World Emoji Day is on July 17 with fun and more than a little emoji mayhem. Fun fact: the reason for this date is that it’s the one depicted in Apple’s emoji of a calendar. With all the attention on emojis heading to smartphone screens everywhere, and more than five billion emojis sent every day via the Facebook Messenger app alone, there’s no time like the present to set the record straight on some privacy pitfalls associated with the darling little characters.

Apple was one of the first major smartphone retailers to incorporate an emoji keyboard into its devices back in 2011. For years, users had to physically type the characters that would result in the understood emotion, such as 😛 or 😉 to express the point. Once the emoji keyboard appeared, though, scammers found a way to embed viruses and other malware into downloadable “aftermarket” emoji keyboards that can get into users’ devices. The enticement was access to additional emoji characters that the manufacturers hadn’t thought to include, and as a result, consumers fell into the trap of downloading malicious software in these files.

Since that time, emojis have become the bait-of-choice for scammers hoping to convince internet users that their posts are genuine and trustworthy. By filling their spammy announcements with hearts, flowers, smiley faces and other tiny symbols, they hope to lure unsuspecting users who think they’re dealing with someone who is friendly and trustworthy. Instead, the false front of light-hearted communication can lead to a far more sinister trap.

Emojis have also been found to be a common indicator in online romance scams. First, predators who are still in the grooming stage might send dozens of periodic messages throughout the day in order to convince the victim they’re thinking about them. Many such messages have been long strings of romance-themed emojis, like hearts and little bouquets of flowers. Also, with the understanding that romance scams are accomplished by crime rings who may have several different people operating as a single personality in shifts, some experts have suggested you can spot the differences in the people who are posing as that one person by how often and which emojis they use.

It’s also worth noting that the use of emojis has become a “language” all its own. Unlike rampant conspiracy theories about what different characters mean, there is some truth to the belief that certain characters have been co-opted and are indicative of sexual or even criminal behavior. Make sure you know which symbols really mean what you meant to say before hitting send!


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

It can happen to anyone, and can happen anywhere. You’re going about your business when you suddenly find a wallet on the ground. You look around to see if you can still spot the person who lost it, but they don’t seem to be nearby. You pick it up, open it carefully, and are shocked by what you see inside.

This scenario happens every single day, and some of the best, most responsible people can be either the wallet loser or the wallet finder. Unfortunately, picking up someone’s personal—and possibly even valuable—property can come with both risks and benefits.

Of course, the very first benefit is the opportunity to be a Good Samaritan, to be a bright spot in someone’s day. After all, they’ve just lost something very important, and the consequences for them can range from aggravating to downright terrible. Returning their property to them in the condition in which they lost it can really make you feel good.

At the same time, you could be opening yourself up to a few risks. What if the owner claims there was a lot of money in it, money that was long gone before you ever found it? What if the owner later accuses you—either innocently or maliciously—of identity theft or financial account takeover? Maybe this chance to help someone is just too big of a burden after all…

Your next steps in a situation like this can vary a little bit depending on where you located the wallet. If you’re in a store or business, your gym, a doctor’s office, or any other location that has a surveillance camera, you’re probably in the clear from accusations. Remain visible while picking it up, and turn it in at the front desk immediately. If you feel it’s necessary, you can wait while the attendant tries to locate the owner. The driver’s license, credit cards, and any retail rewards cards can help; just call the number on the credit cards or rewards cards and provide the name or account number. They should have a contact number for the owner, and can pass along the location of the wallet.

But what if you’re out in the open? A wallet can easily fall out of someone’s pocket, briefcase, or handbag, and there might not be security cameras to help you prove that you had every innocent intention. It’s best in this case to dial the local police department’s non-emergency number—please do not tie up the 911 dispatch system for something like this—and tell them that you are standing near a lost wallet. Ask for a patrol vehicle in the area to come and take over, and wait with the wallet if you can.

What should you do if someone comes up and claims to be the owner? Let it go. Whether they are the owner or not is not really in your wheelhouse. You are not responsible for someone who may or may not have criminal intentions, and getting into an argument over the property is not worth it in the end.

