• Businesses are re-hiring team members after COVID-19 lockdowns. However, the Identity Theft Resource Center (ITRC) is also seeing a rise in online job scams, particularly mystery shopper scams. The ITRC has seen a 250 percent increase in mystery shopper scams from June to July.
  • Job scams are not uncommon. According to the FBI’s Internet Crime Complaint Center (IC3), 16,012 people reported being victims of employment scams in 2020, with losses totaling more than $59 million.
  • Law enforcement agencies across the country are also seeing the rise. The St. Martin Parish Sheriff’s Office in Louisiana is asking its citizens to be on the lookout for online job scams. The FBI wants people to watch for fake job listings.
  • To avoid a job scam, only use a reputable website for employment opportunities, be careful how much personal information you share and don’t pay upfront costs.
  • To learn more about online job scams, contact the ITRC toll-free by phone (888.400.5530) or live-chat by visiting www.idtheftcenter.org.

Updated 7/21/2021: With many people vaccinated for COVID-19, most businesses are reopening and rehiring team members. Criminals are also looking to take advantage of the surge in hiring. The Identity Theft Resource Center (ITRC) has seen a rise in the number of online job scam reports to its contact center, particularly mystery shopper scams. In fact, the ITRC has seen a 250 percent increase in mystery shopper scams from June 2021 to July 2021.

The ITRC is not the only organization to see the job scam uptick. The St. Martin Parish Sheriff’s Office in Louisiana is urging its citizens to be on the lookout for online job scams. The FBI wants people to keep an eye out for fake job listings.

Work-From-Home Job Scams

While vaccinations are on the rise, the pandemic is still ongoing, meaning many people are still looking for jobs where they can work from their homes. According to the Federal Trade Commission (FTC), criminals are aware of this and are posting the “perfect” work-from-home jobs, claiming you can be your own boss and set your schedule. They claim you can make a lot of money in a short amount of time and with little effort.

Mystery Shopper Scams

Mystery shopping has been around for a long time. Mystery shoppers help businesses, retailers and restaurants get information on the quality of their stores in exchange for money. In the past, scammers have found ways to turn the service into a mystery shopper scam, also known as a secret shopper scam. The ITRC saw a spike in 2020, and is seeing a rise again. There are different forms of mystery shopping scams.

Tips to Avoid an Online Job Scam

According to the FBI’s Internet Crime Complaint Center (IC3), 16,012 people reported being victims of employment scams in 2020, with losses totaling more than $59 million. While you are looking for the right job, there are a few things to remember:

  • Know the source of the job listing and only use reputable websites to find employment opportunities. This will require you to do some research. Look online for independent sources of information. While the company’s website or advertisement may show testimonials or reviews from satisfied employees, they could still be fake. Instead, you should search the name of the company or the person who’s hiring you and add a word like “scam,” “review” or “complaint.” Searching for “Acme Co Scams” will give you search results that show if the company is legitimate and if it has been associated with fraud. You will often see what other employees and customers think of the would-be employer.
  • If it seems too good to be true, it probably is. Be mindful of unsolicited emails and offers with outrageous claims, such as “Earn $3,000 a week working from home.”
  • Once you find a job posting, be careful how much personal information you share, at least during the application period. If a company claims they want to do a phone, Skype or Zoom interview due to social distancing and safety, that’s okay. However, it does not mean you should turn over sensitive personal information like your Social Security number (SSN) until you have been given a job offer contingent on passing a background check (which requires an SSN). Also, before you accept an offer or send a potential employer your personal information, run the job offer or posting by someone you trust.
  • Legitimate jobs don’t usually require any upfront fees or costs. Even things like company uniforms or specialized equipment like steel-toed shoes are often deducted from the first paycheck or purchased by the employee through an outside company. Typically, a form of payment is not requested. If an employer asks for a finder’s fee, administrative fee, background check fee or other funds, it is probably a scam. Even for legitimate actions like submitting a bank account number and routing number for direct depositing of paychecks, it’s vital to ensure the company is legitimate and the job has already been awarded before submitting the information. Also, don’t pay for the promise of a job. Only scammers will ask you to pay to get a job.
  • Don’t send money to your new boss. If a potential employer or new boss sends you a check, asks you to deposit it and then buy gift cards, it is a scam. While the check may look like it cleared and the funds look available in your account, the check is still fake and you will be responsible for any purchases.
  • Never pay to be a mystery shopper. Don’t wire money or send a “deposit” via PayPal, Venmo or Zelle. Also, to avoid a mystery shopper scam, cash the check at an issuing bank or wait until the money has not just posted but cleared the other account. If the check is not good, the victim can return the cash into their account.

