Fraud Topics

Click each item to learn more. Topics are listed in order of occurrence on WHBL. For general tips for staying safe from fraud, also see our Fraud Prevention page.

Recent Scams and Summer Travel Safety (05/25/23)

Recent Scams

Imposter phishing scams remain the most frequent attack vector being reported to law enforcement. Recent examples include:

UPS shipment – claims you have a package on hold, need to reschedule and pay an extra fee
Costco survey – invited to take survey and win a reward (typical iPhone, smart watch, etc.)
Amazon security alert – “Your account has been accessed from another device, click here to verify”
Password expiration – impersonating several well-known companies claiming you need to update password

Tips to stay safe:

Never, ever, ever click on links in unsolicited text messages or emails.
Only use official websites or apps.
Free gifts are always a red flag.
Consider using security software that helps safeguard against malicious and fraudulent websites, as well as viruses and spyware.

Summer Travel Safety

When you’re on vacation this summer, don’t take a vacation from keeping you and your money safe. Here are a few tips to help prevent fraud:

When booking travel, stick to name brand travel sites or book directly with the airline, hotel, or car rental; avoid unsolicited email deals.
Consider a mail hold – visit usps.com/manage/hold-mail.htm for details.
Use a credit card, not cash or debit card, for added fraud/theft protection; make sure your bank or credit card company has your current email/phone to notify you in case of fraud.
Lock your smart phone or tablet (with biometrics or six-digit code), turn off automatic connection to Wi-Fi, use only cellular data or private, password-protected Wi-Fi, and avoid unsecured public Wi-Fi; consider using a VPN client.
Watch out for data skimmers at public charging stations; bring your own portable charger.

Click here to go back to the top of the page.

Phishing Email Trends and QR Codes (05/11/23)

Phishing Email Trends

During the past few weeks, the most prevalent threat type seen in phishing email attachments can be classified as FakePage, at just over 60%. Fake pages are web pages where cybercriminals imitate the screen layout, logo, and font of the real login pages or advertising pages, leading users to enter their account and password information. The input information is sent to the criminal’s server, or used to induce victims to access other fake websites. InfoStealers were second in line, at around 15%. This form of malware resides on your computer and gathers data saved in web browsers, emails, and social media accounts, and leaks it to the attacker.

The majority of these phishing emails contain hyperlinks to direct you to launch the malware, or send you to a fake website. Some of the most common subject lines include:

Upgrade required
FedEx / UPS / DHL shipment notice
Invoice
Urgent
Overdue payment
Deactivation notice
Congratulations

Attacks using phishing emails are disguised with content that can easily deceive users, such as invoices and shipping notices, to induce users to access fake login pages or execute malware. Fake login pages are constantly evolving to closely resemble the original pages. The attackers pack malware in compressed file formats to escape the attachment scans of users’ security products. To mitigate the risks of these cyber threats:

Do not click on links and attachments in emails from unverified senders.
Do not enter sensitive data, such as login account credentials or financial information, unless you’re confident you’re on the legitimate site.
Do not click on email attachments with unfamiliar file extensions.
Use a comprehensive anti-virus software and update it regularly.

Another threat to be aware of are Disguised Image Files. This type of malware is an executable file disguised as an image (eg. image.gif.pif) that is designed to initiate a computer worm. Worms can spread across devices on a network and install spyware and ransomware, delete files, and steal data. Typically, cybercriminals arouse the curiosity of users through eye-catching messages to entice users to click on what appear to be links to images, but in reality, execute the malware. As such, users are advised to take closer looks at the file names of email attachments before opening them and also check if the attachments are related to the subject of the email.

The Dangers of QR codes

As QR codes continue to be heavily used by legitimate organizations, scammers have adapted to abuse this technology for their criminal purposes. A QR (quick response) code is a two-dimensional bar code that can be used for a variety of applications, including opening a web page.

Scammers may post QR codes at restaurants, public venues, or even on your car’s windshield, trying to entice you to scan the code. They may promise a discount or offer free stuff – in reality, they are after your data; or worse, they will convince you to download a third-party app that could drain you bank account.

Use caution when scanning QR codes, especially those posted in public places.
Never download an app using a QR code; use your phone’s app store instead.
And don’t download a QR reader – most phones have a built-in scanner in the camera.
Avoid using QR codes to pay bills, or access financial websites.

Click here to go back to the top of the page.

Searching with Google and Phishing Texts (04/27/23)

Be Careful When Searching with Google

With about 80-90% of the online search market share, Google is undoubtedly the most popular search engine – no other service comes close. The word “google” has become a verb, synonymous with performing an internet query; and Google.com is the most visited website in the world.

According to the most recent statistics, over 90,000 Google searches occur every second…that’s almost 8 billion searches per day. This popularity, unfortunately, means that cybercriminals have found ways to exploit Google’s dominance to victimize unsuspecting users.

Cybercriminals are incredibly creative when trying to trick people into visiting counterfeit websites or clicking on malicious links. One of their tactics is to try to get malicious sponsored ads to appear in Google search results. Typically, a website’s ranking in Google searches depends on several factors, such as monthly users, trustworthiness and the frequency of content. But that ranking can easily be circumvented by paying for a website to rank higher.

Because these sponsored links occur at the top of the search results, people are more inclined to click these links, not realizing it’s a sponsored ad. And since Google doesn’t vet everyone who buys an ad, clicking these sponsored results can be dangerous. They can direct you to imposter websites designed to collect your personal information, or they can download malicious software to your device.

These threats affect businesses and consumers alike. Businesses can be targeted for ransomware attacks; criminals also want your personal data.

Here are three tips on how to mitigate this risk:

Avoid clicking on sponsored links – instead type the web address directly into your browser.
If you’re unsure about a link, hover over it to see where it goes.
Sometimes clicking on a link will result in a pop-up claiming you have a virus – this is almost always a scam. Never call the number or click on any links included in the message. Instead, close your browser immediately and run a scan using your anti-virus software; make sure your AVS is up-to-date.

Phishing Text Messages

Reminder: The police department has received several reports of phishing text messages recently, claiming to be from a government agency or well-known companies. NEVER, NEVER, EVER CLICK THESE LINKS. Instead, if you think there might be a problem, use the website or phone number you now to be legitimate to contact that organization directly.

Click here to go back to the top of the page.

Internet of Things (IoT) Review (04/13/23)

The Internet of Things describes a class of devices with built-in network connectivity that are able to send and receive data. These devices are present in manufacturing, health care, government, and in our homes. The most common IoT device is a cell phone – some other common household examples include:

Home hubs, like Amazon Alexa and Google Home
Televisions and speakers
Security cameras
Thermostats
Light bulbs
Refrigerators

As the technology advances, things like cars, utility meters, and even medical equipment have been included in IoT’s. The number one concern with using these devices is security. Since the idea of networking all these devices is fairly new, security has not always been a top priority when designing these devices. And unfortunately, many vendors often prioritize ease of use and functionality over security. Many devices like cameras (think baby monitors and security cameras) often come with well-known, default passwords that many end-users do not change. Other devices come with no password. In addition, many end-users forget or simply don’t take the time to update the firmware on the device. Since most IoT devices connect to apps on your smartphone or tablet, make sure you have reputable internet security software installed on these devices. Set-up two-factor authentication, and know what data these apps are collecting, and how they use and store that data.

What can you do to add security?

Set-up a secure WiFi router. Your router is like the front door to your home network and needs to be secure. Use a strong encryption method like (WPA2)–WiFi Protected Access and change default usernames and passwords. Also consider setting up a guest network or use a second router (FBI recommendation). This provides increased security. Your fridge and your laptop should not share the same network.
Review the terms of service, default privacy, and security settings of your devices.
Research products carefully before buying – know what steps the manufacturer has taken to protect your privacy.
Update firmware and buy the most up-to-date devices. Avoid used or refurbished devices. Remove old, unsupported devices from your network.

Another major concern is privacy. Before using one of these devices, educate yourself about the following:

What data does the device collect?
Can the data be deleted, or collection disabled?
What are the security vulnerabilities?
Is there support for updates?

Log into the device’s app or website and review what data is collected. Consider limiting or regularly deleting the data that is collected.

Click here to go back to the top of the page.

Popular Cybersecurity Terms (03/23/23)

When discussing strategies for staying safe online, experts may use terms that you are not familiar with. The following is a list of some of the more frequently used terms, and their definitions.

Social Engineering – The art of manipulating a person to take some action, typically involving a breach of security, sending money, or divulging private information.

Phishing – A social engineering tactic designed to collect sensitive information from victims, such as log-in credentials, credit card information, system configuration details, or other personal identity information. Attack vectors include e-mail, text messages (“smishing”), voice calls (“vishing”), or through social media. Phishing attacks are often successful because they mimic legitimate communications from trusted entities or groups.

Malware – Malicious software. Malware is a general term for any computer code created for the specific purpose of causing harm, disclosing information, or otherwise violating the security or stability of a system. Malware includes a wide range of types of malicious programs including: viruses, worms, Trojan horses, ransomware, and spyware.

Spoofing – The act of falsifying the identity of the source of a communication or interaction. It is possible to spoof a phone number, email address, and IP or MAC address.

VPN (Virtual Private Network) – A secure, often encrypted, connection between a device and another network. A VPN prevents unauthorized people from eavesdropping on your internet traffic and makes it more difficult for third parties to track your activity online.

Firewall – A security device, either hardware (router) or software, that filters network traffic based on pre-established security rules and can block outside threats from gaining access to your computer.

Two-factor, or Multi-factor, Authentication – A means of verifying a user’s identity by requiring a combination of two or more credentials to access a system or account. Often, valid authentication factors include: (1) something you know, such as a password or PIN; (2) something you have, such as a smart cards or token; and (3) something you are, such as fingerprints or facial scan (aka biometrics).

Click here to go back to the top of the page.

Credit Card Data Leak and Healthcare Fraud (03/09/23)

Large Credit Card Leak

Last week, a criminal site known as BidenCash, which uses the president’s name and likeness to trade in stolen data on the dark web, leaked over two million credit and debit cards online. The data dump includes full names and unique email addresses, as well as card numbers, including expiration dates and CVV’s (card verification value). Criminals can obviously use this data to commit financial fraud; however, they can also use it to complete dossiers about you using other leaked data to commit identity theft

A consumer advocate organization analyzed the data and estimates approximately 30% of the cards are valid working card numbers. While this number may seem low, that still equates to almost three-quarters of a million card numbers, the majority of which involve Americans.

What can you do to protect yourself?

Monitor your card activity – sign-up for alerts (use the bank’s app).
Be wary of phishing attempts related to this data leak.
Check your credit report at annualcreditreport.com. Sign up for a free Credit Karma account to monitor your credit for free.
Consider a credit freeze.

Health care fraud

You may get a bill for medical exams, procedures, and prescription drugs that you never received; or you may receive a call or email regarding your Medicare account. Sometimes providers commit fraud by double-billing, phantom billing, and upcoding. Scammers also use several tactics to get your personal information, including:

“You’re eligible for discounted health insurance.”
“Your Medicare card has expired, or your coverage is about to be cancelled.”
“You qualify for free medical supplies or medication.”

Remember these tips:

Never surrender Social Security, Medicare, or health insurance numbers to anyone you don’t know and trust.
Medicare doesn’t call you – you call them.
Review your EOB’s.
Report suspected fraud to your insurer or Medicare, or to the FBI.
Consider a credit freeze.

Click here to go back to the top of the page.

Tax Fraud and Local Case Review (02/23/23)

Filing Your Taxes Safely and Securely

You are ultimately responsible for all the information on your tax return, no matter who prepares it, so choose a tax preparer wisely. Check their qualifications and review your return before the tax preparer signs it; never sign a blank return.

Be wary of W2 phishing scams. Scammers may pose as someone high up in a company or organization and send emails asking for copies of W2 forms. Never send this type of information without verifying the legitimacy of the request.

There are also numerous IRS phishing scams. Typically, the recipient with receive an “urgent” email claiming to be from the IRS. This usually involves instructions to click on a link and/or fill out a form.

Some tactics include: “IRS needs to update online profile,” “you qualify for a refund,” “your credit card was fraudulently used,” or “you’re due a large sum of money.”

Look for generic greetings, poor grammar or typos, or conflicting web addresses. Never click, download files, or reply. The IRS will never initiate contact via email, text, or social media.

Set up an IP PIN (Identity Protection Personal Information Number) at irs.gov.

Review of Recent PayPal Scam

In this case, the victim (VC) somehow logged into a fraudulent PayPal account and saw “unauthorized” transactions. The VC called customer service number on website and was prompted to call PayPal security representative, who directed VC to download app. This app allowed the criminal to remotely access VC’s computer under the guise of helping with fraud.

The criminal advised VC that someone was trying to take out a loan and that VC would be liable and needed VC to cover loan amount while it was investigated – said they’d eventually get money back. He convinced VC to wire transfer two amounts of $33,000 and $17,500, and then convinced VC to make two separate purchases of gift cards, totaling $5,000 each.

VC credit card company denied initial gift card purchase as likely fraudulent, however VC called credit card company to say it was legitimate and the transactions were approved.

The criminals wanted more money ($22,000), and inquired about retirement accounts. They convinced VC to open online checking account for purpose of transferring money from retirement accounts. Luckily VC did not transfer this additional money and made a report to the police.

Click here to go back to the top of the page.

SIM Swapping, Romance Scams, and Tax Fraud (02/09/23)

SIM Swapping

SIM swapping occurs when a criminal is able to take control of your phone service by impersonating you and tricking your service provider into activating a new SIM card, connected to your phone number, on a new phone. They may call your provider and say your phone was lost or damaged and ask to activate the new SIM. Why is this a big deal?

Many of us rely on two-factor authentication to keep our important online accounts secure. Two-factor authentication usually involves receiving a numeric code as a text or email from the account you are trying to access, in order to verify your identity. This is usually a decent form of protection, but if a criminal is able to take over control of your phone number and email, they then have access to those codes and can access your bank accounts, social media accounts, and email.

Currently, with the number of recent data breaches, particularly involving T-Mobile customers, there is enough information out there for a criminal to pretty easily trick your provider into allowing the account takeover. In late January, T-Mobile announced that it suffered a data breach that began in November 2022 and affected 37 million customers. Criminals got customers’ names, dates of birth, billing addresses and phone numbers, email addresses, account numbers, and service plan details. So, what can you do?

The good news is, most cell phone service providers offer some security measures to defeat fraudulent SIM swaps. In the case of T-Mobile, they offer services call Account Takeover Protection and SIM Protection. But not all of these services are created equal and offer varying levels of protection. In the end, protecting yourself begins with safe-guarding your personal information:

Use strong and unique passwords and change them often.
Educate yourself about phishing techniques designed to trick you into providing personal information.
Don’t rely on two-factor authentication alone to secure your accounts – consider biometric authentication, authentication apps, and setting up a PIN as added levels of security.

Romance Scams

With Valentine’s Day approaching, scammers are busy preparing to take advantage of those looking for romance. From fake websites selling romantic gifts to exploiting individuals looking for companionship, scammers utilize a variety of tactics to trick people into giving up their money. The scammer might:

Make excuses why they can’t meet in person.
Ask you to leave a dating site or social media to communicate directly.
Request money, usually in ways that are hard to trace or get back. NEVER send money to someone you have not met in person.

When shopping online, before you make a purchase:

Double-check reviews for the website.
Be suspicious of “too-good-to-be-true” deals.
Use a credit card – do not pay with Venmo or PayPal.

Tax Fraud

Visit our Facebook page for a briefing on tax fraud – click here for more info.

Click here to go back to the top of the page.

