Overpayment scams affect businesses, too

March 28, 2014

I thought I was onto some clever application of the “duck test” for the title of this post, about how “if it looks like a scam and quacks like a scam,” but I really couldn’t make it sound anything other than monstrously insane, so I dropped it and went with the title you see above.

Anyway, the old repayment scam has been explained a thousand times here, there and everywhere. You’re selling something on Craigslist (for example), and a buyer contacts you, usually from out of state. They send their payment, but instead of $200, it’s a cashier’s check for $3,200. “Cash it and use the extra for shipping, then wire the rest back to me,” they say when you contact them.

What happens next is fairly predictable: you cash the check, send the item, wire the excess money (thousands of dollars) to someone, then find out a week later that it was a counterfeit check and that you’re on the hook for the loss caused to your financial institution.

But did you know that scammers also target businesses with the same tactic?

And if you’re a business owner, you might fall for it because what might strike you as suspicious during a private sale might seem less so in a business context. I’ve heard of several cases where retail businesses, attorneys and rental property owners have been victimized by this scam.

However, the principle applies in every context, whether in a person-to-person or a business transaction: if someone sends you a cashier’s check and tells you to cash it and wire money back to them, you’re almost always dealing with a con artist.


This is why I don’t use ad-blocking plugins: so I can point out stuff like this

February 12, 2014

Today I checked out the weather forecast at Weather.com, mostly to confirm my suspicions that yes, this winter is going to be eternal and that it’s never going to rise above four degrees for the rest of my life.

(Okay, the actual forecast wasn’t that bad, and it’s actually going to get a little warmer very soon, but still.)

I noticed this banner ad in the right-side column where Weather.com usually puts them (among other locations):

2014-02-12-junkware

Looks important, don’it? Like your security software is telling you something is wrong, right?

Yeah, well, it’s not. It’s an advertisement. Good thing the ONLY indication is the little Google AdWords logo in the upper right corner, eh?

Now, I don’t know exactly what this advertisement leads to, but as far as I’m concerned, they’re using deception to trick people into clicking on it. That makes me think of ransomware, because it’s almost the exact technique used by makers of that type of malicious software. Click on it and you may find your computer locked down until you pay $80 or more to some crook.

I wish I could issue “just never click on anything” as a general rule, but it’s sort of hard to use the Internet without clicking on something now and then. I would suggest this, though: if you see an ad like this on a major website, click on that little triangle AdWords logo (click carefully…you don’t want to click on the ad itself!) and use the submission form to tell Google about it. Google’s AdWords system is great because it allows access to online advertising for businesses of all sizes, but that wide-openness also means a lot of scammers get their greasy little banner ads through. It’s like those “work at home” scans in the old print newspapers, only a couple hundred million times larger in scope.


Just change all your passwords this weekend, okay?

January 31, 2014

The place I am typing this from is predicted to get yet another pile of snow and ice dumped on it this weekend, and I’m guessing most of the people who read this site are in the same situation.

There are some things to do right now to prepare for the impending Snow Event: make sure you’ve got some salt for the driveway, buy seven dozen eggs and a 55-gallon drum of milk (because, you know, you might not be able to leave the house for a whole 30 hours), and get your snowbound entertainments all lined up (The Shining is fun if you’re brave, or you could splurge on kind-of-expensive board games—Settlers of Catan is awesome if you’ve got three or four players available; I’ve heard there’s a football game on Sunday that a few people are interested in, too).

There are some things you can do while you’re stuck indoors, too, and this weekend, make changing every password you’ve got one of them.

See, there’s been another data breach, from Yahoo! this time. They say an “unspecified” number of accounts have been compromised, which probably will end up meaning all of them. Remember how the Target thing went from 40 million to 110 million? So you need to change your Yahoo! passwords, but there will be more major security breakdowns in the near future. There always are. So even if you’re not going to be stuck inside due to inclement weather this weekend, even if you don’t have a single Yahoo! account, it’s time to just change all your passwords.

Make all your passwords long, very random, don’t use real words, use numbers, upper- and lowercase letters, special characters, and do not use the same password for more than one account. Here’s a quick primer that should teach you everything you need to know about choosing a good password:

Bad Password: 123456
Bad Password: password
Bad Password: trustno1
Good Password: 6ZUNFPtjaWZPk$eAafBt8YhP
Good Password: KjV7$y!92#MqKS&YYSaW3MjtRmSPxR

Now, it’s going to be impossible to remember twenty different passwords (or even one) that look like those last two, so you’re going to have to find a way to record them, whether by carefully writing them in a notebook (that you keep in a different room than your computer), or by using a password manager like LastPass or Keeper (both of which will generate those stupid-long passwords for you). It doesn’t matter what method you use, just do it.

It’s a good idea to change passwords regularly, too. I’m even pretty bad about remembering to do it, but it’s a good idea to at least do it a few times a year. Even a super-strong password that would take a brute-force password guessing script a quadrillion years to guess might as well be “123456” as soon as some goofy company decides to keep its entire database of usernames and passwords in plain-text, unencrypted form, and somebody breaks in and gains access to it. This has happened in the past.

Stay vigilant. And warm.


