Beware of “Can you hear me?” phone scam

Source: Article by Kathy Kristof of CBS News (http://www.cbsnews.com/news/beware-new-can-you-hear-me-scam/); accessed 31 January 2017.

The public are being warned about this latest phone scam, the “can you hear me” con. It is actually a variation on earlier scams aimed at getting the victim to say the word “yes” in a phone conversation. That affirmative response is recorded by the fraudster and used to authorize unwanted charges on a phone or utility bill or a stolen credit card. Once they have the recorded “yes,” they say that you have agreed to something.

So you may be asking how you can be charged if you don’t provide a payment method? The fraudster already has your phone number, and many phone providers pass through third-party charges. Additionally, the fraudster may already have some of your personal information such as a credit card number or utility bill (possibly as the result of a data breach). When you dispute the charge, they can say that they have your consent on a recorded call.

What can you do? Kathy’s article (http://www.cbsnews.com/news/beware-new-can-you-hear-me-scam/) suggests the following:

If you suspect you have already been victimized, check your credit card, phone and cable statements carefully for any unfamiliar charges. Call the billing company — whether your credit card company or your phone provider — and dispute anything that you didn’t authorize on purpose. If they say you have been recorded approving the charge and you have no recollection of that, ask for proof.

If you need help disputing an unauthorized credit card charge, contact the Federal Trade Commission. If the charge hit your phone bill, the Federal Communications Commission regulates phone bill “cramming.”

If you have not yet been victimized, the best way to avoid telemarketing calls from con artists is to sign up for a free blocking service or simply let calls from unfamiliar numbers go to your answering machine. Scammers rarely leave a message.

If you do answer a call from an unfamiliar number, be skeptical of strangers asking questions that would normally elicit a “yes” response. The question doesn’t have to be “can you hear me?” It could be “are you the lady of the house?”; “do you pay the household telephone bills?”; “are you the homeowner?”; or any number of similar yes/no questions. A reasonable response to any of these questions is: “Who are you, and why do you want to know?”

If the caller maintains they are with a government agency — Social Security, the IRS, the Department of Motor Vehicles or the court system — hang up immediately. Government officials communicate by mail, not phone (unless you initiate the call). Many con artists use the aegis of authority to convince you to keep talking. The longer you talk, the more likely you are to say something that will allow them to make you a victim.

Attention Android Device Owners: Do not use “CAC Scan” app

From the Information Protection office at Barksdale AFB:

There is a new app available in the Google Play store for Android devices called “CAC Scan.”

DO NOT USE THIS APP!

The app is designed to scan the bar code on the front of a military CAC and provide you a read out of the personal data including the name, SSN, DOD ID number, etc. And yes, it works. A little research shows the app developer is an American most likely associated with U.S. Army (either active duty, gov or CTR) and lives in the US.

Several disturbing questions remain:

  1. When you scan your (or someone else’s) CAC, where else does the data go; i.e., who else gets a copy of the results?
  2. Why would you need this app? You already know your personal info on your CAC… whose info are you trying to obtain and why?

We cannot see any valid reason to use this app and the OPSEC/privacy implications are disturbing. It could be used to compromise PII on unsecured or stolen CACs. All the more reason to ensure we properly secure our CACs.

Please use EXTREME CAUTION when downloading and using any app – especially one that deals with your personal information.

For reference:

DoDI 1000.13, January 23, 2014

2. GUIDELINES AND RESTRICTIONS. The guidelines and restrictions of this section apply to all forms of DoD ID cards.

a. Any person willfully altering, damaging, lending, counterfeiting, or using these cards in any unauthorized manner is subject to fine or imprisonment or both, as prescribed in sections 499, 506, 509, 701, and 1001 of title 18, United States Code (U.S.C.) (Reference (u)). Section 701 of Reference (u) prohibits photographing or otherwise reproducing or possessing DoD ID cards in an unauthorized manner, under penalty of fine or imprisonment or both. Unauthorized or fraudulent use of ID cards would exist if bearers used the card to obtain benefits and privileges to which they are not entitled. Examples of authorized photocopying include photocopying of DoD ID cards to facilitate medical care processing, check cashing, voting, tax matters, compliance with appendix 501 of title 50, U.S.C. (also known as “The Service member’s Civil Relief Act”) (Reference (v)), or administering other military-related benefits to eligible beneficiaries. When possible, the ID card will be electronically authenticated in lieu of photographing the card.

