On November 3rd, citizens will cast their votes for governors, state officials, or members of Congress, either continuing to support the incumbent or opting to make a change with a new candidate. In any event, campaigning and elections are big business…especially for scammers.

With so much discussion about the mid-term elections, thieves have launched a wide variety of election season scams to steal personally identifiable information, financial resources, or both.

1. Phishing attempts – Candidates and political parties rely on emails and phone calls to connect with voters, and scammers are using the same tactics. By posing as members of a campaign, scammers target their victims with phony donation requests, fake news articles that encourage them to click and input their information to read, and more. The goal in these scams isn’t just money, but also access to your personal data.

2. Donation requests – It takes a lot of money to put on an effective campaign, so political candidates often request donations, host fundraisers, and more. Thanks to online platforms, candidates or their team members can request money via social media and platforms like GoFundMe or PayPal. However, the natural mechanism that allows candidates to do that effectively also means a scammer can do it, too. Be on your guard for similar names, “patriotic”-sounding organizations, and issue or party-centric groups that are not actually affiliated with anyone campaigning.

3. Fake robocalls – There have already been reports of robocalls associated with particular candidates for promotional purposes, and remember, charitable organizations and political ads are two of the categories that are exempt from the Do Not Call registry. However, some of the robocalls have not only been spoofed or used stolen recordings of the candidates, but have also been highly offensive and designed to get the listener to interact.

So how are you supposed to protect yourself from election season scams? By using the exact same good habits that are designed to keep you safe from scams throughout the year. Never give out your information or verify your identity to someone who contacts you; never make a spur-of-the-moment donation or spontaneously pay a fee, fine, or bill; remember that anyone can create an email account or website, and it doesn’t take any effort or know-how to copy or mimic an existing organization.

Keep your identity and your finances secure by being cautious about how you interact with the campaign process this year…and don’t forget to vote!

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Natural disasters and large-scale emergencies are part of our reality, no matter how much we wish that weren’t true. Since you cannot prevent the next earthquake, wildfire, or hurricane, you can make sure you have a plan to be identity safe for when a disaster strikes.

While other knowledgeable sources will help you determine how much clean water or prescription medications you need to store, the Identity Theft Resource Center wants you to plan for a different emergency aspect: identity theft protection and fraud prevention during events like these.

Scammers Prey During Vulnerable Times

Identity theft is a threat when any disaster strikes. After a natural disaster, documents may be accessible to looters who can steal them and commit identity theft with your personal information.

The National Center for Disaster Fraud (NCDF) was created in 2005 to improve and further the detection, prevention, investigation and prosecution of fraud related to natural and human-made disasters, and to advocate for the victims of such fraud. Since their creation, they have had over 100,000 disaster fraud complaints.

Make a Plan

September is National Preparedness Month, and the Federal Trade Commission urges all people to make a plan.

In any emergency, you may have to prove your identity while also being cut off from access to your important papers. During the aftermath of a dangerous event, you may need to be able to access your funds and deal with insurance agents, contractors, maintenance specialists and more.

Secure and Access Your Documents and Funds

Your personal papers can play a strange role during a crisis. They are both proof that you are who you say you are and a hot commodity for scams, fraud and theft.

Keep them protected at all times, be able to access them in a crisis, but do not let them fall into the wrong hands.

Remember, if you’re evacuating in a sudden emergency like a house fire or flash flood, your documents are not necessary for receiving medical care, emergency housing or other basic needs.

However, there will be instances where you need to provide some proof. When planning your emergency supplies, consider including a small, password-protected flash drive that holds pictures of critical documents to keep yourself identity safe. You will not endanger your originals—or leave them stored unsafely when not needed—but you can call them up when the emergency has passed.

For every other time, make sure you secure your papers from harm and theft in a safe deposit box, home fire safe or another protected place.

As part of any preparedness plan, you need to know how you will get to your money and your insurance documents if you need them. Emergency medical services should be provided without documentation or money to those in crisis. Still, if you’re able to provide things like medical insurance cards for less serious issues, it might be helpful.

To stay identity safe, place your expired medical insurance cards in your preparedness items. That way, the hospital will at least have the information they need to contact your provider and verify your current coverage.

To be prepared, make sure your documents are always stored together in a safe place. If you need access to them, you can grab the entire bundle of birth certificates, marriage certificates, property deeds, Social Security cards and more.

