“Fleecing the Flock”: How affinity scammers use your identity against you

In another life, I used to write about a lot about sheep.

Yup. Sheep.

I used to write about a lot of animals, actually.  My job was to explain how different landscape and livestock tools worked.  Wild animal repellents, animal fencing, those really creepy fake owls you put on top of your barn to freak wild birds out—that sort of thing.  To understand why those sorts of products work and how to use them properly, you have to understand why animals act the way they do.

So, now I know a lot a lot about sheep.  And I’ve had a linguistic bone to pick with a lot of people ever since.

Sheep are the most slandered animal in our language.  If you’re going with the crowd, you’re being a sheep.  If you hold a popular belief someone else disagrees with, they’ll probably call you a sheep.  To be a sheep means you’re the kind of person who goes with the group.  It means you share the same opinions as the rest of the “flock.”  The implication is you’re too weak or stupid to go it alone, so you find 30 of your friends and do what they do instead of forming your own opinions or behaviors.

But if you know sheep—or at least, if you’ve had to do a lot of Googling about them in order to write promotional materials—you know this is not at all the reality of flocking behavior.

Sheep are NOT stupid.  Far from it, as a matter of fact.

The flocking behavior we see in social animals is actually pretty genius.  When you’re not strong enough to stand up to a wolf on your own, you’re safer when you stick with your friends.  Flocking animals rely on having dozens of eyes on the ground to look for the slightest sign of danger—that’s why they follow each other so closely.

Sheep aren’t the only animals known to get by with a little help from their friends.  Without our cooperative social nature, humans would likely not have shot straight up to the top of the food chain as quickly as we have.

Much like sheep, we rely on other people in our communities on a daily basis to do all the things we need to do.  And we absolutely depend on our flocks to stay safe from would-be predators.

Our flocks are more than just our family and friends.  Whether we realize it or not, we form flocks based on any number of shared traits, experiences, and identities: sharing an alma mater, a religious belief, a locality, a political affiliation, an ethnicity, a language, or a place of work.  We tend to trust others more when we have things in common with them.  You can probably think of at least a few people in your life you may have trusted almost immediately—despite being strangers—based on a few shared traits or values.

It’s not a bad thing most of us do this.  We make lifelong friends because we are able to quickly identify commonality and bond over it.  But when we do that too readily, the tendency to trust those we view as part of our flock can be dangerous—especially when we’re dealing with a wolf in sheep’s clothing.

There is a term for the types of scams that rely on people’s tendency to trust those they perceive as similar to them.  It’s called affinity fraud.  Affinity scams are scams—usually investment scams—that exploit a target audience by dressing those scams up to be everything that audience would trust by default: someone just like them.

While not every scam targeted toward a specific group is a textbook affinity scam, many of them are. 

Seniors are one example of a flock—a group of people who share a specific age range and many of the unique experiences that come with being that age.  Seniors would be far more likely to trust pitches made to them by other seniors or senior-adjacent people or causes.  This is why so many scammers opt to pretend to be from Medicare or the Social Security Administration.  A retiree target deals with those programs every day.  They trust those organizations.  These scams aren’t classic investment affinity scams, but they are successful because they use affinity tactics.

The most recognized affinity scams are those targeting religious groups.  Religious people have a great deal of trust in their churches, other members of their religious sect, and causes related to religion.  Someone who might be very wary of answering their phone and handing out their information to just anyone might not question a stranger claiming to be part of their religion asking for a donation for the church.  This behavior is exactly why churchgoers have lost MILLIONS of dollars to fraudulent investments and Ponzi schemes committed by fellow church members or bogus church organizations.

Another example of a classic affinity scam is this story of a pair of Cambodian immigrants who targeted other Cambodian immigrants to participate in a $30 million Ponzi scheme.  The scammers flaunted the wealth and comfortable lifestyle many immigrants dream about when moving to the United States, using it to convince their kinsmen to contribute their hard-earned money to an amazing “investment opportunity.”  In 2007, these scammers were sentenced to 20 years in federal prison.

An affinity scammer can use almost any part of someone’s identity to gain their trust.  But the most basic affinity scam is one where someone is simply targeting their own friends and family.  Why?  Because those people already trust them simply for being them.  It’s the simplest way to get money from someone, but it’s probably the most tragic, too.

Anyone can fall prey to these scams.  Everyone has something about their identity that can be exploited to gain their trust.

But seniors are particularly vulnerable to affinity fraud.  Seniors have more assets than younger people.  Seniors have retirement nest eggs and savings accounts.  If an affinity scammer is looking for someone likely to have at least one account or asset they can tap immediately to get a few thousand dollars to invest, they’re probably looking for a retiree.

Not only that, but seniors tend to be very active in church communities and charities.  Many seniors choose to spend their retirement volunteering or participating in community activism.  Seniors are a group of people known to be generous with their time and money when it comes to higher causes.  This is exactly the personality type an affinity scammer looks for: the kind of person who will contribute to something bigger than themselves.  The fact that retirees also tend to have bank accounts with readily available cash is icing on the cake.

Because these scammers are playing on the trust you have for those who share some of your most intimate and passionate beliefs—or even the love you have for them as a friend—these scams are some of the most damaging of all.  The money lost is bad enough, but trauma, shame, and devastation of having your trust destroyed by someone you may have cared about can follow you the rest of your life.  Sometimes the victims of these scams never move past what was done to them.

Protecting yourself from affinity scammers starts with understanding every single one of us is at heart a sheep.  I don’t mean that in the negative pop culture sense of the word, but rather in the sense that we all have the exact same need to stick with our flock as the animal we like to make fun of.  The reason we’re so quick to trust people like us is because we SHOULD be able to trust each other, especially when have so much in common.

But humans are predators, too.  For every one of us just trying to enjoy some grass with our friends, there’s another person who sees a field of fresh lamb chops.

