Feels like breach weather
Unless you were too busy dyeing eggs and plotting where to hide them, you likely caught the story that broke over Easter weekend: AT&T experienced a massive data breach impacting approximately 7.6 million current and 65.4 million former account holders, the company explained on its website. The compromised information varied by customer and account, AT&T said, but may have included full name, email address, mailing address, phone number, Social Security number, date of birth, and account number and passcode. If you're an impacted AT&T customer, you'll want to take note of advice that can help you avoid the negative consequences and opportunistic scams that can follow a breach. Lifehacker's recommendations include creating a new AT&T account passcode (four-digit PIN), even if AT&T already reset your passcode; changing your password (different from a passcode); and setting up two-factor authentication for account access. In a story by CBS News, Justin Brookman, director of technology policy at Consumer Reports, recommended that impacted customers check their credit reports to make sure no one is using their Social Security number to open new accounts; consider freezing their credit (see our credit freeze educational materials, here); and be wary of emails from hackers pretending to be AT&T and asking their targets to click on a link "to solve all your security concerns." The CBS story emphasized that if you get this type of email, you should log in to your AT&T account or call AT&T directly. If you first heard the story on Monday, April 1, you may have been tempted to dismiss it as another corporate April Fool's joke that falls flat, but no such luck this time.
Blessed be thy gold
One recent victim of an almost fantastical "blessing scam" is telling her story to help protect a vulnerable population: non-English-speaking older women in the Chinese community. The San Francisco Standard recounted the story of Vickie Wong, the latest scam victim to be approached in public by a team of crooks looking to "save" her from a curse. In Wong's case, the Standard explained, one of three tricksters pretended to be looking for a doctor to help cure her "possessed" daughter. A second trickster then approached, claiming to know where to find the doctor, while a third woman, claiming to be a relative of the doctor, then convinced Wong that Wong, too, needed the doctor's help due to a curse. Wong agreed to bring out all the cash and gold in her home (worth over $50,000) for a blessing ceremony. During the ceremony, the scammers swapped out the black bag in which they had placed Wong's valuables for another black bag of similar weight that contained bottled water, baby wipes and other nonvaluable items. Consumer Action's own Chinese community outreach staffer, Jamie Woo, explained that this scam has surfaced periodically over the past 10 years, and has been reported on often in Chinese television, radio and print media. Woo urges Chinese-speaking immigrants to make time in their busy schedules to stay informed about scams through local Chinese media (with which she regularly collaborates). Woo welcomes Chinese speakers and their advocates to reach out to her for more information about scams impacting the Chinese-speaking community: jamie.woo@consumer-action.org or 415-777-9648, ext. 207.
Scams for subscribers and unsubscribers
(Dis)courtesy message. In a recent scam alert, the Better Business Bureau (BBB) warned consumers that scammers are impersonating businesses and sending email messages with fake subscription renewal notices. The BBB alert described one consumer's complaint about an email message asking them to renew their SiriusXM account. The email, which arrived one day after the consumer's real renewal date, directed the consumer to visit a website to enter credit card information. Fortunately, the consumer did not fall for the scam. Instead, the BBB alert explained, the consumer visited the real SiriusXM page and verified that the account had automatically renewed as expected. A really smart move, we'd say, by a savvy consumer who was at first thrown off by the timing of the message. Check out the BBB's tips for avoiding these types of scams, and follow the example set by the consumer who contacted the BBB: Reach out to the actual company where you have a subscription before handing over any information or money.
Extra helping of spam. Southern California's KTLA Channel 5 reminded viewers late last month that if your inbox is flooded with spam, you might want to think twice about hitting the “unsubscribe” button. The reason for this, KTLA explained, is that in a scam email, the unsubscribe button might not work, or it might be malicious. Scammers may want us to click on unsubscribe links simply to confirm that the email address is valid, leading to more spam. Or, as the news story explained, citing cybersecurity expert Joseph Steinberg, clicking the unsubscribe button in an unsolicited email could also potentially infect our devices with spyware or other malware, or be used in an identity theft scheme. One good practice recommended by Steinberg is to flag spam messages so that the email system's anti-spam engines can help filter them out. The KTLA story also included links to Federal Trade Commission (FTC) tips on reducing unsolicited commercial email and recognizing and avoiding phishing scams.
