• The Federal Trade Commission reports that the number of people who lost money to scams that started on social media has more than tripled in 2020, with a significant increase in the second quarter of the year. 
  • The increase in social media scams fits the overall 2020 trend of more phishing scams on channels besides email. 
  • Some recent social media scams include romance scams, fake advertisements, and social media messages offering grant money or giveaways. 
  • To reduce the risk of falling for a social media scam, don’t click on any links from unknown messages, do research on any ad seen on social media, and never send money to someone you’ve never met in person. 
  • To learn more, contact the Identity Theft Resource Center toll-free at 888.400.5530, or speak with an expert advisor via live-chat on the company website. 

Social media scams are on the rise in 2020, fitting the year's overall trend of more phishing scams on channels besides email. Scams strike people in many different ways, ranging from robocalls to phishing attacks. While social media websites are another platform scammers use for their attacks, they are not always the first place people think to monitor when they hear the phrase “phishing scams.” 

Scammers Take Advantage of More People Online During COVID-19 

However, 2020 is different. Social media is already a great place to connect, but especially right now due to COVID-19. More people are using social media, and scammers are aware. In fact, more scammers are hanging out on the sites, posing a greater scam threat to users. Scammers know COVID-19 changes the way people live, and they try to take advantage in any way possible. 

New Report on Increase in Social Media Scams 

The Federal Trade Commission (FTC) reports that the number of people who lost money to scams that started on social media has more than tripled in 2020, with a significant increase in the second quarter of the year. The FTC says the growth has been happening for years, reporting social media scam fraud losses of $134 million in 2019.

However, the first half of 2020 had $117 million in fraud losses from social media scams alone. Some recent social media scams include romance scams, fake advertisements, and social media messages offering grant money or giveaways. Often, scammers create fake profiles of people victims may know to take advantage of them. In some cases, scammers will even take over a real person’s account. 

How to Avoid a Social Media Scam 

Consumers can do a handful of things to reduce their risk of falling victim to a social media scam.  

  1. Check the validity of any ad you see on social media. Do a quick Google search of the supposed business followed by “complaints,” “reviews” or “scam.” This will help you determine whether or not the company has been reported or accused of any suspicious activity. Also, directly search for the company website. Any legitimate company will most likely have contact information on their webpage. 
  2. Never click on a link or open an attachment without verifying the validity of the message or ad. You can do this by directly reaching out to the company to see if they sent the message or posted the ad. If not, it is probably a scam. If you cannot find any contact information for the company, it is probably a scam. 
  3. Reach out directly by phone or email to the friend or family member asking for money or personal information. If they did not send the message, the sender’s account was probably hacked. 
  4. Never send money or personal information to someone you have never met in person. Imposter scams, where scammers try to trick people into giving up personal information or money by posing as someone fake, continue to rise throughout the country. 
  5. Regularly check your privacy settings on all of your social media platforms. Make it more challenging for scammers to target you by limiting what you share online. 

Contact the Identity Theft Resource Center 

Consumers should be aware of the 2020 trend around scams and that scammers will continue to hang out in the social media space. However, if everyone does their part, they can still enjoy the platforms with minimal risk of falling for a social media scam.  

To learn more, or if you believe you are the victim of a social media scam, reach out to the Identity Theft Resource Center (ITRC) toll-free at 888.400.5530 or by live-chat on the company website. Also, download the ITRC’s free ID Theft Help app for access to additional resources. 



  • A new VPN security vulnerability could affect as many as 800,000 internet-accessible SonicWall VPN appliances. 
  • According to researchers, the bug can allow a denial of service cyberattack and crash services, creating widespread damage. 
  • SonicWall VPN users should install the recently released SonicWall patches to eliminate their risk of attackers gaining access. 
  • For more information, contact the Identity Theft Resource Center toll-free at 888.400.5530 or live-chat with an advisor on the company website. 

A virtual private network (VPN) is a tool used by many businesses and consumers and is more important now than ever with so many people working from home. It is a digital tool that helps keep hackers, identity thieves, spammers and even advertisers from seeing someone’s online activity. According to ZDNet, a recently discovered VPN security vulnerability could affect as many as 800,000 internet-accessible SonicWall VPN appliances. 

