A Fight Identity Theft visitor forwarded this email to us today and it was so creative I just had to post it here.
The email supposedly comes from Robert Mueller - the current head of the U.S. Federal Bureau of Investigations. Not only was it sent by the FBI, the scammers try to get you to believe it's been vetted by the Anti-Terrorist and International Fraud Division. Unbelievable.
What they're really after is the fee they want you to pay in order to collect your $850,000 - that's why they call this an "advanced-fee fraud." The fee is sent by money order which makes it very difficult to trace and impossible to recover. Here's the money paragraph:
This letter will serve as proof that the Federal Bureau Of Investigation is authorizing you to pay the required $239.99 ONLY to your claims agent via the information in which she shall send to you upon your request, if you do not receive your winning prize of $850,000.00 US Dollars we shall be held responsible for the loss and this shall invite a penalty of $3,000 which will be made PAYABLE ONLY by you (The Winner).
The $239.99 will likely only be the start of the fraud. They'll continue to ask for more money in order to deliver the $850,000. No matter how much you pay, the money will never end up in your bank account.
From: robertmul@fbi.gov.us
Subject: E-mail From The FBI..
Date: Wed, 2 Dec 2009 13:53:50 -0500
Anti-Terrorist and International Fraud Division
Federal Bureau Of Investigation.
Seattle, Washington 98101-2904
Telephone/Fax Number: +1(206) 426-2866
Attn: Beneficiary
This is to Officially inform you that it has come to our notice and we have thoroughly completed an Investigation with the help of our Intelligence Monitoring Network System that you legally won the sum of $850,000.00 US Dollars from a Lottery Company in the United Kingdom. During our investigation we discovered that your e-mail won the money from an Online Balloting System and we have authorized this winning to be authentic and paid to you via a Certified Cashier's Check.
Normally, it will take up to 10 business days for an International Check to be cashed by your local bank. We have successfully come to an agreement with this company on your behalf that funds are to be drawn from a registered bank within the United States Of America so as to enable you cash the check instantly without any delay, henceforth the stated amount of $850,000.00 US Dollars has been deposited with Bank Of America.
We have completed this investigation and you are hereby approved to receive the winning prize as we have verified the entire transaction to be Legitimate, Safe and 100% risk free of scams and frauds of any nature, due to the fact that the funds have been deposited at Bank Of America you will be required to settle the following bills directly to the lottery claims agent in-charge of this transaction whom is located at the liaison office of the Lottery Company in Seattle-Washington. According to our discoveries, you are required to pay for the following:
(1) Deposit Fee's (Fee's paid by the lottery company for the deposit into an American Bank which is - Bank of America)
(2) Cashier's Check Conversion Fee (Fee for converting the Wire Transfer payment into a Certified Cashier's Check)
(3) Shipping Fee's (This is the charge for shipping the Cashier's Check to your nominated destination)
The total amount for everything is $239.99 (Two Hundred & Thirty Nine United States Dollars & Ninety Nine Cents). We have tried our possible best to indicate that this $239.99 should be deducted from your winning prize but the funds have already been deposited at The Bank of America and cannot be accessed by anyone apart from you the winner. Therefore you will be required to pay the needed funds to your lotto claims Agent in-charge of this transaction via Western Union Money Transfer Or Money Gram. The payment will NOT reflect at the Bank of America with the given transaction code(EA2948-910) until you have covered the processing fees needed.
In order to proceed with this transaction, Click Here to contact your claims agent Mrs. Louise Major. You will be required to call her for verbal verification and e-mail her with the following informations:
FULL NAME:
FULL MAILING ADDRESS(INCLUDING CITY/STATE/ZIPCODE):
AGE/SEX/OCCUPATION:
CONTACT PHONE NUMBERS(CELL & HOME):
You will also be required to request Western Union details on how to send the required $239.99 in order to immediately ship your prize of $850,000.00 US Dollars via Certified Cashier's Check drawn from The Bank of America, Also include the following transaction code in order for her to immediately identify this transaction : EA2948-910.
