Security Tip

Identity theft tax refund fraud: Everybody is at risk

Criminals who use stolen personally identifiable information can launch a wide variety of fraudulent financial schemes, such as hacking online accounts, submitting phony insurance claims, and applying for loans and credit cards to pad their bank accounts. Increasingly, though, identity theft through tax refund fraud is becoming a favorite money-making scheme for criminals.

There have been a number of stories in recent months of identity theft and how the information can be used against individuals. Because identity theft through tax refund fraud has become the most popular tax scam around, you might even know someone who has been a victim of it. All that is needed is a computer (or even a cell phone with the necessary app) and someone’s Social Security number (SSN) and date of birth.

This fraud is so rampant that the U.S. Internal Revenue Service (IRS) estimates that it mistakenly paid $5.2 billion to identity thieves in 2013, according to a report by the Government Accountability Office (GAO). The fraudsters filed fraudulent tax returns on behalf of millions of unsuspecting taxpayers, and the IRS did not catch the scheme until well after the refund checks had been processed. However, the financial damage could have been far worse: The IRS also estimates that it was able to identify and stop $24.2 billion in attempted identity theft tax refund fraud last year.

Ways to Protect Your Identity

Although identity theft is difficult to completely guard against, there are steps you can take to make it challenging for criminals to steal personally identifiable information, including:

  • Regularly check your credit report.
  • Do not carry a Social Security card or any documentation containing your SSN.
  • Properly dispose of documentation containing sensitive information; shred it instead of leaving it in the trash.
  • Only give personal information when absolutely necessary — especially on websites and via social media — and keep track of those who have access to it (this might be helpful in determining the breach source if victimized).
  • Never use public Wi-Fi or a non-password-protected network to file electronically.
  • Protect personal laptops and devices by installing firewalls and the most recent anti-virus software.
  • File taxes as early as possible during tax season because criminals try to file fraudulent returns before the actual filer (once the IRS receives a return with an SSN, the agency will reject any duplicate filings and immediately notify you).
  • If filing taxes is not required, consider doing so anyway to prevent a criminal from submitting a false return in your name, and to be alerted if someone has already filed in your name.
  • Be leery of phone calls from people who already know your SSN and claim to be IRS agents. Some even manipulate caller ID. (The IRS warned of this sophistication last October.)

For more information, please go to IRS.gov; Tax Refund Fraud; Examples of Identity Theft; and Don’t Be a Victim.

What to Do If Your Phone Is Stolen

The not-so-humble smartphone has become a significant part of our everyday lives. Whether you’re a CEO, a busy parent, a social media addict, or all three, your phone is most likely the control center amongst the chaos, helping you to organize your finances, stay in touch with your family and interact with your friends.

It contains your emails, contacts, photos, financial details and more, so having it stolen can be extremely distressing. These days, it’s not just the hardware itself that’s valuable to criminals; the data on your phone is worth just as much as its resale price on the black market. According to Consumer Reports, 3.1 million smartphones were stolen last year alone in the US, nearly double the number stolen in 2012. So what should you do if your phone is stolen?

If you do have a mobile security app

If your phone has been stolen and you have a mobile security app, the first thing you should do is try to locate, lock and possibly wipe your phone. These immediate actions give you a fighting chance of finding your smartphone before you suspend your service. With mobile security, you’ll have the breathing room you need to contact the police and your carriers.

Lock your device

Mobile security features like Lock and Wipe allow you to remotely lock your device to stop thieves from accessing your personal data. You may even be able to post a custom message to the home screen that could help you get it back!

If you are positive that your device is gone for good, then you have the option to remotely wipe your smartphone to ensure that your important information doesn’t fall into the wrong hands.

Locate your device

Mobile security apps like Lookout also allow you to easily locate your phone using GPS. It’s as simple as logging into your account using a web browser and finding its location. Once you’ve located your device (and it’s definitely not hiding under the couch cushions) give this information to the police. For your safety, leave it to the experts to retrieve.

Stay safe as you get your device back

Once you have more information on your device’s whereabouts, rope in law enforcement and don’t try to be a vigilante. The tips below for people who don’t have Lookout installed will still be helpful for you, too.

