Posts

  • On the Identity Theft Resource Center’s (ITRC) last Weekly Breach Breakdown podcast, we discussed our inaugural Business Aftermath Report. The report shows how data and security compromises impact small businesses. 
  • In this week’s episode, we look at what businesses can do to protect themselves. To protect your business from cyberattacks, when something bad happens, stopping the attack and restoring your systems to regular operation is the top priority.
  • Make sure team members know their role in protecting the company and themselves from phishing and social engineering attacks, as well as adopting good cyber-hygiene habits. Also, have good back-ups and patch software as soon as possible.
  • To learn about recent data compromises or small business data breaches, consumers and businesses should visit the ITRC’s data breach tracking tool, notified. 
  • If you believe you are the victim of an identity crime, data breach or want to learn more ways to protect yourself from cyberattacks, contact the ITRC. Call toll-free at 888.400.5530 or live-chat on the company website www.idtheftcenter.org.

No Small Attacks

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for November 5, 2021. Our podcast is possible thanks to support from Experian. Each week, we look at the most recent events and trends related to data security and privacy. Last week, we focused on our inaugural Business Aftermath Report findings that show how small businesses, including solopreneurs, are impacted by data and security compromises. This week we look at how to protect your business from cyberattacks.

In the entertainment business, the saying goes that there are no small parts, only small actors. In the security world, you might say there are no small attacks, only small attackers. That’s the name of this week’s episode: No Small Attacks. This week, we will talk about what you should do to protect your business from cyberattacks and prevent data breaches.

2021 Business Aftermath Report Findings

First, a brief recap of what we found in our survey of small business owners and leaders – nearly two-thirds of which had fewer than 50 employees.

  • Fifty-eight (58) percent of the small business owners or leaders reported a data breach, a security breach or both.
  • Seventy-five (75) percent of those have experienced more than one breach; 33 percent have experienced more than three breaches.
  • Forty-two (42) percent did not return to “business as usual” for 1-2 years; 28 percent required 3-5 years; seven percent said they had not returned to pre-breach performance levels at the time of the survey earlier this year.
  • Nearly 80 percent of the companies that reported a breach did so in the past two years. This coincides with the overall trend of cybercriminals focusing on vendors like smaller businesses to attack larger companies with ransomware. It also means this is likely to be a permanent condition.
  • Forty (40) percent of compromises were caused by outside cybercriminals. However, 35 percent were attributed to malicious insiders – an employee or a contractor.

That last statistic – the number of malicious employees is much higher than for larger enterprises with more tools and processes to detect bad actors. In fact, through the first half of 2021, there were zero data breaches attributed to a malicious insider in the U.S. Given this information, what should a business do?

How to Protect Your Business from Cyberattacks or Prevent Data Breaches

There is no going back to the days when small businesses could get by with minimal cybersecurity and data privacy protections. Every business owner, leader and team member should operate as if you are already under attack (because you probably are).

To protect your business from cyberattacks, when something bad happens, stopping the attack and restoring your systems to normal operation is priority number one. Once that’s done, the highest long-term priority is restoring trust among your customers and prospects. Ensuring you know what happened, why it happened, and taking steps to prevent another breach are the bare minimum actions.

Be prepared to invest in more training, more policies and more solutions. Then, communicate all of that to your stakeholders – employees, investors, customers and community. If you don’t tell them, no one else will.

Additional Tips

  • Make sure every team member knows their role in protecting the company and themselves from phishing and social engineering attacks, as well as adopting good cyber-hygiene habits. There’s no such thing as too much training.
  • Patch software as soon as updates are available and make sure you have good back-ups. If you don’t have in-house resources, hire a managed security service provider (MSSP) to handle all your routine IT and OT tasks and monitoring.
  • Require multi-factor authentication (MFA) for your team and vendors, and offer it to your customers. MFA linked to an authenticator app is best.
  • Threat actors don’t just want your money. They want your data, too. The more you have, the bigger the target you become. To protect your business from cyberattacks, practice data minimization and don’t collect more information than you need. Also, don’t keep it longer than necessary to complete a transaction. You can’t lose control of what you don’t have.
  • Know your vendor’s security posture, too. It’s not enough that you have good cybersecurity. Everyone you work with also needs protections equal to or better than yours. That’s the law in some states now, and it is non-negotiable when it comes to protecting your customers.