If a disaster separates you permanently from your important papers, contact the proper authorities as soon as it’s safe and feasible to do so.

Beware of Scams

Scammers and fraudulent individuals use news of significant events as a gateway to target victims with everything from repair scams to fake government handouts.

If someone demands your driver’s license or Social Security card before they’re willing to provide assistance, you might be dealing with a scammer. Be careful about who you deal with after an event, and get all price quotes in writing before work begins.

If you are unsure or uncomfortable with anyone you encounter, even if they claim to be a state or federal emergency management official, do not give out your personal information. It will keep you identity safe when a disaster strikes.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Summer has arrived, and usually that signals summer vacations, fun in the sun and time to enjoy summertime events. With the COVID-19 pandemic still impacting people in many ways, some summer plans will look different. It won’t stop scammers from targeting victims, but 2020 summer scams could have a different spin than summer scams in years past.

Employment Scams

Typically, employment scams are a hot summer scam because teachers, school transportation drivers, high school/college students and residents of resort areas look to make some extra money in the summer months. While that may end up still being the case, employment scams could be a 2020 summer scam because over 40 million people are unemployed due to COVID-19 and areas are now loosening restrictions.

Some telltale signs that a job might not be genuine include high hourly rates for minimal work, requirements to pay for supplies and materials, offers that request consumers to provide their sensitive identity credentials (driver’s license or Social Security number) to apply and offers that contain misspellings, vague information or links to click and software to download.

Loyalty Account Scams

Travel is usually at its peak in the summer months as families and friends embark on their vacation plans. However, travel is down due to the coronavirus and it is unknown how many people will be willing to take the risks associated with traveling. That is why scammers may attack loyalty accounts.

A popular 2020 summer scam could end up preying on loyalty accounts because people are not flying and staying at hotels. If anyone receives a message regarding a loyalty account, they should ignore it and reach out to the proper company directly. However, scammers could still strike with too-good-to-be-true offers or create fake websites and steal photos of real properties to lure in their victims. Travelers should avoid any high-pressure (e.g., “Book NOW to receive”) opportunities or messages about their accounts and investigate thoroughly before proceeding.

Moving Scams

Summer is a popular time to move, whether it is recent graduates or families waiting for their kids to finish the school year. Moving scams can still strike at any time. That means moving scams may make a resurgence as a popular 2020 summer scam. There are many different types of moving scams, but some of them involve taking information, including PII and payment card information, charging hidden fees, and companies that change their names to circumvent bad reviews.

Ticket Scams

Outdoor concerts, music festivals and big-name concert tours are great summer fun. Ticket scams could be a popular 2020 summer scam, not because there will be concerts, music festivals and sporting events going on, but because sports and other outdoor activities have many unknowns regarding how ticket sales and refunds will work. Scammers can take advantage of the confusion by overcharging for an event through a fake website that steals people’s information and by selling a fake ticket. Scammers have sent messages previously regarding ticket refunds with links to click or files to download. People should only purchase tickets from trusted retailers. If anyone gets a message they are not expecting about a ticket sale or refund, they should ignore it and contact the retailer directly.

Social Media Scams

People’s Facebook accounts and Instagram accounts are also a target when the weather turns warm. Everything from romance scammers and phishing attempts to burglars who scope out who is not home based on their posts can lead to harm. COVID-19 romance scams are already making the rounds and scammers could continue to use that tactic.

People should be mindful of what they post online. Also, they should beware of friend requests from accounts they do not recognize or requests from people they thought they were already connected with (i.e., hacked or spoofed accounts). Finally, people should make sure they are not oversharing or giving away too many details to anyone who can see them. Remember, there are things on social media accounts that could be used to determine the challenge questions for other more sensitive accounts (date of birth, pet’s name, mother’s maiden name, etc.).

If anyone falls for a summer scam or potentially self-compromises their identity information, they can live-chat with an Identity Theft Resource Center expert advisor who will help guide them through the next steps to take. They can also call toll-free at 888.400.5530.

Video game giant Nintendo announced their investigation of a data breach after users began reporting suspicious activity. As part of the Nintendo data breach investigation, the company found that at least 300,000 accounts may have been compromised by unauthorized users due to an issue with legacy login procedures. On 4/29/2020 security provider SpyCloud announced that credential stuffing was the cause of the Nintendo data breach. However, Nintendo would not confirm or deny.

