Resource Center

Scams: Vaccine Scams

Mar 12, 2022 in Resource Center | Comments Off on Scams: Vaccine Scams

With the rollout of COVID-19 vaccines, you know that scammers and their dirty tricks won’t be far behind. As with many scams, the bad guys are after both your money and your personal information. Along with claiming to sell early access to vaccines and saying that you are required to get a COVID test or antibodies test before getting a vaccine, scammers are offering unproven treatments and “cures” for the virus. All of this for a price, of course.

According to the Federal Bureau of Investigation (FBI) some indications that you may be dealing with a scam include:

  • Advertisements or offers for early access to a vaccine upon payment of a deposit or fee
    Requests asking you to pay out of pocket to obtain the vaccine or to put your name on a COVID-19 vaccine waiting list
  • Suggestions of additional medical testing or procedures (for a fee or in exchange for Medicare or insurance information) when obtaining a vaccine
  • Marketers offering to sell and/or ship doses of a vaccine, domestically or internationally, in exchange for payment
  • Unsolicited emails, telephone calls, or personal contact from someone claiming to be from a medical office, insurance company, or COVID-19 vaccine center requesting personal and/or medical information to determine eligibility to participate in clinical vaccine trials or obtain the vaccine
  • Unverified claims of FDA approval for a vaccine
  • Advertisements for vaccines through social media platforms, email, telephone calls, online, or from unsolicited/unknown sources
  • Individuals contacting you in person, by phone, or by email telling you that the government requires you to receive a COVID-19 vaccine

The Department of Health and Human Services suggests you remember the following to keep yourself and your family safe from COVID-related scams:

  • You will not be asked for money to enhance your ranking for vaccine eligibility. Government and State officials will not call you to obtain personal information in order to receive the vaccine, and you will not be solicited door to door to receive the vaccine.
  • Medicare beneficiaries should be wary of unsolicited requests for their personal, medical, and financial information. Medicare will not call to offer COVID-19 related products, services, or benefits.
  • Do not trust unexpected callers or visitors offering COVID-19 tests or supplies. If you receive a suspicious call, hang up immediately.
  • Do not respond to, or click links in, emails or text messages about COVID-19 from unknown individuals.
  • Ignore offers or advertisements for COVID-19 testing or treatments on social media sites. If you make an appointment for a COVID-19 test online, make sure you are dealing with an official testing site.
  • Do not give your personal or financial information to anyone claiming to offer HHS grants related to COVID-19.
  • Be aware of scammers pretending to be COVID-19 contact tracers. Know that legitimate contact tracers will never ask for your Medicare number or financial information. They will not attempt to set up a COVID-19 test for you and collect payment information for the test.
  • If you suspect COVID-19 health care fraud, report it immediately online or call 800-HHS-TIPS (800-447-8477).

Privacy: Should Passwords Be Complicated? Or Just Long?

Feb 13, 2022 in Resource Center | Comments Off on Privacy: Should Passwords Be Complicated? Or Just Long?

You know the routine: you set up a new account and you are asked for a password. The password you choose must be suitably complex or you can let the site choose a password for you, full of numbers and special characters and impossible to remember.

What if you were to use a series of unrelated words instead of a password such as “%wT65g17&”? The Federal Bureau of Investigation (FBI) thinks that could be a better choice. They recommend combining multiple words into a long string of at least 15 characters.

For example, the site says that the passphrase “embassy praising expire owl” would take hackers 34,084,573 centuries to crack, as opposed to seconds or milliseconds for most commonly used types of passwords (e.g., 18 milliseconds to crack “december”). The site features a password generator that will generate a four-, five- or twelve-random word password, and tell you how long it would take to crack.

