any work is done. A lot of contractor scams start with a verbal agreement on a price, then when the (often shoddy) work is completed, the victim finds out the price has doubled, tripled or worse. Also watch out for demands for upfront payment – another popular home repair scam is to weasel a large “deposit” out of the victim, then disappear. Anything over 20% before work starts is suspicious. You’ll pay the rest when the work is done to your satisfaction.

Finally, be especially wary after a major weather event (tornado, flood, etc.) that causes damage to your house. Fraudulent contractors come out of the woodwork after disasters, and when you’re trying to put your home back together and get things back to normal, a walk-up approach can seem tempting, but remember: losing money to a contractor scam is only going to add to your problems. Stick with an established company to save headaches later.

Sticky Mailbox Lid

There are some scams that are so tacky, the perpetrators should be ashamed of themselves. This is one of those. These crooks target mailboxes with pull-open lids, coating the inside with a sticky substance so that anything someone drops into the box stays on the lid. The crook then walks up and takes the envelope in hopes it contains a check or cash. If you’re mailing something at a mailbox with a pull-open front, double-check to make sure your envelope went all the way down. So far the cases I’ve read about happened in New York City, but I’m sure it’s just a matter of time before this two-bit scheme makes its way across the country.

“Mailbox full” phishing attacks

When you get an email message telling you that your mailbox is full, or that your “quota has been exceeded,” it’s a good idea to double-check before you respond in any way. It might be a phishing attack designed to harvest your login credentials, infect your computer with malware, or both.

Most email service providers have a limit to how much space incoming messages can take up on the server. The size of this limit often depends on whether or not (and how much) the user is paying for the service (free providers give you less than ones you pay for).

If you leave hundreds or thousands of messages unread because you never check your mail, or don’t set up your email program to remove messages from the server after reading, you can reach this limit and new messages won’t get through.

That said, if you get a “mailbox full” message, chances are it’s not from your email service provider at all, and clicking on any links could lead to trouble. Here are a couple things to look for.

Bad spelling/bad grammar: these days, large internet service companies hire people who know how to spell and write to compose official messages. Strange grammatical constructions or misspelled words are an immediate tip-off that the email isn’t legitimate.

Who is it from? If you were really looking at an official message about your iCloud email account, you would think the sender’s address would be “[username]@icloud.com.” Same with att.net, hotmail.com, gmail.com or any of the others. Yet in a majority of cases, phishing emails appear to come from an address that has nothing to do with the service provider. Keep this in mind, though: some more sophisticated and/or targeted attacks might not have this flaw.

Where do the links go? You can see where a link takes you without clicking on it by hovering your mouse over the link and waiting for the little popup window to display the address. On a mobile device, you can hold your finger down on the link (instead of tapping) and a window will pop up showing the address. Again, if it’s from your actual email provider, that link is going to lead somewhere related to the business (and related to the sender’s address). A message about your Gmail account is going to point to something hosted at google.com, for example. Beware of lookalike addresses, though; the architects of these attacks will sometimes set up websites with addresses like “att.net-verification.com.br” where at first glance it appears to point to an att.net site, but the domain that was actually registered is “net-verification.com.br” (the “att.” in front is just a subdomain the attacker controls).
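The two checks above (sender address and link destination) can be written down as a small script. This is an added example, not code from the original post: it pulls the registered domain out of a hostname using a tiny stand-in for the Public Suffix List (constructed here; a real checker would load the full list), then compares both the From: address and every link against the provider’s domain. The sample message, addresses and links are constructed to mirror the “att.net-verification.com.br” trick described above.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Tiny stand-in for the Public Suffix List (constructed for this example).
# "com.br" and "co.uk" are two-label suffixes: the registered name sits above them.
PUBLIC_SUFFIXES = {"com", "net", "org", "br", "com.br", "uk", "co.uk", "example"}


def registrable_domain(hostname: str) -> str:
    """Return the part of a hostname that someone actually had to register.

    "att.net-verification.com.br" -> "net-verification.com.br"
    "mail.google.com"            -> "google.com"
    """
    labels = hostname.lower().rstrip(".").split(".")
    if all(label.isdigit() for label in labels):
        return ".".join(labels)  # bare IP address: nothing was "registered"
    # Walk from the left so the longest matching public suffix wins.
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            if i == 0:
                return suffix  # the hostname is nothing but a public suffix
            return ".".join(labels[i - 1:])
    return ".".join(labels[-2:])  # unknown TLD: fall back to the last two labels


def link_belongs_to(url: str, provider_domain: str) -> bool:
    """True if the link's host is the provider's domain or a subdomain of it."""
    host = urlsplit(url).hostname  # discards "user@" prefixes and port numbers
    if host is None:
        return False
    return registrable_domain(host) == registrable_domain(provider_domain)


def sender_belongs_to(from_header: str, provider_domain: str) -> bool:
    """True if the From: address is at the provider's domain (display name ignored)."""
    _display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return False
    domain = addr.rsplit("@", 1)[1]
    return registrable_domain(domain) == registrable_domain(provider_domain)


def check_message(from_header: str, links: list, provider_domain: str) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    if not sender_belongs_to(from_header, provider_domain):
        findings.append(f"sender {from_header!r} is not at {provider_domain}")
    for url in links:
        if not link_belongs_to(url, provider_domain):
            host = urlsplit(url).hostname or ""
            findings.append(f"link {url} really goes to {registrable_domain(host)}")
    return findings


# Constructed sample modelled on the "mailbox full" lure discussed above.
SAMPLE_FROM = '"AT&T Mail Support" <quota-team@att.net-verification.com.br>'
SAMPLE_LINKS = [
    "http://att.net-verification.com.br/upgrade",   # lookalike subdomain trick
    "https://att.net@198.51.100.7/login",            # "att.net" is only a username here
    "https://www.att.net/help",                      # genuinely at the provider
]

if __name__ == "__main__":
    for finding in check_message(SAMPLE_FROM, SAMPLE_LINKS, "att.net"):
        print("FLAG:", finding)
```

The second sample link shows why the hostname, not the text before the first slash, is what matters: everything before the `@` is treated by the browser as a username, and the real destination is the IP address after it.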

The best practice is to never interact directly with this type of message in the first place. If you think there might be a real issue with your email account, go directly to the provider’s website to find out if there really is a problem and how to correct it. If you did click on a suspicious link, run a virus scan to make sure you haven’t been infected with malware, and change any affected account passwords immediately.

Mystery Shopper Scams still exist

There are a few things you can always depend on. Light travels at 299,792,458 meters per second in a vacuum. Objects at rest will remain at rest unless acted upon by an outside force. “Cash this check and wire the money back to me” always equals “scam.”

I haven’t written about it in a while, but the old Mystery Shopper Scam and its variations are still out there. It’s time for a review.

The “classic” version of this scam starts with a job offer emailed out of the blue. If you respond to this message, you’ll be immediately “hired” as a Mystery (or Secret) Shopper. A cashier’s check for a fairly large amount of money (the old ones always seemed to be around $2,900, but there is a lot of variation) will arrive a short time later, with these instructions:

  1. Cash this check at your bank, keeping $100 or $150 for yourself
  2. Take the rest of the cash to the nearest Western Union location
  3. Wire it back to me
  4. Report on the customer service at Western Union

If you follow those instructions, a few days later you will be informed that the check you deposited was counterfeit and that you are now on the hook for the money you received in exchange. Unfortunately, you already wired that money to a stranger and can’t get it back.

Now, things are getting a little more difficult for the scammers. Financial institutions are placing more holds on cashier’s checks and are asking more questions to protect their customers, and after being slapped with a $586 million settlement for essentially letting these scams proliferate for so many years, Western Union is finally doing more to prevent this type of fraud.

But that only means this scam has evolved to work around these problems. Instead of Western Union, some versions involve prepaid gift cards (“cash the check, then buy iTunes gift cards and relay the numbers and PIN to me”), overpaying for purchases from online classifieds (“just wire the extra back to me”) or targeting businesses instead of individuals.

Still, the basic mechanism remains: if someone gives you a check and requests that you convert it to cash (i.e., placing the liability for that check’s authenticity on you), then transfer the money back to them electronically, they’re attempting to steal from you. Regardless of the initial pitch, the pattern holds true. Don’t fall for it.

The IRS doesn’t accept iTunes gift cards

The IRS doesn’t accept iTunes gift cards.

I’ll say it again: the IRS doesn’t accept iTunes gift cards.

“But wait,” some might say, “what about iTunes gift cards?”

NO. You can’t pay your tax bill with iTunes gift cards. Or any other gift cards.

The IRS has never allowed you to pay your taxes with an iTunes gift card. They are never going to let you pay your taxes with an iTunes gift card. iTunes gift cards come from Apple Inc. They are not money. They are not legal tender for any debts, public or private. They can only be used to buy digital goods from one company.

It’s Tax Season 2018, and the scam calls are already in full swing. “This is the IRS. You owe x dollars in back taxes and you’re going to go to jail unless you pay right now. Go buy some iTunes gift cards, then call me back with the numbers from those cards.”

That’s the gist of the calls. And they’re a scam. It doesn’t matter what Caller ID says, it doesn’t matter who the caller claims to be. The IRS doesn’t call you (or email) out of the blue demanding immediate payment. The IRS doesn’t open with “you’re going to jail.” And the IRS does not, has never, and never will accept iTunes gift cards (or any prepaid card) or wire transfers as payment for taxes owed.

This has been a very repetitive article, but the message is important and cannot be repeated enough: the IRS does not accept iTunes gift cards.

Can you spot the advertisements?

Have you ever looked up something online and then been followed around for the next few weeks by online advertisements for the very thing you searched for?

That online advertising can be creepy and annoying is hardly a controversial statement, and with so many websites relying on ad revenue as their primary income source, it is pretty much everywhere.

But even when it’s not being creepy, it can be sneaky. Often, online ads are disguised as regular “content” (which is a lame marketing buzzword for things like articles, news stories, videos, etc.), and if you’re not paying close attention, you could be drawn in, and not all ads lead to reputable sites.

Here’s a screenshot from the news feed at Yahoo.com from 1/15/2018 (note that I am not commenting on the content of these particular ads, and that I do not know what happens if you click on them because I didn’t):

Yahoo.com screenshot 1/15/2018

The first one isn’t too hard to spot, in the upper-right corner. The little blue symbol in the corner of the photo shows that this is an advertisement, and it shows a website other than Yahoo.com at the bottom of the photo.

Advertisement from Yahoo.com 1/15/2018
This is definitely an advertisement.

But there is another advertisement on this page, and it’s a little trickier. Did you notice the “article” about “People in Heavy Debt…”?

Advertisement from Yahoo.com 1/15/2018
This is also definitely an advertisement, just not as obvious.

See where it says “Sponsored” above the headline? That’s your cue that the “article” (and the two little sub-articles) is actually an advertisement. It’s easy to see once you know what to look for, but could they get the text color of the “sponsored” disclaimer any lighter?

Like I said, I’m offering no commentary on the products, services or websites being advertised in either case. I’m not even saying you should never, ever click on an advertisement.

But I’m not a fan of advertising when it tries to dress up as something else. It may not violate any laws or regulations, and it may not be a scam or fraud per se, and yes, if you’re really paying attention you should see the disclaimers, but I feel like everyone deserves to be told clearly and directly that they’re being advertised to. I don’t care how high-tech the delivery system is, most sponsored content is no more respectable than “Be sure to drink your Ovaltine” from A Christmas Story.

File your taxes as early as possible in 2018

With the flurry of headlines regarding the Equifax data breach of 2017 and the upswing in consumer interest in freezing their credit reports, there was one possible consequence that tended to get overlooked in all the talk: fraudulent tax returns.

It’s understandable. When most of us think of identity theft, the first thing that comes to mind is someone opening credit accounts in our name. However, with the kind of data stolen in the Equifax breach and with at least some percentage of consumers placing credit freezes (making the “classic” form of identity theft more difficult), it is likely that many of the compromised records will be used to file fraudulent tax returns.

That means your best practice is to file your 2017 taxes as soon as you possibly can. If you have all your required documents in your hands by the end of January, that’s the time to file.

You’re playing the odds here; basically hoping that, if your information has been compromised and is in the hands of someone aiming to file a fraudulent tax return, that you can file before they get around to yours. The more people file right away, the more time the identity thieves will waste trying to file tax returns that have already been submitted.

That we’ve been reduced to “hurry up and file before someone else does” shows that there are some pretty deep flaws in our current systems of identification. The data points used to identify literally every single U.S. citizen are also extremely easy to steal and use for criminal purposes, and have likely already been at least partially compromised for every single person. I can’t even conceive of what an alternative system would possibly look like, but Social Security numbers and PINs and knowledge-based authentication aren’t cutting it. If I think of something, I’ll let everybody know (after I patent and trademark it, of course).

Defeat phishing attacks with bookmarks

Email phishing attacks are improving.

I mean the attackers are improving. They’re wising up to the fact that actual financial institutions and social networks send emails that are (at least mostly) intelligible, and adjusting their approach accordingly.

You still see plenty of phishing emails with atrocious spelling and weird grammar bordering on word salad, but there is a growing trend toward messages that could be mistaken for legitimate communications, even by someone who is well-informed. As potential victims become more sophisticated, so do the criminals.

One way to defeat phishing attacks is to set yourself up to never use links at all. For every single site you log into – financial institutions, credit cards, social networks, online shopping – create a bookmark in your web browser, and get in the habit of always using that link to log into the website.

That way, if you get an email that looks like it might be real, instead of clicking on a link (or even spending time wondering if you should or not), simply open your web browser and use your already-created bookmark to log into the website of whomever the email purported to come from. If there’s a real message or problem, you’ll find out about it there.

Don’t Compromise Your Security for the Sake of Nostalgia

Satirical image of old radio with "Do you remember your childhood Social Security Number?" superimposed.

Lately I’ve noticed a certain type of post circulating on social networks. I don’t know if they have a name, but they generally appeal to a sense of nostalgia. There will be an image of an old telephone with the question, “Do you remember your childhood telephone number?” Another one asks which movie you love that you’ve seen over and over. And people dutifully post their responses to these questions as comments on the post.

Now, here’s the issue: there is a thing called “Knowledge-Based Authentication” (KBA). It is a deeply flawed but still very common online security practice that asks the user to answer a series of multiple-choice questions that supposedly only he or she would know the answer to. Several of the major credit bureaus use it when you place a freeze on your credit through their websites. So you might get a question like:

Which of the following phone numbers have you been associated with?

a. 417-555-3456
b. 322-555-4632
c. 322-555-0989
d. 786-555-3674
e. None of the above

If you responded to a Facebook post about your phone number growing up, there is a small chance you have just put one of your KBA answers out on the public internet.

What about that “movie you’ve seen over and over” question? Have you ever logged into an online account and had to create answers to security questions? These are designed as a line of defense against unauthorized login attempts; if a login from a different computer or location is detected, it will trigger the security questions and prevent further access if they are answered incorrectly.

“What is your favorite movie?” is definitely the type of security question that could be used by a website, and if there’s a movie you’ve seen many times, chances are it’s your favorite. If you answered the post, you may have revealed the answer to one of your security questions to the world. Several celebrities have had their Twitter accounts hacked because they used real, easy-to-find-out answers for their security questions.

Of course, these tiny pieces of information are simply pieces, not the whole puzzle. But the more puzzle pieces are in place, the more you begin to see the whole picture. The less information you put out there, the better – you don’t owe the internet anything. Think before you post any personal information online, even if it seems innocuous or silly on the surface. Anything you reveal can be used against you.

Fraudulent Customer Service Phone Numbers

By now you’ve probably heard about Tech Support Scams, where someone calls you out of the blue and tries to convince you that your computer is infected with a virus, that they have somehow detected it remotely, and that the only way to fix the problem is to hand over money, control of your computer, or both.

It’s one of those scams that can easily be avoided with the question, “Who initiated contact?” If they called you, it’s fraudulent.

But what about when you’re the one initiating contact?

When you need customer service from a large company like Amazon, Facebook or Netflix, it’s important to make sure you’re getting their contact information from a trustworthy source. Internet searches might lead you to a correct number, but the internet is also brimming with hundreds of examples of fraudulent customer service numbers, posted by criminals in hopes that you will call them instead of the legitimate phone number.

What happens if you call a fraudulent number? They may try to get your password information to take over your account and lock you out, they may ask you to reveal credit card or other financial account information, or they may take over your computer (with your help) and install malicious software or commit other crimes.

If you need to contact customer service, make sure you’re getting your information from a reliable source. Don’t trust phone numbers that appear in online forums. If you notice zeros replaced with the letter “O” (1-8OO instead of 1-800, for example), that’s a sure sign of a fraudulent phone number.
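The letter-for-digit tell described above can be checked mechanically. This is an added example, not code from the original post: it splits a phone number into its groups, maps lookalike letters (O for 0, I and l for 1) back to digits, and reports whether any such substitution occurred, while leaving purely alphabetic “vanity” groups such as 1-800-FLOWERS alone, since those letters are meant to be dialled on the keypad. A second function scans free text, such as a forum post, for anything phone-shaped and runs the same check. All sample numbers and the sample post are constructed (555 numbers).

```python
import re

# Letters commonly swapped in for digits so a fake number still "reads" right.
HOMOGLYPHS = {"O": "0", "o": "0", "I": "1", "l": "1"}

# Loose pattern for North American phone numbers, allowing the lookalike letters
# in digit positions so that faked numbers are still picked up by the scanner.
PHONE_RE = re.compile(
    r"\+?1?[\s\-.]*\(?[\dOoIl]{3}\)?[\s\-.]*[\dOoIl]{3}[\s\-.]*[\dOoIl]{4}"
)


def check_phone_number(text: str) -> dict:
    """Inspect one phone number as written on a web page or in a post.

    Returns a dict with:
      digits     - the number with separators removed and lookalikes mapped to digits
      homoglyphs - every letter that was standing in for a digit, in order
      suspicious - True when at least one such substitution was found
    """
    groups = re.split(r"[\s\-.()]+", text.strip())
    digits = []
    found = []
    for group in groups:
        if not group:
            continue
        if group.isalpha():
            digits.append(group)  # vanity word (FLOWERS): intended letters, keep as-is
            continue
        for ch in group:
            if ch.isdigit() or ch == "+":
                digits.append(ch)
            elif ch in HOMOGLYPHS:
                found.append(ch)             # a letter where a digit belongs
                digits.append(HOMOGLYPHS[ch])
            else:
                found.append(ch)             # any other letter mixed into a digit group
                digits.append("?")
    return {"digits": "".join(digits), "homoglyphs": found, "suspicious": bool(found)}


def find_suspicious_numbers(text: str) -> list:
    """Scan free text and return [(as_written, report)] for every phone-looking
    string whose digits have been faked with lookalike letters."""
    results = []
    for match in PHONE_RE.finditer(text):
        report = check_phone_number(match.group(0))
        if report["suspicious"]:
            results.append((match.group(0), report))
    return results


# Constructed forum post: one faked number, one written with real digits.
SAMPLE_POST = (
    "Amazon support is at 1-8OO-555-0123, available 24/7! "
    "The number on the official site is 1-800-555-0199."
)

if __name__ == "__main__":
    for as_written, report in find_suspicious_numbers(SAMPLE_POST):
        print(f"suspicious: {as_written!r} -> {report['digits']} "
              f"(letters used as digits: {''.join(report['homoglyphs'])})")
```

A number that survives this check is not automatically genuine; it only means the digits are real digits. Confirming that the number itself belongs to the company still requires the company’s own website, as the post says.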

With some companies, Facebook being the most prominent example, there simply is no phone number you can call. Any problems have to be resolved using online tools. Every single phone number you see listed on the internet as a Facebook customer service line is false information.

The best way to find customer service contact information is to go directly to the company’s website and look for links like “Help” or “Contact Us.” Sometimes there will be options for help via email or chat and no option for telephone contact, other times the phone number will be front and center. It depends on the company you’re dealing with. In any case, to avoid a massive headache and potential losses to fraud, always make sure you’re getting the number from the official source before you even pick up the phone.

Gas Pump Card Skimmers and How to Avoid Them

Technology is essentially a process of making tasks easier for ourselves. The electric refrigerator was a lot easier to deal with than the icebox, which was a lot simpler than having to can, cure or smoke nearly every single scrap of food you weren’t going to eat in the next day or two. As far as ease-of-use goes, the telephone beat the telegraph by a long shot, and transporting your music collection became a whole lot easier when the iPod took over the world in 2001.

The problem is that technology also makes things easier for criminals, too.

There was a time when a thief who wanted to install a skimmer on a gas pump card reader had to place the device, which tended to look “wrong” in the first place, over the dispenser’s actual card reader, hide out and hope nobody noticed it, then return to the scene of the crime to retrieve the device and the data contained therein.

But now, if they’re high-tech, thieves can attach the skimmer (which is a lot smaller and easier to conceal) and then use Bluetooth to obtain the data in real time from a few hundred feet away, with no need to return to the pump. If they’re really high-tech, they can install a skimmer that uses SMS technology to send the data as a text message to anywhere in the world. The crook placing the device can just be a hired contractor.

At some point, it gets frustrating. What can I tell you to help you avoid getting your card data skimmed at a gas pump? The original deadline to equip dispensers with chip card readers was pushed back from 2017 to 2020, so we’ve got at least three more years of magnetic stripe readers being the norm, and that’s assuming they don’t find a way to push back the deadline yet again, which they almost certainly will.

I could tell you to inspect the pump for anything that seems out-of-place, or to use the pumps nearest the station, since the installer’s main goal is generally to not be seen. Never run your debit card as “debit” (i.e., never enter your PIN). Use only well-lit, well-maintained dispensers. Et cetera. But those are stopgap measures at best.

No, the only thing I can tell you is this: forget about pay-at-the-pump. Pretend it never existed. Go inside the station to pay for your gas. It involves more walking. It takes longer. It’s more of a pain, less convenient. They’ve got lots of tempting, terrible-for-you food in there. But the risks of having your card skimmed are much lower. Shop around to see which stations have a chip-enabled terminal inside, and only buy from those stations. It’s really the best option at this point.