Whether it’s an absolute stranger, someone loosely associated with certain things you are, or someone you’ve known for years, there can be no difference in the level of scrutiny with which you examine ANY investment proposal made to you.  The temptation to trust certain people over others will always be there, but you can’t allow anyone to override your common sense when it comes to your check book.

Verify every detail of the pitch made to you independently.  Take nothing someone asking you for money says for granted.  Get as much information about the opportunity as you can and do your own independent research to verify the legitimacy of their claims.

Do not succumb to grandiose emotional appeals, guilt tactics, or pressure to give someone your money.  This is true of ALL kinds of scams.  If someone is trying to guilt you into giving them money (“don’t you trust me, we’ve known each other for years,” “but I helped YOU all those times—why won’t you help ME?”), don’t make a knee-jerk decision you’ll regret.  The more someone pressures you emotionally instead of listing the data-based reasons why an investment is good, the more you need to be wary.

Make sure absolutely everything is done in writing—no handshakes, no verbal agreements, and no money exchanged without a legitimate receipt.  Everyone knows this, but this tends to really go out the window when dealing with a friend, family member, or someone close to you who you trust.  Never give someone a substantial amount of money without the paperwork.  And if that person balks at you requesting such a thing?  It’s not because they’re worried about YOUR best interests, if you catch my drift.

Consult a financial planner or lawyer in absolutely every major financial investment.  If you aren’t a financial professional, chances are good you won’t really know the full extent of what you’re getting involved in.  Never stroke a huge check to anyone without talking to a pro.  If there’s something fishy about the arrangement, a financial advisor will see it right away.

“If it sounds too good to be true, it probably is.”  It’s pretty hard to tell someone how to avoid getting affinity scammed.  The red flags may not be flying as high or as bright as with other scams, and because victims trust the scammer, what few flags are visible might be hidden by fog.  But one ancient bit of wisdom will always serve you well here: beware of investment opportunities promising mind-blowing returns or rewards.  The bigger the promises, the smaller the chance what you’re being told is true.  If there’s one glaring warning sign, it will probably be this one.

Account compromised? If you respond to this call, it might be

With nothing else better to do, you might be one of the millions of people who have succumbed to the temptation of internet shopping in the past few months. Don’t worry—I’m not going to judge you. The way I see it, if you don’t ask me what useless things I’ve purchased on Etsy this year, I’m not going to ask you. Nothing empties my wallet faster than boredom.

And anyway, a lot of our increased online shopping this year is out of necessity and self-preservation—at least, that’s what I’ve been telling myself. This isn’t exactly the best time to be milling around in brick-and-mortar stores if you can avoid it.

Then, add Christmas on top, and most of us have been going a little swipe-crazy sitting at home on the computer.

But with increased usage of our cards online, payment processing services like Paypal, logging in and out of our email accounts, and setting up online accounts at retailers we may have only shopped at in person, we open ourselves up to online fraud. We are giving online thieves and scammers infinite opportunities to scam us out of information, steal our card numbers, and snatch our login credentials. The more we put out there, the more there is for someone to steal—that’s just kind of how the internet works, unfortunately.

So getting a fraud alert email, text, or call around this time would be a bummer, but would you question it if you spent the last month running up your credit cards online? Probably not.

Well…it turns out you probably should.

Today the Better Business Bureau published its newest fraud warning regarding bogus fraud alerts about “compromised” accounts, including Amazon, Paypal, and Netflix, to name just a few.

But this can happen with any one of your online accounts. You could receive a fraud alert from your bank, your email client—anywhere you log in, and especially those accounts that could contain sensitive or financial information.

But the compromised account alert is merely just a solicitation to you to get you to compromise your account.

BBB reports this scam is happening via email and phone call. Emails—which may be disguised as coming from legitimate senders and businesses—will send you to a phishing site, asking for your login information and even your Social Security number. In the phone version, the caller tells you that suspicious charges were seen on your account. The caller will either try to get the same information out of you the email version does or will ask you to download a mysterious “anti-malware” program to your device. Spoiler alert: that “anti-malware” program will be malware.

In a stranger version of this call, the caller may direct you to…buy a bunch of Google Play or gift cards in order to…buy back access to your account? I don’t entirely understand the gambit there, but as we’ve discussed before, any time someone asks you to buy pre-paid cards in order to pay for something, it’s a scam. It’s one of the biggest red flags there is.

Just a few months ago, consumers reported calls regarding their Apple accounts being compromised.

In each case, the scammer will either use trusted branded materials or a spoofed legitimate business address to contact you via email or tell you on the phone that they’re an employee of the business in question. It is possible the phone number will be spoofed to appear legitimate, as well.

Whether the scammer contacts you by email or phone, the key here is not to give any personal information up until you can verify what they’re telling you. For example, if someone calls from your bank telling you there are suspicious charges on your account, log into your online banking before you continue the conversation. If there is indeed some kind of freeze or flag on your account, it’ll be pretty obvious once you’ve logged in.

You can also ignore the email or hang up on the call, find the phone number for that business, and call them directly to check on your accounts. If you do this, just make sure you’re getting the phone number for that business from your own search—not from any website or email the caller might give you.

The most important thing to remember—especially with scam callers—is not to let fear or pressure cause you to do something you know isn’t safe. You don’t have to share your information with just anyone who asks for it, no matter what the situation might be. And the more a caller tries to apply pressure or use fear tactics to get that information out of you? The more likely it is they are fraudsters.

Besides. What are they going to do if you don’t? Beat you up over the phone? Don’t let anyone make you feel like you’re doing the wrong thing by being protective of your personal information. Frankly, any business would be happy to know their customers are protective of their information. It saves them a lot of hassle, you know?

