At Scam Detectives HQ we’re always keen to help a friend in trouble.  If they really are in trouble that is….

This morning we received an email from one of our clients which read as follows:

 

Hi there.

I’m really sorry to reach out to you this manner and I’m sorry for not informing you about my urgent trip to Scotland. I am here for a Seminar and to complete a project.

I want this issue to be confidential between You and I because I don’t want people to get worried about my situation.

Everything was fine until I got robbed on my way back to the hotel and I lost my Wallet, mobile phone and some valuables during this incident. I had to block my account and bank cards immediately.

I am facing a hard time here because I have no money on me to clear Hotel bills and some expenses. I’m sending you this message because I need your help with a loan of £3350 to pay up the bills and make arrangements to get back home.

Am sorry for the inconvenience this message might cause you but please understand that am in a very bad situation right now and would appreciate if you could help me out.

Best regards,

(name removed)

You’ll need to check that your computer isn’t infected with a backdoor virus, keylogger or other malware that has led to your password being compromised. Run a full virus scan and deal with any infections BEFORE you log in to any other online services.

1) Be very careful when using public computers or networks to log in to your email or other subscription services.  There’s a useful guide from “LifeHacker” on using public networks safely here

2) Make sure that you’re using a strong password that consists of numbers, letters and special characters (*, $, !, £ etc.) to make life difficult for hackers

3) Use a different password for every site you use.

4) If possible, don’t use webmail (hotmail/aol/yahoo/gmail) for sites that require a password. Once a hacker has control of your email account, they can request password reminders from the websites you use and compromise these accounts. Use your ISP email address for anything that requires a password.

5) Keep a list of the sites that you use somewhere safe offline so you know who you need to get in touch with if your email account is hacked

6) Keep a list of your contacts somewhere other than your webmail account, so you don’t lose them if your account is hacked

This may all seem like a lot of work, (and a pain in the arse!) and it is, but prevention is ALWAYS better than cure and a few minutes work now could save you long hours of running around if your account is ever compromised.

iPhone users have long relied upon applications to make sure they wake up on time, check their email, book holidays, read newspapers and even ensure they don’t miss their favourite TV programmes. Some users say it’ll do everything but make the tea.

So whilst we’re not surprised, we ARE highly concerned that world leaders will be able to use their iPhone to launch an Intercontinental Ballistic Missile (ICBM) from anywhere in the world with a 3g internet connection (or wifi).

The NSA has tried to keep it under wraps, but, at great personal danger, Scam Detectives has obtained a screenshot of the app which appears below:

The scary thing is that over 70 million mobile phones are reported lost in America every year. How long before a Nuke enabled iPhone turns up on Ebay?

What do you think? Natural evolution of technology or the beginning of WW3?

Drop us a comment below:

{POST NOON UPDATE} This is an April Fool – Please don’t write to your MP, Congress, the Daily Mail etc {POST NOON UPDATE}

At Scam Detectives HQ we often receive emails reporting a website as a scam.

Many of these emails are not reporting scams as such, but customer service issues including refused refunds or products delivered late.

That’s not a scam, it’s an issue for the consumer to sort out with a strongly worded email or a call to Trading Standards.

We are very careful not to denounce a website that could simply be experiencing technical or supply-chain issues as a scam because:

a) We could get sued and
b) We could do untold harm to that Company’s online reputation.

A case in point is this week’s debacle surrounding Samsung’s laptops.

Several blogs (Scam Detectives wasn’t one of them by the way) reported that Samsung were willingly and deliberately installing keyloggers on their laptops.

Understandably, this raised an outcry with huge numbers of consumers calling for a boycott of Samsung’s products, refunds on existing products and prosecution under various acts of law.

It very quickly became evident that Samsung were doing no such thing. The “Keylogger” that was being reported by a well known anti-virus product was in fact a perfectly legitimate folder installed by a Microsoft product which, by unfortunate coincidence, shared the name of the folder created by the keylogger.

OK, at least one of the blogs published a retraction, but how many people read it? As many as read the original article and resolved never to buy a Samsung laptop again? Probably not.