Of data breaches and phishing

January 17, 2014

Pretty much everyone who pays attention to anything is aware that an awful lot* of credit and debit card information was stolen from Target stores by hackers. That card data almost immediately showed up for sale on Internet forums used by cybercriminals.

It is the biggest data breach story to date. A lot of people shop at Target, and even more people shop at Target between Thanksgiving and Christmas.

But, as with everything else, it can’t just stop there. Other scammers have to get their fingers in the pie, too; phishing attacks have begun to surface that mention the Target breach. These messages claim to offer protection from fraud, or ways to see if your card data was one of the compromised few.* And like every other phishing attack, they’re just trying to harvest your account information.

Even if you shopped at Target between November 27 and December 15, 2013; even if you’re really worried; even if you’ve already experienced fraudulent charges…a phishing attack is still a phishing attack. Never trust anyone who contacts you out of the blue and asks for personal or account information, whether by phone, email, text message, telegraph, smoke signal or semaphore.

As for what to do about the actual breach (now that you’re immune to the phishing attacks)? Keep tabs on your credit and debit cards. Get online access to your accounts if you don’t already have it (and use a good, strong password). If your card issuer offers email or text alerts for card activity, sign up for them. If you see something suspicious, report it to the card issuer immediately. Above all, don’t let your guard down when you get emails or text messages the refer to the data breach. Falling for a phishing attack can only make things worse.

*110 million or so.


How law enforcement doesn’t operate: scam alert from the BBB

October 18, 2013

If you live in the United States (I can’t vouch for other countries), there are certain ways in which law enforcement is carried out, and ways in which it generally is not.

Here’s one way law enforcement doesn’t work: if there’s a warrant out for your arrest, they usually don’t call you first and tell you.

Here’s another: if you’re accused of a crime, you can’t pay a fine to avoid charges (if you can, it probably means you’re bribing someone, and they’re accepting the bribe, and you’re both in a lot of trouble, mister. Bribing the police. That’s not right!). The fines (and other consequences) generally happen after you’ve been convicted, which is supposed to occur via due process.

The Better Business Bureau is warning of an active scam that has already claimed several victims. The fraudulent phone calls use spoofed caller ID to extort “fines” from victims, by money orders and prepaid debit cards. They’ve got the full lowdown here, but the proper response is one you’ve seen before: don’t give any money or personal information (even if they have some already—victims have reported the callers having information about loans), hang up, call the real police (because others are likely getting the same calls).

The problem is that such phone calls can incite a moment of panic, and panic makes it hard to think rationally. But if you’re aware that such scams exist, you’ll be able to stop, take a breath, calm down and remember how reality works before you become a victim.


How to spot a disguised link in an email message

October 1, 2013

I’ve written quite a few posts about phishing over the last few years, and I’ve probably been guilty at times of assuming everyone knows what is meant by “mouseover,” or that everyone knows offhand how to spot a disguised link in an email message.

I made this graphic to clarify. The email example here was a run-of-the mill “Your debit card has been deactivated, click here to verify” phishing attack (extremely easy to see through if you happen to NOT have an American Express debit card, which I don’t). Some phishing attacks aren’t as obvious, but the method to spot a disguised link (one that says “americanexpress.com” but actually leads to a look-alike website designed to harvest account numbers, passwords and other personal information) is the same (click the image for actual size):

2013-10-01-mouseover

Not every email program will have this exact same layout, but for the most part the actual link will be seen somewhere near the bottom of the page, on the left.


Credit Card Scam Alert: Ignore that offer from AmTrade International Bank

September 27, 2013

There is a new scam showing up in mailboxes.

It takes the form of an offer for a “secure” credit card, and it targets people with low credit scores or other financial issues.

A “secure” credit card is a credit card where the cardholder puts up some of their own money as collateral against the credit line. It allows lenders to extend credit to higher-risk consumers at a lower annual percentage rate, and can actually be a good tool for rebuilding credit (timely payment of debts makes up a large portion of your credit score). We actually offer a secured credit card here at REGIONAL. They’re a legitimate financial tool.

Except for when they’re used as the basis for a scam.

This one comes from AmTrade International Bank, with an implied connection to Credit One Bank, N.A. (there is none). Victims select a card with either a $1,500 or $3,600 credit limit, and then send in $500 or $900 (respectively) as “collateral” for the credit lines.

And the credit cards never arrive. At its core, this is the simplest form of scam: take money, disappear.

This exact same scam showed up earlier in the year, from Freedom 1st National Bank, which also implied a link to Credit One. In both cases, victims instantly found themselves robbed of either $500 or $900.

If you get offers for pre-approved credit cards in the mail, it is vital to verify all claims before making a purchase decision and sending personal information and money.

In fact, I’ll just put it out there now: don’t respond to unsolicited pre-approved offers for “secure” credit cards, at all.

Also, never just send money to an unknown entity, for any reason.

This scam is going to keep popping up, with different fake banks running it each time, and law enforcement is going be playing whack-a-mole for quite some time. In the meantime, it’s on each of us to look out for ourselves.

Read more:

 


Follow

Get every new post delivered to your Inbox.

Join 208 other followers