So now that the Christmas shopping rush is over, it might be a good time to go through all of your accounts and statements just to make sure everything is in its right place. Keeping an eye on your finances in general is another good way to thwart anyone trying to tell you that you have thousands of dollars in suspicious charges or that your accounts are frozen. Being aware of your spending and the health of all your accounts will make it much harder for someone to lie to you about it.

HHS warns the public NOT to respond to COVID vaccine scams

After a year I think we all are looking forward to forgetting, Santa has swooped in at the 11th hour to deliver us the gift that’s at the top of all of our Christmas lists: a COVID-19 vaccine.

Of course, in this festive metaphor “Santa” is all the people in the medical research field who have worked day and night to develop an injection that will end this complete and utter nightmare—and did so with a novel virus at neck-breaking speed. In this situation, I have to give credit where credit is really due. Sorry, St. Nick.

One vaccine has already been approved for use in the United States, and five others approved in different parts of the world. Behind those are several more vaccines nearing completion on trial phases.

Hopefully very soon we can return to some semblance of normalcy around here. Personally, I can’t wait to get out there and see how bizarre my loved ones have gotten since I last saw them. At least, I hope they’ve gotten bizarre. I don’t want to be the only weird one at the reunion.

But for right now—and presumably into the next several months—vaccine quantities are extremely limited. They’re rightfully being reserved for those who most need them, primarily the healthcare workers risking exposure every single day. This group also includes workers in long-term care facilities where COVID has a particularly strong stranglehold.

After that, it is expected the second priority group in most states will be people over 65 years of age. This is especially critical because, aside from seniors being vulnerable in general, it will cut off the virus’ favorite breeding ground: nursing homes. Nursing facilities have been the source of many early outbreaks in this country.

Producing, shipping, and administering vaccines to those highest on the priority list is a process certain to take quite a bit of time. Secretary of Health and Human Services Alex Azar estimates the general public won’t have access to the vaccine until Spring 2021, so it looks like we’ll have quite a while to wait.

Knowing that, none of us should be expecting to receive any kind of communication telling us to pull up at the COVID Shot Store any time soon. Even seniors who will be among the first to receive the vaccine shouldn’t expect it—we’ve only just started to deliver doses to frontline health workers.

With thousands of healthcare workers waiting on the first vaccines to arrive, there is absolutely NO chance of getting any kind of early access to the shot. Zero. Zilch. Not possible. No way, and no how. There are very few doses even being made yet, and every last one of them is spoken for.

But if we know ANYTHING about scammers, we know they are shameless opportunists. Judging by how they reacted to the first available COVID tests, the Department of Health and Human Services is getting out in front of the vultures before they really start circling.

The Office of the Inspector General at HHS is already issuing warnings about any communication the public might receive—be it email, phone call, or text—about offers and access related to the COVID vaccine.

To paint a picture of just how fast scammers can mobilize campaigns, the Food and Drug Administration authorized use of the first COVID vaccine six days ago. Just three days later, we got the first reports about vaccine-related scams.

Per usual, scammers are making these calls and emails sound and look as if they’re coming from genuine government and health institutions, like the FDA, the CDC, Medicare, or local physicians and pharmacies. There may be very little in the way of red flags to let you know the communication is from an imposter: emails will spoof email addresses and use legitimate branding materials, and calls may used spoofed phone numbers that on a cursory look-up seem to be coming from a legitimate place.

But as we’ve explored in the past on this blog, it is nothing for a scammer to fake a local or legitimate number or throw together a halfway decent facsimile of a recognized and trusted website. This is 101-level stuff for a fraudster.

Normally I’d give some tips about how to recognize these things or maybe a list of things you can do to steer clear (I do LOVE a bulleted list). But telling you how you can avoid having your personal information stolen by these particular scammers is, thankfully, much simpler than that:

You can’t get the vaccine.

There is no vaccine available to the general public.

There won’t be a widely available vaccine until second quarter next year.

That’s really all you need to know. Anyone offering you some kind of super secret VIP access to the shot in the meantime is trying to get something from you. Absolutely NO ONE can get this shot except a select few who really, really need it. That’s it. That’s all. End of.

The day we have enough of the vaccine to distribute it to the public, it will absolutely consume the news cycle. I imagine there will be lines outside every PCP and pharmacy door that would make you think someone was handing out free suitcases of diamonds (or toilet paper, AM I RIGHT?! Hahahaha! Help, someone, please.).

There will be no questions at all when this thing becomes available or if it’s available. We will all know when that time comes. And that time is not any time soon.

So, know that in the coming months these vaccine scams will be everywhere. Scammers will contact people in all the ways they usually do, via any means, and they will be really good at making themselves out to be something that they’re not.

And as it gets colder and darker and the cabin fever starts setting in (if it hasn’t WELL before now), they’re going to use that to tempt victims into thinking they can get this shot that will allow them to get back to life.

Don’t fall for it. It’s going to be a tough winter, but we made it this far. We all just need to keep following the rules for a few more months so we can end this nonsense once and for all.

“Can you hear me?”

There are few things I hate more than the sound of my own ring tone at noon on a Monday.

To be fair, I hate the sound of my ring tone at all other times, too. Since settling into my quarantine life, I’ve really gotten used to a minimal amount of social stimulation. A ringing phone sounds like a baseball going through a picture window at this point.

But at noon on a Monday when I don’t have a prescription for pick-up or a pet due for a wash and cut the next day? There is only one type of person who calls me. And that’s generously assuming it’s a human being.

When I hear that sound at noon on a Monday, I start making gentleman’s bets with myself.

It’s the police.

No, it’s the “Social Security Officer.”

Ooh, no, it won’t be the Officer this time—it’ll be the Agent.

Maybe I’m feeling especially lucky and it’ll be the guy who really just wants to give me deals on medical equipment.

No, I definitely won a free cruise today.

