Tagged: two factor authentication

  • Geebo 9:00 am on November 26, 2024
    Tags: two factor authentication

    Beware of the Latest Apple Phishing Scam

    By Greg Collier

    In the ever-evolving landscape of cyber threats, phishing emails remain a persistent and dangerous tactic employed by hackers to steal personal information. The latest target? Apple account holders. A deceptive email claiming to be from Apple Support is making the rounds, aiming to trick recipients into handing over their login credentials and other sensitive data. However, this email isn’t from Apple’s headquarters. It’s a cleverly crafted scam designed to exploit trust and urgency.

    The email is designed to mimic legitimate correspondence from Apple, using familiar formatting and branding to appear authentic. The message claims that your Apple ID has been suspended due to unusual activity or that it’s missing information. It features a blue button labeled ‘Go to Apple ID’, urging you to verify your account to restore access. The sense of urgency is palpable, since it might warn you that failure to act within 24 hours will result in your account being permanently locked.

    While the email may seem convincing at first glance, a closer inspection reveals the hallmarks of a phishing scam. For instance, the sender’s email address doesn’t come from an official Apple domain. Instead, it might originate from a suspicious overseas domain. Additionally, the grammar and phrasing in the email are often awkward or incorrect, a red flag that something is amiss.

    Falling victim to such a scam can have serious consequences. If your Apple account is compromised, scammers could use the payment information stored in your account to purchase expensive Apple products, leaving you with the bill. To avoid such a scenario, it’s critical to scrutinize every email you receive.

    When examining emails, always verify the sender’s address and ensure it matches the official domain of the purported sender. Be wary of any links included in the message, particularly if the email is unexpected or seems suspicious. Legitimate organizations, including Apple, will never ask you to verify sensitive information through an email link. Instead, they’ll direct you to their official website or app to manage your account securely.
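
    The sender and link checks described above can be automated. The following is an added example, not part of the original post: the allowlist of official domains, the function names and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption for this example: domains treated as official for the brand.
OFFICIAL_DOMAINS = {"apple.com", "icloud.com"}


def is_official(host: str) -> bool:
    """True only for an official domain or a real subdomain of one.

    Matching on the right-hand side of the name is what defeats lookalikes
    such as 'apple.com.account-check.example' or 'notapple.com'.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def check_message(raw: str) -> list:
    """Return a list of findings for one raw email message."""
    msg = message_from_string(raw)
    findings = []

    # The display name ("Apple Support") is free text; only the address counts.
    _display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2]
    if not is_official(sender_domain):
        findings.append(f"sender domain not official: {sender_domain or '(none)'}")

    # Check where each link really points, not what the button text says.
    body = msg.get_payload()
    for url in re.findall(r'href="([^"]+)"', body):
        host = urlsplit(url).hostname or ""
        if not is_official(host):
            findings.append(f"link host not official: {host}")
    return findings


# Constructed sample: branding and urgency look right, domains do not.
PHISH = """\
From: Apple Support <support@apple.com.account-check.example>
Subject: Your Apple ID has been suspended
Content-Type: text/html

<p>Verify within 24 hours or your account will be locked.</p>
<a href="https://appleid.apple.com.verify-login.example/restore">Go to Apple ID</a>
"""

# Constructed sample of a message whose sender and link are on the allowlist.
LEGIT = """\
From: Apple <no_reply@email.apple.com>
Subject: Your receipt
Content-Type: text/html

<a href="https://appleid.apple.com/">Manage your Apple ID</a>
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, check_message(raw) or "no findings")
```

    A clean result only means the visible domains match; it does not prove the message is genuine, so going to the official site directly remains the safer habit.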

    Two-factor authentication (2FA) is another essential tool for protecting your accounts. By requiring a second form of verification, such as a code sent to your phone or another trusted device, 2FA can stop hackers from accessing your account even if they manage to obtain your login credentials.

    By remaining cautious, verifying the authenticity of communications, and enabling robust security measures, you can safeguard your digital identity and prevent scammers from succeeding. Always think twice before clicking, and remember: when in doubt, go directly to the source to verify the legitimacy of any request.

     
  • Geebo 8:00 am on March 18, 2024
    Tags: two factor authentication

    A cautionary tale of SIM swap scams

    By Greg Collier

    The nightmare of having your entire digital existence commandeered by malicious actors is a chilling reality for one unfortunate family from the Chicago area. What began as a routine day turned into a months-long ordeal of trying to reclaim control over their smartphones and, by extension, their digital lives after falling victim to a SIM swap scam.

    SIM swapping, also known as SIM hijacking or SIM porting, is a type of cyberattack where a malicious actor fraudulently gains control of an individual’s phone number by tricking the victim’s mobile carrier into transferring the number to a SIM card under the attacker’s control. This process involves exploiting vulnerabilities in the carrier’s authentication procedures or social engineering techniques to obtain personal information about the victim, such as their account PIN or other identifying details. The term SIM swapping can be misleading because the attacker doesn’t actually require physical possession of the victim’s SIM card to carry out the attack.

    It all started when the family’s wireless account was hacked, leading to the takeover of not just one, but all five of the family’s smartphones linked to the account. Suddenly, their devices were rendered useless, stripped of cellular service, and locked out of essential apps and services.

    Unauthorized apps were installed on their phones, contact numbers were altered, and passwords to numerous accounts were changed without their consent. The financial toll was staggering, with losses totaling thousands of dollars in stolen funds from various platforms, including investment and cryptocurrency apps.

    It’s suspected that the attackers obtained access to the family’s mobile phone account either by stealing or correctly guessing the account’s PIN. Experts advise regular changes to PINs and caution against using easily guessable information, such as birthdates, as security credentials. Moreover, limiting the dissemination of personal details on social media platforms can help mitigate the risk of identity theft.

    To mitigate the risk of SIM swapping attacks, individuals can take several precautionary measures. Avoid using easily guessable or recycled passwords, and consider using a password manager to securely store and manage your credentials. Whenever possible, use authentication methods beyond SMS-based two-factor authentication (2FA), such as app-based authentication or hardware security keys.

    Again, it’s not recommended to use text messaging to receive your authorization codes. Instead, it’s recommended you use an authenticator app along with biometric authentication, such as a fingerprint scanner. This way, your 2FA information is tied to your device and not your phone number.

     
  • Geebo 8:00 am on March 14, 2024
    Tags: two factor authentication

    Bank accuses another Zelle scam victim of being a scammer

    By Greg Collier

    A Houston, Texas single mother was recently ensnared by a string of fraudulent transactions conducted via the personal payment app Zelle.

    On December 26, the day after Christmas, the victim received an alert notifying her that an unknown recipient had been added to her Zelle account. Alarmingly, $1,000 had already been withdrawn without her authorization. Thankfully, Chase Bank recognized the fraudulent activity and promptly refunded the money.

    Then in January, the fraudulent transactions started again. In a relentless spree spanning three days, the scam artists persistently hacked into the victim’s Zelle account. They succeeded in withdrawing $1,500 initially, followed by $5,400, and then an additional $1,000, culminating in a total loss of $7,900. Alarmingly, these transactions occurred despite the victim having already reported the fraudulent activity.

    The victim diligently filed reports with the Houston Police Department, the FBI, and the Federal Trade Commission. However, Chase Bank shockingly denied her claims, going as far as to insinuate that she was the perpetrator of the scam. Allegedly, Chase even told the victim, “You probably should just admit that this was you that did this.”

    Once again, despite banks encouraging their customers to utilize Zelle, they frequently fail to support those who fall victim to scams through the app. Regrettably, this scenario isn’t isolated, as there have been numerous instances where the bank accuses the victim of being complicit in the scam. While it’s just anecdotal evidence on our part, the name of that bank always seems to be Chase. There’s an old saying in business that says, “It takes many good deeds to build a good reputation, and only one bad one to lose it.” Accusing customers of being scammers is not the good deed Chase may think it is.

    There is a way to protect yourself from fraudulent Zelle transactions, and that’s by enabling two-factor authentication on your banking app. This means that even if someone obtains your username or password, they won’t be able to access your account and steal money.

    While having any form of two-factor authentication (2FA) is better than none, it’s not advisable to rely on text messaging for receiving authorization codes. Instead, it’s recommended to utilize an authenticator app in conjunction with biometric authentication, such as a fingerprint scanner. This approach ensures that your 2FA data is linked to your device rather than your phone number.

     
  • Geebo 9:00 am on January 26, 2024
    Tags: two factor authentication

    Is two-factor authentication to blame for SIM-swapping scam? 

    By Greg Collier

    A SIM-swapping scam, also known as SIM hijacking or SIM card swapping, is a type of fraud in which attackers take control of an individual’s mobile phone number by tricking the mobile carrier into transferring the phone number to a new SIM card. The goal of the scam is to gain access to the victim’s sensitive information, such as personal data, financial accounts, and online accounts tied to the phone number. For this scam to take place, a scammer does not need physical possession of your phone or its SIM card.

    With control of the victim’s phone number and possibly access to their email or other accounts, the attacker can reset passwords, access sensitive information, and potentially engage in identity theft or financial fraud. What makes the SIM-swapping scam so appealing to scammers is the fact that little to no interaction with the victim is required.

    Recently, a woman from Maryland lost $17,000 to a SIM-swapping scam. Someone in California walked into a Verizon store and activated a new phone on a new SIM card using the victim’s phone number and information. Once that transaction took place, the victim’s phone was no longer active. From there, the scammers were able to use the victim’s phone account to access her bank account and empty it of $17,000.

    The news report about the victim’s financial loss makes it a point to show the victim had two-factor authentication enabled on most of her online accounts. Unfortunately, the SIM-swapping scam is specifically designed to circumvent two-factor authentication.

    Two-factor authentication (2FA) is a security process that requires users to provide two different authentication factors to verify their identity before gaining access to an account, system, or application. The purpose of 2FA is to add an extra layer of security beyond just a username and password. Most people who enable 2FA on their accounts use text messaging to receive their one-time 2FA code. If a SIM swap is carried out against a phone where 2FA codes are being sent, the scammers not only have control of your phone account, but can also receive your 2FA authorization codes.

    While any 2FA is better than having none, it’s not recommended to use text messaging to receive your authorization codes. Instead, it’s recommended you use an authenticator app along with biometric authentication, such as a fingerprint scanner. This way, your 2FA information is tied to your device and not your phone number.

    To better protect yourself from a SIM-swapping attack, set a unique personal identification number (PIN) or password with your mobile carrier to add an extra layer of security.

     
  • Geebo 9:00 am on March 7, 2023
    Tags: two factor authentication

    Thousands lost in SIM-swapping attack

    By Greg Collier

    If you own a smartphone, how lost would you be without it? We’re not talking about losing your phone in the couch cushions. We mean, how much would your personal life be at risk if your phone was stolen? For many, their smartphone is the only device they need to conduct their lives. For even more, their entire lives are contained in their smartphone. Bank accounts, email, family photos, and schedules are just a few of the things that could be accessed through a stolen smartphone. Now, what if we told you that you can lose all these things from your phone without physically losing the device?

    SIM-swapping is a type of cybercrime where an attacker takes control of a victim’s mobile phone number by tricking the victim’s mobile carrier into transferring the number to a new SIM card. Once the attacker has control of the phone number, they can use it to access the victim’s online accounts, such as email, social media, and financial accounts, which often rely on text messaging for two-factor authentication. Then the attacker can not only access your accounts, but they can lock you out of them as well.

    Recently, a man from Colorado lost $24,500 out of his savings account after his phone was hit by a SIM-swapping attack. The victim received an email from his bank that a large transfer was being made, but by the time he was able to contact his bank, the transfer had already gone through. You can almost imagine the shock on his face when he tried to call his bank, only to find out his phone had no service.

    There are several effective ways to protect yourself from SIM-swapping. One is to use an authenticator app instead of relying on text messages for two-factor authentication. Authenticator apps are linked to a device instead of a phone number, making them more secure. Additionally, it’s important to avoid using accurate information for security questions on online accounts, such as high school mascots or pet names, as this information can often be found on social media. Lastly, you can contact your carrier and request that they disallow any device switches on your account, but keep in mind that to unfreeze your account, you may need to visit a carrier store and present identification.

     
  • Geebo 8:00 am on October 18, 2022
    Tags: two factor authentication

    This phone scam could steal your life 

    By Greg Collier

    How much of a panic would you be in if you lost your phone? Can your personal or business email accounts be accessed through your phone? Is your phone locked with a PIN or password? Or is it secured using a fingerprint or facial ID? Do you have banking apps that require a PIN or fingerprint to access? Could any random stranger just pick up your phone and start accessing your money and information? Even if your phone is completely locked down and secure from physical access by outsiders, there’s still a way you can lose all access to your phone without actually losing your phone.

    There is a scam out there that most mobile phones are vulnerable to, and it’s known as SIM-swapping. The name SIM-swapping is a misnomer, since physical access to your phone’s SIM card is not necessary. SIM-swapping works when scammers or identity thieves contact your mobile phone carrier and pose as you. The scammer will use information they’ve found out about you to convince the phone carrier they are you. This is known as social engineering.

    Once the scammer convinces the phone carrier that they’re you, they’ll have the phone company switch your service from your phone to theirs. As soon as that happens, the scammers have direct access to your phone number and text messages. Since most of us who use two-factor authentication have the authorization codes sent to our text messages, the scammers can then access any number of your personal accounts, including your financial accounts.

    This recently happened to a victim from Tennessee. She had received a text message from her carrier indicating a change on her account before her phone service went completely dead. She called her carrier, and another name had been added to the account. By the time she had her service restored, scammers had transferred thousands out of her bank account through the Zelle app.

    There are ways to protect yourself from SIM-swapping. One way is to use an authenticator app instead of using text messages for your two-factor authentication. Authenticator apps are tied to the device instead of being tied to a phone number. Also, when filling out your security questions for online accounts, don’t give the correct answers. Information like your high school mascot or your pet’s name can be discovered on your social media. Lastly, you can contact your carrier and tell them not to allow any device switching on your account. However, to get your account unfrozen, you may have to visit your carrier’s store with your ID.

     
  • Geebo 8:00 am on August 31, 2022
    Tags: two factor authentication

    Victim loses $40K in bank scam 

    By Greg Collier

    A man from the Central Valley region of California recently lost close to $40,000 in a bank scam. As far as we can tell, Zelle wasn’t even used, which is a rarity these days. The man received a phone call from someone claiming to be from the fraud department at Bank of America. The caller is said to have told the man that there were fraudulent transactions on his account. But before the ‘fraud department’ could help him, they said they needed the man to give them a six-digit code they were sending to him, so he could verify his identity.

    The man gave the caller the code, and we’ll get to the importance of that in just a bit. The caller then told the man that since there was fraudulent activity on his account, they needed to shut down the online banking option on his account. The caller was actually a scammer who drained the man’s account of nearly $40,000 with several transactions.

    The most disturbing part of this scam is that the scammer already had the victim’s personal information. The victim didn’t have to give the caller any information, as the scammer was able to give the man’s personal information to him. The scammer even disabled the notifications the man should have received when the scammer started taking large amounts out of the man’s account.

    So how was the scammer able to access the man’s bank account? The news article doesn’t go into detail about that. However, if we were to hazard a guess, it seems like the scammer already had all the information needed to access the man’s account. The information could have been obtained through any number of data breaches that have happened in the past few years.

    The only thing the scammer really needed to access the account was the authorization code. Many banks require their customers to secure their accounts using a two-factor authentication code. So even if someone tries to log in to a bank account with the username and password, they’ll still need the 2FA code that’s typically sent to the customer’s text messages. Once the scammer was able to obtain that code, they had complete access to the man’s bank account.

    Anytime you receive a phone call from your bank, especially about fraudulent activity, hang up and call the bank back using the number on the back of your debit card. Scammers almost always spoof the number they’re calling from. Also, never give anyone any authorization code over the phone. These codes aren’t just used for banking, either, as many online accounts can be hijacked if someone were to give this number out.

     
  • Geebo 8:00 am on June 23, 2022
    Tags: two factor authentication

    Marketplace scam could send angry strangers to your home

    By Greg Collier

    Typically, when we discuss scams carried out through Facebook Marketplace, they’re the ones that plague a lot of online marketplace platforms. Of course, there’s the fake check/overpayment scam. Lately, the Google Voice verification scam has been popular on Marketplace. There have also been a number of rental scams, just to name a few. Now, a new scam has been reported that could have unintended consequences for all victims involved.

    According to a report out of Tulsa, Oklahoma, scammers are hijacking the Facebook accounts of their victims through phishing attacks. The report states specifically that the scammers are posing as old friends that you may not have heard from in a while. However, the scammers use the hijacked accounts to place items for sale on Marketplace that don’t actually exist. While some of the items have been mundane, like furniture, other listings have been advertising purebred puppies.

    As we have seen with previous puppy scams, scammers will often list a fake address to make their scam seem more legitimate. This has led to victims showing up to homes where they think they’re about to get a puppy, only to be turned away in disappointment. While some victims understood the situation, others have become angry at the people living at the address listed, thinking that the residents are part of the scam.

    If scammers are collecting money through apps like Venmo, Cash App, or Zelle, they could be sending their victims to the address of a person with a hijacked Facebook account. This scam could potentially lead to a violent encounter.

    The best way to protect yourself is to keep your Facebook account secure. Consider making your account private to your friends and family only. Use a password that can’t be guessed easily. For that, you can use a password generator service. Even most modern web browsers have a password manager built in. Lastly, you should enable two-factor authentication on your Facebook account. This means there would be a two-step process for signing in to your Facebook account.

    While none of these methods are foolproof, they do go a long way in keeping your digital life secure.

    Video: Stolen Facebook account posts fake ads, sends strangers to woman’s doorstep

     
  • Geebo 8:00 am on June 20, 2022
    Tags: two factor authentication

    FBI warns of social media cash scam

    By Greg Collier

    The advent of personal payment apps like Cash App, Venmo, and Zelle has given rise to a new generation of scams. One of the most egregious scams is the cash flipping scam. This is mostly associated with Cash App, although it has appeared on other platforms. Cash flipping is when scammers try to convince their victims that they’ll give the victims a lot of money in exchange for a little money.

    For example, a scammer may promise victims $500 if the victims send the scammers $50 through Cash App. Once the victim sends the money through Cash App, the scammer blocks the victim and keeps their money. The scam is given legitimacy since Cash App itself holds giveaways called #CashAppFridays. Cash App policies give little recourse to victims in scams like this. Payments can often only be refunded if the person who receives the payment cancels the transaction.

    Recently, the Las Vegas office of the FBI has issued a warning about cash flipping scams. They say that scammers are using hijacked social media accounts to approach victims through private messages. Often these hijacked accounts show pictures of people with large amounts of cash to try and make the scam seem on the up and up.

    If the scammers don’t break off contact immediately, they’ll claim Cash App is holding up the transaction. The victim will then be instructed to use a certain email address on their Cash App account to make the transaction go through. This then allows the scammers to hijack the Cash App account itself.

    To avoid this scam, the FBI recommends using two-factor authentication on your payment and social media apps. While this can be an inconvenience to some, it goes a long way in keeping online accounts secure. If the scammers ever request any kind of verification code number, they’re trying to circumvent your two-factor authentication, and that code should never be given out to anyone.

    Lastly, people don’t get rich by giving away money for free. As with most scams, if it sounds too good to be true, it probably is.

     
  • Geebo 8:00 am on July 28, 2021
    Tags: red light camera, two factor authentication

    Scam Round Up: Red Lights, the TSA, and Google Voice

    By Greg Collier

    Every so often, we come across scams that may not warrant an entire blog post. So here are three scams that caught our attention this week that can be briefly summed up.

    In Renton, Washington, scammers are sending emails to victims claiming that the victim ran a red light and was caught on one of the city’s red light cameras. The email contains a link where you’re supposed to pay your fine but, of course, goes to the scammer instead. What makes this scam effective is that many jurisdictions use a third party online platform to collect some traffic fines. However, you can tell that this is a scam since most, if not all, cities send their red light tickets through the postal mail and not by email. Most states don’t even have your email address connected to your license plate number.

    ***

    If you travel a lot for business or leisure, you may have thought of signing up for TSA PreCheck. This program allows low-risk individuals to pay for a service where they can have an expedited security check when flying. As with a lot of government services, scammers are trying to trick PreCheck seekers into giving up their personal info by creating phony websites that claim they can register you with PreCheck. Again, there is a simple solution to this scam, but not everyone is aware of it. Only websites that have a .gov address can register you for PreCheck. Some of these scam websites may even have a .us address. Anybody can purchase a .us domain name, and it is not under the authority of the US Government. You can apply for TSA PreCheck at the TSA website.

    ***

    Our last scam for today is one we’ve previously discussed and also affects Geebo’s industry. If you’re selling something online, whether it’s with Geebo or someone else, be wary if someone says they want to prove ‘you’re real’. An authorization code will be sent to you and the buyer will ask for that code number. Do not give it to them. They’re trying to set up a Google Voice number that would be tied to your phone number. This way, they could continue scamming people using the Google Voice number, but it would be traced back to you. This recently happened to a woman from New Hampshire who was selling her items on Facebook Marketplace.

    ***

    Please keep in mind that even though these scams may not be happening in your area, that doesn’t mean they won’t be soon.

     