Fraud Topics

Click each item to learn more. Topics are listed in order of occurrence on WHBL. For general tips for staying safe from fraud, also see our Fraud Prevention page.

Instagram phishing scam

In this scam, criminals are not only trying to get your Instagram password, but also your email credentials.

How it works:

You receive an official-looking email from Instagram. According to the message, you have violated copyright laws, and your account will be deleted within 24 hours. But don’t worry, the email says – if you think that Instagram has made a mistake, all you need to do is click the button and “verify” your account. Then, you are taken to a website that prompts you to input your Instagram credentials. Most scams would end there, but not this one!

Immediately, another message appears. This pop-up claims that you must also verify your email address. You’ll see a list of e-mail providers. Choose yours, and you’ll be urged to enter your email address and password. As a final touch, the scam site redirects to the real Instagram website, which lends to the credibility of the scam.

What you can do:

Don’t panic or feel intimidated. Scammers use intimidation tactics to pressure you into acting quickly and without taking time to verify the information. Legitimate businesses will not use these tactics – stay calm and contact the business directly before acting.
Double check the “from” email address and link destinations. Hover over links to see where they really lead; and verify that the email is actually from who you think.
Never click links in unsolicited emails, especially when they demand urgent action. Email communications are easy to spoof. Go directly to the app or login into the website to confirm the information.

Other popular online scams

For scammers, there’s a lot to like about social media:

It’s a low-cost way to reach billions of people from anywhere in the world.
It’s easy to manufacture a fake persona.
Scammers can hack into an existing profile to find “friends” to con.
There’s the ability to fine-tune their approach by studying the personal details people share on social media. In fact, scammers could easily use the tools available to advertisers on social media platforms to systematically target people with bogus ads based on personal details such as their age, interests, or past purchases.

Currently, the number one social media scam involves investment schemes, particularly those involving bogus cryptocurrency investments. Last year, more than half of people who reported losses due to investment scams reported that the scam began on social media. According to the FTC, criminals use social media platforms to promote bogus investment opportunities, and even impersonate supposed “friends” to encourage them to invest.

After investment scams, the FTC identifies romance scams as the second most profitable fraud on social media. Losses to romance scams have climbed to record highs in recent years, with more than a third of people reporting that it began on Facebook or Instagram. These scams often start with a seemingly innocent friend request from a stranger, followed by sweet talk, and then, inevitably, a request for money.

While investment and romance scams top the list on dollars lost, the largest number of reported scams came from people who said they were conned trying to buy something they saw marketed on social media. About 45% of reports of money lost to social media scams last year were about online shopping. In nearly 70% of these reports, people said they placed an order, usually after seeing an ad, but never got the merchandise. When people identified a specific social media platform in their reports of undelivered goods, nearly 9 out of 10 named Facebook or Instagram.

Click here to go back to the top of the page.

Ukraine Charity Fraud and Medicare Scams (03/10/22)

“Support Ukraine” scams

With the recent events in Ukraine, many people are looking for ways to support those affected by the Russian attacks. And as with many noble causes, scammers have found ways to exploit people’s generosity. If you are inclined to provide financial support, consider the following:

Does the group you are giving to represent a legitimate organization? Before donating, check the site Give.org to see if they meet the BBB Charity Standards.
Be wary of emotional pleas. Scammers may text or email, claiming to be a victim – they may claim their husband and/or children have been killed in an effort to persuade you to give money. Only give to verified charities you trust.
It’s the imposter scam, rebooted. “Help, I’m stuck in Ukraine”; or, “I have lots of money to move out of Ukraine and need your help”; or “I need money to give my loved ones a proper burial”. No matter what the twist, it’s all the same. Imposters are looking to pray on your emotions to separate you from your money.
Avoid crypto. While there may some legitimate organizations that accept cryptocurrency donations, most are scams. And it’s almost impossible to trace your money after its been converted. Stick with official, trusted organizations for making donations, and only use a credit card directly on their website, rather than any links on social media.

Medicare scams surface locally

Locally, people have been receiving phone calls from individuals purporting to represent Medicare. Typically, these criminals will ask for your name, birthdate, and most importantly, your Medicare Number. They want this information to commit identity theft and Medicare fraud. Don’t be fooled:

Medicare will NEVER contact you for your Medicare Number or other personal information unless you’ve given them permission in advance.
Medicare will NEVER call to sell you anything.
You may get calls promising you things if you give them a Medicare Number – DON’T DO IT.
Medicare CANNOT enroll you over the phone unless you called first.

Regularly review your Medicare claims and Medicare Summary Notices for any services billed to your Medicare Number you don’t recognize. Report anything suspicious to Medicare by calling 1-800-MEDICARE.

Click here to go back to the top of the page.

You’ve Won Scams and Zero-Day Vulnerabilities (02/24/22)

Recently, there has been a local uptick in imposter scams, primarily “You’ve Won” type scams. Here’s how it works: You get a call, email, or text from someone who says they are from Publisher’s Clearing House, or some other well-known organization. They tell you you’ve won some amazing prize and all you have to do is pay a “processing fee”, “taxes”, or some other charges to claim your prize. Most often, they demand pre-paid cards as payment. This is always a scam!

Scammers try to push you to a heightened emotional state to lower your guard and steal your money and personal information. To avoid falling victim to these criminals:

NEVER pay to receive a prize. There’s also no reason to give someone your bank account or credit card number in response to a sweepstakes promotion.
NEVER give pre-paid or gift card numbers to someone you don’t know. Using these payment methods is like using cash – once it’s gone, you won’t get it back.
DON’T trust caller ID or email headers. These can be manipulated to appear to come from a trusted source, when in fact it’s an imposter.

If you receive a call from one of these scammers, just hang up and block the number. If you receive an email, don’t respond and delete the message.

Over the past few weeks, several companies, including Google, Apple, and Microsoft have announced critical software updates and patches in response to zero-day vulnerabilities. A zero-day vulnerability refers to a security vulnerability for which no mitigation or patch is available at the time it is disclosed or made public. So, until the company develops a patch, and you update your system, you are potentially at serious security risk.

For example, just visiting a malicious web page, even if you don’t click or download anything, could steal private data, make unauthorized changes, or install malware, including spyware. These exploits can affect computer and mobile phone operating systems, web browsers, “office” applications, and hardware, including IoT (Internet of Things) devices. To protect yourself:

Update software and applications as soon as the security patches are released.
Install and utilize a reputable internet security suite – one that includes smart anti-virus, firewall, and sandboxing techniques.
Use only essential applications. The more software you have, the more vulnerabilities you have.

Click here to go back to the top of the page.

Avoiding Tax Fraud (01/27/22)

It’s tax season, which means scammers are looking to separate you from your money. Last year, between 20 and 30% of Americans reported losing money to fraud, with many involving tax scams. Here’s what you need to know to help keep yourself safe:

The IRS does not initiate contact with taxpayers by email, text message, or social media channels to request personal or financial information. Stay alert for IRS phishing scams:

Recipient may receive an “urgent” email or text claiming to be from the IRS
The message usually involves instructions to click on a link and/or fill out a form
Some tactics that criminals use include: IRS needs to update your online profile, you qualify for a refund, your credit card was fraudulently used, or you’re due a large sum of money
To identify these scams: look for generic greetings, poor grammar or typos, or conflicting web addresses
NEVER click on links, download files, or reply

Scammers are changing their tactics:

Instead of employing high-pressure tactics, or getting you to click a link in email or text message, scammers are now employing an “ask nicely” approach, avoiding links and attachments all together
You may see an email purportedly from a friend or co-worker asking you to contact them by phone
Scammers will try to establish trust and lower your guard

In general, when deciding whether to engage with people you don’t know online:

Be aware before you share. Every little bit you give away about yourself makes it easier for a scammer to charm you, threaten you, or entice you into an online relationship you didn’t ask for in the first place.
If in doubt, don’t give it out. If it feels like a scam, it probably is.
No reply is often the right reply. Never feel compelled to reply out of politeness or completeness.

Be wary of dishonest tax preparers. Remember, when it comes to your tax return, you are ultimately responsible for all the information on your return, no matter who prepares it. It is important to choose a tax preparer wisely: (1) check their qualifications, (2) review your return before the tax preparer signs and submits it, and (3) never sign a blank return.

For more info, visit the HELP tab at irs.gov. There is information about tax fraud, phishing scams, and how to report them.

Click here to go back to the top of the page.

COVID Test Kits and Recent Law Enforcement Scam (01/20/22)

The federal government has recently made COVID test kits available for free, through the US Postal Service web site. Here’s what you need to know:

The only authorized web site is COVIDTests.gov. When you click the “order free at-home tests” button, the web site will re-direct to the USPS site. No credit card or other financial info required and the only personal information required is your first and last name, and shipping address.
The Post Office has initially had some issues verifying certain addresses, which has led to scammers using this to send phishing emails.
Be wary of unsolicited emails offering tests; don’t click links.
Don’t be tricked by similar web addresses, e.g. .com, .org, etc.
Scammers are also selling bogus test kits – make sure you only use FDA approved kits from a reputable vendor.

Recently, the police department has received reports of a previously-known, nationwide scam circulating in this area. The scam involves someone purporting to be a United States Marshal conducting an investigation. The scammers have typically identified themselves as “Agent Michael Edwards, badge number 287061”, but may use other identities. The imposters will frequently threaten arrest if the target does not provide them with money, or other personal or financial information. Law enforcement will never threaten you or ask for payment in this manner. If you receive a similar call, just hang up. If you have questions about a call’s legitimacy, contact your local law enforcement directly.