Safer Internet Day and Three Scams to Be Aware Of (01/26/23)

Safer Internet Day is Tuesday, February 7^th. The purpose of this global event is to bring awareness to strategies for creating an internet where people can come together safely to share information and ideas. This year’s theme is “Together for a Better Internet.” A few of the topics being focused on include:

Media literacy and critical thinking (responsible creation/consumption of information)
Civility (bullying and harassment)
Wellness and self-respect (impact of influencers and celebrities)
Scams and predators (phishing and child exploitation)

Use this opportunity to talk with your family about how they are using the internet, and discuss the following questions:

What are your favorite apps and websites? Who do you follow online? Where do you get your information from?
How are you protecting your privacy? Do you know how to change the privacy settings on your devices (tracking, location services)? Have you read, and do you understand, the privacy policies of the web sites you visit and the apps you use?
Are you able to spot phishing emails or texts? How to you deal with spam messages?
Do you know how to report abusive or threatening content? Who would you tell?

ConnectSafely is the official U.S. host of Safer Internet Day. Their website contains resources to help parents and educators discuss these topics with kids and teens. These resources include parent guides for a variety of apps, services, and platforms that are popular with kids. They also have posted a series of quick guides, some of which are linked below:

Click here to go back to the top of the page.

Five Phishing Scams You Need to Know About (01/12/23)

Phishing is a type of fraud that involves someone trying to trick you into giving scammers personal or financial information, like passwords and credit card numbers. Cybercriminals may do this by sending you an email or text message that looks like it’s from a trusted person or business, or by creating a fake website that looks legitimate. Here are five versions of phishing attacks that involve well-known companies:

American Express (security alert)

You may receive an email claiming your account is on hold due to outdated or incorrect information. The email includes link to click for account verification, but clicking the link takes you to a fake AmEx page, where scammers can record all the log-in information you submit.

Amazon (security alert)

Similarly, you may receive a text or email alerting you that your account has been locked due to “suspicious activity” on your account. Clicking on the link will take you to fake log-in page which could expose your account credentials.

Netflix (security alert)

In this scenario, criminals will send you a text message claiming your Netflix membership has ended due to trouble with account information. The message includes a link to validate your account information, and the link directs you to fake log-in page.

Costco (gift card scam)

This scam involves receiving an email offering a $90 gift card for participating in online survey. But, by clicking on the links in the email, you will be directed to a fraudulent survey site where you’ll be asked to enter personal information.

Walmart (delivery scam)

Finally, in this example, scammers send text messages informing you that your shipment was delivered to a drop-off point – the message may include a link to view the “pick-up location”. Following the link takes you to fake page where you are asked to enter your address and credit card information, and to take a survey, which may expose additional sensitive information.

You can identify these scams by looking for these indicators:

Most fraudulent messages contain spelling or grammatical errors.
These messages convey a sense of urgency.
Double-check senders email address to see if it matches the organization they claim to be representing.
Pay close attention to URL’s – are they legitimate?

To help prevent yourself from falling for one of these scams:

Never click on any links in unsolicited emails or text messages.
Visit the official website or app instead.
If you’ve already clicked on a suspicious link, change your password as soon as possible.
Consider a credit freeze.

Click here to go back to the top of the page.

Holiday Scams (12/08/22)

Be Mindful of These Holiday Scams:

Misleading social media ads: As you scroll through your social media feed, you often see products advertised. Always research before you buy. There are countless reports of people paying for items that they never receive, getting charged monthly for a free trial they never signed up for, or receiving an item that is counterfeit or much different from the one advertised. The 2022 BBB Online Scams Report found that online purchase scams were the most common cons reported to Scam Tracker. Before ordering, check out the business profile on BBB.org and read the reviews.

Social media gift exchanges: Each holiday season this scheme pops back up, and this year is no different. A newer version of this scam revolves around exchanging bottles of wine; another suggests purchasing $10 gifts online. Another twist asks you to submit your email into a list where participants get to pick a name and send money to strangers to “pay it forward.” There is even a twist about “Secret Santa Dog” where you buy a $10 gift for your “secret dog.”

In all of these versions, participants unwittingly share their personal information, along with those of their family members and friends, and are further tricked into buying and shipping gifts or money to unknown individuals. And– it’s an illegal pyramid scheme.

Holiday apps: Apple’s App Store and Google Play list dozens of holiday-themed apps where children can video chat live with Santa, light the menorah, watch Santa feed live reindeer, track his sleigh on Christmas Eve, or relay their holiday wish lists. Review privacy policies to see what information will be collected. Be wary of free apps, as they can sometimes contain more advertising than apps that require a nominal fee. Free apps can also contain malware.

Alerts about compromised accounts: BBB has been receiving reports on Scam Tracker about a con claiming your Amazon, Paypal, Netflix or bank account has been compromised. Victims receive an email, call, or text message which explains that there has been suspicious activity on one of their accounts, and it further urges them to take immediate action to prevent the account from being compromised. Be extra cautious about unsolicited calls, emails, and texts.

Free gift cards: Nothing brings good cheer like the word “FREE.” Scammers have been known to take advantage of this weakness by sending bulk phishing emails requesting personal information to receive free gift cards. In some of these emails, scammers impersonate legitimate companies and promise gift cards to reward their loyal customers. They may also use pop-up ads or send text messages with links saying you were randomly selected as the winner for a prize. If you have received an unsolicited email with gift card offers, do not open it. Instead, mark it as spam or junk. However, if you opened the email, do not click on any links.

Temporary holiday jobs: Retailers typically hire seasonal workers to help meet the demands of holiday shoppers. Shippers and delivery services are top holiday employers this year because of the increase in online orders and the need to get most of these packages delivered before Christmas. These jobs are a great way to make extra money, sometimes with the possibility of turning into a long-term employment opportunity. However, job seekers need to be wary of employment scams aimed at stealing money and personal information from job applicants. Keep an eye out for opportunities that seem too good to be true.

Look-alike websites: The holiday season brings endless emails offering deals, sales, and bargains. Be wary of emails with links enclosed. Some may lead to look-alike websites created by scammers to trick people into downloading malware, making dead-end purchases, and sharing private information. If you are uncertain about the email, do not click any of the links. Instead, hover over them to see where they reroute.

Fake charities: The last few weeks of the year is a busy time for charitable donations. Donors are advised to look out for fraudulent charities and scammers pretending to be individuals in need. Avoid impromptu donation decisions to unfamiliar organizations. Responsible organizations will welcome a gift tomorrow as much as they do today. Verify a charity at BBB’s Give.org – where possible, donate to the charity through their website and use a credit card.

Fake shipping notifications: More consumers are making purchases online, and there is also an increase in the number of notifications about shipping details from retailers and carriers. Scammers are using this new surge to send phishing emails with links enclosed that may allow unwanted access to your private information or download malware onto your device. They may also try to trick people into paying new shipping fees.

Click here to go back to the top of the page.

Sextortion Targeting Adolescents (11/17/22)

Sextortion describes a crime that happens when someone threatens to expose sexual images in order to blackmail a person. Statistics suggest that this crime often goes unreported, however and that about a quarter of victims include children age 13 or younger. Teenage boys have been the most common targets in recent cases reported to the national Cyber Tipline. Incidents involving adolescents frequently begin when the criminal connects with a child or teen over an online game, app, or social media account. Through deception, manipulation, or threats, the criminal convinces the young person to produce an explicit video or image. Sometimes, the explicit content is shared voluntarily, with the expectation that it remains private. However, sometime these images are shared without consent, which results in opportunities for extortion. Young people don’t seem to have a guarded mentality when it comes to engaging with strangers they meet on the internet, and generally feel less inhibited about sharing content online.

Tragically, there has been a dramatic increase in adolescent suicide as a result of these incidents. Kids often lack the maturity and foresight to appreciate the consequences of engaging in sharing explicit images. There are even cases of criminal gangs based overseas targeting families of teenage victims who took their own lives after sending nude images.

What can you do as a parent?

Most importantly, make sure you talk with you kids about their online activities. And let them know that whatever mistakes they make online, nothing is worth their lives. Candidly discuss what they should do if someone ever tries to use a photo of them to get them to do something they don’t want to do.

The people that commit these crimes have studied how to reach and target children. Online accounts are easily faked and criminals often offer money or gifts to earn trust. Teach your kids to be extremely cautious when speaking with someone online that they have not met in person. Consider blocking strangers that try to connect.

Kids and teens should:

Be selective what information you share online – make you accounts private.
Know that people can pretend to be anyone or anything online.
Be suspicious of people you meet on one game or app who ask you to start talking to them on a different platform.
Realize that any content you create online can be made public – don’t trust someone to keep it private.
Be willing to ask for help.

Click here to go back to the top of the page.

Brand Phishing, Data Backups, Loan Forgiveness (11/03/22)

Brand Phishing Attacks – The Most Common Form of Social Engineering

In a brand phishing attack, criminals try to imitate the official website of a well-known brand by using a similar domain name or URL and web-page design to the genuine site. The link to the fake website can be sent to targeted individuals:

by email or text message,
a user can be redirected during web browsing,
or it may be triggered from a fraudulent mobile application.

The fake website often contains a form intended to steal users’ credentials, payment details, or other personal information. In the third quarter of 2022, the top phishing brands included (globally):

DHL (22%)
Microsoft (16%)
LinkedIn (11%)

LinkedIn lead brands in the first two quarters of the year, illustrating that cybercriminals will often switch tactics to increases their chances of success. Shipping is one of the top industry sectors for brand phishing, second only to technology. As we head into the busiest retail period of the year, criminals will undoubtedly employ shipping related scams in their efforts to take advantage of online shoppers.

The use of phishing via text messages (smishing) creates even more opportunity:

People may be distracted, and on the move.
There’s no way to check for a fake sender domain (only a phone number, which is easily faked).
There are typically fewer words in a text, and therefore fewer opportunities to spot poor grammar.
There’s no logo for the bad guys to spoof.

To reduce you risk of falling victim to these delivery scams:

Don’t click on links to enter personal information, including login credentials and financial information, from an unsolicited email or text message.
Watch for the tell-tale signs of a phishing scam: urgency, out-of-the-blue requests for financial or other information, imposter URLs, spelling and grammatical errors, and requests for money in return for delivery.
If you receive an email that looks suspicious, visit the official website of the delivery company rather than follow a link embedded into the message.
Regularly perform back-ups and install reputable security software on all your devices.

3-2-1 Rule for Data Back-ups

Whether you are a large company or an individual, we all could be susceptible to ransomware. When it comes to backing up data, the best practice is to follow the 3-2-1 rule, which involves creating a minimum of three backups of data, in at least 2 different locations, with one of those copies stored securely in a secondary location. The three backups consist of the primary backup and at least two copies. For individuals, this means at minimum creating periodic back-ups on your device, on some type of external drive, and to the cloud. For businesses and organizations, real-time back-ups are recommended. A recent survey found that only about 1 in 5 organizations follow this 3-2-1 rule, putting them at significant risk. Paying a ransom for data is dependent on many factors, but past incidents show that only about 8% of companies were able to recover their data after paying a ransom.

Student Loan Forgiveness Scam Update

The Better Business Bureau states that victims of student loan forgiveness scams are reporting that the scammers have the victim’s social security number, graduation date, and FAFSA information. In most cases, the criminals try to get victims to pay fees to enroll in the program. Remember:

Never pay fees for a free government program.
When in doubt, contact the government agency directly – visit ED.gov or StudentAid.gov.

Click here to go back to the top of the page.

October is Cybersecurity Awareness Month (10/20/22)

Cybersecurity is the practice of protecting networks, devices, and data from unauthorized access or criminal use. Cybersecurity is making sure that your online presence, your smart devices, your information in cyber space stays safe and out of the hands of the wrong people.

What are the potential threats?

Phishing: Phishing attacks use emails and malicious websites that appear to be trusted organizations, such as charity organizations or online stores, to obtain user personal information.
Malware: A computer can be damaged or the information it contains harmed by malicious code (also known as malware); a malicious program can be a virus, a worm, or a Trojan horse.
Identity Theft and Scams: Identity theft and scams are crimes of opportunity and even those who never use computers can be victims. There are several ways criminals can access your information, including stealing your wallet, overhearing your phone call, dumpster diving (looking in your trash) or picking up a receipt that contains your account number.

What can I do to lower my risk?

Use and maintain anti-virus software and a firewall: update as soon as possible to prevent hackers from exploiting known issues or vulnerabilities; set-up an automatic, regular spyware scanning routine to catch vulnerabilities.
Use strong passwords: use a different password for every site; passwords should be at least 10-12 characters in length and contain letters, numbers, and symbols – consider a passphrase; utilize a password manager to create and store passwords
Avoid public wi-fi: With little effort, hackers can easily exploit public wi-fi to gain access to your computer; they can even trick you into connecting to what appears to be a legitimate wi-fi access point; if you must use public wi-fi, avoid entering sensitive data (passwords, financial info) and use a VPN.
Establish computer usage guidelines: Help children understand how to use the computer, other connected devices, and the internet safely; have candid, age appropriate conversations with younger users to help them understand the do’s and don’ts of cybersecurity.
Back-up your data: back-up frequently to a physical hard drive, not just the cloud; if your device is lost or stolen, or you are the victim of ransomware attack, you will still have access to your important data.

Current Scams

Open enrollment (insurance)
Student loan forgiveness
Hurricane relief

Click here to go back to the top of the page.

“Brushing” and “Pig Butchering”: Two Scam Techniques You Need to be Aware of (10/06/22)

“Brushing” Scams

In a brushing scam, an online retailer sends people items and products they didn’t purchase in order to fraudulently improve their store’s ratings. Creating a fake transaction and mailing the item to a random person gives the seller credit for a sale, which boosts that seller’s rating on online marketplaces like Amazon.
They may also write a fake positive review of the item in the recipient’s name to increase their rating even more. The intention is to give the impression that the recipient is a verified buyer who has written positive online reviews of the merchandise.
The term “brushing” comes from a translation of the Chinese word for cleaning, similar to how in English we talk about money laundering, e.g. the transaction is “cleaned.”
Brushing scams are illegal in the U.S., but enforcement is difficult as most brushing scams are committed by overseas sellers. Amazon and other online marketplaces prohibit brushing scams, so reporting the incident to the platform is the best way to hold that seller accountable.
If you receive an item you didn’t order, it could mean that your personal information was compromised, or just that a scammer found your information on a public data broker site for free.
What should you do if you receive an unsolicited package? First, check the package to see if it was delivered to you by mistake, in which case it’s not yours to keep. On the other hand, if it’s addressed to you and you didn’t order it, you can choose to keep or discard the item, or you can try to return it to the sender if a return address is listed.

“Pig Butchering”

Pig Butchering is a technique used by criminals in which they build up trust with their victim, before pressuring them to give up increasingly bigger sums of money. This can be under the pretext of a romance scam, investment scam, or other imposter scam – the phrase alludes to the practice of fattening a hog before slaughter.
This con begins with the scammer creating a fake online persona; they then start sending messages to people on social media or dating sites, or may use other messaging apps like WhatsApp to pretend to have stumbled on a “wrong number.”
Once connected, the scammer will start-up conversations hoping to gain the target’s trust, often initiating benign chats about life, family, and work; they hope to use this information later to manipulate their victims.
Eventually, the scammers will re-direct the conversation to an investment opportunity and convince the target to open a brokerage account, which is fraudulent and controlled by the scammer. Soon, the victims of this scam are being instructed how to wire money from their bank account to a crypto wallet and eventually to the fake brokerage account.
Over time, the scammers work to manipulate victims into investing more and more, exploiting their targets’ emotional and financial vulnerabilities. The scammers may promise risk-free investments with high returns, and pressure victims into taking out loans or liquidating their retirement savings.
Once targets reach a limit and become unwilling to deposit more funds, their seeming investment success comes to a sudden stop – withdrawals become impossible, or they suffer a big “loss” that wipes out their entire investment. Scammers may then turn the screws of manipulation tighter by telling victims there’s a potential solution: if they deposit more cash into their account, they can regain what they lost. In another version, the scammers claim that the investment is successful — but there’s a “tax problem” that requires paying additional funds. And if the victim pays, the scammer will claim that new obstacles have arisen that require paying new fees. No matter how much targets pay, it’s never enough.
If you’ve been victimized, report the crime to your bank and law enforcement — the FBI, the Secret Service and local police — as quickly as possible. The longer you wait, the harder it is for your bank to reverse any fraudulent transactions and for law enforcement to trace, freeze, or seize stolen funds.

