Every year around tax time, we experience a spike in the number of calls we receive from clients as they discover that they are unable to file taxes because an identity thief has beat them to it. Until recently, victims of identity theft who had not been contacted by the IRS directly were unable to take any protective steps to notify the IRS of possible fraud. That was then…

Now- much to our delight-  the IRS has a method of “flagging” your information for monitoring! A copy of a police report documenting the identity theft and a copy of of your valid Federal or State issued identification, such as a social security card, driver’s license, or passport, etc should be forwarded along with Form 14026 to the IRS at:

Mailing address:
Internal Revenue Service
P.O. Box 9039
Andover, MA 01810-0939

FAX: Note that this is not a toll-free fax number
1-978-247-9965

You may also contact the IRS Identity Protection Specialized Unit toll-free 1-800-908-4490 for guidance. Hours of Operation: Monday – Friday, 8:00 a.m. – 8:00 p.m. your local time (Alaska & Hawaii follow Pacific Time).

For more information, please visit the IRS website.

You can also find helpful information about scams, suspicious emails and phishing attempts- including how to report them on their website here and here. Remember that identity thieves and scam artists are keen to try to trick you with timely scams that play on the hopes and fears of the average taxpayer. Emails or phone calls about audits, refunds, or stimulus payments should be treated with the utmost skepticism even if there is an official logo visible.

Another great game from Onguardonline.gov with some important tips regarding preventing and detecting spyware from your computer. Spyware can get on your computer in many ways and can lead to identity theft and fraud. Spyware can even come with packages of “anti-virus” software! Do you know how to protect yourself?

A new scam attempt, aimed at playing on our greatest fears, is making it’s way around cyberspace. ComputerWorld reports that hackers are using this trick to try to get you to download malware onto your computer. They are being so clever, that customize the scam to your location! A email comes to you with headlines such as “Bomb Blast in (your town)” or “At Least 18 Killed (in your city)” and leads to a fake Reuters news service site. Using a familiar ploy, the site then directs you to download the latest version of a flash player so you can see the details. However, instead of a flash player, you get a nice big download of malware.

This reminds us to be suspicious and vigilent. Scam artists are getting very refined in their methods, and some of the attacks are incredibly sophisticated to try to fool you. Don’t let fear keep you from practing the utmost caution when you recieve emails. Always be skeptical of updates to your flash player from third party sites. Go to the website for your player directly to ensure that you have the latest version.

This isn’t a new scam, but we are about to see a revival as spring break and summer vacations roll around. Thieves troll through popular social networking sites such as Facebook or MySpace for individuals posting their spring break or vacation plans on their profiles. Then, posing as a troubled student or traveler they contact all your friends and family asking for emergency cash. Not just by email, but by phone as well. The reasons vary from bail money to medical emergencies or family deaths.  Recently, this wave of fraud has been felt in Washington and Oregon as reported by King5 News, so the scam has officially made its way from coast to coast.

If your children or grandchildren are going to be taking a trip, form an emergency plan of communication with them. Develop a secret password or question-answer combination that you can double check the information if you get strange calls, emails or letters. Question callers to search out scam artists, even if they sound like your relative over the phone. Don’t ever assume that because they are using a familiar family pet name (Nana, Grammy) that they must be the person they say they are. Use caution, ask questions, and remain vigilant.

Onguardonline.gov, which provides helpful tips from the federal government, has some wonderful games to deliver important messages about identity theft. The first one I want to feature here is called “Friend Finder” and is in keeping with our recent posts about the dangers of social networking. So play the game, have some fun, and if someone catches you playing when you should be working just tell them, “It’s ok! It’s research.”

Recently while networking on Facebook; I received notification that a friend of mine had sent me an IQ Test challenge. Now, I am always up for some friendly completion with my buddies; so I decided to accept. What harm could there be in that?

The quiz began innocently enough through the 1^st two pages of decidedly easy questions (What is the capital of California for example). Then, I was suddenly being asked for my mobile phone number.  Of course I was skeptical; so I entered 999-999-9999. I then proceeded to two more pages of ‘quiz’. I noticed that the URL changed several times; but this time they were asking for personal information such as what high school I went to and the year I graduated. This may seem benign; but as Rachel’s posts have mentioned, this is a common security question that banks and other secure sites use to confirm the identity of the user.

