We’re into the holiday season which should be a happy time for people. But it’s also the time of year when, unfortunately, the scammers are keeping busy figuring out ways to steal personal and financial information. The scammers count on people being so busy, and receiving so many holiday-related emails, that they are less careful about online scams and suspicious-looking emails.
There are resources that can help people avoid having the holidays marred by these scams. The United States Computer Emergency Readiness Team (US-CERT) has a blog providing very helpful tips as well as a list of links to other useful resources (www.us-cert.gov; “Holiday Season Phishing Scams and Malware Campaigns”).
I’m summarizing the US-CERT article into the top 5 tips:
- Malware can come in electronic greeting cards;
- Charitable contribution emails could be phishing scams coming from scammers; verify whether the charity’s authentic by going to the Better Business Bureau’s National Charity Report Index or the Federal Trade Commission’s Charity Checklist;
- Online shopping ads might actually be phishing scams or identity theft attempts from scammers posing as retailers;
- Do not follow unsolicited web links in email messages; and
- Use caution when opening email attachments.
Take the time to read the US-CERT article and look at some of the other helpful resources listed there (e.g., “Using Caution with Email Attachments”; “Recognizing and Avoiding Email Scams” (pdf)). A few minutes doing so might help you protect your personal and financial information, your computer and help make for better holiday memories.
The Better Business Bureau (BBB) has issued an alert about a scam that could reach countless Verizon Wireless customers (scam firstname.lastname@example.org; “Robo Calls Fool Verizon Customers with Fake Credit”; November 15). It’s a phishing scam that will sound and look very real so Verizon Wireless customers really need to be ready to defend against it.
Per the BBB, here’s how the scam works:
- A robo call comes to a Verizon Wireless customer’s cell phone;
- It’s a recording telling the customer that he’s got a credit on his Verizon Wireless account;
- The recording instructs the customer that there’s a special website he’s got to go to in order to claim the credit;
- Anyone going to the URL provided will find a website that looks very close to the legitimate Verizon site — same colors, logo and other characteristics;
- Once there, the customer’s instructed to enter his account username, password and/or credit card information.
The BBB says one tipoff about this fake website is that the amount of credit the customer is supposedly owed matches the URL provided. The BBB says, for example, the customer will be instructed that his $123.00 credit can be claimed by going to vzw123.com.
BBB also warns consumers that it’s very easy to steal the logos, colors, headers and other “brand” identifiers of a legitimate business. They urge consumers to really look closely at the URL since scammers are able to make the one for their phishing website look very similar to the one for the legitimate business they’re impersonating.
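The BBB’s advice to “look closely at the URL” can be turned into a simple check. The following is an added example I wrote for this post; it is not code from the BBB or from Verizon. The list of legitimate domains and brand tokens is a constructed stand-in for what a real brand-protection list would contain, and, in the absence of a public-suffix list, it treats the last two labels of a host name as the registered domain (an assumption that is fine for .com but not for every country-code domain).

```python
import re
from urllib.parse import urlparse

# Constructed for this example: the domains the brand actually owns.
LEGITIMATE_DOMAINS = {"verizonwireless.com", "verizon.com"}
# Constructed for this example: short strings a lookalike site would reuse.
BRAND_TOKENS = ("verizon", "vzw")
# "vzw123", "verizon45" ... the BBB's credit-amount-in-the-URL pattern.
BRAND_PLUS_DIGITS = re.compile(
    "(" + "|".join(re.escape(t) for t in BRAND_TOKENS) + r")\d+"
)


def registrable_domain(host):
    """Return the registered domain of a host.

    Assumption: no public-suffix list is available, so the last two labels
    are taken as the registered domain (www.verizonwireless.com ->
    verizonwireless.com).
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def lookalike_findings(url):
    """Return a list of reasons a URL looks like a brand impersonation.

    An empty list means the URL is on the brand's own registered domain
    (or a subdomain of it) or shows none of the checked warning signs.
    """
    # Accept bare hosts like "vzw123.com" as well as full URLs.
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = parsed.hostname or ""
    if registrable_domain(host) in LEGITIMATE_DOMAINS:
        return []  # genuine site; nothing to flag

    findings = []
    # The brand name appears somewhere in a host the brand does not own,
    # e.g. verizonwireless.com.example.net or vzw123.com.
    if any(token in host for token in BRAND_TOKENS):
        findings.append("brand name inside a domain the brand does not own")
    # The brand token is followed by digits, the BBB's "$123 credit at
    # vzw123.com" tell-tale.
    if BRAND_PLUS_DIGITS.search(host):
        findings.append("brand token followed by digits (credit amount in URL)")
    return findings


if __name__ == "__main__":
    for sample in ("http://vzw123.com/claim",
                   "https://www.verizonwireless.com/myaccount",
                   "http://verizonwireless.com.example.net/login",
                   "https://example.com/"):
        print(sample, "->", lookalike_findings(sample) or "no findings")
```

A check like this only catches the crude patterns the BBB describes; it says nothing about a phishing site on an unrelated domain, which is why the BBB’s first rule (contact the business through a number or address you already have) still applies.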
As BBB noted, the scam keeps changing as the phishing websites get closed by various authorities. But that only means the scammers come up with new scams, not that they give up. So keep remembering these important final points from the BBB:
- Do contact the legitimate business to see if the offer (or other reason for the contact) is real; and
- Don’t go to any URL, or provide any of the personal information requested, when you’ve got a doubt.
It’s better to take the time to be sure than regret not having done so.
Graham Cluley and the U.S. Computer Emergency Readiness Team (US-CERT) have just issued alerts about Cryptolocker, a new type of ransomware. As Mr. Cluley reports, the alert about Cryptolocker was first reported in the United Kingdom (see, grahamcluley.com; “Cryptolocker: What is it? And how do you protect against it?”; November 16). US-CERT issued a first warning about Cryptolocker in early November and then posted an update on November 18th (see, http://www.us-cert.gov; “Cryptolocker Ransomware Infections” (TA-13-309A)).
The reports from Mr. Cluley and US-CERT provide detailed information about Cryptolocker — what it is; how it works; and how people can try to protect their computers against it. Here is just a brief overview; consumers will want to read both reports, since the “how to protect” aspects are very detailed.
Very briefly, here’s how Cryptolocker works:
- It is a new variation on prior ransomware schemes — schemes that capture a victim’s computer and hold it hostage until a ransom is paid;
- It is targeting computers running versions of Windows; Mac computers aren’t affected;
- It is a “Trojan Horse” scheme as it’s spread via spammed emails;
- The spammed emails look as if they’re coming from banks and financial institutions;
- The spammed emails have an attachment that the recipient is told to open;
- The computer is captured and infected once the attachment’s opened;
- Once infected, all of the files on the computer become encrypted and can’t be opened;
- Another message comes up demanding a ransom so the owner can get the decryption key.
What should consumers with computers running Windows do?
- Read the reports from Mr. Cluley and US-CERT to learn more about the email formats so they don’t open the attachment;
- Read their reports to understand the consequences either from paying or not paying the ransom;
- Read their reports to learn how to pro-actively protect your computer — including backing up your files; and
- Read the list of references in the US-CERT report which also includes links to Microsoft to learn more.
Cryptolocker is a major ransomware spamming scheme and consumers running Windows need to be aware, be alert and be pro-active.
Facebook users should also read the November 15th blog by Erin Egan, Facebook’s Chief Privacy Officer, Policy (https://www.facebook.com; “Updates to Data Use Policy, Statement of Rights and Responsibilities Take Effect”). In brief, Ms. Egan said that “…nothing about this update changes advertising policies and practices….” She wrote that the changes only clarified Facebook’s prior policies.
Ms. Egan’s lengthy blog outlines many areas about which Facebook users need to be aware (e.g., use of tags, advertising, setting changes). Facebook users might not mind having their posted information used in ads but they should know what is being done — and what, if anything, they can do about it. I also encourage Facebook users to periodically visit the Facebook “Site Governance” and “Privacy” pages to keep current on any future policy changes.
Health care issues, and patients’ rights, are in the forefront of the news. However, along with the accurate information, there is also confusing and inaccurate information being produced.
The good news for patients and consumers is that they can find accurate information presented in easily understandable terms at the Department of Health and Human Services (HHS) website (www.hhs.gov). The HHS Office for Civil Rights (OCR) has produced various YouTube videos, fact sheets and brochures that provide up-to-date guidance on an array of topics.
For example, I watched the just-released HHS/OCR video titled “Your New Rights Under HIPAA” (HIPAA stands for the Health Insurance Portability and Accountability Act). The video highlights some of the important new rights for patients under HIPAA (http://www.youtube.com/watch?v=3-wV23_E4eQ).
The video explains, among other points, that:
- patients are entitled to get an electronic copy of their information (and that doctors might charge a small fee for copying the records or producing a thumb drive);
- patients can ask that their doctor send the patients’ medical information to a friend or family member who’s involved with the patients’ medical care;
- there are new tougher limits on the sale of health information, including the fact that this can’t be done (with a few exceptions) without getting permission from the patient;
- parents and guardians now have an easier way to share a child’s immunization information with the child’s school; and
- Privacy Policies of doctors should include information about the above (and other) new rights.
OCR has produced 10 other mini-videos on health issues; they can be found at: http://www.youtube.com/user/USGOVHHSOCR. They have also produced four consumer fact sheets (available in eight different languages). The fact sheets can be found at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/consumers. The fact sheets are handy reference guides that are worth reading.
People need to be pro-active to learn how they can access and control their health information, have it shared or not shared as they wish and better protect their privacy. The HHS/OCR materials are excellent resources that will help everyone do so.
Back on October 4th and 7th, I wrote about the hackers who had gotten into the customer Adobe files (see, “Top 5 Things to Know About Adobe Hacking” and “Alert! Adobe Hacking Update”).
When the breach was first reported, Brad Arkin, Adobe’s Chief Security Officer, estimated there were around 2.9 million Adobe customers whose Adobe IDs, names, encrypted passwords, encrypted credit and/or debit card numbers (and expiration dates) along with order details had been hacked. That now seems like a vastly underestimated number.
Anna Brading just reported that the final number is 38 million active Adobe customers (see, nakedsecurity.sophos.com; “Adobe breach THIRTEEN times worse than thought”). Ms. Brading’s report is based on an announcement by Heather Edell, an Adobe spokesperson. In her announcement, Ms. Edell says that Adobe has finished its investigation during which it identified the 38 million Adobe customers with active accounts who were affected. Ms. Edell says those customers have already been contacted and that Adobe is now investigating whether any inactive Adobe customer accounts were hacked.
This is a “heads up” to Adobe customers — keep an eye on your credit and debit card bills and other financial account statements. Remember to change passwords and don’t use the same one for multiple accounts. Do check the Adobe website for further updates.
Many consumers know that advertisers and companies are tracking their online footprints. People might not like it but they accept it as part of using the Internet regularly.
Mozilla understands that consumers might want to know who’s tracking them. So Mozilla created Lightbeam, a new app that allows consumers to do just that. It’s an add-on that can be downloaded onto the Firefox browser. Lightbeam is an updated version of Collusion, an earlier Firefox add-on.
How does Lightbeam work? Nick Heath has an excellent article that also has a screen shot showing how Lightbeam works (www.zdnet.com; “Want to know who’s spying on you online? There’s an app for that”; October 25). In a nutshell, per Mr. Heath, each time a consumer visits a website Lightbeam will log “….every web address that is connecting to your machine, revealing how visiting a single website can result in your computer to (sic) connecting to many different web servers. Each of these servers may be controlled by different companies, and send and collect different information —for example, serving up images and adverts on the site or placing tracking cookies on your computer.”
Mr. Heath’s screen shot is a visual depiction of what a consumer will be able to see about the tracking.
I went to the Mozilla site to read more about Lightbeam (https://addons.mozilla.org; “Lightbeam for Firefox 1.0.2”). The Mozilla site has more details about Lightbeam and the fact that it will enable consumers who download it to see both first and third party sites with which the consumer is interacting. Consumers will, per the Mozilla article, be able to save a copy of the “connection history” which is the place where a consumer “…can see the specific data collected by the add-on.”
Consumers might want to take a look at Lightbeam, if for no other reason, to understand more about the different methods being used for online tracking.
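To make the first-party/third-party distinction concrete, here is an added example of my own; it is not Lightbeam’s code and is not from Mozilla or Mr. Heath. It takes a page’s address and its HTML, collects every script, image, iframe and stylesheet address the page asks the browser to fetch, and sorts the hosts into “same company as the page” and “somebody else” using the same last-two-labels rule a person would apply by eye. The page address and the HTML are constructed for the example; the host names in it are invented.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags whose attribute makes the browser open a connection to another host.
SRC_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}


def registrable_domain(host):
    """Registered domain of a host, assuming the last two labels are it
    (no public-suffix list in this example)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class ResourceCollector(HTMLParser):
    """Collect absolute URLs of resources the page tells the browser to load."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = SRC_ATTRS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                # Resolve relative and protocol-relative ("//host/...") URLs.
                self.urls.append(urljoin(self.page_url, value))


def connection_report(page_url, html):
    """Group the hosts a page connects to into first- and third-party sets,
    the way Lightbeam's graph distinguishes the site you typed in from the
    other servers that visit pulls in."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    own_domain = registrable_domain(urlparse(page_url).hostname or "")
    first, third = set(), set()
    for url in collector.urls:
        host = urlparse(url).hostname
        if not host:
            continue
        if registrable_domain(host) == own_domain:
            first.add(host)
        else:
            third.add(host)
    return {"first_party": sorted(first), "third_party": sorted(third)}


# Constructed sample page: one shopping page pulling in its own CDN plus
# an ad pixel, a social widget and a web font from other companies.
SAMPLE_PAGE_URL = "https://www.shop-example.com/deals"
SAMPLE_HTML = """
<html><head>
  <link rel="stylesheet" href="https://fonts.example-fonts.com/css?family=Sans">
  <script src="https://cdn.shop-example.com/app.js"></script>
  <script src="//ads.tracker-example.net/pixel.js"></script>
</head><body>
  <img src="/images/logo.png" alt="logo">
  <iframe src="https://social-example.org/like?page=deals"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for party, hosts in connection_report(SAMPLE_PAGE_URL, SAMPLE_HTML).items():
        print(party, "->", ", ".join(hosts))
```

One caveat worth keeping in mind: this reads only the HTML, so it sees the connections the page declares up front. Lightbeam watches the browser’s actual requests, so it also catches the servers that scripts contact after the page has loaded, which is where much of the tracking Mr. Heath describes takes place.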
The Better Business Bureau (BBB) has just issued an alert about the latest scam being used by thieves to steal money and/or personal information (see, scam email@example.com, “Scammers Impersonate Police with Spoofed Caller ID”). Consumers need to be very alert to this ploy. BBB says the scam is being used all around the country.
The scammers have gotten hold of a computer program that lets them change the phone number displayed on Caller ID — the spoofing part of this scam. The scammers are using this technology to place calls that show the real phone numbers of local sheriff or police offices when the recipients check Caller ID.
The intended victims see the legitimate phone number, answer the call and are then told by the scammers (posing as the local sheriff or police) that there’s an arrest warrant out for them. BBB reports that some of the scammers have been using the real names of local sheriffs or police officers in the calls — thus making the threat seem more legitimate.
The scammer tells the intended victim that he can avoid the criminal charge by paying a fine. Here’s the next part of the scam: the scammer says the fine can only be paid by a money order or pre-paid debit card.
Now many people will see through this scam but others will be scared into paying — maybe because the scammer uses the real name of a local police officer; or because they might not know what fines could exist for them; or because the scammer already has some personal information about the intended victim. BBB cited the case of a Detroit-area woman who became a victim because the scammer specifically mentioned a loan she’d taken out (that alone raises more questions about how the scammers got that information).
Consumers should remember these “Do’s” and “Don’ts” to avoid becoming a victim:
- Don’t wire money: legitimate police forces don’t operate by calling people and asking for money over the phone;
- Do hang up ASAP: don’t call back as doing so might give the scammers more personal information they can later use for other criminal ends;
- Do call the real local police or sheriff’s office: let them know about the call so they can alert others in the area; and
- Don’t give out personal information: scams come in different formats and approaches but they all want the same thing — consumers’ money and/or personal information.
As explained in the Facebook announcement, and in Mr. Goel’s article, teenagers who choose “Public” in the audience selector will automatically get a reminder that by doing so, their post will be seen by anyone. The Facebook announcement and Mr. Goel’s article both have a screen shot mockup of what this reminder will look like. The screen shot mockup shows that teenagers will have the option to change the post’s privacy setting. The Facebook blog has a second screen shot mockup that shows the follow-up reminder that will come up if the teenager has chosen the “Public” setting. The follow-up reminder tells the teenager that picking “Public” means the post will be shared with people whom the teenager doesn’t know.
This is a significant change about which parents need to know — and which they will want to discuss with their teenagers who use Facebook. Teenagers might or might not fully understand what it means to have their posts published to a wide audience of people they don’t know — and people who might use the teen’s posts, or personal information, in ways the teen doesn’t like or want (either now or in the future).