How data breaches lead to hack fraud: Internet Scambusters #687
If you think your personal information has been stolen during a data breach, you could subsequently find yourself on the receiving end of a hack fraud.
In this sneaky trick, scammers, who don't really have your personal details at all, pose as reps from the breached company and ask you to confirm your account info.
Then they use that information for identity theft, as we report in this week's issue.
Now, here we go...
Hack Fraud Creates Double Threat for Victims
Hack fraud, a new twist to the theft of personal information through corporate data breaches, is creating a double threat for victims.
Data breaches, in which a company's customer records are accessed by hackers, are now so common that it's rare to encounter someone whose information hasn't been stolen.
Mostly, this information ends up in the hands of spammers and identity thieves, but most victims don't even know about it until they find someone is using their bank or credit card information for fraud.
Or at least, that's how it used to be. But now, companies whose records are hacked are under an obligation to let their customers know their information may have been compromised.
And often, these companies offer a free credit monitoring service for a year or two to provide early warning of any fraudulent use of victims' data.
Contacting affected customers seems like exactly the right and fair thing to do, but unfortunately it's opened the door to the hack fraud scam in which crooks pretend to be from the breached company or from law enforcement agencies.
They send out spam emails and text messages, and even make cold calls, all at random, telling recipients their account details have been compromised.
Of course, it's hit-or-miss. Some recipients won't even be customers of the hacked organizations.
But, by chance, some will be, and they may be completely taken in by the bogus contact and tricked into handing over their contact information.
Usually, the crooks ask for account information including user names, credit card details and passwords, claiming they need to confirm this against the records stolen by the hackers.
They then proceed to drain bank accounts and max out any credit accounts they gain access to.
Clean Up Offer
In other cases, scammers buy lists of hack victims from underworld data brokers and contact them offering to "clean up" their records.
They imply that they can somehow remove stolen data so it's no longer available to crooks and, of course, they charge a fee for their services.
This was particularly the case with the recent breach of highly sensitive membership data from the married-adults dating site Ashley Madison.
The scammers claimed to be able to remove individuals' personal information from the site itself and from the data thieves -- neither of which they can really do.
On top of all this, there's also the risk of being contacted by scammers pretending to be from a company you do business with that hasn't even reported being hacked.
Crooks can easily acquire information about which retailers you buy from, either from illegal data brokers or even by going through discarded bills and records.
Again, they will contact these individuals claiming there's been a data breach and ask for "confirmation" of confidential information.
Five Key Points
To avoid becoming a victim of hack fraud, here are five key things to know:
1. If you receive a phone call claiming you've been hacked, it's almost certainly a scam. Companies whose data has been breached don't usually use the phone to notify customers.
Likewise, they rarely even use email. They normally send out formal notifications in the mail.
If you do get an email that you think might be genuine, don't click on any links in the message in case they lead to malware.
Instead, contact the company independently.
2. Breached companies will never ask you to "confirm" your confidential information, so don't give it to someone who asks.
3. Don't be taken in by messages that seem to include personal information about you. As we said, it's easy for crooks to get their hands on this information.
And on that point, make sure you shred any documents that contain personal information about you, including your name.
4. Don't pay to have hacked data supposedly removed or cleaned up. It can't be done, except by the organizations who hold the data on their systems, and they won't charge for it.
5. If you learn about a company you do business with being hacked, visit their website and/or contact them directly to find out what actions they propose to take to protect you and your data.
Alert of the Week
Although you should be vigilant for scams every day of the year, there's an extra focus coming up in early March.
The week of March 6-12 is National Consumer Protection Week, a coordinated campaign supported by most U.S. states, the Federal Trade Commission, and many consumer groups.
The aim is to highlight availability of information, tips, videos, and publications that help protect consumers against scams.
A wide range of information, much of it downloadable, will be available online, with additional support for community and educational organizations.
Learn more and get involved by starting at www.ncpw.gov
That's it for today -- we hope you enjoy your week!