Posts

Bitcoin scams come in many different forms. Scammers use different platforms to try and get people to pay them in bitcoin (also known as cryptocurrency or digital money). Bitcoin scams are a popular way for fraudsters to trick people into sending money. Recently, they used Twitter and some of its most notable accounts to target Twitter users.

On July 15, hackers compromised verified Twitter accounts and sent cryptocurrency scam tweets requesting bitcoin donations with the promise of doubling the investments to “give back to the community.” Scammers responsible for bitcoin scams not only aim to steal people’s money, but also collect their personally identifiable information (PII) and sell it to other cybercriminals.

According to Twitter, attackers are believed to have targeted certain Twitter employees through a social engineering scheme. Twitter says the attackers successfully manipulated a small number of employees and used their credentials to access Twitter’s internal systems, including getting through their two-factor protections. While Twitter continues their forensic review, they believe the bad actors may have attempted to sell some of the usernames. The hackers are not believed to have viewed previous account passwords. However, they were able to view personal information, including email addresses and phone numbers.

Twitter says nearly 130 accounts were targeted, and 45 successfully hacked. The Twitter accounts hacked include high profile individuals with verified accounts such as Barak Obama, Kanye West, Elon Musk and Bill Gates. Twitter responded by preventing any blue-check marked accounts from tweeting while security teams responded to the attack. Twitter apologized for the attack; the UK’s National Cyber Security Center, whom Twitter officers reached out to for support, released a statement urging people to treat requests for money or PII on social media with extreme caution.

The recent social-engineering hijack of Twitter accounts highlights a larger issue that has been on the increase since COVID-19 began: the prevalence of cryptocurrency scams. According to the Federal Trade Commission, most bitcoin scams appear as emails trying to blackmail someone, online chain-referral schemes or bogus investment/business opportunities. However, no matter how the scam is executed, a scammer wants the victim to either send money, give-up their PII or a combination of these. Once someone engages, there is usually nothing they can do to get their money back.

The Twitter hack creates a teachable moment – what should consumers do to reduce their risk of falling for a bitcoin scam? It also highlights the need for businesses to ensure their employees are educated on social engineering. This incident proves that even the most technologically-advanced companies are not immune from an employee granting access to bad actors. To avoid a bitcoin scam or other forms of social engineering, people should remember the following:

  • Never share PII through social media channels and always verify the person or business asking. While these scams are designed to steal people’s money, they are also designed to collect PII to sell to other cybercriminals.
  • If someone sees a tweet, email, text message or other social media post that asks for payment in bitcoin, it is – most likely – a scam.
  • High profile individuals will not contact anyone to give away large sums of money – especially in bitcoin – by social media message. There are other methods for informing someone if they are a recipient; if an offer seems too good to be true, it probably is.
  • If a consumer receives a message telling him or her it’s a guarantee to make money, it is probably a scam.
  • No one should ever click a link, download a file or open an attachment if they are unsure of who sent it or what it is; they should be cautious of links that are shared on social media.
  • Keep up with the latest around scams and how they work. The Twitter bitcoin scam employed a lot of common cognitive biases. Understanding how bitcoin or cryptocurrency works reduces the number of people who fall for scams about it.

If someone believes they are a victim of a bitcoin scam or has questions about other scams, they can live-chat with an Identity Theft Resource Center expert advisor. They can also call toll-free at 888.400.5530.


You might also like…

The Unconventional 2020 Data Breach Trends Continue

School District Data Breaches Continue to be a Playground for Hackers

Is This an Amazon Brushing Scam?

People are spending more time on their phones, tablets and computers now than ever, making the importance of cyber-hygiene tips as paramount as they’ve ever been. The Identity Theft Resource Center (ITRC) wants to highlight some of the best practices and steps that users can take to improve their online security.

We recommend everyone make these cyber-hygiene tips part of their regular routine to greatly reduce their risk of identity theft or other cybersecurity compromises.

1. Use a secure connection and a VPN to connect to the internet

A virtual private network (VPN) is a digital tool that keeps outsiders, such as hackers, identity thieves, spammers and even advertisers from seeing online activity. Users should also be wary of public Wi-Fi. While public Wi-Fi may be convenient, it can have many privacy and security risks that could leave someone vulnerable to digital snoops. If connecting to public Wi-Fi, be sure to use a VPN.