This letter will serve as proof that the Federal Bureau Of Investigation is authorizing you to pay the required $239.99 ONLY to your claims agent via the information in which she shall send to you upon your request, if you do not receive your winning prize of $850,000.00 US Dollars we shall be held responsible for the loss and this shall invite a penalty of $3,000 which will be made PAYABLE ONLY by you (The Winner).
Signed:
Robert Mueller
Federal Bureau Of Investigation
NOTE: In order to ensure your check gets delivered to you ASAP, you are advised to immediately contact Mrs. Louise Major via contact information provided above and make the required payment of $239.99 to information in which she will provide you.
__________________________________________________________________________________________________________
The information contained in this email message is legally privileged and confidential information intended solely for the use of the intended recipient(s). If you are not the intended recipient(s), any distribution, dissemination, or reproduction of this email message is strictly prohibited.
Medicare receives 4.4 million claims a day and approximately 1 out of 10 of those are fraudulent. All of the fraudulent claims add up to a large sum of wasted time and money and the government is trying to put a stop to it. The Department of Justice (DOJ) and the Health and Human Services (HHS) Office of the Inspector General have been working together to reduce fraudulent activity.
In 2008, the DOJ and HHS and the Centers for Medicare and Medicaid Services worked together through the criminal and civil systems to secure 588 criminal convictions, obtain 337 civil administrative actions against individuals and organizations who were committing Medicare Fraud, and recovered more than a billion dollars in health care fraud monies . . . To date in fiscal year 2009, the Department of Justice has already recovered nearly a billion dollars in health care fraud monies and recorded 300 convictions.
In addition to catching Medicare thieves the DOJ and HHS want to enable seniors to participate in the fight. They want to raise awareness about the kinds of fraud that are happening and give seniors the tools they need to deter, detect and defend!
Here are a few examples of how Medicare is scammed out of billions of dollars a year.
Medicare recipients need to keep themselves safe.
Learn to recognize common schemes. A few common fraud schemes are:
It's critical that Medicare recipients check their statement summary sheets and look for:
If you see any of these problems make a phone call to your provider or Medicare to get it resolved. It could just be a clerical error or it could be a fraudulent act that needs to be reported.
To some the task above may seem very overwhelming. The DOJ and HHS understand that seniors want to protect themselves but may not have the knowledge to do so. For this reason Senior Medicare Patrols (SMP's) were created. SMP's are groups or seniors, formed in communities, that help other senior citizens learn how to combat Medicare Fraud. They bring awareness to seniors in the community, teach seniors how to read and understand their Medicare summary statements and offer support.
Medical identity theft and Medicare fraud are a huge problem that the government cannot tackle on its own. While they do their part it's important for senior citizens to do their part to protect themselves from medical identity theft and be on the watch for Medicare fraud.
More detailed information is available in the Fight Back! Medical Identity Theft and Medicare Fraud brochure [5] put out by the HHS.
More information is available at Stop Medicare Fraud's website [6].
So you received a data breach notification in the mail… no big deal, right? Not according to Javelin Strategy & Research’s latest report [9]. In fact, Javelin’s latest research reveals you are four times more likely to suffer identity fraud if you’ve received a data breach notification within the past year.
The average fraud victim will spend 30 hours and $496 out-of-pocket costs to restore their affairs, merchants and financial providers will spend billions to protect systems and brands, and law enforcement will work hard to chase the bad guys.
Many states around the country are enacting laws requiring entities that have experienced data security breaches to notify affected individuals whose personal information may be at risk. However, there seems to be a disconnect between breach notifications and consumer awareness of the risk they bring.
It might be a good idea considering the Identity Theft Resource Center [10] has already tracked 356 data breaches so far this year. Forty-six of those breaches have involved financial institutions, and when they or their third-party service providers are breached, it’s nasty.
Take for example the Heartland Payment Systems [11] breach earlier this year. The result of this breach was a staggering compromise of 130 million credit and debit cards. Now that’s a lot of Visa cards…yikes!
There is very little we can do to avoid data breaches, however there are steps that we can take to better prepare ourselves for the next time that breach notification shows up in the mailbox:
Lastly, remember the words of the orator, Robert Green Ingersoll when he said:
“It is a thousand times better to have common sense without education than to have education without common sense.”
Ben Bernanke is a victim of identity theft. This is proof positive that it can happen to anyone.