Click here to go back to the top of the page.

Malvertising on Microsoft Edge, U-Haul Data Breach, Reporting Spam Texts (09/22/22)

Microsoft Edge Tech Support Scams

Microsoft Edge is the default browser for the Windows platform and is the third most popular web browser; as such, scammers are looking to take advantage of its popularity.
For the past couple months, criminals have exploited the Edge News Feed to trick users into clicking on malicious links; the News Feed is a collection of thumbnails offering news content, traffic and weather updates, and advertisements.
When a user clicks on one of the malicious ads (typically shocking/strange stories), a script runs to determine the users’ “value”, weeding out bots, VPN’s and locations not of interest – those users are directed to a harmless page related to the ad.
However, some users will be directed to a tech support scam page displaying a fake, urgent warning to contact “Microsoft Support” at a telephone number provided; if you call, the scammers will try to convince you to let them access your computer – once they’re in, they’ll tell you that you need to pay for their services to fix a problem (which doesn’t exist).
Be careful what you click and don’t call any numbers without verifying their authenticity.

U-Haul Data Breach

Recently, U-Haul announced that criminals were able to access the company’s internal customer contract search tool which gave the hackers access to rental contracts completed between November 2021 and April 2022.
The breach was reportedly discovered in July and affected over two million customers – the data contained names, birth dates, and driver’s license numbers (no financial info was involved).
U-Haul says it will notify affected customers by mail and offer credit monitoring services from Equifax (who was also the target of a data breach in 2017 affecting 147 million people).
What else should you do? Consider a credit freeze if you haven’t already done so. Set-up a free Credit Karma account to monitor your credit. Review bank statements and your credit reports. Beware of phishing emails and texts related to this breach. Check haveibeenpwned.com to check which data breaches you may be involved in.

Reporting Spam Text Messages

Scammers are increasingly using text messages to trick people into clicking malicious links and giving up their personal or financial information – what can you do if you receive a spam text?
First, NEVER click on any link – if you think the message may be real, contact the company using a phone number or website you know is real.
Second, block the sender using your device’s native settings, through your wireless provider, or with a call-blocking app – visit citia.org for more information.
Finally, forward the message to the FTC at 7726 (SPAM), or on their website.
For more information, check out this informative briefing from the FTC: https://consumer.ftc.gov/articles/how-recognize-and-report-spam-text-messages.

Click here to go back to the top of the page.

Review of Common Scams Part 2 (08/18/22)

“You’ve Won” Emails

Scammers use fake offers of free gifts or services to trick you into clicking a link; current examples include: Ace Hardware (170 piece Stanley tool set), Walmart (iPhone 13), AT&T (free reward), and Kohls (Ninja food processor).
Some sites are legally operated, but are designed to convince you to agree to terms and conditions and/or recurring charges on your credit card; others are just looking for your personal or financial information to steal your money and identity – almost all of these emails are scams or imposters and never provide the promised prize.
Look for multiple emails promising the same prize; scrutinize the email for spelling and grammatical errors; hover over the “From” field to see the sender’s email address.
Avoid clicking links in any of these emails – just delete them.

Utility Scams

You get a call or text message from someone pretending to be your utility company; the caller or text says you owe money, which is a lie.
The scammers then threaten to shut off your service if you don’t pay money immediately; they may ask you to pay by money transfer (MoneyGram or Western Union), gift cards, or cryptocurrency (Bitcoin).
Know that only scammers demand payment using these methods and before it shuts of service, all real utility companies will notify you in writing and offer a payment plan.
If you are worried about an amount due, call the number on your bill or on the company’s website.

Ticketmaster Lookalike

People are back to attending concerts and sporting events in droves, and scammers are exploiting this enthusiasm by impersonating the popular ticket seller Ticketmaster.
You may be looking to buy tickets to an upcoming concert or need to transfer tickets for a show that was postponed due to COVID-19; you do an internet search for your question, which brings up results for Ticketmaster – you click through to the website and everything looks normal.
The website prompts you to enter your personal information and a credit card number; however, as soon as you complete a transaction, you notice some suspicious activity: you might receive tickets with someone else’s name on them, or you may never receive your tickets at all; in other cases, you get the tickets, but the site charges you a much higher rate than advertised.
Upon closer inspection, you realize you were not on the Ticketmaster site at all – it was a lookalike site with a similar name, such as “TicketSmarter” or “TicketFaster”; when you call the customer service number, they are either unreachable, unhelpful, or downright aggressive.
The safest way to purchase event tickets is to go directly through the venue, either in person or through their official website; if you purchase from a third-party company, make sure they are a reputable ticket vendor or reseller – check reviews on BBB.org; watch out for fake websites – take a close look at the website’s URL to ensure there are no slight misspellings; finally, always make online purchases with your credit card – you can dispute fraudulent charges and have a better chance of getting your money back.

Virtual Kidnapping

This scam typically begins with a phone call saying your family member is being held captive – you may hear someone screaming in the background; another variant has a family member being held because he/she caused an auto accident, is injured and won’t be allowed to go to the hospital until damages are paid.
Scammers may threaten violence unless a ransom, typically in the form of a wire transfer, is paid; sometimes the scammer may claim not to have received the money and may demand more payment.
This type of scam can understandably cause panic and adrenaline, which can convince victims that the voice they hear is their son/daughter, grandchild, spouse, and so on; social engineering, combined with publicly available information, can make the scam even more believable (eg. spoofing caller ID).
To avoid falling victim, follow these tips: (1) remain calm – try not to get caught up in the emotion of the moment; (2) discuss this scam with family members, especially grandparents – consider having a family “password” to confirm identity; take measures to protect your personal information online – keep social media accounts private and limit the details you share.

Click here to go back to the top of the page.

Review of Common Scams Part 1 (07/28/22)

Online Shopping

Scammers use fake online shops offering free items or great discounts to lure people into buying items.
Look for red flags such as too-good-to-be-true prices, incomplete item descriptions, and aggressive sales tactics.
Also, be alert for phishing text messages impersonating well-known companies like Amazon, Walmart, and Best Buy.

Fake Gas Cards

You may see a post, or receive a message, that you won a free gas card (most common currently is $500 from Shell, but could be other brands).
When you reply, you are asked to pay a small shipping fee and provide some personal info.
Never pay to win, do your research, and avoid acting on impulse.

Romance

Romance scams aren’t new, but their popularity continues to increase.
Scammers create fake profiles on social media and dating apps to look for victims; after they gain your trust, they will ask you to send money or buy items for them.
Avoid sending money to people you’ve never met in person.

Rental Properties

You respond to an online rental listing that touts a beautiful home, low rent, and great amenities; it may look legitimate, but con artists often use real photos and descriptions stolen from other websites.
The “landlord” replies to your message claiming to be unable to show the property – they may claim to be out of town for work or in the hospital with a health emergency.
The scammer will then create a false sense of urgency, telling you that others are interested, so you must act immediately, and they will ask for a security deposit and/or the first month’s rent to reserve the property; they may also require prospective tenants to complete an application form, which asks for personal details like a Social Security number.
No matter the details, once you send the money, the result is the same – the “landlord” will stop responding to messages and disappear.
To avoid falling victim, watch out for deals that are too good – scammers lure you in by promising low rents, extra amenities, and a great location; search online for similar properties – if you find the same ad listed in other cities, that’s a huge red flag; don’t send money to someone you’ve never met for an apartment you haven’t seen – never pay a stranger with cash transfer app like Venmo or Zelle, or wire transfers.

Cryptocurrency

These scams entice you with celebrity endorsements and promises of easy money to try to trick you into downloading harmful apps and exposing your personal information.
These scams also employ phishing emails embedded with fake links, which, when opened, take you to a fake crypto trading website that looks identical to a legitimate one – it can be exceptionally hard to tell a fake site apart from a real one.
Like online shopping scams, be wary of too-good-to-be-true offers; avoid investing in things you don’t understand.

Employment Offers

The pandemic has had a negative impact on employment, and people are eager to seek out new opportunities; you might receive text messages and emails appearing to be from well-known companies, but they may contain links that will install malicious apps or lead you to phishing websites.
Some scammers even conduct fake job interviews; there is no job, but they will collect the personal information from your application form or ask you to buy equipment or pay for training sessions.
Do your research by visiting the company’s website and avoid unsolicited offers.

Click here to go back to the top of the page.

Summer Travel Safety Tips, Credit Reports & Freezes (06/09/22)

Summer travel safety tips

When you’re on vacation this summer, don’t take a vacation from keeping you and your money safe. Here are a few tips to help prevent fraud:

When booking travel, stick to name brand travel sites or book directly with the airline, hotel, or car rental; avoid unsolicited email deals.
Consider a mail hold – visit usps.com/manage/hold-mail.htm for details.
Use a credit card, not cash or debit card, for added fraud/theft protection; make sure your bank or credit card company has your current email/phone to notify you in case of fraud.
Lock your smart phone or tablet (with biometrics or six-digit code), turn off automatic connection to Wi-Fi, use only cellular data or private, password-protected Wi-Fi, and avoid unsecured public Wi-Fi; consider using a VPN client.
watch out for data skimmers at public charging stations; bring your own portable charger.

Revisiting the Credit Freeze

During our conversations, we often focus on steps to protect your money and personal information by spotting and avoiding scams. But there’s another important way to help protect yourself – regularly check your credit reports. Through December 2022, everyone in the U.S. can get a free credit report each week from all three nationwide credit bureaus (Equifax, Experian, and TransUnion).

By checking your credit reports, you’ll be able to see if someone is misusing your personal information to run up charges on your credit cards, get new credit or open a new account in your name, and steal your identity. The sooner you spot this fraud, the sooner you can act to stop the harm and correct the errors. Follow these steps:

Order your free credit reports at www.annualcreditreport.com, or call 877-322-8228.

Read the reports carefully. Do you recognize the accounts? Do they list credit applications? Did you apply for credit at those places? Check your personal information too. Are your name, address, and Social Security number correct?

Dispute mistakes. Contact the credit bureau and the business that reported the information. Ask both to correct their records. Include as much detail as possible, plus copies of supporting documents, like payment records.

If you don’t recognize an account, visit IdentityTheft.gov to report it to the FTC and get a recovery plan. IdentityTheft.gov will also help you create a sworn Identity Theft Report that you can send to the credit bureaus to block identity theft-related debts from appearing on your credit report.

Click here to go back to the top of the page.

Scam Update and Online Marketplace Safety (05/26/22)

Scam update

Student Loan Forgiveness

Payments are paused on most federal student loans; however, scammers are taking advantage of recent changes to confuse borrowers. Watch out for companies promising to reduce debt by lowering payments through enrollment in student loan forgiveness or other programs; they may also falsely promise to apply monthly payments to consumers’ student loans, consolidate loans, and improve credit scores, all for a small fee. Research the lender before proving personal info or committing to a service – don’t be in a rush and never pay an up-front fee. The FTC has helpful information on their website: https://consumer.ftc.gov/articles/how-student-loans-work-how-avoid-scams.

Workers’ Comp (Facebook)

A scammer impersonates one of your FB friends; they allegedly saw your name on a list of people who are owed workers’ compensation; they provide you with a number of a person who can help you collect the money. You think the info is from a trusted friend, so you call the number; an “agent” either (1) confirms you are owed money, or (2) asks you to pay a small fee so they can check. In the end, the scammers wil ask you to pay a fee upfront, and may give you a choice of payout amounts – they bigger the amount, the larger the fee; they’ll ask you to wire or give them pre-paid card numbers. Never pay money to get money and don’t share your personal information; if it sounds too good to be true, it probably is.

Employment Recruiter

You receive a message that someone is interested in hiring you and asks you to download a messaging app like Telegram – they may claim to have seen your resume and want to interview you. Once you download the app, the “recruiter” will ask you a few interview questions and ultimately will offer you a job; they will send you official looking contracts and forms, asking for personal info, including banking info for “payroll”. It may not end there – some scammers offer to buy you a computer and other supplies for your home office; they send you a check, later claiming you were accidentally overpaid and need to return a portion of the check, which was counterfeit in the first place. Research job offers first – visit the company’s website and look up their contact info; never participate in “overpayment” schemes – they are always a scam; and be wary of sharing too much personal information – don’t let someone pressure you because it’s a “now or never” opportunity.

Consumer Safety When Using Online Marketplaces (Walmart and Amazon)

Beware of third-party sellers
Research the seller before making a purchase (Google the company name and “complaints” or “scam”)
Do not trust the reviews – some estimates are that 50-60% of Amazon review are fake
If the deal sounds too good to be true, it probably is
Pay with a credit card, not a debit card or money transfer

Click here to go back to the top of the page.

Passwords and Peer to Peer Payment Apps (05/12/22)

Passwords

Passwords are the key to almost everything you do online, and you probably have multiple passwords that you use throughout the day. Choosing hard-to-hack passwords and managing them securely can sometimes seem inconvenient. And in an era of botnets and data breaches, it’s more important than ever to use strong passwords. Fortunately, there are simple ways to make your passwords as secure as possible. Doing so can keep hackers from taking over your accounts, and prevent theft of your information or money from your bank.

What You Can Do:

Use different passwords for different accounts – don’t use “login with…” (eg. Google, Facebook, etc)
Length trumps complexity – consider 12-16 characters
But complexity still counts – avoid single words and info that is readily available about you
Use a password manager – LastPass, Dashlane, 1Password
Turn on multi-factor identification, when available
Never reveal or share your passwords with others – nobody needs to know them but you

Peer to Peer Payment Apps (Zelle)

An increasing number of scams involve peer to peer payment apps, rather than traditional wire transfers like Western Union or MoneyGram. These payment apps are popular because they are free, fast, and convenient. But they lack meaningful consumer protection and can be easily exploited by criminals. Arguably one of the most popular is Zelle, a payment app created in 2017 by the nation’s largest banks to enable instant digital money transfers. Last year, an estimated $490 billion was sent through this service.

However, Zelle’s immediacy has also made it a favorite of fraudsters. Other types of bank transfers or transactions involving payment cards typically take at least a day to clear. But once crooks scare or trick victims into handing over money via Zelle, they can siphon away thousands of dollars in seconds. There’s no way for customers — and in many cases, the banks themselves — to retrieve the money.

Currently, many banks are refusing to reimburse customers in these cases citing a federal law that only requires them to cover “unauthorized” transactions. Criminals often trick victims into transferring the money themselves and customers argue this deception makes the transaction “unauthorized”. Banks and regulators often feel differently.

If you choose to use apps like Zelle, follow these guidelines:

educate yourself about the risks of using these services
check with your bank to see if Zelle had been activated on your account automatically
consider a stand-alone checking or savings account just for Zelle transactions
only use Zelle to send payments to known and trusted recipients

Click here to go back to the top of the page.