What Happened 

Infosecurity Magazine says researchers found a vulnerability in SonicWall’s Network Security Appliance (NSA). An NSA is used as a firewall and VPN portal to filter, control and allow employees to access internal and private networks. 

How It Can Impact You 

Researchers claim the bug can allow a denial of service attack and crash services, creating widespread damage. SonicWall says the CVSS risk score of the VPN vulnerability is 9.4 out of 10, and the bug can be remotely executed without requiring the attacker to have the credentials needed to access the VPN. VPN systems continue to be targeted by attackers looking to take advantage of the large number of remote workers who rely on them.  

What You Need to Do 

SonicWall says it is not currently aware of the bug being exploited or of the VPN security vulnerability having impacted any customers. However, SonicWall recently released patches for the vulnerability. Affected customers should patch their VPNs to eliminate the risk of attackers gaining access. Employees should check with their IT administrators to ensure the proper steps are taken to keep them and their remote worker peers safe. 

A VPN is a great way for people to stay safe online. It protects all sensitive activities conducted online. However, it is essential to keep VPN software up-to-date by applying security patches and software updates as quickly as possible.  

Need More Help?

Anyone who wants to learn more can call the Identity Theft Resource Center (ITRC) toll-free at 888.400.5530 to speak with an expert advisor. They can also live-chat with an advisor on the company website. For on-the-go assistance, consumers are encouraged to check out the free ID Theft Help App from ITRC. 



  • Data breaches are down 30 percent in Q3 of 2020 compared to Q3 of 2019 when you look at the Blackbaud ransomware attack as a single event. 
  • Data breaches are down 10 percent in Q3 of 2020 compared to Q3 of 2019 when you look at the Blackbaud ransomware attack as a series of data breaches.  
  • Regardless of how the Blackbaud ransomware attack is viewed, the number of individuals impacted by a data breach is down nearly two-thirds.  
  • Anyone who believes they are a victim of a data breach is encouraged to contact the Identity Theft Resource Center to learn more about the next step to take. Victims can call toll-free at 888.400.5530 or live-chat with an expert-advisor on the company website. 

2020 has seen many different data breach trends. In the first half of 2020, the Identity Theft Resource Center (ITRC) reported a 33 percent decrease in data breaches and a 66 percent decrease in individuals impacted. The ITRC has compiled the Q3 2020 data breach statistics, and the number of compromises has dropped. However, there is one data breach that skews all the data. 

Two Ways to Look at the Numbers 

With the ongoing global pandemic and one particularly nasty ransomware attack against IT service provider Blackbaud reported in the third quarter, the Q3 numbers can be interpreted in two ways. 

Data Breaches Down 30 Percent Treating Blackbaud as a Single Event 

If we treat the Blackbaud attack as a single event, the number of data compromises reported so far in 2020 remains well below the 2019 trend line, with nearly a 30 percent decrease year-over-year. Looking at the rest of 2020, absent a significant data breach, 2020 could end with just over 1,000 data breaches. That would be the lowest number of breaches in five years, dating back to 2015. 

Data Breaches Down 10 Percent Treating Blackbaud as a Series of Breaches 

If the Blackbaud ransomware attack is treated as a series of data breaches, the year-over-year trend line changes significantly. However, the number of data breaches is still down in comparison to 2019. There have been 247 data breaches reported as a result of the Blackbaud ransomware attack. Once you add those to the overall number of data compromises, we go into Q4 with a 10 percent decrease in data breaches compared to this time last year.  

Individuals Impacted by Data Breaches Down Two-Thirds 

No matter how Blackbaud is categorized, one data point remains the same: the number of individuals who have been impacted in 2020 by an information breach. So far in 2020, roughly 292 million people have had their personal information compromised, nearly two-thirds fewer people than in 2019. The ITRC will have more information to share on our Q3 Data Breach Trends Report, which will be released later in October. We will also discuss the details on our sister podcast, The Fraudian Slip, in two weeks. 

Subscribe to the Weekly Breach Breakdown Podcast 

Every week, the ITRC looks at some of the top data compromises from the previous week, and other relevant cybersecurity news in our Weekly Breach Breakdown podcast. This week, we are looking at the Q3 data breach trends and the latest numbers.  

notified™

For more information about recent data breaches, or any of the data breaches discussed in Q3, consumers and businesses should visit the ITRC’s new data breach tracking tool, notified. It is updated daily and free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free. 