Contact the ITRC

There are many different job scams, particularly online job scams. If you have questions, want to learn more or if you believe you were the victim of an online job scam, contact us. You can speak with an expert advisor by phone (888.400.5530) or live-chat. Just visit www.idtheftcenter.org to get started.

  • If you have a Venmo account, you may have been asked recently to re-verify your identity on Venmo. The payment app asks users to do so as part of compliance with government regulations. Anyone who does not take part in the identity verification process will not be able to store money on the app. Instead, money will have to go to and from a bank account or credit card.
  • While there is always a risk in providing sensitive information to a company, identity verification is necessary to reduce the number of identity crimes. Venmo also made changes to its privacy settings. Users can now select a “public,” “friends” or “private” setting for their friends list. They can also opt-out of being seen on the friends lists of other Venmo users.
  • To learn more, or if you believe you were the victim of a payment app identity crime, contact the Identity Theft Resource Center toll-free by phone (888.400.5530) or live-chat. Just go to www.idtheftcenter.org to get started.

Have you recently received a message asking you to verify your identity on Venmo? Has the payment app asked you to verify information like your Social Security number (SSN), address and other personal information? If so, it’s not a scam. Venmo is in the middle of making some changes, including updating its privacy settings and doing identity verification with all of its users. The payment app is reaching out to users asking them to re-verify their identity as required by government regulations.

What the Changes Mean

If you are asked to verify your identity on Venmo, you have to do it, or else you will not be able to store money on the app. You can still use it, but money would have to go to and from a bank account or credit card, according to Venmo’s rules. While some are skeptical about the messages they are receiving, and about providing their personal information, the goal of identity verification is to avoid phishing attacks and other scams.

Venmo is also now giving people an option to select a “public,” “private” or “friends” setting for their friends list and to opt-out of being seen on the friends lists of other Venmo users.

The Rise in Cash App Scams

Cash app scams have been on the rise since COVID-19. Over the last year and a half, scammers have been out in full force targeting cash app users on social media, via email and through texts in hopes of stealing users’ money and identities. Asking you and others to verify your identity on Venmo and offering more privacy settings could slow down the pace of cash app scams by limiting the use of fraudulent accounts, especially when more people are using payment apps.

Why You Should Verify Your Identity on Venmo

If a company stores sensitive information, the user is always at risk if the company is ever breached. However, as Identity Theft Resource Center (ITRC) president and CEO Eva Velasquez told Slate Magazine in a recent interview, identity authentication and verification is still a really important step that has to be taken to stem identity crimes. It is why the ITRC encourages people, if it is legitimate, to participate in the identity verification process. It is an important way for you to protect yourself and it creates more barriers criminals must try to successfully evade to commit payment app scams.

If you decide you want to verify your identity with Venmo, you can do so by going to your Venmo app, opening up your settings, and tapping “identity verification.” Prompts will then guide you throughout the process. You can only do this on the Venmo app and not the website.

How to Stay Safe on Venmo

While you are better protected if you verify your identity on Venmo, scams and identity crimes can still happen. Here are some tips to keep you safe:

  • Enable all the security features like screen lock/biometric lock and Find my Phone to keep hackers from accessing your payment app and stealing login credentials or money.
  • Use a strong and unique password to reduce the risk of hacking. The ITRC recommends a passphrase that is at least 12 characters long.
  • Beware of phishing attacks and avoid unsolicited emails or text messages that ask you to send money directly through Venmo. Never click on any links or attachments in messages you aren’t expecting. Criminals may send people an unsolicited payment request through a mobile app.
  • Look for red flags like payments you did not make using Venmo. If you are victimized, you should report it to Venmo, change your account password and consider scanning your device with antivirus software.
  • Consider other cyber-hygiene practices like multifactor authentication using an app on your phone. Also, consider taking advantage of Venmo’s new privacy settings and limit the number of people who can see your account by going to “Settings” and then “Privacy” in the Venmo app. Additional layers of protection will keep your account more secure.

Contact the ITRC

If you want to learn more about how to verify your identity on Venmo, have questions or concerns about the process, or believe you are the victim of a cash app identity crime, contact the ITRC. You can speak with an advisor toll-free by phone (888.400.5530) or live-chat. Just visit www.idtheftcenter.org to get started.