I’m not feeling particularly special or lucky today—today, I thought, I’m going to play it safe and guess that my Social Security number has been suspended. That’s what it’s usually been lately.

But I was wrong. Good thing it was only a gentleman’s bet. I would hate to lose the ten dollar bill I found in my jacket pocket to the responsible part of myself who would put it in the piggy bank.

I daresay I was almost excited after I picked up the phone. It’s a little embarrassing to admit certain types of scam calls make me excited, but, hey. We’ll just chalk it up to the quarantine lifestyle.

The call I received was exciting because I hadn’t considered it for several years. It’s been about three or four years since I’ve read anything about it. Even then, reports about it were dubious at best. It was a call everyone was getting in 2017, but despite the panic headlines, there were just as many questioning whether or not the scam existed at all.

When I answered the phone, I didn’t get a “hello,” “hi, this is–,” or “is this–?”

The first thing I heard was, “can you hear me?”

Part of the reason I answered with more of a grin than an audible response is the caller caught me in the middle of a vicious battle with my post-holiday writer’s block. Little did the caller know he was doing me a real solid in the middle of the day.

But part of it was also getting that verbal response is the goal of the caller’s game. In 2017, this scam was known as the “Just Say Yes” scam.

This phone scam is actually pretty interesting because although we have a detailed rundown of how it works and what the caller is trying to gain from asking a weird question as a greeting, there are very few documented cases of this scam occurring. If you Google it, the second and third search results are from CNET and Snopes calling these calls a potential hoax.

Here’s how they’re supposed to work:

You receive a call and the caller asks, “can you hear me?” Or greets you with some other question with a yes or no answer.

You say, “yes.” And then the caller immediately hangs up.

The caller asked you a question to get you to say, “yes” because they were recording the call. They now have a recording of you saying, “yes.”

From there, the caller will attempt to gain access to your financial accounts by using the recording of your voice saying a confirmation word. This could result in new accounts appearing in your name or fraudulent charges showing up on your bank statement.

What isn’t up for debate is that these strange calls were all the rage several years ago. Tons of people reported receiving this weird call—and I, myself, received it just now. “Can you hear me?” And then click. There isn’t a question that it’s something that happens.

What IS questionable is whether this call is being made to record your voice and gain access to your personal information.

Back when this “scam” was a hot topic, I even thought it was a weird premise. It’s possible, sure, but…does it make sense?

Think about it: how many customer service phone trees do you use that rely on voice recognition to determine your identity? It would nice to not play 20 Questions every time I need to call my bank, but unfortunately, I’ve had to provide at least three pieces of critical information to prove who I am since the day I had my own bank account.

And that’s another thing. Knowing someone would at least have to provide my birth date and the last four numbers of my Social Security number or account number (probably both) to gain access to my account, what would having a recording of me saying one word do?

So you have me saying, “yes.” What about the other hundred words you’re going to need to use? The call would have to be in two different voices.

I’ve never been sure what having a recording of me saying one word would accomplish. My best guess is because financial institutions often record calls for quality control, it may be a defensive measure in the event the recording of that call is used as evidence to prove fraud. In that case, it might be a good thing to have my actual voice on the line giving someone permission to look into my private information.

But given the fraudster would use far more words than just “yes” to access my accounts, it still seems a little far-fetched.

Nevertheless, there ARE reports—albeit, very few—of people receiving this call and experiencing some kind of fraud soon after the call.

A man in Washington reported receiving this call and finding fraudulent hotel charges on his bank statement several days later. Though he is convinced the call was the source of the mystery charge, there’s little in the way of direct evidence to link the call to the charge. And it still doesn’t explain how the scammer could have made the charge without also getting the victim’s financial details.

According to the director of Consumer Federation of America, it’s possible the people who receive these calls have already had their information stolen. The call might be occurring only because a scammer has already managed to steal your identity.

But if that’s true, I still don’t entirely understand why a scammer would need to go to these lengths to access your financials. Unless they also have a recording of you saying all of your information on top of every other word in the English language, it seems a little pointless. Having had my credit card maxed out by a thief in a matter of hours just weeks ago, I can attest to the fact that nobody needs a recording of your voice to buy 10,000 followers on Instagram on your dime.

And, yes. Someone stole my credit card number to buy Instagram followers. These are strange times we live in.

All my questions aside, did I answer the question with a yes or no? Absolutely not. I’d much rather protect my bank account from any future would-be social media influencers than be right about this scam not making much sense. At the end of the day, I can’t use smugness to pay my light bill. If I could, I’d be cruising around in an Aston Martin right now.

The fact remains this call is still happening and we aren’t entirely sure why. And it’s happening enough that the Better Business Bureau just recently put out warning. It may not make a lot of sense, but as it concerns your money and identity, being safe is always better than being sorry.

At the very least, these calls could be nothing more than a scammer checking for a live phone number. Every time you answer a scam call, you’ve just let an entire network of scammers know you’ll answer your phone. See here if you want to know how THAT works out for you in the end. I’m STILL getting texts because of that little investigation.

The best thing to do is refuse to pick up the phone from an unknown caller. And if you do? Don’t ever say “yes” or “no” to someone asking you a question before they even greet you. I recommend a hearty and cheerful “mmm-hmmm” if you absolutely must speak.

Social media “Secret Sister” gift exchange is an illegal pyramid scheme in a Santa suit, says Better Business Bureau

It’s that time of year,

When the world falls in love,

Every song you hear seems to say,

Merry Christmas,

Please give us your name, address,

The contact information for several of your close friends and family,

And ten dollars, and you might receive,

Up to 36 gifts in return from everyone participating,

In this year’s Secret Sister game!

Well, not every song. But if you spend a lot of time on Facebook during the holiday season, it will probably seem like it.

