There are more scams, major cybersecurity incidents, and cases of identity theft happening now than ever before in history – and countless opportunities for you or your loved ones to be taken advantage of.
Few people understand the ins and outs of these scams better than Steve Weisman. Steve is a highly respected cybersecurity expert who has built a career helping people protect themselves, both online and off, and is the author of The Identity Theft Alert, The Truth About Avoiding Scams, and many other books. He’s a professor of white-collar crime at Bentley University, a sought-after public speaker, and a frequent guest columnist and expert for outlets including the New York Times, The Wall Street Journal, Forbes, and networks such as ABC, CNN, and MSNBC.
Today, Steve joins the podcast for a must-listen episode. You’ll learn why keeping up with cybercriminals is a never-ending game of cat and mouse, the common security mistakes that people make that can lead to massive financial and personal consequences, and simple steps you can take to protect yourself, your business, and your family.
In this podcast interview, you’ll learn:
Welcome, listeners, to a brand new episode of Your Wealth & Beyond. And today’s show is going to be crucial for all of us, cybersecurity, identity theft, ransomware, phishing emails, the list goes on and on, and it affects all of us. So, today we’re bringing on Steve Weisman, a nationally recognized expert in all things scams, identity theft, cybersecurity. His entire career has been built upon helping to educate us on what we can do to protect ourselves both online and off. He is the author of multiple books, one of which is the Identity Theft Alert and How To Avoid Scams. And he’s just the go-to expert in helping us identify the risks that are out there. So, today we’re going to dig in, we don’t want to depress you, but we’ve got to really have open communication of what’s out there, what the thieves and the criminals are doing, and some of the ways and how you can protect yourself. So, without further ado, my episode with Steve Weisman on ways in how you can protect your identity both online and off.
[00:01:03] Andrew Rafal: And welcome back to a brand new episode of Your Wealth & Beyond. I want to welcome Steve Weisman to the show. Steve, how are you today?
[00:01:12] Steve Weisman: Terrific.
[00:01:14] Andrew Rafal: And today, listeners, we are going to talk all things on how to protect each and every one of you from identity theft to the different cybersecurity scams that are going as we enter here the holidays, some of the things to look for. I think we’re going to have a lot of great, great topics to weed through here. So, Steve, before we jump in, how have you become the go-to cybersecurity, identity theft? Where did this career come from? How did you get to this point?
[00:01:43] Steve Weisman: It’s an interesting question. I think I probably trace it back I’ve always been interested in crime and criminals. And in fact, I’m a lawyer, but I’m also a professor at Bentley University in Massachusetts where I teach white-collar crime. But before that, I actually taught in the Massachusetts State Prison system and met a lot of interesting conmen there. But I think what did it for me was many years ago, when I became a victim of identity theft at a gym, my locker was broken into, some identifying information was stolen out of my wallet, and I became the first victim that I was aware of and got very interested in seeing where it went from there and that just carried me into identity theft, scams, cybersecurity, both on a macro and a micro. I mean, this is a problem for all of us as individuals. It’s a major problem for the country in regard to cybersecurity and attacks against financial institutions, electrical grid. It’s an exciting topic.
[00:02:57] Andrew Rafal: Yeah. I don’t think there’s a week that goes by where there’s not something in the news that affected locally or nationally and it’s just the thieves are getting smarter and smarter. It’s that cat and mouse, how do we stay on top of it, and I guess for you that keeps your career moving along and you very busy out there.
[00:03:17] Steve Weisman: Yeah. It is interesting. There’s always something and you talk about the thieves and how smart they are. First of all, cybercrime like ransomware and identity theft can be done by anyone anywhere in the world. At one time, Interpol once estimated that there are only about 100 cybercriminal geniuses in the world but what they do is the business plan is fascinating. They will create this malware that will attack us, institutions, government agencies, whatever, and they will either do massive data breaches with it and then go on to a part of the internet called the dark web where the bad guys buy and sell things and they’ll sell that information. Other times they’ll create this new malware. And again, on these dark websites, some of them, they look like regular retail sites. One of them is called Joker’s Stash. They will lease or sell their goods to less sophisticated cybercriminals. And that’s part of the problem. You don’t need to be a cybercriminal genius to attack people with all kinds of malware. You just buy it online.
[00:04:30] Andrew Rafal: When we look at the mistakes that you’ve seen over the years, and especially now, let’s just talk through on the individual. What are some of the common mistakes that they’re making in regards to protecting their online identity, in regards to protecting their offline identity, with regards to credit cards and so forth? So, what are some of maybe the two or three top mistakes people are making right now?