Click here to go back to the top of the page.

Malicious PDFs (01/13/22)

We’ve talked in the past about the importance of not clicking links in messages, but what about attachments? Most people know not to intentionally run executable files (.exe), but many are not suspicious of PDF files – there seems to be a different level of psychological trust with a PDF.

Unfortunately, between 2019 and 2020, there was an approximately 1,200% increase in malicious PDF files, from about 412,000 to over 5.2 million. For scammers, PDF files are an enticing phishing option as they work across different platforms and allow criminals to engage with users, making their schemes more believable as opposed to just a text-based message with a plain link.

Criminals are able to encode PDFs with something called JavaScript, a programming language that is widely used on the World Wide Web – it is most often used on websites to control functionality and content.

There are generally two variations of using malicious PDFs:

Image of fake CAPTCHA, coupon offer, or paused video (actually a static image), usually accompanied by “CONTINUE” or “CLICK HERE” text
Embedded in a PDF attachment to a phishing email, also designed to trick recipient to click a button

If executed, these scripts can initiate all manner of threats to your computer and personal information. But there are several tactics you can employ to mitigate the risk:

Most PDF readers & browsers have controls that will allow you to disable JavaScript
Always use an updated version of your PDF reader, browser, and operating system
Scan attachments with antivirus or malware programs (not foolproof)
Hover over hyperlink to see where it will take you
When in doubt, do not open unsolicited attachments

Click here to go back to the top of the page.

Elder Exploitation and Resolutions for the New Year (12/16/21)

While the elderly are often targeted by scammers, the unfortunate reality is that most elder financial abuse is committed by a family member. According to recent studies, over 85% of elder financial abuse perpetrators are family members – 60% involve the elder’s child. Elder financial abuse is the illegal or improper use of an elder’s funds, property, or assets – and it’s a crime. Due to the nature of this crime it often goes unreported, which is why it’s important to recognize the signs:

large withdrawals of cash
suspicious new accounts opened
signature on checks looks different than before
someone new enters the pictures and starts to isolate the elder from family and friends
elder suddenly becomes defensive about finances

Caring for an elderly parent can be stressful, but nothing justifies exploiting their trust or finances. If you need help caring for an elderly parent, or suspect someone may be the victim of elder financial abuse, contact the Sheboygan County Aging and Disability Resource Center at (920) 467-4100, or your local law enforcement agency.

Many of us make New Year’s resolutions to improve our physical health and well-being. But what about resolutions that will help you stay safe from scammers? Consider these five suggestions:

Change your passwords – create separate, complex passwords for each important online account.
Enable two-factor authentication when available.
Consider freezing your credit – it’s free and is probably the best defense against financial ID theft.
Be highly skeptical – do not respond to unsolicited phone calls, emails, or texts.
NEVER buy a gift card to pay a bill or settle a supposed debt.

Remember, most criminals rely on manipulation known as social engineering to trick people into acting quickly, without thinking. If an offer sounds too good to be true, it probably is a scam. Never act in haste. Don’t let a scammer persuade you to keep something secret; that’s a technique used to isolate victims from people they trust.

Click here to go back to the top of the page.

Holiday Fraud Prevention Tips (12/02/21)

The holidays are here, which means criminals are ramping up efforts to exploit your holiday habits. When shopping for those perfect gifts, there are several things you can do to keep the Grinches at bay:

When purchasing items in store, consider using contactless payment methods. Tapping, instead of swiping, your card or using your phone to pay (e.g. Apple Pay, Google Pay, Samsung Pay) are the most secure ways to pay. For more information, click HERE.
Consider turning credit/debit cards “on and off”. Many banks and credit card issuers offer an app or online service, sometimes called a lock or a freeze, that allows you to secure your card when not in use. Features vary by company – click HERE for some additional information.
Having items delivered? Leaving delivered items unattended while you’re away increases the risk of theft. Consider in-store pick-up or Amazon lockers as an alternative to home delivery.
Avoid gift cards – gift cards have lower security than credit cards and are subject to hacking; scammers use websites intended to check a gift card’s balance to uncover valid card number and pin combinations.

Criminals also use this time of year to exploit people’s generosity by impersonating charities. Before giving any money, remember these tips:

Use online resources to research charities – CharityNavigator.org, GuideStar.org, and Give.org are good places to check.
When receiving calls or emails, DO NOT trust the email header or your caller ID. These can be “spoofed” to appear they are coming from a legitimate source.
NEVER give personal or bank/credit card information to unsolicited requests.

Click here to go back to the top of the page.

Phone Scams, Fraud Reporting, and Holiday Shopping Tips (11/18/21)

Imposter phone scams continue to affect our area – a recent version involves an imposter claiming to be from the Sheriff’s Department and advising the target that they missed jury duty. The scammer threatens the target with arrest/jail and instructs the target to purchase MoneyPak (pre-paid) cards to pay the fine. If successful, the scammer convinces the target to provide the code numbers off the pre-paid cards. In this case, the scammer also “spoofs” their caller ID to make the call more believable. REMEMBER: Law enforcement will NEVER request payment in this fashion. Before paying money, contact the agency or organization directly to verify the information.

The Sheboygan Police Department has updated the process for reporting fraud and identity theft. Unfortunately, many cases involving scams and schemes do not have a known or local suspect and, by their nature, have very low solvability rates. The new reporting process is an attempt to provide better customer service to the public by streamlining the reporting process and providing fraud victims with resources to advocate for themselves. It shifts our focus to education and prevention, not just documentation. For more information, click HERE to visit the Sheboygan Police Department’s fraud reporting page.

As we enter the holiday shopping season, remember these tips:

When shopping for holiday gifts, be wary of unsolicited emails offering “to good to be true” deals.
Avoid clicking on links, and instead visit the product site directly.
When shopping online, use a credit card (not a debit card) or single-use card numbers.
If purchasing IoT devices, ignore “online” reviews on merchant sites (many are fake) – look for independent/objective advice, or talk to someone you know and trust. Research products’ privacy / data collection policies. Stick with mainstream manufacturers to ensure ongoing support (firmware upgrades, etc).

Click here to go back to the top of the page.

WPS “Stop Scams Now” Campaign and Phishing Emails (10/28/21)

Wisconsin Public Service is partnering with law enforcement to stop utility scams. WPS wants you to know that they will NEVER:

Demand payment by cryptocurrency or third-party apps
Threaten or try to scare you
Disconnect you on short notice

When in doubt, hang up and call 800-450-7260.

For more information from WPS, click HERE.

In addition, phishing attempts continue to be prevalent across the area, involving email, text, and phone calls. Click HERE for real life examples.

Remember:

Never click on any links in unsolicited emails and texts
Review the email header for the sender’s address
Grammar and punctuation errors are a tip that the message is phony
Don’t be pressured to “act now” or “respond immediately”
Before sending any money, independently verify the request is legitimate

Click here to go back to the top of the page.

October is Cybersecurity Awareness Month (10/14/21)

What is it?

Cybersecurity is the art and science of protecting networks, devices, and data from unauthorized access or criminal use and the practice of ensuring confidentiality, integrity, and availability of information. Cybersecurity is making sure that your online presence, your smart devices, your information in cyber space stays safe and out of the hands of the wrong people.

What are the potential threats?

Phishing: Phishing attacks use emails and malicious websites that appear to be trusted organizations, such as charity organizations or online stores, to obtain user personal information.
Malware: A computer can be damaged or the information it contains harmed by malicious code (also known as malware). A malicious program can be a virus, a worm, or a Trojan horse. Hackers, intruders, and attackers, all of whom are in it to make money off these software flaws.
Identity Theft and Scams: Identity theft and scams are crimes of opportunity, and even those who never use computers can be victims. There are several ways criminals can access your information, including stealing your wallet, overhearing your phone call, dumpster diving (looking in your trash) or picking up a receipt that contains your account number.

What can I do to lower my risk?

Use and maintain anti-virus software and a firewall: Use an antivirus program and a firewall to protect your computer from viruses and Trojan horses that could steal or modify your data. When software notifies you of an update, called a patch, be sure to update as soon as possible to prevent hackers from exploiting known issues or vulnerabilities. Also, set-up an automatic, regular spyware scanning routine to catch vulnerabilities.

Establish computer usage guidelines: Help children understand how to use the computer, other connected devices, and the internet safely. Have candid, age appropriate conversations with younger users to help them understand the do’s and don’ts of cybersecurity. These conversations can protect your data by setting clear boundaries and guidelines.

Double check email attachments: An email that looks as if it came from someone you know doesn’t necessarily mean it did. It is possible for viruses to alter the return address so that it looks like the message came from someone other than the sender. Before opening any attachments, verify that the message is legitimate by contacting the person who sent it. Use caution even from people you know, be wary of unsolicited attachments.

Trust your instincts: As the old saying goes, “if it is too good to be true, it probably is.” Some antivirus software might not have the latest virus protections because attackers are constantly releasing new viruses. However, always be sure to scan documents and attachments with antivirus software before opening them. Do not open suspicious emails or attachments and turn off automatically downloading attachments. But always remember: technology can only help so much, so trust your instincts!

For more information, click HERE to review the Tip Sheets on CISA.gov.

Click here to go back to the top of the page.

