The Common Scams People Still Fall for All the Time

The scams are dumb, but the victims are not. Here's why we keep falling for these fraudulent tricks and how to stop doing so.

The top site for classified ads in the U.K. conducted a study recently that should send a wave or two to this side of the Atlantic. When it comes to scams, it’s all about the bait. Gumtree found that even with the forethought that a listing was a scam, more than a third of their users would still go ahead with a transaction. As my mother would say … Actually, she’d probably just shake her head.

It doesn’t matter where they happen. Scams are as international and ubiquitous as the human capacity to be tricked. And while some scams are super-nova dumb, that does not always mean that most people who fall for them are.

Scams rely on a simple fact of life: People are busy. Most of us aren’t Zen masters of meditation. It’s hard to fully occupy each and every moment because we lead distraction-filled lives. We’re not constantly up on the fire tower scanning the horizon for smoke, and that’s a good thing.

Unfortunately, there are some real slime balls out there who rely on this problem of ours.

Here are some recent scams that are making the rounds:

Amazon Phishing Scam

In this scam, you get an email from Amazon. It informs you that there’s been a problem of some sort. Don’t focus on what sort, because it’s these nuances that will get you got. If you get an email from Amazon telling you that there’s been a problem with an order, or that a recent order was canceled, it’s time to focus. It could be a scam.

How it works: There’s a link in the email that leads to a site that looks identical to Amazon, but you’re not anywhere near the site. The scammers are looking to get your personal information to use in the commission of identity theft, and your financial information to drain your credit card or bank account.

What to do: Visit your Amazon account by logging in directly. Do not use the link in the scam phishing email.

[Editor’s note: Keeping track of your credit scores can help you spot signs of fraud early on. A significant decrease in your scores could be a sign that someone has gotten hold of your information and is using it without your permission. You can check your credit scores regularly using Credit.com’s absolutely free Credit Report Summary.]

Smishing Scams

Smishing isn’t terribly different from phishing, but if you’re not expecting at least the possibility of a smishing text, you might fall for it. The text arrives and appears to be from your bank. It could be from your internet provider. Generally, it’s from somewhere that can negatively impact your life, and that would also be in possession of your mobile digits.

How It Works: The smishing text informs you that someone has tried to access your account or it’s been frozen (again don’t get caught up on the details, the account or anything else), and your password or some other data needs to be updated. There’s a link to use where you can authenticate yourself by entering your personal information (for example, your Social Security number), and secure your account.

What to Do: If you regularly use your smartphone to access the internet, bear in mind that there are hidden dangers everywhere, and pause before you pounce on text warnings.

Sweepstakes Scam

You get a phone call from someone very cheerful, and maybe even a little breathless in the delivery of their blue-sky greetings. You’ve just won the Publishers Clearinghouse Sweepstakes. You’re a millionaire or a $500,000-aire. The prize patrol is 20 minutes away, so get dressed and be ready for your photo op with a beach towel-sized check.

How It Works: This scam preys on the wonderful human trait that, no matter how our day or month or year is going, hope springs eternal. Part of your prep for the prize patrol, however, requires that you pay the processing fee upfront. There could be many explanations for it, but the bottom line is you’re going to have to spend money to collect the prize.

What to Do: Hang up, and don’t bother changing your clothes. If you really have money coming to you from the sweepstakes or lottery, they are legally obligated to get it to you.

IRS Phone Scam

You get a phone call from the IRS, which is not entirely far-fetched anymore because Congress directed the IRS to collect back taxes with help from collection agencies. So, you could get a legitimate call from one of these four collection agencies: CBE Group of Cedar Falls, Iowa; Conserve of Fairport, New York; Performant of Livermore, California; or Pioneer of Horseheads, New York.

How It Works: The caller says you owe taxes (never mind the particulars as this is the nuance stuff that fuels any good scam), and if you don’t pay you’re going to be arrested (or some other bad thing will happen). Payment can only be made through a prepaid debit card or gift card, because of the particular kind of hell you created with your fictional bad behavior. You are informed that the purchase of whatever card you are told to buy is linked to the Electronic Federal Tax Payment System.

What to Do: Hang up and wait for a letter from the IRS notifying you of the situation, or call the IRS directly to inquire about any taxes you may owe.

The Grandparent Scam

Here’s one that doesn’t prey on the attention deficit disorder called daily life, but rather, it plays on the heartstrings. This scam relies on the sharing of information on social media, and the universal inability among some people to recognize a relative’s voice.

How It Works: A targeted grandparent gets a call asking for emergency funds, either directly from the grandchild who is actually a scammer armed with family names gleaned from your social media account — or someone representing them (a lawyer, bail bondsman, police officer). The story is good. All scammers are good storytellers. The ask is doable. They need money wired now.

What to Do: Never wire money unless you are absolutely certain where and to whom it’s going. If possible, double check a request with another relative. If you’re told secrecy is necessary (because a parent or sibling will be mad), just say no. Bigger picture advice: Don’t overshare. Set your privacy as tight as it will go, and don’t let people tag you in photos. And while it’s hard to sift through these days, get rid of any friends on social media who aren’t actually friends. Perhaps you should use this as an opportunity to prune a few friends too. You know, the ones that are always asking you for money.

The One-Ring Scam

This one is simple. Your phone rings once. That’s it. The scam relies on a couple of things, though. First, there’s a curiosity factor. Second, there’s the very real possibility that most people have not memorized every area code used in the United States. But forget that, because caller ID can be gamed with a spoofed phone number. Here’s what you need to know: Your phone rang once.

How It Works: You call back the number, and you’re automatically charged for a service that you didn’t want, or money is otherwise sucked out of your phone account to appear at the end of the billing cycle.

What to Do: If your phone rings once, assume the conversation that didn’t happen wasn’t worth happening. Wait for whoever called to leave a message, and never (ever) return fire.

There are more scams happening all the time, and no way to chronicle every one of them. But the baseline behavior of pausing and thinking for a moment, “Could this be a scam?” is your best protection to keep fraudsters at bay.

The post The Common Scams People Still Fall for All the Time appeared first on Credit.com.

14 Ways to Prevent Fraud on Your Debit & Credit Cards

There's no way to make yourself 100% safe from credit card or debit card fraud, but you can build some pretty tall walls. Here's how.

Every time there’s a large credit card breach, you’ll hear some expert say risks for consumers are low, because it’s easy to cancel a credit or debit card and get a new one. Not so fast. If fraud appears on your bill, but you don’t notice it, you’ll pay for it. More important, changing account numbers is a hassle. You’ll have to update all your automatic payment accounts, for example. Screw up one of those, and you could get hit with late fees from a merchant when your payment is denied.

Despite the liability limits, you’re better off avoiding all this in the first place. Below are suggestions on how to do that. Most involve limiting the number of times you have to share your plastic with someone, decreasing your “attack surface.” Some might be familiar. Others might seem extreme. Either way, there’s no way to make yourself 100% fraud proof. That’s why we’ve also provided tips on the earliest possible detection and reporting of fraud, which is the main way to protect yourself. For example, regularly checking your credit scores can help you spot fraudulent activities on your credit cards. (You can check two of your scores free on Credit.com.) Here’s how to keep yourself as safe as possible.

1. Avoid Using Debit Cards to Buy Things

When I asked Gartner fraud analyst Avivah Litan about her fraud-fighting tips, this is the first thing she said:

“Never use PIN debit, except for bank ATM machines attached to bank branches.”

PIN debit is the technical term for using a debit card as “credit” at a merchant. From a fraud perspective, the “debit or credit” question is meaningless. Either way, you are putting your debit card account information into databases criminals can hack. And recovering from a debit card fraud is much more of a hassle than recovering from a credit card fraud. With credit card fraud, consumers call their bank, dispute a fraudulent charge and don’t pay for that part of their bill. With debit card fraud, money is taken from the victim’s checking account, and the consumer has to argue with the bank to get it back. That usually happens quickly, but in the meantime, the consumer’s balance can dip below zero, leading to overdrafts and other potential problems, like bounced rent checks.

It’s a bad idea to buy things with a debit card. Use a debit card to withdraw cash at a bank ATM. Otherwise, use credit.

Some people use debit card purchasing as a personal finance tool to limit spending. That’s a rational reason to do so. If you must, don’t use PIN debit, so at least a criminal can’t gain access to your PIN at that merchant.

2. Be Careful With Stored-Value Apps

The latest trend in money is “digitized stored value.” You’re probably familiar with it if you buy coffee with your Starbucks app. Many merchants are now imitating Starbucks with their own digitized stored value apps. But app makers and merchants are not banks. They have less experience keeping money safe. The consequences have been obvious: Starbucks consumers have complained for nearly two years about criminals raiding their app-linked credit cards. Worst of all, consumers with auto-fill have seen criminals conduct rapid-fire transactions through the apps. Starbucks says this impacts a tiny fraction of consumers, and they are quickly refunded. If you are using “digitized stored value,” manually reloading value is safer than loading your credit card and especially your debit card.

3. Have a Separate Card for Digital Transactions

Splitting your transactions among cards can limit the “spillover” if fraud occurs. This tip isn’t for everyone. Some consumers like racking up points on one card. Others are afraid they’ll miss a payment if they have more than one credit card bill each month. But separating out transactions can have fraud-fighting benefits. If you are the type to buy items from less popular websites that might not have the security protections of a larger site, consider having a card you use just for those higher-risk purchases. That way, if the small site is compromised, the impact on your life will be contained.

4. Google Second-Tier Sites

Speaking of second-tier sites, you should always Google them before making a purchase. Search “BobsWidgetSite.com and complaints,” then “BobsWidgetSite and fraud,” before making a purchase the first time. Scroll through a page or two of results, in case the site has done search engine optimization work to beat back complaints. I talk often to victims who do that search only after they are victims of fraud, and then kick themselves.

5. Place a Sticker Over Your Security Code

Here’s a novel idea from computer security expert Harri Hursti. Most credit and debit card credentials are useless without the security code numbers on the back of the card. To limit the risk of physical theft, place a sticker over the numbers and memorize them. They are usually only three or four digits. That way someone else who holds your card for a few moments can’t get enough information to steal from your account. Such physical theft is less common than it once was, but the sticker idea is a simple fraud-fighting tool.

6. Say No to ‘Free’ Trial Offers & Avoid ‘Gray Charges’

About five years ago, a credit card fraud fighting firm named BillGuard.com coined the term “gray charges.” These aren’t traditional fraud, but they aren’t transactions you approved, either. It might be a magazine you didn’t realize you purchased as a bundle at a checkout. It might be a subscription travel service that “accidentally” ended up in your shopping cart when you booked a trip. Or it might be a free trial you forgot about that has now converted to a $20-a-month charge. Either way, gray charges are a hassle, and the easiest way to avoid them is to never sign up for a “free” anything that requires your credit card. Check your shopping carts diligently, and uncheck all the “sign me up for XX” boxes along the way.

7. Don’t Fall for Phishing

Phishing emails have been around for a while – so long you might forget the risk they pose. Big mistake. A study by the University of Texas last year found that phishers “thrive” on consumers’ overconfidence. There was a 500% increase in personalized, social-media-based phishes in 2016. A common, credit-card stealing email might be an alert claiming your credit card on file with iTunes has been rejected, and asking for an immediate update. If you think you can’t be phished, you’re wrong. Never enter your credit card number into a website unless you have manually visited the site by typing the address into your web browser’s address bar. Never click on a link in an email – even one you are certain is real – and enter payment credentials.

8. Don’t Give Your Credit Card Number Over the Phone

This tip is similar: Never give your credit or debit card number to anyone who calls your house. Even if you are certain the call is legit. Always hang up and manually dial the company’s phone number, then give your payment details. That might sound like a hassle, but any reputable company will appreciate your efforts at security. If the person on the other end of the phone gets annoyed, that’s a good indication you are being hustled.

9. Get a Post Office Box

Mail theft is still a cause of identity theft. The simplest way to avoid it is to stop mail from coming to your house. Small P.O. boxes can cost around $100 per year and can offer peace of mind.

10. Use ATMs Carefully & Watch for Skimmers.

You know to make sure no one is watching while you enter your PIN code at an ATM. But how? It’s getting harder and harder to be sure, as hackers are inventing smarter skimmer devices that let them “watch” you remotely. The latest devices are designed to fit snugly over the slot where cards are inserted or even to be snuck inside that slot, invisible to the untrained eye. That’s one reason Litan only uses ATMs attached to a bank branch. ATMs outside grocery stores or gas stations can be easier to attack and often have higher fees. The risk isn’t only at ATMs. So-called “overlays” that fit on top of a merchant point of sale terminal have been spotted at major retailers across the country. Whenever inserting your credit or debit card into any machine, it’s a good idea to look for signs of tampering. You can take a moment to rub your fingers around the edges of a machine to see if an overlay or skimmer has been snapped on top.

11. Keep Track of Your Cards

It’s easy to forget your card at a restaurant after a meal. Develop a personal checklist so you avoid that. Each time you get up to leave a store, or before you go to bed at night, do a card count. If you can’t find your card but you are hopeful it will turn up, you might have better options than you realize. Many times, people are loath to call and report lost cards because of the ensuing hassle. Some banks let you temporarily “freeze” your card while you look for it, then turn the card back on if it’s found safe. Discover has a feature called Freeze It. Visa and MasterCard also give their banks similar options. Don’t be afraid to protect yourself while you are looking.

12. Sign up for Mobile Banking

Mobile banking is a great fraud fighting tool. If you aren’t using your bank’s app, you’re missing out. More people used mobile than used a bank branch for the first time in 2015, according to Javelin Strategy & Research.

Mobile banking lets you check your account every day for unusual activity. Use of mobile banking can reduce your attack surface, too, since mobile check deposits mean fewer trips to the ATM.

13. Set Text Alerts for Your Credit Card

Banking apps make it easier to use another trick that helps with fraud detection: text alerts. Most banks allow you to set up texts about transactions. Options include: A text with every purchase, a text for every purchase more than $100 or a daily text with the account balance. I prefer the last choice. Anything more frequent and the messages start to feel like spam, and can be ignored. The tool also helps with spending habits, as you’ll have a daily reminder of how much you’ve spent. Most banks can send the alerts via email, too.

14. Report Fraud Immediately

If you are hit by fraud, time isn’t on your side. You will likely be hit repeatedly until the card is canceled. Most importantly, if you don’t report the fraud in a timely manner, you can be held liable for some or all of it. Most of the time, financial institutions are responsive to fraud, and make reporting concerns and getting replacement cards easy, but early detection is critical.

The post 14 Ways to Prevent Fraud on Your Debit & Credit Cards appeared first on Credit.com.

Does (at) Instead of @ Really Keep Spammers at Bay?

This simple trick can help reduce spam and add an additional layer of protection against phishers and identity thieves.

Have you ever been on a website and noticed the site owner or another user has written out their email address in some variation of the following?

Name (at) domain dot com

If you wondered if the person was just averse to using symbols, you may be interested to know it’s actually a decent method for reducing unwanted spam emails and protecting yourself from possible phishing scams and even identity theft.

We talked to digital security expert Adam Levin, co-founder of Credit.com and chairman and founder of CyberScout (formerly IDT911), to learn more about how it works.

Good ‘Cyber Hygiene’

“One way spammers harvest email addresses is by sending out bots that are instructed to look for and scrape letter strings that contain the @ symbol,” Levin said.

For that reason, it’s a good idea to practice what Levin refers to as “good cyber hygiene” when entering your email address on public sites. Writing out your email address lets you do that. (Check out our tips for keeping your email safe and secure.)

Phishers can be dangerous, especially if you wade through a tremendous amount of email each day. They create emails that closely resemble legitimate companies and entities that can be difficult to spot as phony, especially when you’re in a hurry to get through your emails.

Using “at” and “dot” makes it more difficult for spambot programs to detect and grab your email address, Levin said. That can be helpful for small business owners whose information is listed on their website, social media accounts or other digital locations.

“For hackers and fraudsters, email addresses are essential tools used to phish their target,” he said. “Because the ultimate guardian of the consumer is the consumer, this is another way to be proactive about protecting your identity and personal data.”

Over the years, some spammers have made an effort to scrape even strings containing “at” and “dot” in hopes of gaining access to email addresses, though sifting through this data to find actual addresses requires manual review and is time-consuming.

If you’re concerned about spammers getting your email information or phone number through this method, you can create an image of this data that bots can’t read. With this method, the only way for spammers to “harvest” your information is manually, which means you’re pretty safe.

The bottom line when it comes to keeping your information safe is staying vigilant. Check your financial and digital accounts regularly. Check your credit reports for free once a year with each of the major credit bureaus. Ensure the reports are accurate and that you recognize all the accounts. If you suspect there are mistakes, reach out to the bureaus (Experian, Equifax and TransUnion).

Finally, to monitor your credit more closely, you can use a free tool like Credit.com’s Credit Report Summary for a breakdown, updated monthly, of the information in your credit report, along with free credit scores. If you see your score drop for no reason, something could be up.

The post Does (at) Instead of @ Really Keep Spammers at Bay? appeared first on Credit.com.

The Vice President Got Phished — Are You Next?

Vice President Pence did what millions of us do every day. He clicked on a link in a phishing email.

America got mail this weekend, about 30 emails, according to reports. They were written as recently as last year by then-Governor Mike Pence and sent from his personal AOL account. While this is a political story, it is not about politics. It’s about a nationwide problem.

The emails, released to the Indianapolis Star in response to a public records request, include state business. The revelation is that Pence used his private email account to conduct business — an account we now know categorically was not secure from the prying eyes of hackers since, per various reports, it sent out emails saying Pence had been robbed overseas and was in need of money to get back home, a classic email scam you’ve no doubt heard of.

Pence’s Email Problems

The emails released by the Indy Star were addressed to Pence’s chief of staff and also his homeland security officer. As such, they open a window into Pence’s tenure as governor where there shouldn’t be one. Emails discussed political issues — like the resettlement of Syrian refugees — and other sensitive matters.

The news immediately resulted in public parades of schadenfreude on the left. After all, former Secretary of State Hillary Clinton arguably lost the election because of the same issue. But while there is plenty to make fun of here, there really is very little in the way of relevance between the two email stories.

While there have been more detailed tales of the tape between the two stories, you only need to know that former Secretary of State Clinton did something, that while legal, was strongly discouraged by her employer, the State Department, and what Pence did was under no such strictures — a sentiment Pence and his press secretary echoed in statements to the press. (Pence could not be reached for comment by Credit.com.)

What Pence & Clinton Have in Common With You

This latest email snafu is about control, but not over the flow of information, secrets or privileged access to information. It’s actually about an alarming lack of control. That lack of control has to be laid at the feet of information security experts who are tasked with keeping us safe.

We can do amazing things in the realm of coding, but somehow a fix to the phishing pandemic continues to elude us. The main reason for this is at least understandable: It’s a crime that preys on human nature — something that can’t be (reliably) coded.

Vice President Pence did what millions of us do every day. He clicked on a link in a phishing email, the victim of garden-variety social engineering. In doing so, he did us a favor, though it’s doubtful he will get much credit for it. He highlighted an area where our nation needs to do way more. Phishing is a national epidemic, and we all need to worry about it. If leaders of the free world can fall for this scam, so can you.

What’s Phishing — & How Can I Avoid it?

Phishing emails spoof legitimate companies or contacts in an attempt to get the recipient to click on a fraudster’s link. As I wrote about in my book, Swiped, you can probably spot a phishing email in your sleep, and you would no sooner click on a link in an email about suspicious activity on your bank account than you would leave your wallet in a crosswalk in Times Square.

However, best practices often fly out the window when it comes to salacious material about our favorite celebrities. Think about it this way: As you wander in the darker alleys and backstreets of the internet, where the risks should outweigh all other considerations, are you willing to forego sensible web behavior when the likely outcome will be catastrophic?

The main threat is malware. You can expect it to wind up on your computer if you decide to search the less safe parts of the internet for material that was never meant for your eyes anyway.

It may be something simple, like code that turns your computer into a spam distribution center, or a more serious app that will record your keystrokes (including when you log in to your bank, email, social networking, brokerage accounts, or the gubernatorial back office). There’s no way to know what you’re getting yourself into. The best course of action is to use your imagination — or possibly even your sense of what should be off-limits. Malware leads to identity theft and worse.

If you tend to chase breaking news stories and like to download the ephemera related to them (eyewitness photographs, blog posts), you may want to do a malware scan of your computer.

As a matter of fact, this kind of scanning should be a part of your habit of monitoring your various points of contact with the outside world — your attackable surface — regularly for signs of intrusion. (You can also monitor two of your free credit scores for foul play every two weeks on Credit.com.)

The lack of cybersecurity acumen manifested in the phishing of a governor should serve as a cautionary tale for everyone. Unless you are never off your guard, it’s highly likely that you will get scammed. The solution to the phishing pandemic is nowhere in sight. Be careful because the light at the end of the tunnel could well be the headlight of a bullet train.

This story is an Op/Ed contribution to Credit.com and does not necessarily represent the views of the company or its partners.

The post The Vice President Got Phished — Are You Next? appeared first on Credit.com.

How Your Netflix Obsession Could Get You Scammed

People in a rush to get back to binge-watching their favorite shows are the prime focus for this scam targeting Netflix users.

A new scam targeting Netflix users is being reported by a cyber-security company that says the scammers are trying to get credit card and other personal information.

FireEye Labs first reported the phishing scam earlier this week, saying customers should be wary of any emails asking them to update their Netflix member information. Netflix had not posted any guidance for customers on its blogs nor released an official statement at the time of this writing, but a representative sent us this: “Members who want to learn more about how to keep their personal information safe against phishing scams and other malicious activity can go to netflix.com/security or contact Customer Service directly.”

According to the FireEye Labs report, a link in the email being sent to Netflix members looks like an official Netflix web page but is not legitimate. The page asks users for:

  • The name on their credit card
  • Their credit card number
  • Card expiration date
  • 3-digit security code; and
  • Social Security number

According to FireEye, the email looks very realistic, and the phony site mimics the Netflix homepage, as shown in the screengrab FireEye published in its report.

According to FireEye, the phishing sites it referenced in its report are no longer active, but new scams like this pop up often. It’s important for consumers to know these things exist and be very careful about sharing sensitive personal or financial information.

How to Protect Yourself From Phishing & Other Scams

There are some standard best practices when it comes to protecting yourself from scams on the internet. These tips for better internet security are a good place to start. In a nutshell, it’s always a good idea to be suspicious, especially if a company is reaching out to you through email or text message. And until you’ve confirmed that the email, text or even phone call is legitimate, it’s wise to never give out personal data like your credit card or debit card numbers, date of birth, address or, worst of all, your Social Security number.

If you think you’ve been a victim of identity theft, you can monitor your credit scores for free by using Credit.com’s free credit report snapshot, or by paying for a complete credit report monitoring service, which includes your full credit report and daily alerts to monitor your credit.

The post How Your Netflix Obsession Could Get You Scammed appeared first on Credit.com.

The Surefire Trick to Avoiding Holiday Phishing Scams

Holiday phishing scams are nothing new — Americans just keep forgetting to be on the lookout for them.

Every year I dedicate a column to the scams of the holiday season, and every year the roundup gets bounced around the internet — all too often among friends who’ve been scammed. (For a rundown of what’s out there, check out last year’s post.)

So what’s new this year? Unfortunately, not very much.

There’s the latest holiday phishing scam, I guess. But really? It’s about as surprising as the President-elect’s reaction to Alec Baldwin’s impersonation of him on Saturday Night Live.

An email arrives telling you that there’s been a shipping problem with a gift item that you ordered online. In this particular ploy, there’s a link embedded in the email message that takes you to a bogus site that looks exactly like a real one that many people use for their holiday shopping. It doesn’t particularly matter which site. What matters is that the link leads to a page that doesn’t just look like the site. It is a perfect replica.

Sounds like every other phishing scam, right? Well, that’s the point of this year’s holiday scams column, folks. So, why are we still falling for these things?

It’s simple. Most people still don’t consider phishing scams to be a part of everyday life because most people have busy lives. If you live in an area where mosquitos spread the Zika virus, you’re hyper-aware of when they’re around. We all live in a phishing hole, yet we’re not constantly on guard against the various kinds of bait scammers throw out there — even though the damage caused by ransomware and other kinds of malware can be very serious.

It doesn’t matter how many times I say this. Most people don’t think scams are as ubiquitous as they are, and as a result, they tend to forget about them while they are going about their daily business. If only they kept malware and the constantly evolving delivery systems that bring it into our homes and offices top of mind, scam artists would quickly have to come up with a new game.

So let’s go back to this latest holiday phishing scam. How can it be avoided? You just have to look at the web address. But not the way your kids look at you when you ask them to do something. I mean, REALLY look at it. The only thing that’s different on this new scam site is the URL address.

There is a reason people never remember this. Scammers are smart, creative and persistent.

Social Engineering

Social engineering has nothing to do with any sort of “brave new world” scenario. It describes the hacker’s skill in the area of psychological manipulation.

The hacker’s exploits all work on emotion. In some cases, they will have gone on social media and figured out who you’re friends with. The next step is to send an email — either using your friend’s hijacked account, or just their name. You’ve seen these emails before. Your friend is on holiday and lost their wallet, or asks if everything is all right between you and your partner because they saw a picture (click the link and tell me, that IS your husband, right?). Maybe someone from college found a hilarious picture of you. The gambits are clever, playing on various emotions — fear, jealousy, curiosity.

The URL of a bogus site is something you might not notice this time of year because you are completely freaked out that a package is not going to arrive on time and someone’s holiday will be ruined. While you are still rattled, you are provided with a link and instructed to enter your name, address and credit card information. When you do that and hit send, the page redirects to the real site, and the scammer is given all the ammunition necessary to go on a shopping spree.

Reverse Engineering

The solution here is simple. Social engineering is only possible in a world where people don’t know they’re being targeted.

The first order of business is to remember you live in the phishing hole. You need to get into the mindset that you’re always one click away from getting got. As I write in my book, SWIPED: How to Protect Yourself in a World Full of Scammers, Phishers, and Identity Thieves, there are some very good tactics for avoiding scams, like going directly to websites in lieu of clicking URLs in emails, calling companies to verify they’re trying to contact you and refraining from over-sharing on social media.

If you believe you’ve been the victim of a scam, don’t brush it off. Monitor your credit report for signs of identity theft — mysterious addresses, unknown accounts opened up in your name. (You can do so by pulling your credit reports for free each year at AnnualCreditReport.com and viewing two of your free credit scores every 14 days on Credit.com.) Report any fraud to your local authorities and the Federal Trade Commission.

Also, help others avoid scams. Talk about the threats out there with your friends and family (even strangers on a bus) because public awareness is the only inoculation against the viruses and malware that are spread through phishing email.


The post The Surefire Trick to Avoiding Holiday Phishing Scams appeared first on Credit.com.

How to Avoid Cyber Monday Traps


This Black Friday, millions of shoppers will once again make the final seconds of a close football game look like a store window filled with clumsy puppies. And when they don’t find what they’re looking for, they’ll go online where, in addition to great deals, a cornucopia of scams await.

The migration from brick-and-mortar retailers to online shopping is pronounced. Last year set a record, with more than $3 billion in online sales. But that doesn’t mean people aren’t still hitting the stores — Black Friday wasn’t far behind in 2015 sales, at $2.74 billion.

As consumers increasingly finish their holiday shopping online — or even do the entirety of it there — the snares and pitfalls of Internet fraud have proliferated. But fraud isn’t the only worry.

The Mouse Buster

Whether you’re faced with a “Mouse Buster” or a good old-fashioned door buster, a compelling promotion involving “limited availability” of a hot item is not a scam — or at least it doesn’t have to be. That said, you have to stay aware so you know what it is you’re dealing with on Cyber Monday — and remember, scammers are counting on the fact that you will be too stressed to think straight.

All’s fair in the battle for the perfect gift during the holiday season. Retailers aren’t responsible for the decisions you make. Unless you come prepared knowing precisely what you want, how much you should reasonably pay and have an absolute budget, you may well find it nigh impossible to resist the wiles of the marketing geniuses who make their living selling you the non-essentials of life.

There will be deals online, and the promise of impossible-to-find items that disappear like a mirage: you arrive at the online oasis your favorite search engine suggested for “the toy that can be found nowhere,” and it immediately turns into the hard sell of desperation marketing for alternative items.

Whether you’re facing a door buster deal on a popular item or a mouse buster, the same principles apply. Know what you want and how much you should have to pay, and stick to those parameters.

Most importantly, keep your head on straight. Retailer shopping lures are tempting, but they are nothing compared to the trouble a clever phishing lure can cause. Remember: If it seems too good to be true, double check that the deal you’re being offered is real.

Phishing

At this point in the evolution of the phishing scam, it seems like we should be able to skip the particulars of scams, but the open and click-through rates on phishing emails and texts are still robust.

Part of the reason that’s true is because scammers are sophisticated, creative and persistent. Websites are replicated down to the last detail, and URLs are acquired that can pass muster as authentic — with things like a “1” replacing a lowercase L or adding an extra letter — even if you are looking at the URL to make sure you’re not being scammed. This applies whether you received an offer via text or email.

The rule of thumb here: If you get an offer via text or email, go online and visit the retailer by carefully and correctly typing in its address instead of clicking the link. If the text or email says that the only way to get the offer is through the link offered, chances are good that it’s a scam, because no retailer would chance losing a click-through because of a consumer’s fear of getting hacked. (And, if you think you have been hacked, monitor your credit for signs of identity theft. You can view your free credit report snapshot, updated every 14 days, on Credit.com.)

You Aren’t There

While millions of people take care of all their holiday shopping on Cyber Monday, the day is “traditionally” known as best for certain kinds of gifts: Electronics, beauty items, fashion accessories and travel. Bear in mind, some purchases are often better to make in person where you can check out an item and see if it does what you want it to or is the right size. You may also want to check out whether or not there are better deals on comparable products.

There are purchases that make sense online — a travel package is one that comes to mind, as you are de facto never there until you visit. But when it comes to a new TV or other item that is better seen, handled or experienced first-hand, it’s a good idea to go to a store that carries it to make sure it’s what you are looking for, even if you intend to make your purchase online.

At the end of the day, the key to successful Cyber Monday shopping is to stay on your A-game. Pay attention, do your homework, don’t get caught up in acquisition ecstasy and stick to your plan. And if your first plan for a purchase doesn’t work out, it’s a good idea to have a Plan B that wasn’t figured out by the retailer’s door buster strategy meetings.


The post How to Avoid Cyber Monday Traps appeared first on Credit.com.

6 Scams to Watch Out for This Summer

Summer will be here before you know it, and with it come new and old scams. As you consider possible escapes — travel to exotic places; trips to the beach, the mountains or the golf course; a staycation to get much needed work done around your house — bear in mind that these diversions provide the perfect opportunity for con artists and identity thieves just waiting to insinuate themselves into your life, becoming the sand in your picnic basket (or bathing suit) — a vacation-killing burn that no ointment can soothe.

Here are a few scams to be on the lookout for this summer.

1. Thanks for the Robocalls, Congress!

Thanks to a new provision slipped into important federal legislation, you may start receiving legitimate robocalls to your mobile phone — something that was previously forbidden by the Telephone Consumer Protection Act and the Fair Debt Collection Practices Act. According to Consumer Reports, buried in a recent Congressional Budget bill is a provision that allows loan servicers and other collectors of federal loan debt to use robocalls “to collect a debt owed to or guaranteed by the United States.”

While these calls will mostly target student loan borrowers, fearless fraudsters will certainly take advantage of this newly legal means to dial for dollars and try to extract money from those among us who don’t read Congressional Quarterly.

TIP: Caller ID is by no means a fail-safe protection. If someone calls you regarding money you allegedly owe, ask for the name of the debt holder, hang up, double-check that the number is legit online, and then call them directly.

2. Your New Chip Card Opens the Door for Fraud

There’s a newish phishing scam that has reared its ugly head in New York state, after a fairly long run on the road involving EMV chip cards. It’s a pretty straightforward phishing scam. The emails look authentic — that is, they appear to be from a bank with which you do business — and they target people who haven’t received their new chip cards. The ask: your personal information to authorize the new card. There may be a link, and if you click, it installs malware on your computer or mobile phone.

TIP: If you have your chip card already and this scam poses a threat to you, you have bigger issues. If you do not have your new card and receive an email or call about it, either go directly to the issuer’s site or call them directly and communicate with a representative. Don’t take the bait!

3. Summer Jobs & First Jobs

New college and high school graduates, and kids home for the summer exploring the job market — possibly for the first time — are getting duped into putting their personally identifiable information (PII) to work for fraudsters via fake job scams, according to a warning from the Better Business Bureau of Central Oklahoma. Sometimes the scam is focused on collecting PII to be used in identity-related crimes, but there are other scams that involve handing over bank account information.

TIP: Check out the company online, and don’t provide your bank account number or any other sensitive personal information. While I know this is incredibly painful for anyone born after 1980, pick up the phone and call your prospective employer.

4. A Moving Scam

A Georgia family learned the hard way that hiring a “man with a van” or any other mover can be risky business. According to the Atlanta Journal-Constitution, a woman who asked not to be identified hired movers she found through an online classified ad. They delivered her things, minus about $75,000 worth of personal items. Authorities later learned that the truck used by the suspects had been stolen shortly before the “job.”

TIP: Summertime is when many people choose to relocate. If you’re moving and you need help, hire a reputable company. And always check references.

5. Summer Rental Scam

Here’s an old favorite: You begin your search for a summer place way too late and assume there will be nothing available. But hold on — suddenly you fall upon the absolutely best summer rental ever! You reach the owner or realtor (it makes no difference to a scammer if he or she pretends to be one or the other), and you send a check to the address provided or wire money to an account. He or she then gives you the details about the place. Unfortunately, you have just rented a vacant lot or an empty warehouse. Or when you show up, you discover that you are but one of five families who also rented the house — or landfill.

TIP: If you get a real estate agent on the phone, get his or her license number and check it. Also request references if there are no reviews online, confirm that the address is real and the premises are truly available for rent. Use common sense.

6. Scalpers

Summertime is tour time for the record industry, and the hottest acts can sell out thanks to ticket brokers who hoard big blocks of seats for resale at extortionate prices seconds after they go on sale. While this isn’t a scam per se, it creates a fertile field for fraudsters, who offer tickets at more reasonable prices, though they’re often still more than face value. The only problem: They don’t have tickets, or at least not real ones.

TIP: If you are tempted to buy tickets secondhand, be exceedingly careful because there are all sorts of counterfeit tickets for sale. Go to reputable sites or deal with folks whom you trust and have established a relationship with.

The Takeaway

Unfortunately, in a world where identity theft has become a near certainty, the season is pretty much irrelevant. When it comes to scams and other kinds of fraud, it’s always open season on you.

Minimize the damage by monitoring your credit for signs of fraud. You can do so by pulling your credit reports for free each year at AnnualCreditReport.com, and viewing your credit scores, also for free, each month on Credit.com.


The post 6 Scams to Watch Out for This Summer appeared first on Credit.com.

The Typo That Can Get You Hacked


Here’s another reason to be extra careful about what you type into your web browser.

Cybersecurity firm Endgame has unearthed a new spin on the good old “typosquatting” scam — the practice of purchasing domain names similar to legitimate websites (think Gooogle.com) in hopes that a small keyboard snafu nets hackers access to your computer.

The new scam aims to install malware on devices after users accidentally type “.om” instead of “.com” after popular URLs. Endgame discovered the scheme after one of its employees mistakenly typed “Netflix.om” instead of Netflix.com when attempting to watch the latest season of House of Cards earlier this month.

Per a company blog post:

“He did not get a DNS resolution error, which would have indicated the domain he typed doesn’t exist.  Instead, due to the registration of “netflix.om” by a malicious actor, the domain resolved successfully. His browser was immediately redirected several times, and eventually landed on a ‘Flash Updater’ page with all the usual annoying (and to an untrained user, terrifying) scareware pop-ups.”

After doing some more research, Endgame found the streaming service wasn’t the only popular URL being “om’ed.” Though some sites bearing that ending were legitimate, 319 .om domains appeared to have some type of scheme attached to them. (Fake Flash Updates, for instance, are commonly linked to a well-known malware named Genio that attaches itself to web browsers and mines for data.)

You can see a full list of the potentially dangerous domains here. It’s important to note you could also be in trouble if you typed the “c”, but misplaced the period. (Example: bestbuyc.om or cnnc.om.) This particular typosquatting game was easy for hackers to play, Endgame said, since “.om” is the country-specific domain name for Oman.
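The lookalike patterns described on this page (".om" typed for ".com", a misplaced period as in bestbuyc.om, a "1" standing in for a lowercase L, an extra letter as in Gooogle.com) can be checked mechanically against the sites you actually use. The following is an added example, not code from Endgame or Credit.com: the allowlist, the function names and the verdict labels are assumptions, and netf1ix.com is a constructed sample.

```python
from urllib.parse import urlsplit

# Sites the user actually does business with (domains named in the articles).
TRUSTED = ("bestbuy.com", "cnn.com", "google.com", "netflix.com")
# Digits that read as letters at a glance, e.g. "1" standing in for "l".
DIGIT_FOR_LETTER = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def host_of(value):
    """Take a bare hostname or a full URL; return the lowercase host without 'www.'."""
    value = value.strip().lower()
    if "://" not in value:
        value = "//" + value  # lets urlsplit treat a bare hostname as the host
    host = (urlsplit(value).hostname or "").rstrip(".")
    return host[4:] if host.startswith("www.") else host


def one_edit_apart(a, b):
    """True for one inserted, dropped or changed character, or one adjacent swap."""
    if len(a) == len(b):
        diff = [i for i in range(len(a)) if a[i] != b[i]]
        if len(diff) == 1:
            return True
        return (len(diff) == 2 and diff[1] == diff[0] + 1
                and a[diff[0]] == b[diff[1]] and a[diff[1]] == b[diff[0]])
    short, long_ = sorted((a, b), key=len)
    if len(long_) - len(short) != 1:
        return False
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def classify(value):
    """Return (verdict, trusted domain that the host matches or imitates)."""
    host = host_of(value)
    for good in TRUSTED:
        if host == good or host.endswith("." + good):
            return ("trusted", good)
    labels = host.split(".")
    if len(labels) < 2:
        return ("unknown", None)
    # Assumption: the registered name is the last two labels (no public-suffix list).
    name, tld = labels[-2], labels[-1]
    for good in TRUSTED:
        brand = good.rsplit(".", 1)[0]
        if tld == "om" and name == brand:
            return ("dropped-c", good)            # netflix.om
        if tld == "om" and name == brand + "c":
            return ("misplaced-dot", good)        # bestbuyc.om
        if tld == "com" and name.translate(DIGIT_FOR_LETTER) == brand:
            return ("digit-for-letter", good)     # netf1ix.com (constructed)
        if tld == "com" and one_edit_apart(name, brand):
            return ("one-character-typo", good)   # gooogle.com
    return ("unknown", None)


if __name__ == "__main__":
    # Sample input: the first four come from the articles, the rest are constructed.
    for sample in ("Netflix.om", "bestbuyc.om", "cnnc.om", "Gooogle.com",
                   "http://www.netf1ix.com/account", "https://help.netflix.com/"):
        print(f"{sample:35} {classify(sample)}")
```

A verdict other than "trusted" is a reason to stop and type the address by hand; "unknown" only means the host resembles nothing on the allowlist, not that it is safe.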

Protecting Yourself

Phishing and malware schemes are common attempts by scammers to get your personal information. For better Internet safety, it’s generally recommended you stick to trusted and encrypted websites (double-check, of course, the spelling of each address); refrain from clicking on links in unsolicited emails and keep your security software up to date.

It’s also good to monitor financial accounts regularly for fraud, and keep a close eye on your credit since a sudden drop in credit scores or unfamiliar line items on a credit report are signs identity theft is occurring. (You can do so by pulling your credit reports for free each year at AnnualCreditReport.com and viewing your credit scores for free each month on Credit.com.) If you have fallen victim to an Internet scam, you might also consider freezing your credit reports to keep new accounts from being opened in your name. And you can go here to learn what to do if you’ve already spotted identity theft on your credit report.


The post The Typo That Can Get You Hacked appeared first on Credit.com.

Tax Email Scams Are Up 400%


Filers beware: There’s a good chance there’s a tax scam email in your inbox.

According to the Internal Revenue Service, there’s been an approximate 400% surge in phishing and malware incidents so far this tax season. In other words, plenty of thieves are currently sending out texts and emails under the guise of the IRS or other tax industry players this year. These messages are an attempt to steal personal information or data related to your tax refunds, filing status, transcripts and/or PIN information either directly or through malware that gets downloaded onto your computer when you click on infected links. The information can be used to file false tax returns.

“Watch out for fraudsters slipping these official-looking emails into inboxes, trying to confuse people at the very time they work on their taxes,” IRS Commissioner John Koskinen said in a consumer alert re-issued earlier this week. “We urge people not to click on these emails.”

Tax Fraud on the Rise

The IRS’s findings aren’t exactly surprising. The agency announced earlier this year that it’s anticipating $21 billion in tax refund fraud this year. And, just this month, Intuit warned consumers that a fake TurboTax email was making the rounds. Still, the stats should inspire everyone to be a little more careful about what they click on this tax season. Per the agency’s latest consumer alert:

  • There were 1,026 incidents reported in January, up from 254 a year earlier.
  • The trend continued in February, nearly doubling the reported number of incidents compared to a year ago. In all, 363 incidents were reported from Feb. 1 to Feb. 16, compared to the 201 incidents reported for the entire month of February 2015.
  • This year’s 1,389 incidents have already topped the 2014 yearly total of 1,361, and they are halfway to matching the 2015 total of 2,748.

How to Spot a Tax Scam Email

Fortunately, there are a few simple ways to spot a tax scam email. For starters, be extremely skeptical of any emails purportedly from the IRS. The agency says it generally does not initiate contact with taxpayers by email regarding personal or financial information. Be similarly wary of emails that ask you to update important tax information by clicking on a link. (Recent scam emails the IRS has come across included subject lines referencing “Get my E-file Pin,” “Order a transcript” and “Get my IP Pin.”) And look for typos or misspellings in the body of the message — they’re a big sign something is amiss.

If you do receive a shady email, refrain from clicking on any link and, instead, forward it to phishing@irs.gov.

Remember, filing your taxes as early as possible is the best way to minimize the odds of falling victim to taxpayer identity theft. But, if you have reason to believe your personal information was compromised, you should keep an eye on your credit. A sudden drop in credit scores is a sign your identity has been stolen. You can monitor your standing by viewing your two free credit scores each month on Credit.com.


The post Tax Email Scams Are Up 400% appeared first on Credit.com.