Most of us who own smart phones store a considerable amount of personal data on them which could be very damaging if the phone was lost or stolen. Everything from valuable documents, passwords, personal pictures, banking or credit information, and personal text messages could be compromised. Fortunately, there are several steps one can take to protect the data stored on their phone. What follows are some best practices for protecting the data on your Android Smart phone.

  • Enable the Auto-Lock and Passcode Lock features under the general settings. Go to your settings, and then select “security.” The Auto-Lock feature will automatically lock your phone after it has been sitting idle for an amount of time that you pre-determine. The Passcode Lock feature will require a password, or a trace design anytime someone attempts to access the phone when it is locked. These two simple features provide significant deterrence to the random individual who may try to steal your phone if it’s left unattended.
  • Use a Virtual Private Network (VPN) when using your phone to access the internet via public WiFi. Public WiFi poses a danger to your personal data because hackers can use public WiFi hotspots to monitor what you are doing as well as what information you may be sending over the internet. A Virtual Private Network encrypts the signals from your Android making it impossible for hackers to decipher what you are doing on the internet.
  • Always have an updated antivirus program installed on your Android to help prevent virus or other malware from infecting your phone. Monitoring apps such as Lookout Security can gauge the risk levels of various apps or programs you might be inclined to install on your phone.
  • Always pay attention to what apps you’re downloading. What access rights to your data does it ask for? Is it produced by a reliable/trustworthy entity? Never download an app you’re not 100% sure about, and always pay attention to what rights they require to install their app in your phone.
  • Install a wiping program on your phone so that in the event of a theft or a loss, you will be able to remotely wipe all your sensitive data from the phone so the thief cannot benefit from it.
  • Never pre-store banking passwords or other sensitive passwords on your phone. If someone were to gain access to your Android, there’s no reason that event needs to preclude a thief gaining access to your email or your mobile banking apps.

“Keeping your Information Safe on an Android Device” was written by Matt Davis. Matt is a Victim Advisor at the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to and linking back to the original article.

Like millions of other people, I got my first smartphone for work, not personal use. And, just like most other digital device users, my personal life soon became a part of whatever smart phone I was using, and the tasks I expect it to do have broadened greatly since the days of my Kyocera 6035. Without even taking into account iPads, Kindles, and other larger platforms, the activities we now accomplish on a typical smartphone platform are pretty amazing.

wipe or notOf course, many still have corporate email on the device, but almost everyone will also have a couple of personal email accounts that are also installed on the phone, along with Facebook, LinkedIn, GPS navigation information, a raft of pictures and movies that have been taken with the device, probably some downloaded Internet movies, and so on. And, just like the car you have driven the past few years, quite a bit of this stuff will find its way under the seats, into the side pockets, and in the glove box (who the heck ever used a glove box for gloves?). In other words, there may be quite a bit of information stored in places you don’t normally look (until it’s gone). We also tend to make online transactions, including purchases, banking, and other secure sites, which probably stores some fairly important credentials and other information on our smartphones.

I remember the adrenaline rush of getting up one morning and finding that my Blackberry of the moment had just died… All the email, account info, etc. was gone, except for some stuff that was stored on the removable memory card. A similar situation, even worse, is when someone realizes that their phone has been stolen or lost. It is worse, because now any information on the phone, including email, account info, pictures, etc. may be in the hands of someone who has a penchant for taking your money, rather than a job. Two of my family members have managed to “Drown a Droid” in the past couple months. Sooner or later, these events will happen to you.

When loss of a smartphone or the data on it occurs, there are several key concerns:

  • Was the device protected by a PIN, password, or other method to prevent unauthorized access? While not perfect, having a phone protected does a lot to slow down access to your information. You just won’t believe how much information is typically available in a couple years of email!
  • Do I have a method to remotely erase all the information on the device, to prevent its use for identity theft and fraud? Is there a way to track/find the missing phone?
  • How can I recover the majority of the information, contacts, pictures, movies, emails, etcetera?

First, have your phone protected by at least a simple PIN or swipe pattern. Just DO IT. You don’t want the guy who lifted your phone at a party to be able to instantly start sending email and posting on your phone. If you happen to lose the phone, the same situation applies. Some phones have facial recognition now, which is pretty convenient, and reasonably secure. Whatever security method you choose, make sure your phone is locked within a minute or so of when you set it down.