On June 28, 2021, the Identity Theft Resource Center (ITRC) discovered a particular form of a phishing attack (also known as a brand spoofing attack) imitating our non-profit organization. The spoofed email, which was determined to be an identity monitoring services scam, sent offers of an “elite search account” with monitoring services to “track your social security, name, address, phone, and any other pertinent information that may be compromised over the web.”

The ITRC Never Charges Consumers or Collects Sensitive Information

The ITRC never charges consumers for assistance, and any communication you receive claiming to offer an ITRC service for a fee is a scam. The ITRC only provides no-cost identity theft victim remediation services for individuals, and those services do not include a monitoring service.

The ITRC also does not request or collect sensitive personal information like Social Security numbers, driver’s license numbers or physical addresses. The ITRC may ask for your email or phone number to send you free identity theft resources and educational advice. The limited information you share is never sold to anyone and is only shared with our research partners with your permission.

What is a Brand Spoofing Attack?

For Consumers:

With this attack style, a cybercriminal imitates a well-known brand to offer a product or service. The attack may also include a live operator acting as a contact center service representative. Consumers need to follow the best practices for avoiding phishing attacks:

  • Be suspicious of emails that claim you must pay, click for your offer or open an attachment immediately.
  • Think about if you have ever interacted with the company before. If this is a new company or account, go directly to their website or call to ask them if the offer is legitimate.
  • If you think you clicked on a malicious attachment, be sure to run an update on your computer and consider anti-virus software.
  • If you gave away your personal or financial information, place a credit freeze on your credit reports and monitor your accounts regularly.

For Businesses:

If your business email, website, social media accounts, or text services were used in a brand spoofing attack, notify your customers or visitors of the spoof and the steps they should take if they have given their account password or financial information to a criminal. You may direct victims to the ITRC’s contact center or website for free assistance.

Read more about business email imposter recovery steps to take with advice from the Federal Trade Commission.

What You Need to Know About Identity Monitoring Services Scams

In an identity monitoring services scam, an identity thief poses as a well-known brand or government agency and contacts you to say your identity has been compromised. They claim to have discovered your personal information on the dark web and insist you should pay for services to monitor your identity.

The identity monitoring services scam is similar to the IT support scam where the cybercriminal poses as Microsoft, Apple, etc. to say your computer has been infected with malware and is alerting you. They then urge you to clean it up as soon as possible and will take your credit card information or payment through gift card to clean up the infection for you.

Report to the ITRC

If you receive an email, phone call or other communication that asks for your personal or financial information to pay for a service, report it directly to the ITRC to receive our free remediation services to help protect your identity and help prevent additional identity crimes. The ITRC’s expert advisors will help you take additional steps if required, to secure your identity.

Contact the ITRC for Free Identity Theft Information

If you accidentally click on a link of a brand phishing attack or provide information to what you discover later was a fake website form, contact the ITRC toll-free at 888.400.5530 or live-chat with an expert advisor on the company website www.idtheftcenter.org. An advisor will walk you through the steps to take to protect yourself from any possible identity misuse. 


The ITRC is a non-profit organization established in 1999 to empower and guide consumers, victims, business, and government to minimize risk and mitigate the impact of identity compromise and crime. Read more about our mission.

  • According to a new study, 74 percent of the participants were not aware of the breaches where there was documented evidence their information was compromised. 
  • While the study also found that most victims blamed themselves, researchers say the fault for data breaches almost always lies with poor cybersecurity practices by the company that lost control of the information, not with the victims of the breach. 
  • However, the reuse of passwords is also to blame. Participants admitted to using the same or similar passwords on multiple accounts. 
  • While researchers say notice of data breach letters are a great idea in theory, they believe the letters are generally not helpful in practice because poor communication by companies can make them hard to understand. 
  • To learn about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) data breach tracking tool, notified.
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org.

No Darkness but Ignorance 

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for June 25, 2021. Our podcast is possible thanks to support from Experian. Each week we look at the most recent events and trends related to data security and privacy. This week, we will talk about some new research that tackles an issue we’ve been pondering at the ITRC for a while now: What do people do when they receive a notice of data breach letter? 

In Twelfth Night, Shakespeare wrote what was almost certainly a throw-away line: “There is no darkness but ignorance.” The line, referring to a character who was tricked into believing he only thought his jail cell was dark, was actually a reflection of Shakespeare’s belief that education and knowledge solve most ills.

So, it is true today when it comes to the impacts of data breaches and the actions people take when they learn their identities have been compromised. That is to say, most people don’t know how many times they have been breached. When they learn their information is in the wild, they don’t do much about it. 