[00:04:54] Steve Weisman: You know, interesting enough, Andrew, the biggest mistake of all and you go back to my motto, my motto is, “Trust me, you can’t trust anyone,” and about 90% of all of the major data breaches as well as personal identity theft can be traced back to phishing and more sophisticated spear phishing. And what these are, are emails or text messages that appear to come from either a person we trust or some institution with which we’re involved. And there’s some kind of emergency or lure for us to click on a link. While we click on that link, and it downloads the malware onto our phone, downloads the malware onto our computer, and that’s where a lot of problems happen. So, the first thing, the first lesson is you never click on a link or download an attachment unless you absolutely have confirmed that it is indeed accurate. That is the biggest most avoidable problem.
I’ll tell you one other very important one, and particularly now in the holiday season where people will be doing a lot of shopping both online and offline, do not use your debit card for anything other than an ATM card. And the reason for this is if you use your credit card and it’s somehow grabbed by the bad guys and fraudulent use is done with it, you’re only liable for up to $50 worth of fraudulent charges and quite frankly, I’ve never seen a credit card company that even charged that. But with your debit card which is tied directly to a bank account of yours, if you end up becoming a victim of identity theft, and they get that number and you don’t report your debit card theft right away, you can actually end up losing your entire bank account. So, keep that debit card just as an ATM card.
[00:06:50] Andrew Rafal: Well, and if you think about it, would there even be, you know, you could actually just get an ATM card with your bank, would that be something you’d recommend as not even have a debit card and just have an ATM card for the sole purpose of being able to take money out of the bank?
[00:07:03] Steve Weisman: I would. I really would. There have been so many problems where people have just not followed up on monitoring their account usage and after when it’s too late and it’s very easy to get these debit card numbers and criminals get these all the time. So, yeah, I would agree with your recommendation.
[00:07:29] Andrew Rafal: And see, let’s go back to what you mentioned first and, obviously, the phishing emails have been around a while and they’re getting more and more professional. It’s amazing what we could hear on both my business email as well as on the regular personal email but it’s amazing now when you get something coming from PayPal looks like or Netflix now or Apple. So, one way that, and correct me if I’m wrong, but is this a good way to be able, as you say, don’t click on anything. Don’t click on anything but you can put your mouse over the link. And normally what will happen is that hyperlink that will pop up will show you some really funky type of web address, right, and at that point, this is for sure a phishing email.
[00:08:14] Steve Weisman: Yeah. That is one of the ways to avoid this. And here again, you mentioned what they do is, first of all, I mentioned how I taught in the state prisons and way back when the old conmen, they used to complain or they complain now they say, “You know, when we were doing the con and counterfeiting, it took talent. Now, any 14-year-old kid can do it with a computer.” And so, when you get a phishing or spear-phishing email and spear phishing is just phishing that’s more targeted toward you and you see the logo from Netflix, you see the logo from PayPal, it can look legitimate, but it’s really easy to counterfeit. So, as you say, you can hover over the address there to see where it’s really going. You also can look at the address that sent it and sometimes it will have nothing to do at all with that company. And very often what that is, is it’s part of a botnet because the bad guys hide their tracks. They will infect millions of computers around the world and use those computers to send out the phishing and spear phishing.
Another thing is, you know, it’s one thing when if I get an email from a company that I don’t deal with, a bank that I don’t have an account with, right away I know it’s a scam, but sometimes they will have personal information about you to make it seem legit or it may even be an email from what looks like a friend but their account may have been hacked. And part of the problem is us. We put too much information up on social media and so that information can be grabbed by criminals and turned against us, you know, the infamous grandparents scheme where the grandparents get a call in the middle of the night from a child who’s in Mexico and who’s having a problem on vacation and has to wire money or worse, send gift cards.
[00:10:16] Steve Weisman: One of the ways that that is perpetrated is the scammers will be going on social media. They’ll see when the college kid is putting up about their vacation in Cancun or whatever. So, we have to be a little bit more thoughtful about how could the information we put up be used against us?
[00:10:50] Andrew Rafal: Yeah. We, unfortunately, as a planning firm and with hundreds of clients, just over the last year, we’ve seen an uptick in clients that have been actually falling for some of these scams. You know, the old what I think if you go back to social media, what one just happened is, you know, they’re able to find somebody who may be lonely, who may have lost their husband, and now they’re creating these deep relationships with and it’s amazing no matter what we tell them and we’ll tell them this is a scam and then go you can look it up, you could go talk to your local government, but they’re sending money. And they’re making up these concocted stories and it’s preying on the lonely and it starts with Facebook and you guys just got to be careful out there of what you’re putting on and then who you’re creating these relationships with.
