It’s the ultimate payoff for a scammer: raking in a high-dollar payday with little effort or cybersecurity expertise. Unfortunately, that’s exactly what makes business email compromise scams, or BEC scams for short, so popular among criminals. By gaining access to an email account within a company, the potential for lucrative phishing scams is limitless.

One recent victim? Save the Children Foundation, a well-known non-profit organization that supports relief efforts for children all around the world. After scammers gained access to a staff member’s email address in 2017 and began sending invoices for solar panels to the proper department, the organization was cheated out of around one million.

BEC scams aren’t new. They used to be called “boss phishing” and “CEO phishing,” among other names. Now that criminals have figured out there are more people within a company with high-security access, the scam email can come from a variety of positions within the company.

The fact that BEC scams continue to work is alarming, though. In fact, the FBI reported that there were more than 300,000 cases of cybercrime in 2017, totaling over $1.42 billion in losses. BEC scams accounted for nearly half of those loses at $676 million. These scams saw a 137 percent increase in an eighteen-month period, and a report by WeLiveSecurity stated that social engineering scams like BEC and phishing emails were the third most commonly reported scam last year.

Unfortunately, social engineering scams still work, especially as scammers become more and more involved in the storyline. Those ludicrous old “Nigerian prince” email scams relied on social engineering, or getting the victim to hand over money in order to help someone in need and see a return on that money later. In the case of a BEC scam, the engineering is even simpler: “Bob from accounting” emailed an invoice—or so it appeared—and the recipient cut a check or transferred the funds, just like they do every single day. In other cases, the boss seems to have emailed a request for payroll records or W2 forms for everyone within the company; the assistant who received the email never thinks twice about following a logical request, and hands over the complete identities of everyone who works there.

In the case of business email compromise, the age-old advice isn’t easy to follow. Email scam recipients have always been told to ignore them. But how do you ignore a request from the CEO? How is a charity supposed to ignore an invoice for solar panels in a remote village when the organization’s job is literally to provide these things?

The first way for organizations to fight back against BEC scams is to institute iron-clad policies on submitting sensitive information, issuing payments and funds, changing account numbers or passwords, and other eyebrow-raising activities. The policy has to outline exactly which requests are to be questioned, as well as offer a layer of protection for an employee who requests verbal confirmation. Of course, preventing this kind of crime also starts with ensuring outsiders cannot gain access to a company’s email accounts, namely through strong, unique passwords that are force-changed on a regular basis and multi-factor authentication.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


Read next: The Government Shutdown is Hurting Crime Victims

A phishing scam has led to the unauthorized access of more than 500,000 students’ identifying information in the San Diego Unified School District. Through emails sent to staff members of the school district, an outsider was able to gain staff members’ login credentials and view students’ profiles.

Phishing scams like this one are all too common. By masquerading as an official email from a verified source, outsiders can trick recipients into all manner of sensitive activities, from changing passwords and account numbers to transferring funds to paying phony invoices. In this case, the emails likely required staff members to verify their usernames and passwords.

The phishing attack is believed to have been carried out between January and November of this year, but school system officials first became aware of it in October. However, the credentials gave the unauthorized person access to student records dating all the way back to the 2008-2009 school year.

Impacted individuals are being notified by letter from the school system, and the current investigation has already identified someone believed to be responsible. Officials have not determined whether or not any of the data was actually stolen or used, but it was certainly possible to steal complete identities from the activity that occurred; therefore, they are treating this incident as a data breach.

There are some important takeaways from this news. The first is that sharing your information with outsiders can result in the loss of that data. If you are not absolutely legally required to turn over your complete identity or that of your children, don’t. If you are required to provide it, ask who will be able to access it and how it will be protected. In the case of the school system, even base-level staff members were able to view details like birthdates and Social Security numbers, something that they didn’t need.

Also, if you receive a notification letter that your information has been breached, it’s vitally important that you take note of what data was compromised and what steps the company is taking to make it right. If the company is offering credit monitoring or identity monitoring, don’t delay. Sign up for that support immediately to take advantage of the protection.

