Tag Archives: Identity Theft

App Store Scam targets iPhone and iPad users

If you’re an Apple iPhone or iPad user, be on the lookout for a recently discovered phishing scam, reported by security firm F-Secure.

It seems users of these devices are receiving emails informing them that their recent App Store purchase has been successfully cancelled. There is a link for order information, but it actually takes users to one of those pharmacy websites where they try to mine personal information.

The above linked article tells you more about it, and they make an excellent point: while the emails currently direct you to a drugstore site, which most savvy Internet users will reject right away, what if they decide to build an App Store lookalike page? Lots more people will be tricked.

There was one part of that made me laugh, though:

[T]he phony Apple AppStore message appears in email inboxes immediately after you purchase an app from Apple’s legitimate App Store. F-Secure is not sure how the scammers know you just bought something from the App Store.

Oh, I can tell you right now how they know you just made an App Store purchase: people who have iPhones and iPad always just made an App Store purchase. Do you have one of these devices? You’ve been to the App Store today, haven’t you? Come on, admit it!

Maybe I’m just jealous of your neat-o phone. Or maybe I’m not. I’ll never tell. Welcome to the Fraud Prevention Unit: your source for ambiguous digs at vast swathes of popular culture.

Email links: perhaps I’ve been too alarmist

I have mixed feeling about something I heard about at the credit union recently. It seems that some of our members have taken my advice about links in email messages deeply to heart, to the point that they’re afraid to click a link in any message (even an expected, monthly newsletter from us!).

On one hand, I’m thrilled that some people are listening and learning. The vast majority of the traffic for this site comes from search engines (an unintended result; the original idea was to specifically reach people in our geographic area), so it’s good to know that local folks are getting hip to the fraud prevention tip as well.

On the other hand, perhaps I’m fomenting paranoia and fear with all the dire warnings.

Here’s the deal: if you’re getting a regular email communiqué, such as a monthly electronic newsletter, from a trusted source, it’s okay to use the links contained therein. No scammer is going to go through the trouble of creating a monthly newsletter, with constantly-changing articles about the latest promotions and happenings at a financial institution, and place low-pressure, soft-sell links at the bottom of the page (which is exactly what REGIONAL sends out during the first week of each month).

What you want to be wary of is those unexpected messages that try to jolt you into acting without thinking; “YOUR ACCOUNT HAS BEEN SUSPENDED!” screams the message. “CLICK HERE TO VERIFY YOUR ACCOUNT!”

That’s the stuff you need to avoid—the unexpected, urgent-sounding message that addresses you as “Dear Customer” or “Dead Cardholder” or that contains poor spelling and/or grammar, and that instructs you to verify your personal information. If you’ve got an account at a bank, credit union or creditor, they already have your personal information. If they didn’t, you wouldn’t have an account.

Ten Tips for an Identity Theft-Free 2011

I haven’t been able to do much posting lately. They moved us to a different office here at the credit union, and it’s been a little nuts. However, everything is finally settling down, so I thought it might be good to do a little “top ten” sort of thing. Let’s start with what NOT to do:

1. Don’t click on links in unsolicited emails

If you get an email that looks like it’s from a bank, credit card company, PayPal or other financial service, think before you click any links. Are they saying your account or card has been deactivated, and they need you to login to “verify” your personal information? That’s a common scam called phishing. The link will take you to a rogue website that may look like a real login page, but is designed to hand over your account and personal information to thieves.

2. Don’t give out your information to just anyone

You need to provide your personal information when you’re applying for a job, applying for a loan or opening a new financial account. If someone else is asking for your information, find out why before you even consider handing it over. And never give your information out to a person who calls you on the telephone, no matter who they claim to be, which brings us to…

3. Don’t implicitly trust Caller ID

With modern digital phone services, Caller ID can be manipulated to say just about anything. If they’re calling you and asking for nonpublic personal information, you could be looking at a scam.

4. Don’t carry your Social Security card with you

Look in your wallet or purse right now. Is your Social Security card in there? Get it out and put it in a lockbox or other secure location right now. If you get robbed, it’s bad enough that a thief has your cash and credit cards—do you need to hand them your identity as well?

5. Don’t leave personal information unsecured

In a quarter of identity theft cases, the victims know the person who stole their identity. Don’t leave personal information lying around, at home or at work.

Now, we all know that being reactive is only part of the equation; you have to be proactive as well. Here are some things TO do:

6. Buy a small paper shredder

With all the attention given to high-tech forms of identity theft, it’s easy to forget that a lot of it begins with dumpster diving and trash picking. A small shredder costs under $25. Not having one could cost you thousands.