Second, you may want to use one of the available programs that will allow you to remotely wipe all the personal information from the smartphone in the event of a lost or stolen device. Depending upon the type of phone, iPhone, Android, Blackberry, etc., there are different methods to remotely wipe the phone, and possibly detect its location. For Android phones, Android Lost has been recommended as an app that will allow remotely finding and wiping an Android phone. Microsoft Windows phones can be located and remotely wiped from your user account on a website, www.windowphone.com. Blackberry has always had the remote wipe capability in their administrative software, but it is managed by the system administrator. Apple has a service to find your phone, and remotely lock the phone by using a web based service. Regardless of the type of device you use, you should activate one of the methods before you lose the phone.

Third, recovery of all the data that you have on the phone will also depend upon what steps you have made while you have possession of the phone. You should note that if your main email is provided by a corporate account (Exchange Server), that email can be recreated on a new phone without anything more than setting up your email account on the new device. However, many other types of email, and documents, pictures, videos, etc. will probably require that you set up or activate a backup system for your mobile device. There are many backup systems available for each type of smartphone, and you will have to compare features to choose the one that is best for your protection. Carriers like Verizon offer backup utilities as a part of their service, and Apple offers iCloud Storage.

Mobile device backup has become a growing market, and you will need to choose the system that meets your personal needs. A good place to start is to think “If my phone was ripped out of my hand right now, and would never reappear, what would I need to have on a new phone to be ok?” A second vital question is “What’s on my current phone that could put me at risk if the phone is stolen?” These are questions best answered before your data goes missing.

Now, back to Sudoku. You know, I’d hate to lose my year-long aggregate score….

“Wiped Out? Or Not?” was written by Rex Davis. Rex is the Director of Operations at the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to and linking back to the original post.

Recently here at ITRC, we’ve received several queries about the effectiveness and use of mobile VPNs. What are they? How do they work? Do I need one for my phone if I send and receive a lot of data? Well, we aim to please…

VPN stands for “virtual private network.” A mobile VPN provides mobile devices with access to network resources and software applications on their home network when they connect via other wireless or wired networks. A VPN maintains an authenticated, encrypted tunnel for securely passing data traffic over public networks. This is important because public wireless internet connections (public wi-fi) are one of the easiest and most common ways for identity thieves and hackers to harvest personal information from their victims.

The increased use of mobile devices and a related rise in employee desire to use their own personal devices for work purposes means it is more important than ever that organizations take appropriate steps to protect corporate information and provide access in a safe and effective way. A mobile VPN makes it possible for users to access the internet via public wireless access in a McDonalds or Starbucks, while still staying safe behind a firewall to keep prying eyes from accessing privileged information. When considering whether or not a mobile VPN is a worthwhile tool to have, there are several issues to consider.

1. The need for privacy

It’s always a good idea in personal practice to exercise sound judgment when accessing the internet in public areas. For work purposes, the need for privacy becomes even more paramount. Not only could you compromise your personal information, you could expose company secrets as well. If your job is the type that requires continuous access to shared information, a mobile VPN should be viewed as a near necessity.

2. Connectivity and Convenience

A mobile VPN functions essentially like a portal to your home or office server. The cost of this convenience and safety should be considered necessary only if one is regularly accessing secure or sensitive information (either for personal or professional use) while on the go. If you don’t have access to your office server and/or don’t use your personal phone to send or receive sensitive information, a mobile VPN may be an unnecessary expenditure. A VPN is likely to come attached to a monthly subscription fee, and will also very likely make the speed of data exchange on your phone somewhat slower than it would be otherwise.

3. Frequenting Foreign Websites?

The secure nature of a mobile VPN allows you to usually access foreign hosted sites faster than otherwise possible.

4. Flexibility

VPN’s function on virtually any type of internet connection (wi-fi, 4g/LTE, broadband, etc.)

5. Voice vs. Data Security

It’s important to note that smartphones have both data and voice channels. Mobile VPN ONLY encrypts the data channel i.e., your phone access to a browser, email, and internet resources are encrypted. However, your voice calls are not encrypted through use of a mobile VPN. If you use internet based phone service (Skype for example) that uses the data channel to make phone calls, your voice calls may be encrypted when using your mobile VPN.

 

Anyone can be a victim of identity theft, anyone can use our services, and anyone can help us help others. If you found this information useful, please consider donating to the Identity Theft Resource Center to help us keep our services free to the public.