Many Consumers Are Unaware When Their Information is Involved in a Breach 

Researchers from the University of Michigan School of Information, along with colleagues at Georgetown University and Germany’s Karlsruhe Institute of Technology, published a study this week that found participants were not aware of 74 percent of the breaches where there was documented evidence their information was compromised.

The researchers also found that most of the 413 study participants blamed themselves for becoming a victim of a data breach. Only 14 percent said the responsibility for the compromise was with other actors. Victims cited their own use of the same password for multiple accounts, keeping the same email for a long time and signing up for “sketchy” accounts as some of the personal behaviors they believe contributed to their information being breached. 

Researchers Say Victims Are Not Usually at Fault  

However, the researchers point out that the fault for data breaches almost always lies with poor cybersecurity practices by the company that lost control of the information, not with the victims of the breach.  

This study supports the conclusions of a smaller report from Carnegie Mellon University’s CyLab from May 2020. That study of data breach victims focused on what happened when consumers received a notice of data breach letter. The short answer is “not much.”

Reuse of Passwords is Also to Blame  

In the Carnegie Mellon study, two-thirds of the participants who received data breach notices of compromised email accounts did not change their passwords. Only 13 percent of the breach victims who did change their passwords did so within the first three months following the breach announcement. What is most concerning is the updated passwords were often weaker than the previous passwords that were compromised.

As in the University of Michigan study, participants admitted to using the same or similar passwords on multiple accounts. The Carnegie Mellon cohort had an average of 30 other passwords that were like the breached password. On average, those who changed a breached password changed fewer than three of the 30 similar passwords.

Notice of Data Breach Letters May Not Be Very Helpful  

One other common element of the two studies: both sets of researchers believe that notice of data breach letters are a great idea in theory, but are generally not helpful in practice. They believe poor communication practices by companies render the notices difficult to understand and don’t offer any practical advice. 

Contact the ITRC 

That’s not a problem at the ITRC. If you have questions about how to keep your personal information private and secure, visit www.idtheftcenter.org where you’ll find helpful tips. You can also sign-up to receive our regular email updates on identity scams and compromises. Look out for our analysis of data breaches in the first half of 2021 that will be released on July 7.  

If you think you have been the victim of an identity crime or a data breach and you need help figuring out what to do next, you can speak with an expert advisor on the phone, chat live on the web or exchange emails during our normal business hours (6 a.m.-5 p.m. PST). Just visit www.idtheftcenter.org to get started.  

Thanks again to Experian for supporting the ITRC and this podcast. Be sure to check out our sister podcast, The Fraudian Slip. We will be back next week with another episode of the Weekly Breach Breakdown. 


LexisNexis talks with the ITRC in the newest Fraudian Slip podcast about the impact of identity fraud in the government & business sectors and how you can prevent identity fraud 

  • This month’s Fraudian Slip podcast talks about the steady growth of cybercriminals using stolen information to commit identity fraud.  
  • In the final ten months of 2020, the Identity Theft Resource Center (ITRC) helped about 750 individuals who were the victims of unemployment identity fraud. On June 2, the ITRC surpassed the number of identity-related unemployment fraud victims for 2020 in only six months.  
  • The ITRC sat down with LexisNexis, a leading provider of information used to mitigate risks, to discuss identity crimes, how you can prevent identity fraud and much more. Listen to this week’s episode of The Fraudian Slip.
  • You can also learn more about identity fraud in government and business, other topics discussed in the podcast, and how to protect yourself from identity fraud and compromises by visiting the ITRC’s website.
  • If you think you are the victim of an identity crime or your identity has been compromised, you can call us, chat live online, send an email or leave a voicemail for an expert advisor to get advice on how to respond. Just visit www.idtheftcenter.org to get started.  

Below is a transcript of our podcast with special guest Haywood J. “Woody” Talcove, CEO of LexisNexis Special Services 

Welcome to The Fraudian Slip, the Identity Theft Resource Center’s (ITRC) podcast, where we talk about all-things identity compromise, crime and fraud that impact people and businesses.   

This month, June, we’re going to dig into a trend impacting consumers, businesses, government agencies and other institutions. That trend is the steady growth of cybercriminals using stolen information to commit identity crimes. How can you prevent identity fraud? 

Identity theft occurs when a person’s or business’s information is stolen. Identity fraud is when that information is misused, and there is a lot of misuse going on these days. At the ITRC, in the final ten months of 2020, we helped about 750 individuals who were the victims of unemployment identity fraud – which is to say a criminal used their personal information to apply for unemployment benefits in their home state or other states.  