[00:11:29] Steve Weisman: Yeah, very, very much so. The romance scams that you’re describing, it’s not just here. It’s totally around the world. I just saw some figures in Hong Kong where it’s particularly bad and, yes, it preys on lonely, vulnerable people and that’s it. It’s one thing about the scam artists and, remember, these people are the only criminals we call artists. They have a knowledge of psychology that Freud would have envied. And so, they’ll appeal to whatever works. It can be loneliness. It can be a little bit of greed. It can be fear. It can be any of these things. And indeed, it is surprising to me how many and really, really intelligent people will have those vulnerabilities exploited and become victims. The romance scams are actually have been people who committed – there was a case out in the Midwest where someone kept sending money and his family kept learning about it and telling him, “Don’t do this.” Eventually, he committed suicide and left a note saying, “You’re all going to really be feeling bad when you find out that this was a real deal and it wasn’t just me.”
[00:12:39] Andrew Rafal: Unbelievable. Yeah. And it’s just when we think about what’s happening out there, you mentioned earlier about the, you know, besides the phishing, so now we’ve got to be worried about our iPhone and Android. Talk us through about what we should be looking for in these text messaging scams that are happening now.
[00:12:58] Steve Weisman: Yeah. And this is one of the things, at one time, people thought they were safer on their iPhones rather than their Androids and at one time, they were probably correct that there was more attention paid by cybercriminals to the Android phones than the iPhones. But now, equal opportunity scams. They are both vulnerable. So, one of the first things is people will often have all kinds of good security software on their computer or their laptop but fail to put it on their phone and that’s important. You also have to make sure that your phone because phones can get lost as well. You don’t want to store too much sensitive information on there. You want to make sure you’ve got a good strong password, thumbprint, whatever these are. These are all important and, of course, we spend so much of our lives on our phone that this is where the scammers come in.
Instead of phishing, they call it smishing and smishing just basically is a phishing email now it’s a text message that comes into a text message with a link. And here’s one of the things, we’re talking about, you know, have the most up-to-date security software and up-to-date is definitely the key. Because what happens is security is ever-evolving. And I was actually asked to be an expert witness in a class action against Equifax regarding the data breach that affected 148 million of us, including me, and the thing with the Equifax data breach was the data breach exploited a vulnerability in a software called Apache that Equifax used. There had been a security update issued months before the actual hacking. The hacking exploited that vulnerability, but Equifax just hadn’t gotten around to downloading it and it was extremely negligent.
[00:14:57] Steve Weisman: So, two things here are, one, when you do get a notice to update your software, update your security software right away whenever, whatever you’re using, but the other thing is the most up-to-date security software will always be at least 30 days behind the latest new types of malware. They call these zero-day defects. The brilliant cybercriminals identify these and then they put them out there because people aren’t going to be protected by their security software. So, you have to have security software on all your devices. You have to have it updated. But even then, you’ve got to be particularly careful because it won’t be 100% effective.
[00:15:40] Andrew Rafal: Yeah, you think about it, you’ve worked with them in the prison system, some of these con artists, how smart they are, and you just think if they put their mind to actually good work, what they could have built and companies they could have built and careers they could have had. It’s amazing.
[00:15:52] Steve Weisman: Well, you know, it’s interesting you say that because the smart and I’ve met all kinds of interesting people throughout my career and government officials and the smartest person I’ve ever met was a professional chess playing bank robber in prison. His name was Dale Tuttle but he used the alias Andrew Goodman, so he could sign everything A. Goodman. And he would go around the country, he would be robbing banks and playing in chess tournaments. He tried to convince me that bank robbery was a victimless crime that he created. Let’s say he created jobs in security. He never hurt anybody. Companies will pay for this with insurance. He said victimless crime.
[00:16:43] Andrew Rafal: Unbelievable. Well, there’s a little bit of truth to that. He created a new…
[00:16:48] Steve Weisman: Yeah.
[00:16:49] Andrew Rafal: That’s great. And, you know, tax season although it’s not here, it’s coming quickly. I got a lot of these calls and we actually had one client call us thinking that literally, the IRS was going to come in and arrest her. The police were on the way. So, as we prepare for tax season, what is that scam in regards to whether it’s an email from the IRS or these robocalls that are actually calling in consumers and saying that they’re basically behind on their taxes or that they broke the law and they’re putting that fear into them?