Why do they think this approach would work? You might picture a hacker as a guy in a hoodie, hunched over a keyboard entering password attempt after password attempt; but in reality, the bad guys actually use scripts that quickly run through massive numbers of passwords. According to the site, the method for cracking passwords might look something like this:

The hackers start with a bunch of wordlists. The top 10 million passwords is one. Also, lists of all English words, all names, dates, and so on. In less than one second, 30% of all passwords will be cracked.
The next step is to try all of the words again with common substitutions: capitalizing the first letter (december → December), making common letter-for-number swaps (december → d3cemb3r), and other common variations.
After that, they start combining the previous wordlists. Name + date (doug3251983). Name + [separator] + date (doug.3251983).

If all else fails, the final step is a brute force attack, i.e., try every combination of characters. Try a, then b, then c … eventually aa, ab, ac … eventually 6j2b#hi8, 6j2b#hi9, 6j2b#hi0, et cetera.
As the online comic strip xkcd says, “Through 20 years of effort we’ve successfully trained everyone to use passwords that are hard for humans to remember but easy for computers to guess.”

Of course, some sites will not let you use a password that doesn’t include capital letters, numbers and/or special characters. In that case, your best bet is probably to use a password manager. Password managers will generate secure passwords as needed and store all of your passwords for you so that you can use them across devices. Many people find this to be the easiest solution.

However, if you need to generate a password that, for whatever reason, you need to remember, you would be wise to follow the advice of the FBI and create passphrases of about four words and at least 15 characters. “mambo tango mister denim” would take 2,303,286 centuries to crack. That seems pretty secure to me!

Crimeware: Phishing Scheme Gives Bad Guys Access to Your Cloud Data

Jan 13, 2022 in Resource Center | Comments Off on Crimeware: Phishing Scheme Gives Bad Guys Access to Your Cloud Data

As online users become more sophisticated, hackers are becoming more sophisticated as well. Early phishing attacks relied on users clicking links without paying attention to where the links took them. For example, a hacker would create a page that looked just like the PayPal login page, but it was actually a fake page used by the bad guys to capture log in information from people who believed they were signing into their PayPal accounts.

Today, there are new twists to the old phishing scams. The usual tipoff in a phishing scam is that the user is sent to a domain impersonating the real one. It might be instead of, for example. In one recent scam, however, users who clicked on a malicious link to were taken to Microsoft’s actual login page. The catch is that there is code appended to the link that tells Microsoft to forward an authentication token to officesuited[.]com, a site controlled by the hackers. The user is then sent to a page that grants permissions to access the user’s email, contacts, files, mailboxes, and more. This same approach could be used with other cloud providers. In fact, Gmail was targeted by a similar tactic in 2017.

Why would users grant these permissions? If they do not know there is a malicious actor involved, users may not be concerned. We have been conditioned to click and agree when presented with options. According to Michael Tyler of, “We can look at the reason phishing is still around and it’s because people are making decisions they shouldn’t be making or shouldn’t be able to make. Even employees who are trained on security are trained to make sure it’s a legitimate site before entering their credentials. Well, in this attack the site is legitimate and at that point their guard is down. I look at this and think, would I be more likely to type my password into a box or more likely to click a button that says ‘okay’?”

Because the login happens at Microsoft’s website, two-factor authentication would not protect users. And once access has been given to this malicious app, even changing the password would not prohibit the hackers’ access.
Microsoft provides instructions for rescinding illicit consent grants, but the best way for users to avoid this issue is to carefully review the entire URL when installing apps and granting permissions. Look for links to unfamiliar sites and odd URLs. System administrators can block users from installing any apps or limit them to apps from the official Microsoft store.

