Tag Archives: Scams

Spear phishing

The standard-issue phishing attack relies on sheer numbers as the key to its success; by sending tens of millions of emails, the chances of hooking a few thousand victims are pretty good, regardless of how sophisticated the message itself is.

But there is another type of phishing attack, known as spear phishing, which exchanges quantity for quality, by using insider information to target businesses. Spear phishing attacks are smaller in scale but arguably more effective than their poorly-spelled, randomly-selected cousins.

In a spear phishing attack, you might get a message at your job that appears to come from someone you work with, often a member of management or from another department. This message may request information about financial accounts, login and password information, ask you to open a file or link, or ask that you authorize a wire transfer from your employer’s account. If you comply with these directions, you will make your company vulnerable to financial or data loss.

Most established businesses have a website that reveals the names of management, the board of directors, and people from various departments, which gives would-be cybercriminals the information they need to impersonate an insider.

Communication is the key to preventing spear phishing attacks. Think about any request received via email – is this how the head of the IT department or the CEO really talks? Why are they sending you a file out of the blue? Is it your job to initiate wire transfers? The best defense is to simply confirm with the apparent sender if the message is legitimate or not. Spear phishing attacks use some of the same techniques as regular phishing emails, such as disguised links or infected file attachments. It pays to double-check before you take any action.

Mystery Shopper Scams still exist

There are a few things you can always depend on. Light travels at 299,792,458 meters per second in a vacuum. Objects at rest will remain at rest unless acted upon by an outside force. “Cash this check and wire the money back to me” always equals “scam.”

I haven’t written about it in a while, but the old Mystery Shopper Scam and its variations are still out there. It’s time for a review.

The “classic” version of this scam starts with a job offer emailed out of the blue. If you respond to this message, you’ll be immediately “hired” as a Mystery (or Secret) Shopper. A cashier’s check for a fairly large amount of money (the old ones always seemed to be around $2,900, but there is a lot of variation) will arrive a short time later, with these instructions:

  1. Cash this check at your bank, keeping $100 or $150 for yourself
  2. Take the rest of the cash to the nearest Western Union location
  3. Wire it back to me
  4. Report on the customer service at Western Union

If you follow those instructions, a few days later you will be informed that the check you deposited was counterfeit and that you are now on the hook for the money you received in exchange. Unfortunately, you already wired that money to a stranger and can’t get it back.

Now, things are getting a little more difficult for the scammers. Financial institutions are placing more holds on cashier’s checks and are asking more questions to protect their customers, and after being slapped with a $586 million settlement for essentially letting these scams proliferate for so many years, Western Union is finally doing more to prevent this type of fraud.

But that only means this scam has evolved to work around these problems. Instead of Western Union, some versions involve prepaid gift cards (“cash the check, then buy iTunes gift cards and relay the numbers and PIN to me”), overpaying for purchases from online classifieds (“just wire the extra back to me”) or targeting businesses instead of individuals.

Still, the basic mechanism remains: if someone gives you a check and requests that you convert it to cash (i.e. placing the liability for that check’s authenticity on you), then transfer the money back to them electronically, they’re attempting to steal from you. Regardless of the initial pitch, the pattern holds true. Don’t fall for it.

Defeat phishing attacks with bookmarks

Email phishing attacks are improving.

I mean the attackers are improving. They’re wising up to the fact that actual financial institutions and social networks send emails that are (at least mostly) intelligible, and adjusting their approach accordingly.

You still see plenty of phishing emails with atrocious spelling and weird grammar bordering on word salad, but there is a growing trend toward messages that could be mistaken for legitimate communications, even by someone who is well-informed. As potential victims become more sophisticated, so do the criminals.

One way to defeat phishing attacks is to set yourself up to never use links at all. For every single site you log into – financial institutions, credit cards, social networks, online shopping – create a bookmark in your web browser, and get in the habit of always using that link to log into the website.

That way, if you get an email that looks like it might be real, instead of clicking on a link (or even spending time wondering if you should or not), simply open your web browser and use your already-created bookmark to log into the website of whomever the email purported to come from. If there’s a real message or problem, you’ll find out about it there.

Avoiding Fraudulent Debt Collectors

Debt collection generally works like this: a creditor who can’t devote the necessary time and resources needed to recover funds from old delinquent loans sells those debts to a collection agency, often for pennies on the dollar, to cut their losses a little. That agency, which now owns the debt, contacts consumers and tries to negotiate at least partial repayment.

Naturally, there are also con artists posing as debt collectors, attempting to obtain money, personal information, or both from victims. There are also collection agencies who stray from established, legal methods in order to collect legitimate debts. Here are six warning signs to watch for.

They’re trying to collect on a debt you don’t owe

Unscrupulous collectors will sometimes contact people with the same name as the actual debtor, or even settle for someone with a similar name. An outright scam artist might simply invent a debt out of thin air, or threaten random people in hopes that someone will pay out of sheer terror. In any case, never agree to pay a debt you don’t owe. Ask for a written validation notice. If they refuse, that’s a sign of trouble. Get as much information as you can about the agency, and report them to the FTC.

Important Note: collection calls for debts you didn’t incur can also be a signal that you have been a victim of identity theft. If you’ve received such a call, it may be time to check your credit report if you have not done so recently, to look for anything that shouldn’t be there.

They’re threatening you with arrest, lawsuits, or violence

For the most part, debt collectors are allowed to inform you that you owe a debt, provide proof that you owe it, state to whom the debt is owed, and present options for payment. They are not allowed to threaten you with arrest or legal action, and they’re especially not allowed to threaten physical harm to you or those around you.

They’re demanding personal information

Even if you actually owe money, there is no reason for them to ask for personal identifying information or account numbers over the phone. It’s one of the core rules of fraud and identity theft prevention: never reveal personal information to a stranger who contacted you out of the blue.

They won’t give you any information

If the caller won’t tell you the name of the agency, to whom the debt is owed, or anything else about whom he or she represents, be very suspicious. A legitimate collector will be transparent about these things, presumably because they want to actually collect on delinquent debts and stay in business, instead of being shut down by the FTC.

They’re calling in the middle of the night

This applies to a lot of other types of calls, but if they’re calling you before 8:00 a.m. or after 9:00 p.m., you have every reason to suspect either a scam or a rogue debt collector. There are rules about when they can contact you by phone. It’s kind of like putting yourself on the Do Not Call registry; if they’re already violating one rule, what else are they up to?

They keep calling after you’ve told them not to

Even if you’ve got a legitimate debt, you can still tell a collector to stop contacting you about it. Usually you will have to provide this request in writing, but once you do, they’re supposed to knock it off. Of course, if they won’t even provide an address to send said request to in the first place, you already know something is fishy.

Resources

Learn more about debt collection scams:

Report a debt collector to the FTC:

File a complaint with the Indiana Attorney General’s Office:

Hard Knocks: Student Loan Relief Scams

Congratulations, it’s time to pay off your student loans!

Most people in the U.S. exit postsecondary education with at least some student loan debt, and sometimes paying those loans off can present problems. While there are well-established paths to reducing the burden of a large student loan balance, there are also plenty of con artists waiting to take your money and make things even more difficult. Here are a few things to watch out for.

Upfront Fees

It is not illegal per se to charge a fee for services, such as consolidating your federal student loans, that you can do on your own for free, in much the same way that it’s not illegal to charge a fee for tax preparation.

However, any upfront fee for help with student loan repayment is a sure sign of a scam. Don’t pay for anything in advance, and even if they’re not charging an upfront fee, look at what they are charging compared to what you’re actually getting in return. Is it worth it? Do your research on every company you’re considering working with.

Debt Elimination

There are not many ways to have your student loan debt erased completely, and if you’re reading this you already don’t qualify for the primary one (death). Also, if you were taken in by a for-profit college that used falsified job placement numbers to lure students, there may be programs that might help. There are a few other options that apply to very specific cases. Other than those, with very few exceptions, once you have student loan debt, it’s yours until you pay it off. Bankruptcy won’t even touch it.

This means anyone advertising student loan elimination or forgiveness is trying to scam you. There is no way to pay a company a fee in exchange for your student loan debt disappearing. All you’ll end up doing is losing money and ruining your credit.

High Pressure Tactics

If you’re being told that an offer is only good for a certain amount of time, or being pressured in any other way by a salesperson, that’s a sign of a scam. There are no limited-time-only offers when it comes to student debt relief. They don’t hold blowout sales on this stuff.

What You Can Do

You can consolidate your federal student loans, adjust your repayment schedule, defer your repayment period and more yourself, for free, through the Federal Student Aid Office of the Department of Education. If you have private student loans, you can contact those lenders for options as well. There is no compelling need to pay anyone to do these things for you, unless you choose to do so and know what you’re getting into before agreeing to anything. Again, do your research.

One of the best resources for detailed information on student loan repayment is the Federal Student Aid Office website (https://studentaid.ed.gov). It also features specific information on avoiding scams (https://studentaid.ed.gov/sa/types/scams).


How to Report a Dinar Scam to the FBI

If you or someone you know has fallen victim to an Iraqi dinar (or Vietnamese dong, Indonesian rupiah, or any other foreign currency) “revaluation” investment scam, the FBI has set up a website to report the seller of these worthless currencies.

Currency revaluation schemes have been around for a long time, and have never once paid off for anyone except the people charging a commission for the sale. Iraqi dinar scams have been going strong since 2003, and the currency has yet to do anything except lose value.

There’s an article at Forbes.com that goes into further detail on this type of scam.

The ‘Can You Hear Me?’ Scam (Or Maybe Not)

I’ve seen a few recent warnings about something many are referring to as the “Can You Hear Me?” Scam. Basically, someone will call, ask if you can hear them, wait for you to say “yes,” then hang up. Later, they make unauthorized charges to your credit card, and use the recording of you saying “yes” in court to “prove” you agreed to the charges.

Now, any reminder to NOT talk to strangers who call you on the phone or to engage with robocalls in any way is a good reminder, but if you’re like me, you might find a few holes in this specific warning.

For example, unless you have the weirdest credit card in the world and its number is “YES” for some reason, simply saying the word doesn’t automatically give the caller your card information. Despite the existence of Peanut Butter M&M’s, Gus’s World Famous Fried Chicken and the first Doc Watson album, magic isn’t actually real, and nobody can pull your credit card number out of your wallet simply by getting you to say “yes” one time. The scammer would have to already have this information before calling you.

Then, if they’ve already got your card information, why would they bother calling to trick you into appearing to agree to charges? In a vast majority of the cases I’ve seen, scammers aren’t interested in making their schemes complicated. They’re not going to use a recording of you saying “yes” in court because they’re never going to end up in court. If they have your card information, they’re just going to use it. They don’t need to track down a phone number associated with the card in order to get a “yes” they’re never going to need.

So this leaves us with…what, exactly? Is this a real scam? There do not appear to be any documented cases of “said yes/card was charged/disputed the charge/recording ‘proved’ I authorized the charge/no recourse.” But the calls appear to be actually happening, and you have to wonder: what are they up to?

It doesn’t matter. If you get a call and someone just says, “Can you hear me?” hang up. No matter what their intent, it’s not something you want to get involved in.

Even better, stop answering the phone every time it rings. Almost every phone scammer needs you to pick up the phone. If you don’t, you’ve already ruined their scheme. If you recognize a number, go ahead and pick it up, but let everyone else leave a message.

This may be just one of those stories that gets passed around on a better safe than sorry basis, but I like accuracy, and the story being shared by various online sources doesn’t add up. If you do get a call like this, just hang up. But consider letting all unfamiliar calls go to voicemail. It’s the safest method.

Sources:

  1. The Consumerist: If A Telemarketer Or Robocall Asks “Can You Hear Me?” Just Hang Up; It’s A Scam
  2. Snopes: ‘Can You Hear Me?’ Scam Warning

Tell Your Parents: seniors lose $36 billion every year to financial fraud

Jerry Seinfeld used to do a great bit about aging. The not-very-funny paraphrased version for our purposes today is that, when people get older, everything gets smaller—the meals, the houses, their bodies. Everything except the car, which just gets bigger.

But there’s another thing that gets bigger as we get older, too: the target painted on our backs. The elderly lose an estimated $36.4 billion every year to fraud. That’s the size of entire sectors of the U.S. economy.

CNBC ran a story on the subject recently, and it’s worth a read. The important thing is to stay involved in your parents’ lives and talk to them about the realities of financial fraud and the fact that they will be seen as marks simply because of their age.

Greasy telemarketers, lottery scams, the old “grandchild in danger” telephone scam, get-rich-quick schemes (Iraqi dinar and Vietnamese dong currency peddlers, I’m looking at you), phony investments and affinity fraud (where the scammer uses affiliation with a church or other organization to appear trustworthy)—all of these target the elderly. It’s important to talk to your older family members and friends about the dangers, and take action where needed.

Additional resources are listed below:

They’re not working on WRINKLES

Here’s a new one from the Dumb Spam Files (which could totally be a TV series if FX or A&E would return my calls):

[Screenshot of the spam email, 2016-03-09]

Here’s a NON-secret for you: NASA isn’t researching wrinkles.

I don’t care how bad your wrinkles are. I don’t care if all that’s left of your face is one giant wrinkle. Never click on anything that even resembles this. Deal?

An example of the exact type of email you should NOT open

Here’s a screenshot of something that appeared in my inbox recently:

[Screenshot of the phishing email, 2015-12-21]

I spend a lot of time trying to describe the kinds of emails you should avoid, but this one illustrates those concepts perfectly. Let’s look at a few warning signs:

  1. The message wasn’t expected (I’m not a USAA member, but even if I were, this isn’t a usual email)
  2. The subject line is intended to provoke a fear reaction
  3. The subject line is kind of weird, grammatically; are they saying that a “New Document” has been prevented? If “Due to Suspicious Sign-in” modifies the subject of the sentence, which in this case is “New Document,” then…okay, you get it; it just reads weird.
  4. There is a file attached (the little paperclip icon)

What is supposed to happen with this kind of email is that the victim sees “Suspicious Sign-in” and immediately opens the message, which is most likely blank or contains instructions to open the attached file. Once the victim does that, some form of malicious software, anything from spyware to ransomware, will be installed on their computer.

What actually happens, when the recipient knows some of the warning signs, is that the message is immediately deleted and causes no harm.

Also note that this message slipped past some pretty burly anti-spam and anti-malware software. Those tools are important, but sometimes a dangerous email still makes it through. Stay vigilant!
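As an added illustration (not code from the original post), here is a small Python triage function that checks a raw email for three of the warning signs listed above: an unexpected sender, a fear-inducing subject line, and a file attachment. The sample message is constructed to mirror the screenshot; its addresses, file name, and the keyword and extension lists are assumptions, not values taken from the real email.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the screenshot's warning signs (fear-inducing
# subject, unexpected sender, file attached). The addresses and the attachment
# name are made up for this example, not copied from the real message.
SAMPLE_RAW = b"""\
From: USAA Secure Documents <alerts@example-notifications.net>
To: you@example.com
Subject: New Document Prevented Due to Suspicious Sign-in
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please open the attached file to review the document.
--b1
Content-Type: application/octet-stream; name="Document.zip"
Content-Disposition: attachment; filename="Document.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

# Assumed word and extension lists; tune them to your own mail flow.
FEAR_WORDS = ("suspicious", "sign-in", "locked", "suspended", "urgent", "verify")
RISKY_EXT = (".zip", ".exe", ".js", ".scr", ".docm", ".html", ".htm")


def triage(raw, known_senders):
    """Return the warning signs found in a raw RFC 5322 message.

    known_senders is a set of addresses you actually expect mail from;
    anything else counts as 'unexpected' (warning sign 1 above).
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    flags = []
    addr = parseaddr(str(msg.get("From", "")))[1].lower()
    if addr not in known_senders:
        flags.append("unexpected sender: " + addr)
    subject = str(msg.get("Subject", ""))
    if any(w in subject.lower() for w in FEAR_WORDS):  # warning sign 2
        flags.append("fear-inducing subject: " + subject)
    for part in msg.iter_attachments():  # warning sign 4: the paperclip
        name = (part.get_filename() or "").lower()
        tag = "risky attachment" if name.endswith(RISKY_EXT) else "attachment"
        flags.append(f"{tag}: {name or '(unnamed)'}")
    return flags


if __name__ == "__main__":
    for flag in triage(SAMPLE_RAW, {"friend@example.com"}):
        print(flag)
```

A message that raises all three flags is one to delete without opening, exactly as the post describes; a real deployment would feed this from a mailbox rather than a constant.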