Legacy login systems allow longtime customers the ability to log into updated or revamped platforms for companies they have used in the past. Their old logins enable them to access a new site within the same company without having to create an entirely new account—or lose their previously stored information.

As Nintendo has gone through a variety of iterations over the years, Nintendo’s login system made sense for some time. For example, users who had created a Nintendo Network ID (NNID) for the 3DS system or Wii U did not have to establish brand-new Nintendo accounts now that they were Nintendo Switch owners. Unfortunately, due to the Nintendo data breach, the NNID legacy system was compromised by malicious actors, which allowed unauthorized access to certain accounts. This gave the hackers access to those users’ stored payment methods, including PayPal accounts and payment cards that were stored on file.

The card numbers and account numbers were not accessible. The only thing hackers could do with the cards was make purchases in the Nintendo system for things like V-Bucks, a virtual currency used in the game Fortnite. However, NNIDs that were linked to Nintendo accounts may have also compromised information like usernames, email addresses and birthdates, all of which can be used to target victims with spam, phishing attempts and ransomware.

The legacy NNID was being used to gain access to the current Nintendo network, and with it the current payment methods. That creates a single point of failure.

Due to the Nintendo data breach, the video game company launched a forced reset for the affected passwords and disconnected the ability to use an NNID to log into a Nintendo account. For all account holders, the company recommends activating two-factor authentication to protect these accounts. This incident serves as a reminder that old or reused login credentials can still be used for harm, and should, therefore, be protected and updated frequently or canceled if no longer used. If someone has been affected by the Nintendo data breach, they can call the Identity Theft Resource Center toll-free at 888.400.5530, or live chat with an expert advisor.

In what has become a common occurrence, another company—this time a credit card payment processing start-up—has suffered an accidental overexposure. A Paay data exposure left credit card details and transactions exposed for anyone to see. Accidental overexposures happen when a database of information is stored in an online or cloud-based server, then the information’s owner fails to protect it with a password. The result is the data housed in the database is open for anyone to discover online.

The New York-based processor acknowledged on April 3 that the incident happened after the data was discovered by a security researcher. The researcher contacted TechCrunch for help in verifying the information and notifying the company so they could take protective steps. After further review, Paay discovered that the database involved had been unsecured for about three weeks, containing more than two million separate card transaction records dating back to September 2019.

One of the major factors in several data breaches recently is the failure to protect information that the company did not even realize they had. Experts have cautioned businesses to delete information they do not need to store and to stop collecting information that they do not need. In this case, it appears that Paay might not have been aware they stored credit card numbers and then failed to protect that data as a result.

Paay will issue data breach notification letters to the individual consumers whose numbers were left exposed in the Paay data exposure. While expiration dates were visible in this incident, no security codes or account holders’ names were compromised. In the event anyone’s card number was exposed, it is a good idea to contact their financial institution for a new card number. Those affected should also monitor their accounts closely for any suspicious activity and unauthorized transactions.

In the Paay data exposure or any other incident, anyone who suspects their identity has been used fraudulently should file a police report. If anyone needs further assistance, they can call the Identity Theft Resource Center toll-free at 888.400.5530, or live chat with an expert advisor. The ITRC also offers a free app for iOS and Android called the IDTheftHelp app, which offers resources, a location to store the steps victims have completed and the option to chat with an agent.

Canadian toymaker Ganz, owner and developer of the popular Webkinz platform for children, recently announced that a malicious, unauthorized actor had accessed 23 million usernames and passwords as part of the Webkinz data breach. The credentials accessed were the users’ platform account data, the majority of which are routinely accessed by young Webkinz users.

Webkinz is an online and app-based platform in which users “adopt” a virtual pet after buying its plush counterpart. The plush’s code is entered into the user’s account and the user can play with his/her pet online. The platform also features an arcade section with both entertainment-based and educational games that let the players earn virtual money to take care of their pets, design homes for them and more. One feature of the platform allows users to send pre-selected, approved phrases to each other and compete against one another in certain challenges. No information is shared or exchanged in those interactions.