QR Codes and Phishing Scam Updates (04/28/22)

QR Codes

Most people have become familiar with the little, square barcodes known as Quick Reaction, or QR, codes. These codes stepped into the mainstream during the pandemic, used by organizations to visit websites, view menus, and make payments. Unfortunately, criminals have found ways to exploit vulnerabilities in this technology to steal personal data, install malware, and redirect payments for the criminals’ benefit. Like most phishing attempts, the success is based on a sense of urgency or convenience.

Example: malicious actors placed QR-code stickers on parking meters in major Texas cities, directing drivers to a fraudulent website where they supposedly could pay for parking.

What You Can Do:

Think before you scan – be especially wary of codes posted in public places. Is the code printed directly on the device or material, or is it a sticker?
Where does the code send you? Does the sight look legitimate? Is it asking for personal information that doesn’t seem needed?
Avoid QR codes in emails or paper junk mail. These are usually always a scam.
Preview the code’s URL – most smartphones will give you a preview of the website as you start to scan it. Better yet, use a secure scanner app instead of your camera. But be sure to download the app from a reputable source.
Avoid downloading apps from a QR code. Practice caution when entering login, personal, or financial information on a site navigated to by a QR code.

Phishing Scam Updates

There are two phishing scams that are currently very prevalent in our area.

Amazon Pre-Text

You get an email or text message containing an invoice or shipping confirmation for an order you didn’t place, or a message that there’s a “problem” with your Amazon account or payment method.

Free Gift

You receive an email that says, “Your bill is paid for April. Thanks, here’s a little gift for you. <link>”

Both of these scams attempt to trick you into clicking a link which will direct you to a site where the criminals will try to elicit your personal information. According to the FTC, Amazon scams have increased by 500 percent in the last year. And last month, over 11.6 billion scam text messages were sent on American wireless networks, up 30 percent from February.

What to Look For:

Scam texts usually come from numbers that are 10 digits or longer. Authentic commercial entities generally come from four-, five-, or six-digit numbers.
Fraudulent messages often contain misspelled words and grammatical errors.
Be wary of tactics implying urgency or consequences for inaction.

Never click on links in unsolicited emails or text messages – and don’t reply, either. If you suspect a problem, go directly to that website by typing the known URL in your web browser. If you do fall victim, change your password immediately and consider a credit freeze.

Western Union Refund Claim

Refunds are still available to people who were tricked into wiring money to scammers through Western Union between January 1, 2004 and January 19, 2017. If you didn’t file a claim for a refund yet, you have until July 1, 2022 to file. The refunds are part of a $586 million settlement Western Union reached with the FTC and Department of Justice in 2017 for violating the law when it failed to guard against fraud in its system.

For more information about how to file a claim, visit https://www.ftc.gov/enforcement/refunds/western-union-refunds.

Click here to go back to the top of the page.

Instagram phishing scam

In this scam, criminals are not only trying to get your Instagram password, but also your email credentials.

How it works:

You receive an official-looking email from Instagram. According to the message, you have violated copyright laws, and your account will be deleted within 24 hours. But don’t worry, the email says – if you think that Instagram has made a mistake, all you need to do is click the button and “verify” your account. Then, you are taken to a website that prompts you to input your Instagram credentials. Most scams would end there, but not this one!

Immediately, another message appears. This pop-up claims that you must also verify your email address. You’ll see a list of e-mail providers. Choose yours, and you’ll be urged to enter your email address and password. As a final touch, the scam site redirects to the real Instagram website, which lends to the credibility of the scam.

What you can do:

Don’t panic or feel intimidated. Scammers use intimidation tactics to pressure you into acting quickly and without taking time to verify the information. Legitimate businesses will not use these tactics – stay calm and contact the business directly before acting.
Double check the “from” email address and link destinations. Hover over links to see where they really lead; and verify that the email is actually from who you think.
Never click links in unsolicited emails, especially when they demand urgent action. Email communications are easy to spoof. Go directly to the app or login into the website to confirm the information.

Other popular online scams

For scammers, there’s a lot to like about social media:

It’s a low-cost way to reach billions of people from anywhere in the world.
It’s easy to manufacture a fake persona.
Scammers can hack into an existing profile to find “friends” to con.
There’s the ability to fine-tune their approach by studying the personal details people share on social media. In fact, scammers could easily use the tools available to advertisers on social media platforms to systematically target people with bogus ads based on personal details such as their age, interests, or past purchases.

Currently, the number one social media scam involves investment schemes, particularly those involving bogus cryptocurrency investments. Last year, more than half of people who reported losses due to investment scams reported that the scam began on social media. According to the FTC, criminals use social media platforms to promote bogus investment opportunities, and even impersonate supposed “friends” to encourage them to invest.

After investment scams, the FTC identifies romance scams as the second most profitable fraud on social media. Losses to romance scams have climbed to record highs in recent years, with more than a third of people reporting that it began on Facebook or Instagram. These scams often start with a seemingly innocent friend request from a stranger, followed by sweet talk, and then, inevitably, a request for money.

While investment and romance scams top the list on dollars lost, the largest number of reported scams came from people who said they were conned trying to buy something they saw marketed on social media. About 45% of reports of money lost to social media scams last year were about online shopping. In nearly 70% of these reports, people said they placed an order, usually after seeing an ad, but never got the merchandise. When people identified a specific social media platform in their reports of undelivered goods, nearly 9 out of 10 named Facebook or Instagram.

Click here to go back to the top of the page.

Ukraine Charity Fraud and Medicare Scams (03/10/22)

“Support Ukraine” scams

With the recent events in Ukraine, many people are looking for ways to support those affected by the Russian attacks. And as with many noble causes, scammers have found ways to exploit people’s generosity. If you are inclined to provide financial support, consider the following:

Does the group you are giving to represent a legitimate organization? Before donating, check the site Give.org to see if they meet the BBB Charity Standards.
Be wary of emotional pleas. Scammers may text or email, claiming to be a victim – they may claim their husband and/or children have been killed in an effort to persuade you to give money. Only give to verified charities you trust.
It’s the imposter scam, rebooted. “Help, I’m stuck in Ukraine”; or, “I have lots of money to move out of Ukraine and need your help”; or “I need money to give my loved ones a proper burial”. No matter what the twist, it’s all the same. Imposters are looking to pray on your emotions to separate you from your money.
Avoid crypto. While there may some legitimate organizations that accept cryptocurrency donations, most are scams. And it’s almost impossible to trace your money after its been converted. Stick with official, trusted organizations for making donations, and only use a credit card directly on their website, rather than any links on social media.

Medicare scams surface locally

Locally, people have been receiving phone calls from individuals purporting to represent Medicare. Typically, these criminals will ask for your name, birthdate, and most importantly, your Medicare Number. They want this information to commit identity theft and Medicare fraud. Don’t be fooled:

Medicare will NEVER contact you for your Medicare Number or other personal information unless you’ve given them permission in advance.
Medicare will NEVER call to sell you anything.
You may get calls promising you things if you give them a Medicare Number – DON’T DO IT.
Medicare CANNOT enroll you over the phone unless you called first.

Regularly review your Medicare claims and Medicare Summary Notices for any services billed to your Medicare Number you don’t recognize. Report anything suspicious to Medicare by calling 1-800-MEDICARE.

Click here to go back to the top of the page.

You’ve Won Scams and Zero-Day Vulnerabilities (02/24/22)

Recently, there has been a local uptick in imposter scams, primarily “You’ve Won” type scams. Here’s how it works: You get a call, email, or text from someone who says they are from Publisher’s Clearing House, or some other well-known organization. They tell you you’ve won some amazing prize and all you have to do is pay a “processing fee”, “taxes”, or some other charges to claim your prize. Most often, they demand pre-paid cards as payment. This is always a scam!

Scammers try to push you to a heightened emotional state to lower your guard and steal your money and personal information. To avoid falling victim to these criminals:

NEVER pay to receive a prize. There’s also no reason to give someone your bank account or credit card number in response to a sweepstakes promotion.
NEVER give pre-paid or gift card numbers to someone you don’t know. Using these payment methods is like using cash – once it’s gone, you won’t get it back.
DON’T trust caller ID or email headers. These can be manipulated to appear to come from a trusted source, when in fact it’s an imposter.

If you receive a call from one of these scammers, just hang up and block the number. If you receive an email, don’t respond and delete the message.

Over the past few weeks, several companies, including Google, Apple, and Microsoft have announced critical software updates and patches in response to zero-day vulnerabilities. A zero-day vulnerability refers to a security vulnerability for which no mitigation or patch is available at the time it is disclosed or made public. So, until the company develops a patch, and you update your system, you are potentially at serious security risk.

For example, just visiting a malicious web page, even if you don’t click or download anything, could steal private data, make unauthorized changes, or install malware, including spyware. These exploits can affect computer and mobile phone operating systems, web browsers, “office” applications, and hardware, including IoT (Internet of Things) devices. To protect yourself:

Update software and applications as soon as the security patches are released.
Install and utilize a reputable internet security suite – one that includes smart anti-virus, firewall, and sandboxing techniques.
Use only essential applications. The more software you have, the more vulnerabilities you have.

Click here to go back to the top of the page.

Avoiding Tax Fraud (01/27/22)

It’s tax season, which means scammers are looking to separate you from your money. Last year, between 20 and 30% of Americans reported losing money to fraud, with many involving tax scams. Here’s what you need to know to help keep yourself safe:

The IRS does not initiate contact with taxpayers by email, text message, or social media channels to request personal or financial information. Stay alert for IRS phishing scams:

Recipient may receive an “urgent” email or text claiming to be from the IRS
The message usually involves instructions to click on a link and/or fill out a form
Some tactics that criminals use include: IRS needs to update your online profile, you qualify for a refund, your credit card was fraudulently used, or you’re due a large sum of money
To identify these scams: look for generic greetings, poor grammar or typos, or conflicting web addresses
NEVER click on links, download files, or reply

Scammers are changing their tactics:

Instead of employing high-pressure tactics, or getting you to click a link in email or text message, scammers are now employing an “ask nicely” approach, avoiding links and attachments all together
You may see an email purportedly from a friend or co-worker asking you to contact them by phone
Scammers will try to establish trust and lower your guard

In general, when deciding whether to engage with people you don’t know online:

Be aware before you share. Every little bit you give away about yourself makes it easier for a scammer to charm you, threaten you, or entice you into an online relationship you didn’t ask for in the first place.
If in doubt, don’t give it out. If it feels like a scam, it probably is.
No reply is often the right reply. Never feel compelled to reply out of politeness or completeness.

Be wary of dishonest tax preparers. Remember, when it comes to your tax return, you are ultimately responsible for all the information on your return, no matter who prepares it. It is important to choose a tax preparer wisely: (1) check their qualifications, (2) review your return before the tax preparer signs and submits it, and (3) never sign a blank return.

For more info, visit the HELP tab at irs.gov. There is information about tax fraud, phishing scams, and how to report them.

Click here to go back to the top of the page.

COVID Test Kits and Recent Law Enforcement Scam (01/20/22)

The federal government has recently made COVID test kits available for free, through the US Postal Service web site. Here’s what you need to know:

The only authorized web site is COVIDTests.gov. When you click the “order free at-home tests” button, the web site will re-direct to the USPS site. No credit card or other financial info required and the only personal information required is your first and last name, and shipping address.
The Post Office has initially had some issues verifying certain addresses, which has led to scammers using this to send phishing emails.
Be wary of unsolicited emails offering tests; don’t click links.
Don’t be tricked by similar web addresses, e.g. .com, .org, etc.
Scammers are also selling bogus test kits – make sure you only use FDA approved kits from a reputable vendor.

Recently, the police department has received reports of a previously-known, nationwide scam circulating in this area. The scam involves someone purporting to be a United States Marshal conducting an investigation. The scammers have typically identified themselves as “Agent Michael Edwards, badge number 287061”, but may use other identities. The imposters will frequently threaten arrest if the target does not provide them with money, or other personal or financial information. Law enforcement will never threaten you or ask for payment in this manner. If you receive a similar call, just hang up. If you have questions about a call’s legitimacy, contact your local law enforcement directly.

Click here to go back to the top of the page.

Malicious PDFs (01/13/22)

We’ve talked in the past about the importance of not clicking links in messages, but what about attachments? Most people know not to intentionally run executable files (.exe), but many are not suspicious of PDF files – there seems to be a different level of psychological trust with a PDF.

Unfortunately, between 2019 and 2020, there was an approximately 1,200% increase in malicious PDF files, from about 412,000 to over 5.2 million. For scammers, PDF files are an enticing phishing option as they work across different platforms and allow criminals to engage with users, making their schemes more believable as opposed to just a text-based message with a plain link.

Criminals are able to encode PDFs with something called JavaScript, a programming language that is widely used on the World Wide Web – it is most often used on websites to control functionality and content.

There are generally two variations of using malicious PDFs:

Image of fake CAPTCHA, coupon offer, or paused video (actually a static image), usually accompanied by “CONTINUE” or “CLICK HERE” text
Embedded in a PDF attachment to a phishing email, also designed to trick recipient to click a button

If executed, these scripts can initiate all manner of threats to your computer and personal information. But there are several tactics you can employ to mitigate the risk:

Most PDF readers & browsers have controls that will allow you to disable JavaScript
Always use an updated version of your PDF reader, browser, and operating system
Scan attachments with antivirus or malware programs (not foolproof)
Hover over hyperlink to see where it will take you
When in doubt, do not open unsolicited attachments

Click here to go back to the top of the page.

Elder Exploitation and Resolutions for the New Year (12/16/21)

While the elderly are often targeted by scammers, the unfortunate reality is that most elder financial abuse is committed by a family member. According to recent studies, over 85% of elder financial abuse perpetrators are family members – 60% involve the elder’s child. Elder financial abuse is the illegal or improper use of an elder’s funds, property, or assets – and it’s a crime. Due to the nature of this crime it often goes unreported, which is why it’s important to recognize the signs:

large withdrawals of cash
suspicious new accounts opened
signature on checks looks different than before
someone new enters the pictures and starts to isolate the elder from family and friends
elder suddenly becomes defensive about finances

Caring for an elderly parent can be stressful, but nothing justifies exploiting their trust or finances. If you need help caring for an elderly parent, or suspect someone may be the victim of elder financial abuse, contact the Sheboygan County Aging and Disability Resource Center at (920) 467-4100, or your local law enforcement agency.

Many of us make New Year’s resolutions to improve our physical health and well-being. But what about resolutions that will help you stay safe from scammers? Consider these five suggestions:

Change your passwords – create separate, complex passwords for each important online account.
Enable two-factor authentication when available.
Consider freezing your credit – it’s free and is probably the best defense against financial ID theft.
Be highly skeptical – do not respond to unsolicited phone calls, emails, or texts.
NEVER buy a gift card to pay a bill or settle a supposed debt.

Remember, most criminals rely on manipulation known as social engineering to trick people into acting quickly, without thinking. If an offer sounds too good to be true, it probably is a scam. Never act in haste. Don’t let a scammer persuade you to keep something secret; that’s a technique used to isolate victims from people they trust.

Click here to go back to the top of the page.

Holiday Fraud Prevention Tips (12/02/21)

The holidays are here, which means criminals are ramping up efforts to exploit your holiday habits. When shopping for those perfect gifts, there are several things you can do to keep the Grinches at bay:

When purchasing items in store, consider using contactless payment methods. Tapping, instead of swiping, your card or using your phone to pay (e.g. Apple Pay, Google Pay, Samsung Pay) are the most secure ways to pay. For more information, click HERE.
Consider turning credit/debit cards “on and off”. Many banks and credit card issuers offer an app or online service, sometimes called a lock or a freeze, that allows you to secure your card when not in use. Features vary by company – click HERE for some additional information.
Having items delivered? Leaving delivered items unattended while you’re away increases the risk of theft. Consider in-store pick-up or Amazon lockers as an alternative to home delivery.
Avoid gift cards – gift cards have lower security than credit cards and are subject to hacking; scammers use websites intended to check a gift card’s balance to uncover valid card number and pin combinations.