On June 2, the ITRC surpassed the number of identity-related unemployment fraud victims for 2020 in only six months, with four months left until the enhanced benefits that are attracting criminals expire.  

At the root of the rise in identity fraud is the billions of bits of personal information available to cybercriminals that can be used to pretend to be just about any adult in the U.S. While that may sound intimidating, there are groups whose mission is to help prevent information misuse and to ensure people “are who they say they are” to make sure benefits and privileges go to the actual person who needs them. They ensure the benefits do not go to a professional imposter halfway around the world, an organized crime ring or just garden variety criminals down the street. 

Helping us make sense of how you can prevent identity fraud is the ITRC’s CEO Eva Velasquez and Haywood J. “Woody” Talcove, CEO of LexisNexis Special Services, a leading provider of information used to mitigate risks.   

We talked with Haywood J. “Woody” Talcove about the following: 

  • What LexisNexis does to help mitigate risk. 
  • The impact of identity fraud in the government and business sectors. 
  • What can be done to prevent and mitigate identity fraud by government and business (information as both a risk and the solution). 

We talked with Eva Velasquez about the following: 

For answers to all of these questions and more on how you can prevent identity fraud, listen to this week’s episode of The Fraudian Slip Podcast.   

Contact the ITRC 

You can learn more about identity fraud as well as get help if you have been the victim of an identity crime by visiting the ITRC’s website at www.idtheftcenter.org. While you are there, sign up for our emails that alert you to the latest scams, monthly data breach updates and tips to protect your identity. 

Be sure and join us next week for our sister podcast, the Weekly Breach Breakdown, and next month for another episode of The Fraudian Slip.  

  • Scripps Health cyberattack led to a pause in the healthcare provider’s medical services for weeks and the exposure of personal and financial information for more than 147,000 people.  
  • A Herff Jones data compromise was discovered after multiple students reported fraudulent transactions with their payment cards. 
  • A data exposure of an unsecured database divulged an elaborate Amazon review scam. The database had direct messages between Amazon vendors and customers willing to provide fake Amazon reviews in exchange for free products. 
  • For more information about May data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) data breach tracking tool, notified.   
  • If you believe you are a victim of identity theft from a data breach, contact the ITRC toll-free at 888.400.5530 or through live-chat on the company website www.idtheftcenter.org.  

Notable May Data Breaches 

Of all the data compromises the Identity Theft Resource Center (ITRC) tracked in May, three stand out: Scripps Health, Herff Jones, and an unsecured database with fake Amazon reviews. All three data events are notable for unique reasons. In one, a ransomware attack led to the exposure of sensitive information and a healthcare system having to shut down its systems, impacting thousands of patients. Another event was discovered after graduating students from several universities in the U.S. noticed fraudulent transactions on their payment cards. The third compromise revealed an Amazon review scam after messages were found between Amazon vendors and customers willing to provide fake Amazon reviews for free products. 

Scripps Health 

On May 1, Scripps Health, a San Diego-based healthcare system, suffered a ransomware attack that shut down many of its systems for nearly a month. According to HealthITSecurity, attackers gained access to the network, deployed malware, and exfiltrated copies of data on April 21. It was recently revealed that more than 147,000 patients, staff and physicians may have had their personal and financial information compromised as part of the Scripps Health cyberattack. However, electronic medical record applications were not accessed during the attack. Instead, the data was stolen from other documents stored on the network. 

The information exposed in the Scripps Health cyberattack includes names, addresses, dates of birth, health insurance information, medical record numbers, patient account numbers, and clinical information such as physician name, dates of service and treatment information. According to a notice from Scripps Health, for less than 2.5 percent of patients, Social Security numbers and driver’s license numbers were also affected.  

The Scripps Health ransomware attack is just the latest in a long list. Ransomware attacks are considered one of the top cybersecurity threats in 2021. Cybersecurity firm Proofpoint found that ransomware attacks are now viewed as the top cybersecurity threat by nearly half, 46 percent, of Chief Information Security Officers in a survey from earlier in the year. 

Herff Jones 

Bleeping Computer reports that students from several universities in the U.S. recently made claims about fraudulent transactions after using payment cards at cap, gown and class ring maker Herff Jones. Most students reported losses between $80 and $1,200, while one student reported a friend was charged $4,000 for a PS5 gaming system.  