Contact the ITRC

The ITRC offers low-cost training and vendor due diligence for small businesses. For more information on those services or how to protect your business from cyberattacks, contact us at www.idtheftcenter.org.

Meanwhile, if you think you have been the victim of an identity crime or a data breach and you need help figuring out what to do next, you can speak with an expert advisor on the phone, chat live on the web or exchange emails during our normal business hours (Monday-Friday 6 a.m.-5 p.m. PST). Just visit www.idtheftcenter.org to get started.

Thanks again to Experian for supporting the ITRC and this podcast. Be sure to join us next week for another episode of the Weekly Breach Breakdown.

  • According to the Identity Theft Resource Center’s (ITRC) First Half 2021 Data Breach Analysis, data compromises are up 38 percent over the first quarter of 2021. If this trend from the data breach statistics continues, 2021 will set an all-time high for data compromises.
  • While data compromises are up, the number of individuals impacted is down 20 percent quarter-over-quarter. If the current trajectory holds, 2021 will see the fewest number of impacted individuals since 2016.
  • Phishing and Ransomware remain the top two root causes of data compromises for the second quarter and the first half of the year. However, supply chain attacks continue to increase in volume, scale and complexity.
  • To learn about recent data breaches, or to see the ITRC’s data breach statistics in our latest report, consumers and businesses should visit the ITRC’s data breach tracking tool, notified.
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org.

First Half 2021

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for July 9, 2021. Our podcast is possible thanks to support from Experian. Each week we look at the most recent events and trends related to data security and privacy. This week we look at the ITRC’s data breach statistics and trends for the second quarter of this year and what they tell us about how we may end 2021.

How the ITRC Reports Data

First, here’s a brief reminder of how the ITRC reports data. We only include information from U.S. data events that are publicly-reported. We report 1) data compromises, which includes data breaches, data exposures (think cloud databases with no security), and 2) data leaks, generally public information that is aggregated and used for a purpose other than that for which it was intended (think scraping information from social media sites that are sold for marketing lists or used for phishing attacks).

Key Takeaways from the ITRC’s First Half 2021 Data Breach Analysis

Now, let’s look at the key takeaways from this week’s ITRC First Half 2021 Data Breach Analysis:

  • According to the ITRC’s data breach statistics, data compromises are up 38 percent over the first quarter of 2021, putting us on a trajectory to end 2021 with a record level of compromises. Every month this year (except May) has seen data compromises higher than the month before. If this trend continues, we will exceed the all-time high number of compromises set in 2017 of 1,632 publicly-reported data events.
  • However, the number of people impacted by data compromises is down 20 percent quarter-over-quarter. That means we could end 2021 with fewer than 250 million victims of identity compromises, which continues a trend away from the mass collection of individual information that started in 2018.
  • The data breach statistics show we are on pace to have the highest number of data compromises ever in the same year that we could see the fewest number of people impacted since the all-time high was set in 2016.
  • Data compromises are rising or flat pretty much across the board, with half of the sectors tracked by the ITRC showing increases.
  • Manufacturing & Utilities and Professional Services are seeing significant increases while Healthcare and Retail are seeing data compromises drop. This shift reflects the broader trend of cybercriminals focusing their attention on critical infrastructure entities, so important they cannot be allowed to remain offline, and targets considered to be not as well defended. It is all in hopes of securing larger ransomware payments.
  • Phishing and Ransomware remain the #1 and #2 root causes of data compromises for the second quarter (Q2) and the first half of the year. However, supply chain attacks continue to increase in volume, scale and complexity. Attacks against vendors that give criminals access to many companies through a single data or security breach increased 19 percent in Q2. The 58 supply chain attacks through June 30, 2021 compares to the 70 malware-related compromises for the year so far. These data breach statistics indicate that third-party risks are poised to surpass malware as the third most common root cause of data events by the end of this year.
  • Just two days after the end of the second quarter, a major supply chain attack was launched against the cybersecurity provider Kaseya. Cybercriminals demanded a record $70 million in ransom to restore the operations of more than 1,500 companies impacted by the attack. It’s not known if any personal information has been compromised. However, we know this early third quarter (Q3) attack is an indication that cybercriminals are launching ever more sophisticated attacks that command larger and larger ransom payments.