Ben Bernanke - the Federal Reserve Board chairman - was one of hundreds of victims of an elaborate identity-fraud ring, headed by a convicted scam artist known as "Big Head," that stole more than $2.1 million from unsuspecting consumers and at least 10 financial institutions around the country.
On August 7, 2008, Anna Bernanke - Ben Bernanke's wife - was at a Starbucks when her purse was stolen off the back of her chair.
It's not good...
So the thieves had Mrs. Bernanke's SSN, Date of Birth (from the Driver's License), home address, and home phone (from the checks). This is the perfect combination of personal data.
It goes without saying that you should never carry your Social Security card in your purse or wallet. It should be tucked away in a very safe place at home or in a bank lock box. You should also limit the number of credit cards you carry. Just think of how many banks you'd like to call and/or fraudulent transactions you want to deal with and limit your cards accordingly.
The thieves were part of a crime ring called "The Cannon to the Wiz." Here is the entry from the Urban Dictionary [17] for "cannon":
Cannon - Old school term for a skilled pickpocket. "
These thieves were after personal information as well as checks and credit cards. They worked in government or medical offices or were simple pickpockets or mail thieves. They attended major sporting events in order to target victims with wallets and purses full of loot. One such victim was Donna Pendergast - an assistant Michigan Attorney General. Her experience went like this:
The robber was so adroit he managed to lift the wallet from her purse without her even knowing it. "They took it right out of my purse while it was on my shoulder," she said. "I didn't feel a thing."
Yes and no.
Federal agents busted the identity theft ring this summer, but George Lee Reid - the one who fraudulently used the Bernanke's checks to steal $9,000 - had the charges dropped against him, but the Feds are now searching for him again on related charges.
More information on this story from Newsweek [18].
From a recent UC Berkeley report:
More than half of the internet’s top web sites use a little known capability of Adobe’s Flash plug-in to track users and store information about them, but only four of them mention the so-called Flash Cookies in their privacy policies.
Under the direction of Chris Hoofnagle of the Information Privacy Programs at the Berkeley Center for Law and Technology, the researchers discovered that most web users aren’t familiar with Flash cookies and that Flash web cookies can’t be controlled through the cookie privacy controls in a browser. Even more interesting was the use of Flash cookies to ‘re-spawn’ or bring back to life traditional browser cookies that had been deleted on customer computers. In the study even several federal government web sites were found to contain Flash cookie ID information. The federal government has a policy of banning the use of traditional browser cookies.
What’s all the fuss about? Internet web sites often attach browser ‘cookies’—small strings of identifying text and numbers—to your computer to help them keep track of you and your preferences when you visit their sites. In theory this is a useful connection between you and the web sites you visit. For instance, an online book vendor could store your customer preferences information to better help you find what you want and make it easier to make your purchases.
However, like many useful, good things on the web, browser cookies have turned out to be an avenue for identity thieves to find us and our personal information. A cookie that no one knows about and that is not controllable through our web browsers, and can be used to re-spawn traditional browser cookies—could be a useful avenue for identity thieves indeed.
Removing Current Site Cookies
Turns out, Adobe has a Settings Manager on its site where you can control how Flash cookies are stored along with other things. If you right-click on a piece of Flash code in your browser you can select "Settings" and get to this special place. Or you can just click our handy link: Adobe Website Storage Settings Panel [21].
What you should be seeing is something like this:
Here you can see which cookies have been written to your computer along with the ability to DELETE all of them. That's something I would strongly consider. Remember, however, that there are some benefits with these cookies. If you frequent sites that use this technology (and many do) you will be deleting some of your settings with those sites and you may have to re-enter text each time you visit.
There is risk/reward with every choice you make in life...
Even if you decide to push the Delete all Sites button, you still have some work left.
Stopping New Sites from Writing Cookies
Even if you deleted the cookies that have already been written to your computer, you'll need to keep new cookies from being written as well. Luckily, Adobe has created a way to do that:
Adobe Global Storage Settings Panel [22]
If everything goes according to plan, you should be seeing something that looks like this:
Here you can tell Flash not to store any cookies in the future. Just drag the slider over to "None" and select "Never Ask Again." That's it!