Whether or not you have a mobile security app

Contact your provider

If your cell phone is lost or stolen and you don’t have a mobile security app, the first thing to do is contact your network provider, who will be able to block your phone in order to stop anyone else from using it.

This is particularly important if you have a pay-monthly contract, as you will be liable for any calls made (or expensive apps downloaded) before you report your phone stolen.

Most of the major US network providers allow you to suspend your service and request a new SIM online or by calling their customer service department.

Reporting a lost or stolen phone to Verizon

Verizon Wireless allows you to temporarily suspend your service if your device has been lost or stolen, and your line will automatically reconnect in 30 days, giving you the chance to find or replace your smartphone.

Reporting a lost or stolen phone to T-Mobile

T-Mobile allows users to suspend their service online and has a program that allows you to transfer your contacts and personal information to a new device.

Reporting a lost or stolen phone to AT&T

AT&T allows users to not only suspend their service, but to block the device from using voice, text, and data on the AT&T network if another SIM is inserted.

Reporting a lost or stolen phone to Sprint

Sprint asks users to call immediately on 888-211-4727 to suspend service if they suspect that their phone has been lost or stolen.

Notify police

If your cell phone has been stolen it’s also important to notify the police, as insurance providers will usually need a crime reference number in order to process any claims.

If you use your smartphone to shop or bank, you may also need a police report to dispute any fraudulent charges made on your debit or credit card accounts using the stolen device.

Make a report at your local station, being sure to give them your device’s International Mobile Equipment Identity (IMEI) number, which your network should be able to provide you with. (You can also find this on your account settings page if you do have Lookout installed.) This could help the police get your phone back to you if it were to be recovered.

Change passwords and PINs

According to a nationwide survey by Consumer Reports, 34% of Americans don’t passcode protect their cell phones.

If you’re one of the people that make up this statistic, then it is absolutely essential that you change any passwords or PINs that are stored on your cell phone, as well as passwords to apps that automatically log in when you launch them on your device.

Bank details, user names, passwords and PINs, when used along with the personal data readily available on your phone (your birthday and address, for example) can easily be used by thieves looking to capitalize on your misfortune.

If you use your mobile device to shop or bank (with a banking or store app, for example) then it’s also a good idea to contact your financial institution and credit card company, as it may be necessary to cancel any cards stored on your smartphone.

Prevention is better than cure

In the future, the single most important thing you can do to prevent anyone from getting to your personal data if your phone is lost or stolen is set a passcode. Not only does it make your device a less attractive target for cell phone theft, it means no expensive international calls can be made at your expense; your personal information will stay personal no matter who ends up with your cell.

Set a complex password that you’ll remember but thieves won’t guess (don’t use common passcodes like 1234 or 0000), and set your screen to auto-lock within five minutes.

Backing up your data is also a great way to ensure you don’t lose important contacts, photos, music and more. Many service providers offer this service free of charge.

As well as this simple precautionary measure, downloading a mobile security app such as Lookout is a great way to add an extra layer of protection. From locating your phone to remotely locking and wiping it, Lookout makes defending your personal data simple.

Article courtesy of Lookout (https://www.lookout.com/resources/know-your-mobile/what-to-do-if-your-phone-is-stolen)

Top 10 holiday scams

As the new holiday cyber-crime season rolls in, it’s a good idea to look at the scams of last year, which will be recycled with a few small updates. Here are the Top 10 scams to keep an eye out for this holiday season:

Black Friday Deals
Black Friday and Cyber Monday are the busiest online shopping days and the bad guys are out to get rich with your money. Don’t buy anything that seems too good to be true.

Complimentary Apple Watch
Watch out for the too-good-to-be-true coupons that offer complimentary watches, phones, or tablets on sites all over the internet. Don’t fall for it. Make sure the offers are from a legitimate company.

Postal Deliveries
Watch out for alerts via email or text that say you just received a package from FedEx, UPS or the US Mail, and then ask you for some personal information. Don’t enter anything. Think before you click.

Fake Refunds
There is a fake refund scam going on that could come from Amazon, a hotel, or a retail chain. It claims there was a “wrong transaction” and wants you to “click for refund” but instead, your device will be infected with malware.

