New phishing attack poses as PayPal email…

June 27, 2014

…and it’s convincing.

I mean, I hate to sound almost impressed by some cruddy email scammer, but as far as “click here to log in and verify your account” phishing attempts go, this one is devoid of broken English, and uses information taken from a recent data breach at eBay to ratchet up the realism by using the target’s actual name. If there is a spectrum of phishing attacks that ranges from “laughable” to “frighteningly realistic,” this one falls much closer to the latter than the former.

The Consumerist blog has a full article that discusses it in greater detail. I strongly suggest you read it. In the example they use, the recipient only used that email address for eBay and PayPal, which added to the realism. It’s a good idea to have separate email addresses used only for online transactions because it helps weed out phishing (if you get a message on your OTHER account that supposedly comes from PayPal, you know it’s fake right away). However, as soon as there is a data breach, your specific-purpose email address can be targeted as well. My guess is that this guy is going to start seeing a ton of spam hitting his eBay/PayPal-only email, and he’ll have to abandon it for a new one.

At its core, this phishing attack was just another “click here to verify” attempt, but by using data from a breach, its success rate is bound to be higher than usual. It’s why you can never stop paying close attention to everything you click on.


Overpayment scams affect businesses, too

March 28, 2014

I thought I was onto some clever application of the “duck test” for the title of this post, about how “if it looks like a scam and quacks like a scam,” but I really couldn’t make it sound anything other than monstrously insane, so I dropped it and went with the title you see above.

Anyway, the old overpayment scam has been explained a thousand times here, there and everywhere. You’re selling something on Craigslist (for example), and a buyer contacts you, usually from out of state. They send their payment, but instead of $200, it’s a cashier’s check for $3,200. “Cash it and use the extra for shipping, then wire the rest back to me,” they say when you contact them.

What happens next is fairly predictable: you cash the check, send the item, wire the excess money (thousands of dollars) to someone, then find out a week later that it was a counterfeit check and that you’re on the hook for the loss caused to your financial institution.

But did you know that scammers also target businesses with the same tactic?

And if you’re a business owner, you might fall for it because what might strike you as suspicious during a private sale might seem less so in a business context. I’ve heard of several cases where retail businesses, attorneys and rental property owners have been victimized by this scam.

However, the principle applies in every context, whether in a person-to-person or a business transaction: if someone sends you a cashier’s check and tells you to cash it and wire money back to them, you’re almost always dealing with a con artist.


How law enforcement doesn’t operate: scam alert from the BBB

October 18, 2013

If you live in the United States (I can’t vouch for other countries), there are certain ways in which law enforcement is carried out, and ways in which it generally is not.

Here’s one way law enforcement doesn’t work: if there’s a warrant out for your arrest, they usually don’t call you first and tell you.

Here’s another: if you’re accused of a crime, you can’t pay a fine to avoid charges (if you can, it probably means you’re bribing someone, and they’re accepting the bribe, and you’re both in a lot of trouble, mister. Bribing the police. That’s not right!). The fines (and other consequences) generally happen after you’ve been convicted, which is supposed to occur via due process.

The Better Business Bureau is warning of an active scam that has already claimed several victims. The fraudulent phone calls use spoofed caller ID to extort “fines” from victims, by money orders and prepaid debit cards. They’ve got the full lowdown here, but the proper response is one you’ve seen before: don’t give any money or personal information (even if they have some already—victims have reported the callers having information about loans), hang up, and call the real police (because others are likely getting the same calls).

The problem is that such phone calls can incite a moment of panic, and panic makes it hard to think rationally. But if you’re aware that such scams exist, you’ll be able to stop, take a breath, calm down and remember how reality works before you become a victim.


How to spot a disguised link in an email message

October 1, 2013

I’ve written quite a few posts about phishing over the last few years, and I’ve probably been guilty at times of assuming everyone knows what is meant by “mouseover,” or that everyone knows offhand how to spot a disguised link in an email message.

I made this graphic to clarify. The email example here was a run-of-the-mill “Your debit card has been deactivated, click here to verify” phishing attack (extremely easy to see through if you happen to NOT have an American Express debit card, which I don’t). Some phishing attacks aren’t as obvious, but the method to spot a disguised link (one that says “americanexpress.com” but actually leads to a look-alike website designed to harvest account numbers, passwords and other personal information) is the same:

[Image: 2013-10-01-mouseover]

Not every email program will have this exact same layout, but for the most part the actual link will be seen somewhere near the bottom of the page, on the left.


