Those We Trust the Most! Beware of BBB Scams.

Just Because it Says “BBB” Doesn’t Mean It’s The Better Business Bureau…

Not all crooks are dummies. In fact, many are very smart. How many times have you heard the sentiment, “If only they’d use their skills for legitimate purposes…”? These clever con men know the businesses and brands that we trust and they take advantage of that trust by using an iconic symbol, like the Better Business Bureau (BBB), to lull us into a false sense of security when we see their logo, all in an attempt to separate us from our money.

If you own or work for a small business, be careful not to automatically take email messages you receive from the BBB at face value. There are a handful of hoaxes that seem to resurface every year using the BBB’s good name and mark to trick us. These email scams all start similarly with fraudulent email messages posing as the BBB. The fake emails are often signed with the address of the Council of Better Business Bureaus, which is the national office of the BBB system. The email messages are very convincing looking, often using what appears to be standard BBB formatting, including details like a user ID, reference number, and password, which are similar to the authentic complaint case notices from the real BBB. The messages are usually well written with good grammar and no spelling errors. Here are three angles the spammers have taken:

FOLLOW-UP ON COMPLAINT FILED WITH BBB — An email with the subject line “Complaint from your customers” may be a scam. Just like the real ones, the fake emails inform you that a customer has filed a complaint about a negative experience they’ve had with your company. The messages often include language, such as:

We encourage you to use our ONLINE COMPLAINT system to respond to this complaint.

The following URL (website address) below will take you directly to this complaint and you will be able to enter your response directly on our website:

Often the email refers the recipient to a zip file attachment, which supposedly contains a copy of the complaint.

Do Not Open the Attachment or Click On the Link!

When you receive this type of notice, your first instinct might be to jump right in and resolve the complaint by opening the attachment or clicking on the link provided in order to view the details, just as they suggest. Don’t click it; it may link to a non-BBB website. Instead, hover your mouse over the website address or URL (the part that begins with http://). That may reveal the actual address, which may not be BBB at all. Then again, it may not reveal anything, so still tread lightly even if it appears to be a BBB website address. The link might actually take you to a rogue website that downloads malicious software onto your computer, such as a virus, a trojan, or botnet malware, all of which are ultimately designed to steal banking information and passwords.

REQUEST FOR UPDATED CONTACT INFORMATION “AS A SERVICE TO BBB ACCREDITED BUSINESSES” – Another tack the fake emails take is to appeal to your sense of system integrity, as in the following:

As a service to BBB Accredited Businesses, we try to ensure that the information we provide to potential customers is as accurate as possible. In order for us to provide the correct information to the public, we ask that you review the information that we have on file for your company.

We encourage you to use our ONLINE FORM to provide us with this updated information. The URL below will take you directly to this form on our website:

…Please look carefully at your telephone and fax numbers on this sheet, and let us know any and all numbers used for your business (including 800, 900, rollover, and remote call forwarding). Our automated system is driven by telephone/fax numbers, so having accurate information is critical for consumers to find information about your business easily…

CONFIRMING CLOSURE OF A COMPLAINT FILED WITH BBB – Another way to get businesses to open malicious attachments or fake links is to draw your attention to a “resolved” complaint that you knew nothing about until now. Again, the email message is “phishing” to get you to open a file or click on a link in pursuit of answers to this supposed complaint, as follows:

Dear Company:
As you are aware, the Better Business Bureau contacted you regarding the above-named complainant, seeking a response to this complaint. Your position is available online.

The following URL (website address) below will take you directly to this complaint and you will be able to view the response directly on our website:

…The complainant has been notified of your response.
The BBB believes that your response adequately addresses the disputed issues and/or has exhibited a good faith effort to resolve the complaint. The complaint will close as “Administratively Judged Resolved” and our records will be updated.

If you fail to honor your agreement or if the consumer has information that disputes the accuracy of your firm’s response, we will notify your office with substantiation to support the consumer’s position and the case will be re-opened. Cases will not be re-opened without documentation or good cause…

What To Do If You Receive an Email…

Though you might, at first, be concerned that your business has a disappointed customer, make sure the “complaint” passes the sniff test first. In other words, if you don’t have any clients or customers who pay for your company’s products or services in advance, then it’s unlikely they need to involve the BBB to remedy things.