Scam Review and the “Devious Licks” TikTok Challenge (09/23/21)

Let’s review the most common types of scams seen in the Sheboygan area:

Romance scam – criminals pose as interested romantic partners on social media or dating websites in order to gain your trust and extract money from you

Imposter scam – criminals pose as a relative (usually a child or grandchild) claiming to be in immediate financial need, or as a government agency or utility company demanding money

Tech support scam – criminals pose as technology support representatives and offer to fix non-existent computer issues

Lottery/Sweepstakes or Charity scam – criminals claim you’ve won a foreign lottery or sweepstakes, which you can collect for a “fee”, or the scammer claims to work for a charitable organization

To protect yourself, remember these tips:

Stop communications with the suspected scammer immediately
Don’t be pressured to act quickly; take time to verify the story
Never wire money, or provide gift card numbers, to unknown or unverified people or businesses
Do not click on links in unsolicited emails or text messages
Remember the adage, “If it sounds too good to be true, it is.”

What is the “Devious Licks” challenge on TikTok? It’s a social media-driven “challenge” that encourages kids to steal or damage school property, then anonymously share a video with the hashtag on the TikTok platform. The most common acts include stealing soap dispensers and damaging toilets or sinks.

Why are teens participating? It’s a combination of biology and sociology, affected by teens’ brain development and the dopamine rush from “likes, comments, and views”, along with a teen’s need for belonging.

What can you do as a parent?

Help kids understand their digital reputation
Discuss the consequences of illegal or risky behavior
Develop a positive relationship with your child with open lines of communication

Click here to go back to the top of the page.

Keeping Your Cell Phone Secure and Other Fraud Updates (09/09/21)

Hackers and criminals have recently begun to rely more on “zero-click” exploits to breach phone data. These attacks are typically very highly targeted in nature, and deploy far more sophisticated tactics than mass cyber-attacks that we see and know of on a daily basis. Typical cyber-attacks rely on the potential victim being tricked into clicking a malicious URL, or downloading an attachment that contain macros with embedded malware. In a “zero-click” attack, malicious software is usually added to the root file system which makes it more difficult to detect and trace. However, these “in-memory” payloads generally cannot survive a phone re-boot – therefore, people should power cycle their phones at least once a week to help prevent against this form of cyber-attack.

Cell phones are also vulnerable to “SIM swaps”, which allow a criminal to essentially take-over your phone service. To guard against this, you should first make your PIN code for your cell phone billing account hard to guess. Next, set-up account protection with your carrier. It’s referred to by different names: “port freeze”, “account takeover protection”, “account lock”.

There are two additional sources of fraud you should be aware of: using electronic payments apps and fitness club thefts. If you choose to use an electronic payment app like Venmo or Cash App, you should understand that you do not have the same consumer protections as using a credit card. To reduce the risk, set-up a separate bank account to fund your payments and only keep enough money in the account to cover the transactions. Also, only send money to family or close friends.

Finally, be aware that there has been an increase in thefts from fitness clubs, including lockers and vehicles. To avoid being a victim, don’t bring valuables when you work out. If you must, leave them in your LOCKED car, out of sight.

Click here to go back to the top of the page.

T-Mobile Data Breach and Investment Account Fraud (08/19/21)

I’m a T-Mobile customer – what should I know about the recent data breach?

Not all data breaches are created equal – the most recent T-Mobile breach, estimated to affect 50-100 million individuals, deserves your attention if you’re a T-Mobile subscriber. A lot of the information obtained from the hack is likely already widely available online, but the blend of data is what’s concerning. The combination of names, phone numbers, and carrier data makes it much easier for scammers to employ “phishing” methods designed to convince someone to click on a malicious link that advertises, for example, deals or offers for customers. And having all that information in a single data base makes it easier for criminals to commit identity theft. Additionally, having access to your phone’s IMEI (International Mobile Equipment Identity) number could allow a criminal to perform a SIM-swap, thus taking over your account. This would allow the criminal to gain access to two-factor authentication codes and compromise the security of your passwords and accounts.

What to do:

Change your T-Mobile account password and PIN
Sign-up for a credit freeze (click HERE for more info)
Consider using an authenticator app

Possibly the biggest financial fraud theft you’ve never heard about

Criminals are increasingly adapting to exploit technology to steal your money. Instead of robbing banks, criminals are hacking into your accounts through social engineering, since there’s less chance of getting caught and typically the consequences are lower if caught.

It’s not just your checking or savings account that they are after – it’s your retirement and investment accounts. It is estimated that only 10% of money in the U.S. is in banks – the rest is in 401Ks, IRAs, and other investment accounts. And Congress has never passed protections for consumers on hacks against investment accounts. Unlike banks and credit cards, investment accounts have little-to-no regulatory protection from fraud losses. Even though some companies have policies that provide consumer protection against fraud, there are often many hoops to jump through. You are the first line of defense!

What to do:

Set up two-factor authentication on your retirement and investment accounts. While not foolproof, this tactic offers strong protection. Just remember to never give someone your authentication code.
Implement a STRONG password – most people hate dealing with passwords, but the stronger and more unique the password is, the more secure your account. Instead of a common word or random letters and numbers, use a passphrase of at least five or six random words, and consider using a password manager program.
Review your account balances and activity regularly, once a week, and immediately report unauthorized activity. The sooner you identify and report fraud or suspicious activity, the better chance of getting your funds restored.

Click here to go back to the top of the page.

Home Delivery Scam and “Social Media: The Weakest Link” (07/15/21)

One of the more prevalent scams currently being employed by criminals is referred to as the home delivery scam. Typically, you receive a text message appearing to be from a well-known package delivery service (UPS, FedEx, etc). The message advises that the delivery service attempted to deliver a package to you, but no one was home to receive it and a re-delivery needs to be scheduled. The message contains a link to a realistic-looking web site, where they ask you to pay a modest fee (a clue that it’s a scam), typically a few dollars, for re-delivery. The scammers then ask you to enter your personal information (another clue it’s a scam) and payment information. Sometimes, the scammers will go so far as to ask for additional info (“protecting you from fraud”) such as your date of birth and/or mother’s maiden name.

To avoid being the victim of this scam:

Check all URL’s carefully – bookmark legitimate sites in advance.
Steer clear of links in messages and emails – go directly to the company’s web site to conduct business.
Review your bank and card statements – don’t just look for payments that shouldn’t be there, but also keep an eye out for expected payments that don’t go through; also, be alert for incoming funds you weren’t expecting, given that you could be responsible for any funds that passes through your hands, even if you neither asked for it nor expected it.
When it comes to personal information, when in doubt DON’T give it out.

Data hacks are everywhere right now – attacking us as individuals, attacking businesses, government agencies, hospitals, and public utilities. How are hackers gaining access to these systems? Often by looking for the weakest link, which many times is the employee’s social media account (Facebook, Linkedin, Twitter).

A recent article in the WSJ noted that a hacker can find everything they need to break-in to your life within 30 minutes of scanning your social media posts. Hackers employ “automation” to scan your posts quickly.

Sometimes we feel helpless against this kind of intrusion – the key to prevention is privacy. During the pandemic, many people turned to social media to connect with one another and posted a lot of personal information. It’s time to get back to more secured profiles.

Things not to do on social media:

Do not post private information for public viewing, such as travel plans, personal interests, details about family members, birthdays, and pet names. These are often the answers to our “security questions” on the sites we visit. Make sure your profile is set to only be viewed by trusted friends and family.
Be careful when responding to “friend” or “follow” requests – pages can be counterfeited.
Use a separate email just for social media sites.

Click here to go back to the top of the page.

Cryptocurrency Primer (06/24/21)

Lately, there have been a lot of stories in the news about cryptocurrencies like Bitcoin. Hackers have demanded payment in Bitcoin for ransomware attacks, and other scammers have used Bitcoin investment schemes to defraud unsuspecting victims. Also, the value of Bitcoin has dropped dramatically over the past month. So, what is Bitcoin and how does it work?

Bitcoin was the first and is arguably the most popular form of cryptocurrency. There are currently over 1,600 available cryptocurrencies. In simplest terms, a cryptocurrency is a form of digital currency. Unlike traditional money, cryptocurrencies are decentralized, meaning no single entity is in charge of it. Cryptocurrency transactions rely on something called a blockchain, which is a shared database that is managed by a global network of computers. When you engage in a transaction using cryptocurrencies, these networks validate and transmit that entry in the blockchain. For example, when you send some Bitcoin to your friend, you’re creating and publishing an entry into the Bitcoin network. The computers in the Bitcoin network will check to make sure that you haven’t already sent the data representing the cryptocurrency to another person previously. When you send the Bitcoins, the receiver’s account is credited and your account is debited.

Each person using the network has a crypto address, similar to an account number. This identifies where to debit and credit the cryptocurrency from and to. One misconception about cryptocurrency transactions is that they are anonymous. While some cryptocurrencies prioritize privacy, most mainstream cryptocurrencies like Bitcoin publish transactions on a public blockchain. This means that anyone with computer access can view the transactions, including the address of the sender and receiver, date and time, and the amount of the transaction. What is generally not publicly available is the identity of the person behind the crypto address. One person could hold multiple addresses, and in theory, there would be nothing to link those addresses together, or to indicate that the person owned them. This is one way criminals exploit the cryptocurrency market to facilitate crimes.