Here are some other tools if you want 3rd party help with managing or controlling Flash cookies:
Windows:
Mac OS X:
You can always go to the directory where the cookies are stored and remove them manually. It's not a permanent solution - new cookies will get created in the future - but it works.
Windows:
LSO files are stored typically with a “.SOL” extension, within each user’s Application Data directory, under Macromedia\FlashPlayer\#SharedObjects.
Mac OS X:
For Web sites, ~/Library/Preferences/Macromedia/FlashPlayer. For AIR Applications, ~/Library/Preferences/[package name (ID)of your app] and ~/Library/Preferences/Macromedia/FlashPlayer/macromedia.com/Support/flashplayer/sys
GNU-Linux:
LSO files are stored in ~/.macromedia.
Now you know about the mysterious and curiously difficult to remove Flash cookies. They are pervasive - even on government web sites [26] - and won't be going away anytime soon.
Please post any follow-up questions or concerns below...
When Barack Obama famously refused to relinquish his treasured BlackBerry, he became the first president in American history to use email while in office. He will also be the first to have to worry about personal internet security.
The president's new BlackBerry is a special modified variation with top-notch encryption features—further details are not being shared with the media. Vice President Joe Biden and other key officials have also been given this most limited of limited edition devices.
But famed hacker Kevin Mitnick says that despite its special security features, no BlackBerry is impossible to compromise. In an interview with Fox News, Mitnick said "It's a long shot, but it's possible. You'd probably need to be pretty sophisticated, but there's people out there who are."
According to Mitnick, who is credited with hacking Motorola, Nokia, Sun Microsystems, FBI, and Pentagon networks (among many others,) the best course of action for a hacker would probably be to infiltrate the personal computer of somebody close to Obama. Then, the hacker would have to use that person's identity to divert Obama to a compromised website that would upload malicious code onto the BlackBerry.
That's precisely why the president's security team is keeping his email address such a closely guarded secret [29]. Obama will also have to frequently change his email address.
Who exactly has this address is unknown, but the number is believed to be considerably less than 50, with Biden, advisers David Axelrod and Valerie Jarrett, press secretary Robert Gibbs, and chief of staff Rahm Emanuel almost certainly at the top of the list. Beyond that, one can only guess: top supporter Oprah Winfrey, secretary of state Hillary Clinton, celebrity email buddy Scarlet Johanson, DNC chair Tim Kaine? One can only speculate.
If any of our readers are on the list, please let us know so we can send him our suggestions on the economy...
Did that get your attention? Scammers are hoping it will.
An ongoing strategy of scammers is to send out spam emails with shocking or titillating subject lines. They've decided the recent nomination of Barack Obama is a perfect topic and Symantec has reported [32] that emails are showing up that read something like this:
Subject: Breaking news
Barack Obama refused to be the president of the United States of America [33]
Yours Sincerely,
Cecily Lynn
Subject: What is going on with our country?
Obama has gone [33]
Yours faithfully,
Rodney Lynch
The link in the actual emails (we're not linking to anything in the examples above) point to the following site:
The site instantly attempts to bypass any browser security and install malware on your computer. If that fails, any link on the site will download and install malware software. The software is called W32.Waledac. Here's what it does, as described from the Symantec web site:
Rest assured that we detect this piece of malicious software under the name W32.Waledac. This particular piece of malware is capable, among other things, of:
- harvesting sensitive information on your computer
- turning your machine into a spam zombie
- establishing a back door on your computer that will allow it to be remotely accessed
Resist the Impulse to Click - scammers will try to provoke an emotional response in order to keep us from thinking about what we're doing. When you see an email like this, think for a moment if it's even reasonable. Ask why someone would send an email like this. What's the point?
Keep Your Software Up to Date - we've recently talked about keeping your Windows systems updated [34]. The same goes for browsers, email clients, or anti-virus software. If you're software is up-to-date, you're more likely to avoid being hurt by scams like this.
By the way, Obama certainly didn't refuse to be president. I watched the inauguration myself and my thoughts and prayers are with him. Whatever your political affiliation or citizenship, we should all hope and work for his success.
Whether you're a business traveler touching base with the home office or a vacationer catching up on some last-minute Christmas shopping during holiday travel, airport wireless networks are a welcome distraction during a layover.