[00:17:28] Steve Weisman: Yeah. And this is certainly a huge problem but there’s a pretty easy solution. And here again, they prey on our fear and concerns here. If you get a phone call and your caller ID says IRS, you can’t trust it. A very, very simple, easy technique called spoofing will allow anyone to make the call appear as if it’s coming from another number. So, you may get a number that’s the actual IRS number. It may say IRS on there, but it isn’t the IRS calling. So, how do you know if it is or not? And fortunately, the answer is an easy one. The IRS does not initiate any contact with you regarding tax matters by either phone, text message, or email. So, anytime you get a call from someone purporting to be the IRS demanding that you pay some taxes or whatever, it’s a scam, and you can just ignore it.
[00:18:31] Andrew Rafal: Great. Great info there. I actually use a software on my iPhone called RoboKiller I believe it is and it’s great because it actually has about 25 different messages that once it knows that it is a robocall and it could be actually an individual, but then they’ve got these messages where it puts them like they’re talking to somebody and it’s great because it records it afterwards.
[00:18:56] Steve Weisman: That’s terrific. Yes. You know, robocalls are one of the biggest areas of scams and these are the automated calls and they’re made through computers. They’re not even made through phones and here again what you should do, first of all, you may want to get on the federal Do Not Call list which will prevent legitimate telemarketers from contacting you. One of the things with that is if you get a call from someone purporting to be from a bank or a timeshare or whatever, after you’re on the Do Not Call list you know automatically that it’s a scam because they’re not following the Do Not Call list. Beyond that, there are a lot of programs like you mentioned and also Nomorobo and many others that will help screen robocalls from your phone. I use them. Again, nothing’s 100% effective but they are very, very good and worthwhile.
[00:19:55] Andrew Rafal: Yeah. With that spoofing, now I get more and more of them where it shows that 480, that Phoenix area code. So, every time that happens it comes through and then I’ll block it so it’s just continually like a boat sinking in the holes and covering one hole and then having to block another one.
[00:20:09] Steve Weisman: Yeah. Playing whack-a-mole.
[00:20:11] Andrew Rafal: So, great point on the IRS. They are not going to contact you. They’re going to only do it via mail but the one thing that is real are these thieves that are filing tax returns before the actual individual does and that’s a real crime and it’s happening. So, what can we do to protect ourselves from that happening where they’re collecting and having the refund check go to a bank or to, in most cases, another mailbox that they’re collecting those funds?
[00:20:42] Steve Weisman: Yeah. Income tax identity theft is a huge, huge problem and it costs us as taxpayers billions and billions of dollars a year. It is tremendously inconveniencing for the legitimate individual taxpayer too. And what happens is, as you alluded to, Andrew, the criminal gets your social security number and they file an income tax return before you get a chance to. Now, they’re not actually even looking for your refund. What they’re going to do is they’re going to make a counterfeit W2 to send in with their tax return or your tax return and get that money. So, what happens is if they do have your social security number, if they do send this in and get the refund, you file your legitimate tax return and suddenly you are contacted by the IRS. There is a letter and it tells you that there’s been a duplicate return.
You have to go through all of the procedures to try and prove that it is you and to get your legitimate refund and, frankly, although the IRS has gotten better with this, it can still be close to a year before you can get your legitimate refund. And so, one of the most important things is to file your return as early as possible and that’s probably the best thing you can do. Interestingly enough, on the black market for social security numbers, the most valuable social security numbers to income tax identity thieves are those of the citizens of Puerto Rico. And the reason for that is that citizens of Puerto Rico are American citizens but they are not required to pay federal income taxes so they will have social security numbers, but they won’t be filing a federal income tax return. So, in this way, the income tax identity thief knows there’s not going to be another income tax return filed before they file theirs.
[00:22:51] Andrew Rafal: Wow. That’s a devious, devious planning there and I did not know that so that’s an interesting tidbit there. So, I’ve been hearing more and more in ransomware and it’s affecting a lot of these municipalities and they’re kind of going after this lower hanging fruit. So, let’s talk about two things. One, again, as we’re dealing more with individuals and business owners on the Your Wealth & Beyond podcast, is ransomware something that we as individuals and business owners have to be worried about?