7. Get a credit freeze

If you’re an Indiana resident, you have the right to place a credit freeze on your credit reports. This makes it impossible for a theif to open new accounts in your name even if they have all your information. More information is at www.in.gov/attorneygeneral/2411.htm.

8. Check your credit report

Ignore the commercials with the silly songs. You don’t really need your credit score or to enroll in any high-priced credit monitoring services. What you do need is to check your credit report at each of the three major reporting agencies (Equifax, Experian and TransUnion). Go to annualcreditreport.com and follow the instructions. Since the reports should all have the same information, it’s a good idea to stagger them—get TransUnion in January, Experian in May and Equifax in September, for example. Report any errors immediately.

9. Install virus protection on your computer

Norton, Kaspersky, McAfee: they’re all good, so pick one and use it. They cost money to buy, and you will have to pay annually to keep your software updated. I know, money doesn’t grow on trees, but spyware, viruses and keyloggers apparently do—you can’t afford not to have up-to-date virus protection software.

10. Educate yourself

Pay attention to news articles about fraud and identity theft. If you’ve got a question about something, research it online. Sign up for email alerts from the Indiana Attorney General’s Office. And, naturally, keep checking right here for news, tips and other fraud prevention goodies. Have a secure and happy New Year.

(Don’t Fear) The Scammer

Promotional photo of Boris Karloff from Franke...
Image via Wikipedia

It’s a spooky time of year, the end of October. Everywhere you look, it’s ghosts and monsters and Christmas decorations. (Really? I’m serious, retailers of the world; really?)

And of course you have the inevitable horror movie marathons, where the intensity is elevated a bit (less innocent “Boo!” and more…visceral forms of scary entertainment).

But even beyond the usual seasonal fright-fests, there are a lot of things out there for people to be afraid of. I mean, have you ever watched an episode of The Doctors? That’s not just a hangnail, it’s a reason to panic! Literally everything is presented as cause for alarm. Hair turning gray as you age? You’re going to die in ten minutes! AAAAAAA!

Of course I’m being hyperbolic there, but only a little bit.

So that’s what I want to address today. I’ve written over 180 posts on topics ranging from phishing emails to medical identity theft. If you were to sit down and read twenty of them in a row with the incorrect mindset, you might walk away very, very afraid.

That’s not what I’m going for here. “That is not what I meant at all. That is not it, at all.”

Sure, there are a million different scams and schemes, tricks and traps. But to live in fear of scams and to let it dampen your enjoyment of life is going about it all wrong.

How many people have been nasty to cashiers at Walmart because of an urban legend about the so-called “cash-back scam” (which I recently saw presented on a news website as fact)?

How many people refuse to do any online banking or bill paying, despite the fact that it’s actually safer than mailing checks and takes about one-tenth the time investment, out of identity theft fears?

There’s just no reason to react to the world in this way. Trust your instincts—if something seems unusual or out of place, it probably is. Follow the basic rules, like not clicking on links in emails, knowing what phishing looks like, and knowing not to give personal information to a caller or let strangers into your house. Know that you’re never going to get anything but scammed if you receive an unsolicited job offer via email.

Keep it situational; if you’re in a situation that’s ringing your “this seems like a scam” bells, then go on alert and keep yourself and your money/identity safe. Get a free credit freeze if you live in Indiana (and check into your state’s resources if you don’t).

But don’t walk around looking for fraud—you do that long enough and you won’t even trust your own mother by the time you’re done. Know the basics, pay attention, and relax.

Freeze your credit; if you live in Indiana, that is

Map of USA with Indiana highlighted
Image via Wikipedia

A credit freeze is a really nice tool in the fight against identity theft. Essentially, a freeze makes it impossible for anyone to open new credit accounts in your name even if they have all your personal information.

Of course, it adds a little extra work if you want to open a new line of credit, but I think it’s a fair trade. Besides, didn’t we all learn a little lesson in 2008 about what happens when it’s too easy to obtain credit?

At any rate, it turns out if you’re an Indiana resident you can request a credit freeze free of charge. It’s a right provided by Indiana law to Indiana residents. I don’t know if other states have this type of thing in place (after all, I can’t do research on 49 attorneys general in the time I’m taking to write this). If you ain’t from around here, check online with your state’s attorney general to find out.

You can request a freeze either by paper mail or online. More information is available at the Indiana AG’s website. Check it out today!

A fictional story about a guy who did everything wrong one day

Hi there.

My name is Johnny, and I had a busy day today.

I woke up around eight because I had a new job as a secret shopper. I got an email a couple weeks ago, and they hired me on the spot when I responded. Yesterday, an envelope arrived with a check and my first assignment.