Herff Jones, unaware of the compromise until students complained on social media about the fraudulent charges, immediately began an investigation. While the investigation is still ongoing, the company says they identified the theft of certain customers’ payment information. The impact of the Herff Jones data compromise is still unknown, including the number of records exposed and what records may have been compromised aside from payment card information. In a statement, Herff Jones said that they have taken steps to mitigate the potential impact and notified law enforcement.

Unsecured Database with Fake Amazon Reviews 

A data exposure of an Elasticsearch database divulged an elaborate Amazon review scam. According to Safety Detectives, the database, which contained over 13 million records and anywhere from 200,000 to 250,000 affected users, had direct messages between Amazon vendors and customers willing to provide fake Amazon reviews in exchange for free products. 

The Safety Detectives research team says the server was left open without any password protection or encryption. The personal data of people providing fake Amazon reviews, as well as Amazon vendors, could be found in leaked messages on the database. The information exposed includes full names, emails, usernames, PayPal addresses, links to Amazon profiles and more. The data exposure reminds us that no one is immune from being impacted by a data compromise, whether it is a cybercriminal or a regular consumer. For more information on this data compromise, read the ITRC’s blog on the incident. 

What to Do if These Breaches Impact You 

Anyone who receives a data breach notification letter should follow the advice offered by the company. The ITRC recommends immediately changing your password by switching to a 12+-character passphrase, changing the passwords of other accounts with the same password as the breached account, considering using a password manager and keeping an eye out for phishing attempts claiming to be from the breached company.   

In an interview with NBC 7 San Diego on the Scripps Health cyberattack, ITRC CEO Eva Velasquez advises anyone impacted to freeze their credit and report the incident to their creditors and bank.  

Regarding the Herff Jones data compromise, the company encourages people with questions to reach out to their customer service team at 855.535.1795 between 9 a.m. and 9 p.m. EST Monday through Friday until they identify and notify impacted customers.  

notified 

For more information about May data breaches, or other data breaches, consumers and businesses should visit the ITRC’s data breach tracking tool, notified, free to consumers.  

Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.     

Contact the ITRC 

If you believe you are the victim of an identity crime or your identity has been compromised in a data breach, you can speak with an ITRC expert advisor at no cost by phone (888.400.5530) or live-chat. Just go to www.idtheftcenter.org to get started.  

  • Multiple states, including California, Florida, Colorado and more, are offering lottery & sweepstakes incentive programs for COVID-19 vaccine recipients, but scammers are taking advantage of the eager consumers. 
  • Scammers are posing as government officials and informing vaccine recipients they have won a lottery, then following through by asking for bank details and Social Security numbers. 
  • To avoid these scams, be on alert for anyone asking for banking and personal information that can lead to financial identity theft. 
  • If anyone believes they are a victim of a COVID-19 lottery or sweepstakes scam, they can contact the ITRC toll-free by phone (888.400.5530) or live-chat. Just go to www.idtheftcenter.org to get started.  

Millions of U.S. residents have already received their COVID-19 vaccine and are automatically entered into their state’s lottery or sweepstakes program, which scammers are cashing in on as well. For example, California residents are reporting  COVID-19 vaccine scams where criminals pose as government officials with fake notifications claiming they have won the lottery. The scammer then asks for personal or banking data to claim their prize. 

Who are the Targets? 

Residents of states with lotteries or other vaccination incentives; vaccine recipients 

What is the Scam? 

Criminals are posing as government officials, informing vaccine recipients they have won the lottery and asking for bank details and Social Security numbers.   

What They Want 

Scammers can use your banking information from these COVID-19 vaccine lottery scams to commit financial identity theft or sell your information to other cybercriminals. They are also looking to collect “lottery fees” upfront. Remember, you should never pay money to receive money, especially in a contest, sweepstakes or lottery. 

How to Avoid Being Scammed 

  • California and Colorado state residents 18 and older who receive the vaccine are automatically entered to win based on shot registration information and do not need to enter. However, Kentucky and Oregon residents must enter through the official website. Be sure to check with your state’s program on entering rules. 
  • If you are a lottery winner, you do not need to pay money or provide your banking information to claim your prize. 
  • Always go directly to the source to verify if the information is coming from a legitimate source. In this case, check with the Department of Public Health or lottery authority in your state. 
  • If you’ve received a phishing email, text or phone call, report it. You can report it to the Federal Trade Commission at www.ftc.gov/complaint.  

If anyone believes they are a victim of a COVID-19 lottery or sweepstakes scam, they can contact the ITRC toll-free by phone (888.400.5530) or live-chat. Just go to www.idtheftcenter.org to get started.