Contact the ITRC

If you have questions about how to keep your personal information private or secure, visit www.idtheftcenter.org, where you will find helpful tips, and where you can download our First Half 2021 Data Breach Analysis to see our data breach statistics.

If you think you have been the victim of an identity crime or a data breach and you need help figuring out what to do next, you can speak with an expert advisor on the phone (888.400.5530), chat live on the web or exchange emails during our normal business hours (6 a.m. to 5 p.m. PST). Just visit www.idtheftcenter.org to get started.

Thanks again to Experian for supporting the ITRC and this podcast. Be sure to check out our sister podcast, The Fraudian Slip. We will be back next week with another episode of the Weekly Breach Breakdown. 

  • A recent GEICO data breach led to fraudsters gaining access to nearly 132,000 GEICO customer’s driver’s license numbers. GEICO says they believe threat actors could use the information to apply for unemployment benefits fraudulently.
  • The Pennsylvania Department of Health’s third-party contact tracing vendor, Insight Global, failed to secure phone numbers, email addresses and personal information like gender, age, sexual orientation, COVID-19 diagnosis and exposure status of more than 72,000 Pennsylvania residents. Third-party breaches continue to be a growing trend.
  • Like the Pennsylvania Department of Health, ParkMobile Parking App also suffered a supply chain attack. The ParkMobile data incident exposed the non-sensitive information of 21 million users, putting them at risk of falling victim to social engineering.
  • For more information about April data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) data breach tracking tool, notified.  
  • If you believe you are a victim of identity theft from a data breach, contact the ITRC toll-free at 888.400.5530 or through live-chat on the company website www.idtheftcenter.org.

Notable April Data Breaches

Of all the data breaches the Identity Theft Resource Center (ITRC) tracked in April, three stand out: GEICO, Pennsylvania Department of Health and the ParkMobile Group. All three data events are notable for unique reasons. In one, the company is very detailed in how criminals are misusing the information and what people should look out for; another event includes a contact tracing service failing to secure the private information of some residents in Pennsylvania – re-affirming a trend identified by the ITRC; the third compromise led to the exposure of data for 21 million people – stemming from a supply chain attack.

GEICO

A security bug led to threat actors stealing personally identifiable information (PII) from approximately 132,000 GEICO customers between January 21 and March 1. According to the GEICO data breach notice, fraudsters used the information they acquired about customers elsewhere to obtain unauthorized access to people’s driver’s license numbers through the online sales system of their website. GEICO says that they believe the information from the breach could be used to apply for unemployment benefits fraudulently. Unemployment benefits fraud continues to impact consumers all over the U.S. There could be over $200 billion lost to the fraud. The ITRC has received over 1,400 cases of unemployment benefits fraud in 2020 and 2021, compared to only 12 cases in 2019.

The GEICO data breach is notable because the insurance company is very detailed in how the information could be used and what people need to keep an eye on. It is not often the ITRC sees this level of detail in a data breach notice.

Pennsylvania Department of Health

Insight Global, a company that has provided COVID-19 contact tracing services for the Pennsylvania Department of Health since 2020, failed to secure the private information of more than 72,000 people.  According to WSKG, a health department spokesman said they recently learned workers at Insight Global disregarded security protocols established in the contract and created unauthorized documents outside the state’s secure data system.

The information exposed in the Pennsylvania Department of Health data compromise includes phone numbers, email addresses and personal information such as gender, age, sexual orientation, COVID-19 diagnosis and exposure status. The Pennsylvania Department of Health does not know how many people may have viewed or downloaded the documents. Officials say notifications will be mailed to all affected Pennsylvania residents.