Contact the ITRC 

If you receive a breach notice due to the Blackbaud ransomware attack or any other data compromise and want to know what steps to take to protect yourself, contact one of the ITRC expert advisors by phone toll-free 888.400.5530, or by live-chat on the company website. Victims of a data breach can also download the free ID Theft Help App to access advisors, resources, a case log and much more. 

Join us on our weekly data breach podcast to get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform. 



  • Scammers are taking advantage of Apple users eager to purchase the iPhone 12 with a chatbot scam offering “a free trial” of the new device.
  • Threat actors are looking to steal people’s credit card information and other identity information. They can use the information to commit financial identity theft.
  • Consumers are urged to ignore any suspicious text messages and verify their validity by going directly to the source.
  • Anyone who believes they are a victim of the phishing scam, or wants to learn more, can call the Identity Theft Resource Center toll-free at 888.400.5530, or live-chat with an expert advisor on our website.

The iPhone 12 is expected to be released in October, and many are restlessly awaiting the anticipated launch. Scammers are aware and are sending iPhone 12 chatbot scams via text message, hoping to steal people’s personal information like names, addresses, and financial information like credit card numbers and security codes. While the scam tries to convince people they have won a free trial of the iPhone 12, the only ones winning with the iPhone 12 chatbot scam are the scammers.

Who It Is Targeting

Apple product users

What It Is

It’s a mobile phishing campaign that is spreading through text messages. The text messages from the iPhone 12 chatbot scam appear to come from an Apple chatbot offering free trials for the iPhone 12 before its release. When people click on the link in the text message, it triggers multiple text messages, ending with one saying the user qualifies for a test group before taking them to a “payment” screen for shipping charges.

What They Are After

The iPhone 12 chatbot scam is ultimately after people’s credit card information. After people click through the questions and learn they are “eligible,” they are taken to the “payment” screen where they are asked to enter their credit card information because there is a “courier delivery charge.” Once victims give out their personally identifiable information (PII), scammers can then use it to commit identity theft.

What You Can Do

  • If you receive a text message you are not expecting that requires you to act, ignore it. Instead, go directly to the source to verify the validity of the message.
  • Look for grammatical errors and stylistic issues in the text message to spot the phishing scam.
  • Remember, if the offer seems too good to be true, it probably is. Do not enter any personal information or click on any links for an offer unless you confirm it is legitimate.

If you believe you have fallen victim to the iPhone 12 chatbot scam or have additional questions, you can call the Identity Theft Resource Center (ITRC) toll-free at 888.400.5530. You can also live-chat with an expert advisor on the company website.



  • Credential theft is when fake webpages are created that look real for the sole purpose of stealing logins and passwords to access legitimate accounts.
  • The top targeted companies for phishing scams from credential theft include PayPal with 11,000 fake login pages, Microsoft with 9,500 fake pages, and Facebook with 7,500 fake pages.
  • To prevent falling victim to a credential theft attack, consumers should not click on any links unless they know they are legitimate, double-check the email address of the sender, and change their password if they believe they used a fake login page.
  • For more information about the latest data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) new data breach tracking tool, notified™.
  • Victims of identity theft can contact the ITRC toll-free at 888.400.5530, or by using the live-chat function on the website.

Credential stuffing is a term consumers often hear from cybersecurity experts. Credential stuffing is a type of cyber attack where stolen credentials, like usernames and passwords, are used to gain access to other accounts that share the same credentials. There is another term not heard as much, but just as prevalent: credential theft.

Subscribe to the Weekly Breach Breakdown Podcast

Every week the Identity Theft Resource Center (ITRC) takes a look at the most interesting data compromises from the last week in our Weekly Breach Breakdown podcast. This week, we are talking about creating fake websites that look real for the sole purpose of stealing logins and passwords used to access legitimate accounts. We will look at how security researchers found tens of thousands of fake website login pages that are used to collect credentials from consumers.

Credential Theft

To commit a credential stuffing attack, a hacker must have credentials. Where do data thieves get the logins and passwords needed to fuel these attacks? The most obvious way is through data breaches everyone has seen over the years, where millions of credentials are stolen in a mass attack. However, there are less obvious ways, too. One of those less obvious ways is credential theft.