Bring Your Own Device (BYOD), is a growing trend in the business world where employees use their own personal mobile devices for work. This means that sensitive company information including customers’ personal identifying information (PII) and company trade secrets may be accessible from, or might be stored on the employee’s personal phone or other digital device. While there are many benefits from implementing BYOD for businesses, it also creates a new set of security challenges as employees’ personal phones are more difficult to monitor and protect than a company computer that never leaves the office. Below is a comprehensive but not exhaustive list of security measures that companies implementing BYOD should consider:

security tipsPassword Protection: A strong password should be at least 8 characters in length and include case sensitive letters, numbers, and special characters. This password should be required to access any company data on an employee’s mobile device. It is also a good idea for the employee to have a 4 digit pin passcode to be able to turn on the phone at all. Encryption of Company Data: Any company data, or even all data on the phone, should be encrypted using industry standards. Encryption will help protect any company data from being accessed even if a thief has stolen an employee’s mobile device and attempts to hack into it.

Limit use of Apps: Apps pose a security vulnerability, as they are programs that are downloaded by the user, and installed onto the phone. Use of apps on user devices is a hotly argued topic at the moment. These apps can contain malicious software in them, or may simply request and get permissions to access a wide variety of data on the device, in order to complete the install. The possibility that BYOD users might install an app that breaches company data is raising serious concerns in the IT community. This makes it a priority that employees be informed as to what apps are safe and acceptable, and which ones are not. Even with those types of guidelines, it is important for employees to read the reviews of apps to help determine whether it is malicious or not. It is also a smart guideline not to install any app that does not have a significant number of positive reviews. Even with that, it is important that when installing the app that the user be very aware of the permissions the app is requesting, and that they fit the purpose appropriate for the function of the app.

Remote Data Wipe Ability: Employers that allow company data to be stored on a BYOD platform must be able to remotely wipe the device in case the employee either loses the phone or has it stolen from them. Additionally, the employer must also be able to wipe the device upon the employee leaving the company.

Antivirus Software: At a minimum, employees’ devices should have updated antivirus programs installed to help mitigate malicious attacks. In addition to antivirus software, providing VPN connections for employee devices, where appropriate, would greatly reduce risk of breach into the phone’s data.

“Bring Your Own Device Security Tips” was written by Sam Imandoust, Esq. He serves as a legal analyst for the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to and linking back to the original posting.

There was a time when every parent knew what to tell their children to be safe. Children knew not to take candy from strangers, or go swimming right after eating. These days the rules have all changed and children have a new playground on which they must be trained in order to stay safe.

cyber securityThe cyberworld takes up a huge amount of children’s time and, unfortunately, is very dangerous. Sitting a child down and explaining to them about protecting their private information online or staying away from child predators is not easy. Here are some fun ways to teach your child cybersecurity.

  • Stay Safe Online: Stay Safe Online is a wonderful program put together by the National Cyber Security Alliance. Thier website (www.staysafeonline.org) provides a wealth of information for teachers and parents to use in order to teach children about cyber security. The site is even broken down into grade level so that children will not feel like something is too immature or way over their heads.
  • iKeepSafe: Within iKeepSafe’s website (www.ikeepsafe.org) there are areas for educators, communities and parents. There is also a section for children themselves to peruse and learn as they go. One of iKeepSafe’s programs is called “Prevent & Detect”. It teaches parents how they can use technology to prevent and detect everything from eating disorders to alcohol abuse. This is a great way for parents to learn how to use the cyberworld to help protect their children rather than simply fearing it.

Armed with these wonderful resources, it shouldn’t be such a hassle to help children understand the dangers of the Internet. Parents will be able to spend less time on explaining the intricacies of online identity theft and more time making sure their children look both ways before crossing the street.

“How to Teach Your Child About Cybersecurity” was written by Nikki Junker.  Nikki is the Social Media Manager at the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to and linking back to the original post on the ITRC Blog.

It has been a particularly disturbing couple of weeks as headlines throughout America highlight how some of our most powerful financial institutions were being hacked by alleged foreign powers. It all began on September 17 when the FBI issued a joint Bank Fraud Alert with the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the Internet Crime Complaint Center.

whitehouse hackedThe Bank Fraud Alert warned banks and financial institutions that hackers were using Distributed Denial of Service (DDoS) attacks to take down their consumer websites to distract both the consumers and bank cybersecurity while millions of dollars were fraudulently wired out of peoples’ accounts. The very next day, Bank of America was reported to have website problems and consumers were having trouble accessing the website and their bank accounts.

On September 19, J.P. Morgan Chase Bank was reported to have similar problems as their website went down and consumers could not access their bank accounts. That same day, FS-ISAC raised its Current Financial Services Cyber Threat Advisory from “elevated” to “high” for the first time in its history. A few days later on September 25, Wells Fargo suffered website outages followed by website problems for U.S. Bank and PNC Bank the next day.

