The Job Scam That Even You Could Fall For


This might be the most sophisticated job scam I’ve ever seen. Thanks to a near-victim, you’ll get a rare chance to see a real pro almost pull off a nearly perfect digital caper.

You do things when you are job hunting that you wouldn’t normally do. You meet strangers. You share a lot of personal information with the world, on resumes and through job sites. You’re vulnerable. And most critically: You generally need money. It’s a scammer’s dream, and that’s why job-hunting scams are so persistent and prevalent.

Every chance I get, I try to explain that “smart” folks fall for scams all the time — and those at greatest risk are those who think they are too clever for criminals. This is one of those stories.

Josh Belzman is not just a tech savvy worker; he’s spent the better part of the last decade as a social media professional in Seattle. He’s been working in and around the internet’s cesspools for years.

Still, he recently went halfway down the aisle with a criminal offering the false hope of an exciting job in social media. Like all victims and near victims, he couldn’t stop blaming himself as he described the sequence to me — but I can see exactly why Josh danced with the devil.

Josh, 39, is job hunting, and he received an email from a woman named Morgan who said she worked for a big law firm and needed contract social media work for $39-$45 an hour. That kind of short-term gig is exactly what people like Josh need while they look for their next career step.

“I probably should have trusted my spidey sense and not engaged at all but you know how it goes when looking for work — your guard and confidence can drop,” he said.

Morgan asked for a Google hangout chat as a first step. Josh did his due diligence, and Googled her. Up came a LinkedIn profile that checked out. She had a long professional history in the Seattle area, including alleged stints as a ski instructor at nearby Snoqualmie Summit. It said she had worked at various law firms dating back to 2009. The firm (I won’t mention it) was real. So he jumped online, ready to answer her questions and ask a few.

Generally, con artists betray themselves during real-time interactions. They speak poor English, they show obvious lack of subject matter knowledge, and there are awkward delays. Morgan exhibited none of those. In fact, her questions for Josh were spot on. Here’s a partial list I pulled from a transcript of their chat.

“Could you give us an example of a limitation on a social platform that you have experienced? How did you overcome this?”

“Have you ever had to handle a Social Media crisis? If so, could you provide an example and how would you describe your work ethics?”

“How would you allocate our Social Media advertising budget and How do you evaluate new social platforms? How do you stay on top of the latest updates and innovations in Social Media?”

“Do you have your own blog? Do you currently write content for various Social Media platforms and why should we hire you?”

Josh answered each one deliberately. After each response, she replied, “good,” “very good,” and eventually “great.” All what you’d expect, or even hope for, during an interview.

Reading through the full transcript, you can see in retrospect that all these questions could have been cut and pasted from a script. In fact, I suspect the criminals somehow lifted them from an actual interview involving a social media position — perhaps they’d applied for a job themselves earlier just to understand what “marks” would expect.

Only once was there something more that might have tipped off Josh. When he, smartly, tried to interrupt and ask his own questions, Morgan’s reaction was a bit off.

Josh: Mind if I ask a few questions about the role?

Morgan: Sure when we done with this process so you can get all the details you need to know.

But that’s it. The rest of the interview went as you might expect. LinkedIn page and all. Until …

Morgan: How soon can you begin work if luckily chosen for the position, do you need any our Company benefits and what means of Payment would you prefer; Check Or Direct Deposit?

Morgan: What bank are you with for Direct deposit/Check so we can see if it tallies with our preferred banks and do you have any question before i move forward?

Josh: I’m not comfortable sharing banking info online.

(Morgan may not be on Hangouts right now. Your messages will be seen later.)

The “line” went immediately dead.

Fortunately, after an hour of “seduction” and with the lure of a $35-an-hour job, Josh did listen to his spidey sense and threw up a roadblock. And as soon as Morgan saw he wouldn’t play along, she “hung up” on him.

An hour or so wasted, but it could have been much worse.

“I should have never entertained this — the initial email was sketchy but I chalked that up to some office admin being asked to help find candidates,” he said. “Going back through I see very few comments in ‘her’ voice — just a lot of cut-and-paste questions and ‘OK good.’ Amazing the tricks your mind plays on you when you’re visualizing a certain situation.”

After the disconnect, Josh called the firm and was told no one by that name worked there.

I, however, did find someone with her name who had posted a resume that was similar. It’s likely the con artists assumed elements of her identity for the scam. I emailed her, and got no response. I also emailed the person who chatted with Josh and got no response.

“The initial email was unsolicited with that odd name but I saw the LinkedIn profile and I’ve had some of those mails come through (job sites),” Josh said. “The hangout thing raised eyebrows but I suspended some of that because I got caught up answering the questions.”

Tips for Avoiding Scammers

So what should you do? The big one: Always trust your gut. I pretty much never talk to anyone who falls for these things who doesn’t say they had a queasy feeling in their stomach at some point.

Also, do what Josh did. Say it out loud: “I’m not comfortable with that.” It’s a handy phrase. A real person will react with an apology to that, like “Oh, I’m sorry, I didn’t mean to make you uncomfortable.” A con artist, or a bad person, will push you instead. Or hang up.

Finally, be realistic. If you are out of work, you are vulnerable. No matter how smart and put together you think you are. Know that going in. You’ll be more likely to hit the pause button if things go south, and generally, hitting pause is enough to scare off bad guys.

Here’s a handy list of ways to spot “Work at Home” scams. And if you think you’ve already fallen prey to an identity theft scam, it’s a good idea to keep a close eye on your credit. New accounts you don’t recognize on your credit reports or a sudden drop in credit scores are signs that fraud is afoot. (You can pull your credit reports for free each year at AnnualCreditReport.com and view two of your credit scores for free each month on Credit.com.) You can find more steps to take if you are an identity theft victim here.


The post The Job Scam That Even You Could Fall For appeared first on Credit.com.

7 Steps to Safer Passwords for All Your Online Accounts


Some passwords are funny. Some are pretty weird. Some can be a math problem. Many can be laughably easy to hack (I give you “dadada,” “qwerty,” “password” and “123qwe,” to name a few) — or very tricky. But one thing is for sure, they are never really 100% hack proof.

Earlier this month, news broke that a significant number of Twitter passwords had been compromised and were being offered to anyone willing to fork over 10 bitcoins, or roughly $6,700, as of this writing. More than 32 million users were included in the cache of information on the cyber creep auction block. Hacked information database Leaked Source said in a blog post that it received the data set from a user under an alias.

Your Information Is Out There

The first takeaway: Anyone can scavenge and rumor-chase to find purloined login credentials. The second: You are not safe, and identity-related crimes are the third certainty in life, right behind death and taxes. (You can monitor your credit for signs of identity theft by viewing two of your credit scores for free each month on Credit.com.)

Twitter has told multiple news outlets that its systems were not breached. Leaked Source said the passwords appeared to have been grabbed by malware.

How to Keep People Out of Your Stuff

While knowing that your information is out there is an important piece of the personal data security puzzle, keeping your accounts safe is even more crucial.

While there has been much innovation in the world of data security, nothing has proven foolproof yet. Biometric authentication using fingerprint and iris scans is promising, but their adoption is far from universal and not without some spoofing issues.

There are tokens and cards that can complement passwords, but those are fallible for the reason that they can be stolen or lost.

Multi-factor authentication is probably the best way to deal with security issues, but it does not necessarily strike the best workplace balance between security and convenience. The Pixar movie “Monsters vs. Aliens” provides a comical scene that demonstrates why it’s not the most practical approach (the character has to provide a hand, foot, tongue, elbow and butt scan to gain access to the president’s situation room).

Passwords Are Still the Best Option

As things stand now, a password coupled with a second factor of authentication known only to the user — like a visual prompt — is the best personal security solution.

Because we have many accounts and they should all have separate passwords, most consumers have a problem keeping all that information straight. There are apps for that, of course, and if you are OK with cloud-based solutions — bearing in mind that nothing is un-hackable — you might want to check out a service like 1Password, which allows you to store all your passwords, PINs, credit card numbers, and more. PasswordWallet 4 and Dashlane provide similar services. Bear in mind that they are not the only good games in town. So do your research and read reviews. Keep in mind, too, some password managers charge for their services.

The upside to password valets is clear — you only have to remember one password. If that’s of interest, you still need to make sure that password is very strong.

Rules of the Road for Effective Passwords

If you decide not to use a password manager, never store your passwords and user names in a document that resides on your computer. Save them on an encrypted thumb drive. Then you need only remember two things: Where you keep it and the password (hopefully long and strong) required for access.

The best practices here include a number of things you shouldn’t do:

1. Try to avoid single words, since many password-cracking programs use the dictionary.

2. Avoid letters and numbers that are close to each other on the keyboard.

3. Never use a password based on personal information that could well be available on social media or via a data breach. This would include your birthday or the birthdays of loved ones, children’s names, pet names, your high school or college mascots and the like.

4. Never use a password on a retail site that you use anywhere else. If that site gets hacked and the same login information is on a bank account, you’re toast.

And a few things you should do:

5. Create an easier password for sites that don’t have a great deal of your personal information, like news sites, video streaming services and the like.

6. Consider using a password generator. (Bear in mind this generally requires using a password management system, bought or homemade.)

7. Create long and strong passwords containing a phrase at their core. One thing that a brute force attack cannot do is guess the first line of a poem you wrote in fourth grade, especially if you have a simple math problem embedded in the middle of a word or two.
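
An added example, not part of the original article: a short Python check for the four "don't" rules above (items 1 to 4), run against the weak passwords this article names. The word list, function names and sample inputs are constructed for illustration; a real check would load a full cracking dictionary.

```python
import re

# Constructed sample of a cracking dictionary; real ones hold millions of entries.
# The first three entries are passwords the article itself calls easy to hack.
WORDLIST = {"dadada", "qwerty", "password", "monkey", "dragon", "sunshine"}

KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")


def longest_keyboard_run(password):
    """Length of the longest run of keys that sit side by side on one row."""
    s = password.lower()
    best = run = 1 if s else 0
    for prev, cur in zip(s, s[1:]):
        adjacent = any(prev + cur in row or cur + prev in row for row in KEYBOARD_ROWS)
        run = run + 1 if adjacent else 1
        best = max(best, run)
    return best


def check_password(password, personal_terms=(), used_elsewhere=(), wordlist=WORDLIST):
    """Return the numbers of the article's rules (1-4) that the password breaks."""
    broken = []
    lowered = password.lower()
    # Rule 1: a single dictionary word, even with digits or symbols bolted on.
    if re.sub(r"[^a-z]", "", lowered) in wordlist:
        broken.append(1)
    # Rule 2: three or more neighbouring keys in a row ("qwe", "123", "lkj").
    if longest_keyboard_run(password) >= 3:
        broken.append(2)
    # Rule 3: contains a personal detail (names, birthdays, mascots).
    if any(len(t) >= 3 and t.lower() in lowered for t in personal_terms):
        broken.append(3)
    # Rule 4: already in use on another site.
    if password in used_elsewhere:
        broken.append(4)
    return broken


if __name__ == "__main__":
    # Constructed inputs: the four weak passwords quoted in the article,
    # a pet-name password, and a phrase with a math problem in it (rule 7).
    for pw in ("dadada", "qwerty", "password", "123qwe"):
        print(pw, "breaks rules", check_password(pw))
    print("Rex2009!", "breaks rules",
          check_password("Rex2009!", personal_terms=["Rex", "2009"]))
    print("passphrase breaks rules",
          check_password("roses3+4=7are red at dawn"))
```
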

Most of us have day jobs. Identity thieves and scammers view grabbing our information and exploiting it for their gain as their day job. Always assume there is a never-ending riot overflowing with looters happening just outside your cyber house. That’s why you must be thoughtful, inventive and vigilant when creating passwords, for they are the locks to all your virtual doors and windows — even when you are home.


4 Signs Your Boss Is Spying on You

Chances are, your boss is keeping an eye on you. In fact, the American Management Association (AMA) reports that 43% of companies actively monitor employee emails and roughly the same number track the time you spend on the phone and who you call (16% go so far as to record those calls). Nearly half of companies say they use video to reduce theft and workplace sabotage.

Workplace monitoring is nothing new, of course. Bosses have probably been spying on employees for as long as they’ve been hiring people to work for them. But new technologies make it easier for companies to track their employees’ every move, while at the same time making it harder for workers to tell if they’re being watched.

From GPS tracking to checking your social media profiles, it’s not hard for a company to keep tabs on you. And, unless your boss tells you they’re spying, you may never know. (To be fair, the AMA reports that many companies do inform employees that they may be subject to monitoring.) This stealthy on-the-job surveillance is perfectly legal in most cases, which may come as a surprise to many people.

“Privacy in today’s workplace is largely illusory,” the AMA’s Ellen Bayer told The Week.

Not sure if your boss is using techniques to keep tabs on you? Here are four signs that you’re likely being watched at work.

1. You’re Secretly Planning to Quit & Your Boss Already Knows

More companies are mining big data to make predictions about which employees are likely to leave their job in the near future. And then there’s social media. If you’re connected to your boss on LinkedIn or have a public profile, they may get suspicious if your network suddenly starts to grow or you link up with recruiters or industry competitors. If your company is tracking the websites you visit or logging keystrokes, you may also alert your boss to your on-the-clock job search.

2. You’re Called Out for a Conversation You Thought Was Private

If your boss reprimands you for a less-than-professional conversation or email exchange that you thought was private, there’s a chance you have a tattletale co-worker. But it’s also possible that your supervisor could be spying on you, perhaps by scanning your email, monitoring your phone conversations, or even looking at the text messages you send on a work-issued device. If they’re using a key-logging program or other monitoring software, they may even know what you’re saying in your personal emails sent on any company-owned devices.

Don’t make the mistake of thinking that your boss doesn’t care about your idle workplace gossip, either, whether in person or something shared digitally. Thoughtless emails can come back to haunt you.

“Employers own the content on their own internal email systems and have the right to monitor what you write and to whom,” Jennifer Lee Magas, an employment law attorney and vice president of Magas Media Consultants, LLC, told MainStreet.com.

3. Your Boss Knows What You Did This Weekend Before You Tell Him

Does your boss seem to know an awful lot about your personal life? They could be checking out your Facebook, Twitter, Instagram or other social media profiles, even if you haven’t added them to your network or given them your password (something that some employers really do ask for, though laws about that are changing). Looking at your public profiles is a bit creepy, but it’s not all that unusual. And people have been disciplined or fired after their employers stumbled upon inappropriate posts, photos and comments online.

4. There’s Some Suspicious Software on Your Devices

If your company’s IT department is monitoring your computer use, it’s not always going to be immediately obvious. However, you can poke around on your computer to see if there are any telltale signs of monitoring software (Online Tech Tips has some advice on how to do that, if you’re so inclined). The same goes for unusual apps installed on smartphones. But don’t be too quick to uninstall something that looks suspicious or your boss may fight back.

[Editor’s Note: You never know who may be looking at what you do online, whether it’s your boss or a hacker. It’s a good idea to keep an eye on your credit for any signs of identity theft, like a sudden dip in your score or unfamiliar new accounts. You can see your free credit report summary, updated each month, on Credit.com.]

This article originally appeared on The Cheat Sheet.  


The Lesson Mark Zuckerberg Just Taught Everyone About Reusing Passwords


Facebook CEO Mark Zuckerberg apparently didn’t read the warning about using different passwords to protect online accounts.

Sources told The Wall Street Journal that Zuckerberg’s Twitter and Pinterest accounts were hacked over the weekend. Per the paper, Zuckerberg utilized the same password — “dadada” — to protect each account. That password had appeared last month in a database of more than 100 million usernames and passwords that was stolen from LinkedIn back in 2012, it said.

Screenshots taken by Engadget show hacker group OurMine, using their now-suspended Twitter account, to alert Zuckerberg (@finkd) of their takeover on Sunday, saying “Hey @finkd we got access to your Twitter & Instagram & Pinterest, we are just testing your security, please dm us.”

Representatives from Facebook, Instagram, Pinterest and Twitter did not immediately respond to Credit.com’s request for comment. Facebook did tell Engadget that the hackers didn’t get access to any of its accounts or systems.

Why Strong Passwords Are Important

Zuckerberg’s reported hack serves as a strong reminder not to skimp on password security. “Dadada” may not be on the list of 25 passwords you should never use, but it certainly wasn’t the most secure one out there, given that it’s short, repeats characters and doesn’t vary the types of characters used with numbers or symbols (all generally considered good password rules of thumb).

And, while it may not seem like that big a deal to have a social media account compromised, using the same passwords across accounts could open you up to other vulnerabilities, including card fraud or deeper identity theft. A thief, for instance, could potentially gain access to your bank account if it’s protected by the same password as a social media account that got compromised.

It’s generally a good idea to go through your passwords and update them regularly, making sure you are using secure passwords, unique to each site. And, if you ever think your personal information has been compromised, you may want to monitor your credit accounts or even freeze your credit reports. Sudden changes in your credit scores can be a sign your identity has been stolen. You can get two of your credit scores for free, updated each month, on Credit.com.


Ransomware Is a Real Threat (Even to You, Apple Users)


Maybe the thought actually occurred to you that something was “phishy” about that link, but that’s so 30 seconds ago. You clicked and now your computer screen is locked. Behind that frozen screen lie your personal files — everything from photos to tax documents — all of it encrypted by a third party that promises to return access for a ransom, which is usually between $200 and $5,000, according to the FBI.

Encryption can be a tool for good and evil. It’s the safest way for an enterprise to keep information safe from prying eyes and sticky fingers, but unfortunately it’s relatively easy for a hacker — and not even a very clever one — to use it to force an ugly situation: your files are encrypted and can only be unlocked by the thief.

A recent newsworthy item takes its lead from the popular “Saw” horror series. If you get hit with this one, Billy the Puppet from the franchise pops up on your screen with the message: “I want to play a game with you.”

Think that invitation from Billy the Puppet sounds fun? Before you go looking for the jigsaw ransomware, also known as BitcoinBlackmailer.exe, let me assure you that it’s not. There are different versions, but they all say pretty much the same thing: “Your computer files have been encrypted. Your photos, videos, documents, etc….But, don’t worry! I have not deleted them, yet. You have 24 hours to pay 150 USD in Bitcoins to get the decryption key. Every hour, files will be deleted. Increasing in amount every time. After 72 hours all that are left will be deleted.”

If you get the jigsaw ransomware, don’t panic. As ZDNet (my source for the above script) points out, a company named Forcenet already solved the problem with simple reverse-engineering. According to those at Forcenet, “A genius malware author this is not, the use of C#/.NET makes it trivial to reverse engineer and analyse.”

Not Just an Inconvenience & Not Just a PC Problem

The point here is not whether or not a particular ransomware poses an extinction-level threat. Ransomware attacks are on the rise. According to Symantec’s 2016 Internet Security Threat Report, “crypto-style ransomware grew 35% in 2015.” In this report, Symantec warns that this often profitable approach, while adept at ensnaring PC users and branching out through network-connected devices, is increasingly targeting, “smartphones, Mac and Linux systems.”

In plain English: ransomware is a danger for anyone using a network-connected device. A former NSA employee recently released a tool for Mac users called RansomWhere, which detects when files are being encrypted on an Apple device and allows the user to stop it. That’s notable because, until now, most Apple users have been relatively unscathed by ransomware.

How People Are Affected by Ransomware

While many ransomware attacks are fixable, they can be embarrassing. A number of the links that get people “got” involve sites you wouldn’t want your mother — or spouse, or child — to think were part of your regular Internet diet, or sites that would suggest you’re about to go into personal bankruptcy. Ransomware crooks use various hot-button clickbait to lure victims.

But do you know what’s worse than being embarrassed by a public airing of what piques your curiosity? A lot of things are, but when it comes to ransomware, at the top of the list has to be the increasing risk for more serious kinds of fallout as hospitals are being more frequently targeted by this form of attack.

In February, Hollywood Presbyterian Medical Center was hit by ransomware. The incident got a great deal of attention because instead of risking patients’ lives, the hospital decided to pay the ransom, which was about $17,000 — or 40 bitcoins. Another hospital was hit in Kentucky, but they only had to pay a ransom of 4 bitcoins, according to internet security reporter Brian Krebs. MedStar Health was also a victim of ransomware, with employees reporting, “a pop-up on their computer screens stating that they had been infected by a virus and asking for ransom.” MedStar owns 10 hospitals and 250 out-patient facilities in Maryland and D.C.

TrendMicro, a company that focuses on internet content security software and cloud computing security, recently predicted “2016 will be the year of online extortion.” If ever there was a time to be careful out there, it was last year. And the year before that, and the one before that, too, but also: tomorrow. Tomorrow is still really not the sort of thing that’s conducive to a good night’s sleep, because the underlying message here is that you are going to get got. Being informed is your best defense.

This story is an Op/Ed contribution to Credit.com and does not necessarily represent the views of the company or its partners.


429 Million Identities Were Stolen in Data Breaches Last Year


Data breaches and other security crimes surged ahead in 2015, a new study found.

A total of 429 million identities were stolen last year as a result of data breaches, according to Symantec.

The security software company’s latest Internet Security Threat Report, released on April 12, notes that this is a 23% increase from the prior year.

There were also a record nine mega-breaches reported last year. Mega-breaches are defined as data breaches involving more than 10 million records.

Additionally, the report found that crypto-ransomware attacks increased by 35% last year. This type of attack involves using malicious software to encrypt a victim’s computer files and block the victim from accessing them until a ransom is paid.

Ransomware called “CryptoWall” even prompted the FBI to issue a public warning last year, calling it “the most current and significant ransomware threat targeting U.S. individuals and businesses.”

Symantec also reported that more than 75% of all legitimate websites have vulnerabilities that have yet to be patched. And 15% of legitimate sites’ vulnerabilities are considered critical, “which means it takes trivial effort for cybercriminals to gain access and manipulate these sites for their own purposes,” the report states.

Symantec, which is known for software like Norton Antivirus, offers consumers the following tips to protect themselves.

1. Use Strong Passwords

Use strong and unique passwords for your accounts. Change passwords every three months, and never reuse your passwords. Additionally, consider using a password manager to further protect your information. (Need password ideas? These are 25 passwords to immediately cross off the list of possibilities.)

2. Think Before You Click

Opening the wrong attachment can introduce malware to your system. Never view, open or copy email attachments unless you are expecting the email and trust the sender.

3. Be Wary of Scareware Tactics

Versions of software that claim to be free, cracked or pirated can expose you to malware. Social engineering and ransomware attacks will attempt to trick you into thinking your computer is infected and get you to buy useless software or pay money directly to have it removed.

4. Safeguard Your Personal Data

The information you share about yourself online puts you at risk for socially engineered attacks. (You can read more about identity theft protection here.) Limit the amount of personal information you share on social networks and online, including login information, birth dates and pet names.

And, if you have reason to believe your personal information was compromised, you can keep an eye on your credit. A sudden drop in credit scores, for instance, is a sign your identity has been stolen. You can view your two credit scores for free each month on Credit.com.


How to Get a ‘Burner’ Credit Card


A new online payment service, which launched earlier this week, hopes to curb online shopping fraud by doing away with the need to share your credit card number just to buy something.

Privacy.com is creating virtual debit cards for online transactions for anyone who signs up for the service. The free app, which Credit.com reported on last fall, is now available for Apple iOS and Google Chrome.

“Credit card breaches are growing at an alarming rate and real people are getting hurt,” said Bo Jiang, CEO and Founder of Privacy, in a press release. “We minimize your risk of fraud and identity theft by creating virtual burner cards.”

Here’s an overview of how the app works: Users download the software, register and link an online bank account. There is no pre-loading of funds required and the service can be used anywhere Visa cards are accepted. Once downloaded, a browser extension enables you to create burner card numbers when you go to check out on shopping websites. The funds are then withdrawn from the linked bank account.

The service uses two-factor authentication, an extra layer of security that requires not only a password and username but also something that only that user has on them, such as a physical token.

Prospective Privacy.com users can sign up on the company website. Keep in mind, you’ll have to enter personal information, including your name, address, date of birth and checking account information, to get and use the app. You can find more information about Privacy.com’s security protocols on the company website.

Remember, some banks also give cardholders the option to create virtual card numbers to increase security while shopping online, so you may want to look into these options, too, if you are interested in increased online card security.

And, if you think your credit card or personal information has been compromised, or even if you don’t, one of the best things you can do to protect yourself from identity theft is to regularly check your statements and your credit for signs of fraud. You can spot sudden, unexpected changes in your free credit report summary, which is updated every month on Credit.com. Here’s what to do if you find you are a victim of identity theft.