Earlier in 2020, security company IRONSCALES began to look for a specific kind of webpage: fake login pages that look like they could come from real companies. From January until June, IRONSCALES found more than 50,000 phony login pages from more than 200 recognizable brands with a high volume of web traffic.

These fake login pages are used in phishing emails as a way of getting people to click on what they think is a legitimate login page. Most people cannot tell the login page is fake, leading unsuspecting victims to enter their real login and passwords into a fake webpage. That is all it takes for data thieves to have actual credentials from live accounts. They do not even have to buy or steal any data.

Top Targets for Phishing Scams

Anyone reading this blog might be wondering if they have ever clicked on an email link connected to an account. If they have, was it a real login page?

IRONSCALES reports that PayPal is the top target for phishing scams, with more than 11,000 fake login pages spoofing the brand. Microsoft is not far behind with 9,500 phony login pages. The list continues with Facebook with 7,500, eBay with 3,000 and Amazon with 1,500 known fake login pages. Other commonly spoofed brands include Adobe, Aetna, Apple, Alibaba, Delta Air Lines, JP Morgan Chase and Wells Fargo.

All of these companies have people who do nothing but seek out and shut down these and other kinds of fake webpages, websites, social media accounts and text messages that are used to collect personal information from their legitimate customers and prospects. However, research shows that credential theft is easy for a couple of reasons. The first is that malicious phishing emails that deliver fake login pages can easily bypass cybersecurity tools and spam filters just by making small changes in the email.

Inattentional Blindness

The second reason is inattentional blindness: when something looks so familiar or causes you to focus so intently that you don’t see the apparent errors hiding in plain sight. An example of inattentional blindness comes from a study where people were told to watch a video to count the number of people wearing white jerseys as they passed a ball. More than 50 percent of people taking the test missed the fact that one of the players was wearing a gorilla suit.

How Inattentional Blindness Applies to Identity Theft

In credential theft attacks, inattentional blindness translates into an inability to spot the tell-tale signs of a phishing scheme, even among trained cybersecurity and fraud professionals. What should people do if they encounter what they believe is a phishing attack?

1. Don’t click on any links unless you are sure they are legitimate. When in doubt, navigate directly to the website or webpage you are trying to reach instead of using a link.

2. If the link arrives in an email, double-check the address of the sender. An email address can be masked to make it look legitimate in the sender line. However, if you click on the sender’s name to see the actual address, you may find the email from mybank.com is actually from bob@scams-r-us. Get into the habit of checking email addresses.

3. If you believe you used a fake login page, change your passwords and alert the security team at the company whose login page has been spoofed as soon as possible. While changing your password, consider switching to a 12-character passphrase with upper and lower case letters. It will take an automated hacker tool 300 years to break that passphrase, and it is easier to remember.

notified™

For more information about the latest data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notified. It is updated daily and free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.

Contact the ITRC

If you believe you are the victim of an identity crime, or your identity has been compromised in a data breach, you can speak with an ITRC expert advisor by calling toll-free at 888.400.5530, or on the website via live-chat. Finally, victims of a data breach can download the free ID Theft Help app to access advisors, resources, a case log and much more.

Join us on our weekly data breach podcast to get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform.



Right now, there is a particular kind of data exposure that is mystifying security experts around the world. Every week, the Identity Theft Resource Center (ITRC) takes a look at some of the top data compromises of the previous week in our Weekly Breach Breakdown podcast. This week, we are looking at an attacker who is erasing insecure cloud databases and leaving a single word as their calling card: meow. Yes, it is a “meow” attack.

Where It All Began

The story begins 20 years ago when threat actors were known as hackers. They were just as likely to be your neighbor’s kid as a criminal mastermind in a foreign country. For a visual, you can think of the 1980s movie WarGames, where Matthew Broderick breaks into a super-secret Pentagon weapons system to challenge the computer to a game of thermonuclear war and tic-tac-toe.

Fast forward to today, and the average threat actor is part of a well-organized criminal enterprise where stealing and selling personal and company information is the bottom line. It is a multi-billion-dollar business that runs like a regular business – that is, if it weren’t illegal.