The Pennsylvania Department of Health data compromise is the latest third-party exposure to occur. According to the ITRC’s Q1 2021 Data Breach Report, there’s been a 42 percent increase in supply chain attacks, including 27 at third-party vendors impacting 137 U.S. organizations, and 19 supply chain attacks in Q4 2020.

ParkMobile Group

The parking app, ParkMobile, also suffered a data compromise due to a vulnerability in third-party software, affecting 21 million people. According to the ParkMobile notification letter, they became aware of the vulnerability and launched an investigation, which is still ongoing. Information exposed includes license plate numbers, email addresses, phone numbers, mailing addresses and vehicle nicknames. According to KrebsOnSecurity, the data appeared for sale on a Russian-language crime forum.

Anyone who uses the ParkMobile parking app, used by cities and universities across the U.S., could be at risk of falling victim to social engineering. While no sensitive information was exposed, if hackers get enough information about people, they can put all of the information they have gathered together to commit identity fraud.

What to Do if These Breaches Impact You

Anyone who receives a data breach notification letter should follow the advice offered by the company. The ITRC recommends immediately changing your password by switching to a 12+-character passphrase, changing the passwords of other accounts with the same password as the breached account, considering using a password manager and keeping an eye out for phishing attempts claiming to be from the breached company.  

GEICO encourages its customers to check their account statements and credit reports regularly for any suspicious activity.

The Pennsylvania Department of Health has set up a hotline (855.535.1787) for those concerned about the security of their information.

notified

For more information about April data breaches, or other data breaches, consumers and businesses should visit the ITRC’s data breach tracking tool, notified, free to consumers. 

Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.    

Contact the ITRC

If you believe you are the victim of an identity crime or your identity has been compromised in a data breach, you can speak with an ITRC expert advisor at no cost by phone (888.400.5530) or live-chat. Just go to www.idtheftcer.org to get started. 

  • The U.S. Attorney’s Office for the District of Maryland, working with the Homeland Security Investigations (HSI) in Baltimore, recently seized the fake COVID-19 vaccine website “Freevaccinecovax.org.”
  • The website collected personal information from people who visited it by asking them to download a PDF file to their device to apply for more information.
  • Interacting on a malicious website offering COVID-19 vaccines could lead to an array of identity crimes, including a phishing attack, malware attack and different forms of social engineering.
  • COVID-19 vaccines are not being sold online. Any link that claims to take someone to a website to purchase one is fake. To find a vaccine appointment online, people should go through their local department of health, pharmacy or health care provider.
  • For more information on fake COVID-19 vaccine websites, or if you believe you are a victim of a COVID-19 vaccine scam, contact the Identity Theft Resource Center toll-free by phone (888.400.5530) or live-chat on the website www.idtheftcenter.org.

Federal officials shut down a fake COVID-19 vaccine website after discovering the website was stealing people’s personal information for cybercriminal activity. According to Threatpost, the U.S. Attorney’s Office for the District of Maryland, working with Homeland Security Investigations (HSI) in Baltimore, seized “Freevaccinecovax.org,” “which purported to be the website of a biotechnology company developing a vaccine for the COVID-19 virus,” according to a news release on the office’s website.

Since the U.S. began administering the COVID-19 vaccines, cybercriminals have tried to take advantage of consumer’s desire for vaccinations. According to NBC 4 Washington, BrandShield, a global cybersecurity firm protecting some of the world’s largest pharmaceutical companies from cyberthreats, found a 4,200 percent increase in potentially fraudulent COVID-19 vaccine websites from January 2020 through the end of February 2021. The news of the latest malicious website highlights the importance of being cautious with COVID-19 vaccine websites and how to use them.

Who are the Targets?

People looking to receive the COVID-19 vaccine

What is the Scam?

Threat actors created “Freevaccinecovax.org” to collect personal information from people who visited the website to commit identity crimes like fraud, phishing attacks or to deploy malware. Threatpost says the fake COVID-19 vaccine website used trademarked logos for Pfizer, the World Health Organization (WHO) and the United Nations High Commissioner for Refugees (UNHCR) on its homepage to trick people into believing it was a legitimate site. The malicious website had a drop-down menu that asked users to apply for information by downloading a PDF file to their device.