Question the timing and supposed affiliations referenced in the email. If your business is a CPA firm and the email ties your company to the American Institute of CPAs during tax season, don’t assume it stands to reason so it must be legitimate.

  • DO NOT open any attachments or click on any links to a website.
  • If you are not certain whether the complaint is legitimate, contact your local BBB (www.bbb.org/find).
  • Read emails carefully with a critical eye and look for clues of fakes, such as misspellings, poor grammar, generic or non-specific greetings.
  • Don’t be tricked into reacting too quickly by urgent instructions such as, “Click on the link or your account will be closed.”
  • Delete the email from your computer completely by emptying your “Deleted Items”, “Trash”, or “Recycle Bin”.
  • Forward the email to phishing@council.bbb.org or alert them at https://www.bbb.org/scam/report-a-scam/ so the BBB’s security team can track the fraudsters. The BBB Council warns businesses and consumers that the return email address, riskmanager@bbb.org, is not valid for the BBB.
  • Keep your antivirus software up-to-date at all times by running updates frequently, or better yet, have them set to update automatically. If you’ve already clicked on a link in the e-mail, run a full virus scan of your computer. Using an antivirus, spam filtering, and firewall software helps protect your business against the risks of malware attacks, such as botnets and trojans.

If you're looking for great anti-virus software that won't break the bank, try StopSign. You don't pay extra for tech support for difficult malware, and our web protection software just works. Download & install StopSign to find out why our members choose us over the other options.

Fake Website: What is Spoofing?

By now, chances are you’ve heard the preaching about how important it is to have good, strong passwords – and how your passwords should contain at least twelve digits and be peppered with special characters whenever possible.  You’ve also probably heard you should have a different password for each and every account or website you frequent. And let’s just assume you’re heeding that advice.

Regardless of how long, strong, or clever your passwords may be, none of that matters if you share your passwords with the wrong person.  So it goes without saying that you wouldn’t willingly or knowingly give your password to just anybody. In fact, as wise as you are, you probably wouldn’t share any of your passwords with someone else. However, in spite of your prudent intentions, you might do just that if you’re not extremely careful.

With today’s sophisticated “phishing” and “spoofing” tactics, you could easily be duped into providing your login credentials for a website by typing your user ID and password into what you think is the real website, but in actuality, it’s a very convincing fake.  These lookalike or “spoof” websites appear to be the real thing, so much so that you could easily be lulled into providing your username and password without batting an eye.

It’s important to understand how and why you might end up on a fake website in the first place. Often it starts with a phishing email message you receive. The email is fake and comes from an online scam artist posing as a credible organization that you trust and with which you normally conduct business. The emails can truly seem authentic, containing believable imitations of the company’s logo. But because they are contacting you, and through email no less, you should put your “suspicious” shoes on, even if nothing appears amiss. Here’s what to do if you receive an email like this:

First, if the message seems overly suspicious, don’t open it at all – just delete it.

Secondly, assuming you’ve opened the message, take a look at the actual email address of the sender by hovering your mouse over the sender’s name/address, right-click your mouse to display a menu, then left-click on “Properties” to see if the message is really from who it purports to be from.  In other words, if the email says it’s from Chase Freedom, the email address should end in “chase.com.”  (NOTE:  Just because the email passes this test, doesn’t guarantee you’re in the clear.  It’s easy for hackers to spoof a legitimate email address, so don’t rely solely on this check for verification.) 

Spoof emails usually contain links within the body of the message that take you to other websites.  DO NOT click on them!  First, check for fake links.  Move and hover your mouse over the link in the email message and study the URL, which is usually displayed in your system tray at the lower left portion of your screen.  If it looks suspicious, don’t click it.  Spam (phishing) emails are geared to redirect you to a spoofing website where they’ll ask you to enter your personal information.  Never respond to emails asking for your account related information, such as account number, user ID, and/or passwords.  If you want to be sure you’re visiting the authentic website of a particular organization, it’s safest to open a new browser window and type the URL yourself, such as www.chase.com.

If you have clicked on a link and landed on a website, be sure to verify it’s not a spoofing website – even if everything else looks exactly like the real deal.  It’s possible you’ve been redirected to a webpage resembling the login screen for the business in question. BUT WAIT!  Slow down, take a minute, and think.  Spammers (aka “cyber criminals”) hope you don’t hesitate or take the time to think.  In fact, that’s exactly what they’re counting on! They want you to just plow ahead on “auto-pilot” and enter your user name and password when prompted, without thinking twice.  But if you do and the website is not the “Real McCoy”,  they’ve got what they wanted — your information!