While most people don’t currently use cryptocurrencies for purchases or investments it is important to know that criminals are increasingly employing this payment method in financial crimes and scams. According to the FTC, consumers reported more than $80 million in cryptocurrency-investment scam losses during the past 6 months. That represents a 10-fold jump from the same period last year. Many victims thought they were in a long-distance relationship when their love interest started talking about a new crypto opportunity they had invested in. About 20 percent of the money people reported losing in romance scams in general was sent in cryptocurrency. For more information about cryptocurrency and scams, click HERE.

Similar to wire transfers, gift card payments, and sending cash in the mail, cryptocurrency transactions generally cannot be undone. And the pseudo-anonymous nature of cryptocurrencies makes it difficult for law enforcement to identify the people behind the transactions. At least currently, most legitimate businesses and government entities will never ask you to pay using a cryptocurrency. And many so-called “investment” opportunities are fraudulent as well. The bottom line is, if you receive an email, call, or text from a business, love interest, or anyone else who insists on dealing in cryptocurrency, you can bet it’s a scam.

Click here to go back to the top of the page.

Recent Local Scams and Summer Travel Safety Tips (06/10/21)

Here are two additional scams that have been reported in the Sheboygan area, as well as some summer travel safety tips.

Social Security Assistance

Recently, a local service organization reported that they received a call from someone purporting to be a Social Security Administration (SSA) “Public Affairs Specialist” and offers to provide financial assistance for that organization’s clients. The caller attempted to obtain personal identifying information of the organization’s clients, including Social Security numbers and other personal information. The caller ID displayed a number, which through investigation was later found to be an old SSA number, no longer in service. Fortunately, the call recipient knew it was a scam and did not provide any of the requested information. Remember, never provide personal identifying information over the phone when the call was unsolicited, and don’t trust caller ID.

‘Pay to Drive’ Checks

In this scam, the victim receives what appears to be a cashier’s check and a letter in the mail, often unsolicited, instructing the victim to deposit the check and keep a small portion for themselves. The balance, the letter says, will be forwarded to a third party for payment of services. The check will probably initially clear the bank, but within a short time will be identified as fraudulent, and you’ll be on the hook for the money. Any time someone asks you to deposit a check, then send part of the proceeds to a third party, don’t do it – it’s a scam! To see actual images of these types of checks and the letter that accompanies them, visit our website HERE.

Legitimate Check from FTC

Despite all the fraudulent checks, there are actual legitimate checks that are currently circulating. One such example involves refunds from the FTC for people who paid for certain debt relief services. These checks will include an explanation and details about the case, and can be looked up on their website. Also, an example of a legitimate check and letter can be found on our website, HERE. Remember, the FTC will never require you to pay upfront fees or asks for your personal identifying information, like SSN or bank account information.

Summer Travel Safety

When you’re on vacation this summer, don’t take a vacation from keeping you and your money safe. Here are a few tips to help prevent fraud:

when booking travel, stick to name brand travel sites or book directly with the airline, hotel, or car rental; avoid unsolicited email deals
consider a mail hold – visit www.usps.com/manage/hold-mail.htm for details
use a credit card, not cash or debit card, for added fraud/theft protection; make sure your bank or credit card company has your current email/phone to notify you in case of fraud
lock your smart phone or tablet (with biometrics or six-digit code), turn off automatic connection to Wi-Fi, use only cellular data or private, password-protected Wi-Fi, and avoid unsecured public Wi-Fi; consider using a VPN client
watch out for data skimmers at public charging stations; bring your own portable charger

Click here to go back to the top of the page.

Local Case Studies (05/13/21)

Recent scams, warning signs, and prevention strategies were discussed on air. Two recent scams included:

Amazon unauthorized charge (current phone scam)

Victim noticed an “unauthorized” charge while reviewing account activity online. She searched the internet for an Amazon customer service number and unknowingly called a number not belonging to Amazon.
The scammer claimed there was another charge on her account in the amount of $10,000 and subsequently convinced her to allow him remote access to her computer. He claimed he was transferring her to a “financial manager” at her bank, who told her they needed to withdraw $10,000 from her account so the original charge “bounces.”
Victim was instructed to purchase gift cards at local stores, $500 each (“should be able to buy $6,500”). She was told “act calm and smile” and if questioned by store employees to say the gift cards are for a birthday party. She bought $3,000 (six cards) at the first store and gave the codes to the scammer who was on the line the entire time.
Victim went to a second store and was going to buy four $500 cards. She was told by staff she could only buy one, due to scams, and gave that code to scammer. She then went to a third store to buy six $500 gift cards. The cashier prevented the sale and told her to call police.

Bank smishing (phishing via text message) scam

Victim received what appeared to be a legitimate text from her bank asking to confirm possible fraudulent charge in Las Vegas. The victim then received a phone call advising of an ATM withdrawal in Las Vegas.
The scammer told the victim that he would cancel the victim’s card, issue a new one, and also disable online banking. The victim provided a PIN that was texted to her.
At some point, the victim felt that this was suspicious, called the bank directly, and realized it was a scam but not before $400 was transferred electronically via a direct pay service (sent to email address). Providing the PIN to the scammers compromised her account, which needed that two-factor authentication code to get into it.

Visit our Real Life Fraud Examples page to see various examples of real life fraudulent checks, currencies, and letters. These examples highlight common warning signs and elements to watch out for when considering whether something is fraudulent or a scam.

Click here to go back to the top of the page.

Elder Financial Exploitation (04/29/21)

The financial exploitation of older adults is often referred to as a form of elder abuse. In Wisconsin, elder abuse is defined under WI Statute §46.90 – the law applies to persons age 60 or older who are subject to any of the following four categories: abuse (physical, sexual, emotional), neglect, self-neglect, and financial exploitation.

Each state defines financial exploitation a little differently, but in general it refers to the illegal or improper use of an elder’s funds, property, or assets. Some examples include: (1) taking money or property, (2) forging an elder’s signature, (3) using their property without permission, and (4) using scams or deceptive acts for financial gain.

Unfortunately, these cases are often not reported. There are several reasons why, but one of the biggest factors is that the victim is often scared or embarrassed to make a report because of their relationship with the offender. Statistics show that over 85% of perpetrators are family members, most often the elder’s child. Other trusted abusers can include: friends/neighbors, affinity groups (religious and cultural group leaders), health care providers, service providers, and other professionals. Elders are also frequently exploited by strangers.

Why are elders targeted? Generally, people in this demographic have established assets. They may also be isolated and lonely, or unfamiliar with financial matters. As noted above, elders often are reluctant to report financial abuse, and might have disabilities that make them dependent on others for help. It is estimated that over 5 million Americans over age 65 suffer from dementia.

Financial abuse often leads to other forms of abuse. Consequences of elder abuse include: declines in mental and physical health, higher risk of dementia, and increased financial loss. The National Council on Aging estimates that the cost of elder financial abuse exceeds $36 billion annually. Elder abuse victims are also estimated to be at 300% higher risk of death.

Whether you are a family member or a professional working with an elder, there are possible warning signs to be aware of that someone may be trying to exploit them financially:

large withdrawals of cash, or checks written to “Cash”
suspicious new accounts opened
signature on checks looks different than before
unpaid bills despite adequate income
someone new enters the pictures and starts to isolate the elder from family and friends
Elder suddenly becomes defensive about finances

If you live in Sheboygan County and suspect than an elder you know may be the victim of financial exploitation, you can make a report to your local law enforcement agency or contact the Aging and Disability Resource Center at (920) 467-4100.

Protecting vulnerable adults from financial exploitation is everyone’s business. These people are our family, friends, and neighbors. Education and training about these issues leads to awareness and prevention.

Click here to go back to the top of the page.

Robocall Update and the Recent Facebook Data Breach (04/15/21)

There is some good news when it comes to preventing fraudulent robocalls and it should be happening soon. The Federal Communications Commission (FCC) has established a deadline of June 30, 2021 for the implementation of the STIR/SHAKEN framework for calls carried over Internet Protocol (IP) networks. As a sign how serious they are, the FCC recently denied two major cell phone carriers’ petitions for extension of the deadline. STIR and SHAKEN are acronyms for the specific protocols and standards involved in this technology – STIR refers to the Secure Telephone Identity Revisited standard and SHAKEN refers to Signature-based Handling of Asserted Information Using toKENS. In simplest terms, this technology authenticates the Caller ID of the person using the network. Most major carriers began implementing this program at the end of 2020.

What does this mean for you? This framework is designed to prevent spoofed Caller ID’s and theoretically guarantees the Caller ID displayed on phones can be trusted. The system will still allow certain “robocalls” signed and authenticated by the carrier, such as school closing information, reverse 911, and other community notifications. This technology, combined with other proposed legislation such as the TRACED (Telephone Robocall Abuse Criminal Enforcement and Deterrence) Act, should reduce or eliminate most fraudulent robocalls.

Another day, another data breach. Recently, it has been reported that Facebook experienced a data breach involving an estimated half a billion people world-wide; an estimated 30-40 million Americans were reportedly affected, but no one really knows for sure how many. The data breach occurred sometime before August 2019 and the data has recently been made available in public online database.

Don’t know about it? That’s because Facebook chose not to notify individual users, claiming the vulnerability that allowed hackers to get the data has been fixed, and there’s nothing the user could do to fix it. What information did the hackers get? These thieves were able to access full names, phone numbers, location data, email addresses, and other biographical data.