This could potentially have done untold damage to the reputation of a Global manufacturer. Why? Because the blogs concerned didn’t do enough research to verify the story before publishing. If I worked in Samsung’s legal department, I’d be considering lawsuits right now.

So if Scam Detectives doesn’t publish a damning report on the website you consider to be a scam, it’s because it’s either not a scam or we can’t say with 100% certainty that it is. Sorry.

Following up from yesterday’s quiz, find out how much you know about the risks facing your business from scammers, spammers and social engineers!

[mtouchquiz 2]

[mtouchquiz 1]

So, you’ve just bought a pair of tickets for a fantastic music festival. You’ve been wanting to see the headline act for ages and you’re really excited. Ok, it cost you £150 but the tickets weren’t available anywhere else, having sold out through “official” channels within hours of going on sale.

You’ve been promised that the tickets will arrive no less than five days before the event, but it’s getting closer and there’s nothing in the post. You’re starting to get nervous.

Three days before the event (still no tickets…) you go back to the website you bought them from to find it’s been taken offline. Emails to the seller bounce back as undeliverable.

A Google search tells you that there are hundreds of festival-goers in the same boat. You realise that you’ve either been scammed outright or the Company has gone out of business.

What can you do about it?

Although you have to accept that you’re going to miss the gig, as long as you paid by credit card your money is safe.

Section 75 of the Consumer Credit Act 1974 says that when you pay for goods or services costing over £100 using a credit card, both the supplier AND your credit card issuer are “jointly and severally liable” for the performance of the contract.

What does that mean in “non-legal” speak?

Simply put, if you enter into a contract to buy something, or to pay for services, and pay using your card, if the supplier doesn’t hold up their side of the bargain, for example by providing shoddy goods, bad workmanship or failing to supply the goods at all, you have a choice of who to claim against for breach of contract.

You can either claim against the supplier (which may not be possible if they’ve gone out of business or just won’t acknowledge your complaint) OR against your credit card issuer.

Despite what some credit card issuers may tell you, you don’t need to get a court judgement against the supplier first.

Does Section 75 only apply to physical goods?

No. According to the Financial Omsbudsman Service wherever you have a claim for breach of contract under (for example) the Supply of Goods and Services Act (1982) or the Misrepresentation Act (1967) you should be covered by Section 75.

Examples may include:

A holiday package which is significantly not as described (or isn’t supplied as the travel agent goes bust)
A training course which doesn’t deliver the training advertised in advance
A plumber who doesn’t fit a radiator properly so it leaks all over the floor and ruins your new carpet

Claims where a product or service hasn’t been received are relatively straightforward. Claims for unsatisfactory goods or services are not so straightforward and you will have to prove that this is so.

Can I only claim back the amount I paid?

No. You can claim for all even if you only paid a deposit by credit card

What if I paid by debit card

Unfortunately, the Consumer Credit Act doesn’t apply to debit cards as they are effectively treated as cash payments. VISA debit cards are covered under a little known rule known as the “chargeback” scheme which offers similar protection but often bank staff are not trained on this, so you may have to get your call escalated to management level before it’s approved. Other debit card issuers may offer some level of protection on an individual case basis.

So what’s your advice?

If you’re buying ANYTHING over the value of £100, pay by credit card even if you have the cash in your pocket. It could save you a load of hassle later if things don’t go according to plan.

At Scam Detectives HQ we hate charity scammers with a passion.

So when we received this email purporting to come from UNICEF, we decided to find out just how heartless they REALLY are.

HOPE FOR JAPAN NOW: DONATE TO THE EARTHQUAKE & TSUNAMI VICTIMS
from UNICEF Relief Programme – unicef_japantsunami@gmail.com
reply-to unicef_japantsunami0@yahoo.co.jp
to
date Mon, Mar 14, 2011 at 8:10 PM
subject RE: HOPE FOR JAPAN NOW: DONATE TO THE EARTHQUAKE & TSUNAMI VICTIMS.