To prevent this, anytime you are prompted by a website to enter information specific to you, whether a login, password, account number, or any other piece of information, make sure you verify you are really on the actual website and not a fake one.

  • Study the website URL in the address bar. For example, make sure it is really “twitter.com” and not a deceivingly close “twiter.com”. Close doesn’t cut it.  If it’s not exact, it’s not the site you want.
  • Some fake websites will insert a false address over the actual, evil address, making it appear as though you’re on a legitimate website. Just because a URL contains the name of the business in it, doesn’t mean it’s legitimate.
  • Also, look for a secure lock icon in your browser where it normally would appear, such as immediately to the right of the address bar if you’re using Internet Explorer. Check to be sure it isn’t a fake icon placed somewhere else on the page just to fool you.
  • Look for “https” before any website address (URL) where you’ll be entering personal information. The “s” stands for secure. If you don’t see “https” you’re not on a secure website and you shouldn’t enter any personal information.
  • Never respond to any online forms or popup windows asking you to login, change or update your user ID or passwords, or provide any other sensitive personal information. Only do this if you’ve initiated the visit to the company’s website yourself by typing the URL directly into your browser’s address bar.

Some of the more commonly spoofed organizations for emails and websites include financial and banking institutions like Chase, Citibank, PayPal, social media outlets, escrow service providers, as well as online commerce websites like eBay.

The intent of spamming and spoofing is to trick you into handing your personal information over to online dirtbags.  They are identity thieves, plain and simple, and they’re hoping you’re not paying attention. Make sure you slow down and scrutinize the emails you receive and verify the websites you visit. It will be worth it!

Reporting Online Fraud and Cybercrime

If you or someone you know becomes the victim of online fraud or any other type of cybercrime (or even just an attempt at it), you need to contact the authorities as soon as possible. Keeping it to yourself can lead to repeated attacks, as well as continued spread of Internet fraud, crime, and even increased distribution of viruses and spyware through crime networks that try to set up shop on your computer.

Depending on what level of fraud and/or cybercrime you’re dealing with, you may have to notify multiple agencies. But regardless of how many places you have to contact, doing so will be the first step to stopping the crooks in their tracks. Please use the list below as a starting point to report any incident:

  • An Important First Step:

    If the fraud you’re reporting is, or becomes, aggressive or threatening in any manner, contact your local authorities. The police in your community should be made aware of any potential threats to you, your family, your home, etc.

  • Get Into The System:

    Head to IC3.gov, the “Internet Crime Complaint Center”. This site is a partnership between several government agencies, including the FBI. The IC3 has an online complaint submission form that you can use to report online fraud and other Internet-related scams.

  • If It’s International…:

    If you feel you’re the victim of an international scam operation, contact econsumer.gov, a coalition of about 2 dozen countries who want to help stop cross-border cybercrime. You may also want to contact a US Secret Service field office to let them know, too.

  • Contact Credit Reporting Companies:

    If you think you’ve been the victim of identity theft, contact any one of the big 3 credit reporting companies. They’ll get your information disseminated to all three. Their contact info is as follows:

Don’t just be a victim of online fraud and cybercrime. Contact the appropriate authorities and government agencies and stop Internet-related crime before it stops you.

The Most Dangerous Threat to Your (Internet) Security.

There’s a threat lurking on your computer right now. A presence so fraught with security holes that to expose it to any malicious element on the Internet would likely result in things such as identity theft, spyware, hacked accounts, and worse. What’s this problem? The problem, my friend, is you.

“Only amateurs attack machines; professionals target people.” Bruce Schneier (computer security expert)

So you’re a danger to yourself and others around you when it comes to Internet security… don’t feel bad. We’re all guilty of it. As humans, we’re notoriously good at being bad: we forget to pick up the milk even though our significant other reminded us, we skip a meal and eat way too much later that night, and we certainly get complacent when it comes to Internet security. And that last thing, that’s what we’re talking about. You can deal with your SO and your doctor on those first two. 🙂

We’ve talked about social engineering before, which is an easy way for hackers and phishers to get information out of you. Instead of breaking into your computer they attempt to break into you, using emails, instant messages, and in some cases even phones or talking to you in real life (both of which are much more rare, but still possible). Once they have gained your trust they begin to break down walls and get at what they really want: your sensitive information. Passwords, account numbers, access codes… anything they can get their hands on that might prove valuable.