At this point, I had enough information to begin researching this threat and decided to close the page. However, the ordeal wasn’t over yet-these scammers really wanted me to stay and complete the ‘quiz’. The first time I attempted to close the window, I received an error message saying “Warning: Friends from Oregon think you’re dumb” that prompted me to continue. When I closed that page, I was rerouted to a site which my malware/virus filters immediately flagged as a ‘red’ site (possibly containing malware or spyware). Fortunately for me, I was able to exit this program without further incident.

Further research uncovered the true intent of this scam: if I had been unwitting enough to enter my actual mobile number, I would have agreed to receive text messages at upwards of $2 a text. From what I have read, it takes a very long time to get your phone company to reverse this action and is almost impossible to unsubscribe from the original application. Somewhere in the ‘quiz’, the scammers claim that a user agrees to these text charges and therefore the scammer has a right to send them. I certainly didn’t see any fine print of this nature at all.

Remember, Facebook and other social networking sites are a great way to connect with others; but they’re also a great way for scammers to connect with you. Beware of any quiz, survey or test that asks for personal information like your cell phone number. If it claims to be an ‘invitation’ from a friend; ask them if they really did send it to you (in my case, my friend had never done so). In fact, I would recommend declining invitations to quizzes like this altogether, and if that isn’t possible, to exercise caution and keep your malware blockers and virus filters up to date.

by Doug Pollack

Amit Yoran, former National Cyber Security Czar, concluded during a recent address at a security conference in Boston reported by Information Security Magazine that the “traditional models used by organizations to calculate risk are fundamentally broken.”

Empirical evidence would support his claim. Despite growing investments in security technology, the incidence of data breach events is rising. For every Heartland Payments Systems that is in the news, there are thousands of other data breaches that go undiscovered or unreported.

Privacy professionals note that many of today’s organizations do not have accurate inventories of the personal identity and health information (PII/PHI) that they store, manipulate and access. Nor have many performed data breach risk assessments nor put in place cross-functional data breach response plans. And fewer still have budgets for implementing technologies and procedures for reducing their risk of data breach, since it isn’t as prominent an industry “category” as say “intrusion detection” or “antivirus protection”.

“Yoran would like organizations to refocus their energy, and determine the impact of loss of data, rather than concentrate on system or infrastructure security. For too long, he said, security has focused on availability of service rather than focusing on the value of data and keeping it confidential.”

Seems like good advice.

In an excellent investigative report by Channel 7 News in Boston, reporters demonstrated how easy it was to obtain copies of vital records by using information available on popular social networking sites. Even though their requests contained incorrect information that should have raised a red flag- address, place of birth -  they were able to obtain birth certificates without much effort. The request did not even have to be made in person. This piece of paper- which may contain fathers name, mother’s maiden name, and place of birth- makes stealing an identity a breeze.

Putting your date of birth may seem like a relatively harmless piece of information to place on your profile, and it is fun to get birthday wishes from all your friends… but that can be a dangerous piece of information in the wrong hands. Not all states have the same controls in place for the retrieval of vital records, so it is important to keep as much information about yourself private as you can. Read the full transcript directly from their site here.

An update to Microsoft’s Malware Protection Center’s Threat Research and Response Blog by Scott Molenkamp the details social networking malware being addressed by Microsoft in their March update to their free Malicious Software Removal Tool.

This is an update regarding the US-CERT alerting us to the Koobface malware, as posted in this blog on March 4th, 2009. The Microsoft Malware Protection Center has noted that the following websites appear to be the focus of this attack:

• bebo.com
• facebook.com
• friendster.com
• fubar.com
• hi5.com
• myspace.com
• myyearbook.com
• netlog.com
• tagged.com

According to Microsoft’s details on the Malicious Software Removal Tool, “The Microsoft Windows Malicious Software Removal Tool checks computers running Windows Vista, Windows XP, Windows 2000, and Windows Server 2003 for infections by specific, prevalent malicious software—including Blaster, Sasser, and Mydoom—and helps remove any infection found. When the detection and removal process is complete, the tool displays a report describing the outcome, including which, if any, malicious software was detected and removed…

Because computers can appear to function normally when infected, Microsoft advises you to run this tool even if your computer seems to be fine. You should also use up-to-date antivirus software to help protect your computer from other malicious software. To download the latest version of this tool, please visit the Microsoft Download Center.”

The FTC wants you to know about the only official site to get your free credit report as granted under federal law. Since catchy tunes and funny videos are the way to our hearts, they have released some videos to help spread to word about how to monitor your credit report for free by using www.annualcreditreport.com

See the other videos at http://www.youtube.com/ftcvideos