The Grinch E-Card Greetings
Happy Holidays. Your email has an attachment that looks like an e-greeting card, pretty pictures and all. You think that this must be from a friend. Nope. Malicious e-cards are sent by the millions. Never open these things, especially at the office, as they might infect your workstation.

The Fake Gift Card Trick
Internet crooks promote a fake gift card through social media but what they really are after is your information, which they then sell to other cyber criminals who use it for identity theft. Here is an example: A Facebook scam offering a complimentary $1,000 Best Buy gift card to the first 20,000 people who sign up for a Best Buy fan page, which is a malicious copy of the original.

The Charity Tricksters
Holidays are traditionally the time for giving. It’s also the time that cyber criminals try to pry money out of people who mean well. But making donations to the wrong site could mean you are funding cyber-crime or even terrorism. So, watch out for any communications from charities that ask for your contribution (phone, email, text, and tweets), and make sure they are legit. It’s a good idea to contact the charity to make sure the request did in fact come from them. It is safest to only donate to charities you already know, and refuse all the rest.

The DM-Scam
You tweet about a holiday gift you are trying to find, and you get a direct message (DM) from another Twitter user offering to sell you one. Stop – Look – Think, because this could very well be a sophisticated scam. If you do not know that person, be very careful before you continue and never pay up front.

The Extra Holiday-Money Fraud
People always need some extra money during this season, so cyber fraudsters are offering work-from-home scams. The most innocent of these make you fill out a form where you give out confidential information like your Social Security number, which will get your identity stolen. The worst of them offer you work where you launder money from a cyberheist, which can get you into major trouble.

The Evil Wi-Fi Twin
You bring your laptop, tablet, or smartphone to the mall to scout for gifts and check whether you can get them cheaper somewhere online. But the bad guys are there too, shopping for your credit card number. They put out a Wi-Fi signal that looks just like a complimentary one you always use. Choose the wrong Wi-Fi and the hacker now sits in the middle and steals your credit card data while you buy online. When you use a Wi-Fi connection in a public place, it is better not to use your credit card.

Provided courtesy of KnowBe4 CyberheistNews (https://www.knowbe4.com/cyberheist-news/)

Internet safety for seniors

The Internet creates excellent opportunities for seniors to meet people, conduct business, plan travel, access records, stay in touch with friends and family, and support hobbies and entertainment interests.  You can learn how to take advantage of the opportunities without falling prey to predators so you can have peace of mind when you go online.

The Washington State Office of the Attorney General has put together an online resource aimed at the unique vulnerabilities seniors face when going online. There are scams tailored specifically to exploit older Internet users.

Having less refined computer and Internet skills and being more trusting are major factors that make seniors more vulnerable.  This site addresses: seniors and social networking sites; cyberbullying and seniors; online dating and seniors; information exposure and seniors; and tips for seniors to stay safer online.  Learn more here.

Stop. Think. Connect.

Be a good cyber citizen by owning your online presence.

Take security precautions, understand the consequences of your actions and behaviors and enjoy the benefits of the Internet.

STOP: Before you use the Internet, take time to understand the risks and learn how to spot potential problems.

THINK: Take a moment to be certain the path ahead is clear. Watch for warning signs and consider how your actions online could impact your safety, or your family’s.

CONNECT: Enjoy the Internet with greater confidence, knowing you’ve taken the right steps to safeguard yourself and your computer.

Protect yourself and help keep the web a safer place for everyone.  For more information about owning your online presence and for information about how to protect your digital life, go here.

OnGuardOnline.gov: be safe, secure and responsible online

At OnGuardOnline.gov, you will find information for your computer, your children and yourself.  Information is shared through videos, blogs and online articles.  You can also sign up for email updates to stay on top of the latest threats to your security.

The Federal Trade Commission manages OnGuardOnline.gov, in partnership with the federal agencies listed below. OnGuardOnline.gov is a partner in the Stop Think Connect campaign, led by the Department of Homeland Security, and part of the National Initiative for Cybersecurity Education, led by the National Institute of Standards and Technology.

Tech support scams continue to cost computer users

Reposted from Fraud.org, a project of the National Consumers League.