Finally, since this incident involves children’s personally identifiable information, parents and guardians must be cautious about their children’s identities. Too many young people only discover they’ve been victimized this way when they become adults and attempt to get a job, enlist in the military, apply for financial aid, or other similar actions. Parents can freeze their children’s credit reports to reduce the chances that someone will use their information maliciously.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


Read next: The 2018 Impact of Data Breaches and Cybercrime

Year after year, cybercrimes like scams, fraud, identity theft and data breaches make a global impact on consumers and businesses alike. Organizations like the Federal Trade Commission and the Identity Theft Resource Center keep tabs on the statistics and the aftermath of these events in order to form a clearer picture of their effects. With only days to go until we reach the end of 2018, here’s a look at some of the numbers from this year.

Top Scams of the Year

According to a report by Heimdal Security, phishing attempts continue to be one of the more prevalent ways scammers connect with their victims. Phishing usually arrives as an email that entices someone to take action; the action might be to send money, hand over sensitive data, redirect to a harmful website, or even download a virus from a macro contained within the email. No matter what the story the scammers use, one-third of all security incidents last year began with a phishing email.

What happens to consumers when they fall for a phishing email? One in five people reported losing money, around $328 million altogether. That’s about $500 per victim on average, but that’s also only from the victims who reported the scam. Interestingly, new data this year found that Millennials were more likely to fall for a scam than senior citizens, although seniors still lost more money on average than these younger victims.

Different Industries Impacted by Data Breaches

The ITRC’s annual Data Breach Report highlights the organizations that have been impacted by data breaches throughout the year, along with the number of consumer records that were compromised. While the year isn’t over, the data compiled through Nov. 30 is already worrisome.

There have been more than 1,100 data breaches through the end of November 2018, and more than 561 million consumer records compromised. Those breaches were categorized according to the type of industry the victim organization falls under: banking/credit/financial, business, education, government/military and medical/healthcare.

The business sector saw not only the highest number of breaches but also the highest number of compromised records with 524 breaches and 531,987,008 records. While the medical and healthcare industry had the second highest number of breaches at 334 separate events, the government/military’s 90 breaches totaled more compromised records at 18,148,442. The financial sector only had 122 data breaches this year, but those events accounted for more than 1.7 million compromised records. Finally, while education—from pre-K through higher ed—only reported 68 data breaches, there were nearly one million compromised records associated with schools and institutions.

The Crimes that Made Headlines

There were quite a few headline-grabbing security incidents this year. While Facebook and the Cambridge Analytica events were not classified as traditional data breaches, they were nonetheless an eye opener for social media users who value their privacy. The Marriott International announcement of a 383 million-guest breach of its Starwood Hotels brand has opened consumers’ eyes about the types of information that hackers can steal, in this case, 5 million unencrypted passport numbers. The breach of the government’s online payment portal at GovPayNow.com affected another 14 million users, demonstrating that even the most security-driven organizations can have vulnerabilities. Finally, separate incidents at retailers and restaurants like Hudson Bay and Jason’s Deli reminded us (and those breaches’ combined 8.4 million victims) that attacking point-of-sale systems to steal payment card information is still a very viable threat.

What Do Criminals Really Steal?

In every scam, fraud, and data breach, criminals are targeting some kind of end goal. Typically, it’s money, identifying information or both. But recent breaches this year of websites like Quora—which provides login services for numerous platforms’ comment forums—also show that sometimes login credentials can be just as useful.

After all, with the high number of tech users who still reuse their passwords on numerous online accounts, stealing a database of passwords to a fairly innocuous site could result in account access to so-called bigger fish, like email, online banking, major retail websites, and more. Furthermore, it showed that a lot of users establish accounts or link those accounts to their Facebook or Gmail logins without really following up; a lot of people who learned their information was stolen in the Quora breach may have forgotten they even had accounts in the first place. The number of victims in that breach is expected to be over 100 million.

