We're regular readers of The Meaford Independent, so we were especially tickled to find this in the September 27, 2016 edition:
If you're not familiar with The Independent, we'd encourage you to start with this link, and then explore.
The bad guys are telephoning, again, and last night, I was the target. I listened to the whole message just so that I could get a sense of what the scam was. Does this belong on Kerry's web-site? I don't know. But better safe than sorry. It's not specifically "computer related" but it is a sensitive information security threat, so I thought I'd share here.
Why did I consider it a scam right away? Firstly, because I don't respond to anything like that, under any circumstances. It's my "Rule of Thumb". It's non-negotiable. I simply don't respond to email or phone calls (or even letter-mail), immediately. I ALWAYS contact my trusted company myself, at a phone number or website with secure log in, and I always initiate the contact separately, using information that I have obtained from another, trusted source. It is that simple. By always sticking to this policy, I can better protect myself.
So ... back up a little: last week, I received an email from someone claiming to be my bank, saying that I had a security breach on my credit card. It had phone numbers and web links in the message. I deleted it. That is my rule of thumb. And the message was clearly a scam, so I didn't even bother to investigate.
Last night, I had a phone call; it was a recorded message, using the standard voice that most legitimate institutions use for electronic phone calls. It advised that there had been a security breach on my credit card, and gave four digits as the reference. I didn't recognize the numbers at all. And the e-mail I'd recently received came to mind, too. If there had been a genuine breach of my security, my bank wouldn't be emailing me, and then waiting a week or so to telephone me. Just didn't make sense.
The recorded voice gave phone numbers and a Post Office Box address for my bank, and advised that I could only use the card for point of sale transactions when I punch in my PIN code, and that they'd be sending me a new card shortly. I was to contact them immediately about the issue.
It all sounded so very very "official" and legitimate. But I hung up the phone when the message was over. I didn't even bother to take down the phone numbers that they gave. That is my rule of thumb: I absolutely NEVER respond directly to that sort of thing.
This morning, the first thing I did was sign into my on-line banking, and check my bank's legitimate messaging system. There was nothing about a fraud alert. Given that this is their secure way of communicating with me, I would have thought there would be something there, if my card had truly been breached. Nope. Nothing from my bank.
The recorded message had mentioned a post office box address for Toronto. So I web-searched the headquarters address for my bank, and when I found it, it most definitely didn't include a postal box. This was another big red flag that told me the phone call had been a scam.
Then, I ran a web search for information about how my bank notifies folks about security breaches.
And I have to say that I was a little angry that I couldn't find this information EASILY … my bank's web site was full of all kinds of information; just not their specific procedure for notifying clients about security breaches. I think I'll be contacting the head office to let them know that there should be a quick link to their policies, on the web. But that's another issue.
What I DID find were a number of chat rooms and blogs, talking about this particular scam, and they were dating back as far as 2012. Some of the entries talked about why they knew it was a scam right off the bat (the four numbers provided in the message were wrong), and other entries assured that it was not a scam. Many entries assured me that the entries claiming it was legitimate were actually written by the bad guys, so that they can make their scams work. It was an interesting exercise in “be careful about what you believe” when web-searching.
I also found sites, including one from CBC news, that talked about hackers breaching thousands of accounts, and banks having to replace the compromised cards with new ones. That was a little worrisome. I found blogs and special web-sites dedicated to notifying people about scams, but I was quite concerned that the notices were often un-dated. I had no idea if there had been a large breach last week or last year. Always check the date on a web-posting. Just because it comes up first in your search results doesn't mean that the information isn't ancient.
It was an interesting exercise. I couldn't get a straight answer anywhere that I looked.
But I found this: http://www.cba.ca/?cat=Fraud-Prevention
The Canadian Banking Association has a website with a number of resources, including tips on how to avoid fraud. I would encourage everyone to have a read through it. The information is quite "general" in nature, but what they have to say can get us thinking about how we deal with our sensitive information in our digital era. You can even sign up for a regular e-mail newsletter and fraud alerts.
As for my own "Rules of Thumb" ... I, and everyone else in my family who has used our home number for trusted company contact, will be calling our bank branch as soon as it is open, this morning, just to double check. I couldn't find, and confirm, my bank's specific policies about fraud alert phone calls, so we will follow up, ourselves, to ensure that our card security is fine ... and to report what I very strongly suspect is another scam attempt.
Always be suspicious, folks. The bad guys are sophisticated. With more and more financial transactions occurring digitally, we need to keep up to date.
It happened again ... a customer came scrambling into our store, just the other day, with a tale that we'd heard before:
An email had come in from "Windows", saying that they'd detected a big problem with her computer. She was to telephone the number in the message. Worried, she called the number, and was assured that they could fix the problem if she paid them a fee of $300.00. She gave them her credit card number, right then and there, relieved that this serious issue could be resolved.