What They Want

Identity criminals are after people’s personal information to commit phishing attacks, malware attacks, social engineering and other forms of identity-related fraud.

How to Avoid Being Scammed

To avoid a fake COVID-19 website:

  • Ignore websites trying to sell a vaccine. COVID-19 vaccines are not being sold online. Any link that claims to take you to a website to purchase one is fake.
  • Do not click on any posts or ads claiming to sell cures. Remember, if it seems too good to be true, it probably is.
  • If you are checking for a vaccine appointment online, make sure you do it through your local department of health, pharmacy or health care provider. Never follow a link randomly sent to you.

To learn more about COVID-19 vaccine scams, malicious websites, or if you believe you were on a fake COVID-19 vaccine website, contact the Identity Theft Resource Center toll-free by calling 888.400.5530. You can also visit the company website to live-chat with an expert advisor. Go to www.idtheftcenter.org to get started.  

  • The data of 533 million Facebook users has been published on a low-level hacker forum.
  • The information is believed to have been copied in 2019 or earlier from Facebook user pages and includes phone numbers, Facebook IDs, full names, birthdates, bios and email addresses.
  • The leaked data could help cybercriminals commit different forms of phishing attacks and other social engineering-based identity scams.
  • LinkedIn also recently suffered a similar attack, affecting over 500 million users and exposing user IDs, names, email addresses, phone numbers, professional titles and other work-related data.
  • The LinkedIn and Facebook data leaks are a great reminder to be careful what you share online. Users willingly posted all of the information copied from LinkedIn and Facebook into cybercriminal markets. If you don’t want to see the data in a hacker forum, don’t post it online.
  • To learn more, or if you believe you a victim of identity theft, contact the Identity Theft Resource Center toll-free by phone (888.400.5530) or live-chat. Just go to www.idtheftcenter.org to get started.

A recent Facebook data leak resulted in the personal data of more than 500 million users being copied (an often-legal process known as scraping) and later posted on a hacker forum. A similar attack happened with LinkedIn, leaving users to wonder what they could have done to prevent their personal information from being copied by data thieves. While the data was scraped from Facebook in 2019 because of a software flaw that the company says was patched the same year, the incident serves as a good reminder to be careful what you share online.

What Happened

According to Business Insider, a user in a low-level hacking forum scraped the phone numbers and personal data of 533 million Facebook users in 109 different countries – enough people to qualify as the third largest nation on Earth. The data file, published in a forum where identity information is bought and sold, includes more than 32 million records on users in the U.S. Information exposed in the Facebook data leak includes phone numbers, Facebook IDs, full names, birthdates, bios and email addresses.

What Does This Mean for You?

The scraped data from the LinkedIn and Facebook data leaks could help cybercriminals commit different forms of identity fraud, including phishing attacks and scams that require social engineering to convince you to give up even more personal information. Users should be on the lookout for phishing schemes or fraud using their own data.

Be Careful What You Share Online

While there is not a lot that Facebook and LinkedIn users can do to protect themselves from the latest incidents now, it is a great reminder to be careful what you share online to help prevent future identity fraud. The data thief did not gain access to the systems and steal private data. Instead, they copied (or scraped) information that people willingly posted on their own profiles and combined the information in a database that can be bought, sold or shared in criminal marketplaces.

If you post enough information about yourself online, hackers can connect the dots about your life, relatives and friends to commit identity fraud by pretending to be you. Be careful what you share online, including what you write in your posts and include in your profile. Also, check your privacy settings to ensure you are not sharing personal information with people you do not know or trust. A good rule of thumb is, “If you don’t want to see the data in a hacker forum, don’t post it online.”

Contact the ITRC

If you believe you were the victim of the latest Facebook data leak and want steps on how to protect yourself, or if you want to learn more about how to be careful what you share online, contact us. You can reach a contact advisor toll-free by phone (888.400.5530) or live-chat. You can find the latest resources on an array of identity-related topics. Just visit www.idtheftcenter.org to get started.