HOPE FOR JAPAN NOW: DONATE TO THE EARTHQUAKE & TSUNAMI VICTIMS

The United Nations International Children’s Emergency Fund (UNICEF, USA) hereby appeal to all Cooperate Bodies, Non Governmental Organizations (NGO), Celebrities, Government Official, Individuals including you as well, on behalf of the Japan Earthquake & Tsunami Victims for financial supports in providing relief and shelter.

Your one (1) cent or $1 counts at this critical time for the Children and citizens of Japan and what ever support you rendered will be rewarded by God. Please fill out the following information’s.

1). First Name
2). Last Name
3). Direct Phone Number
4). Email Address (Optional)
5). The Amount To Assist

Note that 100% of funds raised will go towards relief efforts in Japan and there are NO backend costs. A massive 9.8 magnitude earthquake struck North-East Japan on Friday, March 11th 2011. The damage to buildings is extensive and the number of injured or dead is estimated to be over 10,000 of which 40% are children.

Your financial support will help rush emergency supplies to survivors of this catastrophe. Your donation now will help distribute life-saving relief supplies including food, clean water, blankets, medical supplies and tents to children and families devastated by the Tsunami caused by the earthquake and aftershocks in Japan.

Please donate and assist the Japan earthquake & Tsunami victims financially and with your prayers as well. All donations will be made via PAYPAL, WESTERN UNION, and Bank Wire Transfers. Upon the confirmation of your willingness to assist the children and citizens of Japan, we shall respond back to you with the directives on how to redeem your support/donation. As soon as we receive your email response, We shall then provide you with the details on how to redeem and send your donation.

Thank you for your generous gift in this time of need.

UNICEF – SOUTH EAST-ASIA REGION
Address: UNICEF, 19 Phra Atit Road
Chanasongkram, Phra Nakorn
Bangkok 10200, Thailand.
Hoteline: +66888831257 ( Open 24 / 7 )
Email: unicef_japantsunami1@yahoo.co.jp

I. HIGHLIGHTS/KEY PRIORITIES

• Japan’s massive emergency response operation scales up to respond to three consecutive emergencies: earthquake, tsunami and nuclear radiation threat

• Japan is on high nuclear alert as authorities urgently work to cool two nuclear reactors.

• Rescue operations by boat and air continue but many tsunami-affected areas remain inaccessible.

• More than 380,000 people evacuated across the country.

• International emergency specialist teams arrive in Japan to assist the Government emergency response operations.

c/o: Hope For Japan Now: A Global Benefit For Earthquake and Tsunami Relief. Your donation will support the following organizations:

United Nations Office for the Coordination of Humanitarian Affairs (OCHA)
Unicef
American Red Cross
WPF
Western Union
Oxfam America
PayPal

Using a “throwaway” email address, we responded with this message:

I would very much like to donate to the Japanese Earthquake appeal.

Since the disaster, my 6 year old daughter has been extremely distressed. It was her birthday on Sunday and she was given a sum of money which she now wishes to donate to those in need.

Please advise as to the most efficient way to get the funds to you.

Their response:

Good Day,

This is to inform you that we appreciate your sympathizes upon the people of Japan and we pray that the Almighty God will continue to bless your entire family, be informed that your donations will provide relief and shelters to the Victims of this devastated earthquake & Tsunami.

However, you are required to provide to us your personal information for more prayers from the people of Japan for your willingness to assist the children and citizens of Japan in this time of need, such as:

1). First Name
2). Last Name
3). Direct Phone Number
4). Email Address (Optional)

Consequently, you are advice to send your donation to UNICEF – SOUTH EAST-ASIA REGION, BANGKOK, THAILAND as programmed by the United Nations Office for the Coordination of Humanitarian Affairs to receive all donations to help distribute life-saving relief supplies including food, clean water, blankets, medical supplies and tents to the people of Japan.

In reference to the above matter, you are to send your Donations (Money) through western union money transfer to the below information:

RECEIVER’S NAME: ADJEI MICHAEL ATTA
ADDRESS: UNICEF, BANGKOK-THAILAND.
AMOUNT:…………………….
SENDER’S NAME & ADDRESS:………..
MTCN:…………………………

On receipt of your kind donations, the UNICEF shall publish your names for more prayers from the people of Japan and the entire World, please endeavour to indicate your name and other relevant information as stated above.