Legal Matters: Fraud Reports from the FTC and the FBI

Dec 23, 2021 in Resource Center | Comments Off on Legal Matters: Fraud Reports from the FTC and the FBI

On June 15, 2021, the FBI’s Internet Crime Complaint Center (IC3) released its 2020 Elder Fraud Report. According to the report, IC3 received a total of 791,790 complaints in 2020, with reported losses exceeding $4.1 billion. About 28% of the total fraud losses were sustained by victims over the age of 60, and seniors suffered approximately $1 billion in losses. This represents an increase of about $300 million in losses in 2020 over what was reported by victims over 60 in 2019.
The FBI Elder Fraud Report also said the “average victim over 60 lost nearly $9,200 and that nearly 2,000 senior victims lost more than $100,000 each.” The largest increase came in tech-support scams, which exceeded $116 million in 2020 from less than $38.5 million in 2019. According to the Federal Trade Commission, younger people reported losing money to fraud more often than older people (44% of victims were aged 20 – 29 vs 20% aged 70 – 79); however, when people aged 70+ suffered a loss the median loss was much higher ($635 for ages 70 – 79 and $1300 for ages 80+, vs $324 for ages 20 – 29).

The FBI reports that the most common types of identity theft and fraud scams encountered by individuals 60 years of age and over included:

  • Tech support scam: Criminals access victims’ devices by posing as support representatives offering to repair issues. 
  • Romance scam: Bad guys approach victims on online dating sites and form relationships to extract money.
  • Investment fraud: Promises of high returns on investments are offered online or at in person events.
  • Grandparent scam: Criminals pretend to be a family member in distress needing immediate funds.
  • Government impersonation scam: Criminals pose as government employees and threaten to arrest or prosecute victims unless they agree to provide payments.
  • Sweepstakes/charity/lottery scam: The bad guys claim to represent charities and solicit donations. Or they claim that the victim has won a prize and needs to pay a fee to collect their winnings.
  • Home repair scam: Criminals charge homeowners in advance for home improvement services that they never provide.
    TV/radio scam: Hearing it on the radio or TV doesn’t make it legitimate. Crooks may advertise to find victims.
  • Family/caregiver scam: The people closest to the victim may be the ones who steal from them, including relatives or caregivers.

Know how to protect yourself, and let family members know that they can protect themselves by: (1) learning to recognize common scams; (2) resisting pressure to act quickly, as scammers create a sense of urgency to avoid letting victims have time to think or get more information; (3) being wary of unsolicited phone calls, mailings, and door-to-door service offers; (4) protecting your identity by never sharing your personally identifiable information (PII); and (5) making sure your computer anti-virus, security software and malware protections are up to date.

PRIVACY: Should You Unsubscribe From Spam Texts and Emails – Or Not?

Dec 15, 2021 in Resource Center | Comments Off on PRIVACY: Should You Unsubscribe From Spam Texts and Emails – Or Not?

How many emails do you receive in a typical day? If you are like most people, the answer is probably, “Too many!” Some are emails you want, others you no longer find useful and some are just plain spam. Obviously, the ones you want to receive are not a problem, but what can you do about the others?

First let’s define what “spam” is. Spamhaus defines it this way, “Spam is an issue about consent, not content. Whether the Unsolicited Bulk Email (“UBE”) message is an advert, a scam, porn, a begging letter or an offer of a free lunch, the content is irrelevant – if the message was sent unsolicited and in bulk then the message is spam.”

That means that if you subscribed to an email newsletter or agreed to receive sale notices from an online retailer those messages are not spam, even if they are no longer of interest to you. If you are receiving such emails from reputable organizations and want them to stop, clicking the unsubscribe link is the way to go. You should not, however, mark these emails as spam. Depending on your email service, marking legitimate emails as spam may affect how the email service treats them and people who want to receive them may find the messages directed to their spam box instead of their inbox.

So what about the stuff you didn’t ask for and do not want in your inbox? You can’t stop spam. Anyone who has your email address can send email to you. And blocking an email sender seldom works as the spammers use lots of random email addresses to send their junk to you.

Unsubscribing is not a good idea in these cases, as all this does is confirm to the spammers that they are sending to a valid address. They will send more spam or even sell your email address as a live address.