  • According to a report from Javelin Strategies, traditional identity theft is declining. However, what one might think of as identity theft is being replaced by identity fraud.
  • trend identified by the Identity Theft Resource Center (ITRC) in 2020. Cybercriminals continue to move away from mass data breaches of consumer information to more targeted attacks like phishing, ransomware and supply chain attacks.
  • There is no reason for consumers to panic. One record exposed is one too many, but one can’t determine the risk represented by a data breach based on the size of the breach. Knowing what records are exposed is far more important than how many records are compromised.
  • To learn about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notified. 
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org.

The Path is Smooth That Leadeth on to Danger

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for April 2, 2021. Each week, we look at the most recent and interesting events and trends related to data security and privacy. Last week we talked about the FBI’s most recent cybercrime report that shows an exponential increase in cybercrime and the losses associate with it. This week we look at how people can assess what that really means for them or their business.

In his poem, Adonis and Venus, Shakespeare wrote, “The path is smooth that leadeth on to danger.” That is the title of this week’s episode, reflecting how our desire for convenience often leads to risky behaviors.

Traditional Identity Theft is on the Decline

Let’s start with a good and bad news trend. A report from Javelin Strategies is the latest to show that “traditional identity theft” is declining. That’s good news. However, here is the “but” people may be expecting: what we think of as identity theft is being replaced by identity fraud.

Identity Fraud Cases Are on the Rise

What does that mean? It’s part of the general trend we’ve discussed where cybercriminals move away from mass data breaches of consumer information to more targeted attacks. Phishing, ransomware and supply chain attacks are good examples of the kinds of exploits that allow criminals to hit a company. The criminals reap hundreds of thousands of dollars from a single organization instead of the old-school way of attacking thousands of consumers.

However, less risk to individuals is not the same as low or no risk. In fact, the whole concept of identity fraud is based on using consumer behaviors to lure people into a scam. Maybe it’s a text that says someone’s Amazon account has been frozen, and the user needs to click on a link to verify their password to unlock it – and they do. They have just given them their login and password, which regulars of the podcast know are 10x more valuable to a data thief than a consumer’s credit card information.

Maybe someone gets an email from Google or Microsoft claiming their payment card is about to expire. All the user needs to click on is a link to log in and update their information. However, the email and login webpage are deep fakes, and the user just shared their login, password and credit card information with criminals.

All of these phishing techniques are predicated on our behaviors as humans, the need to instantly address any issue that appears by text or email in the most convenient way possible.

While different research reports come up with different identity fraud case totals, they all agree it is on the rise, and the dollar value starts with a B, as in billions. Right now, one might be thinking, “Well, that’s just great. Do I panic now or panic later?”

No Reason for Consumers to Panic

First, there is no reason to panic at all. People may have seen a media headline that talked about more records being exposed in data breaches in 2020 than in the past 15 years combined. While that is attention-grabbing, it’s not particularly meaningful.

One record exposed is one too many, but the reality is one can’t determine the risk represented by a data breach based on the size of the breach. Someone’s date of birth and Social Security number are two records. They may have been exposed thousands of times over the past 15 years, but they are still only two data points, and they don’t change.  However, the risk associated with each data point is very different.

Knowing what records are exposed is far more important than how many records are compromised. Knowing how to protect your own information is the most important information, and that’s where the ITRC can help.

Contact the ITRC

If anyone has questions about keeping their personal information private and how to protect it, they can visit www.idtheftcenter.org, where they will find helpful tips on these and many other topics. 

If someone thinks they have been the victim of an identity crime or a data breach and needs help figuring out what to do next, they should contact us. People can speak with an expert advisor on the phone, chat live on the web, or exchange emails during our normal business hours (6 a.m.-5 p.m. PST). Visit www.idtheftcenter.org to get started.  

Be sure to check out the most recent episode of our sister podcast, The Fraudian Slip. We will be back next week with another episode of the Weekly Breach Breakdown.  

