Don’t let email scams hijack your holiday!


illustration of thief robbing santa

As seasonal shopping ramps up both on and offline, there are many opportunities for scammers and thieves to separate you from your hard-earned money.  Dial up your fraud awareness radar to the max – particularly when shopping online. Today, we’ll focus on email scams, a favorite tool for crooks. We’ve been monitoring our email spam folders and monitoring news reports to bring you some common scams this year.

Shipping status phishing emails: Be alert for emails telling you to login to check shipping status for recent purchases. This often works because it uses the names and logos of large retailers that you might actually have made a recent purchase from, such as Amazon or Walmart. Or it might be an email pretending to be Fedex, UPS, or another shipping service. Take the time to check these out carefully – did you make a purchase? Look at the information of the sender in the email header – is it legit? Hover over the link to read where it is taking you before you click. If there is any doubt, go back to the site where you made your purchase and check shipping info form there.

Emails using your name. There are many ways that scammers can get your name so that is no guarantee of legitimacy. They can even spoof your email address so that an email looks like it is coming from your own account. Here are some recent scams we’ve see using our name:

  • Cash advance for {your name}
  • Verify this charge to your {name of large retailer} account
  • Are you {your name)
  • We found your missing money {your name}
  • Hey {your name} !! Do You Remember me ?
  • Why did you text me (your name}

Gift card scams. Be alert for emails or phone calls telling you that you’ve been selected to get a $50 card or that you’ve been sent a card. In the last few weeks we’ve had malicious email attempts touting McDonald’s, Kohl’s, Bed, Bath & Beyond, Target, CVS, Apple and PayPal. Some of these mails can look very legit. Here are a few tips to stay safe:

  • Don’t buy gift cards from emails or from online auction sites. If you want to a purchase a gift card, go to the actual vendor site or their offline store.
  • When purchasing a gift card, never give private information such as your Social Security number, bank account number or date of birth.
  • Only use gift cards at the intended sites. If a caller or an online vendor tells you they only accept payments via gift cards, beware. Don’t give anyone gift card claim codes. Also, no reputable vendor or service will ask to be paid in Amazon or Apple gift cards, or any other gift cards.
  • If you purchase a gift card in a retail store, ask the cashier to scan the card to verify that the card actually reflects the stated amount and correct balance.

The TN Department of Commerce & Insurance has a good list of common holiday scams: Letter from Santa? Or is it bait from a scam artist? It’s worth glancing at their list of scams as well as  checking out their tips to stay safe.

Other common email scams and pitches we’ve seen in our spam folder lately that lead to malicious sites:

  • Check you Experian score
  • Letters from Santa offers
  • Instant loans: Get approved for $15,000 Immediately
  • Credit card offers
  • Pain drugs and medical marijuana offers
  • You have been selected for clinical trials
  • Please confirm receipt
  • Free samples

A few common signs of scams:

  • Offers that are too good to be true – they usually are fake.
  • Demands or threats to take action now to avoid consequences; emails saying “Final notice.”
  • Requests to update your information or change your password

Crooks have a lot of tricks and are good at exploiting human weaknesses. Here are a few sites that will help you learn more about current scams and improve your online safety savvy.

 

 

Tax Scams: The 2013 Dirty Dozen


Tax thief You may be dreading tax season but there are some folks who couldn’t be happier: criminal cartels. They are hoping to intercept your tax rebate, to con you into paying fake fines or to steal your identity. They have an increasingly sophisticated arsenal of tricks: phony emails, texts, websites and phone scripts. It’s a big business because, sadly, there is no shortage of victims. Read the The 2013 Dirty Dozen Tax Scams, an IRS-issued list of the most common tax scams last year.

What are common fraud warning signs?

  • Threats and promises. Any messages via email, text or phone that include scary threats, that demand immediate action or that promise refunds, rebates or winnings should be immediate red flags.
  • Requests for personal information. The IRS does not send any communication requesting your PIN numbers, passwords or similar access information for credit cards, banks or other financial accounts. Do not give this information to phone callers either.
  •  Email with links and attachments. Scammers are good at creating email that looks “official.” Do not open links or attachments from people you don’t know. Get in the habit of hovering over email links to reveal the real address before clicking because the apparent link may not lead where it says.See How to Tell if a Link Is Safe Without Clicking on It.

Be skeptical about emails. Look for misspellings and bad grammar. One trick you can use is to copy a paragraph of a suspicious email into the Google search box – it will often reveal that many people got the same email and point to a number of alerts that the mail is a fraud. You can also check the IRS Consumer alerts.

Here’s more about how to recognize phish emails, and here’s how to report any phishing problems to the IRS.

Brace yourself: Here come the tax time phishing scams


It’s that time of year again … it’s so predictable you could almost set your watch by it: Tax season email scams. Thieves are pretty smart and can create a convincing-looking phony email – don’t fall for their traps. Clicking on a phony or “phish” mail could result in a computer virus, lost money, or a stolen identity. And guess what? It’s not just computer newbies who fall for these scams: smart, experienced people can be tricked too.
First rule of thumb, right from the IRS:

The IRS does not initiate contact with taxpayers by email to request personal or financial information. This includes any type of electronic communication, such as text messages and social media channels.

All unsolicited email claiming to be from either the IRS or any other IRS-related components such as the Office of Professional Responsibility or EFTPS, should be reported to phishing@irs.gov.