NOTE: It’s very tempting to post about the wallet on social media sites like Facebook in order to track down the owner, but that is not a good idea. You have no way of identifying the real owner, and you could risk compromising that person’s identity if you post a photo that includes part of the driver’s license, a credit card, a checking account number, or other details.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

With all of the fun and frolic surrounding the Fourth of July, it’s easy to forget there can be a downside. Holidays are an especially active time for scammers, and “patriotic” scam attempts can strike in a variety of ways. They can target consumers through different methods of attack, like phishing emails or spam texts and they often include a variety of premises to lure you in.

Here are some of the more popular phishing attempts, scam tactics and frauds:

  1. Patriotic emails and social media posts – Phishing messages and fraudulent social media posts can tug at your heartstrings at any holiday, and Independence Day is no exception. In this case, it may be a more such as an active duty or veteran’s scam, political or election scam, or any other country-specific theme. Remember that wonderful charities and organizations doing great work all year long, so avoid the temptation to impulse-click on an untrustworthy source.
  2. Shopping – There are incredible retail deals advertised during the July 4th holiday, and that can also mean bogus web coupons and sales links to click. Protect yourself from online shopping scams by only doing business with trusted sources, using a secure payment method for your purchases and steering clear of “time is running out!” impulse shopping scams.
  3. Fireworks scams – If you live in a state that allows citizens to shoot their own fireworks, beware: roadside stands and temporary shops make sense when selling a product that is only popular a few times a year, but that also means you’re handing your payment information to someone who may be skipping town in a day or two. If feasible, cash may be the way to go, instead of giving a transient businessperson your payment information.
  4. Virus attacks and tech support scams – In years past, there have been reports of malicious software attacking on or around the Fourth of July, playing off of the theme of rebellion, overthrowing tyranny and more. Be very mindful both of genuine cyberattacks and fake ones that pretend to lock up your computer or inform you that you’re already infected. Beware of phony tech support scams too, trying to get your money and access to your computer in exchange for “cleaning” out a cyberthreat.

Remember, there are a variety of threats that can have a stronger impact on the holiday, both physically and from a data security standpoint. Be mindful of scams, fraud and be safe in whatever summer activities you choose to enjoy. And have a Happy Fourth!


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Identity theft and fraud can occur in many different ways, so it’s not something that any one person can fully prevent. However, there are a lot of things consumers can do to minimize their risk, starting with what might be the easiest step of all: password security.

The word “security” rarely means “easy,” but when it comes to implementing a strong, unique password, it absolutely is simple if you follow key guidelines. Strong passwords are those that contain a long string of characters, ones that include uppercase letters, lowercase letters, numbers, and symbols. It’s also important that the strong password does not contain a variation of your name, the website or company name, or easily guessed words or slogans.

Making a strong password might be the easy part, especially since many platforms now require you to use a certain number of characters, or remind you to include a number or symbol. The real problem for consumers is in reusing those passwords, in other words, not making them unique.

If you make a really great, strong password then reuse it on other websites, you may be no better off than if you’d used “password” as your password (like so many people actually do). A recent data breach incident involving Adidas US’s website serves as proof of that.

“According to the preliminary investigation, the limited data includes contact information, usernames and encrypted passwords,” the company said in its announcement. “Adidas has no reason to believe that any credit card or fitness information of those consumers was impacted.”

Once a hacker gains access to a trove of account information for millions of consumers—as may have occurred in this incident, which is still under investigation—any username and password combinations that were stolen can be used on other sites. The hacker gets your username (which is quite often your email address) and password from the Adidas breach then tries it on Amazon, iTunes, PayPal, Yahoo and Gmail, and popular banking websites. If you’ve reused your password, they just got in.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Researchers with mobile security firm Appthority have disturbing news for iOS and Android mobile users: a vulnerability on the developers’ end exposed sensitive data collected via more than 1,000 common enterprise device apps. This exposed information, which included personal identifiable information, plain text passwords, and more, was compromised due to what experts are calling the Firebase vulnerability.

Similar to other previously discovered app vulnerabilities, this one occurred in relation to how the app “speaks” to the Google Firebase cloud database. Specifically, when authentication wasn’t required, any attacker could access information through the unsecured Firebase. Developers needed to initiate an additional step to require that authentication, but for too many apps, that step wasn’t put in place.

As a result, this vulnerability leaked around 100 million records from unsecured Firebase databases.

