Phishing attacks are nothing new. However, with scammers increasingly using new, sophisticated methods of harming recipients that experts are less familiar with, being able to identify a phishing attack has never been more important. Phishing attacks can arrive as emails, texts, social media messages, phone calls or links to websites which appear to come from someone the victim knows or a legitimate business. The sender might look like a boss or co-worker, someone in an email contact list, a bank or a consumer’s favorite retailer.

Trusted brands are used to provide an air of credibility for scammers, who capitalize on the good reputation and relationships these brands have built. Some brands that have been used in phishing attacks to target consumers include Wells Fargo, Zoom, American Express, Apple and Microsoft. The companies being used are not involved in these scams; in many ways, they are victims of the scammer as much as the targeted consumer.

Every phishing attack has a different goal, depending on the kind of ruse it uses. Some use links or attachments to insert malicious code on the user’s device so they can collect more information. Others attempt to steal people’s personal and business usernames or passwords, and others still try to get someone to click on a well-disguised link so they can divert them to a place where the user enters even more information that the fraudster will use to his or her benefit. While phishing attacks have different objectives, the attackers’ primary goal is to steal the information needed to scam individuals and businesses.

Fortunately, the age-old advice about avoiding a phishing attack still holds true. These are some things people should keep in mind when trying to identify a phishing attack.

Check the email address and URL to make sure it is not fake

Check unexpected inbound messages very carefully, paying special attention to the sender’s email address and any website address included in the message; something strange may stand out. If it says “Amaz0n.com,” for example, it is fake. If the website link is Citibank.card.shop.com (as an example), instead of the company’s actual web address, again, it is probably fake. Always go back to the source of the email (or in this case, the company that is being represented) and check for alerts about potential scams of which they are already aware. Many times, the company is aware and has posted information about the scam.
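For readers who screen links or sender addresses in bulk (a help desk or a mail filter, for instance), the two checks above can be automated. The following is an added example, not part of the original article; the brand allowlist, the character substitutions and the verdict names are assumptions chosen to match the “Amaz0n.com” and “Citibank.card.shop.com” cases.

```python
from urllib.parse import urlsplit

# Assumption for this example: a small allowlist mapping each brand name to
# the one domain the reader already knows the brand uses.
KNOWN_BRANDS = {"amazon": "amazon.com", "citibank": "citibank.com"}

# Digits commonly swapped in for similar-looking letters ("Amaz0n").
LOOKALIKE_CHARS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def hostname_of(value):
    """Return the lowercase hostname from a URL, bare host or email address."""
    value = value.strip()
    if "://" not in value:
        # Email address or bare host: keep only what follows the last "@".
        value = "//" + value.rsplit("@", 1)[-1]
    try:
        host = urlsplit(value).hostname
    except ValueError:
        return None
    return host.rstrip(".") if host else None


def registrable_domain(host):
    """Last two labels of the host. Simplification: ignores multi-part
    public suffixes such as co.uk, which need the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def classify(value):
    """Return (verdict, brand) for a link or sender address."""
    host = hostname_of(value)
    if not host:
        return ("unparseable", None)
    registered = registrable_domain(host)

    # 1. The registered domain is exactly the brand's own domain.
    for brand, official in KNOWN_BRANDS.items():
        if registered == official:
            return ("official", brand)

    # Fold look-alike digits back to letters before comparing names.
    owner_label = registered.split(".")[0].translate(LOOKALIKE_CHARS)
    subdomain_labels = [
        label.translate(LOOKALIKE_CHARS) for label in host.split(".")[:-2]
    ]
    for brand in KNOWN_BRANDS:
        # 2. The registered name only resembles the brand ("amaz0n.com").
        if owner_label == brand:
            return ("lookalike-domain", brand)
        # 3. The brand is just a subdomain of someone else's domain
        #    ("citibank.card.shop.com" is registered as shop.com).
        if brand in subdomain_labels:
            return ("brand-in-subdomain", brand)
    return ("no-known-brand", None)


# Constructed sample inputs, including the two from the article.
SAMPLES = [
    "Amaz0n.com",
    "Citibank.card.shop.com",
    "https://www.amazon.com/orders",
    "billing@amaz0n.com",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample:35} -> {classify(sample)}")
```

A “no-known-brand” verdict only means the name matched nothing on the allowlist; it says nothing about whether the site is safe.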

Never click on an unknown link or open an unexpected attachment

Received an unexpected email, text, social media message or phone call with a link or an attachment? Consumers should reach out directly to the purported “source” of the communication to verify the validity of the message before clicking on a link or opening an attachment (as mentioned above). Clicking on a malicious link or opening a bogus attachment could lead to someone’s personal information being stolen or to the device being infected with malware.

Check the message for grammatical errors and awkward phrasing

Read unexpected messages carefully and with a critical eye. Grammatical errors and awkward language are two quick indicators that the email was not sent by the company indicated. In trying to identify a phishing attack, customers should remember that companies do not send out emails or other messages with glaring errors – in most cases, large, reputable companies have teams checking their communications for just those types of issues. Smaller businesses may have a looser communication style, but loyal customers will know if something is “off.” If someone sees any strange mistakes, that is probably a sign it is a fake. In fact, sometimes spelling mistakes are intentional so that only more gullible recipients will interact.

Never trust the caller ID

Do not go by what the caller ID may say. It is easy for a scammer to change the phone number or screen name to say anything, like “IRS” or “County Sheriff’s Department.” If someone calls with an attempt to verify identity information or demands for some kind of payment, consumers should hang up immediately and initiate contact with the company directly using a verified phone number from a trusted source. Here’s a tip: people should put numbers in their contact list for companies that are used regularly – but name them something only they would identify. For example, list the bank as “Bank on 4th & Main St.” instead of by the bank’s name. That way, if there’s an inbound call from the number, the person receiving the call will know they can trust it.

Remember that in many cases, fraudsters are using websites that look like the companies they are pretending to be. A web search could also bring someone to a potential fraudulent site. People should always treat the search results with the same critical eye as they would these other steps.

Phishing attacks can be confusing because of how close to real they can look or sound. Scam websites, emails, phone calls and text messages that mimic trusted brands will continue. However, implementing these tips to identify a phishing attack will help reduce the risk of falling for one.

Anyone who has additional questions about phishing attacks, or who believes they have been a victim of one, can call the Identity Theft Resource Center toll-free at 888.400.5530 to speak with an expert advisor. They can also use the live-chat feature on the website to get the help they need.



A new Netflix phishing email scam has been targeting customers under the guise of a billing issue or account suspension. The attack, claiming to be from Netflix support, looks legitimate enough to get some users to expose their credit card information.

The Netflix phishing email scam is titled “Notice of Verification Failure,” and it claims there is an issue with billing. It asks users to verify their personal information within 24 hours to prevent their account from being canceled.

The link provided takes the user to a CAPTCHA page with Netflix branding. Once it is filled out, they are led to a site aiming to steal credit card details and billing information. While there have been other Netflix phishing scams, this new version uses pages hosted on legitimate domains, making it seem more realistic.

Steps You Should Take

  • Be suspicious of any email or text message asking you to verify personal information or credit card details
  • Check for spelling errors in URL links and email addresses
  • Instead of clicking any links in the email, go directly to your Netflix account through your web browser to see if you have a notification about your billing. Also, reach out to Netflix directly about the email.

Remember, scammers cast a wide net by posing as big companies to scam consumers. Due to the increase in streaming services and online platforms during COVID-19, there may be a continued rise in phishing attacks and other related cyberattacks.

If people have questions regarding Netflix phishing email scams, they are encouraged to contact the Identity Theft Resource Center through the website to live-chat with an expert advisor or call toll-free at 888.400.5530.



Scammers love using instances of crisis to take advantage of consumers and steal their money and personal information. That is exactly what they are doing after a Navy ship caught fire. As reported by Identity Theft Resource Center (ITRC) partner, the Federal Trade Commission, fake crowdfunding pages have been created as part of a charitable giving scam, after a fire destroyed the USS Bonhomme Richard and sailors lost all their possessions.

Who is it Targeting: Consumers wanting to help sailors in need after the USS Bonhomme Richard fire

What is it: A giving scam using crowdsource funding pages to take advantage of the crisis

What Are They After: The charitable giving scam employs fake crowdsource funding pages to steal people’s money instead of putting it towards the sailors impacted by the USS Bonhomme Richard fire. However, there is no way of knowing whether the money makes it to the sailors in need. Also, scammers can steal people’s personal information, like their credit card number or bank account information, to target them with future scams or, depending on what information the scammers get, commit identity theft and fraud.

How You Can Avoid It: Don’t rely on crowdsource funding pages to make legitimate donations. Crowdsource funding pages make it impossible to know whether the donations make it to the recipient. Always do research and only donate to known and trustworthy charities. Learn more about how to check out a charity before giving at https://www.ftc.gov/charity.

If people have questions regarding charitable giving scams, they are encouraged to contact the ITRC through the website to live-chat with an expert advisor or call toll-free at 888.400.5530.



Bitcoin scams come in many different forms. Scammers use different platforms to try and get people to pay them in bitcoin (also known as cryptocurrency or digital money). Bitcoin scams are a popular way for fraudsters to trick people into sending money. Recently, they used Twitter and some of its most notable accounts to target Twitter users.

On July 15, hackers compromised verified Twitter accounts and sent cryptocurrency scam tweets requesting bitcoin donations with the promise of doubling the investments to “give back to the community.” Scammers responsible for bitcoin scams not only aim to steal people’s money, but also collect their personally identifiable information (PII) and sell it to other cybercriminals.

According to Twitter, attackers are believed to have targeted certain Twitter employees through a social engineering scheme. Twitter says the attackers successfully manipulated a small number of employees and used their credentials to access Twitter’s internal systems, including getting through their two-factor protections. While Twitter continues their forensic review, they believe the bad actors may have attempted to sell some of the usernames. The hackers are not believed to have viewed previous account passwords. However, they were able to view personal information, including email addresses and phone numbers.

Twitter says nearly 130 accounts were targeted, and 45 successfully hacked. The Twitter accounts hacked include high profile individuals with verified accounts such as Barack Obama, Kanye West, Elon Musk and Bill Gates. Twitter responded by preventing any blue-check marked accounts from tweeting while security teams responded to the attack. Twitter apologized for the attack; the UK’s National Cyber Security Center, whom Twitter officers reached out to for support, released a statement urging people to treat requests for money or PII on social media with extreme caution.

The recent social-engineering hijack of Twitter accounts highlights a larger issue that has been on the increase since COVID-19 began: the prevalence of cryptocurrency scams. According to the Federal Trade Commission, most bitcoin scams appear as emails trying to blackmail someone, online chain-referral schemes or bogus investment/business opportunities. However, no matter how the scam is executed, a scammer wants the victim to either send money, give up their PII or a combination of these. Once someone engages, there is usually nothing they can do to get their money back.

The Twitter hack creates a teachable moment – what should consumers do to reduce their risk of falling for a bitcoin scam? It also highlights the need for businesses to ensure their employees are educated on social engineering. This incident proves that even the most technologically-advanced companies are not immune from an employee granting access to bad actors. To avoid a bitcoin scam or other forms of social engineering, people should remember the following:

  • Never share PII through social media channels and always verify the person or business asking. While these scams are designed to steal people’s money, they are also designed to collect PII to sell to other cybercriminals.
  • If someone sees a tweet, email, text message or other social media post that asks for payment in bitcoin, it is – most likely – a scam.
  • High profile individuals will not contact anyone to give away large sums of money – especially in bitcoin – by social media message. There are other methods for informing someone if they are a recipient; if an offer seems too good to be true, it probably is.
  • If a consumer receives a message telling him or her it’s a guarantee to make money, it is probably a scam.
  • No one should ever click a link, download a file or open an attachment if they are unsure of who sent it or what it is; they should be cautious of links that are shared on social media.
  • Keep up with the latest around scams and how they work. The Twitter bitcoin scam employed a lot of common cognitive biases. Understanding how bitcoin or cryptocurrency works reduces the number of people who fall for scams about it.

If someone believes they are a victim of a bitcoin scam or has questions about other scams, they can live-chat with an Identity Theft Resource Center expert advisor. They can also call toll-free at 888.400.5530.



Third-party sellers on Amazon are buying their own products so they can leave five-star reviews, then using victims’ names and addresses to disguise themselves as customers. 

Who Is It Targeting: Amazon customers

What Is It: Brushing scam that uses another person’s information to place fake orders

What Are They After: This Amazon brushing scam is tricky because while victims are not charged for the goods that appear on their doorstep, being a victim still means that someone has gained access to your name, mailing address, and other information. Some people may not think of this as being victims of a scam, but there is no way of knowing what else these scammers could be doing with your personal data.

In a post on Reddit, one user who randomly received a weeding tool in the mail posted to understand what he had received by mistake, unaware it was part of a brushing scam.

Another Reddit user alerted the original poster to the possibility of this being a scam and referred them back to our resources for assistance.

How Can You Avoid It: If you begin receiving packages that are addressed to you but you did not order, contact the retailer immediately. Change your passwords on your online accounts, just in case the scammer got your address by hacking an account.

According to The Verge, Amazon will start disclosing the names and addresses of US-based third-party sellers on its Marketplace platform as part of an effort to fight counterfeiters. The company announced the change in a note sent to sellers on Wednesday, and it goes into effect on September 1st.

If you think you may be a victim of identity theft or an Amazon brushing scam, contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. Find more information about current scams and alerts here.



Mystery shopping has been around for a long time. Mystery shoppers help businesses, retailers and restaurants get information on the quality of their stores in exchange for money. In the past, scammers have found ways to turn the service into a mystery shopper scam, also known as a secret shopper scam. These scams are resurfacing during the coronavirus due to over 45 million people filing for unemployment and looking for some extra cash.

There are different forms of mystery shopper scams. One popular version of the scam is when scammers pose as retailers looking to lure people into being secret shoppers. They ask victims to pay for their products or training and then take off with their money. Fraudsters will also steal a victim’s personally identifiable information (PII) from the application they filled out and commit identity theft.

Another version of the mystery shopper scam includes fake checks. In this scam, the victim signs up to become a secret shopper through an online form – potentially giving away sensitive PII like Social Security numbers, date of birth and address. Then the victim is sent a check in the mail to use to secretly shop at a store. Once the check is posted to their bank account, the victim begins to shop as instructed. In some instances, the victim is told to buy reloadable cards and send pictures of them and their PIN card numbers from the back. Once the bank finds out the check is fake, the victim is on the hook for all of the money that they spent plus bank fees. This particular version of the scam lures victims in with a fake check, like the one pictured below that was sent to the Identity Theft Resource Center (ITRC) from a mystery shopper scam victim:

At first glance the check appears to be legitimate. However, while the check says it is to PNC bank, the routing number is for HSBC. Hanover Insurance Company also has a notice on their website about fraudulent checks.

The ITRC was also sent this letter that went along with the check:

While the letter also seems legitimate at first glance, the company listed is Assign Retailer Metrics Inc. instead of Hanover Insurance Company. The letter also asks people to take pictures of the card numbers and scratched PIN numbers and email them to a Gmail account instead of a company account. These are just a few signs that prove this is a secret shopper scam.

Mystery shoppers can be very effective for retailers because the secret shopper can buy whatever the retailer wants them to buy and then report back their experience. However, it can leave consumers looking for a way to make a little extra money in the difficult economy vulnerable to being taken advantage of by ne’er-do-wells. There are things people can do to reduce their risk of falling for a mystery shopper scam.

To avoid these types of scams, people should:

  • Never pay to be a mystery shopper – don’t wire money or send a “deposit” via PayPal, Venmo, or Zelle
  • Do NOT give out PII on an application
  • Be wary if offered a lot of money for a simple task
  • Cash the check at an issuing bank or wait until the money has not just posted but cleared the other account; if the check is not good, the victim can return the cash into their account

There are also things people can do to spot a legitimate mystery shopping opportunity. People should:

  • Do their research on legitimate opportunities; search the internet for reviews and comments on mystery shopping jobs
  • Remember they are paid to be a mystery shopper (typically after the task is completed); they do not have to pay to do it

Anyone who believes they are a victim of a mystery shopper scam can live-chat with an ITRC expert advisor or call toll-free at 888.400.5530. Advisors will guide victims on the next steps they need to take.



A recent Google Alert scam has caught the attention of many. Google Alerts recently caught fraudsters trying to push fake data breach notifications for big-name companies in an effort to distribute malware and damage people’s computer networks. According to Bleeping Computer, fraudsters have been mixing black-hat SEO, Google sites and spam pages to direct users to dangerous locations based on data breach information.

Google Alerts is designed to send notifications to people who sign up for monitoring of specific keywords and to provide search results. As part of this Google Alert scam, fraudsters were able to create pages and use compromised websites to combine “data breach” with well-known brands. Bleeping Computer reports that some of those well-known brands include Chegg, Canva, EA, Dropbox, Hulu, Shein, Ceridian, PayPal, Target, Hautelook, Mojang, InterContinental Hotel Group and Houzz.

In the Google Alerts, fraudsters offer giveaways and download offers, which lead to the dangerous malware. The threat actors are also believed to have used the Google Sites tool to build webpages to host their content. Bleeping Computer says they found that the scammers were pushing unwanted search-related extensions. As part of the Google Alert scam, malicious links were also believed to be sent to people with an iPhone 11 device for a fake giveaway. It claimed to be set up by Google as part of a “Membership Rewards Program” and the offer said the gift was “exclusively and only for Verizon Fios users.” Users had to fill out a survey, allowing scammers to get their money. Browser extension scams can pose a risk to browsing privacy because malware can be used as part of this method.

Consumers who use Google Alerts should be aware of this particular scam and go directly to the source (the purported breached entity) instead of clicking on an unknown link. The Identity Theft Resource Center has been tracking publicly-notified data breaches since 2005 and has the most comprehensive and the most readily available data breach information for publicly-notified breaches. Any consumer who wants to fact-check the latest information regarding a publicly reported breach is encouraged to access our resources to confirm any new circumstances. Consumers can sign up for the monthly data breach newsletter, as well as view monthly and yearly data breach reports. They can also receive a “risk score” on what their true concerns should be by visiting Breach Clarity and entering the particular breach on which they would like information. Anyone who believes they might have fallen victim to a Google Alert scam can live-chat with an ITRC expert advisor, or can call toll-free at 888.400.5530. They can also download the free ID Theft Help App. The app will provide consumers and victims access to advisors, resources, a case log to track their steps and much more.



Summer has arrived, and usually that signals summer vacations, fun in the sun and time to enjoy summertime events. With the COVID-19 pandemic still impacting people in many ways, some summer plans will look different. It won’t stop scammers from targeting victims, but 2020 summer scams could have a different spin than summer scams in years past.

Employment Scams

Typically, employment scams are a hot summer scam because teachers, school transportation drivers, high school/college students and residents of resort areas look to make some extra money in the summer months. While that may end up still being the case, employment scams could be a 2020 summer scam because over 40 million people are unemployed due to COVID-19 and areas are now loosening restrictions.

Some telltale signs that a job might not be genuine include high hourly rates for minimal work, requirements to pay for supplies and materials, offers that request consumers to provide their sensitive identity credentials (driver’s license or Social Security number) to apply and offers that contain misspellings, vague information or links to click and software to download.

Loyalty Account Scams

Travel is usually at its peak in the summer months as families and friends embark on their vacation plans. However, travel is down due to the coronavirus and it is unknown how many people will be willing to take the risks associated with traveling. That is why scammers may attack loyalty accounts.

A popular 2020 summer scam could end up preying on loyalty accounts because people are not flying and staying at hotels. If anyone receives a message regarding a loyalty account, they should ignore it and reach out to the proper company directly. However, scammers could still strike with too-good-to-be-true offers or create fake websites and steal photos of real properties to lure in their victims. Travelers should avoid any high-pressure (i.e. “Book NOW to receive”) opportunities or messages about their accounts and investigate thoroughly before proceeding.

Moving Scams

Summer is a popular time to move, whether it is recent graduates or families waiting for their kids to finish the school year. Moving scams can still strike at any time. That means moving scams may make a resurgence as a popular 2020 summer scam. There are many different types of moving scams, but some of them involve taking information, including PII and payment card information; hidden fees; and companies that change their names to circumvent bad reviews.

Ticket Scams

Outdoor concerts, music festivals and big-name concert tours are great summer fun. Ticket scams could be a popular 2020 summer scam. Not because there will be concerts, music festivals and sporting events going on, but because sports and other outdoor activities have many unknowns regarding how ticket sales and refunds will work. Scammers can take advantage of the confusion by overcharging for an event through a fake website that steals people’s information and selling a fake ticket. Scammers have sent messages previously regarding ticket refunds with links to click or files to download. People should only purchase tickets from trusted retailers. If anyone gets a message they are not expecting about a ticket sale or refund, they should ignore it and contact the retailer directly.

Social Media Scams

People’s Facebook accounts and Instagram accounts are also a target when the weather turns warm. Everything from romance scammers and phishing attempts to burglars who scope out who is not home based on their posts can lead to harm. COVID-19 romance scams are already making the rounds and scammers could continue to use that tactic.

People should be mindful of what they post online. Also, they should beware of friend requests from accounts they do not recognize or requests from people they thought they were already connected with (i.e., hacked or spoofed accounts). Finally, people should make sure they are not oversharing or giving away too many details to anyone who can see them. Remember, there are things on social media accounts that could be used to determine the challenge questions for other more sensitive accounts (date of birth, pet’s name, mother’s maiden name, etc.).

If anyone falls for a summer scam or potentially self-compromises their identity information, they can live-chat with an Identity Theft Resource Center expert advisor that will help guide them through the next steps to take. They can also call toll-free at 888.400.5530.



State and local governments around the country are working hard on plans, and in some cases, starting to execute, to carefully reopen their communities and businesses in the wake of the COVID-19 pandemic. Data is being tracked; task forces are mobilizing and planning; and the “new normal” is beginning to take shape. However, this could lead to an increase in reopening job scams.

More jobs could be a welcomed sight for over 40 million U.S. workers who have had to file for unemployment benefits since mid-March. Some consumers expect to return to their old jobs. However, many others will be looking for a new one.

According to a survey issued by FlexJobs, 19 percent of respondents reported that they have already been victimized by an employment scam. The company further stated that for every legitimate work-from-home job—a highly sought-after option during the pandemic—there are between sixty and seventy scam offers. Out of concern for consumers, as they seek employment, the FBI is warning the public about reopening job scams or fake job offers that would ordinarily raise some red flags if not for the specific changes that quarantine has required.

The FBI says they have seen an uptick in fake job and hiring scams with cybercriminals posing as legitimate employers by spoofing company websites and posting fake job openings on popular online job boards. One of the scams involves fraudsters going as far as conducting false interviews with applicants, then requesting personal information or money that could be transferred to a private location. The Better Business Bureau told FOX 13 in Memphis that fraudsters are using the COVID-19 pandemic in their employment scams to make them more believable.

Fortunately, much of the same caution that applied to job-seeking before COVID-19 still applies. Consumers should know the source of the job listing and only use reputable websites to find employment opportunities. To avoid a reopening job scam, consumers should also be mindful of unsolicited emails and offers with outrageous claims—such as, “Earn $3,000 a week working from home.”

Once a job posting is found, consumers should also be careful about how much personal data they share, at least during the application period. If a company claims they want to do a phone, Skype or Zoom interview due to social distancing and safety, that’s okay. However, it does not mean candidates should turn over information like their Social Security numbers until they have been hired.

Finally, to avoid a job reopening scam, consumers should remember that legitimate jobs don’t usually require any upfront fees or costs. Even things like company uniforms or specialized equipment such as steel-toed shoes are often deducted from the first paycheck or purchased by the employee through an outside company. Typically, they are not charged in the form of a payment. If an employer asks for a finder’s fee, administrative fee, background check fee or any other funds, it is probably a reopening job scam. Even for legitimate actions like submitting a bank account number and routing number for direct depositing of paychecks, it’s important to be sure the company is legitimate and the job has already been awarded before submitting the information. If someone believes they are victim to a COVID-19 reopening job scam, they can live-chat with an Identity Theft Resource Center expert advisor. They can also call toll-free at 888.400.5530.