But beware...
According to a recent article in Forbes [37], anyone who logs on using an airport wireless connection is instantly exposed to data and identity theft.
Forbes interviewed a so-called "white-hat hacker," working for AirTight Networks (which makes wireless security software and hardware,) and found that during AirTight's survey of 20 American airports, agents had identified serious security flaws in nearly every network. Some airports even allowed critical baggage handling and ticketing data to pass through their network unencrypted---a potential security risk in more than just the digital sense.
The purpose of the tests was to alert airports to the problem in the hopes that they would choose to hire AirTight as their security provider, but in the short term, let it stand as a warning to travelers: You are nowhere near as safe logging in at an airport hub as you are even at home. Even shopping malls and many universities provide more network protection to their users, and since there are currently no laws on the books that require airports to try any harder, don't expect any of this to change overnight.
Here's a quote from Forbes on how bad things are:They found rampant phony Wi-Fi hot spots created by phishers and, at several large airports, plenty of open or insecure networks run by critical operations such as baggage handling and ticketing. Almost all public networks allowed data such as user names and passwords to pass through the air unencrypted. Only 3% of people used something more secure.
Most security experts would recommend these four steps to relative safety on public wireless networks like those found in airports:
These steps won't guarantee you 100 percent safety, but it's a good start if you decide that uploading those Christmas photos to Flickr can't wait until tomorrow.
This video from Forbes provides more details on what you should watch out for:
Thanks to our friends at Kroll Fraud Solutions [40], we have some excellent 2008 tax season tips for avoiding identity theft:
The U.S. economy may not be the only beneficiary of the recently passed federal economic stimulus package – identity thieves are getting a boost, too. Why? In the wake of the recent IRS announcement that more than 130 million Americans will receive tax rebates this year, identity thieves are using the promise of extra cash to lure Americans into disclosing their sensitive personal information.
These “phishing” schemes can take a variety of forms, the most common of which involves an identity thief who calls or e-mails a consumer pretending to be an IRS employee. The consumer is promised a sizable rebate if they file their taxes early. All the caller needs in exchange is the consumer’s bank account number to deposit the check.
The bad news is that schemes like the one described above are common; the good news is that falling victim to one is avoidable – as long as consumers get smart on the facts and follow the proper precautions.
Below ID theft expert Brian Lapidus, chief operating officer of Kroll’s Fraud Solutions, offers some important advice that every consumer should know about protecting their personal information during tax season. At Kroll, Lapidus oversees a highly-skilled team that includes veteran licensed investigators who meet regularly with IRS agents to stay apprised of emergent tax fraud issues – bolstering the team’s specialized work supporting breach victims and restoring individuals' compromised identities to pre-theft status.
The BBC is reporting that 25 million Britains were exposed to the threat of identity theft when the HM Revenue & Customs (similar to the IRS in the U.S.) lost a CD containing personal data.
Ouch!
This has to be one of the worst data breaches ever, since the CD was not encrypted (just password protected) and the data included:
In case you're not familiar with that last item, it's similar to the Social Security Number here in the U.S. What else could a potential thief want?
The CD with the data was sent to another HMRC location by a lower level employee via regular mail instead of using an encrypted network connection or some other secure method. The CD never showed up at the other office and officials are now trying to determine if it was stolen or just lost.
"The data lost - bank account numbers, names and addresses - represents a gold mine for the thieves and is much more valuable to them than credit card numbers or taxpayer id numbers," said Gartner analyst Avivah Litan.
"In fact, in the black market, bank account numbers sell for the highest price, or between $30 and $400 (£15 to £200), which is significantly more than the fifty cents to five dollars that criminals pay for credit cards."
This disaster has already forced the resignation of HMRC's chairman - Paul Gray. I'm guessing the employee involved was also "sacked," as the Brits like to put it. Let's hope so.