Appthority’s team isolated 28,502 mobile apps—more than 27,000 on the Android platform and another 1200-plus on iOS—that connected to a Firebase database. More than 3,000 were vulnerable because of this lack of authentication. Unfortunately, these numbers meant one out of every ten Firebase databases was left unsecured.

There is a wide variety of app categories involved in this finding, especially business-oriented apps like productivity tools, financial and business apps, and even dating app. The business users of these impacted apps include companies in banking, telecom, ride hailing, travel, and schools scattered through the US, Europe, South America, and Asia.

So what was exposed? Researchers found millions of plain text usernames and passwords, private health records, stored GPS coordinates to past locations, online payment and cryptocurrency activity records, and access to millions of users’ social media platforms.

It’s important for business device users to understand that this kind of vulnerability not only exists, but may even become more widespread based on the increasing numbers of Firebase users since it was launched. It’s worth noting that any vulnerability that exposes sensitive data from an enterprise account can mean the risk of violating regulatory compliance, regardless of how the information was leaked or who was responsible.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

When the public hears about the latest data breach, they might envision a network of hackers working in the dark web. The reality, though, is sometimes a lot more mundane. Accidental data breaches can happen when information is allowed to fall into the wrong hands for any number of reasons, but the concerns that can arise can be just as serious.

In the past, accidental data breaches have occurred due to issues like losing an unencrypted laptop or flash drive. Other incidents were the result of unsecured servers whose information was unintentionally posted online. In some cases, though, the breach occurred through intentionally sharing information, only it was with the wrong recipient.

That’s the case for Chicago Public Schools (CPS) in a recent data breach that compromised students’ and families’ personal data. Families in the school system were sent an email providing them with a necessary enrollment form. The link included in the email was inadvertently attached to a spreadsheet containing information for nearly 4,000 students and parents in the district. The link was active for several hours before someone noticed the error and removed the information from the link. In this specific data breach, students’ names, phone numbers, email addresses, and student ID numbers were exposed.

Experts looking into the CPS breach point to a far bigger concern than just sending out a link rather than attaching the document that was supposed to go to the parents: why is there a speadsheet of student information stored online that is accessible by anyone who finds it? The spreadsheet was not password protected, and hours after CPS officials informed parents of the error—they requested the families delete the email rather than take down the link—the spreadsheet, however, was still readily accessible. Concerned officials see that as a lack of training and awareness of how to secure students’ personal data.

Unfortunately, this incident is the third such accidental data breach in the CPS school district since 2016. In 2016, an employee sent out sensitive information to unauthorized parties, providing them with access to students’ information.  In 2017, unsecured web documents were posted on the CPS website exposing medical conditions, students’ names, identification numbers and other information.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

There was a time when child identity theft was thought of as a family problem, and it’s true that many cases over the years have been perpetrated by a custodial or non-custodial parent, a close relative, or even a family friend. Once the individual gained access to the child’s sensitive documents, they could open numerous lines of credit with the child’s “untarnished” credit record. In many cases, the identity thief may have been trying to get out of a dire financial situation, and fully intended to pay off any debt incurred in the child’s name; at the same time, some unscrupulous thieves didn’t care what consequences waited for the child down the road.

Too often, the children didn’t even know they’d been victimized until they reached adulthood and tried to use their legitimate credit.

In more recent years, though, hackers and identity thieves have begun targeting kids in order to take advantage of clean credit that no one will be monitoring for years to come. Schools, doctor’s offices, daycare centers, even school lunch computers have suffered data breaches intent on nabbing kids’ personal identifiable information.

According to Javelin Strategy and Research’s 2018 Child Identity Fraud Study, there were more than one million reported cases of child identity theft in the US last year, with the majority of those cases victimizing children under the age of eight. Another 20 percent of the victims were between the ages of eight and twelve.

Unfortunately, those are just the cases that were reported, which means the actual number of victims may be much higher.

But this new avenue of data breaches leading to identity theft doesn’t mean that parents can let their guards down about friends or relatives. The same Javelin study found that in 60 percent of the cases last year, the child knew their identity thief; that’s very different from the data point that says only 7 percent of adult victims know their identity thief.

One of the increasingly common methods of using children’s stolen credentials is to grab a Social Security number and combine it with a fake name, address, phone number, and more. Known as “synthetic identity theft,” the thief isn’t using the child’s complete identity, but rather has created a whole new person with this information. That makes it a little harder for victims and law enforcement to notice the problem in the first place or take action after the fact.