Just before midnight George got a call. “I was told it was the Microsoft Corporation,” George said. “They said there was a problem with my computer but they would fix the problem for free and would install an antivirus to protect against future attacks for $99.” George went to bed uneasy, not sure if the supposed Microsoft employee was legitimate or a fraudster.

Unable to sleep, George watched helplessly later that evening as someone remotely entered his credit card number into a Web site without his control. George frantically called Microsoft and learned that he had, as he suspected, fallen victim to a scam. In an attempt to avoid charges, George called Western Union — only to find out that $207 had already been charged to his credit card and was being processed in India.

The National Consumers League’s Fraud.org has seen a recent uptick in this “tech support scam.” These occur when a fraudster, claiming to work for a well-known technology company like Microsoft or Norton, contacts a consumer. The scammers claim that viruses have been detected on the computer and that they can remotely remove them for a fee, typically anywhere from $100 to $400. The victim is then instructed to go to a Web site or open a computer program that “proves” that the computer is compromised. Often these programs show computer functions that look scary but are actually normal.

Frightened by the supposed virus — and reassured because of the reputation of the company the fraudster is claiming to represent — many consumers agree to pay the fee and give the criminal remote access to the “corrupted” computer. Sometimes the hacker charges a consumer to download harmless programs that are available for free online to demonstrate the alleged virus. Other times, they install tracking software that gives the fraudster access to personal information on the computer.

Estimates of the scope of this scam vary widely. For example, Microsoft reported that the average victim lost $875 and had to pay $1,700 in repair bills. The Federal Trade Commission (FTC) said it had received more than 40,000 complaints about this scam when it initiated a crackdown in October 2012 and an official with the FTC’s consumer protection bureau said he thought the number of victims was probably “substantially higher.”

Although scams of this sort started in 2008, they have become far more common in the last couple of years, gaining attention from media organizations across the world. The companies that are affected have also noticed, warning their customers and offering tips on how to spot and avoid the scam. PayPal and other payment companies have helped by shutting down the accounts of known fraudsters.

Despite government action to identify and stop scam artists running these schemes, copycats continue to defraud consumers. Consumers should use the following precautions to minimize the risk of falling victim:

  • Know that legitimate companies will not call you without solicitation and tell you that you must pay for tech support;
  • Find a legitimate phone number for the company and ask them whether a representative contacted you;
  • Never allow someone to take remote control of your computer unless you are certain that they are actually representing a legitimate company;
  • Do not disclose sensitive financial information such as passwords, credit card, or bank account routing numbers over the phone; and
  • When buying things over the Internet or phone, use a credit card or a debit card so that you can better dispute fraudulent charges.

If you believe that you are the victim of a tech support scam, please take the following actions:

  • File a complaint with Fraud.org so that we can help others avoid falling victim;
  • Call your credit card company and ask to have the charges reversed;
  • Check your bank and credit card statements for inaccuracies. If you find any, ask that those charges be reversed, too;
  • Contact the major credit-reporting agencies (Equifax, Experian, and TransUnion) and notify them of the potential for fraud on your account; and
  • Delete the tracking software from your computer. For tips on how to do this, click here.

Visit the following sites to learn more about tech support scams and ways to protect yourself:

  • This post on the FTC’s Web site provides consumers with a video on how to protect computers and phone audio of a scammer conducting a tech support scam.
  • This section of the FTC’s Web site gives an overview of how these scams work and ways to protect yourself if contacted by a fraudster.
  • The Better Business Bureau has a scam alert that describes an incident in Montana involving this scam.
  • Finally, Microsoft’s posting on its Web site details common scams that falsely use its name and the common indicators that you are not truly talking to a company official.

Identifying Hoaxes and Urban Legends

Chain letters are familiar to anyone with an email account, whether they are sent by strangers or well-intentioned friends or family members. Try to verify the information before following any instructions or passing the message along.

Why are chain letters a problem?

The most serious problem is from chain letters that mask viruses or other malicious activity. But even the ones that seem harmless may have negative repercussions if you forward them:

  • they consume bandwidth or space within the recipient’s inbox
  • you force people you know to waste time sifting through the messages and possibly taking time to verify the information
  • you are spreading hype and, often, unnecessary fear and paranoia

What are some types of chain letters?