So, what have the hackers done with all that info? They’ve sold it. Criminals, and others, can easily buy your information to engage in a variety of fraudulent activities – the low hanging fruit is to apply for credit as you. As we’ve discussed before, your best protection against this form of identity theft is a credit freeze. Information about credit freezes can be found on the Sheboygan Police Department website, or by clicking HERE. If you are a FB user and have not frozen your credit, you are opening up yourself to having to deal with a multi-year mess of potential ID theft.

If you want to check to see if your email or phone number has been involved in a data breach, visit www.haveibeenpwned.com.

Click here to go back to the top of the page.

Grandparent Scam / ID Theft and the Importance of Credit Monitoring (03/25/21)

The “grandparent scam” is a version of an imposter scam, when the criminal poses as a grandchild asking for money. Often, the criminal will use personal information gleaned from social media accounts and other publicly available resources to make the contact more believable. Typically, the caller claims to need money for bail or some other legal matter, claiming that the matter is “urgent”. Recently, a local woman was contacted by someone purporting to be her granddaughter (by name) and said that she was in legal trouble and needed money. The imposter convinced the victim to send $10,000 cash via UPS to an out-of-state address. An investigation revealed that the delivery address was a vacant house which was listed for sale, and the cell phone number used by the criminal was registered out of Canada, making obtaining subscriber information difficult.

So, what can you do to protect yourself? First, if you receive one of these calls, don’t panic. Take the time to check out the story by contacting the grandchild or other family member. When possible, use internet search engines to look up addresses and/or phone numbers to verify their authenticity. Whatever you do, never, never, not ever send cash through the mail. Perhaps most importantly, if you have older parents or grandparents, share this information with them. Instruct them to contact you or a family member if they receive a similar phone call or email, especially before sending any money.

Identity theft continues to be a leading cause of financial fraud in our community. The Sheboygan PD recently investigated two cases of identity theft – one involving using a person’s personal information to fraudulently open a credit card account; the other using a person’s personal information to establish utility services in another state. In both cases, the victims did not suffer an actual loss, but are having to dispute charges and repair their credit files. Since payments were not being made on the fraudulent accounts, the unpaid balances were sent to collection agencies, thus adversely affecting the victims’ credit scores.

These cases reinforce the importance of credit freezes and regular credit monitoring. Viewing your credit reports is free through the website www.annualcreditreport.com. In the past, you were entitled to one report from each bureau (Trans Union, Equifax, and Experian) per year; however, under new COVID provisions, you are allowed to view a copy of your report from each bureau once per week, recently extended through April 2022. By regularly viewing your credit report, you can become aware of potentially fraudulent activity sooner than later, making it easier to correct.

The single best protection against identity theft continues to be a credit freeze. A credit freeze prevents criminals from opening lines of credit in your name and does not affect currently established credit. For more information about credit freezes and how they work, click HERE.

Other services like Credit Karma (www.creditkarma.com) provide additional credit monitoring for free. You can monitor your credit score for changes and get notifications about activity on your credit file (through Trans Union and Equifax). If you’ve already frozen your credit, you will need to temporarily thaw it to establish Credit Karma account. If you haven’t yet, but intend to freeze your credit, set up a Credit Karma account (if you wish) first.

Click here to go back to the top of the page.

Kroger Data Breach and Tips for Filing Your Taxes Safely (03/11/21)

Kroger (Pick ‘n Save and Copps) recently became one of the latest companies to experience a data breach of customer information. Kroger was one of several companies using a company called Accellion to provide third-party data file transfer services (a simple way to share large files). Due to its age, hackers were able to exploit a vulnerability in the file transfer software to access the sensitive customer data. Kroger says that no credit or debit card data was stolen, but reported that the attack affected their money service (money orders, bill pay, check cashing) and pharmacy records, including personal data. Kroger believes that approx. 2% of customers have been impacted.

This is another example of a “supply chain attack” – supply chain attacks involve using an outside partner or provider to access an organization’s systems or data. So, what can you do to protect yourself against these types of threats? The best defense remains implementing a credit freeze with the three credit reporting bureaus (Trans Union, Experian, and Equifax). Remember, credit freezes prevent any new credit from being taken out without your knowledge, and do not affect current credit accounts. Credit freezes are fairly easy to set-up and temporarily “thaw”, if needed. Click HERE for more information about credit freezes.

Spring is upon us and that means that it’s tax season. Last year, between 20 and 30% of Americans reported losing money to fraud, with many involving tax scams. And not all losses are a result of a scam – some involve dishonest tax preparers. Remember, when it comes to your tax return, you are ultimately responsible for all the information on your return, no matter who prepares it. It is important to choose a tax preparer wisely: (1) check their qualifications, (2) review your return before the tax preparer signs and submits it, and (3) never sign a blank return.

Tax payers should also be wary of W2 phishing scams. These scams involve criminals posing as someone high up in a company or organization. The scammers send what may appear to be legitimate emails asking for copies of your W2 forms. NEVER send this type of information without verifying the legitimacy of the request.

In addition, criminals employ IRS phishing scams to obtain money from victims. Typically, the recipient with receive an “urgent” email or text claiming to be from the IRS. The message usually involves instructions to click on a link and/or fill out a form. Some tactics that criminals use include: IRS needs to update your online profile, you qualify for a refund, your credit card was fraudulently used, or you’re due a large sum of money. To identify these scams, look for generic greetings, poor grammar or typos, or conflicting web addresses. Like other phishing scams, NEVER click on links, download files, or reply – the IRS will never initiate contact via email, text, or social media.

Click here to go back to the top of the page.

Payment Apps and Car Infotainment Systems (02/25/21)

Payments apps like Venmo, Cash App, and Zelle offer convenient ways to send and receive money. According to a recent study, about 80% of U.S. adults use mobile payment apps. Unfortunately, many people assume that payment apps offer protections similar to those of credit or debit cards, but that’s not the case. Generally, transactions cannot be reversed if there’s a problem or if you change your mind, even if your account is linked to a credit card. In addition, some financial institutions are activating Zelle without customers’ knowledge, which could be an issue if your banking credentials are compromised and criminal gets access to your account.

If you decide to use a payment app, consider setting up a separate bank account for that purpose, and only put in money needed to fund those transactions. If you don’t, and have linked your savings account to your checking or payment account, the scammer may get access to those funds as well, through automatic overdraft protection, or compromised credentials. It is generally recommended that you never use these apps to send money to strangers – only use them with family, friends, or trusted sources.

Many newer cars on the road today offer a great deal of technology and connectivity. People often forget that these cars are really computers on wheels and present a variety security and privacy concerns. Today’s technology allows you to connect your smartphone to your vehicle to have easy access to your contacts, messages, photos, navigation services, and internet connection. Manufacturers generally refer to these systems as “infotainment systems” – they offer convenience, but at a price.

When you plug-in your smartphone, the system may collect a wide variety of personal information: home address, wi-fi passwords, contacts, emails, texts, and photos. In addition, if your car’s computer has been infected by malware, you could download that onto your phone, further compromising its contents. This is particularly relevant when using a rental car – because you don’t know who used the car before you, you take a big risk connecting your phone to that vehicle.

To limit your vulnerability when renting a vehicle, avoid connecting your phone at all. If you do decide to connect it, perform a “factory reset” of the infotainment system when turning-in the vehicle to hopefully erase your data. Remember, if you just need to charge your phone, use a cigarette lighter charger, not the USB port. When selling or trading-in your car, perform a “factory reset” on system as well. To ensure a full reset, ask the dealer to wipe the hard drive.

Click here to go back to the top of the page.

Four More Recent Local Case Studies (02/11/21)

Variations of different scams continue to affect people in our community. By explaining what these scams look like and educating the public about the red flags to look for, we hope to prevent others from becoming victims.

Military “Romance Scam”

Romance scams are extremely prevalent and account for highest financial loss of all internet-facilitated crimes. The Internet Crime Complaint Center (IC3) says it received over 15,000 romance scam complaints last year, with losses exceeding $230 million. The FBI puts the true number higher as they estimate only 15% of these crimes are reported to law enforcement.

In this scam, the scammer usually originates contact with the target on legitimate dating sites or social media apps. The scammer identifies themselves as a “soldier” serving oversees and says they need money. Here are some red flags to look for:

all contact is online; no phone or video
scammer alleges “lack of support” by military, or requests money for basic needs (transportation costs, communication fees, medical expenses)
obvious grammatical errors, or pledges their love at warp speed
deployed soldiers do not find large sums of money and do not need your help to get that money out of the country

Car Rental Scam

This scam reinforces the importance of verifying what web sites you are visiting and limiting your business to known, legitimate companies. In this case, the victim used an online search to locate discounted car rental deals. She clicked on a link which took her to what appeared to be a well-known car rental company, but in fact was an imposter site. Sometimes the scammer also employs a fraudulent phone number to facilitate contact. The scammer ultimately tries to get the target to pay for the rental using pre-paid value cards. Red flags to watch for include:

prices too good to be true
offer requires payment other than a credit card
always take the time to verify the web address, or search the phone number online for reports of fraud

Apartment for Rent

This scam has been around for a while and is very effective. The scammer lists a vacant home or home for sale on a legitimate website (Craigslist, Apartments.com), advertising it “for rent”. When people respond to the fraudulent ad, they are pressured to quickly submit a security deposit, typically being told the apartment is in “high demand”. The scammer requires payment via wire transfer, electronic payment (Zelle, Venmo), or pre-paid cards. Look for the following red flags:

renter claims to be out of town / cannot show apartment
renter says they will FedEx keys
renter wants you to move in “right away” or does not complete any screening process

Before sending money or signing any documents, identify the owner of the property and request to meet in person – be sure to visit the property in person.

