A Consumer Action News Alert • April 2020
www.consumer-action.org
   
 
SCAM GRAM is Consumer Action's monthly e-newsletter alerting you to the dirtiest players in the world of tech fraud, credit card scams, ID theft and general con-artistry. Don't be fooled by liars, cheats and crooks; wise up with SCAM GRAM!

NOTE TO READERS: Please add takeaction@consumer-action.org to your email contacts list, or drag us to your "primary" inbox/folder, so that you can continue to read SCAM GRAM (otherwise, your email service may think we're spam!).
 
  Telework terror  
  As if juggling a tyrannical toddler while attempting to fill out a time sheet weren't difficult enough, working from home during the pandemic has gotten even harder as opportunistic criminals look for weak spots in your virtual setup. Seeking a remote position? You're at risk there, too: Crooks are "recruiting" loads of applicants in light of recent layoffs. The Federal Bureau of Investigation's (FBI) Internet Crime Complaint Center (IC3) emphasizes the maliciousness of the situation, stating: "Malicious cyber actors are looking for ways to exploit telework software vulnerabilities in order to obtain sensitive information, eavesdrop on conference calls or virtual meetings, or conduct other malicious activities." (When the FBI uses the word "malicious" six times in one alert, it's time to take note!) Sadly, scammers are hacking into home routers, using popular video conferencing software like Zoom to gain access to data, and baiting those looking for employment with fake websites that feature convincing content pulled from real sites. The con artists behind the bogus job boards "hire" everyone who applies for the virtual positions listed, typically task them with meaningless odd jobs, and then ask that the new recruits process a donation from "someone who wants to help fight the Coronavirus outbreak" (or something similar). This "donation" is actually stolen from another one of the scammer's victims--if you fall for the con, you're operating as a money mule (or "drop," as the scammers call you) to launder the criminal's "earnings" so that law enforcement can't track them. So what can be done about all the telework terror? If you're already a remote employee, check out the Federal Trade Commission's (FTC) guide to "Online security tips for working from home." Looking for a job now? Any offers to pay your "salary" via digital currencies (Bitcoin, etc.)--and any asks that you spend money to make it--should set off alarm bells!  
  Tried and true  
  COVID-19 scams are "everywhere right now"--so much so that in the last month, not one, but two members of our staff were featured in major media outlets (TIME and Forbes) alerting the public to the threats. And while it's hard to keep track of all the awfulness, some types of scams are tried and true--and, therefore, more prevalent, even during these unusual times. Which is why we're highlighting them in the press, in our new coronavirus resource guide, and, of course, right here in SCAM GRAM. Without further ado, when it comes to COVID-19 cons, robocalls, their cousin robotexts, and good old-fashioned phishing emails have consistently risen above the rabble. As we pointed out in Forbes, the calls and texts were "already a huge and growing problem prior to the coronavirus." The thing making them particularly dangerous now is that scammers are spoofing very important phone numbers and leaving voicemails, knowing that people are inclined to call back for fear of missing out on critical COVID info. Your phone might literally tell you that the Centers for Disease Control or your local health department called. Criminals are also becoming more sophisticated at mimicking government parties--and even companies, like Costco--in what are known as phishing attempts. Don't "bite" by clicking on a website link in an email or text that looks like it comes from a legit source, or by downloading an attachment that appears benign (but operates in the background to siphon data off your device). According to the FTC, consumers have already lost millions to these types of "viral" scams! So how do you not become a statistic? "I'd tell people to assume every unsolicited effort to reach you or sell you something should be viewed with extreme skepticism," Consumer Action's Linda Sherry said in TIME. "People should vet the offer by hanging up the phone, deleting the emails and then reaching out to the entity independently if indeed it is a firm you do business with. The best response to scammers is no response at all." This "no response" approach is especially useful if they threaten to "infect your whole family with coronavirus." (Yes, this happened.)  
  Leave 'em hanging!  
 
Check yourself. Everyone's looking forward to getting their "stimulus" check, but, according to the IRS, that's not really what it's called, and if someone calls you referring to it in this manner, it's probably an indicator that they're a scammer. (Hey, that rhymes!) As the IRS points out, "The official term is economic impact payment," and legit government officials should know this. They're also not going to call you asking for a cut, offering to help you get your payment faster, or requiring "verification" of any sort. The payments will be delivered via direct deposit to those who provided their bank account info when filing their 2018 and/or 2019 taxes. If you are expecting a paper check (because you did not set up direct deposit when filing your taxes), just know that it won't be written for an odd amount (with cents). Didn't file taxes or just confused about what category you fall in? Click here for more info. For updated information on "economic impact" checks (get it right!), you can check back here--whatever you do, don't consult with con men!
 