  • A new Google Photo sharing scam is the latest attempt to steal your credentials to hack and access your accounts.
  • You receive a message claiming to be from Google Photo that says someone is sharing a photo album with you. You’re asked to log into your account, except the message isn’t real, and the criminals take off with your Google credentials.
  • If you receive a message you are not expecting or from someone you don’t know, don’t click on any link in the message.
  • If you want to learn more about the Google Photo sharing scam or if you are a victim, contact the Identity Theft Resource Center toll-free at 888.400.5530 or by live-chat. Just visit www.idtheftcenter.org to get started.

Scammers always try to find different ways to attack consumers. One new attempt is through a text or email that appears to come from Google Photo. The Identity Theft Resource Center (ITRC) recently received a suspicious message that appeared to be a legitimate attempt to share a Google Photo album. However, it was actually a phishing scam.

Like many phishing attacks, the Google Photo sharing scam is an attempt to steal your credentials. The tactic has become more common with cybercriminals shifting away from attacks seeking consumer information and towards attacks that target logins and passwords. 

Who is the Target?

Text message users; email users

What is the Scam?

You receive what appears to be a real attempt to share a Google Photo album. The message claims that someone has shared a photo album with you. However, there is no photo album. Once you click the “View Photo” link, you are prompted to another website to log into your Google account. Since the website captures the login information, you then provide the identity thieves with access to your credentials and account.

What They Want

It’s always easier to steal something when you have the key to a lock instead of having to break into where valuables are kept. Identity criminals want to access personal and work accounts because that’s easier and faster than trying to break into a system. The Google Photo sharing scam is a way for identity criminals to get the credentials needed to access and steal personal and company information. According to the FBI, email compromises cost U.S. businesses $1.8 billion, and phishing schemes cost individuals $54 million in 2020.

How to Avoid Being Scammed

  • Never click on a link in a suspicious or unexpected message. While the message might look legitimate, the links and attachments could still have malware. Instead, if the message comes from a “company,” reach out to the company directly to verify whether the message is real. If it comes from an unknown person, delete the message without clicking any links.
  • Check the URL link and be on the lookout for short links. Sometimes, there are signs in the link that give away it is a scam. For example, a link address might read “Goo.gle” instead of “Google.” You are more likely to see that when a link is shortened, a favorite tactic of cybercriminals. Another tactic is typing out a hyperlinked text to what looks like a legitimate website (like Google.com). However, it actually displays an unknown site when you hover over the link.
  • Use Multifactor Authentication (MFA) on important accounts. Even trained cybersecurity professionals fall for sophisticated phishing attempts that look real. That’s why it’s important to use MFA on any account that offers the feature. Use an authenticator app when possible – Microsoft and Google offer them for free – because they are more secure than just having a code texted to your mobile device. With MFA in place, having your login and password won’t help a criminal access your protected accounts.
  • Never reuse or share passwords. Criminals steal logins and passwords because they know most people use the same password on multiple accounts. Too many people also use the same passwords at home and work. Make sure each account has a unique password that is at least 12 characters long.

If you believe you are a victim of a Google Photo sharing scam or would like to learn more, contact the ITRC toll-free. You can call (888.400.5530) or use the live-chat function on the company website. Just go to www.idtheftcenter.org to get started.   

  • The third round of stimulus payments is on the way. Scammers are aware, too, which means another round of scams as well.
  • Remember, the Internal Revenue Service (IRS) will not text, email or call anyone about a stimulus payment. If someone receives an unsolicited message from someone claiming to be with the IRS, it is probably a stimulus payment scam. Consumers should contact the IRS directly to verify before they respond. 
  • Offers that require people to pay to receive a stimulus benefit or to use a service to get a payment faster are also signs of a stimulus payment scam. 
  • Consumers can track their new stimulus checks once they are sent. Then can visit the IRS “Get My Payment” page to follow their payments.  
  •  To learn more about stimulus payment scams, the new stimulus payment or if someone suspects they are the victim of a stimulus scam, they can contact the Identity Theft Resource Center toll-free at 888.400.5530 or by live-chat on the company website.  