  • Amazon recently connected to its new network, “Sidewalk,” leaving some people wondering how to opt-out of Amazon Sidewalk. It takes a little piece of the network bandwidth of people who have either an Amazon Echo or a Ring doorbell connected to their Wi-Fi and shares it with others who have Amazon devices to create a mesh network.
  • While Amazon says the information will not be shared with other devices on the network, it still connected to people’s devices without their permission.
  • To opt-out of Amazon Sidewalk on an Amazon speaker, open the Alexa mobile app and go to More > Settings > Account Settings > Amazon Sidewalk and choose Disable. For a Ring doorbell, in the app go to the Control Center > Amazon Sidewalk > Disable > Confirm.
  • To learn about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) data breach tracking tool, notified.
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org.

Sharing is Not Caring

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for June 11, 2021. Our podcast is possible thanks to support from Experian. Each week, we look at the most recent and interesting events and trends related to data security and privacy. This week, we will talk about how your parents, grandparents and teachers were wrong when you were young – at least when it comes to cybersecurity. We will also discuss how to opt-out of Amazon Sidewalk, a new mesh network.

How many times did you hear someone tell you that you need to share your toys with your sister or brother? “Share what you have” with your friends probably was thrown in there, too – along with this chestnut: sharing is caring.

That might be true on the playground when you’re talking about a cup of goldfish crackers. However, in today’s episode, we are talking about privacy and cybersecurity. Sharing is definitely NOT caring, especially when you’re forced to give up a piece of your internet bandwidth to your neighbors.

Amazon’s New Mesh Network “Sidewalk”

We are talking about Amazon’s new mesh network known as “Sidewalk.” Sounds innocent enough, right? It makes you think of walking around your neighborhood waving at your friends sitting on their front porch while you take a stroll with your trusty dog Rex.

Except in this scenario, you have an Amazon Echo smart speaker and a Ring doorbell connected to your Wi-Fi. Rex is wearing a Tile smart tag, so you can find him when he runs away to make a deposit on a neighbor’s lawn. All of those Amazon smart devices are now automatically connected to the new Sidewalk network that went live on June 8, without your permission.

What the New Sidewalk Network Does

Right about now, you may be wishing you could trade that glass of lemonade you have been nursing on your walk for something a little stronger because chances are you’ve never heard of Sidewalk. That’s what Amazon calls its new local network that takes a little piece of your network bandwidth, up to 500 MB per month, and shares it with your neighbors who also have Alexa hanging around their houses.

The idea is it boosts Wi-Fi signals in weak areas by pooling the bandwidth of every house that has an Amazon device on a network. This “take a little here and give a little there” approach is known as a mesh network.

What It Means

Amazon hasn’t been shy about touting the benefits of this kind of expanded network. It means when Rex runs away, that Tile smart tag you put on his collar can be tracked as long as Rex is near the new neighborhood-wide network. It means a sketchy signal will not prevent your Ring doorbell from showing you that pimply-faced kid who just showed up to take your daughter to the movies. Also, it means you can ask Alexa to tell you a joke in parts of your house where you couldn’t connect until Sidewalk launched.

What it doesn’t mean, according to Amazon, is that Alexa will share your information with the other devices in your neighborhood that are now connected to the wider network. There are also strict limits on how much bandwidth Sidewalk can use per month, so your internet bill doesn’t go through the roof.

While that’s good to know, it doesn’t change the fact that Sidewalk is, like Alexa and Ring, always on and you were not asked if you wanted to join the network.

How to Opt-Out of Amazon Sidewalk

Fortunately, there is a way to jump off the Sidewalk by changing the settings on your Amazon devices. Here’s how to opt-out of Amazon Sidewalk:

  • For the Echo family of speakers, open the Alexa mobile app and go to More > Settings > Account Settings > Amazon Sidewalk. Choose Disable, and you’re done.
  • In the Ring app, go to the Control Center > Amazon Sidewalk > Disable > Confirm.

While you’re busy putting your Wi-Fi back in the house where it belongs, make sure you have a strong password on your home network to keep cybercriminals and your cheapskate neighbor off your network. Sorry, we can’t do anything about the kids or dogs on your lawn.

Contact the ITRC

If anyone has questions about keeping their personal information secure or on how to opt-out of Amazon Sidewalk, they can visit www.idtheftcenter.org, where they will find helpful tips. People can also sign-up to receive our regular email updates on identity scams and compromises and download our latest report on how identity crimes impact individuals.