I headed to my bank around nine. At first, the teller didn’t want to cash the check because I only had six bucks in my account, but I whined and got in her face and demanded to talk to the manager until she relented. “That’s a cashier’s check,” I told her in no uncertain terms. “Those are the same as cash.”

I left the bank with $2,700 in my pocket and headed to the nearest Western Union location. The guy there kept asking me questions about the money I was wiring, so I finally told him it was for a relative in Canada, just like the secret shopping company told me to do. It was a little annoying the way he wouldn’t leave me alone. I’m going to put that in my report for sure.

By the time I was done, it was only ten o’clock. I had made $150 for less than an hour of work! I could get used to this lifestyle. I decided to head home.

The phone was ringing when I came in the door. I ran to answer, and this guy from the county courthouse was telling me I was going to be arrested for not appearing for jury duty.

“But I never got a letter that said anything about jury duty,” I said.

“That doesn’t matter,” he replied. “The fact is that you didn’t show, and an officer will be stopping by later today to make the arrest.”

“But…isn’t there some way I could just do jury duty another time? I didn’t miss on purpose.”

“Let me see what I can do, sir,” the man said. After a minute on hold, he told me I could just pay a fine and the whole thing would be taken care of. I gave him my name, date of birth, Social Security number and some credit card information to pay the fine. I was relieved when I hung up the phone. Crisis averted.

The mail had arrived, but it was nothing but a pile of credit card offers. I threw these in the trash unopened. Nobody’s going to rip me off.

I sat down on the sofa to unwind with some TV. It was mostly talk shows at that time of morning, but there was a news broadcast between commercials that caught my eye. It gave some phone number you could call to get your debts eliminated. I have a lot of debt, so I wrote down the number. It seemed like a strange place for a news alert, during the commercials, but whatever. There was a ticker on the screen and some footage of the President, so it must be some kind government program, right?

I went to the computer to write up my report for the secret shopping job. I hate my computer. It came with this virus protection software, but the only thing it’s done for the past two years is tell me my subscription is expired. It’s annoying. Plus, when I opened my web browser (Internet Explorer 6) and tried to visit a website, this window popped up offering a free virus scan. I clicked “OK” and it found like ten infections. The software that came with my computer doesn’t even work!

After the scan, there was a window that wouldn’t go away, so I just closed the browser and checked my email. There, a miracle happened. It turns out I was entered in the lottery up in Canada, and I won! $2,500,000, all for me. I called the claims agent right away. It turns out there are some taxes and fees I have to pay first, but that’s okay—they’re going to mail me a check. I think I may retire from secret shopping. After all, with two-and-a-half million, I’m going to be pretty much set for life.

I’m not going to tell anyone about it, though. I don’t want everybody asking me for money.

My name is Johnny, and I made at least ten mistakes today, if not more. Can you spot them all?

Alleged national fraud ring busted: let’s do the math!

This item appeared in today’s edition of the NWI Times.

If you don’t want to read the whole thing, here’s a summary: four people from Indianapolis were arrested for allegedly running a fraud ring in which involved adding themselves to other people’s financial accounts. Four others (two from Northwest Indiana) are also named in the case.

They are alleged to have taken around $200,000 over the course of three years. The first thing I thought when I saw that number was, “Isn’t that an awfully small amount?”

Assuming the facts are as stated in the article, and that all eight people are guilty (which has not been proven yet, I know—this is a purely educational discussion), let’s do the math:

$200,000 divided by eight people equals $25,000 for each person. That, divided by the three years, equals $8,333.33 each per year.

That’s not exactly a major haul, is it?

Think about it:

$8,333.33 divided by 52 weeks per year equals $160.26 per week. Divide that by the current minimum wage of $7.25 per hour, and these people would have had to work just over 22 hours per week at minimum wage to match their income from this fraud scheme.

In other words, they could have worked a drive-through window for less than 4½ hours a day (assuming a five-day week) and come out ahead, with the added advantage of not having to serve jail time for doing it.

I wonder how hard they worked to create and maintain this scheme. I’ll bet it involved a lot more sweat than handing sacks of burgers to people in cars would have, though.

Again, we have a justice system in this country, so these people could all be completely innocent. I just thought the math was kind of interesting.

Ridiculous Spam Friday the 13th

How’s that for timing? The thirteenth installment of Ridiculous Spam Friday falls on an actual Friday the 13th. I love it when a plan comes together.

Let’s get to the garbage…

From: Dick Glock <[removed]@amadorcoe.k12.ca.us>
Date: Sunday, August 01, 2010 11:30 AM
To: info@lotto.co.uk
Subject: Final Notification!!!?