[00:23:24] Steve Weisman: Yes, absolutely. All of the above. Ransomware in the last year has become the most prevalent malware and it really does create a huge problem. We’ve heard about there were a number of municipalities in Texas, for instance, that were all hit by it looked like the same one. There have been hospitals, there have been cities like Atlanta and Baltimore that have been shut down. There have been police departments but receiving a bit less as far as news coverage has been the fact that a lot of small businesses and we as individuals also are attacked by ransomware. So, how ransomware works is you again click on that link in that tainted email and you end up downloading the malware that is called ransomware. This ransomware will encrypt and lock up all of your data and then appearing on your screen is the ransom demand that either you pay and generally it’s by some kind of cryptocurrency like Bitcoin, a ransom within usually about 48 hours or they will destroy all of your data.
This is a huge problem. Now, you can never be 100% secure. So, what I always advise people is, yes, you’ve got to keep your security software up-to-date with the latest security updates. And this is particularly important because there have been criminals using older strains of ransomware that you do have defenses against. But even beyond doing that, you’ve got to back up regularly on at least two other sources, maybe in the cloud and a portable hard drive all of your data regularly. So, if you do become a victim, then you can retrieve your information. A couple of quick stories with this.
[00:25:19] Steve Weisman: One, and I saw this was one that was going around to individuals was a ransomware strain with a Star Trek theme and it would use all of this Star Trek jargon telling you that you had become a victim of ransomware. Once you pay, if you paid the ransom, Mr. Spock would come on and he would give you the key. But I’ll tell you, I was working over the summer with a company that deals with ransomware for large corporations and what happened was the person in this company, he was representing a client. They have been hit with ransomware and this guy contacts the criminals and said, “Okay.” First, they tried to negotiate, and you sometimes you can, the ransom but then said, “We need to see you show some good faith. So, give us the key to unlock some of our data so we can know to trust you.”
So, the criminals gave them the key, it didn’t work. So, the security people then told them this is not working and at that point, the criminals, “We are so embarrassed. And let me check with our tech team.” And of course, they checked with their tech team and tech support and got back, “Okay, try this key,” and then that key did work, but they really are quite organized and this is a business for them. So, if they’re going to continue doing ransomware, they have to show that they’re giving a little support technically.
[00:26:59] Andrew Rafal: Yeah. When that 60 Minutes report I saw earlier this year when it hit the municipalities and a lot of hospitals, you know, 40,000, 50,000, they paid it, a lot of them had the insurance to cover it, and then they gave back the data. So, you hit it right on the head there. If these criminals did the ransom and then just took the money and ran, well, then they’re shooting themselves in the foot there. So, it sounds like they’re pretty good business planners in regards to making sure that their business is going to excel.
[00:27:29] Steve Weisman: Yeah. You know, you mentioned something that clicked off something in my mind and that is about the infamous because you were talking about insurance, the business email compromise and this is a multi-multi-billion dollar scam around the world. The gist of it is it affects big but also medium and small businesses. And someone gets an email that appears to come from the CEO or someone else to wire money into an account. It’s dealing maybe it’s a customer who’s changed their account number, whatever. There’s generally it looks good and it’s usually because the corporation has been hacked, the email account has been hacked of the CEO. So, they even know perhaps when the person is on vacation, so they’re not even going to be in the building when they send the email but here’s one of the things and it’s kind of interesting.
There have been companies that have tried to use their cyber insurance and, in fact, the claims have been denied in some instances. These cases are being litigated because they’re saying, “Well, no one did a cyber-attack on you and stole money. You sent money on your own.” So, it’s important to have insurance, cyber insurance for companies and it’s the kind of thing that you’ve got to make sure you know what you get for coverage. For individuals, it is important to have some kind of identity theft protection service and we’re familiar with LifeLock, and others, but it’s also important to remember that at the gist of it, these are not identity theft prevention services. So, it’s like you’re crossing the street, you get hit by a bus, someone runs out and tells you as you’re lying on the ground, “Hey, you just got hit by a bus.” That’s LifeLock. They will tell you sooner that you become a victim of identity theft.
[00:29:30] Steve Weisman: So, you do need to have the kind of monitoring that companies like LifeLock provide but even more so, you need to have to take the steps like freezing your credit reports. This is one reason I’ve endorsed an identity theft protection product called Identron. They’re the only one out there that helps you set up credit freezes for yourself and your children. Your children are prime targets of identity theft so that even if someone has your social security number, they’re not going to be able to access credit or set up accounts in your name.
[00:30:07] Andrew Rafal: So, your software is making it easier to do that credit freeze so that I think that’s one of the issues that people look and say, “Yeah, I want to freeze my credit. I’ve got to contact the three bureaus. And then what if I want to apply for a loan or get a new car?” those types of things. So, how does your service make it a little bit easier and efficient for the individual?