Unsecured Databases

Every week the ITRC talks about data breaches from the previous week and how they happen. In July, one week we focused on the top reasons data breaches occur, and pointed out that IBM’s latest research shows misconfigured cloud databases are tied for the number one reason personal information is compromised, even if it is not stolen.

Unsecured databases have been a growing cybersecurity problem since 2018, and some of the world’s biggest data compromises have been the result of poor cybersecurity practices. In 2019, a mystery web database containing four billion records linked to 1.2 billion people had no password protection and was accessible on any web browser.

Later in 2019, databases that included hundreds of millions of records were exposed at First American Financial Corp., email validation firm Verifications.io, and Capital One Bank.

What Is Happening Today

Now, in a throwback to the time before professional hackers, either someone or some group is trolling the internet using the same automated tools as professional data thieves. They are looking for cloud databases that do not have proper security. However, instead of stealing the information, the Grey Hat attacker is deleting the information it finds and is replacing it with the word meow.

As ITRC COO James Lee says in the podcast, “In other words, a modern-day Robin Hood is treating the internet as their own personal Sherwood Forest and taking from the data-rich to protect the personal information of the masses.”

When the Attacks Were Discovered

The “meow” attacks were discovered in early July by cybersecurity researcher Bob Diachenko. Diachenko has since identified more than 4,000 “meow” attacks, including one where 3.1 million patient records were erased at a medical software company because the database housing the sensitive information did not have a password to secure the data.

What the ITRC Recommends

The ITRC disapproves of vigilante justice, even when protecting consumers from having their personal information misused. The ITRC condones and strongly encourages businesses to make sure they have properly configured their security tools before putting an internet-accessible cloud database into production. To use a pun, doing so may help “keep the cat in the bag,” where it belongs.

notified™

For more information about the latest data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notified. It is updated daily and free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.

If you believe you are the victim of an identity crime, or your identity has been compromised in a data breach, you can speak with an ITRC expert advisor on the website via live-chat, or by calling toll-free at 888.400.5530. Finally, victims of a data breach can download the free ID Theft Help app to access advisors, resources, a case log and much more.

Join us on our weekly data breach podcast to get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform.




People are spending more time on their phones, tablets and computers now than ever, making the importance of cyber-hygiene tips as paramount as they’ve ever been. The Identity Theft Resource Center (ITRC) wants to highlight some of the best practices and steps that users can take to improve their online security.

We recommend everyone make these cyber-hygiene tips part of their regular routine to greatly reduce their risk of identity theft or other cybersecurity compromises.

1. Use a secure connection and a VPN to connect to the internet

A virtual private network (VPN) is a digital tool that keeps outsiders, such as hackers, identity thieves, spammers and even advertisers from seeing online activity. Users should also be wary of public Wi-Fi. While public Wi-Fi may be convenient, it can have many privacy and security risks that could leave someone vulnerable to digital snoops. If connecting to public Wi-Fi, be sure to use a VPN.

2. Get educated about the terms of service and other policies

It is important to understand what the terms of service and other policies say because, once you check the box, you may have agreed to have your information stored and sold, automatic renewals, location-based monitoring and more.

3. Make sure anti-virus software is running on all devices

It is very important to have anti-virus software running on every device because it is designed to prevent, detect and remove software viruses and other malicious software. It will protect your devices from potential attacks.

4. Set up all online accounts (email, financial, shopping, etc.) with two-factor or multi-factor authentication

Two-factor authentication (2FA) or multi-factor authentication (MFA) adds an extra layer of protection to your accounts; it requires at least two separate verification steps to log into an account. Relying on a minimum of two methods of login credentials before accessing accounts will make it harder for a hacker to gain access.

5. Use secure payment methods when shopping online

One easy cyber-hygiene step is to only shop on trusted websites and use trusted payment methods. Consumers should not use payment portals or shop on websites with which they are not familiar.

Always use a payment instrument that has a dispute resolution process – like a credit card or PayPal – if you have to shop on an unfamiliar site.

6. Use unique passphrases for passwords and do not reuse passwords

The best practice these days is to use a nine to ten-character passphrase instead of an eight-character password. A passphrase is easier to remember and harder for hackers to crack.

