Category: Hazards (Page 2 of 12)

Facebook Guest Chat

Update as of 2/13/2024:

Readers recently brought to my attention that they couldn’t follow the steps below. After I looked into it, I can see that Meta has changed their Settings Pages, and you may not be able to disable this feature.

But as it turns out, that’s OK. Because they’ve disabled the entire Chat Plug-in feature, for the entire site:

I have to guess that Meta could not fix this problem with the scammers, so they had to abandon this odd feature. If you continue to get other scammy Facebook messages, make sure to report them.

Original Post:

Facebook Guest Chat is a new and problematic feature that affects (so far) only Facebook Business Pages. This feature allows people to message a business over Facebook, without signing in to a Facebook account. Guest chat allows for anonymous messaging, and the chat only lasts for a short time. After a day or so, the messages self-destruct, like in a spy movie.

Problematic

I can’t say why Facebook decided to implement this feature, but it is a problem. Cybercriminals are already looking to use this tool to phish and scam people:


If your Facebook Business Page receives this sort of message, please do not believe it! It did not come from Meta, there is no crime or danger afoot for your Page, and you should not do what this says. It is simply a phishing attempt, and the bad guys are trying to trick you into giving them your Facebook logon credentials!

You are welcome to report suspicious Guest messages to Facebook, if you like, but I doubt it will do much good.

Disabling Guest Chat

If you have a Facebook Business Page, you may choose to allow or refuse Guest Chat messages. The steps for doing this, though, are hard to find, and even Facebook can’t tell you accurately how to do this. Here’s what worked for me:

  • Go to your FB Business Page at https://business.facebook.com/
  • On the left, click Inbox
  • To the upper-right, click the cogwheel (Settings) button
  • Under Inbox Settings, click Chat Plugin
  • Click where it says Customize Chat Plugin
  • Next to Guest Chat, click the Toggle to turn it off
  • To the lower-right, click the Publish button.

After you take these steps, you will still get regular FB messages, from people who are properly signed-in to Facebook. But no more Guest messages can get through to your Business Page.

Scam Electricity-Saving Devices


This post is not really a computer tip, per se, but I’ll cover it anyway. Scam electricity-saving devices are rather tangential to what I write about here, and quite a few people are asking me about them. So heads up! Here’s what I can find and say about these things:

Power Saving Devices

These things go by a variety of names: Watt-Saver, StopWatt Energy Saving Device, Power-Save Box and more. If you notice these for sale on Amazon/TikTok/eBay/Facebook/etc., they will promise to greatly decrease your electricity bill! All you have to do is buy a bunch of them, plug them into your household outlets and wait.

But everything about these boxes is made up and the facts don’t matter.

  • Elon Musk and/or Tesla have had no hand in creating or selling these devices.
  • They do not reduce your electricity consumption in any meaningful way.
  • Fox News and other news media have not endorsed or covered this product.

Their marketing also states that it may take a few months for you to notice the reduction on your bills. This is just a tactic to convince purchasers to keep these devices longer than the purchase-return-window.

The Truth

If you really want to cut electricity costs in your home, don’t believe these con artists. Conserving electricity is a little more involved than buying some junk from Amazon and plugging it in. There are plenty of reputable resources out there with ideas for you, and your electric company is probably one of them.

“But Jesse, I see these things on Amazon and they get great reviews!” Sorry, you can’t count on Amazon reviews these days. There are countless ways to game that system, so that a bogus product shows many 4- and 5-star reviews.

These devices contain almost nothing of value. YouTube has plenty of videos, where people take apart “power-saving boxes” and discuss their innards. Enjoy!

Xfinity’s 2023 Data Breach


Has Xfinity contacted you recently to change your password? This was probably a legitimate request, and prompted by Xfinity’s 2023 data breach.

(I’ll call it the 2023 data breach, because they also had one in 2022!)

It looks like cybercriminals exploited and intruded upon Xfinity’s systems in October of this year, and we’re just now hearing about it. Xfinity has put out a generic statement about the matter. But government websites provide more important details, such as: 35 million customer records are involved. What kind of data was stolen? It could include usernames, passwords, last-four digits of SSNs, DOBs and security questions/answers.

If you are an Xfinity customer, it’s not important whether or not they notified you. Change your Xfinity password now. And if you are willing, consider using additional 2FA protection on your Xfinity account. Update your account security questions. And anything else that Xfinity reps suggest to you (if you call them).

If you want to call in about Xfinity’s 2023 data breach, start with this dedicated number: 888-799-2560. But that number may be swamped, and sometimes rings busy. If you cannot get that phoneline to work, try any other support number you may find on your Xfinity billing.

Addendum

Even though Xfinity customers are quickly securing their accounts, this data breach will likely result in other hazards, down the road. Cybercriminals will study the stolen customer records to see how to use them creatively.

If I had to guess, I’d say we’ll see an uptick in bogus Xfinity phone calls, where scammers promise big discounts or collect money for receiver updates. They can repurpose the data from this breach, to make them sound more legitimate to their victims!

How to Recognize Spam


For some, it’s easy to spot spam in your inbox. But for others, it can be a real challenge. Spammers use a variety of tactics to make their email look tempting, believable and worthy of attention. But much like a spoiled brat or a passive-aggressive boss, we don’t want to encourage a spammer any more than we have to. The following common characteristics will help you recognize spam, so that you can react correctly when it arrives:

Mismatched Sender Email Addresses

When you get an email that you’re not sure about, consider the sender’s address. Many spammers use Gmail/Outlook/Yahoo addresses, because they are quick & easy to create. Other spammers use whatever email address they please, because they’ve spoofed it to look like a trusted domain name. In any case, looking at the email address from which the message came is your first clue to spam.

For example, if you have a curious email about your Norton subscription, but it came from GregoireBandersnatch@harvard.edu, that should immediately tell you that you have spam. A legit email from Norton would likely have Norton.com in the address.

Also imagine: You’re looking at a message from HelloFresh, and it seems to have been sent by Hell0Fr3shMark3t1ng@gmail.com. Wouldn’t the real HelloFresh send their marketing messages from an address ending in “HelloFresh.com”?

Gobbledygook Email Address

While you’re checking the sender email address, any kind of gobbledygook you see there is another tip-off. If the message came from d4H3f9a2fb1@serenitynow.com, you can probably consider that as spam.

Homoglyphs

Even though this may be new vocabulary to you, you probably already know what this is from past spam. A homoglyph is a character or symbol that is very similar in appearance to another. Homoglyphs can be used in humorous or creative ways, such as in l33tspeak or slangy texting, but spammers use them a lot in their subject lines and message bodies. Homoglyphic substitution helps their email get past some spam filters, while preserving the overall meaning for their recipients.

Șó aṇỿtɨmе yóu sее an еmaɨ| mеssagе that |óóks |ɨke thɨs sеṇtеṇçе, knów that ɨt ɨs spam and trеat ɨt as suçh.
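The sender-address and homoglyph checks described above can also be done by a mail filter or a triage script. The following is an added example, not part of the original post: the look-alike table, the freemail list, the function names and the support@norton.com address are assumptions made up for the illustration, and the sample text is constructed with explicit code points.

```python
import unicodedata

# Hand-picked look-alikes for this example only (assumption); production
# filters use the full Unicode confusables data (UTS #39).
CONFUSABLES = {
    "\u0435": "e",   # CYRILLIC SMALL LETTER IE
    "\u0430": "a",   # CYRILLIC SMALL LETTER A
    "\u043e": "o",   # CYRILLIC SMALL LETTER O
    "\u0268": "i",   # LATIN SMALL LETTER I WITH STROKE
    "\u1eff": "y",   # LATIN SMALL LETTER Y WITH LOOP
    "|": "l",        # vertical bar standing in for a lowercase L
}
LEET = {"0": "o", "1": "i", "3": "e"}   # digit swaps, applied to addresses only
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com"}


def fold(text, table=CONFUSABLES):
    """Reduce text to a plain 'skeleton' so look-alike spellings compare equal."""
    out = []
    for ch in unicodedata.normalize("NFKD", text):
        if unicodedata.combining(ch):    # drop accents, dots below, cedillas
            continue
        out.append(table.get(ch, ch))
    return "".join(out).lower()


def script(ch):
    """First word of the Unicode character name, e.g. LATIN or CYRILLIC."""
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def suspicious_words(text):
    """Return (word, folded word) for words that mix scripts or use a look-alike.

    Words that only carry ordinary accents are deliberately not flagged.
    """
    hits = []
    for word in text.split():
        letters = [c for c in word if c.isalpha()]
        if not letters:
            continue
        mixed = len({script(c) for c in letters}) > 1
        swapped = any(c in CONFUSABLES for c in word)
        if mixed or swapped:
            hits.append((word, fold(word)))
    return hits


def check_sender(brand, brand_domain, address):
    """Compare the brand a message claims to come from with its From address."""
    local, _, domain = address.lower().rpartition("@")
    findings = []
    if not (domain == brand_domain or domain.endswith("." + brand_domain)):
        findings.append("domain-mismatch")
    if domain in FREEMAIL:
        findings.append("freemail")
    plain = fold(local, {**CONFUSABLES, **LEET})
    if brand.lower() in plain and brand.lower() not in local:
        findings.append("lookalike-local-part")
    return findings


# Constructed sample in the style of the sentence above.
SAMPLE = "s\u0435\u0435 an \u0435ma\u0268| m\u0435ssag\u0435"

if __name__ == "__main__":
    for word, plain in suspicious_words(SAMPLE):
        print(f"{word!r} reads as {plain!r}")
    for brand, dom, addr in [
        ("Norton", "norton.com", "GregoireBandersnatch@harvard.edu"),
        ("HelloFresh", "hellofresh.com", "Hell0Fr3shMark3t1ng@gmail.com"),
        ("Norton", "norton.com", "support@norton.com"),  # constructed address
    ]:
        print(addr, "->", check_sender(brand, dom, addr) or "no findings")
```
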

Spelling and Grammar

Some spam employs flawless English, while other spam does not. If that message from WholeFoods is horribly written, or that offer from Wal*Mart misspelled the word “coupon”, beware! A big company surely has an editor on staff to review any mass communications, and would almost never broadcast anything so unprofessional.

Incidentally, I should remind you that spammers intentionally send spam with misspellings and poor grammar. They’re not ignorant. They do this as a tactic to target their audience and get responses from the people who are more likely to fall for their scams.

Outlandish Claims

“Extraordinary claims require extraordinary evidence.” Please do not believe or react too quickly in response to any email making outlandish claims or promises. I assure you that:

  • The Grand Vizier of Mazumba Province is not going to bequeath $10M to you
  • You are not going to get rich quick by investing in a secret Bitcoin opportunity
  • Secret Shoppers are not being hired in your zip code and you will not make $100k in your first year
  • That payout from a casino or lottery (that you’ve never heard of) is not going to make you rich

These emails persist, because they can sweep people up in their hopeful emotions and take advantage of our trusting nature. Don’t fall for it. Practice critical thinking skills and research things without haste, without responding to such spam.

Urgency

Is an email urging you to Act Now Before Time Runs Out? Is their special offer only good for another 15 minutes, and the message even shows an animated clock, counting down? Or is there a veiled threat of bad things coming, if you don’t act in a timely manner?

In any case, if an unexpected message is conveying a sense of urgency, that’s a big red flag. Legitimate offers won’t push or rush you into any decision. Hurrying you to decide something is a tactic meant to compromise your judgment.

Nearly Empty Messages

Some spam plays their game in the other direction: Their message shows up blank or mostly vacant of any real text. What little there is in the message is a lure.

Sometimes, the spam contains only a single sentence or phrase. It’s usually vague but just interesting enough to entice you. And it will be a weblink; you will instinctively know that you could click it to learn more. Don’t click it! It’s a trap!

Other times, the spam will have absolutely no text in the body. There will be only a single large image, and your email program may ask you if you want to Display Images? This, also, is a trap. Never ask your email app to display images from any unknown sender.

Anyone tricked by these messages will confirm to the sender that they’ve read the email and interacted with it. That leads to more spam and scams in their inboxes. Also, clicking links could expose them to malware downloads, phishing websites and worse.


This post should end with a recap on what you should do, and not do, with spam.

  • Just delete it, OR
  • Mark it as Spam/Junk mail (if your email offers you such an option)
  • Feel free to open and read any potential spam message, BUT
  • Do NOT reply to spam, do NOT call any phone numbers shown in spam
  • Do NOT click any links inside of spam, do NOT open any attachments
  • Do NOT unsubscribe from spam. Any unsubscribe options, even when offered by Google, can result in your receiving MORE spam.

Some good news on the horizon: Google is adding AI to their spam filtering software. They claim this will make them more successful at blocking homoglyph abuse and other sneaky spam. And if Google is deploying this new technology, I bet Microsoft and other big tech firms will follow suit.

Vishing

I didn’t think we needed a specific term for scam phone calls, but here we are. Following in the footsteps of smishing and quishing, we also have the term vishing. Vishing is another portmanteau, created from voice + phishing. When you see or hear about vishing, they’re referring to any phishing/cybercrime carried out over the phone or through other verbal means.

Vishing Examples

You may know of some of these vishing scenarios already, but they’re worth rehashing. Some of these employ live human voices, while others might use recorded messages or even AI-generated speech.

  • Big Tech Impostor: An important technology company calls to urge you into action. The call may claim to be from Apple, Microsoft, Yahoo, Google, etc., and they may claim your account has been compromised or your data has been stolen. Other calls seem to come from Norton, McAfee and the like, where they state your PC is infected, or you are due some special refund. These calls often become a remote control scam.
  • Big Merchandise Impostor: Most of us place orders with Amazon or Wal*Mart, but that doesn’t mean they’ll call you out of the blue. Calls announcing that your shipment has been lost or damaged, will probably morph into a refund-based scam.
  • Pretending to Be Your Bank: Is that call really coming from your bank, or is it an impostor? Be suspicious if the person on the phone wants your PIN, or a texted code or anything else sensitive from you.
  • Television/Broadcast/Satellite Impostors: Xfinity, Dish, DirecTV and more are commonly impersonated on calls offering discounts and refunds.
  • The Grandparent Scam: Vishers call their victims, trying to pass themselves off as young relatives in trouble. Even worse, this scam is changing to employ AI-generated voices that sound very convincing. Family members report receiving calls that claim someone dear to them has been kidnapped.
  • Police Department/Court Systems/IRS Threats: If you need to pay your taxes, settle a court order or be arrested, a government employee will not call you to take payment over the phone. But these vishing efforts succeed every day, because people are often afraid of these entities coming to their doors.

Advice & Notes about Vishing

  • Most vishing calls use Caller ID spoofing, to make them more convincing. Please remember that Caller ID is not always truthful.
  • Do not harass or aggress a caller, if you figure out they are a scammer. In rare instances, the cybercrook will respond by swatting their victim. Just hang up on them.
  • Some vishing calls originate from your trash. A crook may harvest an account number or some other PII after doing a little dumpster diving. I recommend you shred all sensitive paperwork before you dispose of it.
  • If you haven’t put your number on the National Do Not Call Registry, now’s the time. It won’t solve your telemarketing call problems, but it might decrease the unwanted calls coming in.
  • Let all unknown callers roll to voicemail. Do not answer mystery callers.
  • Some vishers look to leave a voicemail message about an urgent situation. They may use tools that send their call directly to your voicemail inbox! The recording will state a phone number to call, but that will typically just connect you to the scammers. Do not call these crooks back!
  • Don’t speak to a robocall or any suspicious caller. Some experts worry that talking on a recorded line may make it easier for a crook to steal your spoken words to create voice-mimicry used in their next vishing calls.
  • Vishing calls are getting better every day, and you may find yourself on a call that you can’t figure out. If you’re feeling torn, hang up the phone! Call the company back, using a number you can trust, either from a printed invoice in your possession, or from their website.

Apple NameDrop


If you use Apple devices, there’s a new feature in the latest OS updates called NameDrop. This function allows you to quickly and easily share contact info with other Apple device users. Simply place the two devices near each other, and NameDrop will appear! Each device user will get a pop-up, asking if they want to exchange contact cards.

I want to emphasize: NameDrop always asks permission to exchange any info. I’ve got a bit of rumor control to do here, as people across the internet have noticed this new iOS addition and are reacting poorly. Misinformation and fearmongering are afoot.

If you see any posts, urging you to turn off NameDrop, take a breath and Don’t Panic. Please understand that NameDrop only works under strict conditions:

  • Two devices have to be very close to each other (almost touching)
  • The Apple devices are powered on and unlocked
  • Each user taps Share to authorize their data to transmit

Apple NameDrop is safe and well-implemented. I don’t see any real risk here. You are still welcome to disable the feature under Settings -> General -> AirDrop -> Bringing Devices Together. Just don’t buy into the viral hysteria; there’s no major safety loophole or hazard here.

Low-Hanging Fruit

In the technology world, people are jeopardized by two separate yet equally scary groups: the big tech companies, who care only for monetizing their users’ data; and the opportunistic scammers, who prowl the web looking for victims. These are their stories.

Dear Xxxxxx,

I’m writing this letter to you about your kiddo. Please don’t worry, this is not one of those Are-you-sitting-down? notes. But let me explain something that you might think is a teachable moment:

Facebook recommended your daughter’s profile to me, as a potential friend-connection. I haven’t Friended her, but I did click on her name to look at her profile. And Egad, She’s got too much personal info out there. I am able to view all of this info on her profile, because it’s all set to Public visibility:

  • Complete FB Friends List
  • Name of high school and college, with admission years and major
  • Hometown and current city/state of residence
  • Mother, father, brother and uncle’s names, with links to their FB profiles
  • Birthdate

If I can view this info, then anyone in the world can. I’m thinking about the scammers that are having a field day on Facebook — all of this sensitive info is essentially low-hanging fruit to them. “Easy pickin’s”, if you’re into that country vernacular. And I’m not so concerned about your daughter here, as I am the people connected to her. She’s probably smart enough to dodge the average Facebook criminal, but what about all of her friends and family?


A publicly-visible Friends List is what attracts scammers that clone profiles. In essence, a bad guy could create a brand new FB account, and give it your daughter’s name. S/he could copy and use your daughter’s profile pic. And then they’ll start sending Friend Requests to everyone they see on her F-list. If any of her FB Friends are too trusting or naive or quick-with-the-mouse, then they may connect with an impostor-scammer, who is ready to pretend to be your daughter and con some money from them.

Publicly-visible family connections are interesting to a different type of crook. Sometimes, cybercriminals attempt the “grandparent scam”, where they call a family member and pretend to be someone else in the family. The scam usually starts with a phonecall: “Uncle Ned, it’s me, Saoirse, I’m in NYC and I’m in jail! Can you wire-transfer me some bail money?” In order to carry out these schemes, they study family names & connections and it really can help their ruse hold up. Full disclosure: I unknowingly contributed to a grandparent scam, several years ago. A scammer saw some family names on my FB masthead photo, glommed some specifics about my family, and tried to scam someone important to me. Live and learn, never again!

And showing your hometown and school info to the public is just all-around ill-advised. That info is commonly connected to account security questions, so an identity thief might appreciate this kind of info.


My hot-take on Facebook is this: Mr. Zuckerberg & Co. spares all expense in running their platform, and they are not looking out for their users. When on Facebook, we are not customers, we are simply “the Product.” The scammers are very aware of what Facebook tolerates and ignores, and they exploit that knowledge to their greatest benefit. This has been happening for a long time now, and I have no reason to anticipate any improvement. If we’re going to use Facebook, then it’s up to each user to mind their own safety.

So, if you think your daughter would be receptive to some advice, let her know she should go to her Facebook Profile, and change all of her personal info to be less Public. To the right of the Friends List is a 3-dots button that allows you to Edit Privacy. She can also go through all of the sections under “About” on the profile, and use the Pencil or 3-Dots buttons to up the privacy levels. Personally, I’ve set most of my Profile to the “Only Me” level, but the “Friends” level is good, too. Anything besides “Public!”

And if she makes these improvements, there’s a tool for her to check herself. If she goes to her Profile, there’s a 3-dots button to the right, just below the masthead photo. She can click that and then go to “View As”. This presents her profile as it appears to the public (to people who are not connected to her on FB). She can traipse through her own profile in this mode and judge if she missed anything that needs hiding away.

Cheers! — Jesse

Zelle Scam Refunds


A year ago, I blogged about Zelle and why scammers often push their victims to use it. Money sent through Zelle is generally transmitted in an instant and that means the transaction is irreversible. Scammers want your money, and they don’t want you to be able to claw it back. They know that Zelle doesn’t help much with scam refunds.

Up until recently, Zelle (and the big banks behind it) have been unsympathetic to scam victims. Their stance was simply that customers were responsible for their own transactions. But there’s a change a-coming: Senator Elizabeth Warren and other congress-people have mounted investigations and pressure on the big banks. And the results are swaying banks to do more for scam victims.

If you’ve been swindled out of money through a scam, and Zelle was the tool to move the money, then there may be hope for you to get a refund. Banks participating in Zelle are now refunding scam victims for incidents dating back as far as June 30, 2023. If you fit this description, then:

Be safe out there, my friends.

The Facebook Highlight Tag

I need to explain to you about the Facebook Highlight Tag. It’s being used right now in a viral post, and you don’t need to be a part of it.

Numerous posts right now are urging people to use the @Highlight tag in the comments or on their own posts, to find out who is watching their Facebook profile. But this is not true.


For anyone who follows these instructions, they will invoke the @Highlight tag, and that simply sends a notification to some or all of your FB friends. The notification pops up on each of their computers/devices, and leads them to wherever you placed that tag.

It’s a needless annoyance and accomplishes nothing. You should only use the Facebook Highlight Tag on something important, something you think all of your Facebook friends should be drawn to see and read. They don’t need to see your comment on someone else’s silly post. If you see this sort of thing on Facebook, just ignore it.


Recurring Facebook Scams

Here’s a (hopefully? for a while?) final run-down on recurring Facebook scams I’m seeing out there. Don’t fall for any of these, please!

Celebrity Impersonation Pages

Johnny Depp is not going to private-message you on Facebook. Lori Loughlin will not respond to your comments and Likes. Margot Robbie would never send you a Friend request. Celebrities live in a different world than us and have handlers and layers of protection that separate us from them. If an ultra-famous person on Facebook is giving you explicit attention or asking you for things, please suspect a scam. You are almost certainly dealing with a con artist.

Creepers in the Comments

This should be a no-brainer, but I have to mention it. There are lurkers & creepers on Facebook and they manifest unexpectedly in the comments of Reviews and Public Posts.

Don’t ever respond to these characters. Block them or report their comments, but don’t initiate any contact. They’re just looking to start a private conversation, and try to take advantage of you after that begins.

Puppy Adoptions

Legitimate people will try to adopt out their puppies or other baby animals. And then there’s the scammers:

These scams can often be spotted with ease. The scammer will be out-of-the-area, or pressure you for a down payment before seeing the animals. As with most internet offers, don’t hand over money before seeing firsthand what’s for sale.

Car Detailing Offers

I’ve written at length about this type of service scam, but it merits a special mention here. Bogus car detailing offers persist in many Facebook groups, and I recommend you avoid them.

Much like the duct cleaning offers, you might actually get your car cleaned through one of these posts. But you’re not dealing with a local company. If you comment on one of these posts, someone from Pakistan, using a sock puppet account, will contact you to schedule your car detailing. S/he will send some unknown person to your house to “take care” of your car.

That person may actually clean your car, or not. If anything suspicious or illegal occurs, that person is going to vanish. The individual from Pakistan will block you. And you will have no one to hold accountable, the police will be unable to assist. It’s best to report these posts and find a truly local company to clean your car for you. Shop local!

Bargain Offers for TV Streaming

I’ll be breaking this out into a separate, detailed post soon, but for now, watch out for this nonsense:

Avoid these offers, as they are too good to be true. If these were legitimate, everyone would be flocking to them, and no one would ever pay for cable TV again. People who have a go at this type of streaming might actually get to watch some of their favorite shows. But the service will be spotty. The support will be non-existent. And then suddenly, the law will catch up to the copyright infringers at the top. Suddenly, the streaming service will wink out of existence as the top executives quit the country with whatever money they still have. Spoiler alert: these companies are not paying for or obtaining licenses for the shows they allow you to stream. That’s IP theft!

Facebook Account Help

If you’ve ever been locked out of your Facebook account, you know then how decidedly unhelpful Facebook is. You cannot call Facebook for help. They don’t offer any email or chat support. It’s just crickets and tumbleweed. This creates a perfect void for the scammers to fill:

Cybercriminals have crawled all over Facebook and other social media sites, creating posts, comments and even Group Pages, promising to help recover lost Facebook accounts. And anyone who comes to them for help? These bad guys will take whatever they can: your money, your Facebook account, your email and its password, and more.

These dreadful people are also constantly scanning public posts and comments for anyone looking for this kind of help. Sometimes, they will just pop up and comment back on people’s comments, promoting fake-help scammers on Instagram.

If you’ve lost access to your Facebook, check out what I’ve written on this blog post, or head straight to the legitimate Facebook article on this topic. You’re welcome to reach out to me for further advice. But please: Avoid or ignore any strangers that claim to have magic recovery powers. They don’t.


© 2024 BlueScreen Computer