Dear e-MAIL Winner,
Your email address won £850,000.00 GBP in this month NATIONAL LOTTERY E-mail online drew.
To file for your claim, contact our agent Mr.Albert Nelson.  with
the details below(Full Names, Contact Address, Country, Age, Sex, Occupation &
Telephone numbers) to this Email: uknldepartment2010@discuz.org  Phone Number: Tel:+44 7024027755

MODE OF PAYMENT !!!

Option (1)  Via Courier Delivery

Option (2)  Via Bank Wire Transfer

Note: This is an automatic message do not click on your reply button send all details to the below  Email:  uknldepartment2010@discuz.org  

Yours Sincerely,
Dick Glock

I removed the email address under “From” because it is apparently the legitimate address of an administrator for a school district out in California. Where do spammers get the legit addresses from?

At any rate, since it’s just another lottery scam message, you don’t even have to wonder why a school admin would be telling you about a lottery, since you already know it’s a scam. The incredulous punctuation in the subject line (“!!!?”) is cute, though.

From: Zoosk Request Notification <noreply@dipfishesnet.com>
Date: Tuesday, July 20, 2010 12:09 PM
To: [correct address]
Subject: Facebook Notification – Zoosk dating app

-Someone is searching for you on a Facebook application called Zoosk-     
      
Press here to see who wants to make a connection with you:     
http://dipfishesnet.com/c/ejAvaGhF7140LFFvOEtFKA.html?0      

—–      
             
To not receive this message again please visit this page:     
http://dipfishesnet.com/c/ejAvaGhF7140LFFvOEtFKA.html?1     
      
or write to:     
      
Zoosk Inc. 475 Sansome Street., 10th Floor,     
San Francisco, CA 94111     
To remove yourself from this list,
click here http://dipfishesnet.com/u/ejAvaGhF7140LFFvOEtFKA.html
or write to us at:
PO Box 85073
Richmond, VA 23285-5073

And how, pray tell, would an application on Facebook (I thought Zoosk was its own site) be trying to find me at my work email address? That’s not the one I use there.

This one serves as a good reminder: never click the “unsubscribe” link in a spam message. All you’re doing is confirming that your address is good. I wonder what happens if you write to the P.O. Box, though. I’d imagine putting your email address, full name and home address into the hands of these people could be even worse. Ten bucks says that P.O. Box is just a drop site that is set up to forward everything to Russia.

From: [removed]
Date: Tuesday, June 29, 2010 10:29 AM
To: [removed]
Subject: Hello!

Hello!
How are you recently?
I bought a laptop from a website:   www.laosm.info/ Last week, i  have got the product, its quality is very good and the price is  competitive. They also sell phones, TV, psp, motor and so on, by the  way, they import products from Korea and sell new and original  products, they have good reputation and have many good feedbacks. If  you need these products, look at this website will be a clever choice.
I am sure you will get many surprise and benefits.
Greetings!Hello!

Hello! This one came from a person I work with, although from their personal email address. Somehow it was used to forward this message to every one of her contacts. Greetings! She’s perfectly capable of using coherent English, so I could tell right away something was fishy.

I’m sure you’d get all kinds of “surprise” if you tried to follow that link and actually purchase electronics, and there’d be absolutely nowhere to give them any negative “feedbacks.” Hello! Greetings!

Child Identity Theft: How shady credit repair companies are stealing kids’ Social Security Numbers

Shady, fly-by-night credit repair companies that promise fast credit score improvements (700-800 in just a couple months!) may be sinking to a new low here. It seems they’re harvesting valid but inactive Social Security numbers, many from children too young to have opened financial accounts.

They sell the numbers as “CPNs,” or “Credit Profile Numbers” (sometimes the “P” is “privacy” or “protection”). They tell their customers how to piggyback their credit on the clean CPN, which has the effect of making them appear more creditworthy. Once they burn through the credit for that number, they just purchase another one (I wonder if they use a credit card).

There are several articles on the topic all over the Internet. The Sun News out of South Carolina has a good one that explains it very well. However, there are still a few questions I have about this crime:

  1. Am I to understand that simply calling it a “CPN” instead of a Social Security Number somehow makes this practice legal?
  2. How are they obtaining the SSNs of all these children? Are they using a logarithim to generate the numbers, or is your Social publicly available until you turn 18?
  3. If it is, do I have to personally go to Washington D.C. and rap my knuckles on every single noggin in Congress (and yell “Helloooo, McFly, anybody home?!” in every single ear) until this is remedied with Federal intervention?

In any case, it’s time to check your kids’ credit reports. Yes, today. You don’t want to wait until they get turned down for an auto loan fifteen years later for allegedly defaulting on $45,000 worth of credit card debt.

This has been a pretty big story in the fraud prevention world. Look for more information to surface over the next few weeks.