Tips
Highway robbery. From California to New York, authorities are warning about scam text messages asking drivers to pay for road tolls. An alert by Trend Micro includes a list of several messages they've seen targeting New Yorkers. The phony messages warn of unpaid balances that require prompt payment to avoid penalties. Clicking on links in the text, Trend Micro explains, takes consumers to phishing websites, where they will be asked for credit card and other personal information. According to NBC News 5 in Chicago, where a similar scheme was targeting residents, Illinois Tollway (the toll highway authority) worked with state and federal agencies last month to take down a phony website associated with the fake texts. One of our staffers in California received a text message, purportedly from the state's FasTrak toll collection system, requesting, within two days, a payment of $5.75 "to avoid incurring extra costs." In a subsequent alert, FasTrak reminded California drivers that they don't request payment by text with a link to a website. Consumers can file complaints with their attorney general's office and the FTC, and follow tips offered by MalwareTips.com.
Relief for the unrelieved. The Federal Trade Commission announced in March that it is sending more than $4.1 million in refunds to people who lost money to student loan debt relief scammers who lured consumers with fake loan forgiveness claims. The FTC alleged that, since 2014, the operators of Mission Hills Federal and Federal Direct Group (the scheme used several different names) tricked students into paying hundreds to thousands of dollars in illegal upfront fees and pretended to lower consumers’ monthly student loan payments. The operators also tricked consumers into sending their monthly student loan payments directly to the defendants by falsely claiming to take over the servicing of the consumers’ loans. Few payments were actually applied to consumers’ student loans, and in many cases, none at all. The FTC is sending checks to close to 30,000 consumers. Anyone with questions about a refund payment should contact the refund administrator, JND Legal Administration, at 844-566-0108, or review the FTC’s refund FAQs. Because tricksters will use any opportunity to make a dime, the FTC's announcement reminded consumers that the agency never requires anyone to pay money or provide account information to receive a refund.
A hefty cover charge. Vacationers shell out for everything from flights and hotels to dining and entertainment. Offers of free, fun activities might, therefore, be very enticing to many a traveler. According to ABC 10, one Miami tourist was approached earlier this year by a scammer claiming to be a club promoter who could get her into any Miami-area nightclub for free. In order to access nightclub flyers, the tourist handed her unlocked phone to the scammer so that he could "add his Instagram page to her account." The scammer then continued to distract the tourist while an accomplice took possession of the phone, claiming to also be adding his Instagram page and following others on the app. ABC 10 reports that the tourist later discovered that while the scammers had her phone, they accessed her Chase banking app, changed the password, and initiated a $1,500 Zelle transfer. At least one of the perpetrators was subsequently arrested; turns out he had been previously arrested for similar schemes in which victims lost $1,500 to $3,500 via unauthorized transactions. This serves as a reminder not to hand our phones over to strangers for any reason, and, as NordVPN advises, to log out of banking and other financial apps whenever they’re not being actively used, lest we lay out the welcome mat to our financial accounts for anyone who finds or steals our device.
When helping to fight crime doesn't. New Jersey 101.5 radio station posted a story on its website last week warning about scam calls from fraudsters pretending to raise money for police. The story notes that the calls increase whenever an officer is injured or killed in the line of duty—scammers prey on people's emotions. Among the red flags to look out for are high-pressure tactics. For example, New Jersey 101.5 explained, scam callers will suggest a particular donation amount, such as a hundred dollars, and if they don't get the answer they want, will follow with a "What do you mean you don't have a hundred dollars to keep our officers safe?" The news piece offers several tips, including one key takeaway worth committing to memory: Police will never call to ask for donations. (If your caller ID displays an actual police department phone number, it’s spoofed.) Remember this the next time a scammer calls to ask for a donation to police, and take the opportunity to contribute to the fight against crime by hanging up.
Lost and found out. In early April, the Daily Dot ran a story about a recent case of what at times has been called the "Find my iPhone scam." Citing a TikTok user whose post went viral, the Daily Dot explains that two women attempted to rob him while he sat in his car in a grocery store parking lot. The women, who had pulled up in another vehicle, approached his car and one of them told him through a cracked window that [according to their Find My iPhone app] he had one of the women's phones. The TikTok user, of course, did not have their phone and took off (though he said they followed him). In January, according to Patch.com, Rye, New York, police similarly warned about a pair of scam artists going to people's homes and showing residents a phone in which the Find My iPhone app supposedly shows that one of their phones is pinging inside the resident's home. Patch.com explained that the perpetrators tried to get inside the resident’s home or tried to get them to come out. In an almost identical story in New Braunfels, Texas, local police said in a Facebook post that the perpetrator was also able to give details about the would-be victim’s daily movement. (Our wild guess: Perhaps the perpetrators follow people around before approaching them?) The takeaway for the rest of us is to not be taken by surprise, and to not allow our inherent desire to be helpful to people in need put us at risk of becoming crime victims. We recommend calling police if you're in an unsafe situation and unable to move away. Also heed the TikTok user's wise advice, as reported by the Daily Dot: “Pay attention to your surroundings at all times, and if someone comes up to you and says they lost their iPhone... don’t get caught up.”