  • E-signature scams are rising as remote workers rely more on DocuSign, HelloSign and similar services. Recently, some employees at the Identity Theft Resource Center (ITRC) received phishing emails that claimed to have an invoice attached for them to sign.  
  • Other e-signature email scams ask people to enter their personal and financial information, claiming that they either have a notification or their account was suspended.  
  • These e-signature scams and phishing attacks can lead to malware and stolen personal and financial data used to commit different forms of identity crimes.  
  • To avoid these scams, you should ignore any emails you are not expecting, never click on any unknown links and reach out directly to the person the email claims to come from to verify the validity of the message.  
  • If anyone believes they are a victim of an e-signature scam or wants to learn more, they can contact the ITRC toll-free by phone (888.400.5530) or live-chat. Just go to www.idtheftcenter.org to get started.  

DocuSign and similar services that offer verified electronic signatures have grown in popularity since COVID-19. According to one e-signature company’s recent financial report, its total revenue has increased by more than 50 percent. It’s no surprise more people need the services of an e-signature company. It is also no surprise that e-signature scams are spiking as a result. Multiple Identity Theft Resource Center (ITRC) employees recently received emails claiming to be from DocuSign with “invoices” attached.

While convenient, e-signature services give threat actors another way to steal identities and financial and personal data. Consumers should keep an eye out for e-signature email scams so they don’t fall victim to a phishing attack.  

Who are the Targets? 

DocuSign users; Email users; Employees 

What is the Scam? 

In the latest e-signature scams, criminals send phishing emails claiming to come from “DocuSign Electronic Service.” The subject line typically tells users they received an invoice or notification from a service, for example DocuSign Electronic Service. The emails contain malicious attachments that could lead to malware. Other e-signature scams tell people that they have a notification or that their account is suspended, and ask them to click on a link and enter their personal and financial information. 

What They Want 

Criminals commit malware attacks and steal people’s personal and financial information to execute an array of identity crimes. They use the information to access people’s bank accounts, credit card accounts and work accounts, or they sell the personal information to other criminals. 

How to Avoid Being Scammed 

  • If you have not been requested to sign any documents, be wary of an email asking you to sign something. It is probably a phishing attack. 
  • Look for misspellings in the email. Sometimes scammers will alter a letter in the sender’s email address, hoping you do not notice. For example, if it is a DocuSign email scam, the sender address may be “@docsgn.com” instead of “@docusign.com.” 
  • Always check the sender’s email. If the email comes from an address or name you do not recognize, ignore it. If it claims to be from someone you work with, contact that person directly and ask them if they sent you the document. 
  • Never click on any links in an email you are not expecting. Instead, contact the source of the email directly to verify the validity of the email. 
  • If you’ve received a phishing email, report it. You can report it to the Federal Trade Commission at www.ftc.gov/complaint.  
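
The sender checks from the list above, as an added example (not ITRC's or DocuSign's code): it flags a From header whose domain is a near-miss of a trusted domain, or whose display name uses the brand while the domain does not match. The trusted list, the edit threshold of 2 and the sample headers are assumptions constructed for illustration.

```python
import re
from email.utils import parseaddr

# Assumption: domains this mailbox legitimately receives e-signature mail from.
# Only docusign.com is named on the page; extend the tuple for your own vendors.
TRUSTED_DOMAINS = ("docusign.com",)
MAX_EDITS = 2  # "docsgn.com" is two deletions away from "docusign.com"


def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "docusing" for "docusign".
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]


def registrable(domain):
    """Last two labels only; a simplification that ignores the Public Suffix List."""
    return ".".join(domain.split(".")[-2:])


def classify_sender(from_header):
    """Return (verdict, trusted_domain_it_relates_to) for one From header value."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ("unparseable", None)
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    shown = re.sub(r"[^a-z0-9]", "", display.lower())

    # Exact domain or a subdomain of it. This says only that the header matches:
    # the From header can be forged, so SPF/DKIM/DMARC results still have to pass.
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted or domain.endswith("." + trusted):
            return ("trusted-domain", trusted)

    # Near-miss spelling, or the brand name embedded in an unrelated domain.
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in domain or osa_distance(registrable(domain), trusted) <= MAX_EDITS:
            return ("lookalike", trusted)

    # Display name claims the brand but the address belongs to someone else.
    for trusted in TRUSTED_DOMAINS:
        if trusted.split(".")[0] in shown:
            return ("brand-in-display-name", trusted)

    return ("no-match", None)


# Constructed sample headers, not taken from real messages.
SAMPLES = [
    '"DocuSign Electronic Service" <dse@docsgn.com>',
    "DocuSign Electronic Service <notice@mail.example.net>",
    "Billing <inv@docusign.com.example.net>",
    "Jane Doe <jane@docusign.com>",
    "Pat <pat@example.org>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(classify_sender(header), header)
```
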

To learn more about e-signature scams, or if you believe you were the victim of an e-signature email scam, contact the ITRC toll-free by calling 888.400.5530. You can also visit the company website to live-chat with an expert advisor. Go to www.idtheftcenter.org to get started.   

  • A new cybersecurity executive order will lead to the creation of a Cyber Safety Review Board, removing barriers to sharing threat information and much more.
  • The Cyber Safety Review Board will determine how cybercriminals were able to infiltrate the SolarWinds software used by key government agencies and nearly every Fortune 500 company, and will meet anytime there is a significant event. Also, federal agencies will eliminate legal barriers that prevent the sharing of information about data and security breaches.
  • Since the same companies that sell technology to the government also sell products to consumers and businesses, the level of quality and security will rise for every use and everyone.
  • To learn about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) new data breach tracking tool, notified.
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org. Coming in June, you can talk after-hours, weekends and on holidays with our new automated chatbot, ViViAN.

Come What May

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for May 28, 2021. Each week, we look at the most recent and interesting events and trends related to data security and privacy. This week, we will focus on something unusual – a new cybersecurity executive order and solutions to the seemingly endless race against cybercriminals.

In Macbeth, Shakespeare wrote: “Come what come may, time and the hour runs through the roughest day.” Without question, the last six months have been rough on companies, governments and individuals as identity scams and cyberattacks have captured headlines and disrupted lives.

Changes to How the Federal Government Approaches Cybersecurity

From companies most people have never heard of like SolarWinds and Accellion to household names like Microsoft and Peloton, along with critical infrastructure organizations like Colonial Pipeline and the respected Scripps Health system, organizations and institutions alike have been on the wrong side of data and security breaches.

However, federal officials have announced a series of actions that privacy and cybersecurity experts are praising as both needed and welcome changes to how the federal government approaches cybersecurity. Because the U.S. government purchases billions of dollars in IT products and services each year, the private sector, including individual consumers, will also benefit.

Top Provisions in New Cybersecurity Executive Order

There are seven key actions in the new Executive Order on Improving the Nation’s Cybersecurity. We don’t have time to go into all seven, so let’s focus on two of the most important provisions:

  1. Establishing a Cyber Safety Review Board; and,
  2. Removing barriers to sharing threat information.

The best news is, we already have a model in other areas that we know works. Here’s what we mean. Southwest Airlines flight 1380 was climbing through 32,000 feet on the morning of April 17, 2018. At approximately 11:03 a.m., fan blade No. 13 in the left engine shattered due to a previously undetected stress fracture. A 12-inch section weighing 6.825 pounds and a two-inch section of a fan blade weighing .650 pounds separated from the rest of the fan blade assembly. The result was an uncontained failure of the jet engine.

We know all of this because the National Transportation Safety Board (NTSB) publishes its findings so the public and industry can benefit from the knowledge gained in accident investigations. This decades-old information-sharing model has resulted in the safest form of transportation on the planet. According to the National Safety Council, the odds in 2019 of you dying while walking were one in 543. Dying in a plane crash? So low as to not be measurable.

What are the odds of a company suffering a cyberattack? It’s not a matter of “if,” but how many times, how frequently and if the attack succeeds. A 2017 study by the University of Maryland claims an attack occurs every 39 seconds. Yet, despite the near-constant level of cyber threats, there is no NTSB-style body to find and share the root causes of cyber incursions and the ways to prevent future attacks.

What the New Cybersecurity Executive Order Means

Due to the new cybersecurity executive order, federal agencies have been instructed to find the legal barriers that prevent the sharing of information about data and security breaches and get rid of them. The Homeland Security Secretary is to form a panel of public and private sector experts to determine how cybercriminals were able to infiltrate the SolarWinds software used by key government agencies and nearly every Fortune 500 company. The group is to convene anytime there is a significant cyber event, just like the NTSB.

Later in the year, federal agencies and the companies that sell them hardware and software will have to adopt strict new quality control standards. Because the same companies that sell technology to Uncle Sam also sell products to consumers and businesses, the overall level of quality and security will rise for every use and everyone.

Contact the ITRC

If anyone has questions about keeping their personal information secure, they can visit www.idtheftcenter.org, where they will find helpful tips. People can also sign up to receive our regular email updates on identity scams and compromises and download our latest report on how identity crimes impact individuals.

If someone thinks they have been the victim of an identity crime or a data breach and needs help figuring out what to do next, they should contact us. Victims can speak with an expert advisor on the phone, chat live on the web or exchange emails during our normal business hours (6 a.m.-5 p.m. PST). And coming in June, people can talk after-hours, weekends and on holidays with our new automated chatbot, ViViAN. Just visit www.idtheftcenter.org to get started. 

Be sure to check out our sister podcast, The Fraudian Slip. We will be back next week with another episode of the Weekly Breach Breakdown.

Synchrony shares with the ITRC in the newest Fraudian Slip podcast the latest in data minimization, privacy laws and their impact on consumers 

  • On this month’s Fraudian Slip podcast, we are talking about the evolution of privacy. In 2018, the European Union adopted a data privacy law (General Data Protection Regulation, known as the GDPR). Since then, multiple states in the U.S. have either adopted laws with many of the same principles, or are actively considering one.  
  • The ITRC sat down with Synchrony, one of the leading financial services companies based in the U.S., to discuss these privacy issues and much more.  
  • To learn more, listen to this week’s episode of The Fraudian Slip.
  • You can also learn more about the privacy, security and identity management topics discussed in the podcast and how to protect yourself from identity fraud and compromises by visiting the ITRC’s website.
  • If you think you are the victim of an identity crime or your identity has been compromised, you can call us, chat live online, send an email or leave a voicemail for an expert advisor to get advice on how to respond. Just visit www.idtheftcenter.org to get started. 

Below is a transcript of our podcast with special guest Ricky Davis, Sr. Vice President & Chief Privacy Officer for Synchrony 

Welcome to The Fraudian Slip, the Identity Theft Resource Center’s (ITRC) podcast, where we talk about all-things identity compromise, crime and fraud that impact people and businesses.  

This month, May, we are going to talk about the evolution of privacy. Historically, we have always treated privacy, cybersecurity and identity management – that’s how your identity information is created and used – as three separate and distinct issues. We have a handful of federal laws that deal with identity and cybersecurity – primarily around health and financial information.

Every state, the District of Columbia and U.S. territory has a data breach notice law that requires consumers to get an alert if their personal information is exposed in a cyberattack or just good old-fashioned dumpster diving. We also have a patchwork quilt of industry self-regulations and government regulations that address the security required to protect data that companies keep on their customers and prospects. 

However, there is a change, and an evolution of privacy, in the wind. What started in the European Union in 2018 with the adoption of a single, comprehensive data privacy and cybersecurity law has now spread to the U.S. California has adopted many of the principles found in the EU’s General Data Protection Regulation (GDPR). Now, the Commonwealth of Virginia has joined the club.  

A dozen other states are also actively considering new privacy laws that add rights for consumers, obligations for businesses and fundamentally change the way we think about how we create, use, store, share and protect personal information. 

We talked with Ricky Davis, Sr. Vice President & Chief Privacy Officer for Synchrony, one of the leading financial services companies based in the U.S., about the following: 

  • The role of a Chief Privacy Officer 
  • The benefits to an organization to have a privacy focus 
  • What we have learned about the GDPR after three years that will help U.S. consumers and businesses 
  • The concept of data minimization (don’t collect or store more than you need for longer than you need it) and why it is important 
  • State laws versus a comprehensive federal law 

We also talked with ITRC CEO Eva Velasquez about the following:  

  • The practical effect on consumers of having three separate infrastructures – privacy, security and identity management 
  • The benefits to consumers from having more rights to access data 
  • State laws versus a comprehensive federal law 

For answers to all of these questions, and more on the evolution of privacy, listen to this week’s episode of The Fraudian Slip Podcast.  

Contact the ITRC 

You can learn more about data privacy, cybersecurity and other identity-related issues by visiting the ITRC’s website at www.idtheftcenter.org and by listening to our sister podcast, the Weekly Breach Breakdown.

If you have questions about how to protect your personal information, or if you believe you have been the victim of an identity crime or compromise, talk to one of our expert advisers on the phone, by live-chat or by email during normal business hours (6 a.m.-5 p.m. PST). Just visit www.idtheftcenter.org to get started. 

Be sure and join us next week for our Weekly Breach Breakdown podcast and next month for another episode of The Fraudian Slip. 

  • With data breaches on the rise, the last 30 to 45 days have been one of the most intense periods seen in a while because of the pace, scope and impact of the crimes.
  • GEICO suffered a data breach that impacted 132,000 people and could lead to unemployment fraud; the Pennsylvania Department of Health and ParkMobile both had data incidents due to third-party providers; and Peloton had a problem with third-party software that allowed other users to see people’s personal information.
  • Researchers guessed up to 80 percent of iPhone and iPad users would take advantage of Apple’s new anti-tracking privacy feature. However, based on early downloads of the iOS update, 96 percent of users are using the new feature to opt-out of app-tracking.
  • To learn about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) new data breach tracking tool, notified.
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org.

Too Fast, Too Furious

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for May 14, 2021. Each week, we look at the most recent and interesting events and trends related to data security and privacy. This week we’re highlighting data breaches on the rise the past 30 days in one of the most intense periods of cyberattacks and data breaches we’ve seen in a while.

With all due respect to Vin Diesel and the rest of the cast of the Fast and Furious movie franchise, we’re calling this week’s episode “Too Fast, Too Furious” because of the pace, scope and impact of identity compromising events over the past 45 days – some of which are still ongoing. We also have a quick update on the impact of the recent privacy tools added to iPhones and iPads.

ITRC’s Notable Breaches for April

In the ITRC’s most recent monthly report of data breaches, we highlighted three major events:

  • GEICO’s breach of driver’s license data that impacted 132,000 customers;
  • The contact tracing service hired by the Pennsylvania Department of Health failing to secure the COVID-related personal health information of Keystone state residents; and,
  • Twenty-one (21) million users of the ParkMobile app having their information exposed thanks to a vulnerability in third-party software.

Each of these is unique in some ways but also reflective of broader trends.

GEICO

In the case of GEICO, when announcing the data breach at the nation’s second-largest auto insurance company, officials said the stolen data was being used as part of unemployment insurance fraud schemes. Pandemic-related benefits fraud is estimated to be closing in on $100 billion. The ITRC is on pace to surpass the total number of unemployment identity fraud victims we helped in 2020 by the end of May 2021.

Pennsylvania Dept. of Health & ParkMobile

The events involving the Pennsylvania Department of Health and the ParkMobile parking app are two variations of the same issue: problems with third-party suppliers. In the case of the Pennsylvania Department of Health, the vendor supplying COVID-19 contact tracing services didn’t secure the personal information of 72,000 people. With ParkMobile, a third-party software issue exposed users’ personal information. Issues with supply chains are an escalating trend when it comes to data compromises, especially cyberattacks where threat actors can steal the data of multiple companies in a single attack.

Peloton

More recently, an issue with third-party software also allowed users of the popular Peloton exercise bikes to see the personal information of other users. The flaw was found by an independent cybersecurity researcher who reported the issue to Peloton, which did not initially respond to his information. Ultimately, Peloton fixed the issue early this month, but not before opening three million subscribers to having their information exposed. Peloton has since acknowledged they have fixed the problem, and there is no evidence of anyone stealing the user information.

Update on the New Apple Privacy Feature

Finally, an update on how many people are taking up Apple’s offer to block mobile app owners from collecting and selling user data without first getting consent. Researchers guessed before the launch of the new anti-tracking privacy feature that as many as 80 percent of iPhone and iPad users would take advantage of the blocking technology.

The actual number, based on early downloads of the iOS update, is 96 percent of users saying no to app-tracking. That’s a giant obscene gesture to companies that rely on third-party data for marketing and advertising and the platforms that collect and sell user information. Now here is the next question: Who will follow Apple’s lead in addressing the privacy and cybersecurity concerns of consumers?

Contact the ITRC

If anyone has questions about keeping their personal information private and how to protect it, data breaches on the rise or the new Apple privacy update, they can visit www.idtheftcenter.org. They will find helpful tips on these and many other topics. People can also sign up to receive our regular email updates on identity scams and compromises.

If someone thinks they have been the victim of an identity crime or a data breach and needs help figuring out what to do next, they should contact us. Victims can speak with an expert advisor on the phone, chat live on the web or exchange emails during our normal business hours (6 a.m.-5 p.m. PST). Visit www.idtheftcenter.org to get started. 

Be sure to listen next week to our sister podcast – The Fraudian Slip – when we’ll talk to the Chief Privacy Officer of Synchrony, a leading financial services company. We will be back in two weeks with another episode of the Weekly Breach Breakdown.

  • A recent GEICO data breach led to fraudsters gaining access to nearly 132,000 GEICO customers’ driver’s license numbers. GEICO says they believe threat actors could use the information to apply for unemployment benefits fraudulently.
  • The Pennsylvania Department of Health’s third-party contact tracing vendor, Insight Global, failed to secure phone numbers, email addresses and personal information like gender, age, sexual orientation, COVID-19 diagnosis and exposure status of more than 72,000 Pennsylvania residents. Third-party breaches continue to be a growing trend.
  • Like the Pennsylvania Department of Health, ParkMobile Parking App also suffered a supply chain attack. The ParkMobile data incident exposed the non-sensitive information of 21 million users, putting them at risk of falling victim to social engineering.
  • For more information about April data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) data breach tracking tool, notified.  
  • If you believe you are a victim of identity theft from a data breach, contact the ITRC toll-free at 888.400.5530 or through live-chat on the company website www.idtheftcenter.org.

Notable April Data Breaches

Of all the data breaches the Identity Theft Resource Center (ITRC) tracked in April, three stand out: GEICO, Pennsylvania Department of Health and the ParkMobile Group. All three data events are notable for unique reasons. In one, the company is very detailed in how criminals are misusing the information and what people should look out for; another event includes a contact tracing service failing to secure the private information of some residents in Pennsylvania – re-affirming a trend identified by the ITRC; the third compromise led to the exposure of data for 21 million people – stemming from a supply chain attack.

GEICO

A security bug led to threat actors stealing personally identifiable information (PII) from approximately 132,000 GEICO customers between January 21 and March 1. According to the GEICO data breach notice, fraudsters used the information they acquired about customers elsewhere to obtain unauthorized access to people’s driver’s license numbers through the online sales system of their website. GEICO says that they believe the information from the breach could be used to apply for unemployment benefits fraudulently. Unemployment benefits fraud continues to impact consumers all over the U.S. There could be over $200 billion lost to the fraud. The ITRC has received over 1,400 cases of unemployment benefits fraud in 2020 and 2021, compared to only 12 cases in 2019.

The GEICO data breach is notable because the insurance company is very detailed in how the information could be used and what people need to keep an eye on. It is not often the ITRC sees this level of detail in a data breach notice.

Pennsylvania Department of Health

Insight Global, a company that has provided COVID-19 contact tracing services for the Pennsylvania Department of Health since 2020, failed to secure the private information of more than 72,000 people.  According to WSKG, a health department spokesman said they recently learned workers at Insight Global disregarded security protocols established in the contract and created unauthorized documents outside the state’s secure data system.

The information exposed in the Pennsylvania Department of Health data compromise includes phone numbers, email addresses and personal information such as gender, age, sexual orientation, COVID-19 diagnosis and exposure status. The Pennsylvania Department of Health does not know how many people may have viewed or downloaded the documents. Officials say notifications will be mailed to all affected Pennsylvania residents.

The Pennsylvania Department of Health data compromise is the latest third-party exposure to occur. According to the ITRC’s Q1 2021 Data Breach Report, there’s been a 42 percent increase in supply chain attacks, including 27 at third-party vendors impacting 137 U.S. organizations, and 19 supply chain attacks in Q4 2020.

ParkMobile Group

The parking app, ParkMobile, also suffered a data compromise due to a vulnerability in third-party software, affecting 21 million people. According to the ParkMobile notification letter, they became aware of the vulnerability and launched an investigation, which is still ongoing. Information exposed includes license plate numbers, email addresses, phone numbers, mailing addresses and vehicle nicknames. According to KrebsOnSecurity, the data appeared for sale on a Russian-language crime forum.

Anyone who uses the ParkMobile parking app, used by cities and universities across the U.S., could be at risk of falling victim to social engineering. While no sensitive information was exposed, if hackers get enough information about people, they can put all of the information they have gathered together to commit identity fraud.

What to Do if These Breaches Impact You

Anyone who receives a data breach notification letter should follow the advice offered by the company. The ITRC recommends immediately changing your password by switching to a 12+-character passphrase, changing the passwords of other accounts with the same password as the breached account, considering using a password manager and keeping an eye out for phishing attempts claiming to be from the breached company.  

GEICO encourages its customers to check their account statements and credit reports regularly for any suspicious activity.

The Pennsylvania Department of Health has set up a hotline (855.535.1787) for those concerned about the security of their information.

notified

For more information about April data breaches, or other data breaches, consumers and businesses should visit the ITRC’s data breach tracking tool, notified, free to consumers. 

Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.    

Contact the ITRC

If you believe you are the victim of an identity crime or your identity has been compromised in a data breach, you can speak with an ITRC expert advisor at no cost by phone (888.400.5530) or live-chat. Just go to www.idtheftcenter.org to get started. 

  • The U.S. Attorney’s Office for the District of Maryland, working with the Homeland Security Investigations (HSI) in Baltimore, recently seized the fake COVID-19 vaccine website “Freevaccinecovax.org.”
  • The website collected personal information from people who visited it by asking them to download a PDF file to their device to apply for more information.
  • Interacting on a malicious website offering COVID-19 vaccines could lead to an array of identity crimes, including a phishing attack, malware attack and different forms of social engineering.
  • COVID-19 vaccines are not being sold online. Any link that claims to take someone to a website to purchase one is fake. To find a vaccine appointment online, people should go through their local department of health, pharmacy or health care provider.
  • For more information on fake COVID-19 vaccine websites, or if you believe you are a victim of a COVID-19 vaccine scam, contact the Identity Theft Resource Center toll-free by phone (888.400.5530) or live-chat on the website www.idtheftcenter.org.

Federal officials shut down a fake COVID-19 vaccine website after discovering the website was stealing people’s personal information for cybercriminal activity. According to Threatpost, the U.S. Attorney’s Office for the District of Maryland, working with Homeland Security Investigations (HSI) in Baltimore, seized “Freevaccinecovax.org,” “which purported to be the website of a biotechnology company developing a vaccine for the COVID-19 virus,” according to a news release on the office’s website.

Since the U.S. began administering the COVID-19 vaccines, cybercriminals have tried to take advantage of consumers’ desire for vaccinations. According to NBC 4 Washington, BrandShield, a global cybersecurity firm protecting some of the world’s largest pharmaceutical companies from cyberthreats, found a 4,200 percent increase in potentially fraudulent COVID-19 vaccine websites from January 2020 through the end of February 2021. The news of the latest malicious website highlights the importance of being cautious with COVID-19 vaccine websites and how to use them.

Who are the Targets?

People looking to receive the COVID-19 vaccine

What is the Scam?

Threat actors created “Freevaccinecovax.org” to collect personal information from people who visited the website to commit identity crimes like fraud, phishing attacks or to deploy malware. Threatpost says the fake COVID-19 vaccine website used trademarked logos for Pfizer, the World Health Organization (WHO) and the United Nations High Commissioner for Refugees (UNHCR) on its homepage to trick people into believing it was a legitimate site. The malicious website had a drop-down menu that asked users to apply for information by downloading a PDF file to their device.

What They Want

Identity criminals are after people’s personal information to commit phishing attacks, malware attacks, social engineering and other forms of identity-related fraud.

How to Avoid Being Scammed

To avoid a fake COVID-19 website:

  • Ignore websites trying to sell a vaccine. COVID-19 vaccines are not being sold online. Any link that claims to take you to a website to purchase one is fake.
  • Do not click on any posts or ads claiming to sell cures. Remember, if it seems too good to be true, it probably is.
  • If you are checking for a vaccine appointment online, make sure you do it through your local department of health, pharmacy or health care provider. Never follow a link randomly sent to you.

To learn more about COVID-19 vaccine scams, malicious websites, or if you believe you were on a fake COVID-19 vaccine website, contact the Identity Theft Resource Center toll-free by calling 888.400.5530. You can also visit the company website to live-chat with an expert advisor. Go to www.idtheftcenter.org to get started.  

  • The Federal Emergency Management Agency (FEMA) reports that criminals are creating COVID-19 funeral scams. The announcement comes just days after the federal agency launched a new program to provide relief to the families of loved ones who died from COVID-19.
  • As part of the funeral scam, criminals contact people offering to register them for funeral assistance. Identity thieves are looking to steal money, as well as personal and financial information, to commit identity theft.
  • If you receive an unsolicited message offering to assist in registering for the program, you should contact FEMA directly. Also, you should never pay a fee or share personal information with anyone who sends an unsolicited message to obtain a government benefit on your behalf.
  • To report a funeral scam, call FEMA’s Helpline at 800.621.3362. To learn more, contact the Identity Theft Resource Center (ITRC) toll-free by phone (888.400.5530) or live-chat at the company website www.idtheftcenter.org.

The Federal Emergency Management Agency (FEMA) is doing what it can to help the families of loved ones who died from COVID-19. However, due to criminals, everyone needs to be on the lookout for COVID-19 funeral scams.

FEMA started a program in mid-April that offers up to $9,000 in relief to help families cover the funeral expenses for those who passed after June 20, 2020, from COVID-19. However, criminals have found a way to take advantage of the newest program.

FEMA has sounded the alarm with a fraud alert. They have received reports of scammers reaching out to people by phone, email, and online, offering to register them for funeral assistance. However, FEMA says that is not how the program works.

The Identity Theft Resource Center (ITRC) has received more than 1,500 reports of identity fraud related to government benefits since the beginning of the pandemic.

Who are the Targets?

The families and friends of loved ones who died from COVID-19 who are applying for FEMA’s COVID-19 Funeral Assistance Program.

What is the Scam?

FEMA says criminals are contacting people and offering to register them for funeral assistance. However, the criminals are asking for “fees” and other options to “expedite the process” to register for funeral expenses.

According to FEMA, any efforts that charge fees to assist in the application process are scams. The application process begins when you call the agency’s Funeral Assistance Line at 844.684.6333. FEMA will not contact you about the program unless you have already contacted them.

What They Want

Scammers hope to make off with either money or personal information, yours or your deceased loved one’s, to commit an identity crime in your name or your loved one’s name.

How to Avoid Being Scammed

  • If someone contacts you about the assistance program and you did not either apply or call FEMA directly, ignore it because it is a COVID-19 funeral scam. FEMA will not reach out until you either call them or apply for assistance.
  • Do not pay a fee for quicker service because that is another sign of a funeral scam. The government will not ask you to pay anything to get the FEMA benefits.
  • Do not provide your own or your deceased loved one’s personal or financial information to anyone based on an unsolicited call, text message, or email claiming to come from FEMA or another federal agency.
  • If you received a COVID-19 funeral scam call or email, report it to the FEMA Helpline at 800.621.3362.

Contact the ITRC

If you believe you are a victim of the COVID-19 funeral scam, received a suspicious message and want to know if it is a funeral scam, or want to learn more, contact the ITRC toll-free. You can call (888.400.5530) or use the live-chat function on the company website. Just go to www.idtheftcenter.org to get started.   

  • A new Apple privacy update, iOS 14.5, lets consumers stop Apple apps from tracking them.
  • Unless someone gives permission to an app, it cannot use their data for targeted ads, share their location data with advertisers, or share their advertising identity or any other identifiers with third parties.
  • If you do not want to be tracked by your Apple device, download Apple’s latest update (14.5), and select Settings > Privacy > Tracking, and toggle off Allow Apps to Request to Track. You can also decide on an app-by-app basis by selecting “Ask App Not to Track” or “Allow” once you download a new app.
  • To learn about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notified. 
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org.

He Loves Me Not

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for April 30, 2021. Each week, we look at the most recent and interesting events and trends related to data security and privacy. This week we’re going to focus on a seismic event in the data privacy world.

In Henry IV, Shakespeare’s play about taking action while others fail to act, Lady Percy says, “Some heavy business hath my lord in hand, And I must know it, else he loves me not.”

In this case, she’s referring to plans for a rebellion. However, in the context of this week’s episode, we’re talking about the new Apple privacy update, which gives consumers more control over their data as a substitute for privacy legislation. Later in the article, we will tell people how to take advantage of a new feature from the makers of the iPhone and iPad.

New Apple Privacy Update Feature

In an earlier episode, we talked about Apple’s controversial decision to add a built-in privacy feature that would block the ability of applications to track users. That tracking data is used to serve ads to people, either by the app owner or by a third party that buys the information and uses it to target people with ads as they travel around the digital world.

Consumers Can Opt-Out of Being Tracked By their Apple Apps

Apple announced the new App Tracking Transparency feature in June 2020 to give app developers plenty of time to prepare for the change. And a big change it is. Unless someone gives permission to an app – including those made by Apple – it can’t use one’s data for targeted ads, share their location data with advertisers, or share their advertising identity or any other identifiers with third parties.

Many Privacy Experts & Consumer Advocates Favor the Change

Privacy experts and consumer advocates think the new Apple privacy update is a great step forward in giving people more direct control over their data, who has access to it, and how it is used. Advocates have long sought a shift in the U.S. to a more European privacy model where consumers must give their permission before personal information is collected and used.

From the beginning of the digital economy, the U.S. has built business models on a no-option basis. That means people have no choice but to surrender their personal information, which then becomes the property of the business, not them.

Thanks to a strong European privacy law that went into effect in 2018 – and several state laws and regulations in California, New York and Virginia – we are beginning to see the ability of consumers to “opt-out” of certain types of data collection and sales. That is to say consumers can tell a company to stop collecting, selling or sharing their information.

However, that approach is not universal since the U.S. has no national privacy law, and 48 of the 50 states have not passed specific data privacy laws. Enter the Apple privacy update that allows customers to block data collection.

What You Should Do If You Don’t Want to Be Tracked by Your Apple Device

If you don’t want to be tracked by your Apple devices, here’s what you need to do:

  • Download and install the new iOS version 14.5 on your iPhone or iPad.
  • Once you do that, you can block access on an à la carte basis. When you download a new app, you will be asked if you want to let the app track your activity. You can select “Ask App Not to Track” or “Allow” if you are okay with that application collecting and using your data.
  • You can also opt out of app tracking across every app you download by going to Settings > Privacy > Tracking, and toggling off Allow Apps to Request to Track. That way, any new app will be automatically informed that you have requested not to be tracked. Also, all apps (unless you’ve already permitted them to track you) will be blocked from accessing your device’s information used for advertising.
  • For apps that you have already downloaded and agreed to allow tracking, you can still turn those permissions on or off on a per-app basis in your device settings. 

The Lasting Effects Are Still Unknown

Predictions on how the Apple privacy update will affect consumer behavior, data sales, and ad revenues range from “meh” to Chicken Little-level “the sky is falling.” We will revisit this topic once we know if we can go about our business or need a hard hat.

Contact the ITRC

If anyone has questions about keeping their personal information private and how to protect it, or on the new Apple privacy update, they can visit www.idtheftcenter.org, where they will find helpful tips on these and many other topics. 

If someone thinks they have been the victim of an identity crime or a data breach and needs help figuring out what to do next, they should contact us. People can speak with an expert advisor on the phone, chat live on the web or exchange emails during our normal business hours (6 a.m.-5 p.m. PST). Visit www.idtheftcenter.org to get started. 

Be sure to check out the most recent episode of our sister podcast, The Fraudian Slip. We will be back next week with another episode of the Weekly Breach Breakdown. 

  • Facebook and LinkedIn recently suffered data incidents that led to personal information like full names, emails and phone numbers being posted in identity marketplaces where cybercriminals buy and sell data.
  • While some have called the recent data leaks “data breaches,” they technically and legally are not data breaches in the U.S. Rather, they involve a legitimate and legal technique called “scraping.”
  • Even though these events are not data breaches, the Identity Theft Resource Center (ITRC) is creating an additional category of identity data compromises called “data leaks” to keep track of and report these kinds of events.
  • The Facebook and LinkedIn data leaks serve as good reminders to never post information online that you wouldn’t want people you don’t know or trust to see.
  • To learn about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notified. 
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org.

Data Breaches, Exposures, and Leaks! Oh, My!

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for April 23, 2021. Each week, we look at the most recent and interesting events and trends related to data security and privacy. In the movie version of The Wizard of Oz, Dorothy Gale of Kansas, the Scarecrow and the Tin Man are following the Yellow Brick Road through a dark and scary forest on their way to the Emerald City. They fear that wild animals are present as they chant “Lions…and Tigers…and Bears! Oh, my!” just before they meet the Cowardly Lion. Apply that principle to data security, and you get the title of today’s episode – “Data Breaches, Exposures, and Leaks! Oh, My!”

Facebook and LinkedIn’s Recent Data Leaks

People may have seen media coverage about the recent data leaks at Facebook and LinkedIn. Personal information like full names, emails and phone numbers posted to user profiles were found in the identity marketplaces where cybercriminals buy and sell data.

In the case of Facebook, which would be the third-largest country in the world behind China and India if it were a nation-state, the information on some half-a-billion people was exposed. Approximately 30 million live in the U.S. An even larger number of LinkedIn users were impacted by a similar event. To date, 837 million profiles have been exposed.

Facebook and LinkedIn Events Not Considered Data Breaches

These two recent data leaks have created quite the controversy in data privacy and security circles. People may have noticed that the ITRC has not referred to these events as data breaches. It’s because they technically and legally are not, at least under U.S. law. European Data Protection authorities have launched an investigation into both companies for potential violations of privacy laws. However, in the U.S., it’s a lot more complicated.

If you are a Facebook or LinkedIn user, you voluntarily provide the information posted to those and other social media websites. The companies try to limit the ability to copy users’ data. However, depending on how you configure your privacy settings, that information is, in fact, available for viewing by anyone. And if it can be seen, it can be misused.

Facebook and LinkedIn Suffered “Scraping”

There is a legitimate technique known as “scraping,” where companies copy large amounts of information that otherwise would require manual entry into a database. It is perfectly legal and typically involves getting permission and being transparent about how the data is used.

There are still some grey areas when it comes to private information being posted publicly on websites. In fact, there is a case pending before the U.S. Supreme Court directly on this question of copying information from LinkedIn. Lower courts have said publicly posted information is fair game for scraping even if LinkedIn’s terms and conditions say it is not.

Facebook and LinkedIn Events Fall Between the Cracks of Current Laws

What makes the recent data leaks at Facebook and LinkedIn so troubling is that they fall between the cracks of existing laws. If a criminal gained access to a company’s customer records that included names, addresses, phone numbers and email addresses, that would be a crime and considered a data breach.

Copying the same information posted voluntarily and publicly is not considered illegal today. Also, the current laws did not envision the ability to copy millions of unrelated records and combine them into a single database that could be used to commit identity fraud.

The ITRC to Create “Data Leak” Category of Identity Data Compromises

Even though these recent data leaks are not data breaches, the ITRC is creating an additional category of identity data compromises to keep track of and report these kinds of events. We’re going to call this new category “data leaks.”

It is also a good time to issue a reminder. Be careful what you post online. If you don’t want people you don’t know or trust to see your private information, don’t post it online.

Contact the ITRC

If anyone has questions about keeping their personal information private and how to protect it, they can visit www.idtheftcenter.org, where they will find helpful tips on these and many other topics. 

If someone thinks they have been the victim of an identity crime or a data breach – like the recent data leaks – and needs help figuring out what to do next, they should contact us. People can speak with an expert advisor on the phone, chat live on the web or exchange emails during our normal business hours (6 a.m.-5 p.m. PST). Visit www.idtheftcenter.org to get started. 

Be sure to check out the most recent episode of our sister podcast, The Fraudian Slip. We will be back next week with another episode of the Weekly Breach Breakdown.

  • The proper disposal of e-waste – old electronic devices that are no longer used – is a priority, particularly for protecting personal data. The Identity Theft Resource Center (ITRC) reported 78 data compromises in 2020 around “physical attacks”; 52 percent of them from device theft and improper disposal.
  • E-waste puts personal information at risk and can have environmental impacts, too. It is why individuals need to adopt good e-waste solutions by educating themselves on the issue, re-evaluating their needs for more electronics and safeguarding their information.
  • Most people do not know how to recycle e-waste. Individuals should reuse electronics, if possible, and donate their old devices to be recycled if not. When people get rid of old electronics, they should put all of the data on a backup system and then wipe the device clean of personal information.
  • For more information, or if you believe you are a victim of identity theft, contact the ITRC toll-free by phone (888.400.5530) or live-chat. Just go to www.idtheftcenter.org to get started.

According to the Identity Theft Resource Center’s (ITRC) 2020 Data Breach Report, there were 78 “physical attacks” in 2020. Device theft and improper disposal (which includes electronic devices) made up 52 percent of the attacks. The Verizon 2020 Data Breach Investigations Report finds more than one thousand cases of loss involving mobile devices in 2019.

As technology continues to evolve, users and manufacturers are finding more ways to keep safety, environmental impact and security measures in mind, all of which revolve around how to recycle e-waste. Issues range from the risk of fire from batteries and devices being sent to landfills to the disposal of information that could lead back to a user’s account and put them at risk of identity theft.

What Are E-Waste Solutions?

There are a handful of e-waste solutions consumers should keep in mind.

  1. Education: People should learn about the dangers of e-waste and what they can do about it.
  2. Re-evaluating the need: One e-waste solution is to minimize e-waste itself. Do you need that extra device? What are you doing with your devices once you are done with them? Are you reusing electronics? Re-evaluating your need for electronics can help cut down on how many devices end up in a landfill.
  3. Safeguarding information: Before you dispose of any electronics, you should make sure you save your data on a backup system or hard drive and then wipe the device clean. That way, no one can access your files if the device is improperly recycled or ends up in the wrong hands. If you are getting rid of a phone, do a factory reset to restore the phone to “empty status.” By taking these steps, you are protecting your personal information.

How to Recycle E-Waste

Instead of discarding electronics, the best e-waste solution is to reuse or recycle devices. Local governments are increasingly hosting e-cycling initiatives. These programs keep electronics out of landfills and ensure devices are wiped clean of all user data. You can search online for e-cycling centers near you before disposing of electronics, including IoT devices and medical devices.

Many device manufacturers also accept old devices to be refurbished or recycled and provide credit toward a new device. Some will take a device from any manufacturer for recycling. Check with your device maker to see if they offer a recycling program.

Contact the ITRC

It is vital everyone does their part to help address e-waste to protect the environment and people’s personal information. If you have questions about how to recycle e-waste, other e-waste solutions, or you believe you are the victim of identity theft, contact us. You can speak with one of our expert advisors toll-free by phone (888.400.5530) or live-chat. Just go to www.idtheftcenter.org to get started.