The “Secret Sister” gift exchange post has popped up on social media going back to 2015, and this year appears to be no different.

If you don’t know what I’m talking about, here’s an example of what the post might look like:

“Creating some positivity?” That sounds like a fantastic idea. After the way THIS year has been going for all of us, positivity is in short supply. Why not join in on a light-hearted Secret Santa while it looks like we won’t be able to join in on any in-person celebrations this winter?

…Aaaand that’s how they’ll get you. That thought process right there. Because although this scam was around long before COVID, it will be far more enticing this year than any previous. We’re all primed to conduct our holiday cheering online—and we’re far more likely to seek out ways to put ourselves in the Christmas spirit after eight months of doom and gloom.

You see, the whole “Secret Sister” thing is a lie. In reality, it’s a clever recruitment tool to get you involved in a good old fashioned pyramid scheme, according to Better Business Bureau.

You throw in $10 and tell your friends. And then they throw in $10 and tell their friends. …And then they throw in $10 and tell their friends… And so on, and so on, and so on, until the last person on Earth has put her Hamilton into the basket and there are absolutely no gifts to go around—assuming anyone gets any gifts in return at all, of course.

To make matters worse, your $10 isn’t the only thing at stake in these gift exchanges. In order to make the sending and receiving of mystery gifts from strangers possible, the exchange operators will need your full name, your address, and quite possibly your financial information depending on how they’re asking you to send your buy-in. That’s MORE than enough information for someone to get the ball rolling on stealing your identity.

Not only is this a pretty straightforward pyramid scheme—which are extremely illegal in the United States—but it’s also a form of illegal gambling, says the U.S. Postal Inspection Services.

Participating in a gift exchange like this could get you in hot water for mail fraud. Note that strange little comment in the example image about “don’t comment that it’s illegal for sending people a $10 Christmas gift.” Yeah. This person knows exactly what they’re doing.

And for the record? It IS illegal.

This scam is mostly being seen on Facebook, but you should keep an eye out for it on all of your social media platforms. It goes without saying you should completely ignore any posts or requests to join any Secret Santa-style gift exchanges with strangers, but if you see any of your friends and family sharing posts like this, give them a heads-up: not only is this a scam, but it’s one that can get everyone who participates into big, big trouble.

“Smishing”: scammers’ newest tool in the smart phone era

Last night, while I was sitting around daydreaming about all the bills I was going to pay on time, I received an unusual text message:

Three delinquent payments, I thought. I only ever have two delinquent payments on my credit report—how dare you suggest I’m the type of person who would have a third!

It just so happens I pulled my free credit reports for the year a few days ago, so I know perfectly well there’s nothing delinquent on my credit record. And while a quick Google investigation didn’t yield any results for this phone number or the verbiage used in that text, I know I’m just one of the thousands of people on the receiving end of this message today.

This is an example of what’s now being called “smishing.”

Don’t be fooled: “smishing” might be one of the funniest words ever invented, but it describes something that could have a dramatically negative impact on your life IF you aren’t on the lookout for it.

“Smishing” comes from the combination of “SMS,” or short message service, and “phishing,” a practice in which scammers pretend to be legitimate organizations seeking information to ensnare victims.

Typically, phishers have relied on casting a wide net of emails to direct victims to bogus websites. Once navigated to the site, users are usually asked to input critical login information or private details a scammer can exploit, but sometimes users are tricked into downloading malicious software that can be used to gain access to sensitive data.

But in 2020, most of us have traded our desktops and laptops for mobile devices. And instead of using email to communicate, we are favoring short message services for an increasing amount of our day-to-day business.

Ten years ago, it would have been unusual to receive a business text.

Today, I would conservatively estimate that I receive between ten and 37 thousand texts a day from my utility providers, my financial institutions, my doctors, mail delivery services, and everywhere I have ever shopped in my entire life. At this point, I wouldn’t be surprised if I received a text message from a gumball machine I put a quarter into in 1995–“WE MISS YOU! USE COUPON CODE ‘GUM95’ TO GET YOUR FREE CHERRY DUBBLE BUBBLE TODAY!” Things have really gotten out-of-hand.

Naturally, our growing trust and comfort with conducting business over text messages has created a favorable environment for phishers to move their operations to SMS.

In fact, the environment is so favorable, scammers are—excuse me for a second. I just got a text notification.

Nevermind. Just another smish. And from the same scammer, too. Check out that URL.

Anyway. Now, what was I talking about…

…Oh, right.

The environment is so favorable for text-scammers that they stand to make more money duping users through texts than they ever did through email. As many as 98% of text messages get opened compared to 20% of emails, and 45% of texts get responded to versus a measly 6% of emails.

Case in point: the reason I received a second smish attempt from the same bogus URL is because I opened the first one. Unfortunately, by reading the first text about my derogatory credit marks, I’ve just let the scammer know my phone number is live and I can be intrigued enough to open a message. Though I didn’t take the bait about my credit report, the scammer will likely keep trying me with different tactics hoping he sends me one I can’t resist.

In the phishing game, getting a potential victim to open the message in the first place is half the battle. And phone users, like myself, have proven we are much more likely to open a text than an email.

What the scammer doesn’t know is that I opened his texts to make an example out of him on blog about scams. Sorry to get your hopes up, friend, but thanks for the content!

The rise in smishing success is also largely due to a common misconception that our phones are more secure than our computers. Most of us have had decades to understand our computers are susceptible to malware, scams, and other suspicious activity. But we still don’t have a common understanding that our phones are computers, too. They are just as vulnerable to attack as any other device. We need to view unknown texts with the same amount of suspicion that we do unknown emails on our computers.

Smishing attempts can be about anything, but usually things that would cause a user alarm enough to motivate them to open the message and click a link:

You owe the IRS money.

You have bad marks on your credit report (check!).