A hacker group by the name of Izz ad-din Al qassam Cyber Fighters has been claiming responsibility for these DDoS attacks, but experts warn that it is more likely that an organization with far more money and capabilities is responsible for these attacks. Senator Joseph Lieberman, Chairman of the Homeland Security Committee, stated in a C-SPAN interview that he believed Iran’s government sponsored the cyber-attacks.

Now, the Washington Free Beacon reported on Sunday that alleged Chinese government hackers had breached a computer system associated with the White House Military Office. A White House official confirmed that hackers had breached an unclassified computer network, but emphasized that the network had no unclassified information and no data appeared to have been stolen.

Apparently, the breach was made possible by a spear phishing attack, which involves the use of a message that appears to be authentic and contains a file or link to be clicked on which then installs malicious software onto the computer. The Senate blocked the Cybersecurity Act of 2012 in August which was designed to help bolster cybersecurity in critical infrastructures in the United States, leaving the Obama administration to consider issuing an executive order to improve cybersecurity instead.

“First the Banks, Now the White House” was written by Sam Imandoust, Esq. He serves as a legal analyst for the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to and linking back to the ITRC_Blog.

Last week someone in my family asked me if I could help them with their computer. I asked them what was seemed to be wrong with the machine. They told me that it would start normally at first, but as soon as Windows was done loading they would get a pop-up that they had been infected with a virus that was above the level of what their normal anti-virus could handle. They were told that they needed to pay for this additional coverage to remove the problem. Unfortunately, they continued, and paid for the “extra service.”

This person, like so many of us, is not stupid. In fact, they are very intelligent. However, what is taken for granted as basic computer safety knowledge by theransomware younger generations is may be an unknown area of knowledge to those who never created a Word document for a paper in High School, never had a Facebook account that their parents monitored, and were never taught even the fundamentals about Cybersecurity. Today, when the Internet is no longer an option but a necessity for most of us, cyber criminals are finding an easy target in people who may be using the Internet and a personal computer for the first time.

I asked this family member if they had current updated anti-virus security on the computer, and they were not quite sure what I was talking about. This I could believe, as many people who were raised in the age of Internet still don’t know the importance of having an anti-virus with updated virus definitions installed on their computers. Good antivirus programs are perhaps the best way to protect yourself (and computer) from many of the threats, including viruses, malware, and cybercrime exploits. This ounce of prevention can save people from spending a pound on a cure.

Unfortunately for my family member, it was “too little, too late” for the prevention approach, and they had to take their computer in to have it fixed. This one event cost much more than an anti-virus program would have cost, not to mention the money paid to the Cybercriminals behind the Ransomware, and the time and frustration of the related computer problems. While it comes as little comfort to my family member now, this story has taught a lesson; use an anti-virus, and keep it up to date, always.

This experience also shows how easy it is to fall for the Ransomware scams, and how important it is to educate people about the current Cybercrime trends. Perhaps the next family night we will not be breaking out the Scrabble, but instead a Power Point presentation on Cybersecurity.

If you found this information helpful, you may want to consider taking part in the Identity Theft Resource Center’s Anyone3 fundraising campaign.  For more information or to donate please visit http://www.idtheftcenter.org/anyone-3.

Two days ago, the Federal Bureau of Investigation, the Financial Services Information Sharing and Analysis Center, and the Internet Crime Complaint Center jointly issued a Fraud Alert to financial institutions warning them of alarming trends in unauthorized wire transfers overseas in amounts ranging from $400,000 to $900,000. The Fraud Alert explains that after targeting financial institution employees with spam and phishing e-mails, the cyber criminals installed keystroke loggers and Remote Access Trojans to be able to completely access internal networks and logins to third party systems. In other cases, the cyber criminals stole employee and administrative credentials allowing them to avoid verification methods used by the financial institutions to prevent fraudulent activity.

This enabled them to peruse through multiple accounts, selecting those accounts with the highest balances to conduct wire transfers from. According to the Fraud Alert, the cyber criminals were able to “handle all aspects of a wire transaction, including the approval… obtain account transaction histories, modify or learn institution specific wire transfer settings, and read manuals providing information and training on the use of US payment systems.” The Fraud Alert theorized that the cyber criminals used distributed denial of service (DDOS) attacks against the financial institutions’ public websites as a distraction to keep them occupied and distracted while fraudulent wire transfers were being conducted.