In order to stop these people from breaking into your life, you have to train yourself to jog your brain out of complacency when it comes to Internet security. Three of the easiest ways to lock out the bad guys are:

  1. Strong passwords:

    Maybe we’re sounding like a broken record here, but a good password is one of the easiest, and best, deterrents to attacks ranging from account privacy to identity theft. Build yourself a better password.

  2. Trust but verify:

    We’re not suggesting that you live your Internet life in a bubble, just use the same precautions you’d use in the real world. Use some of the tips we wrote in our blog post “5 Simple Tips to Staying Secure Online” and that should cover your bases.

  3. Lock down accounts:

    Your privacy is one of your most important assets online. For every service you use, from your bank to Facebook, make sure that you understand how their security and privacy policies affect you and lock down information such as your physical address and home phone number so that only people you want contacting you can do so.

Reducing the amount of information publicly available about you and keeping up with a few easy Internet security tips will go a long way to keeping you safe… from yourself. 🙂

Verified by Visa Scam: How to Spot the Fake.

Update: Learn about Visa’s (rumored) replacement for Verified by Visa, V.me.

Keep on the lookout for a scam regarding the Verified by Visa (VbV) program, a legitimate security layer set up to provide increased protection for your data for online purchases. Internet scam artists are sending out spam linking to fake versions of the program that do nothing to protect you.

The Verified by Visa program is part of the 3-D Secure protocol (developed by Visa), with similar programs adopted by Mastercard (SecureCode) and JCB (J/Secure). These programs provide an additional authentication step (i.e. a password request) for your online purchases through participating Internet retailers. This added step is set up to help ensure your identity at the time of purchase. Here’s the official word from Visa:

In addition to our other ways of preventing, detecting, and resolving fraud, we offer Verified by Visa, a free, simple-to-use service that confirms your identity with an extra password when you make an online transaction.

Phishers are casting their lines and looking for new victims. The bait they’re using is usually an email that looks like the real deal, but ultimately leads to a scam website that tries to get you to submit your credit card number and other information under the guise of the Verified by Visa program. Luckily we’ve got three suggestions for you to protect yourself from getting caught by this scam:

  1. Scrutinize your email:

    Most Verified by Visa phishing attempts start with an official-looking email that requests you to join. However, Visa isn’t sending out emails to customers in order to get them to sign up. The usual way you’d get the Verified by Visa sign up option is through a participating retailer as you begin the checkout process on their website. If you receive one of these emails, call your Visa provider and ask them to verify if the email is legit. Chances are it’s not.

  2. Watch where you’re surfing:

    If you do happen to click on the link from your email, be careful. Phishers and other scam artists are great at copying real websites and making their VbV scam version look legitimate. Check the URL, or web address, that you’re on to make sure you’re on the real site. See our blog post entitled “How to Spot a Fake Website” for more information.

  3. Go to the source:

    If you’re interested in signing up for the Verified by Visa program or learning more about it, visit the official Verified by Visa FAQ.

As always, be wary of emails in your inbox asking you to sign up for anything or giving you a link to click on to enter any of your information.

Census Scams Strike at Citizens.

If you live in the United States, you’ve probably already heard that the 2010 US Census is making its way across the country. What you may not know, however, is that with the Census comes a legion of fraudsters trying to pull a fast one on folks like you and me.

We’d like to remind everyone that the 2010 US Census will only arrive in a physical mail box, and not your email inbox or anywhere online! Scammers are already hard at work sending phishing emails and setting up fake web sites, trying to get people to reveal personal and/or financial information for the Census. Do not respond to these US Census scam emails and web sites! They’ll only lead to scams, phishing, and worse.

The US Census Bureau has a Fraudulent Activity and Scams web page that gives more information on how they’ll contact you:

  • The Census Bureau does NOT conduct the 2010 Census via the Internet
  • The Census Bureau does not send emails about participating in the 2010 Census
  • The Census Bureau never:
    • Asks for your full social security number
    • Asks for money or a donation
    • Sends requests on behalf of a political party
    • Requests PIN codes, passwords or similar access information for credit cards, banks or other financial accounts.

For more details on official US Census policy, visit the US Census web site.
