Ever wonder whether you are getting a fact or just an opinion on important matters? Knowing what to look for and knowing how to spot the truth are two different skills, and both matter if you want the information you need to make progress in life.
Consider this: A boss says, "I think your services in this particular line of work are worth X amount of dollars." That's one person's opinion. Want the straight facts? Visit www.salary.com and find out what the statistics are saying.
Consider this: An appraiser opines that your house is worth X amount of dollars. The "appraisal" is one man's opinion. Want to know for sure? Check out www.Zillow.com and see what the houses are running in your neighborhood, or ask a qualified real estate agent who specializes in residential real estate for a second opinion.
Consider this: A used car dealer says he'll give you a trade in on your car and says it's only worth $1,500. Visit www.kelleybluebook.com to get a good assessment.
There's a lot to be said when it comes to considering opinions and looking at facts. Make sure you check your facts before settling with an opinion. Otherwise, it might cost you more than you realize.
Michael L Hathman
VP - Smart Solutions Financial Services, LLC
636-533-4070
www.SmartSolutionsCreditRepair.com
Info@SmartSolutionsFS.com
Monday, August 23, 2010
Tuesday, August 17, 2010
The Fair & Accurate Credit Transactions Act (FACTA)
When it comes to identity theft and credit, everyone should know their rights. So, as a courtesy, I am reposting the FACTA here. If you don't understand your rights under the law, please consult with a licensed attorney who is familiar with consumer law.
Here it is (in summary):
IDENTITY THEFT RED FLAGS AND ADDRESS DISCREPANCIES UNDER THE FAIR AND
ACCURATE CREDIT TRANSACTIONS ACT OF 2003
On November 9, 2007, the Federal Trade Commission published final rules implementing part of the Fair and Accurate Credit Transactions Act of 2003 (FACTA) regarding the duties of creditors, card issuers and users of consumer reports with respect to the prevention of identity theft. These new regulations went into effect on January 1, 2008 and compliance is required by November 1, 2008. The regulations are organized in three parts which are summarized in this memo.
I. Duties of Users of Consumer Reports Regarding Address Discrepancies
This regulation is set forth at 16 CFR 681.1 and applies to users of consumer reports that are subject to administrative enforcement of the Fair Credit Reporting Act (FCRA) by the Federal Trade Commission (FTC) pursuant to 15 U.S.C. 1681s(a)(1). A user is someone who obtains a consumer report from a consumer reporting agency for a purpose permitted by FCRA, such as for employment or credit purposes. A university that obtains consumer reports would be subject to this regulation.
A user of consumer reports has the following duties:
1. A user must develop and implement reasonable policies and procedures designed to enable the user to form a reasonable belief that a consumer report relates to the consumer about whom it has requested the report, when the user receives a notice of address discrepancy. A notice of address discrepancy means a notice sent to a user by a consumer reporting agency, that informs the user of a substantial difference between the address for the consumer that the user provided to request the consumer report and the address(es) in the agency's file for the consumer.
Examples of reasonable policies and procedures that a user may implement to enable the user to form a reasonable belief that a consumer report relates to the consumer about whom it has requested the report are:
(i) Comparing the information in the consumer report provided by the consumer reporting agency with information the user:
(A) Obtains and uses to verify the consumer's identity;
(B) Maintains in its own records, such as applications, change of address notifications, or other customer account records; or
(C) Obtains from third-party sources; or
(ii) Verifying the information in the consumer report provided by the consumer reporting agency with the consumer.
2. A user must develop and implement reasonable policies and procedures for furnishing an address for the consumer that the user has reasonably confirmed is accurate to the consumer reporting agency from whom it received the notice of address discrepancy when the user:
(i) Can form a reasonable belief that the consumer report relates to the consumer about whom the user requested the report;
(ii) Establishes a continuing relationship with the consumer; and
(iii) Regularly and in the ordinary course of business furnishes information to the consumer reporting agency from which the notice of address discrepancy relating to the consumer was obtained.
The user may reasonably confirm an address is accurate by:
(i) Verifying the address with the consumer about whom it has requested the report;
(ii) Reviewing its own records to verify the address of the consumer;
(iii) Verifying the address through third-party sources; or
(iv) Using other reasonable means.
3. The policies and procedures developed in accordance with paragraph 2 above must provide that the user will furnish the consumer's address that the user has reasonably confirmed is accurate to the consumer reporting agency as part of the information the user regularly furnishes for the reporting period in which it establishes a relationship with the consumer.
II. Duties of Creditors Regarding the Detection, Prevention, and Mitigation of Identity Theft.
This regulation is set forth at 16 CFR 681.2 and applies to financial institutions and creditors that are subject to administrative enforcement of the FCRA by the FTC pursuant to 15 U.S.C. 1681s(a)(1). The term "creditor" means any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit. 15 U.S.C. 1681a(r)(5). The term "credit" means the right granted by a creditor to a debtor to defer payment of debt or to incur debts and defer its payment or to purchase property or services and defer payment therefor. 15 U.S.C. 1681a(r)(5). A university that meets the definition of a creditor would be subject to this regulation.
1. Each creditor must periodically determine whether it offers or maintains covered accounts. As a part of this determination, a creditor must conduct a risk assessment to determine whether it offers or maintains covered accounts. An Account means a continuing relationship established by a person with a financial institution or creditor to obtain a product or service for personal, family, household or business purposes. A covered account is:
(i) An account that a creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account; and
(ii) Any other account that the creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.
Such risk assessment should take into consideration:
(i) The methods it provides to open its accounts;
(ii) The methods it provides to access its accounts; and
(iii) Its previous experiences with identity theft.
2. Each creditor that offers or maintains one or more covered accounts must develop and implement a written Identity Theft Prevention Program (Program) that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. The Program must be appropriate to the size and complexity of the creditor and the nature and scope of its activities. The Program must include reasonable policies and procedures to:
(i) Identify relevant Red Flags for the covered accounts that the creditor offers or maintains, and incorporate those Red Flags into its Program. A Red Flag means a pattern, practice, or specific activity that indicates the possible existence of identity theft;
(ii) Detect Red Flags that have been incorporated into the Program of the creditor;
(iii) Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft; and
(iv) Ensure the Program (including the Red Flags determined to be relevant) is updated periodically, to reflect changes in risks to customers and to the safety and soundness of the creditor from identity theft.
3. Each creditor that is required to implement a Program must provide for the continued administration of the Program and must:
(i) Obtain approval of the initial written Program from either its board of directors or an appropriate committee of the board of directors;
(ii) Involve the board of directors, an appropriate committee thereof, or a designated employee at the level of senior management in the oversight, development, implementation and administration of the Program;
(iii) Train staff, as necessary, to effectively implement the Program; and
(iv) Exercise appropriate and effective oversight of service provider arrangements.
4. Each creditor that is required to implement a Program must consider the guidelines in Appendix A of the regulations and include in its Program those guidelines that are appropriate.
III. Duties of Card Issuers Regarding Changes of Address.
This regulation is set forth at 16 CFR 681.3 and applies to a person described in 681.2 that issues a debit or credit card (card issuer). The term "debit card" means any card issued by a financial institution to a consumer for use in initiating an electronic fund transfer from the account of the consumer at such financial institution, for the purpose of transferring money between accounts or obtaining money, property, labor, or services. 15 U.S.C. 1681a(r)(3). The term "financial institution" means a State or National bank, a State or Federal savings and loan association, a mutual savings bank, a State or Federal credit union, or any other person that, directly or indirectly, holds a transaction account (as defined in section 461(b) of title 12) belonging to a consumer. The term "transaction account" means a deposit or account on which the depositor or account holder is permitted to make withdrawals by negotiable or transferable instrument, payment orders of withdrawal, telephone transfers, or other similar items for the purpose of making payments or transfers to third persons or others. To the extent a University issues campus cards which can be used as debit cards to make electronic funds transfers from a transaction account to off-campus merchants, such a University would be subject to this regulation.
1. A card issuer must establish and implement reasonable policies and procedures to assess the validity of a change of address if it receives notification of a change of address for a consumer's debit or credit card account and, within a short period of time afterwards (during at least the first 30 days after it receives such notification), the card issuer receives a request for an additional or replacement card for the same account. Under these circumstances, the card issuer may not issue an additional or replacement card, until, in accordance with its reasonable policies and procedures and for the purpose of assessing the validity of the change of address, the card issuer:
(i) Notifies the cardholder of the request:
(A) At the cardholder's former address; or
(B) By any other means of communication that the card issuer and the cardholder have previously agreed to use; and
(C) Provides to the cardholder a reasonable means of promptly reporting incorrect address changes; or
(ii) Otherwise assesses the validity of the change of address in accordance with the policies and procedures the card issuer has established pursuant to section II above.
2. A card issuer may satisfy the requirements of paragraph 1 of this section if it validates an address pursuant to the methods in paragraph (1)(i) or (1)(ii) of this section when it receives an address change notification, before it receives a request for an additional or replacement card.
3. Any written or electronic notice that the card issuer provides under this paragraph must be clear and conspicuous and provided separately from its regular correspondence with the cardholder.
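The change-of-address check in section III, paragraphs 1 and 2, can be run as a rule over an account's event history. The sketch below is an added example, not part of the original post or of the regulation; the event names, the channel labels, the treatment of a cardholder dispute as a hold, and the sample events are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# The summary says "at least the first 30 days" after the address change
# notification; an issuer may choose a longer window.
REVIEW_WINDOW = timedelta(days=30)
# Channels standing in for 1(i)(A) and 1(i)(B). Labels are hypothetical.
ACCEPTED_CHANNELS = {"former_address", "agreed_channel"}


@dataclass(frozen=True)
class Event:
    at: datetime
    kind: str  # address_change | cardholder_notified | program_assessment | cardholder_dispute
    channel: str = ""              # cardholder_notified: where the notice went
    reporting_means: bool = False  # cardholder_notified: 1(i)(C) satisfied
    result: str = ""               # program_assessment: "valid" or "invalid"


def evaluate_card_request(events, requested_at, window=REVIEW_WINDOW):
    """Return (decision, reason) for an additional/replacement card request."""
    changes = [e for e in events
               if e.kind == "address_change"
               and timedelta(0) <= requested_at - e.at <= window]
    if not changes:
        return "ISSUE", "no address change inside the review window"

    # Only checks made at or after the most recent address change count,
    # which also covers paragraph 2 (validation before the card request).
    change = max(changes, key=lambda e: e.at)
    followups = [e for e in events if e.at >= change.at]

    # Assumption of this example: a dispute or a failed assessment keeps the hold.
    if any(e.kind == "cardholder_dispute" for e in followups):
        return "HOLD", "cardholder reported the address change as incorrect"
    if any(e.kind == "program_assessment" and e.result == "invalid" for e in followups):
        return "HOLD", "program assessment found the address change invalid"

    # 1(ii): validity assessed under the issuer's own program.
    if any(e.kind == "program_assessment" and e.result == "valid" for e in followups):
        return "ISSUE", "address change validated under the program"
    # 1(i): notice at the former address or an agreed channel, plus a way to report.
    if any(e.kind == "cardholder_notified" and e.channel in ACCEPTED_CHANNELS
           and e.reporting_means for e in followups):
        return "ISSUE", "cardholder notified with a means to report an incorrect change"
    return "HOLD", "address change not yet validated"


def constructed_scenarios():
    """Constructed sample histories: name -> (events, card request time)."""
    change = Event(datetime(2010, 8, 1), "address_change")
    request = datetime(2010, 8, 10)
    good_notice = Event(datetime(2010, 8, 2), "cardholder_notified",
                        channel="former_address", reporting_means=True)
    return {
        "no_validation": ([change], request),
        "notified_former_address": ([change, good_notice], request),
        "notified_new_address_only": (
            [change, Event(datetime(2010, 8, 2), "cardholder_notified",
                           channel="new_address", reporting_means=True)], request),
        "notice_without_reporting_means": (
            [change, Event(datetime(2010, 8, 2), "cardholder_notified",
                           channel="former_address")], request),
        "program_assessment": (
            [change, Event(datetime(2010, 8, 3), "program_assessment",
                           result="valid")], request),
        "disputed": (
            [change, good_notice,
             Event(datetime(2010, 8, 5), "cardholder_dispute")], request),
        "old_change": ([Event(datetime(2010, 6, 1), "address_change")], request),
    }


def decisions():
    """Decision per constructed scenario."""
    return {name: evaluate_card_request(events, requested_at)[0]
            for name, (events, requested_at) in constructed_scenarios().items()}


if __name__ == "__main__":
    for name, (events, requested_at) in constructed_scenarios().items():
        print(name, *evaluate_card_request(events, requested_at))
```

A notice sent only to the new address stays on hold because that is the address an identity thief would control.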
Friday, August 6, 2010
How to Avoid the Latest ID Theft Scams
The risks for identity theft are everywhere you turn. Your mail, your computer, your credit cards, even your trash: all present opportunities for criminals to gain access to your personal information. To prevent identity theft, you must constantly be aware of the ways criminals gain access to your personal, identifying information.
One place that identity thieves often focus their attention is on your computer. Web sites and emails can put you at risk for identity theft. Learn how to recognize the most common computer-based scams.
Recognize a Phish-y Email
Millions of emails like this one, that are designed to help a criminal steal identities, go out every single day. These are called phishing scams. Follow along with me as I show you how to spot a phishing scam so you'll never fall victim to another one.
It starts with opening the email message. As soon as you open a message, you should begin noticing some things aren't quite right. For example, this message is from a well-known banking institution--Capital One. Most banking institutions today don't send emails requesting that customers click on links or provide information.
Protect Your Computer from Spyware
Spyware is one of the most prevalent methods that identity thieves use to collect the information needed to steal your identity. It’s such a problem that some experts estimate that nearly 80 percent of personal computers are infected with spyware. It’s also a problem that shows few signs of slowing down.
What is Spyware?
Spyware is a pretty common term, as it relates to identity theft. But what exactly is it? The easy answer is any malicious software that collects your personal information. But that answer really is too easy.
A more accurate description of spyware is that it is a group of software applications designed to collect your personal information or change the configuration of your computer without your consent. These applications can be downloaded to your computer by way of an infected file, planted without your knowledge when you visit a web site, or installed along with another software application.
What Does It Do?
Once a piece of spyware has been installed on your computer, it does one of two things: it either sits quietly in the background collecting information like account numbers, usernames, and passwords or it changes the configuration of your computer to allow a hacker access to your machine.
In the first case, the spyware is often called a keylogger – an application that logs every keystroke that you make when you’re using your keyboard. Once downloaded to your computer, keyloggers create a file where all of your keystrokes are stored, then each time you connect to the Internet a copy of that file is sent to a server somewhere else on the Web. Criminals then download that file and extract any valuable information that it might contain.
For example, if there’s a keylogger installed on your computer and you pay your bills online, order products from a Website, and fill out a registration form while you’re online, all of that information will be collected by the keylogger. Then that information is sent to the storage facility where the criminal later grabs it and separates the important stuff – your usernames, account numbers, passwords, date-of-birth, and credit card numbers. That information is then sold to another criminal who uses it for a variety of different illegal activities, including identity theft.
The other use of spyware is to change the configuration of your computer. When criminals use spyware in this manner, the program is installed on your computer and then it changes the configuration of your computer to allow that criminal to gain access to your machine, even if you’re protected by a firewall or other security software. Essentially, it’s like opening a door to your hard drive.
The criminal can then hack into your computer and either access personal information that’s stored on the computer or lock you out of the computer and use it, connected to a group of other hijacked computers (called a botnet), to conduct some other criminal activity online. Criminals may even use your computer to send spyware and other malicious software out to others.
Recognizing Spyware
One of the most difficult aspects of controlling spyware is that sometimes it’s hard to spot. Some spyware distributors have become so adept at disguising their programs that you can be infected and never know it. But more often than not there is at least one symptom of a spyware infection.
Some of the indicators that you may experience if you’ve been infected with spyware include:
Endless pop-up windows that open one right after another as you close them.
You type one Web address into your browser’s address bar but are redirected to another.
New, unexpected toolbars appear in your web browser.
New, unexpected icons appear in the task tray at the bottom of your screen.
Your browser's home page is suddenly changed and each time you try to change it back the effort fails.
Random Windows error messages begin to appear without explanation.
The operations of your computer slow dramatically when you’re opening programs or processing tasks such as saving files.
The only way to know for sure if your computer has been infected with spyware, however, is to scan your hard drive using an anti-spyware application.
Protecting Your Computer
Anti-spyware applications work in much the same way that anti-virus applications work. Once you install the anti-spyware application on your computer, you can set it up to scan your files regularly. There’s just one catch: the anti-spyware program has to be up-to-date to do any good.
Here’s a truth about any malicious software that poses a threat to you: criminals are constantly updating, changing, and improving the software so that it will be undetected by protection programs. An anti-spyware application that’s not up-to-date can miss the most recent threats, leaving you vulnerable.
Anti-spyware applications look for spyware based on a signature – that’s an indicator that it might not be a safe program. However, different anti-spyware programs look for different signatures. So, a piece of spyware that is detected by one program may go undetected by another.
To help combat that, I recommend installing at least two different anti-spyware programs on your computer. Use caution when setting them up, however. Make sure that each program is set to scan your computer at a different time or the programs may conflict with each other.
Spyware represents one of the most dangerous threats to your computer if you spend any time online. Take the time to install and configure anti-spyware applications to protect your computer. Without this protection, it’s not a matter of if you’ll be infected, but when and how much damage will be done.
The New Threat: Spear Phishing
Most people have heard about phishing – the practice of using fraudulent emails to gain access to personal information for the purpose of identity theft. But like any activity, an occasional update in the process is needed. Spear phishing is the new black in identity theft.
The term phishing was coined because of the way that criminals try to gain access to personal information – basically, they cast out a bunch of bait in the form of fraudulent emails, and wait to see who bites. Spear phishing, however, is more targeted.
Just as a fisherman would use a spear to target a single fish, spear phishing targets individuals. Whereas criminals might send a single, mass e-mail to a couple hundred thousand people in a phishing attack, spear phishing attacks are customized and sent to a single person at a time.
The spear phishing email usually contains personal information such as a name or some tidbit about employment. These emails are also unique, rather than the mass “your bank account has been compromised” type of email that is more common in phishing.
For example, one instance of spear phishing targeted corporate executives with personalized emails about a legal case in which the recipient of the message was allegedly being sued. It was a new scam, so it was easy for executives to assume that it was legitimate and click the link provided in the message. And that’s the point at which the spear pierces the target.
How It Works
A spear phishing email usually includes a link that leads to a spoofed, or fake, web site that requests personal information. It all looks very legitimate, and sometimes even the experts are fooled by spear phishing emails. When the recipient of the message clicks through the link they’re taken to a page on the Web that looks so legitimate it can be hard for even seasoned security professionals to tell it’s a setup.
Other spear phishing emails may contain a downloadable file. They’re just as convincing, often appearing to come from an employer or someone else that’s equally legitimate. But the file contains malware of some kind that, once downloaded to your computer, collects your personal information and transmits it to the criminal when you’re online.
Spear phishing is a difficult scam to catch because the criminals that use this method of stealing identities put extra time and effort into the process. It requires research to gain access to enough information to make you believe the spear phishing email is real, plus it takes time to put together the web sites and messages that are used as bait. The pay-off however, is usually much greater than the rewards of a simple phishing attack.
So, how do you protect yourself?
There’s no guarantee that you can protect yourself from a spear phishing attack. The criminals that use this method are intent on gaining access to your identity, and they’re willing to put in the hard work to reach pay-off. And that means that spear phishing emails are very difficult to tell from any other email that might land in your in-box.
There is good news. At this time, spear phishing attacks seem to be limited to corporate targets. Nearly all of the spear phishing complaints that have been investigated have come from corporate employees. That’s no reason to let your guard down, though.
As criminals become more adept at spear phishing attacks, their targeting will widen, and individuals will fall into the target zone. It would not be surprising, however, to find that spear phishing was limited to the upper class and the upper middle class. This group of people typically has more resources available, and that’s ultimately what spear phishers are looking for.
For a criminal to be willing to put forth the effort needed to successfully use a spear phishing campaign, the draw has to be big – far more than the $31,000 average for most identity theft cases. That means that if you don’t fall into that group of people who are in the upper and upper-middle class, your chances of becoming a victim are much smaller.
Of course, all of the standard cautions apply: never open attachments from strangers, never click through a link in an email, and never assume that an email is safe just because you know the address it was sent from. In this day, with identity theft literally running rampant, criminals will use whatever email address they can gain access to.
Also never open an attachment, even from friends, colleagues, or co-workers unless you’re expecting it. An email with an attachment that arrives unexpectedly could certainly contain malware, even if it’s not spear phishing malware. Simply requesting that your friends and co-workers notify you before they send an attachment will reduce your risk of becoming an identity theft victim.
Don’t take any chances; if you receive a message or a phone call that seems out of place, scan it for viruses and keep a close watch on your credit reports. It will be frustrating in the beginning, but it will become a habit, just like locking your doors when you leave. And the damage to your identity that you can save over time will more than make up for the initial inconvenience.
Web Page Spoofing
Web page spoofing is an activity that hackers use to direct Web site visitors to a Web site that looks like the one they believe they are visiting. The actual site, however, is hosted in a different location, usually for the purpose of gathering personal or confidential information that is used in identity theft.
Spoofed Web sites are often used in conjunction with spoofed emails or phishing emails. The messages contain a link to the site, then when a visitor logs onto the site, they are prompted to provide account information, usernames and passwords, or a Social Security Number or date of birth.
A spoofed Web site appears identical to the Web site that is being copied, although it may have a different URL. However, hackers can also disguise the URL, which makes it very hard to distinguish a spoofed site from the real one.
Also Known As: Hoax Web Sites or Hoax Sites
Email Spoofing
Email spoofing is a technique used by hackers to fraudulently send email messages in which the sender address and other parts of the email header are altered to appear as though the email originated from a source other than its actual source. Hackers use this method to disguise the actual email address from which phishing and spam messages are sent and often use email spoofing in conjunction with Web page spoofing to trick users into providing personal and confidential information.
Software is usually used to collect or generate the email addresses that are spoofed. Hackers may create a virus that examines the contact information on an infected computer. That information is collected and sent to the hacker who then uses another piece of software -- a mass email program -- to send out bogus emails using the addresses collected.
Alternatively, hackers may use software that generates random email addresses to use to disguise the actual origin of the message being sent.
Jake's Identity Theft Blog
I've known about the Nigerian Letter Scam for a long time. I think the first time that I received some iteration of that scam was in 1993, not long after I first got Internet service in my home. I don't think anything of the strange letters, emails, and fake checks that come in my mail.
A woman in Alaska recently got a variation of the Nigerian Letter Scam that might have caught me, though. The elaborate scam started as what's common for this type of scam, but it seems the scammers just kept plugging away, hoping they would get to her by claiming at one point to be foreign government officials trying to ease ruffled feathers by making a restitution payment. The scary thing is, this kind of scam is just going to continue to get more elaborate.
Also, here are a few more basics with regard to identity theft:
Sometimes, restaurant workers will use the card and copy the information and bring it back to the table. So, you never know if that info has been lifted.
The ATM cover scam: ID thieves are using a slip-on cover over ATM machines. The cover actually goes over the ATM card insert and records that card info. Sometimes, a bulky camera will be placed over the keypad to record keystrokes on PIN codes that are entered. Later the information can be used to empty the account of available funds.
Medical Info scam: Many times, people (particularly family members) will steal a relative's info to get medical access, especially where surgery is concerned.
CDL scam: This is committed by truckers stealing the licenses of other commercial drivers in order to get out of paying tickets.
Dumpster Diving Dangers
So many ways exist for thieves to grab your identity, it’s hard to believe sometimes that the ‘old-fashioned’ methods are still some of the most popular. For example, your mailbox and your trash are two of the greatest risks to your identity. Mail scams happen all the time.
As the old saying goes, ‘One man’s trash is another man’s treasure.’ And it’s so very true. One of the most notorious cases of identity theft prosecuted was a case of dumpster diving. Dumpster diving is when someone goes looking through other people’s trash for items that can be used or sold.
In most cases, a dumpster diver is looking for items: gently used clothing, knick-knacks, CDs, movies, or anything else that can be recycled, reused, or sold to someone else. People throw away perfectly good stuff all the time. If it’s in the trash and it’s still good, why shouldn’t someone get some use out of it, right?
That’s a great theory, except for one small loophole. People also throw away a lot of paper. In fact, the average individual throws away about 860 lbs of paper a year; paper that’s often printed with personal information like account numbers, dates of birth, and Social Security Numbers.
Identity Theft Waiting to Happen
It’s in trash that Stephen Massey, the leader of one of the most notorious identity theft rings to date, found his niche. Massey, a meth addict and petty criminal, stumbled on the idea of stealing identities for profit while he was dumpster diving to support his meth habit. In a dump, completely unprotected, he came across barrels of recycled paper that included names, birth dates, Social Security Numbers, and addresses. Everything you need to steal an identity.
That was back in the late 90s, and Massey and his partner-in-crime were sentenced to prison in 2000. Massey received a two year prison sentence; his partner received one year. Since then, how corporate paper is handled has changed a little. Legislation like the Identity Theft and Assumption Deterrence Act of 1998 or the Personal Information Protection and Electronic Documents Act have forced some organizations to be more responsible about the storage and disposal of personal information.
Of course, changing the way that corporations handle your information is helpful, but what about the way you handle your own information? Many people don’t even think about the junk mail they toss in the trash, the old bank statements, or even personal correspondence. Every piece of paper that has information about you on it can put you at risk.
Consider pre-approved credit card and mortgage loans, for example. On average, Americans receive four or more of these per week. And most of those people just toss them in the trash. They may not ever even open them up.
Identity thieves can then come behind you, pull the approvals out of the trash along with the birthday card you received from Aunt Tessie, a copy of your bank statement or a credit card statement, and have nearly all of the information they need about you. It really is that simple.
It’s Not Illegal
What surprises most victims of dumpster diving is that the crime isn’t really a crime if the trash is left in a public place. For example, put a bag of trash out on the curb and anyone has the right to pick it up and carry it away. Even public dumpsters, like those found in apartment complexes aren’t off limits.
Dumpster diving becomes a crime when someone steals trash that is considered to be concealed. For example, the trash can that you collect your trash bags in, back by the garage, is considered concealed. Thieves can’t help themselves to that trash without risking theft charges if caught.
Grab and Go Identities
To you, the idea of sifting through someone’s trash sounds simply disgusting. To an identity thief, it’s an ordeal worth going through. On average, a victim is worth about $31,000 to a thief. Some may be worth less, others worth much more. But wouldn’t you be willing to sift through a little trash if you knew you would most likely find about $31,000?
Once a thief has your trash, it’s just a matter of separating your valuable information from everything else. Then the criminal takes that information and uses it to create new accounts, funnel money from existing accounts, and even to take over more personal aspects of your life. It’s much easier to do than you might imagine.
By the time you discover the theft, the damage is done. All that’s left to do is try to undo the damage. And that’s a task that can take as much as two years to accomplish, so it’s much easier to protect yourself from the start.
Protecting Your Identity
It’s scary to realize that everything that you throw away could put you at risk. You can protect yourself, though. And it’s easier than you think.
The best way to ensure that dumpster diving thieves don’t gather enough information about you to steal your identity is to shred every piece of paper that you throw away. Shredding something doesn’t mean tearing it into little pieces. It’s also not wise to use a straight-cut shredder.
Straight-cut shredders cut paper only length-wise. With enough time and patience, a dumpster diver can put the pieces of your document back together, much like putting a puzzle together. Your best protection is a cross-cut shredder. Cross-cut shredders cut both length-wise and width-wise, creating confetti out of your personal information that is too difficult and time consuming for criminals to want to put back together.
Dumpster diving is more a threat than you realize. It’s easy for criminals to get at your personal information if you just throw it away. So protect yourself. Shred everything.
Your Identity’s in the Mail
The U.S. Postal Service handles more than 207 billion pieces of mail each month. That's 207 billion opportunities for identity thieves to obtain information that can be used to steal people's identities. And those criminals take advantage of as many of those opportunities as they can.
In fact, your mailbox is the riskiest non-technological point for identity theft, according to a study released in October 2007. The study, an assessment of closed U.S. Secret Service cases between 2000 and 2006 which had components of identity theft and identity fraud, showed the top two methods of non-technological identity theft were re-routing of mail and mail theft. In other words, your mailbox is a serious threat to your identity.
Where'd My Mail Go?
Re-routing of mail topped the list of non-technology threats for identity theft. The re-routing is usually accomplished by Change of Address. Placing a change of address with the U.S. Postal Service is as easy as filling out a form online or mailing in a card that can be picked up at the post office.
Identity thieves collect addresses. They may drive by your residence, go through the phone book, or collect trash that contains your address. Then requesting a change of address takes just a matter of minutes.
Most post offices make change of address cards available in easy-access displays in customer service areas. And the electronic change of address can be found on the U.S. Postal Service Website. With the electronic method, however, there is a verification procedure required.
The verification process is simple enough, but also tends to make criminals use other methods to change your address. When using the online form, a valid credit card with a billing address that matches the old address must be used for verification. Not a problem if the thief already has access to your credit card account numbers, but otherwise it presents a bit of a tripping point.
Watch Your Mailbox
The two crimes – fraudulently changing addresses and stealing mail – look different from the victim’s point of view. But if you’re paying attention to your mail delivery, both should be easy to spot.
If a criminal fraudulently changes your mailing address, it’s going to be obvious within a few days. A change of address stops mail from being delivered to one location and re-routes it to another location. The first thing you notice is that suddenly you’re not getting any mail at all.
You probably won’t notice it for the first day or two. No mail usually means no bills and no junk, so on those rare days when we don’t receive anything, most of us just accept it as a blessing and move on. If you notice that you’re not getting mail for several days in a row, however, you should be suspicious of a deeper problem.
Exceptions do exist. A few people still have time periods, sometimes days, when they don’t receive any mail at all. If this is you, monitor those time periods so you’ll know what’s normal and what’s not. When you get past a normal length of time without mail, then it’s time to worry.
The issue is a little less obvious when someone is stealing your mail. Mail theft can take place one time or over a period of time. Some criminals steal mail because the opportunity presents itself.
Other criminals target individuals and even businesses, and then steal mail over time. They grab a piece here and there – both incoming and outgoing – until they have all the information they need. Still others create elaborate schemes to steal mail from multiple people over time.
One example of a mail theft scheme was a 2002 case where criminals used stolen Postal uniforms to impersonate mail carriers. Instead of leaving mail for residents, however, the counterfeit carriers were picking mail out of delivery boxes. Eventually, a Postal customer realized she had seen mail delivery twice in one day and reported the incident.
The real issue with mail theft of this type, however, is that you don’t know what mail you’re getting before it arrives (in most cases) so you have no idea what’s missing. That makes it vitally important that you pay attention to your mail delivery schedule, get to know your mail carrier, and even consider not using the mailbox at the street for mail transactions.
Protecting Your Mail and Your Identity
Since your mailbox is your greatest point of threat in the real world, knowing how to protect your mail is your first line of defense. It starts with being attentive. Know your mail carrier, know his schedule, and know normal delivery patterns for the mail that you receive.
In addition, put some safe mail handling practices in place:
Don’t leave mail in your box. Incoming or outgoing mail should never sit in your mailbox for an extended amount of time. For example, when you mail bills out, don’t place them in the mailbox as you leave for work in the morning. Instead, drop them at the Post Office. Also don’t leave mail sitting in your box after delivery.
Use a locking mailbox when possible. If you must leave mail sitting in your box, consider investing in a locking mailbox. These boxes allow Postal carriers to place mail in the box, but only a person with a key can remove it.
Rent a Post Office box. A Post Office box is the safest way to have your mail delivered, and they’re not expensive if you rent one through the Postal Service. If you can’t be around when mail is delivered to your street box, then renting a Post Office box is the best way to protect your mail.
Use electronic payments and banking when possible. Sounds contradictory, doesn’t it? You would think that paying your bills online or using your online banking services would put you at greater risk for identity theft, but nothing could be further from the truth. When you’re conducting financial transactions online – safely – you’re far more protected than when you send checks through the mail that can be stolen, washed, and re-used. If you haven’t set up electronic payments, now is a good time.
Protecting your mail, and your identity, really is just a matter of changing the way you think. It used to be safe to leave your mail in the mailbox all day. But then, it also used to be safe to leave your doors unlocked all the time.
We don’t live in that world anymore. So take some time to think about the mail habits that you have that could put you at risk. Then change them. You’ll have one less point of risk when identity thieves come calling.
Point of Threat: Credit Cards
Identity theft and credit card fraud are not the same crime, though the two are often lumped together as one. Identity theft is much more far-reaching than credit card fraud. When a criminal steals your identity, they may have financial motivation, but you'll suffer more than fraudulent charges on your credit cards.
Identity thieves may change account information, create new accounts, use your identity to commit crimes, and even use your identity to establish a new life. Credit card fraud, on the other hand, is limited to charges on stolen credit card numbers. A criminal gains access to your account number and then uses it to purchase products online or in person and then resells those goods to get the cash.
So, if credit card fraud is not identity theft, why address it? The simple answer is because credit card fraud can be an element of identity theft. It can also lead to identity theft.
Preventing Credit Card Fraud
Credit card fraud is a crime that can often be prevented. For example, something as simple as a signature on the back of your card could prevent the card from being used if it’s been stolen. Even better, put the letters CID (which stands for See ID) on the back of the card. Then when a merchant attempts to verify the signature on the receipt with the card, they’ll request to see your identification.
Everyone is familiar with the basics of protecting your credit card. Don’t loan it out. Don’t leave it lying around. And don’t give the number to someone you don’t know without first verifying they are legitimate.
But there are lesser known strategies for protecting your credit cards and card numbers, too. And these are the strategies that you should know well and use constantly.
Keep your card in sight. Whenever possible, keep your credit card where you can see it. Some places, like restaurants, take your card away and then bring it back after they’ve secured authorization for a transaction. It’s when the card is out of your sight that it’s often swiped through a card reader that stores the information from the magnetic strip for criminals to use to create a duplicate card later.
Ask about multiple swipes. It’s not uncommon when you hand a merchant your card for them to swipe it more than once. Usually, this happens because the card reader doesn’t read the magnetic stripe on the back of the card, but savvy criminals will also use a second swipe as a method to copy the information from the magnetic stripe to a storage device to later be transferred to a duplicate card. If your card is swiped more than one time, always ask why.
Never use your credit card on an unsecured Web site. A secured Web site will have a small lock in the lower right corner of the page, or the status bar for the page. If the lock doesn’t appear there, then the site is not secure. Don’t use your card on an unsecure site, because anyone with a little skill can capture the number and use it for their own purposes.
Never carry multiple cards. If you lose your wallet or purse, you lose everything that’s in it. Another danger here is that someone will go through your wallet or purse when it’s left unattended and steal just one card. Leave any card you won’t be using at home, and try to stick to putting all of your purchases on just one card.
Never give out your credit card number while you’re on your cell phone. Cell phones have become such a large part of our society that we often forget everyone around us can hear our conversations. If you need to provide your credit card number for a purchase while on the cell phone either request to call the company back from your own home, or find a place that’s private (like inside your car, alone) to provide the number.
Consider purchasing pre-paid credit cards for online shopping. Pre-paid credit cards are one of the best ways to protect yourself. You load the card with a set amount and then use it just as you would a regular credit card. The good news is, if the number is stolen or the card is lost, your liability and the amount of damage that’s done is limited by the money that’s available on the card. As an added bonus, there’s no interest on a pre-paid card since technically you’re spending your own money, anyway.
Credit card fraud may not be actual identity theft, but it’s often a step along the way. And even if the criminal that fraudulently charges your card isn’t interested in your identity, the expense and frustration of dealing with credit card fraud is reason enough to protect yourself.
Be smart. Use caution. And always be aware of how your credit card is being handled by someone else.
Data breaches are so common that more than 167 breaches were reported during the first three months of 2008. Unfortunately, you can't prevent a data breach. Sure, you can refuse to give your personal information to some organizations, and at times you should. But sometimes you have no choice but to provide personal information to some companies. So, what do you do if you learn that a company storing your personal information falls victim to a data breach? Use these five steps to protect yourself.
1. Contact the organization that suffered the breach. The organization should have a hot line set up and manned with staffers who can answer your questions about what protection the company plans to provide and to what extent your personal information is at risk.
2. Contact any affected financial companies. If your bank accounts, credit card accounts, or investment accounts are affected, immediately contact the companies and request that the account be closed and a new one opened. Alternatively, you can place a fraud alert on the account, but understand that those alerts won’t be affected by opening new accounts.
3. Monitor your banking and credit statements closely. Check every item on your bank statements and credit card statements to be sure they are legitimate charges and expenditures. If you find something that doesn’t match your receipts, call the company immediately and file a fraudulent charge notification.
4. File a fraud alert with all three credit reporting agencies. The credit reporting agencies – TransUnion, Equifax, and Experian -- are required by law to flag your credit report for 90 days if you file a fraud alert. Then if someone tries to open a new account using your credit information, you should be contacted for verification.
5. Sign up for any free credit report monitoring that’s offered. Because breaches have become so common these days, it’s not uncommon for companies to offer a one year credit monitoring service for free. If the company that compromised your information offers this program, sign up for it immediately and then use it to monitor your credit regularly.
Vishing
Definition:
A technique, much like phishing, that allows criminals to maliciously gain access to your personal information for the purposes of identity theft. Vishing scams use a combination of social engineering and phishing to find victims that can be tricked into providing credit card or personally identifying information. Typically, the criminal sends the victim some kind of notice or leaves a message, requesting that the victim return a call to verify an account or some similar ploy. When the victim returns the call, they are asked to provide account and identifying information under the guise of "updating" the account.
Once the criminal has access to that information, it is used for credit card or banking fraud, or as the first step in a stolen identity. Vishing also allows criminals to spoof caller-id, making a vishing scam hard to detect because everything appears to be legitimate.
Social Engineering
Definition: The practice of deceiving someone, either in person, over the phone, or using a computer, with the express intent of breaching some level of security either personal or professional. Social engineering techniques are considered con games which are performed by con artists. The targets of social engineering may never realize they have been victimized.
Also Known As: Con Games
Examples: Using social engineering techniques, the hacker managed to get the network administrator to provide him the username and password needed to gain access to the company's server.
Excellent sources for these and other topics: http://www.about.com/ & http://www.bankrate.com/. Some of the information is a repost from other sources.
Michael L. Hathman
VP - Smart Solutions Financial Services, LLC
888-605-5181 Toll-Free
http://www.smartsolutionscreditrepair.com/
Info@SmartSolutionsFS.com
One place that identity thieves often focus their attention is on your computer. Web sites and emails can put you at risk for identity theft. Learn how to recognize the most common computer-based scams.
Recognize a Phish-y Email
Millions of emails like this one, that are designed to help a criminal steal identities, go out every single day. These are called phishing scams. Follow along with me as I show you how to spot a phishing scam so you'll never fall victim to another one.
It starts with opening the email message. As soon as you open a message, you should begin noticing some things aren't quite right. For example, this message is from a well-known banking institution--Capital One. Most banking institutions today don't send emails requesting that customers click on links or provide information.
Protect Your Computer from Spyware
Spyware is one of the most prevalent methods that identity thieves use to collect the information needed to steal your identity. It’s such a problem that some experts estimate that nearly 80 percent of personal computers are infected with spyware. It’s also a problem that shows few signs of slowing down.
What is Spyware?
Spyware is a pretty common term, as it relates to identity theft. But what exactly is it? The easy answer is any malicious software that collects your personal information. But that answer really is too easy.
A more accurate description of spyware is that it is a group of software applications designed to collect your personal information or change the configuration of your computer without your consent. These applications can be downloaded to your computer by way of an infected file, planted without your knowledge when you visit a web site, or installed along with another software application.
What Does It Do?
Once a piece of spyware has been installed on your computer, it does one of two things: it either sits quietly in the background collecting information like account numbers, usernames, and passwords or it changes the configuration of your computer to allow a hacker access to your machine.
In the first case, the spyware is often called a keylogger – an application that logs every keystroke that you make when you’re using your keyboard. Once downloaded to your computer, keyloggers create a file where all of your keystrokes are stored, then each time you connect to the Internet a copy of that file is sent to a server somewhere else on the Web. Criminals then download that file and extract any valuable information that it might contain.
For example, if there’s a keylogger installed on your computer and you pay your bills online, order products from a Website, and fill out a registration form while you’re online, all of that information will be collected by the keylogger. Then that information is sent to the storage facility where the criminal later grabs it and separates the important stuff – your usernames, account numbers, passwords, date-of-birth, and credit card numbers. That information is then sold to another criminal who uses it for a variety of different illegal activities, including identity theft.
The other use of spyware is to change the configuration of your computer. When criminals use spyware in this manner, the program is installed on your computer and then it changes the configuration of your computer to allow that criminal to gain access to your machine, even if you’re protected by a firewall or other security software. Essentially, it’s like opening a door to your hard drive.
The criminal can then hack into your computer and either access personal information that’s stored on the computer or lock you out of the computer and use it, connected to a group of other hijacked computers – called a botnet – to conduct some other criminal activity online. Criminals may even use your computer to send spyware and other malicious software out to others.
Recognizing Spyware
One of the most difficult aspects of controlling spyware is that sometimes it’s hard to spot. Some spyware distributors have become so adept at disguising their programs that you can be infected and never know it. But more often than not there is at least one symptom of a spyware infection.
Some of the indicators that you may experience if you’ve been infected with spyware include:
Endless pop-up windows that open one right after another as you close them.
You type one Web address into your browser’s address bar but are redirected to another.
New, unexpected toolbars appear in your web browser.
New, unexpected icons appear in the task tray at the bottom of your screen.
Your browser's home page is suddenly changed and each time you try to change it back the effort fails.
Random Windows error messages begin to appear without explanation.
The operations of your computer slow dramatically when you’re opening programs or processing tasks such as saving files.
The only way to know for sure if your computer has been infected with spyware, however, is to scan your hard drive using an anti-spyware application.
Protecting Your Computer
Anti-spyware applications work in much the same way that anti-virus applications work. Once you install the anti-spyware application on your computer, you can set it up to scan your files regularly. There’s just one catch: the anti-spyware program has to be up-to-date to do any good.
Here’s a truth about any malicious software that poses a threat to you: criminals are constantly updating, changing, and improving the software so that it will be undetected by protection programs. An anti-spyware application that’s not up-to-date can miss the most recent threats, leaving you vulnerable.
Anti-spyware applications look for spyware based on a signature – that’s an indicator that it might not be a safe program. However, different anti-spyware programs look for different signatures. So, a piece of spyware that is detected by one program may go undetected by another.
To help combat that, I recommend installing at least two different anti-spyware programs on your computer. Use caution when setting them up, however. Make sure that each program is set to scan your computer at a different time or the programs may conflict with each other.
Spyware represents one of the most dangerous threats to your computer if you spend any time online. Take the time to install and configure anti-spyware applications to protect your computer. Without this protection, it’s not a matter of if you’ll be infected, but when and how much damage will be done.
The New Threat: Spear Phishing
Most people have heard about phishing – the practice of using fraudulent emails to gain access to personal information for the purpose of identity theft. But like any activity, an occasional update in the process is needed. Spear phishing is the new black in identity theft.
The term phishing was coined because of the way that criminals try to gain access to personal information – basically, they cast out a bunch of bait in the form of fraudulent emails, and wait to see who bites. Spear phishing, however, is more targeted.
Just as a fisherman would use a spear to target a single fish, spear phishing targets individuals. Whereas criminals might send a single, mass e-mail to a couple hundred thousand people in a phishing attack, spear phishing attacks are customized and sent to a single person at a time.
The spear phishing email usually contains personal information such as a name or some tidbit about employment. These emails are also unique, rather than being the mass “your bank account has been compromised” type emails that are more common in phishing.
For example, one instance of spear phishing targeted corporate executives with personalized emails about a legal case in which the recipient of the message was allegedly being sued. It was a new scam, so it was easy for executives to assume that it was legitimate and click the link provided in the message. And that’s the point at which the spear pierces the target.
How It Works
A spear phishing email usually includes a link that leads to a spoofed, or fake, web site that requests personal information. It all looks very legitimate, and sometimes even the experts are fooled by spear phishing emails. When the recipient of the message clicks through the link they’re taken to a page on the Web that looks so legitimate it can be hard for even seasoned security professionals to tell it’s a setup.
Other spear phishing emails may contain a downloadable file. They’re just as convincing, often appearing to come from an employer or someone else that’s equally legitimate. But the file contains malware of some kind that, once downloaded to your computer, collects your personal information and transmits it to the criminal when you’re online.
Spear phishing is a difficult scam to catch because the criminals that use this method of stealing identities put extra time and effort into the process. It requires research to gain access to enough information to make you believe the spear phishing email is real, plus it takes time to put together the web sites and messages that are used as bait. The pay-off, however, is usually much greater than the rewards of a simple phishing attack.
So, how do you protect yourself?
There’s no guarantee that you can protect yourself from a spear phishing attack. The criminals that use this method are intent on gaining access to your identity, and they’re willing to put in the hard work to reach the pay-off. And that means that spear phishing emails are very difficult to tell from any other email that might land in your in-box.
There is good news. At this time, spear phishing attacks seem to be limited to corporate targets. Nearly all of the spear phishing complaints that have been investigated have come from corporate employees. That’s no reason to let your guard down, though.
As criminals become more adept at spear phishing attacks, their targeting will widen, and individuals will fall into the target zone. It would not be surprising, however, to find that spear phishing was limited to the upper class and the upper middle class. This group of people typically has more resources available, and that’s ultimately what spear phishers are looking for.
For a criminal to be willing to put forth the effort needed to successfully use a spear phishing campaign, the draw has to be big – far more than the $31,000 average for most identity theft cases. That means that if you don’t fall into that group of people who are in the upper and upper-middle class, your chances of becoming a victim are much smaller.
Of course, all of the standard cautions apply: never open attachments from strangers, never click through a link in an email, and never assume that an email is safe just because you know the address it was sent from. In this day, with identity theft literally running rampant, criminals will use whatever email address they can gain access to.
Also never open an attachment, even from friends, colleagues, or co-workers unless you’re expecting it. An email with an attachment that arrives unexpectedly could certainly contain malware, even if it’s not spear phishing malware. Simply requesting that your friends and co-workers notify you before they send an attachment will reduce your risk of becoming an identity theft victim.
Don’t take any chances; if you receive a message or a phone call that seems out of place, scan it for viruses and keep a close watch on your credit reports. It will be frustrating in the beginning, but it will become a habit, just like locking your doors when you leave. And the damage to your identity that you can save over time will more than make up for the initial inconvenience.
Web Page Spoofing
Web page spoofing is an activity that hackers use to direct Web site visitors to a Web site that looks like the one they believe they are visiting. The actual site, however, is hosted in a different location, usually for the purpose of gathering personal or confidential information that is used in identity theft.
Spoofed Web sites are often used in conjunction with spoofed emails or phishing emails. The messages contain a link to the site, then when a visitor logs onto the site, they are prompted to provide account information, usernames and passwords, or a Social Security Number or date of birth.
A spoofed Web site appears identical to the Web site that is being copied, although it may have a different URL. However, hackers can also disguise the URL, which makes it very hard to distinguish a spoofed site from the real one.
Also Known As: Hoax Web Sites or Hoax Sites
Email Spoofing
Email spoofing is a technique used by hackers to fraudulently send email messages in which the sender address and other parts of the email header are altered to appear as though the email originated from a source other than its actual source. Hackers use this method to disguise the actual email address from which phishing and spam messages are sent and often use email spoofing in conjunction with Web page spoofing to trick users into providing personal and confidential information.
Software is usually used to collect or generate the email addresses that are spoofed. Hackers may create a virus that examines the contact information on an infected computer. That information is collected and sent to the hacker who then uses another piece of software -- a mass email program -- to send out bogus emails using the addresses collected.
Alternatively, hackers may use software that generates random email addresses to use to disguise the actual origin of the message being sent.
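Because the visible sender is just a header the sending software fills in, the useful check is to compare it with the other headers a message carries. The following is an added example, not part of the original post: it parses a raw message and reports mismatches between the From address, the Return-Path, the Reply-To, and the SPF/DKIM/DMARC verdicts recorded by the receiving server. Both sample messages, their domains and the function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not real mail): the visible sender claims bank.example,
# but the message was sent through and replies go to unrelated domains.
SAMPLE_SPOOFED = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=mailer.example.net; dkim=none; dmarc=fail header.from=bank.example
From: "Bank Security" <alerts@bank.example>
Reply-To: <support@bank-help.example.org>
To: <customer@recipient.example>
Subject: Your account has been compromised

Please verify your account.
"""

# Constructed sample of a message whose headers all agree.
SAMPLE_CLEAN = """\
Return-Path: <alerts@bank.example>
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=bank.example; dkim=pass header.d=bank.example; dmarc=pass header.from=bank.example
From: "Bank" <alerts@bank.example>
To: <customer@recipient.example>
Subject: Your monthly statement

Your statement is ready.
"""


def domain_of(header_value):
    """Return the lower-cased domain of the address in a header, or None."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else None


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers.

    Only headers added by your own receiving server are trustworthy; a sender
    can insert a forged copy, so real tooling must check the reporting host.
    """
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for clause in header.split(";")[1:]:  # first field names the reporting host
            method, _, rest = clause.strip().partition("=")
            if method in ("spf", "dkim", "dmarc") and rest:
                verdicts[method] = rest.split()[0].lower()
    return verdicts


def spoofing_indicators(raw_message):
    """Return a list of header findings that suggest a forged sender."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg["From"])
    findings = []
    # Bounce address and reply address should normally belong to the sender.
    for header in ("Return-Path", "Reply-To"):
        other = domain_of(msg[header])
        if other and other != from_dom:
            findings.append(
                f"{header.lower()} domain {other} != From domain {from_dom}"
            )
    # SPF alone can pass for the spoofer's own domain; DMARC ties the result
    # back to the visible From address.
    verdicts = auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        verdict = verdicts.get(method, "missing")
        if verdict != "pass":
            findings.append(f"{method}={verdict}")
    return findings


if __name__ == "__main__":
    for name, raw in (("spoofed", SAMPLE_SPOOFED), ("clean", SAMPLE_CLEAN)):
        print(name, spoofing_indicators(raw))
```

These are indicators rather than proof: legitimate bulk mail often uses a different Return-Path domain, so a single finding calls for a closer look, not automatic rejection.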
Jake's Identity Theft Blog
I've known about the Nigerian Letter Scam for a long time. I think the first time that I received some iteration of that scam was in 1993, not long after I first got Internet service in my home. I don't think anything of the strange letters, emails, and fake checks that come in my mail.
A woman in Alaska recently got a variation of the Nigerian Letter Scam that might have caught me, though. The elaborate scam started as what's common for this type of scam, but it seems the scammers just kept plugging away, hoping they would get to her by claiming at one point to be foreign government officials trying to ease ruffled feathers by making a restitution payment. The scary thing is, this kind of scam is just going to continue to get more elaborate.
Also, here are another few basics with regard to identity theft:
Sometimes, restaurant workers will use the card and copy the information and bring it back to the table. So, you never know if that info has been lifted.
The ATM cover scam: ID thieves are using an ATM slip over ATM machines. The cover actually goes over the ATM card insert and records that card info. Sometimes, a bulky camera will be placed over the keypad to record keystrokes on PIN codes that are entered. Later the information can be used to empty the account of available funds.
Medical Info scam: Many times, people (particularly family members) will steal a relative's info to get medical access, especially where surgery is concerned.
CDL scam: This is committed by truckers stealing the licenses of other commercial drivers in order to get out of paying tickets.
Dumpster Diving Dangers
So many ways exist for thieves to grab your identity, it’s hard to believe sometimes that the ‘old-fashioned’ methods are still some of the most popular. For example, your mailbox and your trash are two of the greatest risks to your identity. Mail scams happen all the time.
As the old saying goes, ’One man’s trash is another man’s treasure.’ And it’s so very true. One of the most notorious cases of identity theft prosecuted was a case of dumpster diving. Dumpster diving is when someone goes looking through other people’s trash for items that can be used or sold.
In most cases, a dumpster diver is looking for items: gently used clothing, knick-knacks, CDs, movies, or anything else that can be recycled, reused, or sold to someone else. People throw away perfectly good stuff all the time. If it’s in the trash and it’s still good, why shouldn’t someone get some use out of it, right?
That’s a great theory, except for one small loophole. People also throw away a lot of paper. In fact, the average individual throws away about 860 lbs of paper a year; paper that’s often printed with personal information like account numbers, dates of birth, and Social Security Numbers.
Identity Theft Waiting to Happen
It’s in trash that Stephen Massey, the leader of one of the most notorious identity theft rings to date, found his niche. Massey, a meth addict and petty criminal, stumbled on the idea of stealing identities for profit while he was dumpster diving to support his meth habit. In a dump, completely unprotected, he came across barrels of recycled paper that included names, birth dates, Social Security Numbers, and addresses. Everything you need to steal an identity.
That was back in the late 90s, and Massey and his partner-in-crime were sentenced to prison in 2000. Massey received a two year prison sentence; his partner received one year. Since then, how corporate paper is handled has changed a little. Legislation like the Identity Theft and Assumption Deterrence Act of 1998 or the Personal Information Protection and Electronic Documents Act have forced some organizations to be more responsible about the storage and disposal of personal information.
Of course, changing the way that corporations handle your information is helpful, but what about the way you handle your own information? Many people don’t even think about the junk mail they toss in the trash, the old bank statements, or even personal correspondence. Every piece of paper that has information about you on it can put you at risk.
Consider pre-approved credit card and mortgage loans, for example. On average, Americans receive four or more of these per week. And most of those people just toss them in the trash. They may not ever even open them up.
Identity thieves can then come behind you, pull the approvals out of the trash along with the birthday card you received from Aunt Tessie, a copy of your bank statement or a credit card statement, and have nearly all of the information they need about you. It really is that simple.
It’s Not Illegal
What surprises most victims of dumpster diving is that the crime isn’t really a crime if the trash is left in a public place. For example, put a bag of trash out on the curb and anyone has the right to pick it up and carry it away. Even public dumpsters, like those found in apartment complexes aren’t off limits.
Dumpster diving becomes a crime when someone steals trash that is considered to be concealed. For example, the trash can that you collect your trash bags in, back by the garage, is considered concealed. Thieves can’t help themselves to that trash without risking theft charges if caught.
Grab and Go Identities
To you, the idea of sifting through someone’s trash sounds simply disgusting. To an identity thief, it’s an ordeal worth going through. On average, a victim is worth about $31,000 to a thief. Some may be worth less, others worth much more. But wouldn’t you be willing to sift through a little trash if you knew you would most likely find about $31,000?
Once a thief has your trash, it’s just a matter of separating your valuable information from everything else. Then the criminal takes that information and uses it to create new accounts, funnel money from existing accounts, and even to take over more personal aspects of your life. It’s much easier to do than you might imagine.
By the time you discover the theft, the damage is done. All that’s left to do is try to undo the damage. And that’s a task that can take as much as two years to accomplish, so it’s much easier to protect yourself from the start.
Protecting Your Identity
It’s scary to realize that everything that you throw away could put you at risk. You can protect yourself, though. And it’s easier than you think.
The best way to ensure that dumpster diving thieves don’t gather enough information about you to steal your identity is to shred every piece of paper that you throw away. Shredding something doesn’t mean tearing it into little pieces. It’s also not wise to use a straight-cut shredder.
Straight-cut shredders cut paper only length-wise. With enough time and patience, a dumpster diver can put the pieces of your document back together, much like putting a puzzle together. Your best protection is a cross-cut shredder. Cross-cut shredders cut both length-wise and width-wise, creating confetti out of your personal information that is too difficult and time consuming for criminals to want to put it back together.
Dumpster diving is more of a threat than you realize. It’s easy for criminals to get at your personal information if you just throw it away. So protect yourself. Shred everything.
Your Identity’s In the Mail
The U.S. Postal Service handles more than 207 billion pieces of mail each month. That's 207 billion opportunities for identity thieves to obtain information that can be used to steal people's identities. And those criminals take advantage of as many of those opportunities as they can.
In fact, your mailbox is the riskiest non-technological point for identity theft, according to a study released in October 2007. The study, an assessment of closed U.S. Secret Service cases between 2000 and 2006 which had components of identity theft and identity fraud, showed the top two methods of non-technological identity theft were re-routing of mail and mail theft. In other words, your mailbox is a serious threat to your identity.
Where'd My Mail Go?
Re-routing of mail topped the list of non-technology threats for identity theft. The re-routing is usually accomplished by Change of Address. Placing a change of address with the U.S. Postal Service is as easy as filling out a form online or mailing in a card that can be picked up at the post office.
Identity thieves collect addresses. They may drive by your residence, go through the phone book, or collect trash that contains your address. Then requesting a change of address takes just a matter of minutes.
Most post offices make change of address cards available in easy-access displays in customer service areas. And the electronic change of address can be found on the U.S. Postal Service Website. With the electronic method, however, there is a verification procedure required.
The verification process is simple enough, but also tends to make criminals use other methods to change your address. When using the online form, a valid credit card with a billing address that matches the old address must be used for verification. Not a problem if the thief already has access to your credit card account numbers, but otherwise it presents a bit of a tripping point.
Watch Your Mailbox
The two crimes – fraudulently changing addresses and stealing mail – look different from the victim’s point of view. But if you’re paying attention to your mail delivery, both should be easy to spot.
If a criminal fraudulently changes your mailing address, it’s going to be obvious within a few days. A change of address stops mail from being delivered to one location and re-routes it to another location. The first thing you notice is that suddenly you’re not getting any mail at all.
You probably won’t notice it for the first day or two. No mail usually means no bills and no junk, so on those rare days when we don’t receive anything, most of us just accept it as a blessing and move on. If you notice that you’re not getting mail for several days in a row, however, you should be suspicious of a deeper problem.
Exceptions do exist. A few people still have time periods, sometimes days, when they don’t receive any mail at all. If this is you, monitor those time periods so you’ll know what’s normal and what’s not. When you get past a normal length of time without mail, then it’s time to worry.
The issue is a little less obvious when someone is stealing your mail. Mail theft can take place one time or over a period of time. Some criminals steal mail because the opportunity presents itself.
Other criminals target individuals and even businesses, and then steal mail over time. They grab a piece here and there – both incoming and outgoing – until they have all the information they need. Still others create elaborate schemes to steal mail from multiple people over time.
One example of a mail theft scheme was a 2002 case where criminals used stolen Postal uniforms to impersonate mail carriers. Instead of leaving mail for residents, however, the counterfeit carriers were picking mail out of delivery boxes. Eventually, a Postal customer realized she had seen mail delivery twice in one day and reported the incident.
The real issue with mail theft of this type, however, is that you don’t know what mail you’re getting before it arrives (in most cases) so you have no idea what’s missing. That makes it vitally important that you pay attention to your mail delivery schedule, get to know your mail carrier, and even consider not using the mailbox at the street for mail transactions.
Protecting Your Mail and Your Identity
Since your mailbox is your greatest point of threat in the real world, knowing how to protect your mail is your first line of defense. It starts with being attentive. Know your mail carrier, know his schedule, and know normal delivery patterns for the mail that you receive.
In addition, put some safe mail handling practices in place:
Don’t leave mail in your box. Incoming or outgoing mail should never sit in your mailbox for an extended amount of time. For example, when you mail bills out, don’t place them in the mailbox as you leave for work in the morning. Instead, drop them at the Post Office. Also don’t leave mail sitting in your box after delivery.
Use a locking mailbox when possible. If you must leave mail sitting in your box, consider investing in a locking mailbox. These boxes allow Postal carriers to place mail in the box, but only a person with a key can remove it.
Rent a Post Office box. A Post Office box is the safest way to have your mail delivered, and they’re not expensive if you rent one through the Postal Service. If you can’t be around when mail is delivered to your street box, then renting a Post Office box is the best way to protect your mail.
Use electronic payments and banking when possible. Sounds contradictory, doesn’t it? You would think that paying your bills online or using your online banking services would put you at greater risk for identity theft, but nothing could be further from the truth. When you’re conducting financial transactions online – safely – you’re far more protected than when you send checks through the mail that can be stolen, washed, and re-used. If you haven’t set up electronic payments, now is a good time.
Protecting your mail, and your identity, really is just a matter of changing the way you think. It used to be safe to leave your mail in the mailbox all day. But then, it also used to be safe to leave your doors unlocked all the time.
We don’t live in that world anymore. So take some time to think about the mail habits that you have that could put you at risk. Then change them. You’ll have one less point of risk when identity thieves come calling.
Point of Threat: Credit Cards
Identity theft and credit card fraud are not the same crime, though the two are often lumped together as one. Identity theft is much more far-reaching than credit card fraud. When a criminal steals your identity, they may have financial motivation, but you'll suffer more than fraudulent charges on your credit cards.
Identity thieves may change account information, create new accounts, use your identity to commit crimes, and even use your identity to establish a new life. Credit card fraud, on the other hand, is limited to charges on stolen credit card numbers. A criminal gains access to your account number and then uses it to purchase products online or in person and then resells those goods to get the cash.
So, if credit card fraud is not identity theft, why address it? The simple answer is because credit card fraud can be an element of identity theft. It can also lead to identity theft.
Preventing Credit Card Fraud
Credit card fraud is a crime that can often be prevented. For example, something as simple as a signature on the back of your card could prevent the card from being used if it’s been stolen. Even better, put the letters CID (which stands for See ID) on the back of the card. Then when a merchant attempts to verify the signature on the receipt with the card, they’ll request to see your identification.
Everyone is familiar with the basics of protecting your credit card. Don’t loan it out. Don’t leave it lying around. And don’t give the number to someone you don’t know without first verifying they are legitimate.
But there are lesser known strategies for protecting your credit cards and card numbers, too. And these are the strategies that you should know well and use constantly.
Keep your card in sight. Whenever possible, keep your credit card where you can see it. Some places, like restaurants, take your card away and then bring it back after they’ve secured authorization for a transaction. It’s when the card is out of your sight that it’s often swiped through a card reader that stores the information from the magnetic strip for criminals to use to create a duplicate card later.
Ask about multiple swipes. It’s not uncommon when you hand a merchant your card for them to swipe it more than once. Usually, this happens because the card reader doesn’t read the magnetic stripe on the back of the card, but savvy criminals will also use a second swipe as a method to copy the information from the magnetic stripe to a storage device to later be transferred to a duplicate card. If your card is swiped more than one time, always ask why.
Never use your credit card on an unsecured Web site. A secured Web site will have a small lock in the lower right corner of the page, or the status bar for the page. If the lock doesn’t appear there, then the site is not secure. Don’t use your card on an unsecure site, because anyone with a little skill can capture the number and use it for their own purposes.
Never carry multiple cards. If you lose your wallet or purse, you lose everything that’s in it. Another danger here is that someone will go through your wallet or purse when it’s left unattended and steal just one card. Leave any card you won’t be using at home, and try to stick to putting all of your purchases on just one card.
Never give out your credit card number while you’re on your cell phone. Cell phones have become such a large part of our society that we often forget everyone around us can hear our conversations. If you need to provide your credit card number for a purchase while on the cell phone either request to call the company back from your own home, or find a place that’s private (like inside your car, alone) to provide the number.
Consider purchasing pre-paid credit cards for online shopping. Pre-paid credit cards are one of the best ways to protect yourself. You load the card with a set amount and then use it just as you would a regular credit card. The good news is, if the number is stolen or the card is lost, your liability and the amount of damage that’s done is limited by the money that’s available on the card. As an added bonus, there’s no interest on a pre-paid card since technically you’re spending your own money, anyway.
Credit card fraud may not be actual identity theft, but it’s often a step along the way. And even if the criminal that fraudulently charges your card isn’t interested in your identity, the expense and frustration of dealing with credit card fraud is reason enough to protect yourself.
Be smart. Use caution. And always be aware of how your credit card is being handled by someone else.
Data breaches are so common that more than 167 breaches were reported during the first three months of 2008. Unfortunately, you can't prevent a data breach. Sure, you can refuse to give your personal information to some organizations, and at times you should. But sometimes you have no choice but to provide personal information to some companies. So, what do you do if you learn that a company storing your personal information falls victim to a data breach? Use these five steps to protect yourself.
1. Contact the organization that suffered the breach. The organization should have a hot line set up and manned with staffers who can answer your questions about what protection the company plans to provide and to what extent your personal information is at risk.
2. Contact any affected financial companies. If your bank accounts, credit card accounts, or investment accounts are affected, immediately contact the companies and request that the account be closed and a new one opened. Alternatively, you can place a fraud alert on the account, but understand that those alerts won’t be affected by opening new accounts.
3. Monitor your banking and credit statements closely. Check every item on your bank statements and credit card statements to be sure they are legitimate charges and expenditures. If you find something that doesn’t match your receipts, call the company immediately and file a fraudulent charge notification.
4. File a fraud alert with all three credit reporting agencies. The credit reporting agencies – TransUnion, Equifax, and Experian – are required by law to flag your credit report for 90 days if you file a fraud alert. Then if someone tries to open a new account using your credit information, you should be contacted for verification.
5. Sign up for any free credit report monitoring that’s offered. Because breaches have become so common these days, it’s not uncommon for companies to offer a one year credit monitoring service for free. If the company that compromised your information offers this program, sign up for it immediately and then use it to monitor your credit regularly.
Vishing
Definition:
A technique, much like phishing, that allows criminals to maliciously gain access to your personal information for the purposes of identity theft. Vishing scams use a combination of social engineering and phishing to find victims that can be tricked into providing credit card or personally identifying information. Typically, the criminal sends the victim some kind of notice or leaves a message, requesting that the victim return a call to verify an account or some similar ploy. When the victim returns the call, they are asked to provide account and identifying information under the guise of "updating" the account.
Once the criminal has access to that information, it is used for credit card or banking fraud, or as the first step in a stolen identity. Vishing also allows criminals to spoof caller-id, making a vishing scam hard to detect because everything appears to be legitimate.
Social Engineering
Definition: The practice of deceiving someone, either in person, over the phone, or using a computer, with the express intent of breaching some level of security either personal or professional. Social engineering techniques are considered con games which are performed by con artists. The targets of social engineering may never realize they have been victimized.
Also Known As: Con Games
Examples: Using social engineering techniques, the hacker managed to get the network administrator to provide him the username and password needed to gain access to the company's server.
Excellent sources for these and other topics: http://www.about.com/ & http://www.bankrate.com/. Some of the information is a repost from other sources.
Michael L. Hathman
VP - Smart Solutions Financial Services, LLC
888-605-5181 Toll-Free
http://www.smartsolutionscreditrepair.com/
Info@SmartSolutionsFS.com