Concerned parents or guardians have a few steps they can take, though. If the child in question is over 14, they can request a credit report in the same way that any consumer does. Visiting annualcreditreport.com will provide the minor in question with a free credit report, and allow them to look it over for signs of suspicious activity. If the child is under the age of 14, the steps are a little harder. The adult must prove they have a right to access and see the information, but it’s a worthwhile step if there’s reason to believe a child’s identity may have been compromised.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

There are a wide variety of social media platforms, many of which cater to a very specific group of users. LinkedIn, the career-minded social media site, helps users connect with each other through and across various industries. As such, it’s for messaging, finding new contacts, exploring new career opportunities and other related activity.

But LinkedIn may just be the latest platform to fall victim to a flood of “spoofing” scams. Reports to the Better Business Bureau show some LinkedIn users have been receiving personal loan offers that appear to come from legitimate site users who work for real companies. However, these loan offers are scams.

According to the BBB, “You get a LinkedIn message offering you financing for a personal loan. It comes from someone who appears to work for a legitimate company. You check out their LinkedIn profile, and it looks real. You may even have several LinkedIn connections in common. Some scammers will also set up a fake company website.”

There are several possibilities related to how this may be happening. The first is that scammers, as indicated above, make fake profiles and spend some time gathering connections in order to reach new victims. Another possibility is that someone can hack an account; the person whose account sent out the message may not even realize someone is using their account. Also, a scammer can create a whole new profile using an existing person’s name, photo and work experience in order to lure existing connections into falling for the message.

Once the message goes out, the thief is after personal information via the bogus loan application and money in the form of a “processing fee” to complete the loan application.

As with any method of social media messages, users have to be very careful about the kinds of information they share and how they respond. Scams and hoaxes are quite common on the different platforms, so using good judgment means treating every potential opportunity—whether it comes from a stranger, a connection or an account belonging to a trusted friend or colleague—with an air of caution.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

The era of the Internet of Things ushered in innovations, better convenience, and more personal safety, but it also brought with it a host of security flaws.

Wi-Fi routers were some of the first devices to be attacked on a large scale, giving hackers access to entire networks. Wireless medical implants have also been infiltrated, leading to terrifying speculation about what a nefarious operative could do with access to a patient’s pacemaker or an insulin pump. Now, even our homes can be a target… not just the devices in the home, but the building itself.

The Ring doorbell, an IoT gadget that replaces your existing doorbell, connects over your home Wi-Fi to your smartphone. It lets you “answer” the door with your phone, giving you the ability to see who is at the door, hear that person’s voice and even speak back. The range on Ring is virtually limitless since the home Wi-Fi is talking to the smartphone app, which receives its signal over Wi-Fi or cellular. You could answer the door while you’re at work or on vacation, theoretically thwarting an intrusion.

Ring even offers the ability to record what’s going on outside the house, turning your doorbell into a security camera. There have already been several instances where the homeowner’s Ring either prevented an attack or led to an arrest in a crime.

So what about the flaw? Ring has to connect to your smartphone via its app in order to offer you this convenience and peace of mind. The app is installed on every users’ phone in that household, or at least the people who should be answering the door. One Ring user found out the hard way that the app remains connected to the doorbell even if a particular smartphone owner no longer lives at the residence and even if there’s a password change.

The Ring owner in question made news recently after suffering a romantic breakup. Unbeknownst to the homeowner, the member of the relationship who’d moved out was still able to access the video footage from the doorbell and therefore was able to see who was coming over. This person was also able to ring the doorbell at any time, including in the middle of the night.

The problem was in the way the account and the app “spoke” to each other. Changing the password on the account didn’t block anyone or require the password to be re-entered on the app. Ring has now announced that they’ve fixed this flaw but also reports that it can take up to an hour to remove someone’s app access once the password is changed.

This issue might seem minor compared to other kinds of newsworthy security breaches, but it demonstrates a few key points about our technology. First, we might be a little too quick to adopt the latest connected device, especially if it doesn’t have all the bugs worked out. Also, what are we giving up when we download an app or connect a new gadget to our Wi-Fi? Finally, those permissions and passwords that we turn over to an app don’t work the same way in every app, so it’s up to consumers to understand how it functions.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.