Thank you for your generous donations.

c/o: Hope For Japan Now: A Global Benefit For Earthquake and Tsunami Relief. Your donation will support the following organizations:
United Nations Office for the Coordination of Humanitarian Affairs (OCHA)
Unicef
American Red Cross
WPF

So, you see that there really is no level to which these [expletive removed] will not stoop.

PLEASE ensure that if you’re donating to the relief efforts in Japan you take great care to ensure that your donation is going to those in need, and not straight into the pockets of scammers like this.

ONLY donate via official websites (where you’ve typed the URL in yourself) and don’t respond to email requests for money.

Do you use something that looks like this to log into online banking, Paypal or your Company’s Virtual Private Network?

It’s a “security token” and it generates a random code which you have to use to gain access to your online banking accounts, to stop hackers and “phishing” scammers being able to access your accounts remotely. Known as “two-factor authentication” it’s been promoted by banks as the most secure way to use online banking.

Until today. The manufacturer of these devices has announced in an open letter to it’s clients that it has been the target of an “Advanced Persistent Threat” which has led to it’s systems being breached and data relating to it’s products being stolen.

Whilst insisting it is “confident” that the information extracted will not allow a direct compromise of the two-factor authentication system, it admits that it “could” be used to reduce it’s effectiveness in future.

How does this affect you today?

Information about how this affects end users is sparse at this time. We would fully expect that the major High Street banks will be issuing advice to their customers about how this breach affects them within the next few days. If you are concerned about your online banking security, please contact your bank directly.

Was this caused by human error?

In it’s “SecurCare” online note, RSA gives the following advice to it’s corporate customers:

* We recommend customers increase their focus on security for social media applications and the use of those applications and websites by anyone with access to their critical networks.

* We recommend customers enforce strong password and pin policies. We recommend customers follow the rule of least privilege when assigning roles and responsibilities to security administrators.

* We recommend customers re-educate employees on the importance of avoiding suspicious emails, and remind them not to provide user names or other credentials to anyone without verifying that person’s identity and authority. Employees should not comply with email or phone-based requests for credentials and should report any such attempts.

* We recommend customers pay special attention to security around their active directories, making full use of their SIEM products and also implementing two-factor authentication to control access to active directories.

* We recommend customers watch closely for changes in user privilege levels and access rights using security monitoring technologies such as SIEM, and consider adding more levels of manual approval for those changes.

* We recommend customers harden, closely monitor, and limit remote and physical access to infrastructure that is hosting critical security software.

* We recommend customers examine their help desk practices for information leakage that could help an attacker perform a social engineering attack.

* We recommend customers update their security products and the operating systems hosting them with the latest patches.

Reading between the lines, this suggests that this attack could have been the result of employees falling victim to “social engineering” techniques which led to them inadvertently disclosing passwords or other critical data to unauthorised parties.

At Scam Detectives we’re extremely concerned by this successful attack on one of the world’s most respected and trusted online security Companies and fully endorse the advice they have given.

========================================================================

Our new book “Scammers, Spammers & Social Engineers: A Scam Detectives guide to keeping your business safe online” is now available and gives practical advice and tips on how business owners can secure their systems and train their staff against scams and social engineering techniques that could cost thousands of pounds in lost revenue or data.

It’s available in paperback at £9.99 plus P&P or for instant download at £7.99 (pdf reader required)
========================================================================

We all share more about our daily lives on Twitter, Facebook and other social networking websites than ever before. Photos we’ve taken, purchases we’ve made, what we had for breakfast. It may sound dull and mundane (and often it is) but how much information can you glean from one user’s Twitter feed? Is it enough data for an identity thief to pose as you when dealing with a financial institution, or allow a “phisher” to target your bank account more effectively?

Scam Detectives decided to find out

By searching for one piece of the jigsaw (the name of a particular high street bank) we were able to identify a Twitter user who was being particularly generous with her private information.