Although you can’t stop spam, you can manage it. Spam filters are an important tool in keeping spam out of your inbox and relegating it to the junk or spam folder, where it belongs. Most email platforms use some kind of spam filtering, but none of them are perfect. You will have the occasional spam message slip through or even some false positives, where messages that are not spam get sent to the spam folder.

You can train your spam filters and improve the results by marking messages that are improperly filtered.

The best thing to do is take steps to keep your email address from falling into the hands of spammers in the first place:

  • Do not post your email address publicly on websites, social media or other places.
  • Do not respond to spam by unsubscribing or clicking on a link in the email.
  • Disable images on email going to your spam folder. (When the image is accessed, it is like clicking on a link in an email and lets the spammers know they have a live one.)
  • Do not give your email address to just anyone. When dealing with a new company, use a “throw-away” email address.

Of course, another source spammers use to harvest email addresses are those emails your Aunt Bea sends of cute kitten pictures that she cc’s to everyone on the planet. You can ask Aunt Bea not to do that, but chances are she is going to keep right on sending them anyway. So, have a throw-away email for Aunt Bea to use, too.

Gift Cards Are Still a Favorite of Scammers

Mar 4, 2021 in Resource Center | Comments Off on Gift Cards Are Still a Favorite of Scammers

Your friends and family members may love receiving gift cards, but scammers love them, too. Gift cards are the preferred currency for many criminals as they can easily be converted to cash. And, once the scammers have the numbers off the cards, it is unlikely that you will be able to recover your money.
There are many scams where the bad guys will ask for payment via a gift card. They include: imposters claiming to be from the IRS or a utility company, “tech support” asking ask you to pay to repair your computer, callers claiming to be family members needing cash for an emergency, someone buying something from you who sends a check for more than the purchase price and asks for a refund of the difference by gift card and many more. (Spoiler alert: The ones who overpay by check sent a worthless check.) The nature of these scams can vary, but there is one universal truth: If someone is asking you to pay with a gift card of some kind, it is a sure sign of a scam.
One scam that is popular right now involves a scammer pretending to be representing a religious leader. The scammer asks people to send gift cards for a good cause and will often use the name of a local pastor or other known religious leader.
The scammers act fast to drain the gift cards as soon as they can, but if you act quickly after realizing you have been scammed you may be able to recover at least some of your money. Immediately call the company that issued the gift card (you can find contact information for many of the gift cards most popular with scammers, here) to report the fraud.
Even if you are cautious and believe that you and your family members are unlikely to fall for this type of fraud it is important to stay vigilant as scammers use sophisticated persuasion techniques to try to separate you from your money. Educate yourself, your parents and other family members that government agencies and others will never ask for payment by gift card.

CRIMEWARE: Cybersecurity While Working from Home

Dec 9, 2020 in Resource Center | Comments Off on CRIMEWARE: Cybersecurity While Working from Home

More employees than ever are working from home, and 85% of Chief Information Security Officers (CISOs) said that they had to sacrifice cybersecurity to quickly enable them to do so. Cybersecurity vendor Netwrix announced this and other findings from a June 2020 survey conducted to determine how organizations are responding to the work-from-home changes brought by the pandemic. Other findings include:

  • 25% reported suffering a ransomware or other malware attack during the first three months of the pandemic; 47% were able to spot it in minutes.
  • Though only 14% of organizations encountered data theft by employees, 66% are anxious about this scenario, compared to just over half pre-pandemic.
  • 63% reported an increase in the frequency of cyberattacks and 60% found new security gaps as a result of the move to remote work.
  • The most common threats experienced since the transition to remote work share a human factor: phishing (48%), administrative mistakes (27%) and improper data sharing (26%).

“Many companies were caught unprepared when cities and states issued mandatory stay-at-home rules,” said Barbara Rembiesa, president and CEO of the International Association of IT Asset Managers (IAITAM). “Now, the rubber is going to meet the road when those companies, which are struggling not to be crippled by COVID-19, try to keep the cash flowing by having employees at home call or email for credit card information, print out invoices on untracked home computers, and send them out on personal Wi-Fi networks.”