File Under “Things That Were Just a Matter of Time.” New scams using Affordable Care Act to harvest personal information.

August 23, 2013

Okay, so if you live in these United States, you may have heard of a controversial little thing called the Affordable Care Act.

Yeah, okay, before you head to the bottom of the page to sound off, I’ve already turned comments off for this post. I’m not here to express my opinion of the legislation, and I’m not fielding others’, either. Our opinions are irrelevant for the moment. Besides, certain post topics generate TONS of bot-generated spam comments, and I have a hunch this might be one of them (you should’ve seen how many came in when I wrote about Açaí berry scams a few years ago…it was seriously ridiculous).

Here’s all we need to know, and it’s pretty easy to agree upon: The Affordable Care Act is a Thing That Exists. (That’s only a matter of opinion if you’re into really fabric-of-universe-level philosophical discussions.)

And, as a Thing That Exists, it was only a matter of time before someone started up a scam based upon it.

Lo and behold, the FTC is reporting exactly that. Scammers are calling potential victims to “verify” information. For example, “So I see here that your routing number is __________, is that correct? Okay, good, so now we just need your account number…”

Here’s the deal with the Affordable Care Act: if you’re one of the people who is going to need to use the exchanges to obtain insurance, you’re going to be the one contacting them. According to the FTC report, “If someone who claims to be from the government calls and asks for your personal information, hang up. It’s a scam. The government and legitimate organizations you do business with already have the information they need and will not ask you for it.”

That sums it up pretty nicely, both in this specific instance and as a general rule.


2 people are not spying on you

August 13, 2013

Have you seen this (or something similar) show up on a website lately?

[Image: I said DON'T click on it!]

If you use MyFitnessPal, WeightWatchers Online, YouTube, or any of about a million other sites, chances are that you have.

Here are some things about which you can rest assured:

  • It’s just a stupid banner advertisement
  • It seems to be showing up a lot more often since this whole mess with the NSA started and got everyone paranoid about their online privacy
  • Nobody is spying on you*
  • It probably leads to a website that will infect your computer with spyware, at which point someone will be spying on you
  • Even if it doesn’t, you don’t want what they’re selling
  • It tells EVERYONE they have “2 people” spying on them
  • YouTube, MyFitnessPal, WeightWatchers, etc., have no way of knowing whether anyone is spying on you or not
  • Do not click on it, whatever you do

*Actually, there might be people spying on you. I mean, I have no idea who’s reading this. Spies do exist, right? You might be involved in all kinds of international espionage, sabotage, subterfuge, the works. You might be tuning in to those weird “numbers stations” every night and actually have the key to decode them for all I know. But in that case, you’d probably say, “Two? Ha! More like two hundred!” if you saw this particular ad.


How to spot an investment scam

August 2, 2013

Wisebread is a pretty great website. They post tons of articles on saving money, being frugal, finding deals, getting more out of life for less cash, and occasionally, scams.

They ran a good one not too long ago: 5 Sure-Fire Signs of an Investment Scam. It’s a topic I haven’t explored too deeply yet, and it’s one I’d like to write more about. For the time being, go read their article and learn from it.

Now think about some iffy investment “opportunities” you’ve heard of. How many of Wisebread’s signs did they fall under?

My favorite investment scam is the Iraqi Dinar scam that’s been running riot for several years (and I mean “favorite” in the most sarcastic way possible, by the way). For the most part, these schemes hit all five points.

Absolute promises that the currency will revaluate? Check. “Opportunity” for beyond-massive profit, yet being offered to everyone in the universe equally? Got it. Affinity groups? Yes, you hear about this stuff in social circles. Business practices? Well, selling a supposed investment without an actual license to do so by calling it a “collector’s item?” How sketchy do they have to be? And look at the comments on any article exposing this scam for what it is: hundreds of people insisting that the author (even when said author is an expert writing for a credible source) is the biggest idiot that ever lived in the history of ever. Some of those may be victims clinging to hope, but a lot of them are people running Iraqi Dinar scams attempting to discredit any suggestion that what they’re doing is tantamount to fraud.

Do you have an obvious example of an investment scam? Fire away in the comments! But no calling me stupid for knowing the Dinar thing is fraud. Those comments won’t get through at all.

