Income tax, data breach refund and phone scams revealed.
Welcome to Cyber Security Today. It’s Monday January 20th. I’m Howard Solomon, contributing reporter on cyber security for ITWorldCanada.com.
Around this time of year people in Canada and the U.S. are thinking about filing their income taxes to get refunds. Meanwhile criminals are thinking about how to exploit the expectation of getting T4 or W2 slips from employers. An email security company called AppRiver says scammers have already started sending email to people in the U.S. pretending to be from the payroll provider ADP. Click on the link, it says, and you’ll be taken to an ADP web page where you can log in and get your tax documents. Actually, it’s a fake page for capturing usernames and passwords. That gives the criminal access to personal information of ADP customers. It also may allow them to divert tax refunds. So if you get an email like this, ignore it. The only way to safely log into sites is by going there directly yourself and not by clicking on a link in a message.
Phone threats are another way scammers try to trick you at tax time. Last year there were reports of criminals calling people in Canada pretending to be from the Canada Revenue Agency, asking them to pay taxes on prepaid credit cards or by Bitcoin. There were also email demands. Remember, the CRA will not ask for personal information by email, or phone you and ask for personal information.
Here’s an unusual scam: A website promises compensation for anyone who is a victim of data breaches. Dubbed “The Official Personal Data Protection Fund” it is allegedly from the so-called “US Trading Commission.” All you have to do is fill in your name and mobile phone number and it will allegedly scan a list of leaked information to see if you qualify. Of course you do, even if you enter a phony name. But to get payment you have to enter your social security number. Don’t have a number? No problem. The site will sell you a temporary social security number for $9 with a credit card. The thing is, even if you have a real social insurance number the site makes you buy a temporary one. This scam was discovered by security company Kaspersky.
Meanwhile, the FBI and police in Europe have seized a website called WeLeakInfo.com that sells access to stolen passwords and put it out of business. The site was similar to others on the Internet where you can check if your username and password credentials have been stolen. Most sites allow you to enter one email address, and that’s compared to a list of known compromised passwords. What you get back is a Yes or No on whether your password has been exposed. Data breach notification sites like that are useful. What a person can’t do is search and copy the entire list, which would give them access to thousands of stolen names and passwords for email and online websites. But that was the service of WeLeakInfo.com. For as little as $2 you could search and copy its database of 12 billion stolen records for up to 24 hours. Not any more. Two men have been arrested.
Finally, I often preach how important it is to use two-factor authentication to secure logins to important sites. With this you get a special code sent to a separate device, usually a smartphone, to enter in addition to your username and password. But what if a criminal takes over your phone? Then they get the special code, and if they have stolen your password to your bank or email, they can break into your accounts. A recent blog by security firm PhishLabs warns one way it can be done is if you fall for a text scam. The text may pretend to be from your carrier, saying you’re owed a refund. All you have to do is click on the link and enter your bank password. With that and other information the criminal has gathered on you they call your carrier and try to convince it to reset your phone password and switch your phone to one the crook controls. So first, don’t fall for this text scam. Second, make sure you’ve set up an account PIN number with your carrier so anyone who tries the phone switcheroo has to know your account’s PIN code.
That’s it for Cyber Security Today. Links to details about these stories can be found in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cyber security professionals. Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.