Attorneys need to be alert for a phishing scam that is happening around the country. An email comes from what claims to be either a local bar association or a State disciplinary counsel. The message falsely states that a disciplinary action has been filed against the attorney.

The recipient will be told to either click on a link or open an attachment to get more information. DO NOT DO THIS! Delete this email ASAP!

The links and attachments likely contain malware or a virus that will infect the recipient’s computer and capture all sorts of personal and financial information.

Any attorney who gets this type of email should contact her local bar association to alert them about the scam.

I’ve written over the years about the proliferation around the holidays of scams and phishing schemes. The scammers count on consumers being so busy during the holiday season that they become less vigilant about protecting their personal and financial information.

Ryan Francis has written an excellent article compiling 10 of the scams that occur regularly during the holidays (www.csoonline.com; “10 top holiday phishing scams”; November 21). In his article, Mr. Francis cites the 6 holiday threats identified by Jon French, security analyst at AppRiver.

Mr. Francis’ article is worth reading for more details. Here’s a quick list of the threats identified by Mr. French:

  1. Fake purchase invoices;
  2. Fake shipping status messages that contain malware;
  3. Flyers and sales deals that arrive by email: these are tricky, since there will also be legitimate flyers and sales information during the holidays;
  4. Fake but legitimate-looking links and URLs: these are constant throughout the year, but scammers know that busy consumers might not take the time to check whether a link or URL looks suspicious;
  5. Hacked bank accounts: consumers always need to be careful, but especially during the holidays; make sure to check ATMs for “skimmer” devices; and
  6. Fake email surveys that offer money or gift cards for filling them out; doing so could mean infecting your computer with malware.

As the old saying goes, crime never takes a holiday. So be extra vigilant this holiday season.

The OPM hack continues to create havoc, as reported on the Nextgov website in a story titled “Ransomware Emails Use OPM Breach To Lure Victims” (www.nextgov.com). This is a “must read” for the countless current and former federal employees whose personal information was taken in the breach. And, as the story emphasizes, the alert matters even for people who are not current or former federal employees, because the personal information of family members and others might also have been obtained by the hackers.

Emails from the hackers were sent out on Tuesday, November 8th. Anyone receiving an email that is allegedly from an OPM “account manager” must delete it ASAP! The email, per the Nextgov article, says that there have been “suspicious movements” in the recipient’s account. The email carries an attachment that the recipient is told to open to learn about these allegedly suspicious activities.

Do not open it! The attachment contains malware that will lock and then encrypt the recipient’s computer until and unless a ransom is paid.

The scheme was uncovered by the firm PhishMe; Brendan Griffin, a PhishMe Malware Analyst, told Nextgov that the ransomware email was likely sent to millions of individuals. How to tell if the email is part of this ransomware scheme? As the Nextgov article highlights, the email contains typos and poor grammar.

So — again — be very careful if you got one of these emails — and be aware of any similar schemes in future emails that appear to be from OPM.

Michelle Singletary writes The Color Of Money column in The Washington Post. Her October 26th column was timely and insightful: she outlined various ways consumers could, but often do not, more proactively protect the privacy of their personal and financial data (“Protecting yourself on the Web? Probably Not”; http://wapo.st/michelle-singletary).

In her column, she cited the November issue of Consumer Reports, whose lead story is “How to Protect Your Privacy: Smart and easy ways to keep your data safe.” Her description of this article was excellent, so I read the cover story.

It is an issue and an article that consumers should read ASAP! The lead article also has links to other Consumer Reports stories on this topic. I found the September 20th article titled “66 Ways to Protect Your Privacy Right Now: Do one, some, or all. Each will make a difference” especially useful — concrete details, written well and without jargon.

Consumers should read Ms. Singletary’s October 26th column as well as the November issue of Consumer Reports, including the lead article and the others it links to. This will be time well spent — consumers will come away equipped with the kind of information they can use to more proactively protect their sensitive private information.

The Federal Trade Commission (FTC) has just issued some very helpful guidance aimed at helping businesses address data breaches (www.ftc.gov). While the guidance is written for businesses, it is also very useful for consumers, because the video and guide outline the steps the FTC considers reasonable for a business to take.

So consumers should know about the guidance and review it. Why, if it’s aimed at businesses? Precisely because it is aimed at businesses. Consumers can educate themselves about what businesses should do if they suspect a data breach. That way, consumers whose data has, or might have, been breached can be knowledgeable and proactive in asking the business the right questions — starting with, “did someone in your organization get, review and then implement the FTC’s guidance?”

The FTC’s guidance is called Data Breach Response: A Guide For Business. The video and written guidance provide concrete and sensible advice for businesses that suspect a data breach. It’s excellent guidance and will help consumers as well as businesses.

I’ve previously reported on the FCC’s expanding privacy jurisdiction. In particular, Chairman Tom Wheeler has proposed new privacy rules that will apply to Internet Service Providers (ISPs). My prior concerns about these rules include the fact that they do not apply to the so-called “edge providers” (e.g., Google, Amazon, Facebook) and so the lauded privacy protections will not cover many of consumers’ online activities.

The prior proposed rules had been open for public comment; the newly revised proposal has been amended to incorporate some of the comments and concerns that had been raised. The latest version goes to the entire Federal Communications Commission (Commission) on October 27th for a vote.

The Commission will be voting on a revised proposal that will require ISPs to tell their customers about the ways in which their personal information will be collected, used and shared. Are these good end goals? Yes — and it’s precisely because these are worthwhile and important goals that the Commission should have prepared a set of rules that would have encompassed more of the online entities with which consumers interact.

However, the new proposal has a category of “sensitive” information for which consumers would have to give affirmative permission to the ISPs before the ISPs could use and share it. The list omits such personal information as a consumer’s name and email address — these are considered “non-sensitive,” and an ISP could share them unless a consumer opts out. Why is this bad? A consumer could consider his name and/or email address sufficiently sensitive that he would want control over whether it’s used and shared; opt-out puts the burden on the consumer, so the default is that this information will be used and shared unless the consumer takes whatever steps are needed.

The privacy of consumers’ personal information will still not be protected as completely or effectively as it could have been had Chairman Wheeler and the Commission tackled the harder issue — including the many online entities with which consumers interact more frequently. These other entities collect as much personal information as the ISPs, perhaps even more, and are subject to far less stringent rules than the FCC’s proposal for ISPs.

Here’s yet another one of those scam emails intended to scare consumers into acting fast and handing scammers their personal financial information.

I got an email from “Chase” with an exact replica of its logo. The heading was “Account Has Been Suspended” and the email said that my online Chase account had been suspended due to a violation of the terms of service. The email included a link to a Chase site and said I needed to go to that site and confirm my account information.

I don’t have a Chase online account, but this still gave me concern. I didn’t open the link and immediately called the Chase customer service number and got a very knowledgeable customer service representative. He asked me precise questions about the email itself that conclusively confirmed this was spam.

Here are his very important tips about any legitimate emails that Chase sends to customers:

  • The customer’s name is in the body of the email. The email I got didn’t have my name.
  • The last four digits of the customer’s account will be included, but only the last four digits. The email I got didn’t have any account digits.
  • Be careful even if this specific information is included, since scammers are getting more and more sophisticated and might be able to include some or all of this individual information.

He asked that I forward the email to the Chase security division that collects and addresses these scams — he said it’s very important that Chase learn about these scams in “real time”. I forwarded the email to: abuse@chase.com. I got an automatic reply which repeated what I had heard and said Chase customers should call the customer service number or contact them (chase.com/contactus) about any suspicious emails.
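The representative’s tips can be turned into a first-pass triage check that a help desk or abuse mailbox could run over a forwarded message. The Python below is an added example, not code from this post or from Chase; it assumes the message is available as raw RFC 822 text and checks the sender domain, the customer name, the masked account digits, and where each link really points. The sample message is constructed to mirror the one described above.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Simple anchor extractor: (href, visible text). Adequate for triage of typical
# HTML mail; production tooling would use a real HTML parser instead.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def _host(url):
    # Hostname of a URL, tolerating link text with no scheme (e.g. 'www.chase.com').
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def _on_brand(host, brand):
    return host == brand or host.endswith("." + brand)

def triage(raw, customer_name, last4, brand="chase.com"):
    """Return the indicators that fired for one raw message (empty list = none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    findings = []
    sender = msg["From"].addresses[0].domain.lower()
    if not _on_brand(sender, brand):
        findings.append(f"sender domain {sender} is not {brand}")
    # Tip 1: a genuine message addresses the customer by name.
    if customer_name.lower() not in body.lower():
        findings.append("body does not address the customer by name")
    # Tip 2: a genuine message quotes the last four digits of the account.
    if not re.search(rf"(?<!\d){re.escape(last4)}(?!\d)", body):
        findings.append("body shows no account number ending in the last four digits")
    # Links: where does each one really go, and does that match what is displayed?
    for href, text in ANCHOR.findall(body):
        host, shown = _host(href), re.sub(r"<[^>]+>", "", text).strip()
        if not _on_brand(host, brand):
            findings.append(f"link points to off-brand host {host}")
        if re.match(r"(https?://|www\.)", shown) and _host(shown) != host:
            findings.append(f"link text shows {_host(shown)} but points to {host}")
    return findings

# Constructed sample modelled on the message described above; not a real email.
SAMPLE = """From: "Chase" <alerts@chase-secure-login.example>
Subject: Account Has Been Suspended
Content-Type: text/html

<p>Your online account has been suspended due to a violation of the terms of service.
Confirm your account information at
<a href="http://chase.com.verify-account.example/login">https://www.chase.com/</a></p>
"""
```

Running `triage(SAMPLE, "Jane Doe", "1234")` reports all five indicators for the sample; a message from the real domain that names the customer and quotes the last four digits reports none.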

It’s even worse than originally thought. Today’s top news includes an update about the Yahoo data breach I wrote about yesterday. Now it’s being reported that at least 500 million Yahoo customer user accounts were hacked back in July. I now repeat with even greater emphasis and urgency what I said in yesterday’s post — Yahoo customers have to change their passwords right now!

Why is this mega data breach only being announced now by Yahoo — who knows the real reasons? The company is offering some of the usual explanations for this kind of 2+ month delay. They’re saying they needed time to investigate the breach after the first signs were detected that accounts were being hacked. The cynics — or realists — among us might also suggest that Yahoo wanted to wait until the Verizon deal was completed.

Regardless, the damage is done. What information was hacked? Per Yahoo, the hackers might have gotten customers’ email addresses, phone numbers, dates of birth and answers to security questions. Yahoo claims that customers’ credit card numbers weren’t stolen since that information is kept in a separate system.

However, Yahoo customers shouldn’t assume that there won’t be ways hackers can use the information they’ve already gotten to try and gain access to customers’ financial information.

Again, Yahoo customers must change their passwords ASAP and be very alert to suspicious financial transactions on credit and debit cards as well as bank accounts.

As was reported over the summer, Yahoo is investigating what appears to be a massive data breach. Graham Cluley posted an article today in which he said that, per a report by Recode, Yahoo might be making an announcement very soon about that investigation (www.grahamcluley.com; “Yahoo ‘expected to confirm massive data breach’ says Recode”).

The hacker or hackers were rumored to have gained access to 200 million user accounts. In fact, Yahoo has been sending out emails to users urging them to change their passwords.

It’s always a smart move to change passwords, and that reminder is now even more timely for Yahoo users.

I’ll keep everyone posted as more news emerges about this breach.

I’ve written before about the set-top box proposal that the FCC Chairman Tom Wheeler and his fellow Commissioners were considering. The proposal generated strong pushback from various industry components due to a variety of content and competition issues. My concern is from a privacy perspective since the original proposal would have presented a cascading number of issues due to the number of companies that would have had potential access to consumers’ data.

Chairman Wheeler and the FCC responded to the criticisms by redrafting the proposal. He just circulated the revised proposal yesterday (Thursday, September 8th) as part of the FCC’s September meeting agenda. The latest proposal would give all the affected industry entities 2 years to implement the changes.

I’m going to review this latest version to see what, if any, improvements have been made from a consumer privacy perspective. I’ll post my analysis once I’ve done my review.

Stay tuned.