There are two main types of chain letters:

  • Hoaxes – Hoaxes attempt to trick or defraud users. A hoax could be malicious, instructing users to delete a file necessary to the operating system by claiming it is a virus. It could also be a scam that convinces users to send money or personal information. Phishing attacks could fall into this category (see Avoiding Social Engineering and Phishing Attacks for more information).
  • Urban legends – Urban legends are designed to be redistributed and usually warn users of a threat or claim to be notifying them of important or urgent information. Another common form is emails that promise users monetary rewards for forwarding the message or suggest that they are signing something that will be submitted to a particular group. Urban legends usually have no negative effect aside from wasted bandwidth and time.

How can you tell if the email is a hoax or urban legend?

Some messages are more suspicious than others, but be especially cautious if the message has any of the characteristics listed below. These characteristics are just guidelines—not every hoax or urban legend has these attributes, and some legitimate messages may have some of these characteristics:

  • it suggests tragic consequences for not performing some action
  • it promises money or gift certificates for performing some action
  • it offers instructions or attachments claiming to protect you from a virus that is undetected by anti-virus software
  • it claims it’s not a hoax
  • there are multiple spelling or grammatical errors, or the logic is contradictory
  • there is a statement urging you to forward the message
  • it has already been forwarded multiple times (evident from the trail of email headers in the body of the message)

If you want to check the validity of an email, there are some websites that provide information about hoaxes and urban legends:

Authors

Mindi McDowell and Allen Householder, http://www.us-cert.gov/ncas/tips/st04-009

Protecting portable devices

What is at risk?

Only you can determine what is actually at risk. If a thief steals your laptop or mobile device, the most obvious loss is the machine itself. However, if the thief is able to access the information on the computer or mobile device, all of the information stored on the device is at risk, as well as any additional information that could be accessed as a result of the data stored on the device itself.

Sensitive corporate information or customer account information should not be accessed by unauthorized people. You’ve probably heard news stories about organizations panicking because laptops with confidential information on them have been lost or stolen. But even if there isn’t any sensitive corporate information on your laptop or mobile device, think of the other information at risk: information about appointments, passwords, email addresses and other contact information, personal information for online accounts, etc.

How can you protect your laptop or internet-enabled device?

  • Password-protect your computer: Make sure that you have to enter a password to log in to your computer or mobile device (see Choosing and Protecting Passwords for more information).
  • Keep your valuables with you at all times: When traveling, keep your device with you. Meal times are optimum times for thieves to check hotel rooms for unattended laptops. If you are attending a conference or trade show, be especially wary—these venues offer thieves a wider selection of devices that are likely to contain sensitive information, and the conference sessions offer more opportunities for thieves to access guest rooms.
  • Downplay your laptop or mobile device: There is no need to advertise to thieves that you have a laptop or mobile device. Avoid using your device in public areas, and consider non-traditional bags for carrying your laptop.
  • Be aware of your surroundings: If you do use your laptop or mobile device in a public area, pay attention to people around you. Take precautions to shield yourself from “shoulder surfers”—make sure that no one can see you type your passwords or see any sensitive information on your screen.
  • Consider an alarm or lock: Many companies sell alarms or locks that you can use to protect or secure your laptop. If you travel often or will be in a heavily populated area, you may want to consider investing in an alarm for your laptop bag or a lock to secure your laptop to a piece of furniture.
  • Back up your files: If your mobile device is stolen, it’s bad enough that someone else may be able to access your information. To avoid losing all of the information, make backups of important information and store the backups in a separate location (see Good Security Habits for more information). Not only will you still be able to access the information, but you’ll be able to identify and report exactly what information is at risk.

What can you do if your laptop or mobile device is lost or stolen?

Report the loss or theft to the appropriate authorities. These parties may include representatives from law enforcement agencies, as well as hotel or conference staff. If your device contained sensitive corporate or customer account information, immediately report the loss or theft to your organization so that they can act quickly.

Author

Mindi McDowell through US Computer Emergency Readiness Team (US-CERT)