Also, users should employ unique passphrases; if they use the same one, hackers can gain access to multiple accounts through tactics like credential stuffing.

7. Never open a link from an unknown source

Do not click on links or download attachments via email or text – unless you are expecting something from someone or a business you know. If it is spam, it could insert malware on your device.

Also, never enter personally identifiable information (PII) or payment information on websites and web forms that are not secure or have not been fully vetted. It could be a portal to steal personal information.

8. Make sure devices are password protected

If devices are not password protected, it is just that much easier for a hacker to share or steal personal information. Without a layer of protection or authentication to access the device, all the information saved on it becomes fair game. Use a PIN code, biometric or pattern recognition to lock your devices and set the same protection for apps that have access to sensitive information like banking or credit cards.

9. Log out of accounts when done

Staying logged in is another bad habit that makes it much easier for someone to share or steal your information. Always log out of accounts when done so no one can get easy access to them.

While there is nothing that can be done to eliminate identity theft, account takeovers and other malicious intent, these cyber-hygiene tips will help keep consumers safe, as well as reduce the number of cybercrime victims.

Anyone who believes they have been a victim of identity theft or has questions about cyber-hygiene tips can call the ITRC toll-free at 888.400.5530 to speak with an expert advisor. They can also live-chat through the website or the free ID Theft Help app.



Ransomware is something no one wants to end up with. It is a type of malicious software that is designed to deny access to data or a computer system until the hacker is paid. Ransomware is just one of many forms of malware, code that is developed by cyberattackers to cause damage to data and systems or gain unauthorized access. While there are many different types of ransomware, the operators behind the Maze ransomware attacks are some of the bad actors at the core of many of these types of data compromises or phishing emails.

Maze is considered a sophisticated Windows ransomware type with the threat actors using it to ambush many organizations with demands of cryptocurrency payments in exchange for the stolen data. The impact of the Maze group and other similar ransomware exploits has led to a growing problem.

According to healthitsecurity.com, in May, the Maze operators published two plastic surgeons’ stolen data for sale on the dark web after a successful ransomware attack. A little over a month earlier, Maze operators hit Chubb, a cybersecurity insurance provider for businesses that suffer data breaches. According to CRN, the Maze group just recently stole 100 GB of files from Xerox.

However, there are actions that consumers and businesses can take to reduce their chances of an attack:

  • Consumers should use reputable antivirus software and a firewall
  • People should consider using a virtual private network (VPN) when accessing public Wi-Fi or untrusted Wi-Fi
  • Consumers and businesses are both encouraged to make sure all systems and software are up-to-date and have the relevant patches
  • People should not provide any personal information in an email, phone call or text message they are not expecting
  • It is important that consumers do not click on any links from emails, text messages or instant messages they are not expecting; instead, they should go directly to the source

The Maze ransomware has impacted many; businesses and consumers should do what they can to protect themselves and their data.

Anyone who has questions or believes they are a victim of a Maze ransomware attack, or any sort of malware attack, can live-chat with an Identity Theft Resource Center expert advisor for tips.

They can also call toll-free at 888.400.5530. Finally, victims can download the free ID Theft Help App for instant access to advisors and resources.



This post will be updated as more information becomes available

Contact tracing scams have begun to pick up steam with the evolving technology coming closer to becoming a reality. Some of those scams include hackers and fraudsters posing as contact tracers – both online and in person – trying to steal personally identifiable information (PII), personal health information (PHI) and other personal data.

The United States began the re-opening process after the COVID-19 pandemic closed many aspects of daily life. That is expected to include many precautions to keep people safe, including contact tracing – a method used to find the people who may have come into contact with someone infected with COVID-19. In fact, many people anticipate contact tracing will play a large part in keeping people informed of their risk of exposure until a vaccine is available.

Apple and Google are cooperating to ensure the different phone operating systems are compatible for contact tracing purposes. Apple and Google are also working with health departments across the country to figure out how to roll out an effective Bluetooth-based contact tracing system that would allow public health departments to create their own contact tracing apps. Despite doubts from some health officials on how useful Apple and Google’s optional systems will be, the two tech companies have developed the digital contact tracing system and have included it in their latest software updates. Contact tracing apps have already rolled out in other countries. According to MIT Technology Review, so far, there are 25 contact tracing efforts globally. However, none of those apps work in the U.S. Consumers should beware of any attempt to entice them or someone else to download and register for an app.