Criminals also use this time of year to exploit people’s generosity by impersonating charities. Before giving any money, remember these tips:

Use online resources to research charities – CharityNavigator.org, GuideStar.org, and Give.org are good places to check.
When receiving calls or emails, DO NOT trust the email header or your caller ID. These can be “spoofed” to appear they are coming from a legitimate source.
NEVER give personal or bank/credit card information to unsolicited requests.

Click here to go back to the top of the page.

Phone Scams, Fraud Reporting, and Holiday Shopping Tips (11/18/21)

Imposter phone scams continue to affect our area – a recent version involves an imposter claiming to be from the Sheriff’s Department and advising the target that they missed jury duty. The scammer threatens the target with arrest/jail and instructs the target to purchase MoneyPak (pre-paid) cards to pay the fine. If successful, the scammer convinces the target to provide the code numbers off the pre-paid cards. In this case, the scammer also “spoofs” their caller ID to make the call more believable. REMEMBER: Law enforcement will NEVER request payment in this fashion. Before paying money, contact the agency or organization directly to verify the information.

The Sheboygan Police Department has updated the process for reporting fraud and identity theft. Unfortunately, many cases involving scams and schemes do not have a known or local suspect and, by their nature, have very low solvability rates. The new reporting process is an attempt to provide better customer service to the public by streamlining the reporting process and providing fraud victims with resources to advocate for themselves. It shifts our focus to education and prevention, not just documentation. For more information, click HERE to visit the Sheboygan Police Department’s fraud reporting page.

As we enter the holiday shopping season, remember these tips:

When shopping for holiday gifts, be wary of unsolicited emails offering “to good to be true” deals.
Avoid clicking on links, and instead visit the product site directly.
When shopping online, use a credit card (not a debit card) or single-use card numbers.
If purchasing IoT devices, ignore “online” reviews on merchant sites (many are fake) – look for independent/objective advice, or talk to someone you know and trust. Research products’ privacy / data collection policies. Stick with mainstream manufacturers to ensure ongoing support (firmware upgrades, etc).

Click here to go back to the top of the page.

WPS “Stop Scams Now” Campaign and Phishing Emails (10/28/21)

Wisconsin Public Service is partnering with law enforcement to stop utility scams. WPS wants you to know that they will NEVER:

Demand payment by cryptocurrency or third-party apps
Threaten or try to scare you
Disconnect you on short notice

When in doubt, hang up and call 800-450-7260.

For more information from WPS, click HERE.

In addition, phishing attempts continue to be prevalent across the area, involving email, text, and phone calls. Click HERE for real life examples.

Remember:

Never click on any links in unsolicited emails and texts
Review the email header for the sender’s address
Grammar and punctuation errors are a tip that the message is phony
Don’t be pressured to “act now” or “respond immediately”
Before sending any money, independently verify the request is legitimate

Click here to go back to the top of the page.

October is Cybersecurity Awareness Month (10/14/21)

What is it?

Cybersecurity is the art and science of protecting networks, devices, and data from unauthorized access or criminal use and the practice of ensuring confidentiality, integrity, and availability of information. Cybersecurity is making sure that your online presence, your smart devices, your information in cyber space stays safe and out of the hands of the wrong people.

What are the potential threats?

Phishing: Phishing attacks use emails and malicious websites that appear to be trusted organizations, such as charity organizations or online stores, to obtain user personal information.
Malware: A computer can be damaged or the information it contains harmed by malicious code (also known as malware). A malicious program can be a virus, a worm, or a Trojan horse. Hackers, intruders, and attackers, all of whom are in it to make money off these software flaws.
Identity Theft and Scams: Identity theft and scams are crimes of opportunity, and even those who never use computers can be victims. There are several ways criminals can access your information, including stealing your wallet, overhearing your phone call, dumpster diving (looking in your trash) or picking up a receipt that contains your account number.

What can I do to lower my risk?

Use and maintain anti-virus software and a firewall: Use an antivirus program and a firewall to protect your computer from viruses and Trojan horses that could steal or modify your data. When software notifies you of an update, called a patch, be sure to update as soon as possible to prevent hackers from exploiting known issues or vulnerabilities. Also, set-up an automatic, regular spyware scanning routine to catch vulnerabilities.

Establish computer usage guidelines: Help children understand how to use the computer, other connected devices, and the internet safely. Have candid, age appropriate conversations with younger users to help them understand the do’s and don’ts of cybersecurity. These conversations can protect your data by setting clear boundaries and guidelines.

Double check email attachments: An email that looks as if it came from someone you know doesn’t necessarily mean it did. It is possible for viruses to alter the return address so that it looks like the message came from someone other than the sender. Before opening any attachments, verify that the message is legitimate by contacting the person who sent it. Use caution even from people you know, be wary of unsolicited attachments.

Trust your instincts: As the old saying goes, “if it is too good to be true, it probably is.” Some antivirus software might not have the latest virus protections because attackers are constantly releasing new viruses. However, always be sure to scan documents and attachments with antivirus software before opening them. Do not open suspicious emails or attachments and turn off automatically downloading attachments. But always remember: technology can only help so much, so trust your instincts!

For more information, click HERE to review the Tip Sheets on CISA.gov.

Click here to go back to the top of the page.

Scam Review and the “Devious Licks” TikTok Challenge (09/23/21)

Let’s review the most common types of scams seen in the Sheboygan area:

Romance scam – criminals pose as interested romantic partners on social media or dating websites in order to gain your trust and extract money from you

Imposter scam – criminals pose as a relative (usually a child or grandchild) claiming to be in immediate financial need, or as a government agency or utility company demanding money

Tech support scam – criminals pose as technology support representatives and offer to fix non-existent computer issues

Lottery/Sweepstakes or Charity scam – criminals claim you’ve won a foreign lottery or sweepstakes, which you can collect for a “fee”, or the scammer claims to work for a charitable organization

To protect yourself, remember these tips:

Stop communications with the suspected scammer immediately
Don’t be pressured to act quickly; take time to verify the story
Never wire money, or provide gift card numbers, to unknown or unverified people or businesses
Do not click on links in unsolicited emails or text messages
Remember the adage, “If it sounds too good to be true, it is.”

What is the “Devious Licks” challenge on TikTok? It’s a social media-driven “challenge” that encourages kids to steal or damage school property, then anonymously share a video with the hashtag on the TikTok platform. The most common acts include stealing soap dispensers and damaging toilets or sinks.

Why are teens participating? It’s a combination of biology and sociology, affected by teens’ brain development and the dopamine rush from “likes, comments, and views”, along with a teen’s need for belonging.

What can you do as a parent?

Help kids understand their digital reputation
Discuss the consequences of illegal or risky behavior
Develop a positive relationship with your child with open lines of communication

Click here to go back to the top of the page.

Keeping Your Cell Phone Secure and Other Fraud Updates (09/09/21)

Hackers and criminals have recently begun to rely more on “zero-click” exploits to breach phone data. These attacks are typically very highly targeted in nature, and deploy far more sophisticated tactics than mass cyber-attacks that we see and know of on a daily basis. Typical cyber-attacks rely on the potential victim being tricked into clicking a malicious URL, or downloading an attachment that contain macros with embedded malware. In a “zero-click” attack, malicious software is usually added to the root file system which makes it more difficult to detect and trace. However, these “in-memory” payloads generally cannot survive a phone re-boot – therefore, people should power cycle their phones at least once a week to help prevent against this form of cyber-attack.

Cell phones are also vulnerable to “SIM swaps”, which allow a criminal to essentially take-over your phone service. To guard against this, you should first make your PIN code for your cell phone billing account hard to guess. Next, set-up account protection with your carrier. It’s referred to by different names: “port freeze”, “account takeover protection”, “account lock”.

There are two additional sources of fraud you should be aware of: using electronic payments apps and fitness club thefts. If you choose to use an electronic payment app like Venmo or Cash App, you should understand that you do not have the same consumer protections as using a credit card. To reduce the risk, set-up a separate bank account to fund your payments and only keep enough money in the account to cover the transactions. Also, only send money to family or close friends.

Finally, be aware that there has been an increase in thefts from fitness clubs, including lockers and vehicles. To avoid being a victim, don’t bring valuables when you work out. If you must, leave them in your LOCKED car, out of sight.

Click here to go back to the top of the page.

T-Mobile Data Breach and Investment Account Fraud (08/19/21)

I’m a T-Mobile customer – what should I know about the recent data breach?

Not all data breaches are created equal – the most recent T-Mobile breach, estimated to affect 50-100 million individuals, deserves your attention if you’re a T-Mobile subscriber. A lot of the information obtained from the hack is likely already widely available online, but the blend of data is what’s concerning. The combination of names, phone numbers, and carrier data makes it much easier for scammers to employ “phishing” methods designed to convince someone to click on a malicious link that advertises, for example, deals or offers for customers. And having all that information in a single data base makes it easier for criminals to commit identity theft. Additionally, having access to your phone’s IMEI (International Mobile Equipment Identity) number could allow a criminal to perform a SIM-swap, thus taking over your account. This would allow the criminal to gain access to two-factor authentication codes and compromise the security of your passwords and accounts.

What to do:

Change your T-Mobile account password and PIN
Sign-up for a credit freeze (click HERE for more info)
Consider using an authenticator app

Possibly the biggest financial fraud theft you’ve never heard about

Criminals are increasingly adapting to exploit technology to steal your money. Instead of robbing banks, criminals are hacking into your accounts through social engineering, since there’s less chance of getting caught and typically the consequences are lower if caught.

It’s not just your checking or savings account that they are after – it’s your retirement and investment accounts. It is estimated that only 10% of money in the U.S. is in banks – the rest is in 401Ks, IRAs, and other investment accounts. And Congress has never passed protections for consumers on hacks against investment accounts. Unlike banks and credit cards, investment accounts have little-to-no regulatory protection from fraud losses. Even though some companies have policies that provide consumer protection against fraud, there are often many hoops to jump through. You are the first line of defense!

What to do:

Set up two-factor authentication on your retirement and investment accounts. While not foolproof, this tactic offers strong protection. Just remember to never give someone your authentication code.
Implement a STRONG password – most people hate dealing with passwords, but the stronger and more unique the password is, the more secure your account. Instead of a common word or random letters and numbers, use a passphrase of at least five or six random words, and consider using a password manager program.
Review your account balances and activity regularly, once a week, and immediately report unauthorized activity. The sooner you identify and report fraud or suspicious activity, the better chance of getting your funds restored.

Click here to go back to the top of the page.

Home Delivery Scam and “Social Media: The Weakest Link” (07/15/21)

One of the more prevalent scams currently being employed by criminals is referred to as the home delivery scam. Typically, you receive a text message appearing to be from a well-known package delivery service (UPS, FedEx, etc). The message advises that the delivery service attempted to deliver a package to you, but no one was home to receive it and a re-delivery needs to be scheduled. The message contains a link to a realistic-looking web site, where they ask you to pay a modest fee (a clue that it’s a scam), typically a few dollars, for re-delivery. The scammers then ask you to enter your personal information (another clue it’s a scam) and payment information. Sometimes, the scammers will go so far as to ask for additional info (“protecting you from fraud”) such as your date of birth and/or mother’s maiden name.

To avoid being the victim of this scam:

Check all URL’s carefully – bookmark legitimate sites in advance.
Steer clear of links in messages and emails – go directly to the company’s web site to conduct business.
Review your bank and card statements – don’t just look for payments that shouldn’t be there, but also keep an eye out for expected payments that don’t go through; also, be alert for incoming funds you weren’t expecting, given that you could be responsible for any funds that passes through your hands, even if you neither asked for it nor expected it.
When it comes to personal information, when in doubt DON’T give it out.

Data hacks are everywhere right now – attacking us as individuals, attacking businesses, government agencies, hospitals, and public utilities. How are hackers gaining access to these systems? Often by looking for the weakest link, which many times is the employee’s social media account (Facebook, Linkedin, Twitter).

A recent article in the WSJ noted that a hacker can find everything they need to break-in to your life within 30 minutes of scanning your social media posts. Hackers employ “automation” to scan your posts quickly.

Sometimes we feel helpless against this kind of intrusion – the key to prevention is privacy. During the pandemic, many people turned to social media to connect with one another and posted a lot of personal information. It’s time to get back to more secured profiles.

Things not to do on social media:

Do not post private information for public viewing, such as travel plans, personal interests, details about family members, birthdays, and pet names. These are often the answers to our “security questions” on the sites we visit. Make sure your profile is set to only be viewed by trusted friends and family.
Be careful when responding to “friend” or “follow” requests – pages can be counterfeited.
Use a separate email just for social media sites.

Click here to go back to the top of the page.

Cryptocurrency Primer (06/24/21)

Lately, there have been a lot of stories in the news about cryptocurrencies like Bitcoin. Hackers have demanded payment in Bitcoin for ransomware attacks, and other scammers have used Bitcoin investment schemes to defraud unsuspecting victims. Also, the value of Bitcoin has dropped dramatically over the past month. So, what is Bitcoin and how does it work?

Bitcoin was the first and is arguably the most popular form of cryptocurrency. There are currently over 1,600 available cryptocurrencies. In simplest terms, a cryptocurrency is a form of digital currency. Unlike traditional money, cryptocurrencies are decentralized, meaning no single entity is in charge of it. Cryptocurrency transactions rely on something called a blockchain, which is a shared database that is managed by a global network of computers. When you engage in a transaction using cryptocurrencies, these networks validate and transmit that entry in the blockchain. For example, when you send some Bitcoin to your friend, you’re creating and publishing an entry into the Bitcoin network. The computers in the Bitcoin network will check to make sure that you haven’t already sent the data representing the cryptocurrency to another person previously. When you send the Bitcoins, the receiver’s account is credited and your account is debited.

Each person using the network has a crypto address, similar to an account number. This identifies where to debit and credit the cryptocurrency from and to. One misconception about cryptocurrency transactions is that they are anonymous. While some cryptocurrencies prioritize privacy, most mainstream cryptocurrencies like Bitcoin publish transactions on a public blockchain. This means that anyone with computer access can view the transactions, including the address of the sender and receiver, date and time, and the amount of the transaction. What is generally not publicly available is the identity of the person behind the crypto address. One person could hold multiple addresses, and in theory, there would be nothing to link those addresses together, or to indicate that the person owned them. This is one way criminals exploit the cryptocurrency market to facilitate crimes.

While most people don’t currently use cryptocurrencies for purchases or investments it is important to know that criminals are increasingly employing this payment method in financial crimes and scams. According to the FTC, consumers reported more than $80 million in cryptocurrency-investment scam losses during the past 6 months. That represents a 10-fold jump from the same period last year. Many victims thought they were in a long-distance relationship when their love interest started talking about a new crypto opportunity they had invested in. About 20 percent of the money people reported losing in romance scams in general was sent in cryptocurrency. For more information about cryptocurrency and scams, click HERE.

Similar to wire transfers, gift card payments, and sending cash in the mail, cryptocurrency transactions generally cannot be undone. And the pseudo-anonymous nature of cryptocurrencies makes it difficult for law enforcement to identify the people behind the transactions. At least currently, most legitimate businesses and government entities will never ask you to pay using a cryptocurrency. And many so-called “investment” opportunities are fraudulent as well. The bottom line is, if you receive an email, call, or text from a business, love interest, or anyone else who insists on dealing in cryptocurrency, you can bet it’s a scam.

Click here to go back to the top of the page.

Recent Local Scams and Summer Travel Safety Tips (06/10/21)

Here are two additional scams that have been reported in the Sheboygan area, as well as some summer travel safety tips.