Yesterday, the Financial Services Information Sharing and Analysis Center raised their Current Financial Services Sector Cyber Threat Advisory from “elevated” to “high,” leaving the Physical Threat Advisory at “elevated.” Soon after, Reuters reported, “the consumer banking website of JPMorgan Chase & Co was intermittently unavailable to some customers. The problems followed issues with the website of Bank of America Corp on Tuesday amid threats on the Internet that a group was planning to launch cyber attacks on a U.S. bank.”

This incident occurs amid the heated debate in Washington over how to bolster the cybersecurity in the United States and reminds us just how important cybersecurity is in this new digital age. We must consider as a nation, the impact cyber attacks from criminals, terrorists, or other countries can have on us as a whole. Imagine what could happen next time financial institutions were attacked if the main goal was not to steal millions of dollars but to take the whole banking system down? In order to improve, there has to be change on a national level. The challenge now facing us is how best to balance the competing interests of privacy protection, avoiding over-regulation, and providing room for effective individual cybersecurity protocols.

Senator McCain’s SECURE IT Act has yet to reach the Senate floor, but will likely face intense scrutiny over the potential lack of government regulation and concern over privacy protections. Even modest improvements to our national security picture will require that we put aside the contentiousness and work together in earnest. Unfortunately, it seems that Congress may not be up to that task and President Obama might have to resort to issuing an Executive Order. This action, by its nature, will create more strife and disagreement in an already gridlocked Congress.

“Banks Warned of Heightened Cyber Threat by FBI” was written by Sam Imandoust, Esq. He serves as a legal analyst for the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to and linking back to ITRC Blog.

A report released by Norton (Symantec), a leader in cybersecurity that develops antivirus, anti-malware, and other related products and software, demonstrates just how pervasive cybercrime is in today’s digital age. The report was the final product of 19,636 interviews of adults, parents, children, and teachers from 24 developed and emerging countries.

cybercrimeThe report confirms that cybercrimes are becoming more common than normal “offline” crimes. This may be due to the fact that cybercriminals are very difficult to find, even as they continue to commit more criminal acts. Norton found that there are approximately 1,000,000 cybercrime victims every single day of the year. This amounts to a cost to society in the amount of $388,000,000,000 ($388 Billion) in just 2011. Of that amount, $114 billion accounts for money actually stolen or money spent to resolve cybercrimes. The remaining $274 billion of that money is in the form of time and costs to victims dealing with cybercrimes. To give a better idea of the staggering size of cybercrime’s financial costs, Norton compares the $388 billion cybercrime cost to the global black market of marijuana, cocaine, and heroin combined at $288 billion. In fact, the sum of all global drug trafficking is valued at $411 billion, only $23 billion more than cybercrime costs.

Unfortunately, the spread of cybercrime is unlikely to slow down as the number of people using the Internet, computers, and especially mobile devices increases. Of those surveyed, 69% of all adults have been a victim of cybercrime, and of those, 65% were victims in 2011 alone. The report shows that the more time one spends online, the more likely they are to become a victim of cybercrime. This is supported by their results which show that 75% of “millennials” (aged 18-31) have been victimized at some point compared to only 61% from the boomer generation. Usage of mobile devices to peruse the Internet is widespread and growing, with 44% of mobile device owners using their device to surf the Internet, and nearly 60% of millennials doing the same.

Even more disturbing is that the spread of cybercrime to these mobile users is just beginning. In 2011, 10% of all mobile device users online had fallen victim to cybercrime. Considering that the number of mobile users surfing the Internet is already large, and that the number will certainly go up as time goes on, it is safe to assume that mobile device related cybercrime is inevitably going to increase. In this society, even a minor increase in percentage of victimized users, will be a very large number of individuals affected.

Despite the staggering number of cybercrimes being committed on a yearly basis, the public perception of these crimes continues to underestimate how severe and common they are. Of the people interviewed, 44% had been a victim of cybercrime in the last year while only 15% had been a victim of some form of offline crime. That mean that cybercrime is nearly three times more common than “off-line” crimes. The perception problem is that, of the people surveyed, only 31% thought that they were more likely to become a victim of cybercrime than offline crime.

This misconception helps explain why 40% of adults surveyed did not have an up to date security suite to protect their personal data. Not only are consumers not adequately protecting themselves online, but only 21% of actual victims reported the cybercrime to the police after becoming a victim. This perception that cybercrimes aren’t quite the same as offline crimes might be reinforced by the lack of avenues to get help after becoming a cybercrime victim. Of those who reported suffering both cybercrime and offline crime, 59% felt there were fewer ways to get help after the cybercrime.

