Identity Theft

Recently, a new phishing e-mail has been circulating. The e-mail is the IRS asking for donations to help the victims of the California wildfires. The e-mail is a scam. The IRS is not and never will ask for donations, let alone send out an e-mail asking for financial and personal information.

The e-mail seems real enough. It provides links to an IRS website. The website asks for personal and financial information in order to obtain the donation. It seems like a good thing to do. However, do not enter any personal or financial information, the website is not the real IRS website. The information that is asked for is what the scammers use to steal identities, open new lines of credit and ruin peoples’ credit and lives. If that weren't enough, the links and the e-mail are also thought to contain “malware and other malicious software.”

To protect yourself and help stop the phishing scam the IRS

“urged those who received the scam e-mail to help the IRS shut down the operation by forwarding it to phishing@irs.gov, using instructions found in "how to protect yourself from suspicious e-mails or phishing schemes" on the genuine IRS Web site, http://www.irs.gov.”

On a happier note, the IRS is doing their part to help the wildfire victims. They are extending payment and tax return filing deadlines for victims.

“As California taxpayers start the recovery process, the last thing they should worry about is meeting a tax deadline,” said IRS Acting Commissioner Linda Stiff. “The IRS offers many resources for disaster victims online at IRS.gov, over the phone and in person.”

If you would like to donate to the victims there are several ways in which you can. The LA Times wrote an article with several suggestions of how to help the wildfire victims.

Read the AP's article for all the details of the e-mail scam.

Who would have thought that befriending a frog could be dangerous? Well, it is, if that frog has access to things like your e-mail address, birth date, home address, work info or school info. You may say to yourself that you would never be so foolish, but what kind of info do you post on social network pages?

The security company Sophos did a study and to find out what kind of information people are sharing and how easy it is to get hold of it. So, they created “Freddi Staur” - a fake Facebook user - then sent out 200 friend invites.

“Of the 200 people contacted, 87 responded and agreed to be friends … 82% of them gave "Freddi" an open view of their profiles … 72% divulged at least one of their e-mail addresses, 84% gave up their date of birth, and 87% offered details about where they went to school and where they work.”

Having personal information on your profile isn’t the problem. The problem is who has access to the info because it could be used to steal your identity. While it may be cool to have lots of friends - even if it's just a frog - you need to stop and think what kind of information you are giving them and how safe you really are.

Read all the study details on the Sophos web site.

Update:

If one study isn't convincing enough, here is another.  The BBC show Watchdog did a very similar study to Sophos study.  They created a false identity and befriended people on facebook. Then they took their study one step further.  They actually opened bank accounts and credit cards using the information of an individual that was provided on their profile!  Social networks are not as safe as we would like to think.  Read all the study details on the BBC web site.

Need another reason to be cautious of social networks?  Here's one, facebook employees can track what profiles you are looking at.  Yep, not only can the look at anyone's profile they can track the profiles that people look at.  While it may weird you out, it also helps keep people safe.  Check out the story and decide for yourself.

Fidelity Investments lost a laptop that had sensitive employee information for 196,000 current and former HP employees. The employes were told this week that they are at risk for identity theft and that they should take steps to protect themselves.

Here's part of the email that went out to HP employees:

"This is to let you know that Fidelity Investments, record-keeper for the HP retirement plans, recently had a laptop computer stolen that contained personal information about you, including your name, address, social security number and compensation."

A web site has been set up that "includes some immediate steps that you can take to protect yourself, as well as information about how to enroll for a 12-month period of credit monitoring at no cost to you and a Fidelity call center number in case you have additional questions."

This is just the latest in string of laptop losses that have affected employees at Sun, Cisco and IBM. It's unclear if the laptops are being targeted because of the information they contain, or if it's just random theft. My guess would be random theft.

When I worked in the corporate world, laptops disappeared on a regular basis. Thieves are able to dress like the typical corporate type (tan slacks, blue dress shirt, just the right amount of hair mousse) and sneak into one of our offices. From there they'd look for an unattended laptop, pick it up, and carry it out the door as if they were rushing off to attend the next staff meeting.

Anyway...

Fidelity has good news for those affected. It appears the data was encrypted and the encryption key has expired on the machine - making the data more difficult to extract.

Here's Fidelity's take on the situation:

"At this time, we are unaware of any misuse of the information contained in the software on the laptop," said Fidelity spokeswoman Anne Crowley. "The application was running on a temporary license from a third-party software vendor. The license has expired. Since the expiration of the license, the scrambled data would be difficult to interpret and generally unusable.

We have taken steps to implement extra security processes requiring additional authentication for access to those HP accounts as well as other measures to prevent unauthorized use. We have also employed additional security controls above and beyond our already significant monitoring activity to identify if there is any unusual activity in these accounts. Further, we have reviewed activity in the HP accounts and have found no indication of unusual or suspicious activity."

The bottom line is that no matter how careful you are, someone else's blunder can expose you to identity theft. The only way to avoid it is to withdraw from modern society. I'd personally rather have the 401k money.

It's our favorite time of year here in the U.S. - TAX TIME!

Along with tax season comes the predictable onslaught of IRS scam emails. No, these don't come from the IRS. They are from the same old bad guys trying to separate you from your money.

Here's an email that just arrived today:

They're only offering a refund of $63.80??? Those crooks!

I would have thought a higher amount, like $630.80 would better peak our interest in recovering the money. Oh well, I'm sure they do extensive testing to determine the cash amount that draws the most clicks...

Once you click the link you'll see a beautiful reproduction of the IRS site along with a form asking for your:

• SSN
• Credit card number
• Credit card expiration date
• Credit card CVV security code from the back of the card
• Credit card ATM PIN

This looks like a clear credit card fraud attempt. With this information they can purchase items over the internet or withdraw cash from your account.

What should you do if you receive an email like this?

The IRS, unfortunately, doesn't currently have an easy way to report these emails. The best you can do right now is call 800-366-4484 to report it, but the number was busy each time I tried to call. Not good.

The IRS has placed this kind of phishing scam in their "Dirty Dozen" tax scams for 2006. Here's what they had to say:

Phishing. Phishing is a technique used by identity thieves to acquire personal financial data in order to gain access to the financial accounts of unsuspecting consumers, run up charges on their credit cards or apply for new loans in their names. These Internet-based criminals pose as representatives of a financial institution and send out fictitious e-mail correspondence in an attempt to trick consumers into disclosing private information.

Sometimes scammers pose as the IRS itself. In recent months, some taxpayers have received e-mails that appear to come from the IRS. A typical e-mail notifies a taxpayer of an outstanding refund and urges the taxpayer to click on a hyperlink and visit an official-looking Web site. The Web site then solicits a social security and credit card number.

In a variation of this scheme, criminals have used e-mail to announce to unsuspecting taxpayers they are “under audit” and could make things right by divulging selected private financial information. Taxpayers should take note:

The IRS does not use e-mail to initiate contact with taxpayers about issues related to their accounts. If a taxpayer has any doubt whether a contact from the IRS is authentic, the taxpayer should call 1-800-829-1040 to confirm it."

Since the IRS is so lame in trying to shut down sites, I thought I'd do something.

It appears the servers are based in Korea and I've emailed the ISPs that manage the IP involved, but I'm not holding my breath.

The last word... enjoy tax season, just don't try to claim an early refund from scammers.