Social Security Assistance

Recently, a local service organization reported that they received a call from someone purporting to be a Social Security Administration (SSA) “Public Affairs Specialist” and offers to provide financial assistance for that organization’s clients. The caller attempted to obtain personal identifying information of the organization’s clients, including Social Security numbers and other personal information. The caller ID displayed a number, which through investigation was later found to be an old SSA number, no longer in service. Fortunately, the call recipient knew it was a scam and did not provide any of the requested information. Remember, never provide personal identifying information over the phone when the call was unsolicited, and don’t trust caller ID.

‘Pay to Drive’ Checks

In this scam, the victim receives what appears to be a cashier’s check and a letter in the mail, often unsolicited, instructing the victim to deposit the check and keep a small portion for themselves. The balance, the letter says, will be forwarded to a third party for payment of services. The check will probably initially clear the bank, but within a short time will be identified as fraudulent, and you’ll be on the hook for the money. Any time someone asks you to deposit a check, then send part of the proceeds to a third party, don’t do it – it’s a scam! To see actual images of these types of checks and the letter that accompanies them, visit our website HERE.

Legitimate Check from FTC

Despite all the fraudulent checks, there are actual legitimate checks that are currently circulating. One such example involves refunds from the FTC for people who paid for certain debt relief services. These checks will include an explanation and details about the case, and can be looked up on their website. Also, an example of a legitimate check and letter can be found on our website, HERE. Remember, the FTC will never require you to pay upfront fees or asks for your personal identifying information, like SSN or bank account information.

Summer Travel Safety

When you’re on vacation this summer, don’t take a vacation from keeping you and your money safe. Here are a few tips to help prevent fraud:

when booking travel, stick to name brand travel sites or book directly with the airline, hotel, or car rental; avoid unsolicited email deals
consider a mail hold – visit www.usps.com/manage/hold-mail.htm for details
use a credit card, not cash or debit card, for added fraud/theft protection; make sure your bank or credit card company has your current email/phone to notify you in case of fraud
lock your smart phone or tablet (with biometrics or six-digit code), turn off automatic connection to Wi-Fi, use only cellular data or private, password-protected Wi-Fi, and avoid unsecured public Wi-Fi; consider using a VPN client
watch out for data skimmers at public charging stations; bring your own portable charger

Click here to go back to the top of the page.

Local Case Studies (05/13/21)

Recent scams, warning signs, and prevention strategies were discussed on air. Two recent scams included:

Amazon unauthorized charge (current phone scam)

Victim noticed an “unauthorized” charge while reviewing account activity online. She searched the internet for an Amazon customer service number and unknowingly called a number not belonging to Amazon.
The scammer claimed there was another charge on her account in the amount of $10,000 and subsequently convinced her to allow him remote access to her computer. He claimed he was transferring her to a “financial manager” at her bank, who told her they needed to withdraw $10,000 from her account so the original charge “bounces.”
Victim was instructed to purchase gift cards at local stores, $500 each (“should be able to buy $6,500”). She was told “act calm and smile” and if questioned by store employees to say the gift cards are for a birthday party. She bought $3,000 (six cards) at the first store and gave the codes to the scammer who was on the line the entire time.
Victim went to a second store and was going to buy four $500 cards. She was told by staff she could only buy one, due to scams, and gave that code to scammer. She then went to a third store to buy six $500 gift cards. The cashier prevented the sale and told her to call police.

Bank smishing (phishing via text message) scam

Victim received what appeared to be a legitimate text from her bank asking to confirm possible fraudulent charge in Las Vegas. The victim then received a phone call advising of an ATM withdrawal in Las Vegas.
The scammer told the victim that he would cancel the victim’s card, issue a new one, and also disable online banking. The victim provided a PIN that was texted to her.
At some point, the victim felt that this was suspicious, called the bank directly, and realized it was a scam but not before $400 was transferred electronically via a direct pay service (sent to email address). Providing the PIN to the scammers compromised her account, which needed that two-factor authentication code to get into it.

Visit our Real Life Fraud Examples page to see various examples of real life fraudulent checks, currencies, and letters. These examples highlight common warning signs and elements to watch out for when considering whether something is fraudulent or a scam.

Click here to go back to the top of the page.

Elder Financial Exploitation (04/29/21)

The financial exploitation of older adults is often referred to as a form of elder abuse. In Wisconsin, elder abuse is defined under WI Statute §46.90 – the law applies to persons age 60 or older who are subject to any of the following four categories: abuse (physical, sexual, emotional), neglect, self-neglect, and financial exploitation.

Each state defines financial exploitation a little differently, but in general it refers to the illegal or improper use of an elder’s funds, property, or assets. Some examples include: (1) taking money or property, (2) forging an elder’s signature, (3) using their property without permission, and (4) using scams or deceptive acts for financial gain.

Unfortunately, these cases are often not reported. There are several reasons why, but one of the biggest factors is that the victim is often scared or embarrassed to make a report because of their relationship with the offender. Statistics show that over 85% of perpetrators are family members, most often the elder’s child. Other trusted abusers can include: friends/neighbors, affinity groups (religious and cultural group leaders), health care providers, service providers, and other professionals. Elders are also frequently exploited by strangers.

Why are elders targeted? Generally, people in this demographic have established assets. They may also be isolated and lonely, or unfamiliar with financial matters. As noted above, elders often are reluctant to report financial abuse, and might have disabilities that make them dependent on others for help. It is estimated that over 5 million Americans over age 65 suffer from dementia.

Financial abuse often leads to other forms of abuse. Consequences of elder abuse include: declines in mental and physical health, higher risk of dementia, and increased financial loss. The National Council on Aging estimates that the cost of elder financial abuse exceeds $36 billion annually. Elder abuse victims are also estimated to be at 300% higher risk of death.

Whether you are a family member or a professional working with an elder, there are possible warning signs to be aware of that someone may be trying to exploit them financially:

large withdrawals of cash, or checks written to “Cash”
suspicious new accounts opened
signature on checks looks different than before
unpaid bills despite adequate income
someone new enters the pictures and starts to isolate the elder from family and friends
Elder suddenly becomes defensive about finances

If you live in Sheboygan County and suspect than an elder you know may be the victim of financial exploitation, you can make a report to your local law enforcement agency or contact the Aging and Disability Resource Center at (920) 467-4100.

Protecting vulnerable adults from financial exploitation is everyone’s business. These people are our family, friends, and neighbors. Education and training about these issues leads to awareness and prevention.

Click here to go back to the top of the page.

Robocall Update and the Recent Facebook Data Breach (04/15/21)

There is some good news when it comes to preventing fraudulent robocalls and it should be happening soon. The Federal Communications Commission (FCC) has established a deadline of June 30, 2021 for the implementation of the STIR/SHAKEN framework for calls carried over Internet Protocol (IP) networks. As a sign how serious they are, the FCC recently denied two major cell phone carriers’ petitions for extension of the deadline. STIR and SHAKEN are acronyms for the specific protocols and standards involved in this technology – STIR refers to the Secure Telephone Identity Revisited standard and SHAKEN refers to Signature-based Handling of Asserted Information Using toKENS. In simplest terms, this technology authenticates the Caller ID of the person using the network. Most major carriers began implementing this program at the end of 2020.

What does this mean for you? This framework is designed to prevent spoofed Caller ID’s and theoretically guarantees the Caller ID displayed on phones can be trusted. The system will still allow certain “robocalls” signed and authenticated by the carrier, such as school closing information, reverse 911, and other community notifications. This technology, combined with other proposed legislation such as the TRACED (Telephone Robocall Abuse Criminal Enforcement and Deterrence) Act, should reduce or eliminate most fraudulent robocalls.

Another day, another data breach. Recently, it has been reported that Facebook experienced a data breach involving an estimated half a billion people world-wide; an estimated 30-40 million Americans were reportedly affected, but no one really knows for sure how many. The data breach occurred sometime before August 2019 and the data has recently been made available in public online database.

Don’t know about it? That’s because Facebook chose not to notify individual users, claiming the vulnerability that allowed hackers to get the data has been fixed, and there’s nothing the user could do to fix it. What information did the hackers get? These thieves were able to access full names, phone numbers, location data, email addresses, and other biographical data.

So, what have the hackers done with all that info? They’ve sold it. Criminals, and others, can easily buy your information to engage in a variety of fraudulent activities – the low hanging fruit is to apply for credit as you. As we’ve discussed before, your best protection against this form of identity theft is a credit freeze. Information about credit freezes can be found on the Sheboygan Police Department website, or by clicking HERE. If you are a FB user and have not frozen your credit, you are opening up yourself to having to deal with a multi-year mess of potential ID theft.

If you want to check to see if your email or phone number has been involved in a data breach, visit www.haveibeenpwned.com.

Click here to go back to the top of the page.

Grandparent Scam / ID Theft and the Importance of Credit Monitoring (03/25/21)

The “grandparent scam” is a version of an imposter scam, when the criminal poses as a grandchild asking for money. Often, the criminal will use personal information gleaned from social media accounts and other publicly available resources to make the contact more believable. Typically, the caller claims to need money for bail or some other legal matter, claiming that the matter is “urgent”. Recently, a local woman was contacted by someone purporting to be her granddaughter (by name) and said that she was in legal trouble and needed money. The imposter convinced the victim to send $10,000 cash via UPS to an out-of-state address. An investigation revealed that the delivery address was a vacant house which was listed for sale, and the cell phone number used by the criminal was registered out of Canada, making obtaining subscriber information difficult.

So, what can you do to protect yourself? First, if you receive one of these calls, don’t panic. Take the time to check out the story by contacting the grandchild or other family member. When possible, use internet search engines to look up addresses and/or phone numbers to verify their authenticity. Whatever you do, never, never, not ever send cash through the mail. Perhaps most importantly, if you have older parents or grandparents, share this information with them. Instruct them to contact you or a family member if they receive a similar phone call or email, especially before sending any money.

Identity theft continues to be a leading cause of financial fraud in our community. The Sheboygan PD recently investigated two cases of identity theft – one involving using a person’s personal information to fraudulently open a credit card account; the other using a person’s personal information to establish utility services in another state. In both cases, the victims did not suffer an actual loss, but are having to dispute charges and repair their credit files. Since payments were not being made on the fraudulent accounts, the unpaid balances were sent to collection agencies, thus adversely affecting the victims’ credit scores.

These cases reinforce the importance of credit freezes and regular credit monitoring. Viewing your credit reports is free through the website www.annualcreditreport.com. In the past, you were entitled to one report from each bureau (Trans Union, Equifax, and Experian) per year; however, under new COVID provisions, you are allowed to view a copy of your report from each bureau once per week, recently extended through April 2022. By regularly viewing your credit report, you can become aware of potentially fraudulent activity sooner than later, making it easier to correct.

The single best protection against identity theft continues to be a credit freeze. A credit freeze prevents criminals from opening lines of credit in your name and does not affect currently established credit. For more information about credit freezes and how they work, click HERE.

Other services like Credit Karma (www.creditkarma.com) provide additional credit monitoring for free. You can monitor your credit score for changes and get notifications about activity on your credit file (through Trans Union and Equifax). If you’ve already frozen your credit, you will need to temporarily thaw it to establish Credit Karma account. If you haven’t yet, but intend to freeze your credit, set up a Credit Karma account (if you wish) first.

Click here to go back to the top of the page.

Kroger Data Breach and Tips for Filing Your Taxes Safely (03/11/21)

Kroger (Pick ‘n Save and Copps) recently became one of the latest companies to experience a data breach of customer information. Kroger was one of several companies using a company called Accellion to provide third-party data file transfer services (a simple way to share large files). Due to its age, hackers were able to exploit a vulnerability in the file transfer software to access the sensitive customer data. Kroger says that no credit or debit card data was stolen, but reported that the attack affected their money service (money orders, bill pay, check cashing) and pharmacy records, including personal data. Kroger believes that approx. 2% of customers have been impacted.

This is another example of a “supply chain attack” – supply chain attacks involve using an outside partner or provider to access an organization’s systems or data. So, what can you do to protect yourself against these types of threats? The best defense remains implementing a credit freeze with the three credit reporting bureaus (Trans Union, Experian, and Equifax). Remember, credit freezes prevent any new credit from being taken out without your knowledge, and do not affect current credit accounts. Credit freezes are fairly easy to set-up and temporarily “thaw”, if needed. Click HERE for more information about credit freezes.

Spring is upon us and that means that it’s tax season. Last year, between 20 and 30% of Americans reported losing money to fraud, with many involving tax scams. And not all losses are a result of a scam – some involve dishonest tax preparers. Remember, when it comes to your tax return, you are ultimately responsible for all the information on your return, no matter who prepares it. It is important to choose a tax preparer wisely: (1) check their qualifications, (2) review your return before the tax preparer signs and submits it, and (3) never sign a blank return.

Tax payers should also be wary of W2 phishing scams. These scams involve criminals posing as someone high up in a company or organization. The scammers send what may appear to be legitimate emails asking for copies of your W2 forms. NEVER send this type of information without verifying the legitimacy of the request.

In addition, criminals employ IRS phishing scams to obtain money from victims. Typically, the recipient with receive an “urgent” email or text claiming to be from the IRS. The message usually involves instructions to click on a link and/or fill out a form. Some tactics that criminals use include: IRS needs to update your online profile, you qualify for a refund, your credit card was fraudulently used, or you’re due a large sum of money. To identify these scams, look for generic greetings, poor grammar or typos, or conflicting web addresses. Like other phishing scams, NEVER click on links, download files, or reply – the IRS will never initiate contact via email, text, or social media.

Click here to go back to the top of the page.

Payment Apps and Car Infotainment Systems (02/25/21)

Payments apps like Venmo, Cash App, and Zelle offer convenient ways to send and receive money. According to a recent study, about 80% of U.S. adults use mobile payment apps. Unfortunately, many people assume that payment apps offer protections similar to those of credit or debit cards, but that’s not the case. Generally, transactions cannot be reversed if there’s a problem or if you change your mind, even if your account is linked to a credit card. In addition, some financial institutions are activating Zelle without customers’ knowledge, which could be an issue if your banking credentials are compromised and criminal gets access to your account.

If you decide to use a payment app, consider setting up a separate bank account for that purpose, and only put in money needed to fund those transactions. If you don’t, and have linked your savings account to your checking or payment account, the scammer may get access to those funds as well, through automatic overdraft protection, or compromised credentials. It is generally recommended that you never use these apps to send money to strangers – only use them with family, friends, or trusted sources.

Many newer cars on the road today offer a great deal of technology and connectivity. People often forget that these cars are really computers on wheels and present a variety security and privacy concerns. Today’s technology allows you to connect your smartphone to your vehicle to have easy access to your contacts, messages, photos, navigation services, and internet connection. Manufacturers generally refer to these systems as “infotainment systems” – they offer convenience, but at a price.

When you plug-in your smartphone, the system may collect a wide variety of personal information: home address, wi-fi passwords, contacts, emails, texts, and photos. In addition, if your car’s computer has been infected by malware, you could download that onto your phone, further compromising its contents. This is particularly relevant when using a rental car – because you don’t know who used the car before you, you take a big risk connecting your phone to that vehicle.

To limit your vulnerability when renting a vehicle, avoid connecting your phone at all. If you do decide to connect it, perform a “factory reset” of the infotainment system when turning-in the vehicle to hopefully erase your data. Remember, if you just need to charge your phone, use a cigarette lighter charger, not the USB port. When selling or trading-in your car, perform a “factory reset” on system as well. To ensure a full reset, ask the dealer to wipe the hard drive.

Click here to go back to the top of the page.