It is clear from Norton’s Cybercrime Report that cybercrime is here to stay and should be considered a high priority by law enforcement and consumers who use the Internet. People must be educated about the risks associated with Internet use and encouraged to protect their personal information in this digital world. The next time you are about to log onto the Internet from your desktop or mobile device, take a moment to consider whether you have taken enough steps to protect yourself from cybercrime.

“Norton Cybercrime Report 2011: Painting a Dismal Picture” was written by Sam Imandoust, Esq. He serves as a legal analyst for the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to and linking back to ITRC_Blog.

If you have scratched below the surface of the avalanche of articles on identity theft, scams, cyber-security, or related topics, you have probably run across the term “spoofing.” However, even many of us that work in the field are not very good at explaining to others what the term means, and the various ways the term might be used. So, here goes….

From www.dictionary.com:

spoof; noun

  1. a mocking imitation of someone or something, usually light and good-humored; lampoon or parody: The show was a spoof of college life.
  2. a hoax; prank.

In the context of cyber-security and related subjects, “spoofing” means providing false information in order to make the intended victim think the communications has come from either someone they know, or a business or entity that they would tend to trust. However, there are a number of types of “spoofing”, some more technical than others:

  • IP spoofing is a technique used to make a computer user think that a particular Internet IP being presented is a safe computer/server, and should be trusted. Most of us don’t directly confront this type of spoofing, and probably are unaware of how it works. Just like phone numbers, IP addresses are supposed to signal a unique address or location across the Internet, so faking an IP address can be used by criminals as a method of becoming part of a trusted network. A consumer is unlikely to be directly confronted with IP spoofing, unless they are working in a technical field.
  • Caller ID Spoofing is used to make an incoming call present a phone number that the intended victim might know or trust. However, the number appearing on the Caller ID is not the real calling number, and “spoofing” the number is used for exactly that purpose, to gain trust in a situation when none should be given. With the advent of VOIP or Internet-based phones, the ability to make an incoming call look like it was from San Diego, when the caller is in Russia, is a fact. Caller ID cannot be trusted to determine anything about the caller. Caller ID Spoofing is done quite often, and the average consumer is often in the dark as far as knowing who is really making the call. If in doubt, the best policy is to disengage from the call, then look up the company by name, and call a listed number for the company to inquire about the contact. It should be remembered that people who do business with you already have the information about you, your account number, etc. It is an entirely different situation if you call the company, and are asked for credentials before they will discuss your business with them. However, if the call is coming from them to you, they are the ones that need to prove who they are before you give them any information. Be warned!
  • Email Address Spoofing is probably the most common type of spoofing. Most of us have seen this many times on incoming email, although we may not have recognized it. All of us observe the senders name/address on incoming emails to see who the sender might be, and whether we think about it or not, we tend to give credibility to that email based upon any previous knowledge we may have of the purported sender. Spoofing the “From:” address is often done as part of a fraudulent scheme. If the “From:” address makes you think the email should be trusted, then you are much more likely to click on a link or take other action, or otherwise give some credibility to an email that is coming from a complete stranger, and possibly a thief. Many of the emails used in “Phishing” schemes will have spoofed sending addresses. In fact, a more deadly form of this attack, called “Spear Phishing” uses email addresses from someone recognized as an authority, such as a highly placed executive of your company, to make your response even more likely. You are not going to turn down a request from your Vice President are you? And, it’s a given that website links in these spoofed emails cannot be trusted: they are spoofed also, and will very rarely point your web browser to the address that the link purports to be. Altogether, it is wise for all of us to be wary of incoming email, unless we are very sure of the sender and the authenticity of the message.
  • SMS or Text Spoofing: In a similar fashion to Caller ID and email spoofing, it is also possible for a text message (SMS) to appear to be from a trusted source, while it really is from a quite different sender. In a manner similar to other types of spoofing, be very aware when a text message invites you to take actions, or strongly implies a course of action that you had not anticipated. Like other forms of spoofing, the best answer is to be suspicious and fact check, before you act.

Spoofing is a part of the world we live in now, and it is a key element of the “social engineering” used against consumers in attempts to commit fraud and identity theft. Being skeptical and checking information by other means is really the key to avoid becoming a victim.

If you found this information helpful, you may want to consider taking part in the Identity Theft Resource Center’s Anyone3 fundraising campaign.  For more information or to donate please visit http://www.idtheftcenter.org/anyone-3.