[00:30:26] Steve Weisman: Yeah. What Identron does is it takes you through it in one place step-by-step what you do and clicks you on and takes you directly to each of the three credit reporting agencies and actually even a fourth that deals only with cell phones. But you mentioned an important thing because the credit reporting bureaus, they’re big businesses, they never wanted us to freeze our credit because they make their money not from us. We’re not their customers. We’re their product. They sell our information to banks, insurance companies, and others and that’s entirely legitimate. But when we freeze our credit, they can’t send that and sell that information. So, it is important and it’s simple to do. It really is. If you can do it all for individuals, adults, you can do it online. With children, you do have it’s a little bit more complex, but it’s really just by sending in like a certified copy of birth certificate and a few other documents.
But here’s a good thing, at one time, there used to be a charge when you froze, then let’s say you wanted to take out a loan, recently, I had to renew the lease on my car, so I needed to unfreeze my credit so that the lender could look at it and see what my credit was. Then once the business transaction was completed, freeze it again. Well, the good thing is where they used to charge you to freeze and unfreeze and freeze again, a federal law that went into effect a year ago in September now makes that totally free and it’s simpler to do. So, when I went on to unfreeze my credit so that the creditor could check out my credit report, I had it unfrozen for 48 hours. So, at the end of the 48 hours, I didn’t even have to go back in to refreeze it. It did it automatically. So, the laws have gotten much better on this. And frankly, they did this in response to the major Equifax data breach. So, if there was anything good that came out of it, that was this.
[00:32:35] Andrew Rafal: And then you mentioned earlier and I was going to bring it up, LifeLock or for me, I actually I utilized LifeLock and Identity Guard. So, that is from the standpoint of what we can do to help protect us. Is that a must for people to spend that money each month to be able to at least know if your credit has been used or there’s been a change in your file?
[00:32:57] Steve Weisman: Yeah. You know, I think it is. On the one hand, thinking kind of evolved on this, at one time, you can check your credit report for free at each of the three major credit reporting agencies once a year. And one of the things I used to advise is tell people well do it at Equifax and then four months later do it at Experian, then four months later do it at TransUnion and that way you’ve got them every four months. But the fees for the services like Identron, like LifeLock and others, I think they’re worth it because what happens is you have your credit constantly monitored. Most of these services also will check the dark web to see if your personal information, your social security number has been part of any data breach and it’s out there and is being sold. So, the credit monitoring is a big deal but there are other services that also are provided and it’s part of all of the prudent things we need to do to protect ourselves. But yeah, I do think it’s something that everyone should have.
[00:34:09] Andrew Rafal: And like with Identron you guys were able to, you know, you mentioned dark web earlier and that’s the one thing that, in regard to us, not knowing that our email was may be compromised. So, what are you able to do then? You’re able to search the dark web or is it more so to see like what companies got affected? And then how does it work backwards to know that your email potentially was out there or your credit information was out there? How are you guys scanning the dark web or how is it scanned?
[00:34:39] Steve Weisman: Yeah. We have access to the dark web and therefore we are able to scan it to see if our credit cards, our social security numbers or other personal information turned up. And you mentioned what about with companies. In just about every major data breach, you go back with Target and others, the companies themselves do not discover that they’ve been the victim of data breaches. It’s usually credit card companies which are themselves constantly monitoring the dark web. And so, what they will do is they will find a lot of credit cards, a lot of debit cards that are being sold on the dark web and these banks and credit card companies they will then correlate, “Okay, what do these have in common?” and then they can trace it back to, “Aha, this was a security data breach at Wendy’s.”
And then they will contact Wendy’s and knowing what they’re looking for, they’ll be able to find the actual data breach in there. But it is often through the monitoring of the dark web most of the time that these major data breaches are discovered. The companies don’t discover them on their own.
[00:35:57] Andrew Rafal: Okay. Great. So, besides in a multitude of books, your website and I love this name and I guess this goes back to your passion of when you started out in homicide but Scamicide and this will be in the show notes, everybody. So, Scamicide was created by you and it looks like more than anything it’s to help each of the individuals or help us stay on top of some of the scams as total and then the different trending scams. So, it seems like you’re updating it almost daily on some of the scams that are affecting us.
[00:36:34] Steve Weisman: Yeah. Actually, Scamicide is kind of like one-stop shopping for defense against scams and it’s free. One of the things is I’ve been doing it probably about eight years and when I first started, I was wondering if I was going to be able to find because we have our scam of the day, a new one. And would I be able to find a new one every day? Well, I’m up around 3,000 individual scams. So, we will tell people about scams, new scams every day, and very often we’ve been ahead of the curve when it’s scams involving the Internet of Things or how your car can be hacked and your phone can be hacked. We also connect you with sometimes when there are scams, the Federal Trade Commission is involved and they will actually refund money. So, we have a section on there you can go to and we will let people know if you’ve been a victim of this scam, you can apply for checks here. So, we warn people about what to do with identity theft and scams and we also tell them how to recognize them, how to defend against them, and what to do if you have become a victim.