Four More Recent Local Case Studies (02/11/21)

Variations of different scams continue to affect people in our community. By explaining what these scams look like and educating the public about the red flags to look for, we hope to prevent others from becoming victims.

Military “Romance Scam”

Romance scams are extremely prevalent and account for highest financial loss of all internet-facilitated crimes. The Internet Crime Complaint Center (IC3) says it received over 15,000 romance scam complaints last year, with losses exceeding $230 million. The FBI puts the true number higher as they estimate only 15% of these crimes are reported to law enforcement.

In this scam, the scammer usually originates contact with the target on legitimate dating sites or social media apps. The scammer identifies themselves as a “soldier” serving oversees and says they need money. Here are some red flags to look for:

all contact is online; no phone or video
scammer alleges “lack of support” by military, or requests money for basic needs (transportation costs, communication fees, medical expenses)
obvious grammatical errors, or pledges their love at warp speed
deployed soldiers do not find large sums of money and do not need your help to get that money out of the country

Car Rental Scam

This scam reinforces the importance of verifying what web sites you are visiting and limiting your business to known, legitimate companies. In this case, the victim used an online search to locate discounted car rental deals. She clicked on a link which took her to what appeared to be a well-known car rental company, but in fact was an imposter site. Sometimes the scammer also employs a fraudulent phone number to facilitate contact. The scammer ultimately tries to get the target to pay for the rental using pre-paid value cards. Red flags to watch for include:

prices too good to be true
offer requires payment other than a credit card
always take the time to verify the web address, or search the phone number online for reports of fraud

Apartment for Rent

This scam has been around for a while and is very effective. The scammer lists a vacant home or home for sale on a legitimate website (Craigslist, Apartments.com), advertising it “for rent”. When people respond to the fraudulent ad, they are pressured to quickly submit a security deposit, typically being told the apartment is in “high demand”. The scammer requires payment via wire transfer, electronic payment (Zelle, Venmo), or pre-paid cards. Look for the following red flags:

renter claims to be out of town / cannot show apartment
renter says they will FedEx keys
renter wants you to move in “right away” or does not complete any screening process

Before sending money or signing any documents, identify the owner of the property and request to meet in person – be sure to visit the property in person.

Counterfeit Money

Counterfeit bills of various denominations have been circulating in Sheboygan. When accepting cash, particularly denominations of $50 or $100, carefully scrutinize the bill:

Does it say “For Motion Picture Purposes” or “Copy”?
Carefully review the layout for signs of altering (uneven spacing, blurry letters, odd markings).
Do any of the bills have identical or sequential serial numbers?
Do not rely solely on “counterfeit detection pens” – they aren’t fool-proof and are not sanctioned by the U.S. Treasury.

When in doubt, do not accept the bill. With advances in technology, counterfeiters are becoming more sophisticated in creating bills that appear genuine.

Click here to go back to the top of the page.

Marketplace Scams and Social Engineering Refresher (01/28/21)

Online scams are prevalent and rely on empty promises and the anonymity of the internet to be successful. Two current scams utilize online marketplaces to separate people from their money.

$99 Windshield Repair (Facebook)

Scammers use fake/hijacked profiles to advertise $99 windshield repair, occasionally referencing know local businesses. Scammers utilize Facebook Messenger to initiate communication, then persuade the target to call a Google Voice or similar phone number to continue transaction – the goal is to get target to pre-pay for repair, which doesn’t really exist. A brief review of the associated Facebook accounts reveal that they are clearly not related to windshield repair.

Puppy Scam

This scam exploits subjects looking to purchase a puppy online, typically a unique breed, suggesting a higher purchase price. The target responds to an ad on Craigslist or Facebook, with the “seller” requesting 50% down. The “seller” may subsequently also request additional money for “issues” with the dog’s crate, vaccinations, etc., with the objective being to get the target to wire as much money as possible. There is never actually any puppy for sale.

With both of these scams, remember – don’t pay upfront for a promise and consider how you pay. Avoid wire transfers, mobile payments like Venmo and Zelle, and pre-paid value cards.

In addition, it is important to always keep in mind the pervasiveness and effectiveness of social engineering scams. This time of year, IRS scams are very common. COVID vaccination scams also continue to be prevalent. These types of scams rely on “social engineering” to be successful. Remember, social engineering tactics involve creating a situation in which the victim provides information of value to the scammer, under perceived pressure or duress. They are design to exploit human behavior and tap into emotions that would cause the victim to disregard their better judgment.

To avoid falling victim to these types of scams, remember the 4 P’s:

The scammer PRETENDS to be a person, or from an organization, you know.
The scammer says there’s a PROBLEM or a PRIZE.
The scammer PRESSURES you to act immediately.
The scammer tells you to PAY in a specific way.

Click here to go back to the top of the page.

Recent Local Case Studies (01/14/21)

The following is a description of recent scams reported to the Sheboygan Police Department.

“You’ve Won” Lottery Scam

In this scam, the target receives a phone call stating “you’ve won” some type of lottery or cash prize. All you have to do, they say, is send money to cover fees associated with the prize (taxes, processing fees). The target is instructed to pay these fees via wire transfer or by using pre-paid cards. This is ALWAYS a scam – you should never have to pay to win a prize. In this case, further indications of fraud included that the target never entered a lottery or sweepstakes, and when checking the address provided by the scammer, the address was found not to exist.

Imposter Scam

There are many variations of this type of fraud. In this case, the victim received phone calls from persons purporting to be from the FBI and DEA, using the names of actual prominent agency officials. The callers alleged the victim’s involvement in violations of federal law and drug trafficking, and threatened arrest or imprisonment. The victim was told not to tell anyone, and the caller aggressively demanded payment of thousands of dollars in wire transfers and/or pre-paid cards. In some cases, the scammers will also ask for personal information like DOB or social security number.

Unfortunately, the victim initially purchased $5,000 in Nike pre-paid cards, then was convinced to withdraw a cashier’s check for almost $110,000 from her bank account. The victim’s request was initially denied at her primary bank, but she went to a different branch that processed transaction. The victim then deposited the cashier’s check at a different local bank belonging to the scammer’s accomplice in California. The money was promptly transferred out of that account and made its way out of the country.

This case illustrates the importance of “front line” awareness and prevention efforts. If you work in an industry that is involved in perpetuating these scams (banks, investment firms, grocery stores), please educate yourself about the indicators of these scams and be aware of suspicious activity. Take the time to talk with your customers to determine legitimacy of the transaction. Remember that often, victim’s will be scared and will have been told not to tell anyone.

Click here to go back to the top of the page.

Supply Chain Attacks and COVID Vaccination Scams (12/17/20)

Recently, the Solar Winds “cyber-attack” has been making the news. So, what’s the big deal? To begin with, SolarWinds is a software vendor that helps government agencies and Fortune 500 companies monitor the health of their IT networks. More than 425 of the Fortune 500 companies utilize their services. In addition, all five branches of the military and hundreds of universities and colleges are also customers of Solar Winds. The recent hack could potentially affect any number of the more than 300,000 companies they service worldwide.

During this attack, hackers used a “supply chain attack” to infiltrate an unknown number of organizations. What is a supply chain attack? These attacks involve using an outside partner or provider to access an organization’s systems or data. Locally, the Sheboygan Police Department continues to receive reports of compromised email and/or billing systems. The scammers utilize vulnerabilities in these systems to introduce malware and/or attempt to get their victims to change or bypass traditional payment methods to obtain money by using hacked data (invoices, emails, bank info).

To avoid being victimized:

never get pressured into circumventing policies and procedures for an alleged “emergency”
verify anomalies or exceptions with supervisors or customers directly
report suspicious contact to IT department; consider having IT or outside cybersecurity firm run risk assessment of network

Another set of scams that has been increasing in frequency relates to the COVID 19 pandemic. With the recent news of a COVID vaccine, criminals are creating various ways get your money, or try to trick you, which could result in serious injury or death. Remember, you can’t pay to put your name on a list to get the vaccine. Also, you can’t pay to get early access to the vaccine. And nobody legitimate will call about the vaccine and ask for your social security number, bank account, or credit card information.

Remember these tips:

ignore any offers that demand money or ask for personal information
don’t fall for pressure tactics; i.e. “limited supply”, “act now”
before acting, double-check claims with info from credible sources
when in doubt, seek advice from your health care provider

Click here to go back to the top of the page.

Holiday Security Tips (12/03/20)

It’s the holiday season, and many people are spending time shopping for gifts, travelling, and giving to charitable organizations. During this usually joyful time, fraud attempts increase about 30 percent. To help protect yourself from fraud, consider these tips:

Shopping

When shopping for holiday gifts, be wary of unsolicited emails offering “to good to be true” deals
Avoid clicking on links and instead visit the product site directly
When shopping online, use a credit card (not a debit card) or single-use card numbers
If purchasing IoT devices, ignore “online” reviews on merchant sites (many are fake). Look for independent/objective advice, or talk to someone you know and trust. Research products’ privacy / data collection policies. Stick with mainstream manufacturers to ensure ongoing support (firmware upgrades, etc)

Home Security

Bring in delivered packages as soon as possible to prevent theft
If you’ll be travelling, consider installing timers on lights, and arrange for snow removal and mail hold
When travelling, remember to avoid unsecured WiFi and/or use a VPN client; use credit cards instead of cash

Charitable giving

Avoid responding to unsolicited texts or emails
Know who you’re donating to. Check out charitynavigator.org or give.org to determine which charities are reputable.
When in doubt, give directly to a local charity

Social media scams

“Secret Sister” Gift Exchange is popular on Facebook. It promises windfall of gifts if you send one $10-15 gift to someone on the list. Gifts never materialize, and it’s against Federal law.

Click here to go back to the top of the page.

Social engineering is the use of deception to manipulate people into divulging confidential information, or obtaining money. It is a commonly used tactic by criminals to successfully commit acts of fraud and identity theft, and is used to deceive both individuals and businesses. Below are two examples of actual recent cases targeted at businesses which occurred in Sheboygan:

Example #1

A local business legitimately orders equipment from vendor through a supplier. Several months later, the accounting department receives an emailed invoice purported to be from the vendor, requesting payment. The invoice states that the vendor is having issues processing checks because of a counterfeit check recently paid into their account, and as a result they are only accepting ACH or Wire transfers to their bank account. The fraudulent invoice contained specific account and routing information, and approximately $70,000 was wired to the suspect account, aka “funnel account”. Investigation by law enforcement identified that the funds were immediately transferred from the funnel account to a different account, then wire transferred to a bank specializing in cryptocurrency.

Red flags: suspicious reason for deviation from normal payment; review of email that sent invoice was misspelled – “billstrut” vs “billtrust”.

Example #2

A business received a fax purporting to be from a company that they had done business with previously. Because the “company” hadn’t order for a while, their credit line had been reduced and the business required a new credit application. The scammer submitted a new application with the names of three representatives from their “company”, along with corresponding social security numbers. Based on that information, a credit check was run and the legitimate business approved the new line of credit. They conducted business with the “company”, and over several months the “company” ordered almost $40,000 worth of product. No payments were ever made, and when the business contacted the actual company, they advised there was no record of any employees by the names provided. Also, the address that the business was shipping product to was a storage unit, not the legitimate company.

Red flags: sudden new contact from old customer; failed to verify information

Click here to go back to the top of the page.

Protecting Your Security When Using IoT Devices (10/22/20)

Many of us remember watching “The Jetsons” with fascination, dreaming about the technology of the future. Well, much of that technology is here today and is often referred to as the Internet of Things. Simply put, the Internet of Things (IoT) is a class of devices with built-in network connectivity. These devices are present in manufacturing, health care, government, and in our homes. Some common devices you’re probably familiar with include: televisions, cameras, thermostats, light bulbs, and refrigerators. As technology advances, things like cars, utility meters, and even medical equipment have even been included in the IoT universe.

The number one concern with using these devices is security. Since the idea of networking all these devices is fairly new, security has not always been a top priority during their design phase. And unfortunately, many vendors often prioritize ease of use and functionality over security. Many devices like cameras (think baby monitors and security cameras) often come with well-known, default passwords that many end-users do not change. Other devices come with no password.

In addition, many end-users forget or simply don’t take the time to update the firmware on the device. Since most IoT devices connect to apps on your smartphone or tablet, make sure you have reputable internet security software installed on these devices. Set-up two-factor authentication, and know what data these apps are collecting, and how they use and store that data.

What can you do to be more secure?

Set up a secure Wi-Fi router – your router is like the front door to your home network and needs to be secure. Use a strong encryption method (WPA2), set up a guest network, and change default usernames and passwords.
Review the default privacy and security settings of your devices.
Research products carefully before buying – know what steps the manufacturer has taken to protect your privacy.
Update firmware.
Consider upgrading older devices.

Click here to go back to the top of the page.

PCH Scam / National Cybersecurity Awareness Month (10/08/20)

Recently, our area has seen an increase in reports of a “you’ve won money” scam. You get a call from someone claiming to be from Publisher’s Clearing House, notifying you that you’ve won the sweepstakes. They ask for your social security number and bank account information to verify your identification and send you your winnings. The caller may also direct you to purchase pre-paid cards or gift cards and provide them with the numbers to pay the “fees” or “taxes” associated with your winnings. Unfortunately, there are no winnings and this type of scenario is ALWAYS a scam. If you do provide personal information like your social security number or bank info, make sure you immediately follow the following steps:

Freeze your credit, if not already frozen, with each credit bureau – click HERE for instructions
File a report at identitytheft.gov
Periodically monitor your credit reports at annualcreditreport.com
Consider setting up a My Social Security account at ssa.gov

October is National Cybersecurity Awareness Month (NCSAM), sponsored by the Department of Homeland Security. The theme for 2020 is:

“Do Your Part. #BeCyberSmart.”

The purpose of this campaign is to bring awareness to the importance of being safe and secure while online. Here are a few tips:

Pick Proper Passwords

make them hard to guess
go as long and complex as you can
consider using a password manager
one account, one password

Stop-Think-Connect

be thoughtful about what sites you visit and what info you share
regularly update software, firmware, and operating systems
shut down old accounts
check your app “permissions”

If in doubt, don’t give it out

protect your personal information
don’t reply to unsolicited offers
avoid online surveys that may reveal clues about your passwords

Each week, the campaign will focus on a different area of cybersecurity:

Week of October 5 (Week 1): If You Connect It, Protect It
Week of October 12 (Week 2): Securing Devices at Home and Work
Week of October 19 (Week 3): Securing Internet-Connected Devices in Healthcare
Week of October 26 (Week 4): The Future of Connected Devices

For more information, click HERE to visit the campaign’s website.

Click here to go back to the top of the page.

Crime Prevention Tips (09/24/20)

Today, we switch gears from talking about fraud and scams as Detective Kehoe offers some general crime prevention tips:

Ensure that all doors and windows are locked to homes, garages, and vehicles – many preventable thefts and burglaries occur because a door or window is left unsecured
Keep valuables in a safe and secure location – often police take reports of firearms and other valuables that are left in plain view
During hours of darkness, keep your property well lit – low cost LED lighting makes this an affordable and efficient way to keep your home and property safe (consider adding motion sensors as well)
Install exterior and/or interior cameras – the advancement of technology has created affordable solutions to keep an eye on your property while away
Get involved with your neighbors – neighborhood associations and watch programs are a great opportunity to meet your neighbors and learn more about what’s going on around your home; residents working together is a great tool when it comes to crime prevention
Be mindful of what you post on social media – posting photos of newly purchased, valuable items can be risky, especially if you have a public account; be cautious of who can see what you post
Report suspicious activity or victimization to the police – for a variety of reasons, people often chose not to contact the police for property crimes; our department’s patrol methodology is based, in part, upon data and crime trends, making timely reporting an important element of crime prevention
If you are the victim of a property crime, take steps to prevent re-victimization; studies suggest that people are 67% more likely to have a thief return with a two week period after being the victim of a crime

For additional crime prevention strategies, click HERE.