You have bad marks on your driving record (double-check!).

You have packages waiting at the post office.

Your bank is closing your account.

You’ve won a prize!

Your Social Security number is being suspended.

Your Apple/Google account has been locked.

You’ve been exposed to COVID (this one is the Flavor of the Month)

If you’ve received something like this, step one is to scrutinize the number of the sender. Many times the number won’t look remotely like a real number. It could also simply say “restricted.” Hard pass on those messages. But, it is worth noting that a scammer can spoof any number they’d like—including those you trust.

Step two is to scrutinize the message content. A lot of these messages are somewhat…bizarre. Using my “Auto Vehicle Department” text as an example, the first thing I notice is…what the hell is the “Auto Vehicle Department?” The next thing I notice is This Sender Definitely Feels Strongly About First Letter Capitalization. That doesn’t strike me as being too professional. I’d certainly expect more from the prestigious Auto Vehicle Department.

These texts will usually include a link. So, step three is DON’T CLICK THE LINK. There is a possibility all it will do is take you to a fake website where the real damage will be done, but there’s also a possibility that just clicking the link will install something nasty on your phone. So the safest thing you can do is not click anything within the message.

LOOKING at the link in the message, however, might give you some further clues it’s illegitimate. The reason I knew my messages were fraudulent is because aside from being really absurd URLs for allegedly important organizations, they are also…the same URL.

…Then again, that could just be a coincidence.

And now that I think about it, I AM pretty concerned about my driving record…

…Maybe I should just check it out a little bit more before I—wait, phone’s beeping again.

Wow! I’ve won an iPad! I’ve always wanted one of those!

Except…there’s those capital letters again.

…And there’s that URL again. I guess that’s a triple-check for today.

I probably should have made “step one” don’t click to open the message in the first place. I have a feeling I’m going to be paying for writing this article for a few days.

…Hang on a minute.

…Yeah, I’m definitely going to be paying for this one.

The data security experts at Kaspersky have some additional tips to protect you from the rise in smishing scams. And as always, if you’re receiving texts like this, report them to the FCC.

Speaking of which, I have some some reporting of my own to do, it seems.

Good luck and stay safe on your phones out there!

Study shows Americans are increasingly comfortable sharing health, Social Security, and financial information in the wake of COVID-19

The Advertising Research Foundation recently released results from its third annual Privacy Study, a survey conducted to find out how Americans perceive and treat their personal and private information. Among other things, the survey measures how well Americans understand privacy terminology and concepts, and how willing they are to release different kinds of private data.

This year’s study occurred within the context of the COVID-19 pandemic, a unique environment where we’re being asked to share deeply personal information we might not otherwise. Not only are we readily sharing medical information in an effort to slow the virus’ spread, but we’re also engaged in a nationwide discussion about hardship—one that shines a spotlight on our individual finances.

Given the dialog about contact tracing, personal health habits, and economic relief, most of us could have guessed at the results of this year’s survey. Though this has been a gradual trend over the years, the 2020 Privacy Study indicates a sharp uptick in how comfortable people are with sharing all kinds of sensitive personal information.

Some examples of this uptick include the amount of people willing to share medical information (34% in 2020 versus 27% in 2019) and an increase in data-sharing among those who have experienced job loss or wage decreases.

It was also found that despite this increase in sharing, more Americans understand the terms of privacy agreements. For example, the study shows that respondents have a much greater understanding of what “third party” information sharing means. Not only are we sharing more of our personal information than in the past two years, but we are also much more aware of what we are agreeing to when we share that information.

It’s not hard to understand why this trend is occurring. We are being actively encouraged to share medical information to help healthcare professionals fight the virus. And we all have a tendency to volunteer our experience when we talk about economic policy and impactful stimulus measures.

But while this sharing is necessary in many respects, it can also make us susceptible to the dangers of putting too much out there to too many people.

Within the first weeks of COVID making it to our shores, financial predators repainted, refurbished, and reintroduced their scams to suit our pandemic-anxious climate. Instead of impersonating Social Security Administration workers or law enforcement, they now impersonate doctors, nurses, and contact tracers. Instead of offering lottery prizes, they now offer COVID testing and stimulus checks.

The critical takeaway from this study is knowing that we’re living in a world where we are being asked to share more and more—and most of us are doing it.

Unfortunately, the more we put our concerns about our privacy to the side for the greater good, the more we prime ourselves to be okay with it in the future. And that could create a pretty big problem moving forward.

We say all of this just to remind you to stay vigilant about who you tell what. There are so many reasons why putting your experience out there is important—we rely on people telling their stories about illness and financial struggle to advocate for positive change.

But not everyone who asks to hear your story is trying to work for you. Some of them might be actively working against you. And they don’t need very much information about you to do it.

So continue to be mindful and alert when it comes to your personal information. This is both true of direct contact from a potential scammer AND generally sharing your personal details on social media. Ask those who may approach you to share your personal information to verify their identity or purpose, and never, ever feel like you HAVE to trust someone asking for it.

Cell phone users receiving “missing package” texts are in for a nasty surprise

Have you received a text lately that looks like this?

A43

I certainly hope not. If you have, there’s probably a very high likelihood you clicked the link. Even if we were living in a normal situation, it would be almost impossible to resist finding out what you could possibly have stuck at the post office.

But we aren’t living in a normal situation. Thanks to COVID-19, we’re shipping and receiving more packages than ever. And with nationally reported postal slowdowns, a lot of those packages are stuck in shipping limbo for unusually long periods of time.

If YOUR experience of the past few months is anything like mine, you probably have 2, 3, 4…15 packages floating around in the postal network right now. And you’ve probably also lived the joy of seeing that “scheduled for delivery tomorrow” on the shipping tracker about five days past “tomorrow” with no kind of update.