2. Get educated about the terms of service and other policies

It is important to understand what the terms of service and other policies say because, once you check the box, you may have agreed to have your information stored and sold, automatic renewals, location-based monitoring and more.

3. Make sure anti-virus software is running on all devices

It is very important to have anti-virus software running on every device because it is designed to prevent, detect and remove software viruses and other malicious software. It will protect your devices from potential attacks.

4. Set up all online accounts (email, financial, shopping, etc.) with two-factor or multi-factor authentication

Two-factor authentication (2FA) or multi-factor authentication (MFA) adds an extra layer of protection to your accounts; it requires at least two separate verification steps to log into an account. Relying on a minimum of two methods of login credentials before accessing accounts will make it harder for a hacker to gain access.

5. Use secure payment methods when shopping online

One easy cyber-hygiene step is to only shop on trusted websites and use trusted payment methods. Consumers should not use payment portals or shop on websites with which they are not familiar.

Always use a payment instrument that has a dispute resolution process – like a credit card or PayPal – if you have to shop on an unfamiliar site.

6. Use unique passphrases for passwords and do not reuse passwords

The best practice these days is to use a nine to ten-character passphrase instead of an eight-character password. A passphrase is easier to remember and harder for hackers to crack.

Also, users should employ unique passphrases; if they use the same one, hackers can gain access to multiple accounts through tactics like credential stuffing.

7. Never open a link from an unknown source

Do not click on links or download attachments via email or text – unless you are expecting something from someone or a business you know. If it is spam, it could insert malware on your device.

Also, never enter personally identifiable information (PII) or payment information on websites and web forms that are not secure or have not been fully vetted. It could be a portal to steal personal information.

8. Make sure devices are password protected

If devices are not password protected, it is just that much easier for a hacker to share or steal personal information. Without a layer of protection or authentication to access the device, all the information saved on it becomes fair game. Use a PIN code, biometric or pattern recognition to lock your devices and set the same protection for apps that have access to sensitive information like banking or credit cards.

9. Log out of accounts when done

This is another bad habit that makes it much easier for someone to share or steal your information. Always log out of accounts when done so no one can get easy access to them.

While there is nothing that can be done to eliminate identity theft, account takeovers and other malicious intent, these cyber-hygiene tips will help keep consumers safe, as well as reduce the number of cybercrime victims.

For anyone who believes they have been a victim of identity theft or has questions about cyber-hygiene tips, they can call the ITRC toll-free at 888.400.5530 to speak with an expert advisor. They can also live-chat through the website or the free ID Theft Help app.


Read more of our related articles below

The Unconventional 2020 Data Breach Trends Continue

School District Data Breaches Continue to be a Playground for Hackers

Is This an Amazon Brushing Scam?

Each year, about half of U.S. taxpayers rely on a tax preparer and a tax preparation service to help them file their required tax returns. These professionals offer a wide array of options, from a very simple franchise that plugs in the numbers on the consumer’s behalf to certified public accountants that know the ins and outs of the entire U.S. tax code. From accounting firms to walk-in services like H&R Block, TurboTax/Intuit, Credit Karma or Jackson Hewitt, these tax preparation services often have one major similarity: they are a hot target for hackers and identity thieves.

Trusting an outsider with highly-sensitive personal data is not something that people should take lightly. Having a professional take responsibility for the paperwork, helping to navigate the annual changes to tax laws and even assisting in the event of an IRS audit are all reason enough to pay someone to take care of the filing. However, the sheer volume of personally identifiable information (PII) that a tax preparer must collect and store means there are literal treasure troves of identities waiting to be compromised by a malicious actor.

There are plenty of ways that stolen PII from a tax preparation service can benefit a hacker. First, accessing a stolen return not only means the hacker can file the return for themselves and steal any refunds the consumer was expecting, it also means having the ability to file a fraudulent return every year. Hackers can cause even more harm with information gleaned from a tax preparer’s computer; credential stuffing is another major concern, as the complete information they might steal can be used to access the victim’s other accounts.