Moving Forward into the New Year

The biggest security events of 2018 may pale in comparison to criminal activity next year. After all, there was a time when the Black Friday 2013 data breach of Target’s POS system was considered shocking. One thing that cybercriminals have taught us time and time again is that there’s money to be made from their activities, and they aren’t going to give up any time soon.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


Read next: “Honeyboys Keeping Internet Users Safe”

Question and answer site Quora announced a data breach that affected about 100 million users’ accounts. The hacked information included names, email addresses, and encrypted passwords. While most people who participate in online discussion via the platform may establish an account, anyone who has posted through Quora anonymously does not need to worry about their name getting “out there” since they never provided it.

Names, email addresses, and Quora passwords might not seem like a big deal to some users. After all, the company discovered the breach on November 30th and has already begun issuing notification letters. They’ve also forced a reset of all account passwords, so everything should be fine.

Unless… unless you’re one of the incredibly high numbers of people—52%, in fact—who reuses their passwords on multiple websites.

For years, security experts have tracked the use of “popular” passwords, and have found bizarrely simple passwords to be the most popular. These include things like “password,” “123456,” and “QWERTY,” just to name a few. But password strength—or lack thereof—isn’t really the problem in this case.

With the Quora breach, it doesn’t matter how amazing your password is, like “h2E9Nb17LW.” If you reuse that same password on any other website on the web, the hackers who have your Quora email and password have those same credentials to try on other sites. Hopefully, your online banking, credit card, PayPal, Amazon, and other vital accounts aren’t connected to those credentials this way.

This incident and so many others that only affect login credentials can be mistaken for being “not a big deal,” but the reality is just the opposite. When web users reuse their credentials like this, they leave themselves vulnerable to other account breaches and identity theft. It’s essential to create a strong password for every account you have, but it’s equally important to keep each strong password limited to one account.


Read next: “Secret Sisterhood” Online Gift Exchange Scam Alert

The term “data breach” serves as a catch-all word for any kind of event in which someone entrusted with information—usually for large groups of people, like one’s customers or patients—allows that information to be exposed. While some data breaches are the work of highly-skilled hackers who can access a billion email accounts at once, others could be something as simple as an electrician leaving his work phone behind on a job site, possibly exposing customers’ info.

However, no matter how it happened, who was at fault, or what information was exposed, all data breaches are serious. They carry the potential for someone to misuse information or harm others.

A recently reported data breach of the United States Postal System’s website appears to be accidental, but since about 60 million users’ information were exposed for at least a year, there’s no telling what damage could have occurred…or has already occurred.

This breach involves the website’s API, or “application program interface.” API is computer lingo for the set of parameters that help legitimate users interact with a website. The API was connected to the USPS “Informed Visibility Mail Tracking & Reporting” service, a mail tracking preview program, where the weakness was found. Unfortunately, by exploiting any security holes found in the tracking service, hackers can interact with the API, too.

Here’s what security researchers found: the USPS website was accidentally left “unlocked,” meaning anyone with an account could change the search parameters and find other users’ accounts and information. They could even make changes to those accounts in some cases.

Think of it like this example: pretend you went to a major retailer’s website to look up a pair of socks you ordered two years ago. You go to your order history, type in your name and zip code, and then your order history appears. Now pretend that you could simply change the zip code or the last name, or your city or street address. What would you do if all of the information for every person in your zip code, last name, city, or street address appeared? What if it showed you every single item those people had ever ordered?

That’s similar to what happened here, and there are a few unfortunate issues with this breach. First, the information was never secured in the first place. It was only a matter of time before someone decided to test out different data points. Also, the USPS was supposedly informed of this website problem a year ago. Recently, the person who informed them then contacted Krebs on Security to report that the matter had still not been resolved, and Brian Krebs reached out to the postal service. After he contacted them, the USPS patched the problem and made it stop.

This certainly isn’t the first time a government agency has suffered a data breach. The Office of Personnel Management, reported in June 2015, and the US State Department, reported in September 2018, for example, have both endured exposures of users’ sensitive information. However, that doesn’t make the issue any easier for the consumers who now need to monitor their USPS accounts and make sure that nothing out of the ordinary has taken place.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


Read next: “Secret Sisterhood” Online Gift Exchange Scam Alert

A recent discovery on an internal message board may be a little unsettling: according to Politico, who discovered the internal memo and first wrote about the incident, the U.S. State Department’s unclassified email system suffered a data breach. This event affected only one percent of the organization’s 69,000 employees, but while the classified email system was not affected, the State Dept acknowledges that the impacted employees’ personally identifiable information may have been compromised.