If someone thinks they have been the victim of an identity crime or a data breach and needs help figuring out what to do next, they should contact us. Victims can speak with an expert advisor on the phone, chat live on the web or exchange emails during our normal business hours (6 a.m.-5 p.m. PST).

Thanks to Experian for supporting the ITRC and this podcast. Next week be sure to check out our sister podcast, The Fraudian Slip when we talk with the CEO of LexisNexis Special Services about the role of information in preventing identity crimes. We will be back in two weeks with another episode of the Weekly Breach Breakdown.

  • Application Programming Interfaces (APIs), software that allows two different applications to talk to each other and work together, are becoming more popular. Their use is up 61 percent in 2020 over 2019. However, so are API attacks – a 211 percent rise in 2020.
  • API flaws are at the root of the SolarWinds and Microsoft attacks and the Peloton data breach. API attacks also led to personal information from Facebook and LinkedIn being scraped.
  • To prevent API attacks, businesses with their own API developers should implement stronger testing protocols and security. Businesses that hire API development companies should insist on the highest level of testing and security. Consumers are encouraged to ask organizations they do business with how they protect personal information.
  • To learn about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) data breach tracking tool, notified.
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org. Coming later this month, people can talk after-hours, weekends and on holidays with our new automated chatbot, ViViAN.

Alphabet Soup

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for June 4, 2021. Each week, we look at the most recent and interesting events and trends related to data security and privacy. This week we are going to talk about an emerging threat to data security. By default, it’s personal information that most people are unaware even exists. It’s part of the alphabet soup of tech terms that can seem like a cure for insomnia.

Application Program Interfaces (APIs)

We are talking about API attacks. In fact, some of the biggest security events of 2020 and 2021 resulted from these kinds of attacks. So, what is an API, and how can it cause so much trouble?

API is short for Application Programming Interface. In English, that means the software that allows two different applications to talk to each other and work together. Think of when someone goes to a travel website to see which airline has the lowest price and best schedule for their vacation. It’s an API that connects the travel site to the airline’s system to get them the information they need. One may never see or interact with an API, but it’s there working in the background.

APIs Are Growing in Popularity

There’s nothing particularly complex about most APIs, which means they are not subjected to many of the rigorous testing protocols required for other software. Meanwhile, the use of APIs is growing – 61 percent in 2020 over 2019, and the growth rate in 2021 is projected to be 71 percent, according to trade publication Dev Ops Digest. Compare that to the growth in malicious API transactions in 2020 – a 211 percent increase.

API Flaws Becoming More Common in Security and Data Breaches

With poor software testing practices and a rapid development pace, flaws in APIs are climbing up the list of underlying causes of data and security breaches. Consider some recent research findings from API security firm SALT:

  • Ninety-one (91) percent of respondents suffered a security incident in their APIs in 2020.
  • Fifty-four (54) percent of those API attacks were tied to software flaws; 46 percent of the attacks succeeded because a malicious transaction was recognized as being legitimate.
  • Eighty-two (82) percent of organizations lack confidence in knowing which APIs expose personal information.
  • One hundred (100) percent of Salt Security’s customers that suffered API attacks in 2020 had standard cybersecurity tools like web application firewalls in place, but they did not prevent the attack.

API flaws are at the root of the SolarWinds and Microsoft attacks and the Peloton data breach. APIs were also exploited to scrape personal information from Facebook and LinkedIn.

How Can Businesses and Consumers Protect Themselves from API Attacks?

What can be done to minimize the risk of API attacks? Businesses that have their own API developers need to implement stronger testing protocols and security. Businesses that hire API development companies should insist on the highest level of testing and security.

Consumers should ask organizations with whom they do business how they protect personal information, including their cybersecurity and data protection programs.

Contact the ITRC

If anyone has questions about keeping their personal information secure, they can visit www.idtheftcenter.org, where they will find helpful tips. People can also sign-up to receive our regular email updates on identity scams and compromises and download our latest report on how identity crimes impact individuals.

If someone thinks they have been the victim of an identity crime or a data breach and needs help figuring out what to do next, they should contact us. Victims can speak with an expert advisor on the phone, chat live on the web or exchange emails during our normal business hours (6 a.m.-5 p.m. PST). On June 4, people can talk after-hours, weekends and holidays with our new automated chatbot, ViViAN. Just visit www.idtheftcenter.org to get started. 

Be sure to check out our sister podcast, The Fraudian Slip. We will be back next week with another episode of the Weekly Breach Breakdown.