She was lucky. She suddenly realized that this may be a scam, and came right in to see us about it. In the end, she was able to prevent the charge to her credit card, but she now had the trouble of having to cancel that card, have a new account set up to replace it, and will spend a fair bit of time contacting trusted vendors, like PayPal, to change all of her card information.
Some customers haven't been so lucky, and have paid big bucks for it.
So how can we help protect ourselves from becoming victims?
BE ON GUARD. The bad guys are counting on you being caught while distracted, or busy, or not thinking clearly for any number of reasons. Most victims, if they had been paying closer attention, wouldn't have fallen for the ploy in the first place. When dealing with e-mail that is from someone you don't specifically know already, pay attention to what it actually says, and don't fall into the trap of clicking the link in the message, without thinking hard about that first. If you're in the middle of a big project, or talking on the phone, or otherwise preoccupied with something else ... then don't do anything with your email from strangers.
DON'T CLICK ANY LINKS. Never click a link inside of an email unless you are definitely, and in advance of receipt, expecting an email from someone or a company you have been dealing with. For example, some companies, while opening a new account on-line, will send you an email with a link that you need to use in order to immediately confirm who you say you are. That's just fine, if you've just been opening a new account, and the website tells you to expect an email from them. But ... if the message turns up out of the blue ... it's a scam.
KNOW YOUR TRUSTED COMPANIES' POLICIES. Our bank, utilities, and any number of other companies contact us, by e-mail, on a regular basis. But absolutely NONE of them EVER ask us to do something, in an e-mail, that doesn't involve closing that message, and going to their web-site to securely log in to their system outside of our e-mail program. Absolutely NONE of our trusted companies will put a link into their web site that will lead us to providing sensitive information.
DON'T TRUST THE LOGO. The bad guys will send you messages that look exactly like the messages you get from your legitimate trusted companies. So ... always be on guard. Read the message, and if there's any request in it, that involves you providing sensitive information, close it, and delete it. If you're concerned that the message was real, then go into your web browser, separately, and log into the legitimate company's secure system.
DON'T PHONE THE NUMBER PROVIDED. This is in the same category as "don't click the link". If you receive a message asking you to call a number, close it and delete it. If you're concerned that it might actually be from a trusted company, then find their number from a trusted source, and call it. A utility bill, statement, or even Canada 411 on the web, will give you the legitimate phone numbers of your trusted companies, and only these are the phone numbers you should use.
This list is, by no means, "complete" ... just when you think you've figured out all of the ways that the bad guys can scam you, they come up with something new. So keep watching, be suspicious of everything, and develop your own "Rules of Thumb" that make sense to you, and that you stick to by default.
There's no point in having an "interactive" web-site if you can't share useful information; so we're going to kick off with a short, and general, list of tips to keep your computer hardware in optimal operational condition. It is, by no means, complete. But it's a starting point to get folks thinking of their systems as the machines that they are. We'd love it if you'd contribute your own thoughts and experiences, too, in the "comments" section.
"Social Media" first came into my life when my kids became old enough to want to be involved themselves, and, so, I signed onto Facebook, too, for the exclusive purpose of keeping an eye on what they were up to. I told them that I was "creeping" them, and made sure that they knew I was watching. They groaned, and learned all about privacy settings, and how to keep me from seeing what they didn't want me to see. I learned about privacy settings, to make sure that I wasn't restricted. And while they were young, the deal was that they could freely participate if I could freely view.
This had nothing to do with being a "helicopter parent" who needed control over their every activity; it had everything to do with their youth, and the learning process that comes with it. We'd taught them socially acceptable behavior off-line; I wanted to make sure that, as they grew and matured, they knew about on-line etiquette and what is, in my opinion, acceptable. I didn't haunt them. I just checked in, occasionally.
And, then, the funniest thing happened: I'd mentioned this to a few of my "Mom" friends, who thought that it made sense, in respect of their own kids, so they signed up themselves. Suddenly, my peers and I were swapping photos and notes about our lives for our own benefit. Many had friends and family all over the globe, so when they joined up, too, Facebook became a forum for bringing our loved ones into our lives from afar. E-mail contact, for events that we wanted to share with many people, became laborious compared to a Facebook post that everyone could see; the media had become a communications TOOL.
In upcoming posts, I'll be talking about many of the issues that are discussed at the front counter of Kerry's. But, with some consultation with my grown-up buddies, we've come up with a short list of what I call "The Golden Rules of Social Media". These are the thoughts that we always keep in mind, as we upload our lives onto the internet.