Events like this one are happening with alarming regularity across every kind of business or agency, leading to record-setting year-over-year numbers of data breaches and compromised consumer records. While the State Department’s investigation of the incident is still underway, the internal memo did cite the need for better password security among employees.

Password security is an issue that plagues users at every level and in every industry. There are even websites that track the most commonly used passwords—discovered as a result of data breaches and stolen account credentials—and unsurprisingly, things like “password,” “qwerty,” and “12345678” still top the lists. Of course, a weak and easily guessed password isn’t the only issue; reusing passwords on multiple accounts leads to fraudulent access too. If a hacker uncovers a database of stolen logins for social media accounts, they can access any other accounts that reused those same usernames and passwords.

The U.S. government has been urged to take extra precautions when it comes to cybersecurity, largely due to the fallout and the resulting legislation from the Office of Personnel Management breach that began in 2014 and continued into 2015. Millions of government employees’ complete identities were stolen, along with identifying information for other people connected to those employees (i.e., family members, former employers).

The event sparked the Federal Cybersecurity Enhancement Act, which was signed into law in 2015. It required federal agencies to take more preventive action to reduce the threat of cybercrimes, and to report on their actionable steps. Unfortunately, those security steps have not been implemented across the board. Several U.S. Senators issued a letter to Secretary of State Mike Pompeo earlier this month, expressing their disappointment that the organization has not followed through on enough of the recommended security measures.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Read next: Is Your Bluetooth Tracking You?

At one point not too long ago, the IRS was reportedly issuing billions of dollars each year in fraudulent tax refunds filed by identity thieves. Thankfully, with better information and new regulations to help curb this problem, improvements have already been made. That doesn’t mean there isn’t still a long way to go towards fighting back against tax return fraud.

One of the chief issues the agency faces is simply the sheer volume of compromised taxpayer records that are floating around, available for identity thieves to purchase and use. Record-setting numbers of data breaches have resulted in hundreds of millions of consumer records exposed, ready to be used by the original thieves or those who buy them online.

Part of the effort to stem the flow of fraudulent refunds has meant slowing down the process significantly. Of course, we all want to receive a speedy refund that gets automatically deposited into our bank accounts, but that level of efficiency means it’s even easier for thieves to get to your money first. By automatically flagging certain returns for review—especially ones that use some of the more common standard deductions like dependent children or child care expenses—the agency hopes to block even higher numbers of phony refunds.

At the same time, the IRS is also taking a close look at its own mechanisms, namely its websites and taxpayer-centric user portals. The anonymity of the internet makes committing this kind of fraud even easier, and by finding ways to lock down their sites for better verification of taxpayer identities, the IRS hopes to stop even more fraud.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Read next: Is Your Bluetooth Tracking You?

There are a lot of ways data breaches can occur; some are accidental, others are the work of “inside job” actors within the company. Some rely on social engineering, like getting you to download a virus to your computer or click a link to a malicious site. Still others are the work of highly-skilled cybercriminals who can infiltrate a network and steal important information.

What all of those have in common, though, is the need to report them to the government. Under certain legal guidelines, companies that experience a data breach can be required to file a notice with the Securities and Exchange Commission upon discovering the breach. If the breach affected the victims’ highly-sensitive personally identifiable information (like Social Security numbers), the company can also be responsible for providing extended protections like credit or identity monitoring.

Chegg, an online tutoring and textbook rental service, discovered a data breach last month, but their investigation showed it had actually begun in April of this year. The company doesn’t have reason to think any sensitive PII or credit card numbers were exposed, so victims should only have to fear for their login credentials.

Why? If you’ve reused your username and password on different accounts, a hacker who accesses one account now has instant access to all of those other accounts as well. So far, the company has stated that the passwords were hashed with encryption, but depending on the type of encryption used, they may still be easily viewable by anyone with the right tools.