Ace this test. A Kentucky government official is really upset over a "self-proclaimed medical marketing company" that "set up makeshift testing sites outside various churches in Louisville with workers dressed head to toe in hazmat gear." He's so upset that the local newspaper had to "[expletive]" out his quote! The part we can repeat? He rightfully calls the group "the scum of the earth" and points out that what they're doing--charging $200 for fake tests while taking pics of victims' Medicaid cards and collecting their financial info (not to mention their actual DNA!)--is "really Medicaid fraud." We don't doubt it, but caution that you're more likely to get a text or call from a huckster claiming to be with the government and offering one of these bogus tests than you are to run into them in your church parking lot. As a matter of fact, the Better Business Bureau has warned consumers about disreputable texts making the rounds demanding that recipients take a "mandatory online COVID-19 test," while the FTC has posted an example of a bogus call offering a "free testing kit." As we mentioned above, these communications are "phishing" for your personal info, so don't click on any links and don't respond--leave 'em hanging!
 
  Tips!  
 
A public privacy event. The Federal Trade Commission (FTC) is hosting its 5th annual privacy convention (PrivacyCon 2020). The event, which is open to the public (no registration required, it appears) will be held on July 21 in Washington, D.C., and broadcast over the web. Unlike most "cons," at the FTC's gig you're more likely to see a bunch of "suits" rather than a guy in a superhero costume (like at Comic-Con). And the FTC intends to focus on health data privacy, which may seem dry, but is a particularly timely topic given how big business is increasingly looking to monetize our data--particularly that collected by health-related apps--with little regard to safeguarding it from third parties/identity thieves. (And don't even get us started on how the health data collected by apps isn't protected by federal HIPAA privacy law, ineffective as it is!) For more info on the concerns the FTC will be mulling over at the event--concerns that will be considered in creating regulations to protect consumer data as these emerging technologies, well, emerge--click here.
 
Pinging all Uber drivers! Workers who join rideshare companies like Uber often endure difficult working conditions, including exposure to scams perpetrated through the very apps they use to connect to the gigs. Tammy Smith is one such worker. She fell for a common con in which a fraudster calls an Uber driver (through the app, so that the call is anonymous) and claims to be with "Uber Support." In Tammy's case, the "supportive" scammer offered a $100 bonus for her good driving if she would confirm her personal account information with him--information that enabled him to obtain access to her bank account. After losing hundreds of dollars, a frustrated Tammy found and spoke with other Uber coworkers who had experienced similar scams. According to Gizmodo, these employees, and many more like them who describe situations almost identical to Tammy's in online forums, had encountered "one of the oldest and hardest-to-kill scams hurting [Uber] drivers." Unfortunately, it doesn't look like Uber is taking the steps necessary to stop these scams, so, for now, it's driver beware: If someone calls asking for any of your app account info (including your phone number), hang up!
 
Your princess is in another castle. Princess Cruises has hit some rough waters. Not only has the megaship mega-company (owned by Carnival) had to defend itself against its recently acquired reputation as a floating disease vector, it's got some 'splaining to do with regard to a not-so-recent (but only recently disclosed) data breach. The breach, which occurred about a year ago, was reported on by TechCrunch after Princess posted about it (vaguely) on its website in mid-March. Princess wrote: "It now appears that between April 11 and July 23, 2019, an unsanctioned third party gained unauthorized access" to employees', crew members' and guests' personal and financial info, including, potentially, SSNs, passport numbers, financial account information and health-related data. Princess wrote this before inexplicably stating that it had "no reason to suspect" that customer data was being misused. (It has no reason to suspect that it's not being misused either!) The cruise company recommends that those affected monitor their credit now, as well as obtain a credit freeze (which is what we recommend in situations like this).  
 
Too much off the top. Malware--there's that word again! Malware is particularly useful to criminals, who install code in computers to siphon (or skim) consumers' credit card information off of the e-commerce/retail websites they visit. E-skimming, like its real-life counterpart skimming, which often takes place at "point of sale" gas pump card readers, takes a little off the top--but in this case, that "little" is your credit card info. The account info is captured in real time, as you enter it into the online checkout page, only to be sold for a pittance on the dark web to other scammers, who use it to buy things online or clone counterfeit cards. In addition to double-checking to ensure that you're shopping on a real website, and not an evil doppelgänger, run the latest antivirus software on your phone or computer as an additional e-skimming prevention measure. Use a credit card rather than a debit card so that you have a chance at recouping any potential losses. And continuously monitor the cards you use to shop online (for strange activity, of course--not to be reminded of how much money you blew during that online shopping spree last night).