Category: Scams (Page 1 of 3)

Dollar General Scam on Facebook

I’ve written before about a Lowes scam on Facebook, and the latest Dollar General scam is taken from the same playbook. If you see this post, claiming to offer free $30 vouchers from DG, know that it is a scam. Please don’t trust it or share it. If possible, report it to Facebook.

How do you tell that it’s a scam? There are some details to look out for:

First, visit the real Dollar General Facebook Page. On that page, you’ll see a blue badge stating this is a verified, authentic business page. Facebook has checked the identity of this page to make sure it’s not an impostor. You won’t see that badge when you go to the “Dollar General Fans” page.

Also consider: the true Dollar General Facebook Page has 3.4M Likes. The fake-Dollar General Facebook Page has 4,000.

The real Dollar General FB page was created in 2009, if you look under the Page Transparency section. The scammer’s page was created yesterday.

Here’s what’s so bad about this type of scam:

When you click Like on something, Facebook automatically promotes it to your Friends. Your connections on Facebook will probably see “John Doe Liked the Dollar General Voucher Giveaway” and they may visit the scam and click Like. And then their Friends will see what they Liked, leading them to visit the scam… It’s a bit like a toxic chain letter.

Next, here are some directions the scam may go:

1) A person running the promotion contacts you over FB Messenger to say that you’ve won! But first they need your name, address, DOB, driver’s license info, and credit card #. They claim you cannot claim your prize unless you comply, and this is all done to verify who you are.

2) Someone messages you to say that you’ve won and the prize is on its way. After they get your mailing address, they send you a check. For the wrong amount! They’ve sent a check for $1035, and they ask you to send them $1000 back. If you comply, you’ll soon be out $1000 thanks to a kind of fake check scam.

3) The Page manager contacts you, asking for your email, so that he can send you an official Winner document. You have to fill it out to claim your prize. But when you receive the attachment, it asks to install something on your computer.

The 1st example can lead to identity theft. The 2nd is a quick way to take untraceable money from you (and they’ll probably contact lots of people with this line, not just one lucky winner). And the 3rd is a common method of making people install malware on their computers.

There is no $30 Voucher Giveaway, no one will win anything from this! If you’ve interacted with this or any other Facebook scam Page, please: Unlike the Page or posts, delete any Shares you’ve made and report the Page to Facebook. Facebook might move faster to address the scam if it receives a higher volume of reports about it.

Last year, this scam was a chance at a free RV from a big mid-west company. Next month, it could be free Starbucks coffee for a year or government loan forgiveness. This sort of scam will keep happening on Facebook, a different bait each time. But the tactics and telltales will be the same. Stay dubious, my friends!

Shentel Email Best Security Practices

Many of my clientele are in the Shenandoah Valley of Virginia, the home territory of an ISP named Shentel. And like many ISPs, Shentel provides free, courtesy email addresses to its subscribers. It’s like a mint on your pillow, except this mint needs some extra warnings on its wrapper and may give you some indigestion…

I can level a variety of criticisms against any ISP-provided email another time. For this post, I need to write on how Shentel customers can keep their email more secure. There are frequent scams targeting Shentel email addresses, and I want to help as many people as I can to tighten their defenses.

If you don’t have a Shentel email address, this post will not directly apply to you, but the overall security recommendations do. So please consider these points, and implement anything you are comfortable with!

Password Strength

I’ve helped Shentel email users for almost 20 years now, and from the beginning, I’ve noticed Shentel doling out really weak passwords to their email addresses. In 2002, it was common for a brand-new Shentel email address to come with a 6-character password. It was typically 3 letters (part of the person’s name), and 3 numbers (often the phone exchange of the user). To this day, I still encounter Shentel email addresses with these old, short passwords, like “abc465” and “joe933”.

If your email password is this short and simple, please change it now. Email thieves can determine such short passwords quickly, without hacking you or tricking you. There are password-guessing programs readily available on the dark web that anyone can buy and use for this. And once they guess your password, they can use your email to start scamming your friends and family, or worse.

Changing your Shentel email password is easy, especially if you know your current password.

  • Go to the Shentel Webmail website and login with your email credentials.
  • Click the cogwheel icon to the upper-right.
  • When the Settings screen appears, click Password.
  • Type in your old password and then enter a new password on the next two fields.
  • Click Save and you are done!

Try to choose a password that is 8 or more characters long, and use a capital letter, a number and a special symbol. An example of a strong password is: Maverick20#21.

If you do not remember your Shentel password, call Shentel at 1-800-SHENTEL and ask their tech support to change your password over the phone.

Recovery Options

If your password is strong enough, you should still visit Shentel’s Webmail website. Shentel is starting to implement Password Recovery Options for its email users, but you won’t see these if you use Outlook, Thunderbird or a Mail app to see your messages. You must go to their Webmail site!

When you visit that site nowadays, you will be prompted to set a recovery email and recovery phone number. Fill out and satisfy these items as best you can, and call Shentel for assistance if there’s any difficulty. These are important to do! If some bad actor invades your email next month, these will help you more quickly to regain control of your account.

Request 2FA to Be Implemented

The best security tool to prevent email abuse is 2FA. This stands for two-factor authentication, and adds an extra layer to the login process for an account. When you use 2FA, you first login using your password, and next have to enter a token or code sent to your mobile number or other security device. If someone steals your email password, the second step will block them from accessing your account.

Shentel does not offer 2FA on their email accounts and has a hard time answering my most basic questions about it. But many other email providers do offer 2FA. If you are going to stick with your Shentel email address, you might reach out to Shentel to ask them to consider adding this security feature. It would greatly reduce the number of hacked Shentel email accounts!

When In Doubt, Pick Up the Phone

If you receive an email, and something doesn’t seem right, take your hand off the mouse. Take a moment to think about what isn’t sitting right with you, and contact someone without using that email in front of you.

That means: if you want to contact Shentel, dial 1-800-SHENTEL or any support number that is printed on their bills. Do not use any number in the fishy email! Contact info showing in a suspicious email will often put you in touch with criminals. And those guys will be all too happy to pretend that they are with whatever company you say you’re trying to reach.

If you can’t reach the company for advice, call someone else. Talk to a trusted friend, police officer, church pastor or relative. Or drop me a line for a second opinion, I am happy to sound off on all things, legitimate and scammy! You’re even welcome to forward odd emails to me, and I will quickly write you back with my verdict of them.

The Google Voice Verification Scam

Are you selling items on Facebook Marketplace or Craigslist? Then watch for this scam!

The Setup

A potential buyer contacts you and asks for your cellphone number. Once you share your contact info, a text comes in from Google Voice. It contains a 6-digit verification code, and your would-be buyer quickly asks to know what that code is. The verification message says NOT to share that code with anyone, but the buyer will insist it is to verify your identity and legitimacy.

The Scam

The person contacting you is trying to create a new Google Voice number. But Google requires that the new number be attached to an existing US phone number. The verification code is the last step in creating that Google Voice number, and will bind the Google Voice number to your phone number.

What Use is a Google Voice Number?

The potential buyer is actually a crook, looking to use a Google Voice number in his/her scams. Essentially, the bad guy gets a brand-new phone number (that won’t be on any spam lists) that can be used anywhere in the world, on any computer or mobile device. It’s kind of like buying a burner phone, except with Google Voice, there’s no physical phone and the new number is free. It’s a burner number, to be used, abused and discarded.

The Fallout

Who knows what scams or harassment will be carried out over the new number. But it will be very easy for the criminal to later stop using the number and cover their tracks. And as they scamper off without a trace, you might not be in the clear. If the authorities investigate illegal activity on the Google Voice number, they may track down the owner of the linked phone number. That would be you, if you were duped into giving over the verification code!

It gets even worse if you’re already using Google Voice. If you fall for this scam on your Google Voice number, the scammer may succeed in stealing your phone number from you!

Recovery Methods

If your cell number was used and linked to an unwanted Google Voice number, there is a complicated process to follow to unlink your number. Check out this forum for the steps, and feel free to contact BlueScreen Computer if you need extra assistance.

If someone stole your Google Voice number from you, you’ll want to act quickly to reclaim your Google Voice.

Final Advice

When selling goods online, be choosy about where you give out your mobile number. And never share verification codes that come to your phone or email. When a verification message says Don’t Share This Code, they mean it!

Trend Micro Check

The Trend Micro company has come out with a new tool that I want to recommend. Trend Micro Check is a free browser extension that you can install in Google Chrome (or Microsoft Edge) that will protect you as you surf the web.

Specifically, Trend Micro Check blocks ads and trackers (like AdBlockPlus), warns you when you visit scam or misinformation websites (like Bitdefender Trafficlight) and also goes through your surfing history for baddies. If it finds anything worrisome in your browser history, it will report it to you and then offer to remove it.

You can install the extension from the Get Now button on this page, or try this direct link to it in the Google Play Store.

The Mystery Shopper Scam

If you receive a letter hiring you to be a “secret shopper” at a big-name store, please understand it is almost certainly a scam. The letter may be extremely detailed, and it may be accompanied by a cashable bank check. But both are illegitimate and you stand to lose a lot of money if you participate. Here’s how this scam works:

The Setup & Instructions

The victim responds to a Facebook post or unexpected text, expressing interest in a money-making opportunity. The scammer sends over this kind of letter, along with a check for a large amount of money:

In short, the letter claims that the job is to pose as a secret shopper. The purported work involves entering Walmart stores and buying $2000 worth of gift cards, while casually taking notes on the store and customer service. The check amount exceeds the value of the gift cards, and the “shopper” is instructed to “keep the remaining money” as their pay.

The victim deposits the check into their bank account and immediately gets to work: Visiting stores, taking notes, buying gift cards. They return home, write out details on the shopping trips, and transmit all of the numbers from the backs of the gift cards to the “boss.”

It all seems like quick and easy work, and the average person will look at the math, and feel like they can make $470 in a heartbeat. But it takes a while for the other shoe to drop…

The Cunning Defense

Many scams use gift card purchases to rob people of their money, every day, and the big-name stores know all about it. As a result, Walmart trains their employees to watch for questionable gift card purchases. Cashiers are told to gently inquire with any shoppers buying large quantities of gift cards. They truly want to stop this crime and protect their shoppers from losing money. Store workers are ready to explain the scams and save people from themselves.

But the “story” presented in this mystery-shopper-letter grooms the victim to be discreet and not respond to such questioning. If the mystery shopper “blows their cover”, then they will “fail in their mission”. This preps the victim to resist any in-store conversations that might help them spot the scam.

The Payoff & Switcheroo

So the victim has deposited the check, visited stores, purchased gift cards, and sent the info to the person running the show. Everything seems finished and quiet. How does the other shoe drop?

1-5 days later, the victim’s bank will contact them. The bank will inform them that the check they deposited for $2470 was fraudulent or illegitimate. The amount of the check has been reversed and removed from the victim’s account.

It may seem confusing, because right after the deposit, the money appears on the victim’s ledger and is viewable as “available funds” through the bank website or app. But that is not a promise or guarantee of any kind. It can take almost a week for the bank to verify the check and finalize the entire transaction. When a fraudulent deposit is caught and reversed, the person who deposited the check is held liable for the amount.

After the bank explains this to the victim, the scam truly reveals itself: A fake check & letter convinced the person to spend their own money on gift cards, and send them over to a stranger. The scammer emptied the gift cards and now has $2000 in untraceable, nonrefundable money, and the victim has lost $2000 from whatever account they used to buy the gift cards. Or more, if the bank assessed any fees for the bad check!

What To Do

If you’ve encountered this scam, you can report it. The FTC and your state’s OAG would like to hear from you!

If you’ve fallen victim to this type of scam, you may contact your local authorities. But please understand that they probably cannot help reverse gift card or wire transfers, and your money is likely gone.

If you really really want to find legitimate mystery shopper employment, that is possible. But never from a Facebook post or random text. Consider reaching out to the official Mystery Shopping Professionals Association, if you think this is a good career path for you.

QR Codes on Boarding Passes

A modern boarding pass (plane ticket) has a QR or Bar Code on it. Quickly scanning that code makes it easy for an airport employee to check you in and get you on your plane. But some people warn about those QR codes and their security.

USA Today and other news stories have been circulating for years, warning of the dangers of discarded boarding passes. Supposedly, hackers could pick up your tossed ticket, scan the QR code themselves, and glean your information. Then that info could be used against you in a scam or money-making scheme.

Basically True, But…

The basic info presented in these stories and articles is true. Most QR and Bar Codes on boarding passes contain your name and other PII, and that information is stored there in an insecure manner. Anyone can zap that code to read it, with the right, freely available tool.
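To show how readable that data is, here is an added example (not part of the original post) that decodes the fixed-width mandatory fields of a boarding pass barcode. It assumes the code follows the IATA Bar Coded Boarding Pass (BCBP) layout, which the post does not name; the sample string, passenger and flight are constructed.

```python
from datetime import date, timedelta

# Mandatory items of an IATA BCBP string: 60 fixed-width, unencrypted characters.
# (field name, width). Assumption: single-leg pass in the common "M" format.
MANDATORY_FIELDS = [
    ("format_code", 1), ("legs_encoded", 1), ("passenger_name", 20),
    ("eticket_indicator", 1), ("booking_reference", 7),
    ("from_airport", 3), ("to_airport", 3), ("carrier", 3),
    ("flight_number", 5), ("day_of_year", 3), ("cabin_class", 1),
    ("seat", 4), ("checkin_sequence", 5), ("passenger_status", 1),
    ("conditional_size_hex", 2),
]
MANDATORY_LEN = sum(width for _, width in MANDATORY_FIELDS)  # 60

# Constructed sample: fictional passenger, booking reference and carrier "ZZ".
SAMPLE = (
    "M" + "1" + "DOE/JANE".ljust(20) + "E" + "XYZ123".ljust(7)
    + "IAD" + "DEN" + "ZZ".ljust(3) + "0456".ljust(5) + "045"
    + "Y" + "012C" + "0031".ljust(5) + "1" + "00"
)


def parse_bcbp(raw: str) -> dict:
    """Split the mandatory block of a BCBP string into named fields."""
    if len(raw) < MANDATORY_LEN:
        raise ValueError("too short to be a BCBP string")
    if raw[0] != "M":
        raise ValueError("unexpected format code: %r" % raw[0])

    fields, pos = {}, 0
    for name, width in MANDATORY_FIELDS:
        fields[name] = raw[pos:pos + width].strip()
        pos += width

    # The name is stored as SURNAME/GIVEN, padded with spaces.
    surname, _, given = fields["passenger_name"].partition("/")
    fields["surname"], fields["given_name"] = surname, given
    fields["flight_number"] = fields["flight_number"].lstrip("0")
    fields["seat"] = fields["seat"].lstrip("0")

    # Two hex digits give the length of the optional block that follows,
    # which is where extras such as a frequent flier number can appear.
    cond_len = int(fields["conditional_size_hex"], 16)
    fields["conditional_data"] = raw[pos:pos + cond_len]
    return fields


def flight_date(day_of_year: str, year: int) -> date:
    """The barcode stores only the day of the year; the year is supplied by the caller."""
    return date(year, 1, 1) + timedelta(days=int(day_of_year) - 1)


if __name__ == "__main__":
    decoded = parse_bcbp(SAMPLE)
    for key in ("surname", "given_name", "booking_reference", "from_airport",
                "to_airport", "carrier", "flight_number", "seat"):
        print("%-18s %s" % (key, decoded[key]))
    print("%-18s %s" % ("flight_date", flight_date(decoded["day_of_year"], 2021)))
```

Nothing in this block needs a key or password to read, which is why a pass is worth shredding rather than tossing.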

You can test it for yourself, next time you have a boarding pass in hand. There are numerous free QR-Code-Reading apps you can download to your phone. Use one to scan your ticket, to see what lies underneath that strange sigil. Or there are websites that do the same thing: Simply upload a picture and it will regurgitate what’s in the QR code as plain text.

Reader’s Digest has reported on this. Kim Komando, as well. Krebs on Security did way back in 2015. That makes this a big deal, right?

Not That Big of a Deal

Nah. I can agree this is worth discussing, but I don’t think it’s worth the hype and paranoia that the news media would have you adopt.

First, the QR codes often contain the same info that is printed in plain English on your ticket. There’s a chance of other info, like your seating preference or your frequent flier number, being stored in the code. But there won’t be anything super-secret, like your account password or bank account, in there.

Next, while the potential for information abuse is there, it hasn’t become widespread. Notice that as you watch or read these news items, they report on what could happen, what hackers might do with your boarding pass. The reporting is largely hypothetical. That’s because the hackers are going after lower-hanging fruit. There are easier ways for scammers to target their victims than picking up trash and boot-strapping into one person’s accounts and identity.

You should still treat your boarding pass as a sensitive document. Like a utility bill or library card, you should store your boarding pass safely or shred it when you are done with it. You shouldn’t be careless with any document that reveals information about your identity. Don’t tempt fate. That said, this risk with boarding passes is low, and the news media are largely stirring the pot and cashing in on the attention economy.

TMI on Facebook

Too Much Info

Recently I commented on YouTube that we should be very careful about what we share on social media. Specifically, I mentioned that we should avoid posting personal or sensitive facts about ourselves. Consider this ubiquitous example:

Sharing your employment info with the entire internet

I see this post repeated all over Facebook, sometimes with over 500,000 comments. My jaw drops to see so many people publicly reveal their answer to a security question they may have used on an important account.

But beyond advising you to Don’t Comment on These Posts, I want to conjecture a little with you, and suggest how deep the danger can go.

A Fairly Bad Tale

Let’s imagine a guy named Joseph Target. He’s an average guy who is amused by all the fun posts on Facebook. He’s clicked Like on hundreds of Pages that show him jokes and fun stuff. And he comments on everything he can relate to. “I worked at Subway, too! In Springfield, where I grew up. My brother still lives there.” Joe thinks it’s all harmless fun. And you know what? It is, at the time, for most of the people on Facebook.

Until one day, his Facebook account is stolen from him. He thinks it’s a high-level hackjob, but it was a common Messenger scam, that tricked him into giving up his password to the bad guys. He learns about the problem when people start calling him about weird FB Messages coming from his account. He hurries to a computer, goes through the standard account recovery process and then starts sending apologies to his FB friends. All told, it may have only been a few hours that his account was in someone else’s hands. But with a new password in hand, Joe feels like things are resolved, and he settles back into some Farmville games and commenting on posts about favorite hamburger toppings.

But during those few hours? The intruders weren’t just spamming his Facebook friends. They downloaded all of his Facebook info, saved it to their hard drive for future perusal. That includes his every post, every Like, every comment on everyone else’s posts, including all of those fun posts about his first job and mother’s name. Since they had Joe’s password, the process was quick (about an hour) and easy to do.

So as Joe returned to his casual Facebooking, the thieves casually riffled through all of Joe’s posts and other info from Facebook. And the bad guy was able to assemble quite the dossier on Joe, starting with his address and phone and email, and moving on to work history, relatives’ names, where he banks, his first pet’s name, and all kinds of other choice things he’s commented on over the years. All from one download from Facebook.

Are these Facebook phishers going to commit identity theft? Probably not, but they will sell the Target’s info to seasoned criminals, who do know how to steal someone’s identity. They’ll go on to use Joe’s record to open lines of credit, start utilities accounts, and maybe even obtain legal identification, all in his name.

Yes, this is an extreme story. This may not occur with every compromised FB account, but please understand how possible it all is. It does happen.

Safeguards

What can you do about it? For starters, stop posting personal info to Facebook (and other social media). Don’t post anything on Public posts, and review your own account data. Delete what sensitive info you can from their site, like your birthday, hometown, High School. While that info can help long-lost friends find you, it’s also useful to strangers and bad guys.

If you have some spare time, use the Download function to get a copy of your Facebook info and review it yourself. You may be surprised or terrified at what you find in there; it’s almost like reading a diary you’ve been secretly keeping on yourself! But it may help you find other info on your account that you’ll want to change or remove.

Consider turning on 2-factor authentication for your Facebook account. I know, 2FA can be an added inconvenience when logging into your account, but it is an effective safeguard against some bad actor swiping your password. With 2FA in place, someone would have to swipe your password and your phone in order to gain access to your account. That’s highly unlikely to happen!

Ultimately, though, the only certain method to protect your info on Facebook is to close your account. Identity thieves can’t see or copy info from your account, once it’s been deactivated. I don’t expect many of you will delete your Facebook, but just in case, this shows the steps for that.

Facebook Messenger Video Scam

This scam has whiskers on it, but because it returns every 6 months or so to claim new victims, I want to describe it so you can be on the lookout:

A Facebook Friend contacts you through Facebook Messenger, saying: “Is it you in this video?!” Below the message is a link to YouTube or another official-looking video site.

If you click the video, you are presented with a Facebook sign-in screen, asking for your email and password…

DON’T sign in on that screen and DON’T click the video link!

The link does not go to YouTube or any other legitimate website, and the Facebook sign-in prompt is a phishing site that is NOT part of Facebook. Anyone who types a password into that box is delivering their Facebook credentials directly to the bad guys. And the friend who sent you that fake video message? Their account was likely stolen from them in the same manner.

If you get this kind of Facebook Messenger message, contact that friend immediately outside of Facebook. Call, email, text, just reach out to them and let them know that their Facebook account may be compromised, and that they should change their password.

If someone is calling you complaining about your message, then perhaps you were hoodwinked! Change your Facebook password ASAP, and consider turning on their 2FA feature, to safeguard against this in the future.

Do Not Harass a Phone Scammer

I just saw some really bad advice on Reddit. Someone suggested that when you take a call from a scammer, you should spend some time complaining, to waste their time and convince them to not call anymore. Please do not do this.

The chance of you convincing a scammer to change their deceitful ways is fairly close to zero. No one will remove you from their scammer call list, and in fact, they may deliberately pass your info around to other scam-call companies. There is no version of this phone call where you gain anything of value from it, but also, there is a small risk of danger.

In rare instances, a scammer may swat their victim. Swatting is when someone reports a fake emergency to the police, that targets a victim and their residence. The swatter may lie about a bomb threat or a domestic situation, leading police to speed to the scene. I will state the obvious here: You do not want the police coming to your door, weapons at ready, prepared to deal with violence.

Swatting is rare, but it does happen. Some scammers are just that evil, and secure in the thought that they cannot be tracked down. So the safest thing to do in the face of a scam phone call is to simply hang up, without further comment.

The Norton Auto-Renewal Scam

Many people get annual emails that announce upcoming antivirus auto-renewal charges. So this scam tends to work well, because it lines up with people’s expectations:

There is nothing true about this message, yet it still grabs people and compels them to reach for the phone. The urge to undo that $500+ charge almost blocks out other thoughts. But if you receive this kind of email, take a deep breath and realize that it is just a ruse. It is a variant of the Thanks for Your Purchase scam. It is a purchase that never happened.

The phone number in that email will not connect you to Norton, but a scammer. S/he’ll gladly pretend to be with Norton or McAfee or whatever company you mention. And they will cheerfully agree to get you your money back. But what they will actually do is pretend to process a refund for you, while covertly making off with your cash.

Don’t ever call these numbers, and don’t email the senders. Even knowing that it’s a scam, reaching out to them in any way may encourage them to share your contact info with other scammers. And that just means more scams in your inbox. It’s always best to just delete these emails. And if a scammer cold-calls you with this sort of scheme, just hang up on them without another word.


© 2021 BlueScreen Computer