h. An ID card shall be in the personal custody of the individual to whom it was issued at all times. If required by military authority, it shall be surrendered for ID or investigation.

Title 18 U.S.C.

Section § 701. Official badges, identification cards, other insignia. Whoever manufactures, sells, or possesses any badge, identification card, or other insignia, of the design prescribed by the head of any department or agency of the United States for use by any officer or employee thereof, or any colorable imitation thereof, or photographs, prints, or in any other manner makes or executes any engraving, photograph, print, or impression in the likeness of any such badge, identification card, or other insignia, or any colorable imitation thereof, except as authorized under regulations made pursuant to law, shall be fined under this title or imprisoned not more than six months.

T-Mobile, Experian Data Breach Exposes Personal Info For 15M Consumers

Hackers have reportedly stolen personal information for around 15 million consumers from a database of T-Mobile customers and applicants that was held by Experian. The compromised data comes from anyone who applied for a T-Mobile account after Sept. 1, 2013 and before Sept. 16, 2015.

Anyone who applied for a new contract or financed a phone through T-Mobile in the last two years should keep a vigilant eye on their bank and card accounts.

Read the full article for details on Consumerist.com.

Visit our Identity Theft page for ways to protect yourself and your family members.

Credit Card Skimmer Victims: How much you lose depends on your actions!

On 10 April, Rapid City Police announced they are investigating a series of credit card skimmers found inside pumps at several area gas stations. They stated that the skimmers they’ve found so far have been inside the pumps where they’re not visible to consumers.

You are advised to monitor your credit cards and bank accounts (a practice we encourage for everyone, all the time). If you notice any fraudulent activity, report it to your financial institution immediately.

In fact, how much you lose depends on the card you used and how quickly you report the problem.

Many ATM/debit card issuers have voluntarily agreed that an account holder will not owe more than $50 for transactions made with a lost or stolen ATM or debit card. However, under the law, the amount you can lose depends on how quickly you report the loss.

For credit cards, your loss is limited to $50 as long as you dispute the fraudulent charges within 60 days of receiving your bill.

For a better understanding of gas pump credit card skimmers, here is a story by ABC News from August 2013 showing how the skimmers work and how you are at risk.

Phishing attempt involving DFAS identified

Beware of scam emails that appear to be sent by DFAS employees!

There are emails being sent to individuals, including military members, military retirees, and civilian employees, which appear to be sent by a DFAS employee. Although the email appears to come from a DFAS employee and displays a dot mil address, it is actually from a non-government email account. This is an example of what’s called “spoofing.”

The emails indicate that individuals who are receiving disability compensation from the Department of Veterans Affairs (VA) may be able to obtain additional funds from the Internal Revenue Service (IRS).  These emails are not issued by DFAS and will likely result in a financial loss if you comply with the suggestions in the email.  Bottom line – do not send your personal information or copies of your tax returns and 1099s to the individual listed in the email.

The email indicates that individuals receiving VA disability compensation can receive additional funds from the IRS.  The email states that such funds can be obtained by sending copies of your VA award letter, your income tax returns, your 1099-Rs, your RAS statements, and a copy of your DD 214, to a so-called retired Colonel at an address in Florida.  Do NOT follow the suggestions in the email because you will be providing a significant amount of your personal information to a complete stranger, which could result in a financial loss to you.

DFAS has posted information on Facebook and they have also posted some info on the www.dfas.mil website.