New Stimulus Payments Approved by Lawmakers 

Lawmakers voted to approve the third stimulus package since the coronavirus pandemic. The package includes a $1,400 stimulus payment for anyone who earns $75,000 or less (the payments start to phase out at $75,000), extends jobless aid supplement and programs making more people eligible for unemployment insurance, and much more. However, it could mean more stimulus payment scams.

Late in 2020, lawmakers agreed on a new stimulus package, which included a $600 stimulus payment for anyone who earned $75,000 or less. There was also a reduced payment for anyone who made $75,000-$99,000.

In the spring of 2020, the first batch of stimulus payments assisted Americans in need of financial relief due to the economic impacts of COVID-19. Criminals took advantage of the situation by offering to help benefit recipients speed access to their stimulus funds. Criminals stole checks from nursing home residents, out of people’s mailboxes, and even from postal trucks. The Identity Theft Resource Center (ITRC) saw some of those methods used to steal identity information and stimulus payments the second time around, and expect to see it again. The ITRC has also had a sharp rise in reported stolen stimulus payments and stimulus payment scams cases.

As of March 10, 2021, the Federal Trade Commission (FTC) had logged more than 382,000 consumer complaints related to COVID-19 and stimulus payments totaling more than $366 million in losses. Two-thirds of the complaints involved fraud or identity theft. The median fraud loss per person is $325.

New stimulus checks mean more scams are on the way. With more stimulus payment fraud expected, consumers should know how to spot a scam and what to do if an identity criminal contacts them.

Possible Stimulus Payment Scams 

According to the Washington Post, researchers recently discovered a campaign of thousands of emails that sought to trick Americans into filling out a phony form to “apply” for American Rescue Plan checks from the IRS before the third stimulus package was even passed by congress. The emails encouraged recipients to download an Excel sheet that launched malicious software that steals personal banking information and other login credentials once downloaded.

Criminals use different schemes to trick people, and they can be expected to do the same this time, as seen above. Here are a few things for people to watch for that indicate that someone might be the target of a stimulus payment scam:

  • Text messages and emails about stimulus payments – Criminals use text messages and emails to send malicious links in hopes that people will click on them to divulge personal information or insert malware onto someone’s device. If anyone receives a text message or email about a stimulus check or direct deposit with a link to click or a file to open, they should ignore it. It’s a scam because the IRS will not contact anyone unsolicited by text, email or phone to discuss a stimulus payment. 
  • Asked to verify financial information – The IRS will not call, text or email anyone to verify their information. If information needs to be confirmed, people will be directed to an IRS web page. This includes retirees who might not typically file a tax return.  
  • A fake check in the mail – Anyone who earns $75,000 or less will get $1,400. People who make between $75,000-$80,000 will receive a reduced amount. Anyone who gets a check and has questions about the amount, or thinks the check seems suspicious, should contact the IRS.
  • Offers for faster payments – Any claim offering payment faster through a third-party is a scam. All new stimulus checks will come from the IRS, and the IRS says there is no way to expedite a payment.  
  • Pay to get a check – No one has to pay to receive a stimulus check. New stimulus checks will be deposited directly into the same banking account used for previous stimulus payments or the most recent tax refund. If the IRS does not have someone’s direct deposit information, a check or prepaid card will be mailed to the last known address on file at the IRS.
  • Stolen checks – The ITRC has received numerous complaints from consumers about their stimulus checks being stolen. If anyone believes their payment is stolen, they should visit IDTheft.gov, where they can report, “Someone filed a Federal tax return – or claimed an economic stimulus payment – using my information.”

What to Do If You’re a Victim of Stimulus Payment Scams 

 If anyone believes their information may have been compromised or their stimulus payment was stolen, the IRS suggests people report it to the IRS and FTC simultaneously through IdentityTheft.gov. If anyone wants to learn more about stimulus payment scams or if someone believes they are the victim of a stimulus payment scam, they may also contact the Identity Theft Resource Center toll-free. Consumers can call (888.400.5530) or live-chat on the website. People can go to www.idtheftcenter.org to get started.

The post was originally published on 12/22/20 and was updated on 3/10/21