[00:37:43] Andrew Rafal: And one of those trending right now and for a lot of our clients who are getting closer in that Medicare, 65 and older, what kind of scams should we be looking for in regards to open enrollment on Medicare and other scams associated with health in general?
[00:38:00] Steve Weisman: Yeah. And, here again, probably health scams are the oldest of scams. A lot of the scams are really not new anyway. They’re just reworking of scams that have been with us forever. The Nigerian email scam is really just a reworking of a scam called the Spanish prisoner scam from the 1500s. But you’re right, we are in the open enrollment period of Medicare, the only time of the year you can change your plans. And therefore, there are all kinds of scammers contacting people out there about programs that they are eligible for and it’s really hard to know if they are legitimate or not. In covering this in Scamicide, we give some information about how to do this, including, frankly, the Medicare website. The Medicare website of the federal government is a really good website that you could go on and find what programs are available to you in your area.
There also is an acronym, I think it’s called SHIP and these are localized federal organizations that will help you to see which are scams and which are not. One thing again, you never give your social security number or Medicare number. Up until this year, it used to be your social security number. You never give that out to anyone over the phone who is asking for it because you just don’t know who they really are. You also have to be wary of this is something that we’ve seen in a lot of areas where there are seniors. People will come and say we will get you free medical equipment. We just need your Medicare number and then they’re defrauding Medicare, but they’re also using that against your insurance and when you need it, suddenly it’s been used and it’s been used fraudulently. So, always, be very, very wary. Don’t get that free equipment that just someone at a health fair is offering you merely for your Medicare number.
[00:40:04] Andrew Rafal: Great. Great points. You know, this new one that it’s scaring the daylights out of me and I think it’s going to get more and more play but you can go back to the iPhones and now most of these have these SIM cards that are attached to it. And the SIM card kind of controls so many things, right, Steve? Because you think about how our email and our banking what we use is if we lost our password, guess how the majority of us are using to reset that is our phone number, get the text message. So, most people don’t realize how this SIM card scam works. I know a lot of times they’re looking at more of those that have the cryptocurrency wallet that they know they’re going to try to scam them that way. But what is it and how can we protect ourselves as best we can? Obviously, we can’t stop a scrupulous person within Verizon who’s selling that data but what are some things that we could do right now to help protect our cell phone SIM?
[00:41:02] Steve Weisman: Yeah. This is one of the biggest emerging areas of scams and major, major threat. So, as you indicated, the SIM card is the piece in your phone that really is the guts. It is your telephone number and you get a new phone, you switch the SIM card from that phone to another phone. One reason the SIM card is so important is what we call dual-factor authentication. So, I give you an example. When Jennifer Lawrence was a victim of having her nude photos stolen from the cloud, she was very, very upset, as you can obviously imagine, and she was very, very angry with Apple because she said the iCloud was not secure. Well, the cloud was secure.
She got a phishing email and it was a very basic one. It said, “This is from Apple security. We just need to confirm your username and password.” So, she gave it to them. So, she in fact, just gave it to the scammers so that they could go into her account. Many, many accounts and particularly if you’re doing something like online banking, you want to have protection more than just your username and password so that someone who gets these can’t go into your account. So, the way that’s usually done is by having when you go in a one-time code is text messaged to your phone and you then input that. Well, this is something and I noticed this kind of protection you have on with your bank account, of your online banking, and other online accounts. Recently, I noticed the head of Twitter, the CEO of Twitter, had his Twitter account taken over and I’m thinking this guy’s got to have dual-factor authentication. He did.
[00:42:56] Steve Weisman: But when the bad guys have switched the SIM card from your phone to their phone when that text message to provide the code to get into your bank account is sent, it’s sent to the bad guys’ phone. So, this is a real huge, huge problem but as you indicated, there are some simple ways to protect yourself. And we have this in Scamicide that we list with each of the cell phone providers, service providers, you can put a PIN or a code on there so that even if someone has your – they can’t switch the SIM card into their phone unless they know your PIN. The other thing you can even do is because even paranoids have enemies, you can make it such that your SIM card cannot be switched into another phone unless you are physically in the store to do so where you can show a photo ID. But, yes, having a PIN on your SIM card is so, so important and most people don’t do it.
