Worst password choices and sneakiest tricks to steal your ID: Internet Scambusters #545
Password theft is back in the spotlight in this week's Snippets issue, with the latest details of the worst passwords, straight off the crooks' own lists.
We also have the lowdown on two sneaky financial scams -- one targeting small business owners.
And we report on an unusual job scam that, in some cases, even takes victims south of the border.
Let's get started...
Thieves Target Your Password, Your ID -- and Your Car
One day you may be able to look your webcam in the eye and be instantly recognized, but until then we're stuck with old-fashioned passwords as the main way of gaining secure access to our online accounts.
But despite widespread warnings, including several Scambusters issues, it's remarkable that people continue to use easy and predictable words or number combos.
So we make no apology for returning to this vexed subject this week as part of our Snippets issue.
We'll also be looking at financial phishing tricks and an unusual variation on job scams.
By now, we hope that most Scambusters readers will be alert to the dangers of using easy, short passwords, and then using them again and again on multiple sites.
But we're hoping you might pass on this issue to friends and acquaintances in hopes of spreading the word and perhaps getting a few more people out of the clutches of the password crackers.
We're doing this because a recently published list of common passwords shows people are still trying to protect themselves with words like "password," "123456," and "12345678."
In fact, those are the top 3 in the latest "Worst Passwords" chart from smartphone software outfit SplashData. And they've held those slots for years.
This year's new entries include the strikingly original (tongue-in-cheek) "Password1" and "welcome," while "111111" shows the biggest gain, moving up three places to number 9.
Seriously though, isn't it a shame that people are still using these terms and numbers, which are the first ones any hacker tries? Using them is just like handing your front door key to a crook.
In fact, the SplashData chart is compiled from the crooks' own online lists that contain millions of stolen passwords -- and they're being offered for sale.
Morgan Slain, SplashData CEO, comments: "We're hoping that with more publicity about how risky it is to use weak passwords, more people will start taking simple steps to protect themselves by using stronger passwords and using different passwords for different websites."
Amen to that.
Action: For more information on how to create secure passwords, check out these Scambusters issues:
And please pass it on!
Payroll Software Scam
Another continuously hot topic, which we featured in our previous Snippets issue and in many other reports, is phishing, and in particular, the use of bogus email messages that pretend to come from legitimate organizations.
Sometimes these are aimed at small firms, where it's hoped they'll hoodwink busy owners or employees into surrendering confidential information that gives the crooks access to their bank accounts.
The latest one that follows this pattern landed in the inbox of one of the Scambusters team, claiming to be from financial software company Intuit, producer of the QuickBooks program used by lots of small firms.
Carrying the Intuit logo and with the subject line "Information Only: Payroll Account Terminated by Intuit," the message claimed a payroll transaction had been rejected.
It asked recipients to sign in to their account and arrange to transfer money.
But what looked like an Intuit link actually took victims to a French website mimicking the real thing.
The site has now been taken down but, no doubt, not before some firms fell victim. Also, no doubt, the crooks have set up another phishing site with the same purpose.
Meanwhile, another member of our team received a phishing email claiming to come from credit card company American Express.
This time, the subject heading was "American Express Alert: Your Transaction is Aborted" and the message contained links that secretly led to a hijacked commercial computer system that would upload malware onto victims' PCs.
This scam was still "live" at the time of writing, so watch out!
Action: In both cases, poor grammar, spelling and language use were dead giveaways.
But one simple rule avoids this scam: Don't click links in messages that claim to connect to a page where you have to sign on. Instead, go straight to the genuine website yourself and check there that everything is in order.
Job Ad Targets IDs -- and Victims' Cars
Just space to squeeze in one more Snippet -- this time an unusual version of a job scam.
It starts with a bogus job ad on Craigslist, purporting to come from the homebuilding charity Habitat for Humanity. The name of the Salvation Army has also been used for this trick.
There seem to be two variations of the scam.
In one, applicants are met, usually at a coffee shop, in the locale where the Craigslist ad appears and asked to provide information including Social Security numbers and driver's license details.
This is a straight identity theft ruse and the victim hears no more about the supposed job.
The second variety is more complex. While the victim is being interviewed, their car is ransacked.
In several instances, victims were actually asked to drive to Tijuana in Mexico, where their vehicles were stolen.
Action: Craigslist is a notorious target for job scams, so be especially wary when applying for a posted job there.
Also be wary about meeting anyone for an "interview" in a coffee shop or anywhere but a proper office. And park your car within sight!
Don't part with personal information to someone before thoroughly checking them and their organization out.
In the end, all of the scams in this week's issue boil down to the same thing: Whether they're sending out phony emails, posting bogus job ads or guessing your password, the crooks want information that will lead them to your money.
That's all for today -- we'll see you next week.