So, if I was to receive this text? I wouldn’t be surprised. Not only do have no idea where some of my packages are right now, but in my late night quarantine boredom, I may have made one or two completely unnecessary purchases I no longer even remember.

…Okay, fine. It’s more than one or two. I admit it, I admit it.

Fortunately after writing so many of these blogs, I’m thoroughly convinced no one has ever sent me a legitimate text in the entire history of my owning a mobile device. I say “fortunately” because it’s an extremely convenient excuse to use when you want to ignore people.

No, I’m not ACTUALLY that paranoid yet. But I DO take text messages—and especially links in text messages—from people I don’t know very seriously. There are any number of things clicking a link can do to your device and your personal data if it’s coming from a ill-intentioned sender. It’s always good policy to do some web search homework when you receive a text message like this.

If you performed a quick web search after receiving THIS text, you’d find out pretty quickly this is another one of those risky links.

Officials are sending out a heavy word of warning to anyone who might receive a “missing package” text message.

Users clicking on the link are being navigated to phony Fed Ex and postal delivery login portals and possibly even unknowingly installing malware on their devices. This malware can lock you out of your device, steal the credentials to your email, bank apps, and other critical software, and pull sensitive data from your phone.

If you venture to log in to these fake postal delivery portals, you could also be directed to input vital personal information that could be used to steal your identity.

So, word to the wise: if you become one of the thousands of Americans who receive a text message telling you to visit a link to claim your “missing package?”

Do NOT click the link.

DO block the number and report the sender to the Federal Trade Commission.

The only “package” you’ll be missing by deleting this text message is one you DEFINITELY want to stay lost.

Scammers threaten Social Security recipients with prison

The one thing I will say in favor of Life in Quarantine is it does free up a lot of time.

When you don’t have too many places to go, you have a lot of open evenings and weekends. The past few months have been a great time to catch up on all the hobbies and projects I’ve been meaning to get around to.

Like, waxing the hardwood floors.

Reading all of the books I bought, but never touched after.

Money laundering.

Learning Italian.

Solo scherzando! My isolation hobbies don’t actually include any felonies. But, it would seem a criminal investigator at the United States Federal Government thinks they do—or at least, someone impersonating one:

This mildly threatening message is brought to you by my very own voicemail inbox.

Now, I can’t really speak for “my family,” which is also apparently being investigated (I can’t blame anyone for turning a suspicious eye toward those shifty individuals), but unless I’m entering the “committing financial crimes in one’s sleep” phase of quarantine, I’m not guilty of hiding any ill-gotten gains. I’d probably remember doing something like that if I did.

And if THAT was the case, I DEFINITELY wouldn’t be blasting my criminal warrant notice all over the internet.

There. Now that my name is sufficiently cleared…

This is just real life example of what awaits you in your voicemail box when you choose not to answer the phone for callers you don’t recognize. Or, if the caller spoofed a number in your area code, the robocall you would have received in real time if you had picked up the phone.

Admittedly, this is pretty tame version of the “you’ve committed a crime, so we’re going to need you to call back and give us all of your Social Security information” scam. They get much more colorful than simply accusing someone of money laundering. My personal favorite is the one where a “Social Security agent” calls you and tells you that your Social Security number has been linked to a rental agreement for an abandoned vehicle filled with cocaine and blood. We’ve gotta give that person at least a few points for style and flourish.

Whether the caller mentions your Social Security number, being attached to the Social Security Administration, or simply just accuses you of committing a crime without any specific nod to your Social Security, the end goal of these phishing calls is the same. Scam callers are getting a list of names and phone numbers, casting a wide net, and hoping they can scare someone enough to get them to call back. At that point, the caller will inevitably ask for your Social Security number along with as much identifying information as they can.

Once they have it, they will use it to steal your identity. If they can get your banking information out of you, they’ll skip right to the chase and help themselves directly to your bank accounts.

Lately, the setup for these scams have evolved to reflect the new pandemic-anxious environment we’re all living in. Scammers have taken advantage of those living in isolation, expecting calls from contract tracers, and looking for resources to stay safe during the pandemic by adapting their pitches to be more COVID-related.

But that doesn’t mean they’ve let go of their tried-and-true methods. Even at a time like this, nothing makes people more anxious and likely to pick up the phone than being accused of committing a federal crime.

To this I can only reiterate that you KNOW whether or not you’ve done something to get on the wrong side of the law. I mean, come on, money laundering? That’s not just something you do on accident while waiting for your toast to pop on a Tuesday morning.

If you aren’t hiding millions of dollars in offshore accounts or playing your local slots multiple times a week to clean your drug money (don’t get any funny ideas—I listen a LOT of true crime podcasts), it’s pretty safe to say you shouldn’t be taking any calls like this seriously.

And if that isn’t enough to make you feel better? I can’t stress enough that no law enforcement agency OR representative from the Social Security Administration is ever going to call you casually on the phone. That’s just not how it works. If you’re being accused of any severe wrongdoing, believe they’ll send someone to your house. At the very least, you’ll get a very serious-looking letter in the mail or something.

But a sloppy informal robot call? Not even a chance.

And bear in mind the reason the feds and the Social Security Administration can send you a letter is they know where you live already. These agencies would never need to call you on the phone and ask you for your name, your address, your Social Security Number, or any other identifying information. They have it.

So, as you’re sitting at home bored out of your skull waiting for someone—ANYONE—to call and provide you with some kind of social entertainment in quarantine right now, just remember to resist the urge to pick up for numbers you don’t know.

And if they leave you a voicemail as spooky as this one? Don’t be afraid to share it with us so we can have a good laugh.

How scam artists are using “contact tracing” to commit financial fraud

We’re willing to bet you’re probably not too familiar with the term “contact tracing.”

