Keeping you safe
Visit us each week to learn about scams to avoid and things you can do to help protect your identity.
Scam targeting Netflix users
If you are a user of Netflix, and even if you aren’t, you may have been tempted by the phishing scam targeting Netflix users.
The scam targeting Netflix users comes in a few different forms. One that appeared in my inbox told me that my password had been changed. In reality, no changes were made to the account, but the uncertainty almost led me to click the link in the email. The Federal Trade Commission reports that another version of the email claims there is a problem with the account holder’s payment information. Users are directed to click on a link so they can update their billing information.
These email scams keep coming because obviously they work. Even those who know about the scam get a bit confused when these emails hit their inbox. Remember, the best practice is to refrain from clicking on links provided in an email. Instead, open up your web browser and type in the name of the website (in this case Netflix.com). Once the website comes up, log in to see if any changes were made to your account.
For more information on the Netflix phishing scam, visit consumer.ftc.gov.
Apple iPhone Phishing Scam
Apple users are the latest target in a phone phishing scam. In this scam, folks are receiving cell phone calls warning of a data breach at Apple. This is very similar to calls we have discussed in the past where scammers pose as agents from Microsoft. One unique thing about this scam is that the caller ID displays the Apple logo along with their address and real phone number.
According to a recent online report from Krebs on Security, “The scary part is that if the recipient is an iPhone user who then requests a call back from Apple’s legitimate customer support webpage, the fake call gets indexed in the iPhone’s ‘Recents’ call list as a previous call from the legitimate Apple Support line.” What this means is the phone contact list then has two numbers listed for Apple – one is correct and the other is the scammer’s phone number.
If you receive an unsolicited call from Apple, HANG UP! After that, you can always contact Apple directly through their website or call them at 1-800-MY-IPHONE.
Be Prepared for Tax Related Scams
With a new year comes a new tax season, and the IRS is already warning about an increase in phishing scams. “Taxpayers saw many more phishing scams in 2018, as the IRS recorded a 60% increase in bogus email schemes that seek to steal money or tax data.”
Be on the lookout for email schemes that are trying to fool you into thinking they are from the IRS or your tax provider. “One recent malware campaign used a variety of subjects, like ‘IRS Important Notice,’ ‘IRS Taxpayer Notice’ and other variations. The phishing emails, which use varying language, demands a payment or threatens to seize the recipient’s tax refund,” the agency stated.
To avoid becoming a victim of these scams, remember the following:
- If you owe taxes, the IRS will first contact you by mail, not by telephone, email, social media, or text message.
- The IRS never asks for credit card, debit card, or prepaid card information over the phone.
- The IRS never insists that you must pay your taxes using a specific payment method.
- The IRS never demands immediate payment over the phone and does not take enforcement action directly after a phone conversation. Taxpayers are usually given prior notice of IRS enforcement action regarding tax liens or tax levies.
Report phishing emails by sending them to email@example.com.
Protect your identity before guests arrive
The holiday is here! Family and friends are gathering, and we have some tips to help you keep your data safe at home.
It’s unfortunate to hear that holiday parties, at home or at work, are a major source of data theft. According to a 2017 blog by John Sileo, “Crafty thieves are searching for smartphones, iPads, financial documents, checkbooks, credit and debit cards, laptops, client lists, thumb drives, files, mail, purses, wallets, and all other sources of identity.”
None of us want to consider that there is a thief among us, and you don’t have to assume the worst about your guests. Yet, to be on the safe side, there are things you can do to keep your identity safe.
If you are hosting a party in your home, gather items that could be used to steal your identity and place them in a locked room. This could be any room in your house that has a secure lock. After your holiday gatherings, you can return your house to normal.
Remember, “Christmas doesn’t come from a store. Maybe Christmas, perhaps… means a little bit more!” Eliminating the risk up front will help you enjoy your friends, family, and coworkers at all of those holiday parties!
Click for more of John Sileo’s 12 Days to a Safe Christmas.
Caution to Last Minute Shoppers
Christmas is just about here, and many are doing that last-minute Christmas shopping, only to find out that the hot selling toy or gadget they are looking for is nowhere to be found. As you surf the web trying to find that hard to find gift, your eye is drawn to a blinking online ad. You click the ad and what to your wondering eye does appear but that very gift you are looking for with a promise that it will arrive by Christmas Day -- if you are willing to pay their price.
Before you buy
Remember there are fraudsters out there ready to take advantage of last-minute shoppers.
- Consider whether you are familiar with the website or seller. Stick to reputable websites that have a policy that will protect you should the seller turn out to be illegitimate.
- Never wire money to the seller.
- If you shop on Craigslist, eBay, or similar sites, look for local sellers that you can meet in person and pay cash. If you are meeting a seller, make sure it is in a public place and with a friend. Also, many communities have designated “safe areas” for such transactions.
- As always, if it is too good to be true, it usually is.
Protecting your digital profile
This week we are passing along some tips that came to us via CUInsight.
Online sales on Black Friday hit a new record this year, according to Adobe Analytics. Shoppers spent $6.22 billion online on Black Friday, up from $5.03 billion last year. More than $2 billion in sales were done on smartphones, double the amount from last year.
Unfortunately, the high number of digital consumers presents a huge opportunity for cyber thieves.
Here are a few tips from the Federal Trade Commission and Identity Theft Resource Center on how to protect your digital profile.
Do a digital audit: When was the last time you checked to see what personal information is out there? Go ahead, Google yourself. You may be surprised what old social media profiles, emails, or other accounts may pop up.
Set up alerts: Put that smartphone and connectivity to good use. Set up text and email alerts so you’ll know immediately about any suspicious transactions or activity ranging from password changes to login attempts. It is also recommended to enable two-factor authentication. While it may feel like a time-consuming extra step to get a 6-digit code to access or authorize something, experts say it’s worth the added security you’ll receive in return.
Update passwords: The general rule is if it’s easy for you to remember, then it’s easy for thieves to figure out as well. Experts say the exception to this rule is using a seven to 10-digit phrase and swapping numbers, capital letters, and symbols in for letters. The odds are in your favor that it won’t be as easy to hack. While we are talking updates, you should also take the time to do those software, app and operating system updates. Yes, they can be annoying, but you will be saving the headache of your personal data being more vulnerable to thieves.
Know where you are shopping: Experts say it’s never been easier to shop on a secure site. Look for the lock symbol, which indicates a site is secure, and do your best to ensure you are on the actual retail site.
’Tis the Season To Go Phishing
Stay safe this holiday season by keeping an eye open for shady email scams. These scammers are after your personal information, and they will stop at nothing.
A few of the latest email scams include:
- A confirmation of an expensive purchase that includes a link they want you to click on to dispute or cancel the transaction.
- A warning that an account will be closed if you do not confirm personal details. Once again, scammers are trying to get you to click on a link that could compromise your accounts.
- A bogus shipping notice telling you that your shipment has been delayed. The email has a link to track the package, and clicking on that link could result in a virus being downloaded onto your computer. Remember that shipping notices usually include a tracking number, which you can check by going directly to the FedEx, UPS, or USPS website.
- Clone websites that ask you to log in. Here you are asked to enter your username and password, and then click log in. Once you hit the login button it actually redirects you to a fraudulent site. By then, it is too late because the criminals have access to your login credentials.
One way to help avoid phishing scams is to refuse to click on links inside of an e-mail. Instead, type the web address into your browser.
Social Media Gift Exchange Scam
The “Secret Sister” gift exchange scam is making the rounds on social media this holiday season.
One version of the post reads, "Anyone want to join in on this fun? You have to buy one gift valued of at least $10 and send it to your secret sis. (Hello, Amazon!) You will then receive 6-36 gifts in return."
According to CBS News, the post encourages users to comment, “I’m In” for more information, but doing so could lead to disappointment when participants receive very few or no presents in return for their efforts.
What seems like a fun way to gift-give during the holidays may leave you out at least $10 — and provides scammers with your home address, leading to more trouble down the road. The U.S. Postal Inspection Service also warns that gift chains like “Secret Sister” and other pyramid schemes are illegal gambling and that participants could be subject to penalties for mail fraud. Pyramid schemes are illegal, either by mail or on social media, if money or other items of value are requested with assurance of a sizeable return for those who participate.
For more details on the scam, visit the Better Business Bureau website.
Stay safe while shopping online
Holiday shopping is here! Many of you will head out to the stores this week to catch Black Friday deals, while others will take to the internet. With 45% of you doing most of your holiday shopping online, we have some tips to keep you safe.
Too good to be true
In-store or online, every shopper needs to be savvy, and we’re not just talking about finding the best deal. You also have to look out for that “too good to be true” deal as well. Sometimes that is harder to recognize online.
Look-alike emails & websites
As retailers vie for your business, they are sending more and more emails to grab your attention so you will make a purchase. Most of these emails are legitimate, but there are also many that are look-alikes trying to trick you. Scammers sending these emails are just waiting for you to click and enter your private information.
To protect yourself, you should:
- Review the sender’s address, as businesses will often send emails with a proprietary address, like @bbb.org.
- Look for misspellings throughout the email.
- Hover over links without clicking to see where they reroute.
- Only enter sensitive information into a website that begins with "https" as the "s" informs you that it's secure and information entered is encrypted.
Shop with your Credit Card
Credit cards generally offer more consumer protections than debit cards. Also, debit cards are tied directly to your bank account. When shopping online, it’s best to play it safe and use a credit card for transactions.
Virtual Account Number
Many credit cards offer a virtual credit card number. With a virtual credit card number, you get a randomly generated credit card number that reduces your fraud risk when you make your payment.
Avoid scams so your money really goes to help others.
Veterans Day is a day to honor our Veterans, and many will do that by donating to charities that work each day to benefit those who have served our country. There are many great charities out there that benefit our Veterans, but at the same time, there are other charities that do not live up to their claims.
According to the U.S. Department of Veterans Affairs, fake organizations do more harm than just stealing, “Not only do fraudulent charities steal money from patriotic Americans, they also discourage contributors from donating to real Veterans’ charities.”
Questions to ask any charity before you donate:
- How is my money being used?
- Who exactly are you?
- Where are you located?
- How much of my money is going directly to the program?
When contributing, keep the following in mind:
- Watch out for charity names that only look like well-known charities.
- Research the charity name online.
- Never pay donations in cash or by wiring money. It’s safer to pay by credit card or check.
- Keep a record of all donations and review your statements closely to make sure you’re getting charged the right amount.
- Look out for recurring donations from your account.
- Look before you click when making the payment. Know who exactly is receiving your donation.
If you've been scammed or already donated to a charity and are not sure it is legitimate, report the possible scam to FTC.gov/complaint. It also helps to report the case to your state charity regulator at nasconet.org.
Check charity reports and ratings:
Do Not Call List, Robo-call Scam
Robo-calls seem to be the annoyance of the day. With the right computer program and the touch of a button, these calls are sent out to thousands of phones at once and can use any number they choose to mask the identity of the actual caller. It is estimated that consumers get 98 million robo-calls a day.
One of the latest threats is a Do Not Call robo-call. The automated message asks if you want to be placed on the Do Not Call List. It then asks you to press a number, but what it is trying to do is trick you. Pressing a number on your keypad only confirms that they have indeed reached a working number. In fact, even just answering your phone gives the caller that confirmation and can lead to more robo-calls. So, what’s the solution?
Don’t recognize the number? Don’t answer.
Police say if you don’t know the number, just let it ring. If it’s something important, most likely the caller will leave a voicemail and then you can choose if you want to return the call.
There are some phone apps that can help:
* Nomorobo: 14-day free trial. After that, $1.99 / month or $19.99 / year
* RoboKiller: Free 7-day trial. After that, $2.99 / month or $24.99 / year
* Hiya: Free. Hiya partners with Samsung, AT&T, and T-Mobile to provide their spam ID services and also has standalone apps.
* TrueCaller: Free
* YouMail: Free
Add yourself to the real “Do Not Call” list.
Want to know more about robo-calls?
Check out a recent NBC Rossen Report.
Scam Targeting Homebuyers
The latest twist on the wire transfer scam is now affecting the homebuying marketplace. According to Forbes, these scams, labeled ‘Business Email Compromise’ (BEC) by the FBI, are costing the homebuying marketplace more than $5.3 million a month.
Homebuyers are now being targeted, and the scammer is tapping into escrow company computers, stealing their customer database, and then creating very real-looking emails to request that a wire transfer be made immediately.
Now you may be wondering how online dating plays into a homebuying scam. This is where it gets a bit tricky. As the scammers are generally overseas, they need access to a U.S. bank account, and they are doing this through online dating sites. They romance an individual and, once that person is baited, ask if they will accept an incoming wire to their personal bank account. Once the money hits the account, they manipulate the account, take the money, and break off the relationship.
If you are in the process of escrow or know someone who is, remember to:
- Review any email appearing to be from your escrow company very carefully. Look at the e-mail address, the logo, and note that most savvy escrow companies will have a notice at the bottom of the email warning customers about these crimes.
- If the e-mail states that this transfer is ‘urgent’ or must be done ‘today’, proceed with increased caution.
- Call the escrow company to verify if the e-mail is actually from them.
If you have been a victim of wire transfer fraud or find yourself with a suspect e-mail, contact local law enforcement. Crimes can also be reported to the FBI by visiting www.IC3.gov.
For more detailed information about the scam, visit forbes.com.
CEO Wire Transfer Scam
Did you see that e-mail from the CEO asking you to transfer funds? If you haven’t seen it yet, keep an eye out; it may be coming to your inbox soon. Even if your company has excellent online security and spam filters, that doesn’t mean you can’t be caught by this scam. After all, it is known as a ‘business email compromise’. Several large public companies have been compromised by this scam, resulting in a loss of at least $1 million per company, with one company losing over $45 million.
What to look for
- E-mail is sent from CEO@yourcompany.com or CFO@yourcompany.com
- E-mails are often personalized with your name in the greeting, making them seem even more legit.
- The body of the e-mail often says this is an urgent request and sometimes even requests that you keep this transfer private.
What to do
- Do not trust an e-mail request to transfer funds.
- Verify this request by phone.
- Report suspicious e-mails to your technology department.
There are new twists on this scam that are now targeting homebuyers. Join us next Monday to learn more.
Direct Deposit Phishing and Phone Scam
One of the latest scams attempts to switch direct deposits to a scammer’s account. Originally it was thought that this scam was mainly targeting seniors and veterans, but the scammers aren’t stopping there.
In this latest “phishing” scam, the criminals are using more than one method to trick you into giving out the information they need.
Scammers are targeting employees through phony e-mails in an effort to capture their login credentials. The login credentials are then used to access the individual payroll accounts. Once the scammer is in, they can change bank account information, funneling the direct deposit into their account.
Scammers are calling and pretending to be someone from a bank, the Social Security Administration, or a Veteran’s organization. They claim that there has been suspicious activity on an account and that, because of it, the victim must re-verify their benefit deposit. Victims then give the scammers all their bank information, and that’s when scammers are able to steal the identity of the victim. They change the direct deposit information so the victim does not receive the money.
Be cautious of e-mail hyperlinks. It is always advisable to visit the trusted benefits or payroll site before making any changes. The FBI advises that any suspicious requests should be forwarded to company IT or HR departments.
Don’t share login credentials or personally identifying information in response to any email or phone call.
Don't respond to unknown callers. If you did not initiate contact with the Social Security Administration or the Veterans Benefits Administration and are randomly contacted by them, it is most likely a scam.
Always contact the legitimate agency independently before any transaction.
Outsmart the Con Artist
Wednesday, October 17, 2018
AARP and local law enforcement will present information on protecting yourself from identity theft.
Pennyrile ADD Office, 300 Hammond Drive, Hopkinsville, KY
10:00 – 11:30 AM
For more information and to register, visit https://aarp.cvent.com/outsmarthopkinsville.com
Ringtone cell phone scams
Do you have any ‘free’ ringtones on your phone? If you do, then you will want to learn about this scam. This scam will not affect everyone, because there are some who stick with the standard tones that were preloaded on the phone.
If you are one of the many who enjoy sharing your favorite song each time you get a call, listen up, especially if you paid nothing for that tone. Users of downloaded ringtones could be exposing themselves to a couple of potentially costly cell phone scams.
First, some tones, usually free ones or those exchanged via peer-to-peer software, have been hacked by scammers and can install a virus that either damages the phone or steals confidential information.
Second, you may get a text message inviting you to download a ringtone by returning another message or calling a 1-800 number. But, when you do this, you may incur a hefty charge and/or unwittingly sign up for a monthly charge for services you don’t want.
Action: Get your tones only from established, reputable companies, and don’t return messages or calls from people or organizations you don’t know.
Create a good smartphone password or PIN
When it comes to protecting your phone, you have a few options these days such as setting a password or PIN code. Now, I know we have phones that will unlock with your fingerprint or with your face, but at the end of the day, they still require a password or PIN code as an added layer of security.
When it comes to passwords and PINs, the problem is this: the same thing that makes a good password or PIN hard to crack is the thing that makes it hard to remember. We have found some tips to help you.
The trick to creating a good, memorable password is to make it more than just a word. Make it a phrase. Your best bet is a password phrase, especially one with punctuation like “One if by land, two if by Sea!” Running the whole phrase together, like “Goaheadmakemyday!” can also make a challenging but easy-to-remember password.
All too commonly, PIN codes are 1111 and 1234 and, of course, birthdays and anniversaries. Two good ways to come up with hard-to-guess, but memorable, PIN codes are to:
- Spell out a word with the numbers corresponding to the letters on your phone keypad; not an obvious word, though.
- Pick a number that’s significant to you, then add 4 (or 3 or 5) to each digit. So, if your birthday is March 3, 1982, take 3382 and add 4 to each digit (rolling over if you go over 10), so your PIN would become 7726.
For the full article, as well as pattern tricks, visit The Whiz Cells.
Scams Targeting Veterans
There are so many scams these days, it is nearly impossible to keep up with all of them. Many reputable organizations work diligently to warn against scams. AARP and the U.S. Postal Inspection Service have teamed up to launch Operation Protect Veterans to raise the awareness of common scams targeting Veterans.
Their website provides information on some scams to look out for, as well as information on how to contact them for help. Learn more about benefits scams, identity theft scams, and other common scams that target Veterans.
"Can You Hear Me" and "Yes" Calls
The phone rings, you check the caller ID, and the number is not familiar, but you still answer it. A voice comes across the line, “Can you hear me?” Instinct tells you to say “yes”, but the best thing you can do is hang up. This call is part of a scam, as they expect you to act on your instincts and say that three-letter word, “yes.”
In this scam, your voice is being recorded and the “yes” response could be used as a voice signature for scammers to authorize fraudulent charges over the phone. According to the FTC these types of calls are illegal, but that does not stop them from happening.
Here’s what to do if you get a call from someone you don’t recognize asking, “Can you hear me?”:
- Don’t respond, just hang up. If you get a call, don't press 1 to speak to a live operator or any other number to be removed from the list. If you respond in any way, it will probably just lead to more robocalls – and they’re likely to be scams.
- Block the number. If you do not know how to do that, contact your phone provider and find out what services they provide to block unwanted calls.
- Put your phone number on the Do Not Call registry. Access the registry online or by calling 1.888.382.1222. Callers who don’t respect the Do Not Call rules are more likely to be crooks.
- File a complaint with the FTC. Report the experience online or call 1.877.382.4357.
How strong are your passwords?
Everywhere we go online it seems we are asked for a password. Most of us are concerned about online safety, yet it is reported that 81% of Americans use the same password for more than one account (Survey by Wakefield Research, 2017). Along with using the same password over and over, frequently that password is weak to start with. Maybe it is time to consider resetting your passwords. Here are some tips we found that could help.
- Don’t just use one password. It’s possible that someone working at a site where you use that password could pass it on or use it to break into your accounts at other sites.
- Newest advice: Use a pass phrase. Security experts are now recommending a “pass phrase” rather than simply a password. Such a phrase should be relatively long – perhaps 20 characters or so – and consist of seemingly random words strung together along with numbers, symbols and upper and lower case letters. Think of something that you can remember but others couldn’t guess, such as YellowChocolate#56CadillacFi$h. Avoid using famous quotations that might be easy to guess.
- Make the password at least 12 characters long. The longer the better. Longer passwords are harder for thieves to crack.
- Include numbers, capital letters, and symbols. Consider using a $ instead of an S or a 1 instead of an L, or including an & or % – but note that $1ngle is NOT a good password. Password thieves are onto this. But Mf$J1ravng (short for “My friend Sam Jones is really a very nice guy”) is an excellent password.
- Don’t post it in plain sight. This might seem obvious, but studies have found that a lot of people post their password on their monitor with a sticky note. Bad idea. If you must write it down, hide the note somewhere that no one can find it.
Remember to never give out your password to anyone. Never give it to friends, even if they’re really good friends. A friend can – maybe even accidentally – pass your password along to others or even become an ex-friend and abuse it.
Safety concerns of public Wi-Fi
Free Wi-Fi, we see it everywhere. Coffee shops, fast food restaurants, the public library, universities, medical offices, and the list goes on. We often opt for the free Wi-Fi so we can stay connected while at the same time making sure to keep data usage down on our cellular plans. Think for a minute, what are some of the things you do on your device while you are on free Wi-Fi? Web-surfing, social media, shopping, downloading music, watching a movie? They all seem like very innocent things, and they are, but maybe these activities are not so innocent when we are using free public Wi-Fi.
According to the Harvard Business Review, like other things that are free, free Wi-Fi also comes with a potential cost. Being on free Wi-Fi opens up our information to cybercriminals. The best course of action is to refrain from using public Wi-Fi, especially in large public spaces, such as an airport. If there’s no avoiding the use of free Wi-Fi, consider the institution that is providing the service and ask yourself, "Do I trust them?" If the answer is no, then you should stop right there, but if it is yes, then here are some safety tips to consider to keep prying eyes out of your devices:
- Don't use public Wi-Fi to shop online, or to access other sensitive sites – ever.
- Use a Virtual Private Network, or VPN, to create a network-within-a-network, keeping everything you do encrypted. (Research VPN software before installing a VPN on your device.)
- Implement two-factor authentication when logging into sensitive sites, so even if malicious individuals have the passwords to your financial institution, social media, or email, they won't be able to log in.
- Only visit websites with HTTPS encryption when in public places, as opposed to lesser-protected HTTP addresses.
- Turn off the automatic Wi-Fi connectivity feature on your phone so it won't automatically seek out hotspots.
- Monitor your Bluetooth connection when in public places to ensure others are not intercepting your transfer of data.
- Buy an unlimited data plan for your device, and stop using public Wi-Fi altogether.
There is a saying in the cybersecurity industry that there are three types of people in the world: those who have been hacked, those who will be hacked, and those who are being hacked right now and just don’t know it yet. The better you protect yourself, the greater your chances of minimizing the potential damage. Remember: Falling victim to public Wi-Fi’s dangers is a question of when, not if.
Tech Support Scams
You receive a call out of the blue, and they tell you that your computer has a virus. They want to help you, but what should you do? Hang up!!!
In the past few weeks, I received a call from a person who claimed to work for Dell. This person proceeded to tell me that my computer was infected with a virus and they’ll gladly help. At that point, I hung up the phone. My gut told me that this was a scam, but the caller did not give up that easily. Within a matter of minutes, I received another such call, and once again I hung up the phone. Dell reports that other customers have also reported receiving these calls over and over, and by the way, these calls are not really coming from Dell.
There are countless similar help desk scams out there, and many of them are targeting the senior population. It is reported that in similar scams the person calling claims to be from the helpdesk at Microsoft or Apple. Much like the Dell scam, a criminal calls with a warning that the individual’s computer is riddled with viruses. The fake technician offers to assist, and then dispatches the victim to a local store to buy prepaid gift cards which are given as payment for the tech support services.
Know that these companies DO NOT call you to tell you about a problem with your computer. The challenge is that these cybercriminals are tricky. They do their homework and learn what they can about you and work hard to gain your trust. They may even tell you things about your computer that you think only a legitimate vendor would know. As a criminal, they are working to earn your trust so you will give them what they want.
The best way to protect yourself is to simply hang up.
Key things to remember
- Do NOT install software on your computer because an unsolicited caller has told you to do so. Installing this software could infect your computer with malware.
- Do NOT pay for services.
- Report it. Visit ftc.gov to report cyber scams.
August 20, 2018
Free Apps are not really FREE
How many applications (apps) do you have on your phone? Probably too many to count. Most of us have a large number of apps, and many of them were downloaded for free. But what is the old adage? “Nothing in life is free.” It seems that would also apply to free apps. Although you may have paid nothing for the app, that doesn’t mean it is truly free.
Some apps ask that you grant them permission to read your files, access your camera or listen in on your microphone. Sometimes, those things are necessary, but they also make you vulnerable to hacking.
Be cautious about what you install. We all love new apps – things that make our lives simpler, more productive, or just another outlet for a little more fun. But, there are a few types of apps that you should think twice about having on your phone.
There was a time when the standard mobile phone did not have a built-in flashlight, but that is no longer the case. Yet, folks continue to install a flashlight app. According to makeuseofit.com, “the most popular ones all feature tons of ads and require invasive permissions, like your locations and contacts list. Of course, the developers then use these to sell your data to advertisers, so they can make more money.”
If you have a keyboard app or you are thinking about installing one, keep in mind that a keyboard app can see everything you type. This includes passwords, personal messages, and financial information. The app developer can also upload data about your typing style to their servers, and should they experience a data breach, anything you’ve typed could be up for grabs.
So, who hasn’t downloaded a free game? If you haven’t, then you are among the minority. Free games are well-known for asking for access to the contact list, location, camera, and more. In 2017, a New York Times report exposed that hundreds of “free” games included software known as Alphonso. This is a tool often used by advertisers that can tap into your phone’s microphone to pick up the sounds of what TV shows you’re watching. This software can also match the locations you visit and track information matching advertising to your purchases.
First off, there is really no need for an antivirus app on your smart phone. Both iPhone and Android have done a decent job providing security which is built into their operating system updates. (Check out the previous post about the importance of keeping your phone up-to-date.) These apps are presented as making you safer, but in the end, they often collect a wealth of information about you. If you have such an app installed, it is well advised to uninstall the app.
Store Loyalty Apps
If you have yet to realize it, you are paying for loyalty apps by giving the retailer access to your purchase habits. It is difficult to resist these apps, as they offer you loyalty rewards, and even before these apps were available, many stores were already requiring loyalty cards in order for customers to receive sale pricing. Over the past year, there has been an increase in user-friendly apps allowing customers to order and pay for items via the app. Once purchases are made, some stores are even offering curb-side pick-up, which is a wonderful convenience. Yet, in order to make that work, personal information, along with credit card information, has to be typed into their system. To make it easier to check out next time, most users store that information with the app, which increases your vulnerability.
Ultimately, it's up to you to decide whether granting an app such permissions is worth the mobile security risk that it may pose, so consider if those risks outweigh the benefits and act accordingly.
August 13, 2018
Don’t Wait, INSTALL that UPDATE
When you think of cybersecurity, what comes to mind? For many, it is the outside threats that could compromise our information. While there is no way of knowing all the ways cybercriminals are working to steal information, there are some simple things you can do to help improve the security and stability of your electronic devices. By electronic devices I mean our phone, computer, tablet, etc. One of those simple tasks is to keep the operating system and applications (apps) up-to-date.
This may sound like a no-brainer, but sometimes it is the simple things we tend to overlook, especially when simple can also feel inconvenient. Have you ever turned on your computer to start a project, only to see a reminder that there is a software update? Or maybe, unlocked your phone to check your social media and see there is an update waiting? When that happens there is a choice to make. Do you agree to install updates now or put it off until later? How many times have you opted for later? Yet, waiting may not be the best choice.
According to Microsoft, those app updates are important for your security. Saying yes to app and operating system updates “ensures that your phone's security software and your apps are current, which can protect you from hackers and prevent your personal information from being exploited.” There are flaws with any software system — and it's just a matter of time before someone discovers them. Companies, such as Apple and Google, as well as the creators of major apps, all have employees whose job is to try to hack into their own product. Their goal is to discover and fix flaws before malicious hackers find them. Even if an app update doesn't introduce many new features, and is just "improvements and bug fixes," it's still worth a download; it could prevent your phone from being hacked and prevent your data from being shared with the world.
You may think your phone or computer is working great and are therefore afraid that making a change will cause you problems; however, what may be more frustrating than taking a few minutes to install an update is the way your system acts up, or maybe better stated, how it slows down when it is not tuned up. Just like your car needs an oil change, installing those updates helps your electronic devices remain healthy.
There are other reasons to keep your phone, desktop computer, and their corresponding software up to date, too. Developers work hard to come up with cool new features that will make your life easier, and if you don't update, you won't be able to take advantage of those.
Reasons to avoid public charging stations
We seem to use our phones for almost everything, like phone calls, text messages, social media, watching videos, shopping, financial transactions, ordering food . . . and the list goes on. With such exhaustive phone use, there seems to be a common problem no matter what phone you have and that is battery life. Because of our ongoing need to charge our phones, phone charging stations are popping up all over the place in airports, hotels, cafes, stadiums, music venues, and beyond. It makes sense, after all, what is the use of a dead phone?
But, as with most things that were designed to be helpful to the general public, there is also a downside. By plugging a station’s USB cable into your smartphone, you can let hackers record everything that happens on your mobile screen, including your keystrokes. With this recording, they can steal your PIN numbers, passwords, pictures, videos, and more. You also run the risk of infecting your smartphone with malware.
How criminals infiltrate public charging stations
Videojacking – With this tactic, criminals hide custom electronics in a public charging station. When you plug an HDMI-ready smartphone into the USB cable, hackers split the signal, then mirror and record everything you do on your screen without your knowledge.
Juicejacking – Plugging your phone into a USB charging station can also infect your phone with malware. It takes only a minute for these types of programs to run. Once they’ve infected your phone, they can steal your information, even hold your data files ransom.
Here is some helpful information from the United States Postal Service
How to stay safe and charged
Follow these guidelines
- Search online for your phone’s make and model to find out if it is HDMI-ready.
- Avoid all public charging stations if your phone is HDMI-ready.
- Purchase a portable charger to prevent yourself from using stations.
- Carry an extra USB wall charger to safely charge your phone in public places with a standard wall jack.
How to tell if your phone has been hacked
If you end up using a charging station, stay mindful of your phone activity to see if there have been any data breaches. Though it’s not easy to detect, here are some telling signs that your phone has been infiltrated.
- your passwords no longer work
- new apps appear on your phone
- random pop-ups come out of nowhere and redirect you to an install page
- you’re using more data than usual
- your battery life has gone down significantly
What’s your number?
You are checking out at the grocery store you frequent, and you don’t have your rewards card with you, but no problem, just give the clerk your phone number or type it in yourself on the keypad. Ever since stores started requiring a no-cost reward membership in order for shoppers to get the sales price, most of us have become accustomed to this interaction. Since that time, many shoppers have transitioned from landlines to cellphones. Because of that, maybe it is time to rethink how often we give out our number.
A recent blog post from Thomas Martin, a former Drug Enforcement Agency Agent, was titled, “Your cell phone number is your new Social Security number.” Stop for a minute and let that sink in. Most of us understand the importance of keeping our Social Security Number safe and think twice before giving it out. What Martin is suggesting is that we also need to be careful with our cell phone number.
What’s the big deal?
Your cell phone number, unique to you, is the gateway to your identity. It provides an entrance to all the data contained on your phone and can connect your other information to you – your email address, physical address—everything. A few weeks ago, we touched on phone number identity theft and how it is adversely affecting a large number of consumers. In fact, from 2015 to 2017, the number of those affected by phone number theft has doubled according to Javelin Strategy & Research in Pleasanton, California.
How often do you give out your phone number?
Over the next week, pay attention to how frequently you are asked for your phone number. Almost everywhere you turn you are asked for this piece of information.
A short example
Here is a story recounted by Agent Martin.
“Just the other day, a shoe store demanded my phone number when I was buying a $69 belt. I balked, and they let me buy the belt anyway—but when I went back to return it a few days later, the clerk said: ‘You can’t return it without providing your cell number.’ I explained I didn’t want it in the company’s database, so she made up a number to type in, but not before smiling at me and saying with a scary smile: ‘We want all the information about you we can get.’”
We are not suggesting that the retailers are out to steal your phone number. But, as we have become more and more familiar with SMIShing, the hackers have had to find new ways to gain access to our financial information. This leads them to hack into databases where they can obtain cell phone numbers and other personal information.
What can you do?
Use common sense: If you’re asked for your phone number, ask why. In general, don’t give it out to people you don’t know. If you can leave it blank on online forms, do so, even if that means it may take a few seconds more to identify you the next time you make a purchase.
Choose which private data you are willing to share: When asked for your cell number, especially at a retailer, you may be able to provide an email address, zip code or just your name as a way to identify you. It’s worth asking about.
Resource: "You're sharing your cell phone number too frequently" by Steven Petrow, Special for USA Today published June 20, 2017
Protecting Yourself from Skimmers
Law enforcement agencies across the U.S. have seen a spike in skimming cases this year, and it's expected to keep rising. More credit and debit cards are using chip technology, making it increasingly difficult for thieves to skim your information, but that only means they have upped their game.
What is skimming?
Skimming is the use of a small device called a skimmer to steal card information from a physical debit or credit card. The skimmer scans the card’s magnetic strip to retrieve the credit card data. Once the card is swiped through the skimmer, the data is recorded and stored on the device. Scammers often skim the cards to sell the information online for criminals to create counterfeit credit cards.
Skimming also transpires when an individual (e.g., a waitress or retail employee) completes a valid credit card transaction and then covertly captures a second, unauthorized swipe through the skimming device before returning the card to the cardholder. Once the individual skims the credit card, he or she may conduct a fraudulent transaction immediately afterwards or the information may be stored for future use. Therefore, the cardholder is likely unaware until the fraudulent charges appear on the statement. Skimming has been on the rise in our area with reports of skimming devices being found inside gas pumps and on ATM machines.
Avoid gas pumps that are the farthest from the store clerk.
Thieves are more likely to install a skimming device on pumps that are not as easily in view by store employees.
Leave your debit card in your wallet.
Using a credit card is generally a better option, mainly because when your debit card is compromised, so is your entire bank account. It's all too easy for a thief to skim your debit card's magnetic strip. If they catch your PIN number, you can bet your bank account is up for grabs. If you must use a debit card, have it run as a credit and avoid putting your PIN number in whenever possible.
The old rule that we should be aware of our surroundings still holds true today. With skimming devices becoming more hi-tech, we must look around for clues that could alert us to a potential threat. At the ATM, at the gas station, and really anywhere you shop, be sure to look for tampering, a loose credit card reader, or a broken seal. If it looks like the card reader has been tampered with, don’t use it. If you notice suspicious charges on your account, contact your financial institution immediately.
Use Your Phone.
That’s right - another way to check for skimmer devices is using your phone. Thieves often use Bluetooth technology to transmit card and PIN information. Just turn on Bluetooth and search for a device. If you see a long string of numbers trying to connect, that's a bad sign.
Keep a close eye on your account.
Even if you do your best to avoid suspicious terminals, you may still fall victim to a skimmer. The most important step you can take to enhance your card’s safety is the one you should be doing no matter where you’re making purchases: monitor your account activity. If your card has been skimmed, it may take some time before someone else actually uses it.
Look out for fake invoices.
You might think you'd never pay a fake invoice but think again. We have far more subscriptions than we used to. You might be paying every month for movies, music, video games, an online dating service, or monthly subscription boxes where you receive, say, beauty products, food, or children's toys every month. And, this is in addition to monthly bills you have to pay, such as your utilities and rent. It would be very easy to receive a fake bill and believe it's real.
Holly Reisem Hanna, an entrepreneur in Austin, Texas, who runs a website called TheWorkatHomeWoman.com, says that she received an invoice from what looked like Apple iTunes.
"It was a bill for $400 in gaming credits. I about flipped my lid," Hanna says. "I was out of town and immediately called my daughter to see if she had accidentally purchased some gaming coins. She swore up and down that she hadn't."
So, Hanna studied the invoice and noticed that while the bill looked authentic, the email clearly didn't come from Apple. Before you pay a bill that you receive online, take a hard look at it. If you have any concerns about the bill, look up the customer service number, not what is listed on the invoice, and give the company a call.
DO NOT click links within the e-mail. If the e-mail is not legit, clicking the link will allow scammers access to your personal information. It is not uncommon to see fake invoices that look like they come from PayPal, the IRS, or even banks.
To try to protect yourself from fraudsters, use virtual private networks rather than public networks, change your passwords often, and ensure your virus protection software is always up to date.
If you are a victim of an online financial scam.
- Call your bank, credit card, or financial institution for assistance.
- File a fraud victim statement with the three main credit bureaus (Experian, Equifax and TransUnion).
- Consider freezing your credit to prohibit a fraudster from taking out a loan in your name.
- Call the police and file a report.
As if the whole idea of phishing wasn’t complicated enough, let me add in another dimension to it – Angler Phishing. What? Angler Phishing? Yes, you read it right. It isn’t new, but at the same time, it isn’t very well-known either.
How Does Angler Phishing Work?
When using angler phishing, a cyber-criminal’s goal is to bypass the genuine customer support page of a well-known brand, and the first step can take two forms:
- The criminals create an entirely fake brand profile, thus impersonating the brand: the victims are unknowingly engaging directly with criminals; or
- The criminals monitor conversations on a genuine customer support page: the criminals go after their victims by getting involved in an existing conversation.
Either way, the result is the same: criminals are posing as members of the brand’s customer support staff so that they can “help” customers on social media networks with issues such as product faults, account issues, or the tracking of a parcel.
How can I stop angler phishing attacks?
- Never LOG IN to an account if the link is provided to you through email or social media.
- If you are unsure about a link in a social media post, do NOT copy and paste the link in your web browser. You could still end up at the malicious site and potentially load malware on your computer or network.
- Access websites through your web browser. Typing the address of a website directly into your web browser will ensure that you are going to the legitimate website and not a phishing site that was designed to mimic the look of the real thing. Unless the site was hijacked or your computer has a virus, typing the web address yourself is the best way to guarantee the authenticity of a website.
- Technology-based security measures such as firewalls, encryption, anti-virus, spam filters, and strong authentication will NOT prevent social engineering fraud. No matter how much security technology you implement, you can never get rid of the weakest link - the human factor.
- Use caution when you click links that you receive in messages from your friends on your social website. Treat links in messages on these sites as you would links in email messages.
- Don't trust the sender information in an e-mail message. Even if the e-mail message appears to come from a sender that you know and trust, use the same precautions that you would use with any other e-mail message. Fraudsters can easily spoof the identity information in an e-mail message.
- Know the social media account handle for the company you are dealing with. Make sure you communicate only with the legitimate account.
- Look closely at the reply you receive and be skeptical. Look for misspelled Twitter handles, email addresses, etc.
Online Account Security
How many online accounts do you have? Stop and think about this for a minute. There is social media, online shopping, online banking, and online BillPay, just to name a few. We have more online accounts than we realize, each requiring password protection, and many also have you answer security questions. As online consumers, we should not rely solely on the online companies to keep us safe. Here are a few things you can do to better protect yourself from hackers.
Create strong passwords.
I know we say this over and over, but it is important! A strong password is your best defense. But what is a strong password? It should be at least 10 characters long, use a mix of upper- and lower-case letters, numbers and symbols — and you should never use the same password for more than one website. Also, don’t use your name or initials, even if you substitute ‘3’ for ‘E’ or ‘1’ for ‘i’.
One big reason that we often fail to create strong passwords is because the more complex the password the more difficult it can be to remember. This is also the challenge with having a unique password for each account. To help with this, there are automated password managers that can suggest and securely keep your multiple passwords.
Rethink answers to security questions.
Between Facebook, LinkedIn, whitepages.com, classmates.com and ancestry.com, a lot of your personal data is out there. Hackers use these sites to get past your security questions. Stay one step ahead by outsmarting them. Your hometown? Pick a place that’s meaningful to you, like where you got engaged, or use something unrelated, like the name of your favorite old TV show.
Join us again next Monday to learn more tips for securing your online accounts.
Tips to keep your Online Credit Card Purchases Safe
We have compiled a list of tips to help keep your online credit card purchases safe:
Use credit, not debit
The first rule of keeping your payments safe is to always use a credit card. Credit cards come with better fraud protections and usually have a low or zero-liability policy. Debit cards do not always offer that same level of fraud protection.
Take advantage of Virtual Account Numbers
Many credit card companies now offer virtual account numbers. By using this service, a one-time random card number is generated. The number will be linked to your account, but as it is not your actual account number, it makes it harder for criminals to steal your information.
Check for the ‘s’
When it’s time to enter your information, make sure the page’s address starts with https:// rather than http://. The extra ‘s’ indicates the site uses an encryption system to scramble your information. The ‘s’ doesn’t necessarily guarantee the transaction is 100% safe, but it’s a fast and easy check that can give you another layer of confidence.
Don’t shop in public
Only shop online from your own computer (or that of a trusted friend) with a private WiFi connection. Shopping on a shared computer has its risks because websites often save login information. Also, it is possible for hackers to install keylogger software to record your keystrokes. That will give them your usernames, passwords, credit card numbers and personal information.
Even using your own personal laptop or tablet on a public WiFi is not safe. A good hacker can snag your information using the public WiFi.
Never give out your social security number
You never need to give out your Social Security number to make a simple purchase. Don’t do it. If a website seems to be asking for more information than is normal, leave immediately and don’t look back.
Choose a strong password
A strong password is essential. You should always have a mix of numbers and letters, both uppercase and lowercase characters and at least one symbol like @ or %. Don’t use obvious words like your name, your Social Security number or birthday, “12345” or the word “password.” Make it unique and custom, and don’t use the same password for multiple accounts. If someone figures out one of your passwords, you don’t want them to have instant access to everything.
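The rules from this tip and from the earlier “Create strong passwords” tip can be written as a short Python check. This is an added example, not part of the original posts; the function name, the look-alike substitutions beyond ‘3’ for ‘E’ and ‘1’ for ‘i’, and the start-or-end rule for initials are assumptions, and all sample passwords are constructed.

```python
import string

MIN_LENGTH = 10                    # "at least 10" from the first password tip
OBVIOUS = ("password", "12345")    # obvious choices named in the second tip

# Look-alike characters undone before searching for words.
# '3' -> 'e' and '1' -> 'i' come from the tip; the rest are assumed extras.
LEET = str.maketrans({"3": "e", "1": "i", "0": "o", "@": "a", "$": "s", "5": "s"})


def _plain(text):
    """Lower-case the text and undo look-alike substitutions."""
    return text.lower().translate(LEET)


def password_problems(password, personal=(), in_use=()):
    """Return a list of rule violations; an empty list means all rules pass.

    personal: your name, initials, birthday and similar details (hypothetical input)
    in_use:   passwords you already use on other accounts (hypothetical input)
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")

    # Both sides are normalised, so "P@ssw0rd" still contains "password"
    # and "Em1ly" still contains "emily".
    plain = _plain(password)
    for word in OBVIOUS:
        if _plain(word) in plain:
            problems.append("contains obvious word: " + word)

    for fact in personal:
        token = _plain(fact)
        if not token:
            continue
        if len(token) <= 3:
            # Initials are too short to search for everywhere without false
            # alarms, so they are only flagged at the start or end (assumption).
            hit = plain.startswith(token) or plain.endswith(token)
        else:
            hit = token in plain
        if hit:
            problems.append("contains personal detail: " + fact)

    if password in in_use:
        problems.append("already used on another account")
    return problems


if __name__ == "__main__":
    # Constructed samples for a hypothetical user named Emily, initials JD.
    me = ["Emily", "JD", "1985"]
    for candidate in ("Em1ly2018!x", "P@ssw0rd12", "12345", "vT7#qLm2!xWd"):
        print(candidate, "->", password_problems(candidate, personal=me) or "OK")
```

A password that passes every check here can still be a poor choice if it has appeared in a data breach, which this check does not look for.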
Trust your instinct
If a website seems shady, don’t use it. You’ll probably be safe on websites like Amazon and BestBuy.com. You can usually trust big names. Smaller, lesser-known websites should be treated with suspicion. If a site looks outdated or poorly designed, proceed with caution.
Theft of Cell Phone Numbers
Maybe you have taken all the right steps to secure your cell phone. You have good password protection, your data is encrypted, and you have even set up a remote wipe. But what do you do if your cell phone number is stolen? I know that sounds odd, but a number porting scam does just that. Unfortunately, you may not even know it has happened until you notice your mobile device has lost service.
But why would someone want to steal your phone number? The short answer is to intercept the texts that are often sent as a two-factor authentication. If a crook has already stolen a password to your account, often what they need next is that authentication number, and stealing your cell phone number and activating it on another device on another network will do just the trick.
Once the number has been moved to a new network, then your phone is shut off. All calls and texts will then forward to the new device and once in control of the mobile number, thieves can request any second factor that is sent to the newly activated device, such as a one-time code sent via text message or an automated call that reads the one-time code aloud.
Carriers are trying to combat the problem and have put different measures in place for increased verification. But what can you do to protect yourself?
Set up two-factor authentication. In many cases you can set up additional verification measures that would prevent a stranger from successfully porting your phone number. Call your cell phone carrier for more details.
Contact your provider if your phone suddenly stops working. If you can’t make or receive phone calls, or text messages, don’t assume there is something wrong with your phone. Use a landline or a friend’s phone to report the problem immediately to your cellular service provider.
Be alert to any signs of phishing. Be wary of any suspicious alerts from your personal or financial accounts or unsolicited requests for two-factor authorization.
Be cautious when sharing personal information. Only share your full name, phone number, and other personal information with people and companies that you know and trust.
Choose an authentication alternative. Use something other than your cell phone number to receive the one-time codes that are either texted to you or read to you in an automated phone call. Sometimes you have an option to receive an e-mail. Also, many companies now support third party authentication apps.
Look out for new twists on old scams
Most of us have heard of the “Nigerian prince scam.” This is where you receive an e-mail from someone pretending to be a member of the Nigerian royal family and asking for your help to transfer money out of the country. In return, they promise you a generous reward. Of course, to make that happen, they need your personal information. While you may think you are too smart to fall for that scheme, there is now a new twist.
Rene Kolga, senior director of project management at Nyotron, a cybersecurity firm, says, "This one updates it by impersonating real people, such as a NASA astronaut or government officials, who you can easily find online. The scam uses their real names, photos, and facts about their life to spin a story about how they found a massive amount of money and have kindly chosen you to receive the funds."
To protect yourself against such scams, ask yourself a few questions:
- How did this person find my contact information?
- Does the story actually make sense?
- Why would an astronaut or government official choose to give me money?
Always keep in mind that anytime you share your personal information you are putting yourself at risk. Many times these scams ask you to provide your checking account routing and account number, which then opens your account up to them to add or withdraw funds.
No matter your age – you are at risk
Financial scams are no respecter of age. A recent Federal Trade Commission (FTC) study revealed that in 2017 about 40% of those between 20-29 lost money to con artists, compared to 18% of folks 70 years of age and older. At the same time, while the overall percentage of the older population that fell prey to a scam was smaller, they did tend to lose more cash than millennials. This just goes to show you that everyone needs to protect themselves against financial scams.
Keeping your phone data safe
“Smart” phones are great – they allow us to have so much wonderful information at our fingertips, but having all this information saved on one small device also leaves us vulnerable. That is why we have compiled a list of things for you to consider to help keep you, your data, and your phone safe.
Lock your phone.
Protect your phone with a password or fingerprint detection. That way if your phone is lost or stolen, cybercriminals will have to get through the first gate. Also, set a short time on your password lock – 30 seconds or less is recommended.
Encrypt your data.
Consider encrypting your data. This is useful for protecting sensitive data, whether that’s business emails or investing and banking apps.
Set up remote wipe.
If your phone is lost or stolen, you’ll be able to wipe all of its data remotely (and therefore keep it out of the hands of criminals).
Back up phone data.
Consider connecting your device to its associated cloud service in order to automatically back up data (and encrypt it). If you don’t trust the cloud, be sure you connect to a PC or Mac to sync data regularly in order to preserve photos, videos, apps, and other files.
Avoid third-party apps.
Not allowing apps from unknown sources keeps you relatively safe. If you do decide to use third-party apps, research to be sure you’re not getting a malicious one. Read reviews, and if the app asks for access to too much personal data up front, don’t download it.
Update operating system.
When that pop-up reminder comes up, don’t ignore it. Charge your phone, clear out some space, and install the update right away.
Be wary of questionable texts and e-mails with links.
Cybercriminals love to spoof banking apps, send phony texts meant to collect personal data, and email malicious links and attachments. (See the May 25 post for more information.)
Use public wifi carefully.
Public wifi is inherently insecure, so try not to make transactions or transmit sensitive data while using it.
Information courtesy of Malwarebytes Labs
Have you heard that word before? I hadn’t until I started checking out information on text message scams. So, let me explain. “Smishing” is another word for text message phishing. In other words, “smishing” is when a scam artist sends a deceptive text to try to get you to provide personal information. These scammers are getting more and more creative. Most recently I heard of someone receiving a text message asking them for a bank verification code that was being texted to their phone. The text read as follows:
By sending the code back, you could be unlocking their access to your account, all under the disguise of helping them out.
If you receive one of these messages do NOT respond to it. Not even to tell the sender to stop contacting you. Responding to “smishing” messages verifies that your phone number is active and that you are willing to open such messages, which may lead to an increase in the unsolicited text messages you receive.
Report internet fraud to the Federal Bureau of Investigation’s Internet Crime Complaint Center online at: www.Ic3.gov and contact the following agencies:
Federal Bureau of Investigation
1501 Freeway Boulevard
Brooklyn Center, MN 55430

Federal Trade Commission
Bureau of Consumer Protection
600 Pennsylvania Avenue NW
Washington, DC 20580
Don’t answer that question
So you are scrolling through your social media accounts and you see a friend’s post. “What was the name of your first pet?” Now, that seems innocent enough, right? Think again.
These kinds of questions are commonly used as security questions for password recovery. If you have ever signed up for online services with your bank or another financial institution, they have you set up security questions that are then used when you lock yourself out of your account or when they are verifying your identity because you are using a new device.
Ten most common security questions:
- What is your favorite book?
- What is the name of the road you grew up on?
- What is your mother’s maiden name?
- What was the name of your first/current/favorite pet?
- What was the first company that you worked for?
- Where did you meet your spouse?
- Where did you go to high school/college?
- What is your favorite food?
- What city were you born in?
- Where is your favorite place to vacation?
Keep in mind, the more personal information that you leave open to the public, the more you put yourself at risk.