The Vice President Got Phished — Are You Next?

Vice President Pence did what millions of us do every day. He clicked on a link in a phishing email.

America got mail this weekend, about 30 emails, according to reports. They were written as recently as last year by then-Governor Mike Pence and sent from his personal AOL account. While this is a political story, it is not about politics. It’s about a nationwide problem.

The emails, released to the Indianapolis Star in response to a public records request, include state business. The revelation is that Pence used his private email account to conduct business — an account we now know categorically was not secure from the prying eyes of hackers since, per various reports, it sent out emails saying Pence had been robbed overseas and was in need of money to get back home, a classic email scam you’ve no doubt heard of.

Pence’s Email Problems

The emails released by the Indy Star were addressed to Pence’s chief of staff and also his homeland security officer. As such, they open a window into Pence’s tenure as governor where there shouldn’t be one. Emails discussed political issues — like the resettlement of Syrian refugees — and other sensitive matters.

The news immediately resulted in public parades of schadenfreude on the left. After all, former Secretary of State Hillary Clinton arguably lost the election because of the same issue. But while there is plenty to make fun of here, there really is very little in the way of relevance between the two email stories.

While there have been more detailed tales of the tape between the two stories, you only need to know that former Secretary of State Clinton did something that, while legal, was strongly discouraged by her employer, the State Department, and what Pence did was under no such strictures — a sentiment Pence and his press secretary echoed in statements to the press. (Pence could not be reached for comment by Credit.com.)

What Pence & Clinton Have in Common With You

This latest email snafu is about control, but not over the flow of information, secrets or privileged access to information. It’s actually about an alarming lack of control. That lack of control has to be laid at the feet of information security experts who are tasked with keeping us safe.

We can do amazing things in the realm of coding, but somehow a fix to the phishing pandemic continues to elude us. The main reason for this is at least understandable: It’s a crime that preys on human nature — something that can’t be (reliably) coded.

Vice President Pence did what millions of us do every day. He clicked on a link in a phishing email, the victim of garden-variety social engineering. In doing so, he did us a favor, though it’s doubtful he will get much credit for it. He highlighted an area where our nation needs to do way more. Phishing is a national epidemic, and we all need to worry about it. If leaders of the free world can fall for this scam, so can you.

What’s Phishing — & How Can I Avoid it?

Phishing emails spoof legitimate companies or contacts in an attempt to get the recipient to click on a fraudster’s link. As I wrote about in my book, Swiped, you can probably spot a phishing email in your sleep, and you would no sooner click on a link in an email about suspicious activity on your bank account than you would leave your wallet in a crosswalk in Times Square.

However, best practices often fly out the window when it comes to salacious material about our favorite celebrities. Think about it this way: As you wander in the darker alleys and backstreets of the internet, where the risks should outweigh all other considerations, are you willing to forgo sensible web behavior when the likely outcome will be catastrophic?

The main threat is malware. You can expect it to wind up on your computer if you decide to search the less safe parts of the internet for material that was never meant for your eyes anyway.

It may be something simple, like code that turns your computer into a spam distribution center, or a more serious app that will record your keystrokes (including when you log in to your bank, email, social networking, brokerage accounts, or the gubernatorial back office). There’s no way to know what you’re getting yourself into. The best course of action is to use your imagination — or possibly even your sense of what should be off-limits. Malware leads to identity theft and worse.

If you tend to chase breaking news stories and like to download the ephemera related to them (eyewitness photographs, blog posts), you may want to do a malware scan of your computer.

As a matter of fact, this kind of scanning should be a part of your habit of monitoring your various points of contact with the outside world — your attackable surface — regularly for signs of intrusion. (You can also monitor two of your free credit scores for foul play every two weeks on Credit.com.)

The lack of cybersecurity acumen manifested in the phishing of a governor should serve as a cautionary tale for everyone. Unless you are never off your guard, it’s highly likely that you will get scammed. The solution to the phishing pandemic is nowhere in sight. Be careful because the light at the end of the tunnel could well be the headlight of a bullet train.

This story is an Op/Ed contribution to Credit.com and does not necessarily represent the views of the company or its partners.


The post The Vice President Got Phished — Are You Next? appeared first on Credit.com.

How Your Netflix Obsession Could Get You Scammed

People in a rush to get back to binge-watching their favorite shows are the prime focus for this scam targeting Netflix users.

A new scam targeting Netflix users is being reported by a cyber-security company that says the scammers are trying to get credit card and other personal information.

FireEye Labs first reported the phishing scam earlier this week, saying customers should be wary of any emails asking them to update their Netflix member information. Netflix had not posted any guidance for customers on its blogs nor released an official statement at the time of this writing, but a representative sent us this: “Members who want to learn more about how to keep their personal information safe against phishing scams and other malicious activity can go to netflix.com/security or contact Customer Service directly.”

According to the FireEye Labs report, a link in the email being sent to Netflix members looks like an official Netflix web page but is not legitimate. The page asks users for:

  • The name on their credit card
  • Their credit card number
  • Card expiration date
  • 3-digit security code; and
  • Social Security number

According to FireEye, the email looks very realistic, and the phony site mimics the Netflix homepage, as shown in the screengrab FireEye published in its report.

According to FireEye, the phishing sites it referenced in its report are no longer active, but new scams like this pop up often. It’s important for consumers to know these things exist and be very careful about sharing sensitive personal or financial information.

How to Protect Yourself From Phishing & Other Scams

There are some standard best practices when it comes to protecting yourself from scams on the internet. These tips for better internet security are a good place to start. In a nutshell, it’s always a good idea to be suspicious, especially if a company is reaching out to you through email or text message. And until you’ve confirmed that the email, text or even phone call is legitimate, it’s wise to never give out personal data like your credit card or debit card numbers, date of birth, address or, worst of all, your Social Security number.

If you think you’ve been a victim of identity theft, you can monitor your credit scores for free by using Credit.com’s free credit report snapshot, or by paying for a complete credit report monitoring service, which includes your full credit report and daily alerts to monitor your credit.


The post How Your Netflix Obsession Could Get You Scammed appeared first on Credit.com.

The Surefire Trick to Avoiding Holiday Phishing Scams

Holiday phishing scams are nothing new — Americans just keep forgetting to be on the lookout for them.

Every year I dedicate a column to the scams of the holiday season, and every year the roundup gets bounced around the internet — all too often among friends who’ve been scammed. (For a rundown of what’s out there, check out last year’s post.)

So what’s new this year? Unfortunately, not very much.

There’s the latest holiday phishing scam, I guess. But really? It’s about as surprising as the President-elect’s reaction to Alec Baldwin’s impersonation of him on Saturday Night Live.

An email arrives telling you that there’s been a shipping problem with a gift item that you ordered online. In this particular ploy, there’s a link embedded in the email message that takes you to a bogus site that looks exactly like a real one that many people use for their holiday shopping. It doesn’t particularly matter which site. What matters is that the link leads to a page that doesn’t just look like the site. It is a perfect replica.

Sounds like every other phishing scam, right? Well, that’s the point of this year’s holiday scams column, folks. So, why are we still falling for these things?

It’s simple. Most people still don’t consider phishing scams to be a part of everyday life because most people have busy lives. If you live in an area where mosquitos spread the Zika virus, you’re hyper-aware of when they’re around. We all live in a phishing hole, yet we’re not constantly on guard against the various kinds of bait scammers throw out there — even though the damage caused by ransomware and other kinds of malware can be very serious.

It doesn’t matter how many times I say this. Most people don’t think scams are as ubiquitous as they are, and as a result, they tend to forget about them while they are going about their daily business. If only they kept malware and the constantly evolving delivery systems that bring it into our homes and offices top of mind, scam artists would quickly have to come up with a new game.

So let’s go back to this latest holiday phishing scam. How can it be avoided? You just have to look at the web address. But not the way your kids look at you when you ask them to do something. I mean, REALLY look at it. The only thing that’s different on this new scam site is the URL address.

There is a reason people never remember this. Scammers are smart, creative and persistent.

Social Engineering

Social engineering has nothing to do with any sort of “brave new world” scenario. It describes the hacker’s skill in the area of psychological manipulation.

The hacker’s exploits all work on emotion. In some cases, they will have gone on social media and figured out who you’re friends with. The next step is to send an email — either using your friend’s hijacked account, or just their name. You’ve seen these emails before. Your friend is on holiday and lost their wallet, or asks if everything is all right between you and your partner because they saw a picture (click the link and tell me, that IS your husband, right?). Maybe someone from college found a hilarious picture of you. The gambits are clever, playing on various emotions — fear, jealousy, curiosity.

The URL of a bogus site is something you might not notice this time of year because you are completely freaked out that a package is not going to arrive on time and someone’s holiday will be ruined. While you are still rattled, you are provided with a link and instructed to enter your name, address and credit card information. When you do that and hit send, the page redirects to the real site, and the scammer is given all the ammunition necessary to go on a shopping spree.

Reverse Engineering

The solution here is simple. Social engineering is only possible in a world where people don’t know they’re being targeted.

The first order of business is to remember you live in the phishing hole. You need to get into the mindset that you’re always one click away from getting got. As I write in my book, SWIPED: How to Protect Yourself in a World Full of Scammers, Phishers, and Identity Thieves, there are some very good tactics for avoiding scams, like going directly to websites in lieu of clicking URLs in emails, calling companies to verify they’re trying to contact you and refraining from over-sharing on social media.

If you believe you’ve been the victim of a scam, don’t brush it off. Monitor your credit report for signs of identity theft — mysterious addresses, unknown accounts opened up in your name. (You can do so by pulling your credit reports for free each year at AnnualCreditReport.com and viewing two of your free credit scores every 14 days on Credit.com.) Report any fraud to your local authorities and the Federal Trade Commission.

Also, help others avoid scams. Talk about the threats out there with your friends and family (even strangers on a bus) because public awareness is the only inoculation against the viruses and malware that are spread through phishing email.


The post The Surefire Trick to Avoiding Holiday Phishing Scams appeared first on Credit.com.

How to Avoid Cyber Monday Traps


This Black Friday, millions of shoppers will once again make the final seconds of a close football game look like a store window filled with clumsy puppies. And when they don’t find what they’re looking for, they’ll go online where, in addition to great deals, a cornucopia of scams awaits.

The migration from brick-and-mortar retailers to online shopping is pronounced. Last year set a record, with more than $3 billion in online sales. But that doesn’t mean people aren’t still hitting the stores — Black Friday wasn’t far behind in 2015 sales, at $2.74 billion.

As consumers increasingly finish their holiday shopping online — or even do the entirety of it there — the snares and pitfalls of Internet fraud have proliferated. But fraud isn’t the only worry.

The Mouse Buster

Whether you’re faced with a “Mouse Buster” or a good old-fashioned door buster, a compelling promotion involving “limited availability” of a hot item is not a scam — or at least it doesn’t have to be. That said, you have to stay aware so you know what it is you’re dealing with on Cyber Monday — and remember, scammers are counting on the fact that you will be too stressed to think straight.

All’s fair in the battle for the perfect gift during the holiday season. Retailers aren’t responsible for the decisions you make. Unless you come prepared knowing precisely what you want, how much you should reasonably pay and have an absolute budget, you may well find it nigh impossible to resist the wiles of the marketing geniuses who make their living selling you the non-essentials of life.

There will be deals online and the promise of impossible-to-find items that disappear like a mirage — arrival to the online oasis suggested by your favorite search engine to find “the toy that can be found nowhere” immediately turning into the hard sell of desperation marketing of alternative items.

Whether you’re facing a door buster deal on a popular item or a mouse buster, the same principles apply. Know what you want and how much you should have to pay, and stick to those parameters.

Most importantly, keep your head on straight. Retailer shopping lures are tempting, but they are nothing compared to the trouble a clever phishing lure can cost. Remember: If it seems too good to be true, double check that the deal you’re being offered is real.

Phishing

At this point in the evolution of the phishing scam, it seems like we should be able to skip the particulars of scams, but the open and click-through rates on phishing emails and texts are still robust.

Part of the reason that’s true is because scammers are sophisticated, creative and persistent. Websites are replicated down to the last detail, and URLs are acquired that can pass muster as authentic — with things like a “1” replacing a lowercase L or adding an extra letter — even if you are looking at the URL to make sure you’re not being scammed. This applies whether you received an offer via text or email.

The rule of thumb here: If you get an offer via text or email, go online and visit the retailer by carefully and correctly typing in its address instead of clicking the link. If the text or email says that the only way to get the offer is through the link offered, chances are good that it’s a scam, because no retailer would chance losing a click-through because of a consumer’s fear of getting hacked. (And, if you think you have been hacked, monitor your credit for signs of identity theft. You can view your free credit report snapshot, updated every 14 days, on Credit.com.)

You Aren’t There

While millions of people take care of all their holiday shopping on Cyber Monday, the day is “traditionally” known as best for certain kinds of gifts: Electronics, beauty items, fashion accessories and travel. Bear in mind, some purchases are often better to make in person where you can check out an item and see if it does what you want it to or is the right size. You may also want to check out whether or not there are better deals on comparable products.

There are purchases that make sense online — a travel package is one that comes to mind, as you are de facto never there until you visit. But when it comes to a new TV or other item that is better seen, handled or experienced first-hand, it’s a good idea to go to a store that carries it to make sure it’s what you are looking for, even if you intend to make your purchase online.

At the end of the day, the key to successful Cyber Monday shopping is to stay on your A-game. Pay attention, do your homework, don’t get caught up in acquisition ecstasy and stick to your plan. And if your first plan for a purchase doesn’t work out, it’s a good idea to have a Plan B that wasn’t figured out by the retailer’s door buster strategy meetings.


The post How to Avoid Cyber Monday Traps appeared first on Credit.com.

6 Scams to Watch Out for This Summer

Summer will be here before you know it, and with it come new and old scams. As you consider possible escapes — travel to exotic places; trips to the beach, the mountains or the golf course; a staycation to get much needed work done around your house — bear in mind that these diversions provide the perfect opportunity for con artists and identity thieves just waiting to insinuate themselves into your life, becoming the sand in your picnic basket (or bathing suit) — a vacation-killing burn that no ointment can soothe.

Here are a few scams to be on the lookout for this summer.

1. Thanks for the Robocalls, Congress!

Thanks to a new provision slipped into important federal legislation, you may start receiving legitimate robocalls to your mobile phone — something that was previously forbidden by the Telephone Consumer Protection Act and the Fair Debt Collection Practices Act. According to Consumer Reports, buried in a recent Congressional Budget bill is a provision that allows loan servicers and other collectors of federal loan debt to use robocalls “to collect a debt owed to or guaranteed by the United States.”

While these calls will mostly target student loan borrowers, fearless fraudsters will certainly take advantage of this newly legal means to dial for dollars and try to extract money from those among us who don’t read Congressional Quarterly.

TIP: Caller ID is by no means a fail-safe protection. If someone calls you regarding money you allegedly owe, ask for the name of the debt holder, hang up, double-check that the number is legit online, and then call them directly.

2. Your New Chip Card Opens the Door for Fraud

There’s a newish phishing scam involving EMV chip cards that has reared its ugly head in New York state after a fairly long run on the road. It’s a pretty straightforward phishing scam. The emails look authentic — that is, they appear to be from a bank with which you do business — and they target people who haven’t received their new chip cards. The ask: your personal information to authorize the new card. There may be a link, and if you click, it installs malware on your computer or mobile phone.

TIP: If you have your chip card already and this scam poses a threat to you, you have bigger issues. If you do not have your new card and receive an email or call about it, either go directly to the issuer’s site or call them directly and communicate with a representative. Don’t take the bait!

3. Summer Jobs & First Jobs

New college and high school graduates, and kids home for the summer exploring the job market — possibly for the first time — are getting duped into putting their personally identifiable information (PII) to work for fraudsters via fake job scams, according to a warning from the Better Business Bureau of Central Oklahoma. Sometimes the scam is focused on collecting PII to be used in identity-related crimes, but there are other scams that involve handing over bank account information.

TIP: Check out the company online, and don’t provide your bank account number or any other sensitive personal information. While I know this is incredibly painful for anyone born after 1980, pick up the phone and call your prospective employer.

4. A Moving Scam

A Georgia family learned the hard way that hiring a “man with a van” or any other mover can be risky business. According to the Atlanta Journal-Constitution, a woman who asked not to be identified hired movers she found through an online classified ad. They delivered her things, minus about $75,000 worth of personal items. Authorities later learned that the truck used by the suspects had been stolen shortly before the “job.”

TIP: Summertime is when many people choose to relocate. If you’re moving and you need help, hire a reputable company. And always check references.

5. Summer Rental Scam

Here’s an old favorite: You begin your search for a summer place way too late and assume there will be nothing available. But hold on — suddenly you fall upon the absolutely best summer rental ever! You reach the owner or realtor (it makes no difference to a scammer if he or she pretends to be one or the other), and you send a check to the address provided or wire money to an account. He or she then gives you the details about the place. Unfortunately, you have just rented a vacant lot or an empty warehouse. Or when you show up, you discover that you are but one of five families who also rented the house — or landfill.

TIP: If you get a real estate agent on the phone, get his or her license number and check it. Also request references if there are no reviews online, confirm that the address is real and the premises are truly available for rent. Use common sense.

6. Scalpers

Summertime is tour time for the record industry, and the hottest acts can sell out thanks to ticket brokers who hoard big blocks of seats for resale at extortionate prices seconds after they go on sale. While this isn’t a scam per se, it creates a fertile field for fraudsters, who offer tickets at more reasonable prices, though they’re often still more than face value. The only problem: They don’t have tickets, or at least not real ones.

TIP: If you are tempted to buy tickets secondhand, be exceedingly careful because there are all sorts of counterfeit tickets for sale. Go to reputable sites or deal with folks whom you trust and have established a relationship with.

The Takeaway

Unfortunately, in a world where identity theft has become a near certainty, the season is pretty much irrelevant. When it comes to scams and other kinds of fraud, it’s always open season on you.

Minimize the damage by monitoring your credit for signs of fraud. You can do so by pulling your credit reports for free each year at AnnualCreditReport.com, and viewing your credit scores, also for free, each month on Credit.com.


The post 6 Scams to Watch Out for This Summer appeared first on Credit.com.

The Typo That Can Get You Hacked


Here’s another reason to be extra careful about what you type into your web browser.

Cybersecurity firm Endgame has unearthed a new spin on the good old “typosquatting” scam — the practice of purchasing domain names similar to legitimate websites (think Gooogle.com) in hopes that a small keyboard snafu nets hackers access to your computer.

The new scam aims to install malware on devices after users accidentally type “.om” instead of “.com” after popular URLs. Endgame discovered the scheme after one of its employees mistakenly typed “Netflix.om” instead of Netflix.com when attempting to watch the latest season of House of Cards earlier this month.

Per a company blog post:

“He did not get a DNS resolution error, which would have indicated the domain he typed doesn’t exist. Instead, due to the registration of “netflix.om” by a malicious actor, the domain resolved successfully. His browser was immediately redirected several times, and eventually landed on a ‘Flash Updater’ page with all the usual annoying (and to an untrained user, terrifying) scareware pop-ups.”

After doing some more research, Endgame found the streaming service wasn’t the only popular URL being “om’ed.” Though some sites bearing that ending were legitimate, 319 .om domains appeared to have some type of scheme attached to them. (Fake Flash Updates, for instance, are commonly linked to a well-known malware named Genio that attaches itself to web browsers and mines for data.)

You can see a full list of the potentially dangerous domains here. It’s important to note you could also be in trouble if you typed the “c”, but misplaced the period. (Example: bestbuyc.om or cnnc.om.) This particular typosquatting game was easy for hackers to play, Endgame said, since “.om” is the country-specific domain name for Oman.
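The typo patterns described in this post (a dropped “c” giving “.om”, and a misplaced period giving “c.om”) and in the Cyber Monday post above (a “1” standing in for a lowercase L, an extra letter) can be checked mechanically against a list of the sites you actually use. The following is an added example, not code from Endgame or Credit.com; the watchlist, the example.com entry, the “0”-for-“o” swap and all function names are assumptions made for illustration.

```python
"""Added example: flag hostnames that imitate a watchlisted domain."""

# Constructed watchlist of legitimate domains (assumption: replace with your own).
WATCHLIST = ["netflix.com", "bestbuy.com", "cnn.com", "google.com", "example.com"]

# Look-alike characters mapped back to the letter they imitate. The page names
# "1" for lowercase L; "0" for "o" is an added, commonly seen case.
LOOKALIKES = str.maketrans({"1": "l", "0": "o"})


def registrable(host):
    """Lower-case the host and keep its last two labels.

    Assumes every watchlisted brand is a two-label domain such as netflix.com.
    """
    labels = host.strip().lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def one_extra_letter(candidate, original):
    """True if deleting exactly one character from candidate yields original."""
    if len(candidate) != len(original) + 1:
        return False
    return any(candidate[:i] + candidate[i + 1:] == original
               for i in range(len(candidate)))


def classify(host, watchlist=WATCHLIST):
    """Return (verdict, imitated_domain).

    verdict is 'legitimate', 'unknown', or the name of the typo pattern matched.
    """
    domain = registrable(host)
    if domain in watchlist:
        return ("legitimate", domain)
    cand_name, _, cand_tld = domain.rpartition(".")
    for legit in watchlist:
        name, _, tld = legit.rpartition(".")
        if tld == "com":
            if domain == name + ".om":       # netflix.om: the "c" was dropped
                return ("missing-c", legit)
            if domain == name + "c.om":      # bestbuyc.om: period one key late
                return ("misplaced-period", legit)
        if domain.translate(LOOKALIKES) == legit:
            return ("lookalike-character", legit)
        if cand_tld == tld and one_extra_letter(cand_name, name):
            return ("extra-letter", legit)
    return ("unknown", None)


def flag_hosts(hosts, watchlist=WATCHLIST):
    """Return [(host, pattern, imitated)] for hosts that imitate a watchlisted domain."""
    hits = []
    for host in hosts:
        verdict, legit = classify(host, watchlist)
        if verdict not in ("legitimate", "unknown"):
            hits.append((host, verdict, legit))
    return hits


# Constructed sample, as might be pulled from browser history or a DNS/proxy log.
SAMPLE_HOSTS = [
    "www.netflix.com",
    "netflix.om",
    "bestbuyc.om",
    "cnnc.om",
    "Gooogle.com",
    "examp1e.com",
    "unrelated.test",
]

if __name__ == "__main__":
    for host, pattern, legit in flag_hosts(SAMPLE_HOSTS):
        print(f"{host:15} {pattern:20} imitates {legit}")
```

A host that comes back as “unknown” is simply not close to anything on the watchlist; that verdict says nothing about whether the site is safe.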

Protecting Yourself

Phishing and malware schemes are common attempts by scammers to get your personal information. For better Internet safety, it’s generally recommended you stick to trusted and encrypted websites (double-check, of course, the spelling of each address); refrain from clicking on links in unsolicited emails and keep your security software up to date.

It’s also good to monitor financial accounts regularly for fraud, and keep a close eye on your credit since a sudden drop in credit scores or unfamiliar line items on a credit report are signs identity theft is occurring. (You can do so by pulling your credit reports for free each year at AnnualCreditReport.com and viewing your credit scores for free each month on Credit.com.) If you have fallen victim to an Internet scam, you might also consider freezing your credit reports to keep new accounts from being opened in your name. And you can go here to learn what to do if you’ve already spotted identity theft on your credit report.


The post The Typo That Can Get You Hacked appeared first on Credit.com.

Tax Email Scams Are Up 400%


Filers beware: There’s a good chance there’s a tax scam email in your inbox.

According to the Internal Revenue Service, there’s been an approximate 400% surge in phishing and malware incidents so far this tax season. In other words, plenty of thieves are currently sending out texts and emails under the guise of the IRS or other tax industry players this year. These messages are an attempt to steal personal information or data related to your tax refunds, filing status, transcripts and/or PIN information either directly or through malware that gets downloaded onto your computer when you click on infected links. The information can be used to file false tax returns.

“Watch out for fraudsters slipping these official-looking emails into inboxes, trying to confuse people at the very time they work on their taxes,” IRS Commissioner John Koskinen said in a consumer alert re-issued earlier this week. “We urge people not to click on these emails.”

Tax Fraud on the Rise

The IRS’s findings aren’t exactly surprising. The agency announced earlier this year that it’s anticipating $21 billion in tax refund fraud this year. And, just this month, Intuit warned consumers that a fake TurboTax email was making the rounds. Still, the stats should inspire everyone to be a little more careful about what they click on this tax season. Per the agency’s latest consumer alert:

  • There were 1,026 incidents reported in January, up from 254 a year earlier.
  • The trend continued in February, nearly doubling the reported number of incidents compared to a year ago. In all, 363 incidents were reported from Feb. 1 to Feb. 16, compared to the 201 incidents reported for the entire month of February 2015.
  • This year’s 1,389 incidents have already topped the 2014 yearly total of 1,361, and they are halfway to matching the 2015 total of 2,748.

How to Spot a Tax Scam Email

Fortunately, there are a few simple ways to spot a tax scam email. For starters, be extremely skeptical of any emails purportedly from the IRS. The agency says it generally does not initiate contact with taxpayers by email regarding personal or financial information. Be similarly wary of emails that ask you to update important tax information by clicking on a link. (Recent scam emails the IRS has come across included subject lines referencing “Get my E-file Pin”, “Order a transcript” and “Get my IP Pin”.) And look for typos or misspellings in the body of the message — they’re a big sign something is amiss.

If you do receive a shady email, refrain from clicking on any link and, instead, forward it to phishing@irs.gov.

Remember, filing your taxes as early as possible is the best way to minimize the odds of falling victim to taxpayer identity theft. But, if you have reason to believe your personal information was compromised, you should keep an eye on your credit. A sudden drop in credit scores is a sign your identity has been stolen. You can monitor your standing by viewing your two free credit scores each month on Credit.com.


The post Tax Email Scams Are Up 400% appeared first on Credit.com.