There are some important steps that consumers can take to protect themselves when using a tax preparation service. First, people should only choose a professional tax preparer who has a valid IRS Preparer Tax Identification Number (PTIN), but also understand that there are many different services, ability-levels and offerings that a professional can provide. It is also important for a consumer to find out what the preparer’s credentials are—such as having an accounting degree or being a member of a professional organization—before signing on to work with them. Consumers should not hesitate to ask what information the preparer will be able to access, how that information will be stored and for how long, who will be able to access that information and other related questions. There have been many situations where tax preparation services and professionals have been the target of malicious actors and understanding how they are going to safeguard information is just as important as their capabilities.

More guidelines from the IRS are available, but consumers are also cautioned to begin using a nine to ten character passphrase in place of the traditional eight-character password. A passphrase is longer and easier to remember, which makes it both harder for fraudsters to guess and more likely that consumers will deploy a different passphrase for each account.

If someone falls victim to identity theft from a data breach, they can live-chat with an Identity Theft Resource Center expert advisor through the organization’s website, as well as call toll-free at 888.400.5530 for an action plan that is customized to their needs. The free ID Theft Help App for iOS and Android also provides a number of resources for consumers to use in the event of a data breach or suspected identity theft.


You might also like…

Stalker Data Breach Leads to Sale of Users’ Credentials

Non-Traditional Data Compromises Make Up the Latest Week of Breaches

Mystery Shopper Scams Surface During COVID-19

Mystery shopping has been around for a long time. Mystery shoppers help businesses, retailers and restaurants get information on the quality of their stores in exchange for money. In the past, scammers have found ways to turn the service into a mystery shopper scam, also known as a secret shopper scam. These scams are resurfacing during the coronavirus due to over 45 million people filing for unemployment and looking for some extra cash.

There are different forms of mystery shopper scams. One popular version of the scam is when scammers pose as retailers looking to lure people into being secret shoppers. They ask victims to pay for their products or training and then take off with their money. Fraudsters will also steal a victim’s personally identifiable information (PII) from the application they filled out and commit identity theft.

Another version of the mystery shopper scam includes fake checks. In this scam, the victim signs up to become a secret shopper through an online form – potentially giving away sensitive PII like Social Security numbers, date of birth and address. Then the victim is sent a check in the mail to use to secretly shop at a store. Once the check is posted to their bank account, the victim begins to shop as instructed. In some instances, the victim is told to buy reloadable cards and send pictures of them and their PIN card numbers from the back. Once the bank finds out the check is fake, the victim is on the hook for all of the money that they spent plus bank fees. This particular version of the scam lures victims in with a fake check, like the one pictured below that was sent to the Identity Theft Resource Center (ITRC) from a mystery shopper scam victim:

At first glance the check appears to be legitimate. However, while the check says it is to PNC bank, the routing number is for HSBC. Hanover Insurance Company also has a notice on their website about fraudulent checks.

The ITRC was also sent this letter that went along with the check:

While the letter also seems legitimate at first glance, the company listed is Assign Retailer Metrics Inc. instead of Hanover Insurance Company. The letter also asks people to take pictures of the card numbers and scratched PIN numbers and email them to a Gmail account instead of a company account. These are just a few signs that prove this is a secret shopper scam.

Mystery shoppers can be very effective for retailers because the secret shopper can buy whatever the retailer wants them to buy and then report back their experience. However, it can leave consumers looking for a way to make a little extra money in the difficult economy vulnerable to being taken advantage of by ne’er-do-wells. There are things people can do to reduce their risk of falling for a mystery shopper scam.

To avoid these types of scams, people should:

  • Never pay to be a mystery shopper – don’t wire money or  send a “deposit” via PayPal, Venmo, or Zelle
  • Do NOT give out PII on an application
  • Be wary if offered a lot of money for a simple task
  • Cash the check at an issuing bank or wait until the money has not just posted but cleared the other account; if the check is not good, the victim can return the cash into their account

There are also things people can do to spot a legitimate mystery shopping opportunity. People should:

  • Do their research on legitimate opportunities; search the internet for reviews and comments on mystery shopping jobs
  • Remember they are paid to be a mystery shopper (typically after the task is completed); they do not have to pay to do it

Anyone who believes they are a victim of a mystery shopper scam can live-chat with an ITRC expert advisor or call toll-free at 888.400.5530. Advisors will guide victims on the next steps they need to take.


You might also like…

Identity Theft Resource Center Announces Change to Board of Directors

Google Alert Scam Sends Fake Data Breach Notifications Embedded With Malware

Hackers Take Advantage of COVID-19 Closures to Launch Claire’s Data Breach