If you aren’t, that’s okay. It’s not some new lingo in digital scam world—in fact, it’s a legitimate practice and it has nothing to do with phone and internet fraud. We actually just learned about it, ourselves.

Contact tracing is a tactic used by healthcare workers to track and limit the spread of dangerous diseases. It’s been one of our most tried-and-true strategies for containing epidemics. Before we had other advanced medical tests and techniques, doctors and medical professionals used contact tracing to identify potential carriers of deadly illnesses and isolate them to prevent further infection. It’s actually a tool we’ve been using for centuries.

Once an illness has presented in a local area, contact tracers will interview the afflicted person to determine how many people they’ve been around during the time that they’ve been infected. When the tracers identify those who have a high likelihood of exposure, they’ll reach out to those individuals with instructions on how to seek treatment or isolate.

From there, contact tracers will repeat the process, mapping out a web of exposed people. This allows the area’s medical system to anticipate how serious an epidemic might be and work quickly to make sure the infection doesn’t spread farther than those exposed initially. Contact tracers are basically the detectives of the medical field.

Right now, healthcare workers are using the same tactics to contain those who have come into direct contact with COVID-19 patients. Until we have a vaccine, identifying and isolating Coronavirus carriers is all we can do to stop the infection from exploding.

To do this, healthcare workers will often reach out directly to those who have been named as potential carriers. Typically, this will be done by phone. The call might go something like, “hi, I’m So-and-So from Your City’s health department, and we have reason to believe you’ve been exposed to COVID-19.” During the course of the call, the healthcare worker will probably need to ask you some questions to verify your identity and give you medical instructions.

So why are we explaining a perfectly legitimate healthcare practice on a blog about scammers?

Well, after that last paragraph, you’ve probably guessed what the problem is, here.

The problem is scammers know about contact tracing and how medical professionals do it. They know that during a global pandemic it’s extremely plausible that any one of us could receive a call from the health department. And they also know that people who are terrified of contracting the virus will be quick to answer questions—personal questions—in order to get tested and treated.

Sadly, a very necessary healthcare strategy has now become the perfect setup for identity thieves and financial predators.

Local news stations from coast-to-coast are airing warnings to residents as this scam is popping up all over. The Federal Trade Commission and Better Business Bureau have each issued official statements regarding bogus contact tracing calls and text messages.

This is a tough situation. We need to cooperate with our health departments so we can get to the end of this incredibly long, incredibly awful book and slam it shut. But how are we to know if the call we might receive is legitimate? Anyone can say they’re a contact tracer over the phone.

The first way to identify a fake caller is to ask yourself what a legitimate healthcare professional WOULDN’T do:

  • They’re NOT going to text you to tell you might have COVID-19. Can you imagine someone texting you to tell you that you’ve been exposed to a deadly virus? That would be like a cop texting you to tell you that your Social Security number has been suspended (okay, that one does happen, but it’s also a scam). A doctor or healthcare worker is definitely not going to break serious medical news to you by sliding casually into your text message inbox. That’s just absurd.
  • They’re NOT going ask you for your credit card details. Receiving a contact tracing call doesn’t cost anything and they don’t need your bank information to verify who you are. The point of the call is to tell someone they’ve been exposed and ask them to get tested and quarantine—not to get someone to pay for any kind of service. There is absolutely no reason they would ask for financial data.
  • They’re NOT going to ask about your Social Security or Medicare information. Again, this call has absolutely zero to do with your income, finances, or medical coverage. All of that is completely impertinent to the conversation.
  • They’re NOT going to ask you ANY details about your personal life EXCEPT those that involve how many people you’ve been around in a certain time frame, who they are, and what symptoms you may or may not be experiencing. That’s it. That’s all they care about.

Any alleged “contact tracer” doing any of these things (contacting you through unprofessional means, asking for bank information, asking for Social Security or Medicare information, and asking you for private personal details unrelated to the topic at hand) is a scammer. A contact tracing scammer will inevitably do one if not all of these things. That’s how they make their money.

But, a contact tracer DOES have to ask you some questions. They WILL ask for your name, it’s possible they could want you to verify your location, and they’ll assuredly ask for very light contact information for those you may have exposed. Especially with regards to handing out the names and numbers of people you know, you may not feel comfortable even doing that without some kind of reassurance.

Not only is that understandable, it’s entirely expected. Legitimate healthcare workers know we deal with scam calls every day. They know the wise will be uncomfortable sharing any information with an unknown caller.

That’s why it’s important to know it’s okay to refuse to give information before you have reasonable proof the caller is who they say they are. The health department gets it and they’ll respect your reserve.

They are able to send you a photograph of their identification badge if you ask. And they’ll also have no problem with you saying that you’d like to end the call, verify their organization’s phone number independently, and call back to request to speak with them. This is a very common and recommended way to verify the legitimacy of any caller claiming to be from a recognizable business or organization.

If the caller fights that request, pressures you to continue the call or answer questions, or insists that you call a number they provide you, it’s a good indication the caller is a fraud. Scammers are known to get very aggressive and threatening on calls when the victim isn’t cooperative.

Healthcare workers have no reason to pressure or scare you on the phone—in fact, it’s not legally required that you answer any of a contact tracer’s questions. Although, you definitely should. Providing information to contact tracers benefits all of us.

Also, keep in mind these scammers are like many others in that they’re spoofing the actual phone numbers of local health departments. Don’t solely rely on the validity of the number showing up in your caller ID to verify the caller. That number may be faked, too.

And DEFINITELY don’t click any links you might get sent in emails or text messages. Those will most likely lead to phishing sites or malware.

Like most of us, you probably won’t ever get chased down by a contact tracer. But, with Coronavirus showing no signs of stopping anytime soon, it’s always a possibility.

If you do end up receiving a call like this, just make sure you follow these rules and you’ll get all the information you need—without falling for someone’s gross phone scam.