Here’s a guide from the IRS with more information about recognizing and reporting phishing and other fraudulent solicitations.
Second rule of thumb: Never send sensitive financial information via email – it is not secure. This includes social security numbers or PIN numbers, passwords and other access information for credit cards, banks or other financial accounts.
Third rule of thumb: If you get an email request to update your password or to enter an account number, password, or other identifiable information, DO NOT click on a link or reply. Instead, go directly to the site of the organization that is asking for the update and sign in to your account. If there is a request for updated information, you will find it there.
Fourth rule of thumb: Never enter any financial or account information on a site unless you are sure it is secure. How can you tell? Look for the “s” – most websites are preceded by https:// – secure websites use https:// – that one little letter makes all the difference. Most browsers will also show a little icon of a padlock right in the address bar beside the web address. You can’t always trust a web page graphic promising security since these can be faked – look for the website address and the padlock in the address bar.
For more, see our past posts:
How Can I Securely Send Sensitive Tax Docs to My Tax Preparer?
Don’t get hooked by tax-time phishing!

Don’t get hooked by tax-time phishing!


The IRS isn’t the only one out to get your money this time of year. Unfortunately, this is the season for tax scam schemes, including the perennial favorite, email phishing. Email phishing, for the uninitiated, is a term referring to scam emails that take on the look and feel of an e-mail from legitimate corporations, trying to trick you into clicking on a link and entering your personal information. Sophisticated phishers can look exactly like legitimate emails if you don’t know what to watch out for, and their links can lead you to ages that look remarkably like the real thing.
phishing.jpg
Phishing schemes have been around since the birth of the internet; they’re the latest technological spin on a very old phone scam in which con artists called unsuspecting citizens asking for social security or credit card numbers. Just like the phone scam, the best way to react to a phishing email is to hang up: delete the email, don’t click on anything and move on to the rest of your day. If you’d like to be a good citizen, you can forward the phishy email to phishing@irs.gov.
How serious is email phishing this time of year? The IRS puts it at the top of their “dirty dozen” list of tax scams. That means that it’s incredibly common. You may well be the recipient of an unwanted tax scam phishing email this year. If you don’t get one and want to know what they look like, Snopes.com, the well known rumor debunking site, has examples of a variety of tax phishing emails. (alert: Snopes site has popup ads).
How can you tell that an email is phishing? First, disregard any email that claims to be from the government. The IRS will never contact you by email or through any social media like Facebook or Twitter. This has been a policy for many years and it’s unlikely to change. Therefore, if you receive any communication from the IRS in any other way besides mail, you can safely assume that it’s faked.
Not all tax phishing emails purport to come from the IRS, though. Popular tax preparers H & R Block and Intuit, the makers of the well known tax software TurboTax, are also reporting phoney emails being issued supposedly under their name. Click links for their safety tips to protect against phishing). In a slightly different twist, H & R Block customers in Tennessee were even scammed by fake text messages. Just as in an email or phone call, texts that claim to be from tax entities should be ignored and reported. Remember, no reputable company other than your mobile phone carrier is going to contact you via text message. Intuit has an up to date list of current phishing scams on their website, so if you use TurboTax and receive any emails from them, check this list before replying or clicking on attachments.
To be safe, never click on an email attachment from anyone you don’t know and make sure that any emails, even from friends, are really from them before you click. Always, always, think before you click. To use an example from my own email inbox, is it really likely that your old college friend is stranded in London without any cash and chose you to ask for a loan? If it looks suspicious, it probably is – and my friend was still in South Carolina.
Here’s a good rule of thumb: If you get an email from your bank, your tax preparer, or an online merchant with an urgent request about your account, don’t click the link in the email: instead, go directly to the bank or merchant website and sign in the way you normally would. If there is any urgent message, it will be listed under your account.

Don’t get taken in by tax-time phishing via phony IRS e-mails


There’s a group of thieves who are scheming about how to get your personal financial data this tax season and make no mistake about it – they’re good at what they do. Consumer Report’s Money Blog offers this advice: as you plan for tax season: Don’t become a tax-time phishing victim. No matter how authentic an e-mail from the Internal Revenue Service may look, the IRS doesn’t initiate taxpayer communications through email.
Know what you’re up against – educate yourself about phishing
According to Wikipedia, phishing is:

“…the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public. Phishing is typically carried out by e-mail or instant messaging,[1] and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Even when using server authentication, it may require tremendous skill to detect that the website is fake.”

Some of the best consumer advice and resources can be found at the Anti-Phishing Working Group’s (APWG) site. The following tips are excerpted from their consumer guide on how to avoid phishing scams:

  • Be suspicious of any email with urgent requests for personal financial information
  • Don’t use the links in an email, instant message, or chat to get to any web page if you suspect the message might not be authentic – call the company on the telephone, or log onto the website directly by typing in the Web address in your browser
  • Avoid filling out forms in email messages that ask for personal financial information – you should only communicate information such as credit card numbers or account information via a secure website or the telephone
  • Always ensure that you’re using a secure website when submitting credit card or other sensitive information via your Web browser
  • Consider installing a Web browser tool bar to help protect you from known fraudulent websites
  • Regularly log into your online accounts to ensure that all transactions are legitimate
  • Ensure that your browser is up to date and security patches applied
  • Always report “phishing” or “spoofed” e-mails to the following groups: forward the email to reportphishing@antiphishing.org; forward the email to the Federal Trade Commission at spam@uce.gov; when forwarding spoofed messages, always include the entire original email with its original header information intact

Additional resources
FBI’s New E-Scams & Warnings
How to spot a fake website and not get phished
Stop. Think. Connect.