Counterfeit Money

Counterfeit bills of various denominations have been circulating in Sheboygan. When accepting cash, particularly denominations of $50 or $100, carefully scrutinize the bill:

Does it say “For Motion Picture Purposes” or “Copy”?
Carefully review the layout for signs of altering (uneven spacing, blurry letters, odd markings).
Do any of the bills have identical or sequential serial numbers?
Do not rely solely on “counterfeit detection pens” – they aren’t fool-proof and are not sanctioned by the U.S. Treasury.

When in doubt, do not accept the bill. With advances in technology, counterfeiters are becoming more sophisticated in creating bills that appear genuine.

Click here to go back to the top of the page.

Marketplace Scams and Social Engineering Refresher (01/28/21)

Online scams are prevalent and rely on empty promises and the anonymity of the internet to be successful. Two current scams utilize online marketplaces to separate people from their money.

$99 Windshield Repair (Facebook)

Scammers use fake/hijacked profiles to advertise $99 windshield repair, occasionally referencing know local businesses. Scammers utilize Facebook Messenger to initiate communication, then persuade the target to call a Google Voice or similar phone number to continue transaction – the goal is to get target to pre-pay for repair, which doesn’t really exist. A brief review of the associated Facebook accounts reveal that they are clearly not related to windshield repair.

Puppy Scam

This scam exploits subjects looking to purchase a puppy online, typically a unique breed, suggesting a higher purchase price. The target responds to an ad on Craigslist or Facebook, with the “seller” requesting 50% down. The “seller” may subsequently also request additional money for “issues” with the dog’s crate, vaccinations, etc., with the objective being to get the target to wire as much money as possible. There is never actually any puppy for sale.

With both of these scams, remember – don’t pay upfront for a promise and consider how you pay. Avoid wire transfers, mobile payments like Venmo and Zelle, and pre-paid value cards.

In addition, it is important to always keep in mind the pervasiveness and effectiveness of social engineering scams. This time of year, IRS scams are very common. COVID vaccination scams also continue to be prevalent. These types of scams rely on “social engineering” to be successful. Remember, social engineering tactics involve creating a situation in which the victim provides information of value to the scammer, under perceived pressure or duress. They are design to exploit human behavior and tap into emotions that would cause the victim to disregard their better judgment.

To avoid falling victim to these types of scams, remember the 4 P’s:

The scammer PRETENDS to be a person, or from an organization, you know.
The scammer says there’s a PROBLEM or a PRIZE.
The scammer PRESSURES you to act immediately.
The scammer tells you to PAY in a specific way.

Click here to go back to the top of the page.

Recent Local Case Studies (01/14/21)

The following is a description of recent scams reported to the Sheboygan Police Department.

“You’ve Won” Lottery Scam

In this scam, the target receives a phone call stating “you’ve won” some type of lottery or cash prize. All you have to do, they say, is send money to cover fees associated with the prize (taxes, processing fees). The target is instructed to pay these fees via wire transfer or by using pre-paid cards. This is ALWAYS a scam – you should never have to pay to win a prize. In this case, further indications of fraud included that the target never entered a lottery or sweepstakes, and when checking the address provided by the scammer, the address was found not to exist.

Imposter Scam

There are many variations of this type of fraud. In this case, the victim received phone calls from persons purporting to be from the FBI and DEA, using the names of actual prominent agency officials. The callers alleged the victim’s involvement in violations of federal law and drug trafficking, and threatened arrest or imprisonment. The victim was told not to tell anyone, and the caller aggressively demanded payment of thousands of dollars in wire transfers and/or pre-paid cards. In some cases, the scammers will also ask for personal information like DOB or social security number.

Unfortunately, the victim initially purchased $5,000 in Nike pre-paid cards, then was convinced to withdraw a cashier’s check for almost $110,000 from her bank account. The victim’s request was initially denied at her primary bank, but she went to a different branch that processed transaction. The victim then deposited the cashier’s check at a different local bank belonging to the scammer’s accomplice in California. The money was promptly transferred out of that account and made its way out of the country.

This case illustrates the importance of “front line” awareness and prevention efforts. If you work in an industry that is involved in perpetuating these scams (banks, investment firms, grocery stores), please educate yourself about the indicators of these scams and be aware of suspicious activity. Take the time to talk with your customers to determine legitimacy of the transaction. Remember that often, victim’s will be scared and will have been told not to tell anyone.

Click here to go back to the top of the page.

Supply Chain Attacks and COVID Vaccination Scams (12/17/20)

Recently, the Solar Winds “cyber-attack” has been making the news. So, what’s the big deal? To begin with, SolarWinds is a software vendor that helps government agencies and Fortune 500 companies monitor the health of their IT networks. More than 425 of the Fortune 500 companies utilize their services. In addition, all five branches of the military and hundreds of universities and colleges are also customers of Solar Winds. The recent hack could potentially affect any number of the more than 300,000 companies they service worldwide.

During this attack, hackers used a “supply chain attack” to infiltrate an unknown number of organizations. What is a supply chain attack? These attacks involve using an outside partner or provider to access an organization’s systems or data. Locally, the Sheboygan Police Department continues to receive reports of compromised email and/or billing systems. The scammers utilize vulnerabilities in these systems to introduce malware and/or attempt to get their victims to change or bypass traditional payment methods to obtain money by using hacked data (invoices, emails, bank info).

To avoid being victimized:

never get pressured into circumventing policies and procedures for an alleged “emergency”
verify anomalies or exceptions with supervisors or customers directly
report suspicious contact to IT department; consider having IT or outside cybersecurity firm run risk assessment of network

Another set of scams that has been increasing in frequency relates to the COVID 19 pandemic. With the recent news of a COVID vaccine, criminals are creating various ways get your money, or try to trick you, which could result in serious injury or death. Remember, you can’t pay to put your name on a list to get the vaccine. Also, you can’t pay to get early access to the vaccine. And nobody legitimate will call about the vaccine and ask for your social security number, bank account, or credit card information.

Remember these tips:

ignore any offers that demand money or ask for personal information
don’t fall for pressure tactics; i.e. “limited supply”, “act now”
before acting, double-check claims with info from credible sources
when in doubt, seek advice from your health care provider

Click here to go back to the top of the page.

Holiday Security Tips (12/03/20)

It’s the holiday season, and many people are spending time shopping for gifts, travelling, and giving to charitable organizations. During this usually joyful time, fraud attempts increase about 30 percent. To help protect yourself from fraud, consider these tips:

Shopping

When shopping for holiday gifts, be wary of unsolicited emails offering “to good to be true” deals
Avoid clicking on links and instead visit the product site directly
When shopping online, use a credit card (not a debit card) or single-use card numbers
If purchasing IoT devices, ignore “online” reviews on merchant sites (many are fake). Look for independent/objective advice, or talk to someone you know and trust. Research products’ privacy / data collection policies. Stick with mainstream manufacturers to ensure ongoing support (firmware upgrades, etc)

Home Security

Bring in delivered packages as soon as possible to prevent theft
If you’ll be travelling, consider installing timers on lights, and arrange for snow removal and mail hold
When travelling, remember to avoid unsecured WiFi and/or use a VPN client; use credit cards instead of cash

Charitable giving

Avoid responding to unsolicited texts or emails
Know who you’re donating to. Check out charitynavigator.org or give.org to determine which charities are reputable.
When in doubt, give directly to a local charity

Social media scams

“Secret Sister” Gift Exchange is popular on Facebook. It promises windfall of gifts if you send one $10-15 gift to someone on the list. Gifts never materialize, and it’s against Federal law.

Click here to go back to the top of the page.

Social engineering is the use of deception to manipulate people into divulging confidential information, or obtaining money. It is a commonly used tactic by criminals to successfully commit acts of fraud and identity theft, and is used to deceive both individuals and businesses. Below are two examples of actual recent cases targeted at businesses which occurred in Sheboygan:

Example #1

A local business legitimately orders equipment from vendor through a supplier. Several months later, the accounting department receives an emailed invoice purported to be from the vendor, requesting payment. The invoice states that the vendor is having issues processing checks because of a counterfeit check recently paid into their account, and as a result they are only accepting ACH or Wire transfers to their bank account. The fraudulent invoice contained specific account and routing information, and approximately $70,000 was wired to the suspect account, aka “funnel account”. Investigation by law enforcement identified that the funds were immediately transferred from the funnel account to a different account, then wire transferred to a bank specializing in cryptocurrency.

Red flags: suspicious reason for deviation from normal payment; review of email that sent invoice was misspelled – “billstrut” vs “billtrust”.

Example #2

A business received a fax purporting to be from a company that they had done business with previously. Because the “company” hadn’t order for a while, their credit line had been reduced and the business required a new credit application. The scammer submitted a new application with the names of three representatives from their “company”, along with corresponding social security numbers. Based on that information, a credit check was run and the legitimate business approved the new line of credit. They conducted business with the “company”, and over several months the “company” ordered almost $40,000 worth of product. No payments were ever made, and when the business contacted the actual company, they advised there was no record of any employees by the names provided. Also, the address that the business was shipping product to was a storage unit, not the legitimate company.

Red flags: sudden new contact from old customer; failed to verify information

Click here to go back to the top of the page.

