Scammers Pull Heartstrings to Get to Our Money

There are a lot of scams being perpetrated by those who wish to make a quick buck. Some are very complex, but others are surprisingly simple to pull off and therefore, they persist. Following are three of the most common types of scams that take advantage of human compassion.

Advance Fee Lottery

In this one, the victim is promised a prize, a service, or money with interest if he or she pays a “fee.” The most well-known of this type is the Nigerian Prince or “419” scam. The story goes that a Nigerian prince is in trouble due to unrest in his country. He needs the victim’s help to move large amounts of money into a U.S. bank account so that it doesn’t get into the wrong hands. All it requires is that money be deposited into a bank account in Nigeria in the victim’s name first. Then the transfer of funds won’t be detected by the “bad guys.” Once the money is in the Nigerian account, it is promised that a large sum will be transferred to the victim’s U.S. bank account later as a thank you.

Another version of this is that the victim has somehow won a lot of money in a foreign lottery. All he has to do is send a “fee” and identifying documentation and the winnings will be sent. Of course, the winnings never arrive, and that fee will never be seen again.

Remote Impersonation

In these types of scams, someone claims to be a friend of someone who is in trouble and requests monetary assistance on behalf of the person in trouble. Often it is supposed to be for an injured relative or friend. Sometimes, the fraudster claims help is needed to bring a friend or loved one home from overseas after he or she has been robbed.

Another popular version, referred to as a romance scam, happens on online dating sites. The scammer will pose as a potential love interest, gain the trust of the victim, and ask for money. Many times the poser pretends to be in the military, stationed overseas, and in need of money to buy things like pre-paid phone cards to call home.

Disaster Relief/Charity/Dying or Sick Baby

Americans are an empathetic lot and scammers know it. That’s why scams persist that piggyback on natural disasters such as the Nepal Earthquake in 2015 or Hurricane Matthew that hit the east coast of the U.S. late in 2016. These are often so successful because they spread very quickly on social media such as Facebook and Twitter.

The Dying or Sick Baby version is when someone pretends they have a very sick or dying child who needs medical care. The compassion for a sick child sets in and people donate to help pay the bills. There is also a “sick parent” version of this where someone requests financial help for a bus or train ticket to visit sick parents.

For all of these types of scams, there are some guidelines to follow to avoid being taken by them:

1. Always take time to verify the story independently, even if it sounds like a very urgent matter and even if your heartstrings are pulled tight. It doesn’t usually take long to place a separate phone call to another person to confirm whether a relative or friend is sick and really does need help. If you cannot verify it, don’t send money.

2. If you are told that cash, a money service such as Western Union, or pre-paid cards are the only form of payment accepted, question the legitimacy of the request.

3. When natural disasters happen and you want to send money, donate through a well-known and respected charity. They will accept payment cards on their websites.

4. Beware of anyone who tries to place an undue sense of urgency on the matter. If it is a real need, taking a few moments to confirm it is not out of the question.

The Nigerian Prince or 419 scam is a newer version of the Spanish Prisoner Scam that started in the 16th century. As you see, it has been around and working for a very long time and is not going away any time soon. None of these will. Instead, they will likely morph into many new versions as technology changes. That is, as long as they are still working.

© Copyright 2017 Stickley on Security

It’s a Cookie Theft! Yahoo Announced Sophisticated Way Hackers Stole Data in 2013 Breach

Yahoo is notifying some users that their cookies were stolen. No, not by Cookie Monster, but by whoever perpetrated the breach that was announced in December 2016, occurred in 2013, and affected 1 billion Yahoo users.

The notice that is going out contains links, which turns this news event into a perfect phishing opportunity. Your safest bet is to never click on an unexpected or unknown link. If you want to go to a website, use a bookmark in your browser, manually enter the address, or search for it. Links can be spoofed and so can email addresses.

Cookies are small pieces of text exchanged between a user’s device and a website. They are used to authenticate users and can track a user’s movement around the site or save the user from re-entering information over and over on frequently visited sites. This information could be login IDs, zip codes, or even theme settings. Most cookies are temporary and are deleted once the session ends (session cookies), but others, such as those you give the site permission to save (perhaps your login ID and password), can stick around for a long time (persistent cookies). These are the ones that Yahoo says were forged in order to get access to the accounts. The hacker(s) didn’t even need to know passwords in this case; they just copied them from the cookies.
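As an added illustration that is not from the article and does not describe Yahoo’s actual systems: a simplified “remember me” cookie in two forms, an unsigned one the server takes at face value (so anyone who knows a username can forge it) and an HMAC-signed one the server verifies and expires. The server secret and cookie values are constructed for the example.

```python
import hashlib
import hmac
import time

# Constructed secret for this example only; a real server keeps it out of source control.
SERVER_SECRET = b"example-secret-do-not-use"


def make_weak_cookie(user_id, expires_at):
    """Weak persistent login cookie: plaintext fields and nothing to verify."""
    return "user=%s;exp=%d" % (user_id, expires_at)


def parse_weak_cookie(cookie, now=None):
    """The server trusts whatever the cookie says, so a forged cookie logs in anyone."""
    now = time.time() if now is None else now
    fields = dict(part.split("=", 1) for part in cookie.split(";"))
    if int(fields["exp"]) < now:
        return None
    return fields["user"]


def make_signed_cookie(user_id, expires_at):
    """Hardened cookie: same fields plus an HMAC-SHA256 tag computed with the server secret."""
    payload = "user=%s;exp=%d" % (user_id, expires_at)
    tag = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return payload + ";mac=" + tag


def verify_signed_cookie(cookie, now=None):
    """Return the user id only if the tag is valid and the cookie has not expired."""
    now = time.time() if now is None else now
    payload, sep, tag = cookie.rpartition(";mac=")
    if sep == "":
        return None  # no tag at all: treat as forged
    expected = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so an attacker cannot guess the tag byte by byte.
    if not hmac.compare_digest(expected, tag):
        return None
    fields = dict(part.split("=", 1) for part in payload.split(";"))
    if int(fields["exp"]) < now:
        return None
    return fields["user"]


if __name__ == "__main__":
    far_future = 9999999999
    # A forged weak cookie is accepted: no password needed, only the victim's user id.
    print("weak, forged :", parse_weak_cookie("user=victim;exp=%d" % far_future))
    # The same forgery against the signed scheme is rejected.
    print("signed, forged:", verify_signed_cookie("user=victim;exp=%d" % far_future))
    # Editing the user field of a legitimately issued cookie breaks the tag.
    tampered = make_signed_cookie("attacker", far_future).replace("attacker", "victim")
    print("signed, edited:", verify_signed_cookie(tampered))
    # A genuine cookie that is simply copied still works until it expires, which is
    # why short lifetimes and MFA for sensitive actions matter even with signing.
    print("signed, stolen:", verify_signed_cookie(make_signed_cookie("alice", far_future)))
```

Signing stops forgery, but a cookie copied from a victim’s browser or a breached database stays valid until it expires, so expiry and a second factor are the remaining defenses.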

You can delete or clear your cookies anytime you wish. Depending on your browser, the process should be very simple; search for the instructions and clear them out. Keep in mind that many of your cookies were set up by you to make life simpler, so if you do this, you may have to re-enter data on a few of your favorite sites. Once they are cleared, you can check your cookie settings to be sure you are prompted anytime a website requests to use a cookie.

If you are a Yahoo user who has still not changed his or her password since these latest breaches were announced, take a moment to do that now. It’s a good idea to change passwords on a regular basis and considering how often sites are invaded these days, quarterly is becoming a better and better idea. When doing so, make sure that upper and lower case letters are used, a special character is included, as well as at least one number. Make sure all passwords are at least eight characters long whenever possible.

It’s also not a great idea to save your passwords for online accounts. It may not be desirable to keep re-entering them, but it’s much safer. In fact, if you are ever offered multi-factor authentication (MFA) for accounts such as email and online banking, take advantage of it. Then even if a hacker does get your cookies, he or she still can’t get into your account because your MFA code will still be needed.

Yahoo says it is nearing the end of its investigation of the 2013 breach and is notifying those who were affected by the forged cookies. It’s uncertain what advice they will provide in those notifications, but changing passwords will likely be part of it.

If you think that a data breach doesn’t affect a business’ value, think again. The combined breaches announced last year, affecting 1.5 billion users, may have saved Verizon a lot of money in its bid to buy Yahoo. It has been reported that the offer has decreased by $250 million to $300 million.

© Copyright 2017 Stickley on Security

Why Disability Insurance Is Critical

Most people understand why having life insurance is a good idea: Nobody wants to leave their survivors in a financial lurch if they were to die suddenly. But what if you suffer an accident or illness and don’t die, but rather, become severely disabled? Could you or your family make ends meet without your paycheck, possibly for decades?

Although most people are entitled to Social Security disability insurance (SSDI) benefits if they’ve paid sufficient FICA payroll taxes over the years, the eligibility rules are extremely strict, applying can take many months, and the average monthly benefit is only about $1,150.

So what are your other disability coverage options? Many companies provide sick leave and short-term disability coverage to reimburse employees during brief periods of illness or injury. Some also provide long-term disability (LTD) insurance that replaces a percentage of pay for an extended period of time.

But employer-provided LTD plans usually replace only about 60 percent of pay and the money you receive is considered taxable income, further lowering your benefit’s worth. Plus, such plans often have a waiting period before benefits kick in, will carve out any SSDI benefits you receive, and cap the monthly benefit amount and maximum payout period (often as little as two years).

Thus, even if your employer provides basic LTD, you might want to purchase additional coverage. Just be prepared: LTD insurance can be expensive. Yearly premiums may cost 1 to 3 percent of gross income, depending on plan features, your age, and whether you have preexisting conditions.

First, see if you can buy supplemental coverage through your employer’s plan – their group rate will be cheaper than an individual policy and you probably won’t need a physical exam. Or see if any professional or trade organizations you belong to offer group coverage.

If not, you’ll have to buy an individual policy. A few of the things to keep in mind:

  • The younger and healthier you are, the lower the premiums you’ll be able to lock in.
  • Some policies won’t pay benefits unless you can’t perform the duties of your own occupation, while others specify that you must be physically unable to perform any job (the latter coverage is much cheaper).
  • Look for a “non-cancelable” policy, which means the insurer can’t cancel or refuse to renew your policy – or raise the premium – if you pay on time.
  • The longer the waiting period before benefits are paid, the lower the premium. Thus, if you have enough sick time and savings to wait 120 days before payout, your premiums will be significantly less than for a 60-day waiting period.
  • Some policies only provide benefits for two years, while others pay until your normal Social Security retirement age – most cover somewhere in between. The shorter the term, the lower the cost.
  • Many plans exclude preexisting conditions, mental health or substance abuse issues.
  • For an additional fee, policies with a “future purchase option” allow you to increase coverage as your wages rise, without having to take another physical or rewrite the policy.
  • Check whether the benefit payout amount is fixed or if cost-of-living adjustments are made periodically. The latter type is more expensive but offers better protection against inflation if you’re disabled for many years.

Bottom line: If you became seriously disabled it could easily wipe out your savings and put your family in financial jeopardy. Before you actually need it, investigate what disability coverage you already have and what other options are available.

By Jason Alderman

Having Trouble Paying Your Heating Bill? LIHEAP Could Help

The chill of winter can be offset with the pleasure of curling up inside a warm home. Turning on the heat and settling into your favorite chair to open a new book or watch a movie feels even better when snow falls or rain patters against the windows. Unfortunately, some families have to choose between paying high winter utility bills and buying groceries or gas for their cars. The necessity of food and transportation often wins.

Fortunately, there are assistance programs. One such program, the federal Low Income Home Energy Assistance Program (LIHEAP), helps low-income households with heating or cooling costs, during an energy-related crisis (such as a shutoff notice from your utility) and with weatherization improvements.

If you, a parent or a friend are struggling to make ends meet this winter, LIHEAP and similar programs might be able to help keep your home warm.

Apply as soon as you can if you think you’ll need assistance. The federal government provides the funding for LIHEAP, but the programs are run at the state level. The money gets distributed on a first-come-first-served basis and states give priority to households with children, elderly or disabled members. Often the largest benefits are awarded to the homes with the most need.

States open their winter applications at different times, and you should apply for LIHEAP right away if you think you’ll have trouble paying for heating.

LIHEAP won’t cover your entire utility bill, but it can help keep your home warm. LIHEAP’s heating benefit is only intended to help you pay to heat your home. For example, if your heating unit runs on gas, the program will contribute towards your gas bill, but not your electricity bill.

You might only be able to receive a benefit once every 12 months, but it can make a big difference for your finances. For the fiscal year 2014, the most recent data available, over 5.7 million households received heating assistance and it offset an average 45.9 percent of recipients’ annual heating costs.

Qualifying for LIHEAP assistance. States, tribes and territories have some control over the services, qualifications, aid limits and application process for the LIHEAP program in their area.

You can review each state’s income eligibility for the fiscal year 2017 on this table. The state or local organizations that distribute funds also consider applicants’ utility costs, family size and location. Renters and homeowners could be eligible for LIHEAP assistance, but you might not qualify if you have subsidized housing.

Being qualified doesn’t guarantee that you’ll get assistance. Each state receives a set amount of funds for the year, and on average only 20 percent of qualified households receive benefits.

How to apply for LIHEAP. Often you’ll apply for LIHEAP at a Community Action Agency (CAA), one of the local non-profit organizations that help administer federal, state and local grant programs. Some states let you complete the application online; otherwise you may need to mail, fax or hand in an application.

The Office of Community Service’s website has contact information for each state and territory, including a link to a website where you’ll find state-specific eligibility guidelines and program information.

As part of the application process, you may need to share identifying and financial information, including:

  • Recent utility bills.
  • Recent pay stubs, or a profit-and-loss statement if you’re self-employed.
  • Documentation for other income, such as Social Security benefits.
  • A lease or property tax bill as proof of your address.
  • Your Social Security number.
  • A list of people living in your home, their relation to you, dates of birth and incomes.
  • A copy of a utility termination notice, if you received one.
  • Your energy provider’s information.

If you’re having trouble with your state’s website, or want to help someone who isn’t computer savvy, you can call the LIHEAP Clearinghouse’s National Energy Assistance Referral (NEAR) at 1-866-674-6327 (TTY: 1-866-367-6228).

Bottom line: When the temperature drops, heating costs can quickly rise. You shouldn’t have to suffer, and LIHEAP could help provide much-needed financial aid. You can look for additional assistance programs using the search tool. Also look into state-based programs and payment plans or assistance from your local utility.

By Nathaniel Sillin

Amazingly Realistic PayPal Scam Seeks Your Sensitive Details

There is yet another phishing scam targeting PayPal users. This one is an example of how the fraudsters and scammers are getting pretty good at tricking their victims. It even uses the actual PayPal logo (or an incredibly well-done facsimile of it) and the PayPal color schemes, and claims there is an issue with the user’s account that needs to be corrected. Until it is, access to and functionality of the account will supposedly be limited.

The email received is not bad, but it still has the tell-tale signs of phishing, if you are paying close attention. There are a few language mistakes (for example, one heading is “What the Problem’s”) and there is a generic greeting of “Dear Customer.” It also has a sender address that is nothing like PayPal’s domain (in the example seen, it was “”).

However, if the reader is tricked into thinking there is a problem, the button in the email that supposedly goes to the PayPal login screen actually goes to a fake site. The phoniness of that site is very difficult to detect. It has the PayPal logo nicely done. At the bottom are the logos for a 100% secure site by Symantec, but the wording is not quite right: “Secured & Certificate by Symantec.” If you are looking for the green lock next to the URL to ensure you have landed on a secure site, you will see it; per ESET, the thieves are transmitting the form over an HTTPS link. The lock only means the connection is encrypted, not that the site belongs to PayPal.

Along the side of the screen are some FAQs about having limited access. A subsequent screen after clicking the “continue” button has a list of items to fill in. These include address, social security number, and mother’s maiden name.

Always be on the lookout for phishing. With the plethora of data breaches occurring these days and the sophistication of the fraudsters on the rise, it’s ever more important to pay close attention when an email is received that says something is wrong with an account that stores such sensitive information. Never click links or attachments included in those. Go directly to your account and log in from a previously saved link or by manually typing the URL into the address bar. If you receive a suspicious email or find a fake PayPal-related site, you can report it to PayPal as well. There is more information in its Help Center.

PayPal is a particularly attractive target for such scams because it’s tied to payment card and bank account numbers. If they get your login credentials, it’s not much more effort for them to steal from you. Always take the time to read messages carefully and if there is any suspicion at all, don’t click.

© Copyright 2017 Stickley on Security

Lost iPhone Provides ID Thieves Great Opportunity to Go Phishing

There is an account of someone online who was relieved of his iPhone while vacationing in Italy. It was stolen out of the rental car when he was away for a couple of hours. While these things happen all the time, what happened to him later is quite interesting. His story provides a couple of lessons. The first one is a good reminder: don’t leave your smartphone unattended in your car. That just invites theft, even if you live in a small town in the middle of the U.S. where you know most of the people in town.

Once this person discovered his phone was missing, he went into Find My iPhone and entered his phone number and a note to call him in case it was found. Essentially what ended up on the lock screen was “This iPhone has been lost. Please call me” with a phone number and button to press to call. After that, he simply went on with his vacation confident that his data was secure and that no one could activate the phone.

Eleven days later, he received a text and email that his phone had been found. What was in the email was a very professionally done message with a link that he was to click in order to see the last location of his iPhone. Sounds great, until he clicked the button. He started to enter his Apple ID credentials and before he got too far, he had second thoughts. That was because he suddenly realized it was a phishing scam.

He noticed the address at the top of the screen, and it didn’t look like one Apple would use. It was “”. It also had no indicator that the site was using a secure certificate, as the Apple site would. He also looked up the owner of the site and it was registered to someone in the Bahamas. There were other warning signs as well, but you get the picture.

If you use the “Find My iPhone” feature on your device, use caution about what you put into the text box should you need to use that app. Never enter your email address, because that allows someone to potentially phish you for sensitive details. In addition, be a bit on edge about any telephone calls you may receive from “Apple” claiming someone found your iPhone. It is highly unlikely that Apple would call you. They might send email to the address you have on file in your account and they might even text you, but it’s doubtful they’d place a phone call. That said, should you receive one, tell the caller thank you and hang up. Contact Apple separately using a number on their official support site. Never give sensitive information or login credentials to anyone who calls you unexpectedly or unsolicited.

In this story, the victim assumed that the thieves got his name from the “Medical ID” information stored on his phone, before he had a chance to lock the device. There is a place where you can put in certain information such as your name, blood type, allergies, and emergency contact information that is available even when the iPhone is locked. If the thieves indeed used that, they could have found his name there and searched online. Since his name is very unusual, they could have figured out his email address using online searches and social engineering.

However, if the phone has been locked in the Find My iPhone app, the lock screen shows only what you typed into the boxes when you filled them in on iCloud. So if you don’t add your name, email address, social media handles, or any other identifying information, thieves won’t know how to find you in other ways.

Also, when filling in the medical ID section, consider putting in limited information. Since it could very well save your life, some information such as allergies to medications might be very useful. However, using your first name and the first names of your emergency contacts might be preferred over including last names too.

If you are one of those people who don’t lock their phone, it is highly recommended that you do. Had this one not been locked, whoever took it could have run off with a wealth of information. After all, think about all the details we keep in them these days: our name, contact numbers, email addresses, banking and financial apps, access to home security systems, health data, social media apps with automatic login selected, etc. Which brings us back to the first tip: just don’t leave valuables in your vehicle.

© Copyright 2017 Stickley on Security