Details freely provided in her Twitter feed, in conjunction with standard directory enquiries searches and a helpful link to her facebook profile, allowed us to build up this profile:

Her full name (including middle initial)
Where she lives (yes, down to the street address and postcode)
Her Date of Birth
Her email address
Her telephone number
The Company she works for
Her town of birth
Her children’s names
Which bank she uses for her current account
Who holds her mortgage
Who issues her credit card
Her mother’s maiden name
The name of her first pet
That she’d attended the V festival in 2010 (and which one, on which day)
That she was desperate to get tickets for V 2011 but hadn’t been able to
That she drives a green Volkswagen Beetle (and the reg no)

So, how could we use that information?

We could target her very effectively with a “phishing” email

Dear Ms X

We have detected unusual activity on your (xyz bank) credit card. Our systems have identified the following transaction as potentially fraudulent:

13/10/2011 – Currys Superstore (home town) – £1,278.99

Please click on This Link to either report this as a fraudulent transaction or to confirm that you made this purchase.

Thank you

Your Credit Card Issuer

You see how this could be much more convincing than the random phishing emails you get now? It addresses her by name, looks like it came from a bank she actually has an account with and even mentions her home town.

Another way we could target this user is by issuing a fake “fine”.

Dear Ms X

Your vehicle (reg no. XX58 XXX) was recently observed parked illegally in (street where she works). Please see below for the exact details of the offence:

Vehicle description: Green Volkswagen Beetle
Registration Number: XX58 XXX
Offence Code: PC32 (expired parking ticket)
Date: 12/1/2011
Time: 14:22

The penalty for this offence is £60.00 which can be paid by credit or debit card by calling (0870) 1112222. If you do not pay within 7 days this will increase to £120 and may lead to legal action.

Again, we have personal information, the actual details of the car and a location where the car may well have been parked for a short time.

Other ways that this user could be targeted include (but are not limited to):

• ID theft (using common answers such as mother’s maiden name, first pet’s name, child’s name etc to satisfy security checks)
• “Phone phishing” (Hi Ms X, I’m calling from xyz bank, we just need to discuss your account. Could you just confirm the first, third and sixth letters of your password for data protection purposes?)
• An offer for V festival tickets at a “too good to be true” price (We notice you haven’t bought your tickets for this year’s V festival yet. We have “reserved” tickets for people who attended last year – You were at X on Y date, weren’t you?)

The more information you share, the more “jigsaw pieces” you provide to scammers who could use it to target you with the one scam that looks real enough for you to fall for it.

Be very careful, and don’t share more than you need to. Use privacy controls on Facebook to ensure that your email address, home town and telephone number are hidden from strangers. If you post a picture of your car, mask the registration number first. Don’t be tempted with silly web games like “Your porn name = your mother’s maiden name followed by the name of your first pet” – You could be giving up the one detail that the scammer needs to steal your identity.

It sounds like paranoia, but that doesn’t mean they’re not out to get you!

Editor’s note – we contacted this particular Tweeter before publication and she has now “sanitised” her feed and locked down her Facebook profile so tight it hurts!

This isn’t technically a “scam” by the strictest definition, but it’s definitely a ripoff and you should beware of being taken in.

Scam Detectives HQ just received a message via Facebook advising Internet users to be very careful when looking for contact telephone numbers online.

The reader had “Googled” to find the telephone number for the tax credits helpline. The “sponsored listings” at the top of the results look like this:

Clicking on one of the links takes you to this website:

So you grab your phone, call the number displayed in large type on the screen and you get through to the Tax Credits helpline, right? Wrong!

You get a recorded message giving you the telephone number for the tax credits helpline which has just cost you £1.53!

You could have obtained this number for free, and let’s face it, you’ve used Google because you don’t want to pay for Directory Enquiries, haven’t you?

Similar “sponsored links” can be found when looking up the customer service numbers for most major high street banks, mobile phone operators, home phone and broadband providers and credit card issuers.

NEVER call a premium rate number (starting 09) to get in touch with a customer service department. Most organisations will have telephone numbers that begin (0800), (0845) or (0870) which will be charged (at most) at 10p a minute from a landline.

If you’re looking for a customer service telephone number, you should make sure that you are on the organisation’s official website by checking the web address. It will usually follow this format:

www.(organisation name).com (or .co.uk/.org/.gov.uk)