Protecting Your Security When Using IoT Devices (10/22/20)

Many of us remember watching “The Jetsons” with fascination, dreaming about the technology of the future. Well, much of that technology is here today and is often referred to as the Internet of Things. Simply put, the Internet of Things (IoT) is a class of devices with built-in network connectivity. These devices are present in manufacturing, health care, government, and in our homes. Some common devices you’re probably familiar with include: televisions, cameras, thermostats, light bulbs, and refrigerators. As technology advances, things like cars, utility meters, and even medical equipment have even been included in the IoT universe.

The number one concern with using these devices is security. Since the idea of networking all these devices is fairly new, security has not always been a top priority during their design phase. And unfortunately, many vendors often prioritize ease of use and functionality over security. Many devices like cameras (think baby monitors and security cameras) often come with well-known, default passwords that many end-users do not change. Other devices come with no password.

In addition, many end-users forget or simply don’t take the time to update the firmware on the device. Since most IoT devices connect to apps on your smartphone or tablet, make sure you have reputable internet security software installed on these devices. Set-up two-factor authentication, and know what data these apps are collecting, and how they use and store that data.

What can you do to be more secure?

Set up a secure Wi-Fi router – your router is like the front door to your home network and needs to be secure. Use a strong encryption method (WPA2), set up a guest network, and change default usernames and passwords.
Review the default privacy and security settings of your devices.
Research products carefully before buying – know what steps the manufacturer has taken to protect your privacy.
Update firmware.
Consider upgrading older devices.

Click here to go back to the top of the page.

PCH Scam / National Cybersecurity Awareness Month (10/08/20)

Recently, our area has seen an increase in reports of a “you’ve won money” scam. You get a call from someone claiming to be from Publisher’s Clearing House, notifying you that you’ve won the sweepstakes. They ask for your social security number and bank account information to verify your identification and send you your winnings. The caller may also direct you to purchase pre-paid cards or gift cards and provide them with the numbers to pay the “fees” or “taxes” associated with your winnings. Unfortunately, there are no winnings and this type of scenario is ALWAYS a scam. If you do provide personal information like your social security number or bank info, make sure you immediately follow the following steps:

Freeze your credit, if not already frozen, with each credit bureau – click HERE for instructions
File a report at identitytheft.gov
Periodically monitor your credit reports at annualcreditreport.com
Consider setting up a My Social Security account at ssa.gov

October is National Cybersecurity Awareness Month (NCSAM), sponsored by the Department of Homeland Security. The theme for 2020 is:

“Do Your Part. #BeCyberSmart.”

The purpose of this campaign is to bring awareness to the importance of being safe and secure while online. Here are a few tips:

Pick Proper Passwords

make them hard to guess
go as long and complex as you can
consider using a password manager
one account, one password

Stop-Think-Connect

be thoughtful about what sites you visit and what info you share
regularly update software, firmware, and operating systems
shut down old accounts
check your app “permissions”

If in doubt, don’t give it out

protect your personal information
don’t reply to unsolicited offers
avoid online surveys that may reveal clues about your passwords

Each week, the campaign will focus on a different area of cybersecurity:

Week of October 5 (Week 1): If You Connect It, Protect It
Week of October 12 (Week 2): Securing Devices at Home and Work
Week of October 19 (Week 3): Securing Internet-Connected Devices in Healthcare
Week of October 26 (Week 4): The Future of Connected Devices

For more information, click HERE to visit the campaign’s website.

Click here to go back to the top of the page.

Crime Prevention Tips (09/24/20)

Today, we switch gears from talking about fraud and scams as Detective Kehoe offers some general crime prevention tips:

Ensure that all doors and windows are locked to homes, garages, and vehicles – many preventable thefts and burglaries occur because a door or window is left unsecured
Keep valuables in a safe and secure location – often police take reports of firearms and other valuables that are left in plain view
During hours of darkness, keep your property well lit – low cost LED lighting makes this an affordable and efficient way to keep your home and property safe (consider adding motion sensors as well)
Install exterior and/or interior cameras – the advancement of technology has created affordable solutions to keep an eye on your property while away
Get involved with your neighbors – neighborhood associations and watch programs are a great opportunity to meet your neighbors and learn more about what’s going on around your home; residents working together is a great tool when it comes to crime prevention
Be mindful of what you post on social media – posting photos of newly purchased, valuable items can be risky, especially if you have a public account; be cautious of who can see what you post
Report suspicious activity or victimization to the police – for a variety of reasons, people often chose not to contact the police for property crimes; our department’s patrol methodology is based, in part, upon data and crime trends, making timely reporting an important element of crime prevention
If you are the victim of a property crime, take steps to prevent re-victimization; studies suggest that people are 67% more likely to have a thief return with a two week period after being the victim of a crime

For additional crime prevention strategies, click HERE.

Click here to go back to the top of the page.

Review of Phishing Scams and Revisiting Credit Freezes (09/10/20)

Pre-text, or “phishing”, emails and text messages continue to be the primary form of scam activity in the Sheboygan area. These emails purport to be from well-known organizations like UPS, PayPal, Amazon, or the IRS, and contain logos and links that may seem legitimate. To avoid putting your personal information in jeopardy, never click on links in these messages, or divulge any personal information. When in doubt, go directly to organization’s known website to verify the email is legitimate, or call a confirmed phone number to speak with a customer service representative.

A credit freeze, fraud alert, and credit lock are ways to protect your credit reports from being used by scammers to open new accounts. Click HERE to learn the difference between a credit freeze and a fraud alert. The best defense against your information being used maliciously is to implement a credit freeze. Credit freezes offer a higher level of security than fraud alerts, but require a little more work to implement and “thaw”. Both are free and do not affect your current credit or your credit score. Credit locks are not always free and are not governed by federal law.

Prior to setting up a credit freeze or fraud alert, consider signing-up for a free credit monitoring service such as Credit Karma. These services allow you to monitor your credit and be alerted to new accounts in your credit report. You can also check your credit weekly for free at annualcreditreport.com.

Click here to go back to the top of the page.

What’s Up with TikTok / Preventing Fraud During the 2020 Census (08/27/20)

Recently, the social media platform TikTok has been in the news regarding security concerns with using the app. TikTok is a social network for sharing user-generated music videos, and is owned by ByteDance, a Chinese company. Some fear that ByteDance may be compelled by the Chinese government to provide its user data to the Chinese government. This user data includes sign-up information like the user’s phone number/email and a birth date (which the app does not verify), and user content, such as videos, messages, and location data. The risks of using the app are comparable to other social media platforms, and because of the potential to encounter explicit or inappropriate content, the app is not recommended for children under 13 years of age.

To protect yourself or your teens while using the app, consider the following:

while there are valid concerns about how the Chinese government may use your data, TikTok collects fewer data points than apps like Facebook
for younger teens, parents should consider enabling parental controls and monitoring the content their children upload; click HERE for more information
set your account to “private” to limit people that can see your content
use a different, more secure platform for private messaging

The U.S. Census Bureau is currently visiting homes to collect responses for the 2020 Census. Census takers are hired from the area they survey and work from 9am-9pm, including weekends. They will ask general questions like the number of people in your home; age, race, ethnicity; and verify address and phone number.

What do you need to know to avoid scammers?

check to make sure the surveyor has a valid ID badge, with their photograph, a U.S. Department of Commerce watermark, and an expiration date
the U.S. Census Bureau will never ask for your social security number or bank account / credit card numbers
they will also never send unsolicited emails
if in doubt, call the U.S. Census Bureau at 844-330-2020
you can also search a staff directly at census.gov; click “About Us”, then “Staff Directory”

Click here to go back to the top of the page.

Review of Imposter Scams / COVID-19 Schemes (08/06/20)

An imposter scam is when a scammer pretends to be someone you trust and tries to convince you to send them money, or divulge personally identifiable information.

Two of the most recent versions of this scam have been facilitated using Facebook Messenger and the Facebook.com social media platform. One form of this scam involves the scammer impersonating a celebrity or charitable cause. Using social engineering, the scammer develops a relationship with the victim and gains their trust. The scammer relies on the victim’s emotional response and desire to help in order to exploit the victim for money. The other variation involves “extorting” the victim for money. Using a false identity, the scammer initiates a romantic relationship with the victim, ultimately convincing the victim to send compromising photos or videos of themselves. The scammer then threatens to send the images to family and friends unless a ransom is paid. Occasionally, the scammer will employ some kind of fictional noble cause to justify the ransom, e.g. a sick or dying child. Due to the sensitive nature of these scams, they frequently go unreported.

To avoid falling victim to these scams:

never trust the identity of someone you’ve only met through social media; confirm someone’s profile in person if possible
never send money to someone you met on social media
don’t send explicit images or videos, even to people you know; once these images are sent, you lose control of them forever

Scammers also continue to exploit the COVID-19 pandemic to defraud victims – an estimated $35 million has been lost by victims of this type of fraud since May 18^th. These crimes are usually perpetrated by using robocalls and various messaging services.

Some of the schemes used by criminals include posing as “contact tracers” to obtain your personal information; selling counterfeit test kits, masks, and other PPE; peddling products that claim to be vaccinations or curse for coronavirus; targeting college students with promises of student loan forgiveness; and causing voter disruption by creating confusion about election dates and polling sites.

Here’s what you can do to protect yourself:

do not respond to unsolicited messages
do not answer calls from numbers you don’t recognize
authenticate product/service offers through verified websites

Click here to go back to the top of the page.