I’ll tell you one other thing that is a real important protection, simple to do, but provides a great risk if you don’t have it is your security question. What happens if you don’t remember your password? You get it wrong? Well, you can merely answer a security question and get the password but this is easy enough for the hackers to do. Sarah Palin actually got her email hacked. Her security question was where did I meet my husband? The hacker went on Wikipedia and found out she met him at Wasilla High School. Now, we may say, “I’m not as famous as Sarah Palin. My information is not going to be out there.” Well, it is. It’s out there all over the place, including my bank has, you know, what is my mother’s maiden name? Well, that’s pretty easy to find out. So, what do you do to make that a rock-solid security question? You make your mother’s maiden name, firetruck, grapefruit, credit card. You pick something that is absolutely totally nonsensical, no criminal is ever going to be able to find that online and it is so ridiculously silly, you will remember it.
[00:45:12] Andrew Rafal: Yeah. That’s really good advice. And I’ve actually started using LastPass a couple of years ago, enabling to help make these really long passwords and not have to remember all of them. Are you a fan of a LastPass or some of the other first passwords that are the way where you can have all of your stuff out there, but it’s completely protected and encrypted?
[00:45:34] Steve Weisman: Yeah. Here again, I kind of like having as much control as I can. So, yes, these services that will provide long encrypted passwords for you can be very, very helpful for many people. I personally don’t use them only because I see them as too much of a target of the hackers. And while there haven’t been a lot of data breaches at some of these services, there have been some. What I generally do is you cannot have the same password for all of your accounts because what happens is, there’s a data breach at some minor website that you’re going to and you’re using that also for your online banking. So suddenly, they’ve got the password to your bank account as well. What I suggest is you’ve got to have a long complex password and I say start with a sentence something like, “I don’t like passwords.” You get capital letters, you get small letters, you got an apostrophe.
Now, you can then make that stronger. Add a couple of exclamation points at the end. That’s your base. So, my Amazon password might be IDontLikePasswords!!AMA. So, this is some way that you can have a base password that you can adapt and be able to remember for all of your accounts.
[00:46:58] Andrew Rafal: Yeah. When you think in terms of beyond the security questions, the authenticators that are becoming more and more popular. I know I use the one from Google, are you – should people start using that instead of their cell phone as a way to get into the more secure things like the banking or things of that nature, their financial institutions like Fidelity and TD Ameritrade?
[00:47:25] Steve Weisman: Yeah. I agree that these are, you know, they’re far from perfect, but they are a lot better than some of the dual-factor authentications and other authentications we have out there. So, the good guys are always playing catch up with the bad guys but, in fact, that’s a good development and that’s a good way of providing some hygiene to your use of the computers.
[00:47:50] Andrew Rafal: So, listeners, we didn’t want to depress you today. We didn’t want to scare you, but we have to and we’ve got to stay on our toes. And that’s why you’ve got to follow Steve and I’d say sign up for his blog on Scamicide because you’ll get emails to you on the latest trends. And you guys just have to be very, very diligent in protecting your identity because nobody else is going to do it. And really, Steve, I thank you for doing the dirty work for us because, without individuals and professionals like you, the thieves and the criminals are going to take over the world. So, continue doing your good work, sir.
[00:48:30] Steve Weisman: I appreciate it. A quick story and this is as far as depressing people and not depressing people. When I was in prison teaching, I had a student who was serving two consecutive life sentences, which meant when he died, he would start his second life sentence. I said, “Oh, I was curious about that.” He said, “Me too.” He said, “When the judge sentenced me, I looked up at him.” I said, “How do you expect me to do two consecutive life sentences?” So, the judge looked down and said, “Just do the best you can.” So, that’s what it comes down to. It’s a scary world out there but do the best you can. Take these simple steps and by and large, you can protect yourself.
[00:49:05] Andrew Rafal: Yeah. And it comes down to common sense. And it’s just before you do anything, don’t click. Think things through. IRS isn’t coming after you. Just stay on your toes. So, Steve, this is great. I know we could have spent another couple hours digging into some of these scams. I really appreciate it and I’m sure I’ll be in touch with you when we find new ones from our clients and I appreciate all the good work you’re doing and thanks so much for being on the show today.
[00:49:28] Steve Weisman: Oh, I really enjoyed it and be happy to do it again.
[00:49:30] Andrew Rafal: Wonderful. Well, listeners, stay tuned later this month for a brand new episode of Your Wealth & Beyond. Happy planning, everybody.