Click here to go back to the top of the page.

Review of Phishing Scams and Revisiting Credit Freezes (09/10/20)

Pre-text, or “phishing”, emails and text messages continue to be the primary form of scam activity in the Sheboygan area. These emails purport to be from well-known organizations like UPS, PayPal, Amazon, or the IRS, and contain logos and links that may seem legitimate. To avoid putting your personal information in jeopardy, never click on links in these messages, or divulge any personal information. When in doubt, go directly to organization’s known website to verify the email is legitimate, or call a confirmed phone number to speak with a customer service representative.

A credit freeze, fraud alert, and credit lock are ways to protect your credit reports from being used by scammers to open new accounts. Click HERE to learn the difference between a credit freeze and a fraud alert. The best defense against your information being used maliciously is to implement a credit freeze. Credit freezes offer a higher level of security than fraud alerts, but require a little more work to implement and “thaw”. Both are free and do not affect your current credit or your credit score. Credit locks are not always free and are not governed by federal law.

Prior to setting up a credit freeze or fraud alert, consider signing-up for a free credit monitoring service such as Credit Karma. These services allow you to monitor your credit and be alerted to new accounts in your credit report. You can also check your credit weekly for free at annualcreditreport.com.

Click here to go back to the top of the page.

What’s Up with TikTok / Preventing Fraud During the 2020 Census (08/27/20)

Recently, the social media platform TikTok has been in the news regarding security concerns with using the app. TikTok is a social network for sharing user-generated music videos, and is owned by ByteDance, a Chinese company. Some fear that ByteDance may be compelled by the Chinese government to provide its user data to the Chinese government. This user data includes sign-up information like the user’s phone number/email and a birth date (which the app does not verify), and user content, such as videos, messages, and location data. The risks of using the app are comparable to other social media platforms, and because of the potential to encounter explicit or inappropriate content, the app is not recommended for children under 13 years of age.

To protect yourself or your teens while using the app, consider the following:

while there are valid concerns about how the Chinese government may use your data, TikTok collects fewer data points than apps like Facebook
for younger teens, parents should consider enabling parental controls and monitoring the content their children upload; click HERE for more information
set your account to “private” to limit people that can see your content
use a different, more secure platform for private messaging

The U.S. Census Bureau is currently visiting homes to collect responses for the 2020 Census. Census takers are hired from the area they survey and work from 9am-9pm, including weekends. They will ask general questions like the number of people in your home; age, race, ethnicity; and verify address and phone number.

What do you need to know to avoid scammers?

check to make sure the surveyor has a valid ID badge, with their photograph, a U.S. Department of Commerce watermark, and an expiration date
the U.S. Census Bureau will never ask for your social security number or bank account / credit card numbers
they will also never send unsolicited emails
if in doubt, call the U.S. Census Bureau at 844-330-2020
you can also search a staff directly at census.gov; click “About Us”, then “Staff Directory”

Click here to go back to the top of the page.

Review of Imposter Scams / COVID-19 Schemes (08/06/20)

An imposter scam is when a scammer pretends to be someone you trust and tries to convince you to send them money, or divulge personally identifiable information.

Two of the most recent versions of this scam have been facilitated using Facebook Messenger and the Facebook.com social media platform. One form of this scam involves the scammer impersonating a celebrity or charitable cause. Using social engineering, the scammer develops a relationship with the victim and gains their trust. The scammer relies on the victim’s emotional response and desire to help in order to exploit the victim for money. The other variation involves “extorting” the victim for money. Using a false identity, the scammer initiates a romantic relationship with the victim, ultimately convincing the victim to send compromising photos or videos of themselves. The scammer then threatens to send the images to family and friends unless a ransom is paid. Occasionally, the scammer will employ some kind of fictional noble cause to justify the ransom, e.g. a sick or dying child. Due to the sensitive nature of these scams, they frequently go unreported.

To avoid falling victim to these scams:

never trust the identity of someone you’ve only met through social media; confirm someone’s profile in person if possible
never send money to someone you met on social media
don’t send explicit images or videos, even to people you know; once these images are sent, you lose control of them forever

Scammers also continue to exploit the COVID-19 pandemic to defraud victims – an estimated $35 million has been lost by victims of this type of fraud since May 18^th. These crimes are usually perpetrated by using robocalls and various messaging services.

Some of the schemes used by criminals include posing as “contact tracers” to obtain your personal information; selling counterfeit test kits, masks, and other PPE; peddling products that claim to be vaccinations or curse for coronavirus; targeting college students with promises of student loan forgiveness; and causing voter disruption by creating confusion about election dates and polling sites.

Here’s what you can do to protect yourself:

do not respond to unsolicited messages
do not answer calls from numbers you don’t recognize
authenticate product/service offers through verified websites

Click here to go back to the top of the page.

Social engineering is the art of manipulating people so they give up confidential information. Of successful data breaches, 70-90% involve phishing or social engineering, 20-30% involve unpatched software, and only 1-10% account for everything else.

Human behavior is the weakest link in the cybersecurity chain. Scammers rely on your strong emotional response to fear or uncertainty. Their goal is to create chaos, whether real or perceived. Scammers also try to exploit people’s tendency to want to be helpful.

Cybercriminals routinely profile us. They research company websites and social media accounts. Scammers know that people age 35 and over primarily use email as their means of communication, so most attacks occur via email. For those 35 and under, scammers exploit social media messaging platforms, which are more popular with that demographic. A scammer’s goal is to get you to click a link, claiming you won a gift card, or posing as friend, school, or employer. Scammers are also keen on exploiting a person’s desire to accumulate “likes” and “followers”, a concept known as “gamification” and “FOMO” (fear of missing out).

Phishing and social engineering attacks have become more sophisticated, targeting officers of a company, or people with an emotional connection. For example: an employee might receive an email purported to be from their boss regarding a “secret” law enforcement investigation. The boss says people might go to jail and you must keep this confidential. He says the company’s legal team will be calling w/ questions and you should cooperate fully. The scammer’s goal is to make you feel a sense of urgency and willingness to help, therefor tricking you into divulging confidential information. For those in corporate world, education and regular training, not just awareness, is crucial because of the enormous exposure risk (information, access to funds).

To prevent yourself from falling victim to social engineering scams, look for these clues:

you are being rushed
asked to bypass normal procedures
confusing jargon
overly curious or prying behavior
too good to be true

Click here to go back to the top of the page.

Unemployment Insurance Fraud / “Car Wrap” Scam (06/11/20)

The United States Secret Service has received reporting of a well-organized Nigerian fraud ring exploiting the COVID-19 crisis to commit large-scale fraud against state unemployment insurance programs. The primary state targeted so far is Washington, but there have also been reported cases in Massachusetts, North Carolina, Rhode Island, Oklahoma, Wyoming, and Florida. Individuals residing out-of-state are receiving multiple ACH deposits from certain state unemployment benefit programs, all in different individuals’ names with no connection to the account holder. Scammers convince victims to allow out-of-state unemployment insurance deposit into their account under false pretenses, then victims forward money to another person via MoneyGram, cashier’s check, or Bitcoin. The original deposited money is fraudulent and victim is on the hook for re-payment to the bank. This crime frequently develops out of the “romance scam”, where scammer already has access to victims’ bank account. This fraud network is believed to consist of hundreds, if not thousands, of victims with potential losses in the hundreds of millions of dollars. The banks targeted have been at all levels including local banks, credit unions, and large national banks.

Another scam seen recently in our area is referred to as the “car wrap scam”. The FTC has a briefing about this scam here. In summary, the victim typically receives a check to “wrap” their car with ad for product or business. The check is much more than originally offered as payment, explaining the victim should deposit the check, keep part of it as their share, and wire the rest to another company that will wrap the car. Weeks after the money is wired, the check bounces and the victim is on the hook for paying back the bank…needless to say, no one’s wrapping your car.

Click here to go back to the top of the page.

Combatting Fraud During the Summer Travel Season (05/28/20)

With the summer travel season upon us, vacationers face increased risks of fraud and identity theft. Here are a few tips to help keep you and your money secure:

when booking travel, stick to name brand travel sites like Priceline, Expedia, and AirBnB; or book directly with the airline, hotel, or car rental; avoid unsolicited email deals
consider a mail hold – visit usps.com/manage/hold-mail.htm for details
use a credit card, not cash or debit card, for added fraud/theft protection; make sure your bank or credit card company has your current email/phone to notify you in case of fraud
lock your smart phone or tablet (with biometrics or six digit code), turn off automatic connection to Wi-Fi, use only cellular data or private, password-protected Wi-Fi, and avoid unsecured public Wi-Fi; consider using a VPN client
watch out for data skimmers at public charging stations; bring your own portable charger

Click here to go back to the top of the page.

Tips for Using Credit Cards Safely (05/14/20)

Despite advancements in security, credit card fraud is still a common form of identity theft. There are several strategies you can employ to mitigate the risk of using credit cards and prevent you from falling victim to this type of fraud:

ensure that your card has the EMV chip; while not invincible from all fraud, the EMV chip is superior to the older magnetic strip
consider “contactless” payments; this method, accessible using most cell phones and some credit cards, employs NFC technology and is one of the most secure payment options available
when shopping online, only use your credit card on websites you trust; ensure secure sites by checking the URL for “https://” and for a lock icon in the address bar
avoid using a debit card online – credit cards offer more protection against fraudulent charges than debit cards; most credit cards impose a maximum liability of $50, or zero liability if reported immediately; however, with debit card fraud, you could face unlimited liability
watch out for skimmers at gas pumps; consider paying inside
sign-up for paperless billing; this decreases the chance of your account number being compromised
if you do want to receive paper statements, sign-up for Informed Delivery with the Post Office; click here to sign up

Click here to go back to the top of the page.

COVID-19 Scams (04/30/20)

There are a variety of scams being perpetrated by criminals exploiting the COVID-19 pandemic. Some examples include:

scammers posing as Amazon, UPS, etc., asking you to “confirm you order status”
scammers posing as the IRS, Dept. of Labor, etc., offering stimulus money or other payments
scammers impersonating charities seeking donations
counterfeit goods (masks, gloves, sanitizer)
“work at home” scams
COVID-19 tracking websites containing malware and spyware

To reduce your risk, consider these suggestions:

do not click on links from sources you don’t know
watch for imposter emails claiming to be from the World Health Organization or CDC; also be alert for calls from cybercriminals pretending to be government organizations, family members in distress, or banks/credit card companies
ignore online offers for vaccinations or home test kits
do your homework before making donations; do not pay using gift cards or money transfers
only purchase items from reputable retailers
carefully scrutinize “investment opportunities”

Helpful websites:

Click here to go back to the top of the page.

Three Things to Do Right Now (04/09/20)

Criminals exploit fear and uncertainty to victimize targets of fraud and identity theft. While no one strategy can protect you from fraud, there are three things you can do immediately to limit your risk:

Freeze your credit – this will prevent scammers from opening fraudulent accounts using your information. For the difference between a fraud alert and a freeze, click here; for steps how to freeze your credit, click here.
Review a free copy of each of your three credit reports (TransUnion, Experian, and Equifax) at annualcreditreport.com. Check for errors and fraudulent activity at least once a year.
Do not respond to unsolicited requests for personal information – these may be in the form of emails, text messages, or phone calls. Watch for “phishing” attempts from criminals posing as government agencies or well-known companies. Also, refrain from completing surveys on Facebook and similar sites that attempt to illicit clues to your passwords and security question answers.

Click here to go back to the top of the page.

2023 Episodes

2022 Episodes

2021 Episodes

2020 Episodes

Recent Scams and Summer Travel Safety (05/25/23)

Phishing Email Trends and QR Codes (05/11/23)

Searching with Google and Phishing Texts (04/27/23)

Internet of Things (IoT) Review (04/13/23)

Popular Cybersecurity Terms (03/23/23)

Credit Card Data Leak and Healthcare Fraud (03/09/23)

Tax Fraud and Local Case Review (02/23/23)

SIM Swapping, Romance Scams, and Tax Fraud (02/09/23)

Safer Internet Day and Three Scams to Be Aware Of (01/26/23)

Five Phishing Scams You Need to Know About (01/12/23)

Holiday Scams (12/08/22)

Sextortion Targeting Adolescents (11/17/22)

Brand Phishing, Data Backups, Loan Forgiveness (11/03/22)

October is Cybersecurity Awareness Month (10/20/22)

“Brushing” and “Pig Butchering”: Two Scam Techniques You Need to be Aware of (10/06/22)

Malvertising on Microsoft Edge, U-Haul Data Breach, Reporting Spam Texts (09/22/22)

Review of Common Scams Part 2 (08/18/22)

Review of Common Scams Part 1 (07/28/22)

Summer Travel Safety Tips, Credit Reports & Freezes (06/09/22)

Scam Update and Online Marketplace Safety (05/26/22)

Passwords and Peer to Peer Payment Apps (05/12/22)

QR Codes and Phishing Scam Updates (04/28/22)

Current Scams Involving Social Media (03/24/22)

Ukraine Charity Fraud and Medicare Scams (03/10/22)

You’ve Won Scams and Zero-Day Vulnerabilities (02/24/22)

Avoiding Tax Fraud (01/27/22)

COVID Test Kits and Recent Law Enforcement Scam (01/20/22)

Malicious PDFs (01/13/22)

Elder Exploitation and Resolutions for the New Year (12/16/21)

Holiday Fraud Prevention Tips (12/02/21)

Phone Scams, Fraud Reporting, and Holiday Shopping Tips (11/18/21)

WPS “Stop Scams Now” Campaign and Phishing Emails (10/28/21)

October is Cybersecurity Awareness Month (10/14/21)

Scam Review and the “Devious Licks” TikTok Challenge (09/23/21)

Keeping Your Cell Phone Secure and Other Fraud Updates (09/09/21)

T-Mobile Data Breach and Investment Account Fraud (08/19/21)

Home Delivery Scam and “Social Media: The Weakest Link” (07/15/21)

Cryptocurrency Primer (06/24/21)

Recent Local Scams and Summer Travel Safety Tips (06/10/21)

Local Case Studies (05/13/21)

Elder Financial Exploitation (04/29/21)

Robocall Update and the Recent Facebook Data Breach (04/15/21)

Grandparent Scam / ID Theft and the Importance of Credit Monitoring (03/25/21)

Kroger Data Breach and Tips for Filing Your Taxes Safely (03/11/21)

Payment Apps and Car Infotainment Systems (02/25/21)

Four More Recent Local Case Studies (02/11/21)

Marketplace Scams and Social Engineering Refresher (01/28/21)

Recent Local Case Studies (01/14/21)

Supply Chain Attacks and COVID Vaccination Scams (12/17/20)

Holiday Security Tips (12/03/20)

Social Engineering Review (11/12/20)

Protecting Your Security When Using IoT Devices (10/22/20)

PCH Scam / National Cybersecurity Awareness Month (10/08/20)

Crime Prevention Tips (09/24/20)

Review of Phishing Scams and Revisiting Credit Freezes (09/10/20)

What’s Up with TikTok / Preventing Fraud During the 2020 Census (08/27/20)

Review of Imposter Scams / COVID-19 Schemes (08/06/20)

Social Engineering (06/25/20)

Unemployment Insurance Fraud / “Car Wrap” Scam (06/11/20)

Combatting Fraud During the Summer Travel Season (05/28/20)

Tips for Using Credit Cards Safely (05/14/20)

COVID-19 Scams (04/30/20)

Three Things to Do Right Now (04/09/20)