The company’s statement indicated that usernames and hashed passwords (passwords that are a scrambled representation of themselves) were the only information accessed, but that does not mean there isn’t cause for concern. A hash is not encryption and cannot simply be reversed, but hashed passwords can still be recovered if hackers have the means to do so, typically by hashing large numbers of guessed passwords and comparing the results. Reused passwords, or passwords that account holders use on multiple websites—especially in conjunction with the same email address that was used to create the account—can lead to the takeover of other accounts once hackers have compromised the first one.

While reusing passwords is convenient, it is more important now than ever that passwords are strong enough to withstand automated software that can make many password attempts per second, and that passwords are not used on more than one website or account.

The Webkinz parent company Ganz issued a statement on its website, notifying users of the incident. They recently launched a forced reset in response to the matter, but also recommend that users change their passwords on any other accounts where they may have used these same login credentials. This is a strong reminder for Webkinz users, especially those who used the platform as children but are now adults, who may be using the same email/password combination.

It is not yet known whether or not the data compromised in the Webkinz breach is archived or active account information. However, in the company’s statement, they said they have not and do not collect more sensitive information.

The Webkinz data breach also highlights the importance of parents doing what they can to reduce their children’s risks online. Parents should make sure their kids are not oversharing information, teach them how to keep their information safe and talk to them about good internet behavior. If kids know how to spot a fake message online, to not click any links they do not recognize and limit the amount of information they share on their social media profiles, they will reduce their risk of falling victim to child identity theft.

If anyone believes they have fallen victim to identity theft, or have had their information exposed in the Webkinz breach, they can call the Identity Theft Resource Center toll-free at 888.400.5530 or live chat with an expert advisor on the next steps to take.

More than 7,000 businesses applying for emergency loans may have had their personal information exposed by a Small Business Administration (SBA) data exposure. The SBA’s failure to secure the data, which was discovered on March 25, was due to a programming error in the administration’s online application portal for Economic Injury Disaster Loans (EIDL).  

According to POLITICO, the application system may have disclosed personal information to other applicants of the program. Some of the personal information from the SBA data exposure may have included Social Security numbers, contact information, names, addresses and income amounts.

According to the SBA, the Paycheck Protection Program (PPP) was not affected because it began April 3 and is also handled by a separate online system. However, businesses that applied for an EIDL were notified about the Small Business Administration data exposure and have been offered one year of free credit monitoring services.

In a statement, the SBA said “We immediately disabled the impacted portion of the website, addressed the issue and relaunched the application portal. SBA continues to process applications submitted via email, paper and online.”

While exposing business data might not always rise to the same level of risk as personal data, personal and business data is often co-mingled when the business entity is a small business. Due to that, it is important that people impacted by the SBA data exposure protect both sets of data by freezing their personal and business credit if both are involved. The Identity Theft Resource Center (ITRC) also recommends that those who could have been impacted monitor their accounts carefully for any suspicious activity, change the passwords for any accounts with sensitive information and consider the free credit monitoring services that are being offered.

If anyone believes they are a victim of identity theft or have had their information exposed due to the Small Business Administration data exposure, they are encouraged to call the ITRC toll-free at 888.400.5530 or to live chat with an expert advisor. Advisors can help small businesses – who utilize a personal Social Security number – and consumers create an action plan that is tailored to their unique circumstances. Victims can also download the ITRC’s ID Theft Help App where they can track their steps in a customized case log. Documenting the process post-breach is more important now than ever with the recent requirements of victims to provide proof in order to receive compensation after a data breach settlement.

Scammers are looking to scare people into falling for a COVID-19 contamination scam that contains a link that is designed to steal personal information.  Scammers are sending potential victims a text message informing them that someone they know tested positive for the coronavirus. However, it is just a trap.

Who Is It Targeting: Text message users

What Is It: A phishing scam based on fears of COVID-19

What Are They After: Text message users have reportedly received alerts that someone they know has tested positive for COVID-19. The message instructs them to self-isolate immediately, and then to click the link for further information and action. However, it is all part of a COVID-19 contamination scam. Police have warned that the link is likely designed to steal people’s personal data.