Just to be safe, Chegg reset all of its users’ passwords in an effort to prevent any significant damage. As the hackers did manage to access customers’ shipping addresses and email addresses, users should be on the lookout for any upticks in spam email messages, scams or phishing attempts that appear to originate from Chegg or its partners, or other similar tactics.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Read next: Is Your Bluetooth Tracking You?

Today, Facebook announced a recently discovered security breach that relied on an open vulnerability in the platform’s coding. The “View As” feature, which lets users see their own profiles in the way that others see them—without all of the extra admin sidebar content that lets you control your wall—contained script that allowed hackers to use around 50 million accounts.

Facebook first closed the vulnerability and forced a re-login for the 50 million affected accounts. Then, they repeated the forced login for an additional 40 million accounts that didn’t seem to have been affected but that had used the View As feature.

From there, Facebook shut down the View As feature until they can secure it from further fraudulent use.

According to a report about the incident from Facebook, “Our investigation is still in its early stages. But it’s clear that attackers exploited a vulnerability in Facebook’s code that impacted ‘View As,’ a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.”

Whether you hear anything official from the company or not, there are some actionable steps you should take. First, change your password—which you really should be doing routinely in order to maintain your privacy and security. Any apps that you’ve connected to Facebook (you’ll know you’ve done this if you are able to log into it with your Facebook account) need to be force closed and logged out; it’s a good idea to a) change your password on those if you have one, and b) revoke the permission for Facebook to connect with it by going into your Facebook settings and removing it. Go into your settings and find all of the current devices you are logged into ( see screenshot above) and click “Log out of all devices” to ensure that no one with bad intentions may still be logged in to your account.

Finally in this case, changing your password means that you are changing the tokens on your devices that allow you to stay logged in. By doing this, it should update the tokens that might have fallen into the hands of bad-actors that might want the valuable personal information that would be in your Facebook profile. Remember, periodic proactive checks to your privacy and security settings will help you stay one step ahead of the identity thieves.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Read next: The Harm in Hoaxes on Social Media

With all of the high-tech hacking, malware attacks that cripple entire networks, and new ways to steal or fabricate someone’s complete identity, it’s easy to forget that some of the things that used to be problems in the past are, still a problem.

On Aug. 16, a data breach was discovered that affected multiple Cheddar’s Scratch Kitchen restaurants in numerous states. Investigators believe the operative first launched the breach in early November of 2017 and continued through Jan. 2. More than 500,000 payment cards were compromised in the breach.

The company has sent out notification letters to the victims and offered identity monitoring for the affected customers. They also revamped the payment card system in April of this year, but still advise all of their customers to monitor their account information very closely for any signs of suspicious activity.

This incident clearly demonstrates that “old-fashioned” methods of stealing identifying and financial information are still out there, even if they’re sometimes overshadowed by larger events like the or the cyber attack that hit last year. Even old tactics like dumpster diving for your junk mail or health insurance statements can lead to identity theft crimes, even if they’re on a much smaller scale than a data breach like this one.

To help minimize the risks associated with this kind of incident, there are steps that consumers can take:

1. Enable alerts on your payment cards – If your financial institution offers it, you can set up text or email alerts that tell you any time your card number is used without the physical card being present. If your account info is stolen in a breach like this one, you’ll know if someone uses your card fraudulently. One person who contacted the Identity Theft Resource Center was on her child’s school trip when she received an alert; a quick call to her credit card company showed that someone had used her account number to buy several iPhones at a cellular store. The transaction was promptly canceled and a new card sent to the victim.

2. Monitor your accounts closely – By taking even a quick peek at your account statements on a regular basis (something you can even set up to do online or on your mobile device), you can stay on top of any unusual activity.

3. Place a credit freeze – This event only compromised the customers’ payment card numbers, but in this climate of record-setting data breaches, some consumers are opting for preventive credit freezes. New legislation goes into effect next month that will remove the fee associated with freezing and unfreezing your credit, which helps prevent new accounts from being opened with your identifying information. If more sensitive information is stolen in other data breaches, you’ll be better prepared to fend off identity theft and fraud.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Read next: The Harm in Hoaxes on Social Media