More coverage on the BBC site - Q&A: Child Benefit Records Lost [46] | Analysis: How Worried Should You Be? [47]
Links:
[1] http://www.fightidentitytheft.com/blog/fbi-says-youve-won-lottery
[2] http://www.fightidentitytheft.com/blog/fbi-says-youve-won-lottery#comments
[3] http://www.fightidentitytheft.com/blog/medicare-fraud
[4] http://www.smpresource.org
[5] http://www.stopmedicarefraud.gov/fightback_brochure_rev.pdf
[6] http://www.stopmedicarefraud.gov/index.html
[7] http://www.fightidentitytheft.com/blog/medicare-fraud#comments
[8] http://www.fightidentitytheft.com/blog/data-breach-danger-study-shows-it’s-real
[9] http://www.javelinstrategy.com/2009/10/27/between-paranoia-and-compacency-educating-consumers-on-data-breaches-and-fraud-risk/
[10] http://www.idtheftcenter.org/artman2/publish/lib_survey/ITRC_2008_Breach_List.shtml
[11] http://www.bankinfosecurity.com/articles.php?art_id=1200
[12] http://www.fightidentitytheft.com/credit-monitoring.html
[13] http://www.fightidentitytheft.com/credit-freeze-laws.html
[14] http://www.fightidentitytheft.com/blog/identity-theft/protect-your-privacy-by-becoming-a-privacy-grouch
[15] http://www.fightidentitytheft.com/blog/data-breach-danger-study-shows-it’s-real#comments
[16] http://www.fightidentitytheft.com/blog/ben-bernanke-identity-theft-victim
[17] http://www.urbandictionary.com/
[18] http://www.newsweek.com/id/213696
[19] http://www.fightidentitytheft.com/blog/ben-bernanke-identity-theft-victim#comments
[20] http://www.fightidentitytheft.com/blog/new-breed-super-cookie-defies-removal-almost
[21] http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager07.html
[22] http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager03.html
[23] https://addons.mozilla.org/en-US/firefox/addon/6623
[24] http://www.ccleaner.com
[25] http://machacks.tv/2009/01/27/flushapp-flash-cookie-removal-tool-for-os-x/
[26] http://www.securecomputing.net.au/News/152723,top-websites-using-flash-cookies-to-track-user-behavior.aspx
[27] http://www.fightidentitytheft.com/blog/new-breed-super-cookie-defies-removal-almost#comments
[28] http://www.fightidentitytheft.com/blog/obamas-blackberry-security-strategy
[29] http://www.nytimes.com/2009/02/01/us/politics/01obama.html
[30] http://www.fightidentitytheft.com/blog/obamas-blackberry-security-strategy#comments
[31] http://www.fightidentitytheft.com/blog/breaking-news-obama-refuses-be-president
[32] https://forums.symantec.com/t5/blogs/blogarticlepage/blog-id/spam/article-id/136
[33] http://www.fightidentitytheft.com/categories/Government
[34] http://www.fightidentitytheft.com/blog/latest-worm-infects-9-million-pcs
[35] http://www.fightidentitytheft.com/blog/breaking-news-obama-refuses-be-president#comments
[36] http://www.fightidentitytheft.com/blog/airport-wireless-network-not-as-safe-as-you-think
[37] http://www.forbes.com/forbes/2008/1208/052.html
[38] http://www.fightidentitytheft.com/blog/airport-wireless-network-not-as-safe-as-you-think#comments
[39] http://www.fightidentitytheft.com/blog/-2/keep-identity-thieves-at-bay-during-the-2008-tax-season
[40] http://www.krollfraudsolutions.com
[41] http://www.antiphishing.org/index.html
[42] http://www.irs.gov/individuals/article/0,,id=106778,00.html
[43] http://www.irs.gov/publications/p552/ar02.html#d0e617
[44] http://www.fightidentitytheft.com/blog/-2/keep-identity-thieves-at-bay-during-the-2008-tax-season#comments
[45] http://www.fightidentitytheft.com/blog/identity-theft/25-million-brits-exposed-to-identity-theft
[46] http://news.bbc.co.uk/2/hi/uk_news/politics/7103828.stm
[47] http://news.bbc.co.uk/2/hi/business/7103940.stm
[48] http://www.fightidentitytheft.com/blog/identity-theft/25-million-brits-exposed-to-identity-theft#comments
[49] http://www.fightidentitytheft.com/blog/categories/Government?page=1
[50] http://www.fightidentitytheft.com/blog/categories/Government?page=2