How Can You Avoid It:

  • Stay informed; COVID-19 information is not yet being shared this way
  • Never click a link, download an attachment or open a file that you were not specifically expecting
  • Follow trusted sources like the CDC or your local EMA for accurate information on the virus

If you think you may be a victim of identity theft or a COVID-19 contamination scam, contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530 or live chat with an expert advisor. Find more information about current scams and alerts here. For full details of this scam check out this article from

With news of the economic hardship surrounding the containment of COVID-19, scammers are out in full force trying to get consumers to fall for CashApp scams by clicking on fraudulent and malicious links that could steal people’s money and identity.

Who Is It Targeting: Social media users, email recipients, text messaging platforms

What Is It: A phishing scam that claims to donate money to its victims

What Are They After: Like all newsworthy events, scammers have come up with a variety of ways to capitalize on the current concerns surrounding COVID-19 in order to steal money, identities or both. In this version, messages offer the would-be victims free money via CashApp to help them through this difficult time, with a link to participate. However, since it is a CashApp scam, the link is fraudulent and malicious and can lead to problems for anyone who follows it.

How Can You Avoid It:

  • No one will ever contact you out of nowhere to give you money
  • Never click a link, download a file or open an attachment that you were not expecting
  • Never input your login credentials for someone who requests them

If you think you may be a victim of identity theft or a CashApp scam, contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530, or live chat with an expert advisor. Find more information about current scams and alerts here. For full details of this scam check out this article from

The IRS has started distributing stimulus check payments to the nearly 140 million Americans that are eligible. While many have received their stimulus payment through direct deposit, according to CNN, 60 million Americans are still waiting for their money.

The IRS created a portal in hopes that people would be able to check the status of their stimulus check payment. However, due to overload and glitches being worked out, the website has not worked for everyone.

One reason why people might not have received their stimulus check payment is because they are victims of tax identity theft. However, there are many other reasons why people might not have received their payment that they should explore first:

1. People who are not normally required to file a tax return. Individuals who make less than $12,200 a year (or less than $24,400 for married couples) are generally not required to file a tax return. For the process of receiving a stimulus check payment, these people have to enter their information into a new IRS portal to get their money.

2. Someone’s refund went to a temporary account that was set up by a tax preparer. According to a report by WALA-TV, when people use tax preparation services, sometimes a temporary account is set up to handle the transactions, which could lead to a longer wait for a stimulus check payment.

3. Not everyone got a federal tax refund in 2018 or 2019. Some consumers did not get a refund after their last two tax filings. In fact, if someone owed taxes the last two years, they could still qualify for the stimulus. Only consumers who received a refund from the IRS to a direct deposit account will be processed for stimulus direct payment.

4. Some people’s refunds might have gone to an old bank account. This could happen if someone filed their 2018 tax return with bank account information that is no longer valid and has yet to file a 2019 tax return. For people who have not filed their 2019 tax returns, the IRS is using information from their 2018 tax refunds.

5. Some people might have filed a paper return in 2019. People who filed their taxes with paper returns will mostly receive their stimulus check by mail because the IRS has stopped processing paper returns until they can reopen their centers.

6. It has been seized by a private debt collector. If someone owes money for private student loans, credit cards or medical bills, their stimulus check could be at risk. The CARES Act does not restrict private debt collectors from taking the check to pay off debt.

7. If there is anyone who does not fall under any of the categories listed above, they could be a victim of tax identity theft. The Identity Theft Resource Center (ITRC) is receiving calls and live chats from victims claiming their stimulus checks were intercepted. According to the Treasury Inspector General for Tax Administration, the agency has already begun to see scammers pose as the IRS to get personal information from payment receipts they can use to steal money. While the IRS Criminal Investigation Unit is doing what they can to combat the problem, they have seen scams that are preying on vulnerable individuals who are not sure how they will get their stimulus check payment.

To avoid falling victim to tax identity theft due to the stimulus check, consumers are urged to not respond to any messages they receive that they are not expecting. Instead, they should contact the company, organization, or entity directly to verify the validity of the message. Also, it is important for people to stay informed about what is happening. The IRS will not contact anyone asking for personal information. If someone receives a phone call, email or text message claiming to be the IRS, it is probably a scam.

If anyone thinks their stimulus check landed in the hands of a thief, they can visit to get started on a personal recovery plan.

If someone believes they are a victim of tax identity theft, they can live chat with an ITRC expert advisor. They can also call toll-free at 888.400.5530. Callers are encouraged to leave a message due to advisors working remotely. However, they will return calls as quickly as they can.