While app development efforts continue, scammers are tricking people into contact tracing scams using fake apps that steal their personal information. The Better Business Bureau of Connecticut warns people about text messages in their area that appear to be linked to COVID-19 contact tracing, alerting people that they were near someone who tested positive for coronavirus. Police in Washington state are alerting residents of contact tracing scams going around trying to steal sensitive information, including credit card information and Social Security numbers. The Champaign-Urbana Public Health District urges residents not to fall for contact tracing scams, adding that they will never alert people of a positive test via text.

In all of these scams, fraudsters are trying to steal people’s personal information, whether it is by trying to get them to click on unknown malicious links or simply asking for them to provide it. Hackers then have the ability to turn right around and sell the information, which could lead to identity theft. Even when legitimate apps are available, users should check to see if the data they share will be used for marketing purposes without their permission or sold for other purposes.

To avoid a contact tracing scam, people should stay informed on the latest contact tracing details, as well as the most up-to-date COVID-19 information from their state and local health departments. Local health departments will inform people of what a legitimate contact tracer will ask and any protocols they will follow. If anyone gets a text or notification they are not expecting that they were in contact with someone who tested positive for COVID-19, they should ignore it and call their local health department to confirm the validity of the message. They should not provide any information they are asked for, nor should they click any links, open any attachments or download any files.

If anyone believes they have fallen victim to a contact tracing scam or is a victim of identity theft, they can live-chat with an Identity Theft Resource Center expert advisor or call toll-free at 888.400.5530. An advisor can help victims create an action plan on the steps they need to take that are customized to their needs.



Unemployment identity theft, also known as unemployment fraud, continues to skyrocket across the United States during the COVID-19 pandemic, and Washington state is particularly hard-hit. A possible Nigerian fraud ring could be to blame for many of the cases involved in the uptick. According to the New York Times, a group of international fraudsters from Nigeria is believed to be behind a sophisticated attack on the U.S. employment systems, an attack that has already led to millions of dollars being stolen. While the U.S. Secret Service is still working to identify everyone involved, Special Agent Roy Dotson believes the unemployment identity theft is being aided by mules (people who transfer illegally acquired money on behalf of or at the direction of another) being used for money laundering after making connections with fraudsters online.

According to a memo from the U.S. Secret Service in the New York Times article, investigators received information that suggested the scheme was coming from a Nigerian fraud ring, and that hundreds of millions of dollars could be lost. Washington state is believed to be the primary target for the unemployment identity theft and unemployment fraud attacks. However, there has also been evidence of similar attacks in Florida, Massachusetts, North Carolina, Oklahoma, Rhode Island, Maryland and Wyoming.

The Identity Theft Resource Center (ITRC) believes many fraudsters are trying to take advantage of more people, money and activity running through state employment offices due to the unusual lengths the government has gone to in order to support Americans in light of the financial impacts of the COVID-19 pandemic. The ITRC has received reports from victims where workers have received notifications that their unemployment application was approved, even though they did not apply or are still working.

There are things consumers can do to reduce the likelihood of becoming a victim of identity theft as a result of an unemployment identity theft attack. If someone has an account with a government agency, they should upgrade to a passphrase and check to see if their information has been changed. If it has been changed, it should be reported to the state agency. It is also important for people affected to update all of their accounts to passphrases, and to make sure their passphrases are not reused and that a work passphrase is not shared at home and vice versa. It is important to update passphrases and not use them across multiple accounts because identity thieves use stolen login information from data breaches to commit other crimes like unemployment benefits identity theft.

It is also a good idea for people to freeze their credit because it prevents new accounts and new obligations from being created that require a credit report. However, it will not stop the creation of an account with a state agency. To help protect personal information from being used in a cyberattack, it is a good idea for people to keep all of their software up-to-date, including their anti-virus software.

If someone believes they are a victim of unemployment identity theft or unemployment fraud, they are urged to live-chat with an ITRC expert advisor. Victims can also call toll-free at 888.400.5530 to leave a message for an advisor to return the call. Advisors will help guide victims and walk them through the process by creating an action plan that is tailored to their needs.