A study by cybersecurity firm Tessian found that 52% of employees cut corners and engage in riskier online behavior when working remotely. Distractions and pressure to get their work done quickly are affecting how people work.

At a minimum, employees working from home should observe these eight best practices for working remotely:

  • Avoid public Wi-Fi. If you must connect from a public location, use personal hotspots or a VPN.
  • Keep work data on work devices. It is unlikely that your personal devices have the same levels of security as those maintained by your company IT department. By using your personal devices on your company’s network, you may be putting the integrity of the company network at risk.
  • When working near others, block the sight lines so they cannot see your screen. A few bits of information captured while looking over your shoulder may be all a bad guy needs to hack into your personal or business accounts.
  • Encrypt sensitive information in emails and on your device. Encryption keeps unauthorized persons from intercepting and reading your data.
  • Lock your doors. Part of data security is keeping your devices physically secure to prevent theft.
  • Never leave your devices or laptop in your car. That includes the trunk. Thieves can quickly strike if you step away.
  • Don’t use unknown thumb drives. Hackers are known to drop thumb drives near companies they are trying to attack, knowing that some employees will pick up the malware-loaded drives and use them, giving the hacker access to the company’s data.
  • Use a USB data blocker when charging your device at a public charging station. It is best not to use a public charging station but, if you must, use a data blocker to prevent possible theft of your data or installation of malware on your device.

Working from home due to COVID-19 presents both risk and opportunity for employers and employees. It is likely that we will see new technologies develop that will minimize risks while taking advantage of the opportunities. In the meantime, following smart security protocols will go a long way toward maintaining your organization’s security.


May 5, 2020 in Resource Center | Comments Off on SCAMS: COVID-19 Scams

Every newsworthy event becomes a hook for scammers who want to get our money or our personal information, and scammers have eagerly taken advantage of the confusion, concern and even panic surrounding the Coronavirus (COVID-19) pandemic. The scams being put forth are similar to past frauds, but with a Coronavirus spin.

Scammers may approach potential victims via telephone, text or email, or even in person. The specifics of the scams are unique to the pandemic, but underneath the Coronavirus sheep’s clothing the scams themselves are the same wolves we have seen for many years.

Some of the most common COVID-19 scams include:

  • Telephone scams telling Medicare recipients they qualify for testing and asking for their Social
    Security Number and other personal information
  • Scammers asking for donations to fake charities
  • Scams related to potential government payments to businesses and consumers

The Identity Theft Resource Center offers these tips to avoid common COVID-19 scams:

  • Go to the source. If you are unsure if something is legitimate, go directly to the company or agency that would be responsible.  Do not rely on the contact information in the communication you received.
  • An email or phone call asking for a Social Security number, driver’s license number, credit card number or bank account information is probably from a scammer.
  • Social media messages claiming to be from the government for anything regarding COVID-19 are likely scams. Report it to the social media platform and block the sender. The government does not contact individuals through social media.
  • COVID-19 phone scams are running rampant, promoting everything from COVID-19 testing to government benefits to bogus “cures” for the virus. Don’t answer calls from unfamiliar numbers and do not return calls from voicemails unless you are certain of the caller’s identity. If you are not certain if a call is legitimate, look up the actual number for the alleged caller and call them back.

Keep your wits about you and review these tips as needed to help ensure you do not fall prey to the latest iterations of scams.

MyIDMatters Content for Issue 43, Q1 2020

Mar 23, 2020 in Resource Center | Comments Off on MyIDMatters Content for Issue 43, Q1 2020

View document here.

MyIDMatters Content for Issue 39, Q1 2019

May 17, 2019 in Resource Center | Comments Off on MyIDMatters Content for Issue 39, Q1 2019

View document here.