Social engineering is the art of manipulating people so they give up confidential information. Of successful data breaches, 70-90% involve phishing or social engineering, 20-30% involve unpatched software, and only 1-10% account for everything else.

Human behavior is the weakest link in the cybersecurity chain. Scammers rely on your strong emotional response to fear or uncertainty. Their goal is to create chaos, whether real or perceived. Scammers also try to exploit people’s tendency to want to be helpful.

Cybercriminals routinely profile us. They research company websites and social media accounts. Scammers know that people age 35 and over primarily use email as their means of communication, so most attacks occur via email. For those 35 and under, scammers exploit social media messaging platforms, which are more popular with that demographic. A scammer’s goal is to get you to click a link, claiming you won a gift card, or posing as friend, school, or employer. Scammers are also keen on exploiting a person’s desire to accumulate “likes” and “followers”, a concept known as “gamification” and “FOMO” (fear of missing out).

Phishing and social engineering attacks have become more sophisticated, targeting officers of a company, or people with an emotional connection. For example: an employee might receive an email purported to be from their boss regarding a “secret” law enforcement investigation. The boss says people might go to jail and you must keep this confidential. He says the company’s legal team will be calling w/ questions and you should cooperate fully. The scammer’s goal is to make you feel a sense of urgency and willingness to help, therefor tricking you into divulging confidential information. For those in corporate world, education and regular training, not just awareness, is crucial because of the enormous exposure risk (information, access to funds).

To prevent yourself from falling victim to social engineering scams, look for these clues:

you are being rushed
asked to bypass normal procedures
confusing jargon
overly curious or prying behavior
too good to be true

Click here to go back to the top of the page.

Unemployment Insurance Fraud / “Car Wrap” Scam (06/11/20)

The United States Secret Service has received reporting of a well-organized Nigerian fraud ring exploiting the COVID-19 crisis to commit large-scale fraud against state unemployment insurance programs. The primary state targeted so far is Washington, but there have also been reported cases in Massachusetts, North Carolina, Rhode Island, Oklahoma, Wyoming, and Florida. Individuals residing out-of-state are receiving multiple ACH deposits from certain state unemployment benefit programs, all in different individuals’ names with no connection to the account holder. Scammers convince victims to allow out-of-state unemployment insurance deposit into their account under false pretenses, then victims forward money to another person via MoneyGram, cashier’s check, or Bitcoin. The original deposited money is fraudulent and victim is on the hook for re-payment to the bank. This crime frequently develops out of the “romance scam”, where scammer already has access to victims’ bank account. This fraud network is believed to consist of hundreds, if not thousands, of victims with potential losses in the hundreds of millions of dollars. The banks targeted have been at all levels including local banks, credit unions, and large national banks.

Another scam seen recently in our area is referred to as the “car wrap scam”. The FTC has a briefing about this scam here. In summary, the victim typically receives a check to “wrap” their car with ad for product or business. The check is much more than originally offered as payment, explaining the victim should deposit the check, keep part of it as their share, and wire the rest to another company that will wrap the car. Weeks after the money is wired, the check bounces and the victim is on the hook for paying back the bank…needless to say, no one’s wrapping your car.

Click here to go back to the top of the page.

Combatting Fraud During the Summer Travel Season (05/28/20)

With the summer travel season upon us, vacationers face increased risks of fraud and identity theft. Here are a few tips to help keep you and your money secure:

when booking travel, stick to name brand travel sites like Priceline, Expedia, and AirBnB; or book directly with the airline, hotel, or car rental; avoid unsolicited email deals
consider a mail hold – visit usps.com/manage/hold-mail.htm for details
use a credit card, not cash or debit card, for added fraud/theft protection; make sure your bank or credit card company has your current email/phone to notify you in case of fraud
lock your smart phone or tablet (with biometrics or six digit code), turn off automatic connection to Wi-Fi, use only cellular data or private, password-protected Wi-Fi, and avoid unsecured public Wi-Fi; consider using a VPN client
watch out for data skimmers at public charging stations; bring your own portable charger

Click here to go back to the top of the page.

Tips for Using Credit Cards Safely (05/14/20)

Despite advancements in security, credit card fraud is still a common form of identity theft. There are several strategies you can employ to mitigate the risk of using credit cards and prevent you from falling victim to this type of fraud:

ensure that your card has the EMV chip; while not invincible from all fraud, the EMV chip is superior to the older magnetic strip
consider “contactless” payments; this method, accessible using most cell phones and some credit cards, employs NFC technology and is one of the most secure payment options available
when shopping online, only use your credit card on websites you trust; ensure secure sites by checking the URL for “https://” and for a lock icon in the address bar
avoid using a debit card online – credit cards offer more protection against fraudulent charges than debit cards; most credit cards impose a maximum liability of $50, or zero liability if reported immediately; however, with debit card fraud, you could face unlimited liability
watch out for skimmers at gas pumps; consider paying inside
sign-up for paperless billing; this decreases the chance of your account number being compromised
if you do want to receive paper statements, sign-up for Informed Delivery with the Post Office; click here to sign up

Click here to go back to the top of the page.

COVID-19 Scams (04/30/20)

There are a variety of scams being perpetrated by criminals exploiting the COVID-19 pandemic. Some examples include:

scammers posing as Amazon, UPS, etc., asking you to “confirm you order status”
scammers posing as the IRS, Dept. of Labor, etc., offering stimulus money or other payments
scammers impersonating charities seeking donations
counterfeit goods (masks, gloves, sanitizer)
“work at home” scams
COVID-19 tracking websites containing malware and spyware

To reduce your risk, consider these suggestions:

do not click on links from sources you don’t know
watch for imposter emails claiming to be from the World Health Organization or CDC; also be alert for calls from cybercriminals pretending to be government organizations, family members in distress, or banks/credit card companies
ignore online offers for vaccinations or home test kits
do your homework before making donations; do not pay using gift cards or money transfers
only purchase items from reputable retailers
carefully scrutinize “investment opportunities”

Helpful websites:

Click here to go back to the top of the page.

Three Things to Do Right Now (04/09/20)

Criminals exploit fear and uncertainty to victimize targets of fraud and identity theft. While no one strategy can protect you from fraud, there are three things you can do immediately to limit your risk:

Freeze your credit – this will prevent scammers from opening fraudulent accounts using your information. For the difference between a fraud alert and a freeze, click here; for steps how to freeze your credit, click here.
Review a free copy of each of your three credit reports (TransUnion, Experian, and Equifax) at annualcreditreport.com. Check for errors and fraudulent activity at least once a year.
Do not respond to unsolicited requests for personal information – these may be in the form of emails, text messages, or phone calls. Watch for “phishing” attempts from criminals posing as government agencies or well-known companies. Also, refrain from completing surveys on Facebook and similar sites that attempt to illicit clues to your passwords and security question answers.

Click here to go back to the top of the page.

2022 Episodes

2021 Episodes

2020 Episodes

Current Scams Involving Social Media (03/24/22)

Ukraine Charity Fraud and Medicare Scams (03/10/22)

You’ve Won Scams and Zero-Day Vulnerabilities (02/24/22)

Avoiding Tax Fraud (01/27/22)

COVID Test Kits and Recent Law Enforcement Scam (01/20/22)

Malicious PDFs (01/13/22)

Elder Exploitation and Resolutions for the New Year (12/16/21)

Holiday Fraud Prevention Tips (12/02/21)

Phone Scams, Fraud Reporting, and Holiday Shopping Tips (11/18/21)

WPS “Stop Scams Now” Campaign and Phishing Emails (10/28/21)

October is Cybersecurity Awareness Month (10/14/21)

Scam Review and the “Devious Licks” TikTok Challenge (09/23/21)

Keeping Your Cell Phone Secure and Other Fraud Updates (09/09/21)

T-Mobile Data Breach and Investment Account Fraud (08/19/21)

Home Delivery Scam and “Social Media: The Weakest Link” (07/15/21)

Cryptocurrency Primer (06/24/21)

Recent Local Scams and Summer Travel Safety Tips (06/10/21)

Local Case Studies (05/13/21)

Elder Financial Exploitation (04/29/21)

Robocall Update and the Recent Facebook Data Breach (04/15/21)

Grandparent Scam / ID Theft and the Importance of Credit Monitoring (03/25/21)

Kroger Data Breach and Tips for Filing Your Taxes Safely (03/11/21)

Payment Apps and Car Infotainment Systems (02/25/21)

Four More Recent Local Case Studies (02/11/21)

Marketplace Scams and Social Engineering Refresher (01/28/21)

Recent Local Case Studies (01/14/21)

Supply Chain Attacks and COVID Vaccination Scams (12/17/20)

Holiday Security Tips (12/03/20)

Social Engineering Review (11/12/20)

Protecting Your Security When Using IoT Devices (10/22/20)

PCH Scam / National Cybersecurity Awareness Month (10/08/20)

Crime Prevention Tips (09/24/20)

Review of Phishing Scams and Revisiting Credit Freezes (09/10/20)

What’s Up with TikTok / Preventing Fraud During the 2020 Census (08/27/20)

Review of Imposter Scams / COVID-19 Schemes (08/06/20)

Social Engineering (06/25/20)

Unemployment Insurance Fraud / “Car Wrap” Scam (06/11/20)

Combatting Fraud During the Summer Travel Season (05/28/20)

Tips for Using Credit Cards Safely (05/14/20)

COVID-19 Scams (04/30/20)

Three Things to Do Right Now (04/09/20)