Posts with «financial fraud prevention» label

FBI warns crypto fraud on LinkedIn is a 'significant threat'

If you have a tendency to talk to people you don't know on LinkedIn, you may want to take extra care. According to a CNBC report, the company has acknowledged a "recent uptick of fraud on its platform," and this time the scams involve persuading users to make investments in cryptocurrency. It's been deemed a "significant threat" by Sean Ragan, the FBI's special agent in charge of the San Francisco and Sacramento field offices in California, who spoke to the outlet.

CNBC said the schemes typically begin with someone posing as a professional and reaching out to LinkedIn users. The scammer engages in small talk and offers to help the target make money through crypto investments. At first the target is steered to a legitimate crypto investment platform, but the scammer, "after gaining their trust over several months, tells them to move the investment to a site controlled by the fraudster." Thereafter, the money is "drained from the account."

According to victims interviewed by CNBC, the fact that they trusted LinkedIn as a platform for networking lent credibility to the investment offers. 

Ragan told CNBC that "the FBI has seen an increase in this particular investment fraud," which the outlet said "is different from a long-running scam in which the criminal pretends to show a romantic interest in the subject to persuade them to part with their money."


In a statement published yesterday, LinkedIn encouraged users to report suspicious profiles. The company's director of trust, privacy and equity Oscar Rodriguez told CNBC that "trying to identify what is fake and what is not fake is incredibly difficult."

LinkedIn's article urges users to "only connect with people you know and trust" and to "be wary of... people asking you for money who you don't know in person." The company added "This can include people asking you to send them money, cryptocurrency, or gift cards to receive a loan, prize, or other winnings."

It also lists "job postings that sound too good to be true or that ask you to pay anything upfront" and "romantic messages or gestures, which are not appropriate on our platform" as signs of potential fraud attempts.

LinkedIn isn't relying solely on user reports as its defense against scammers on its platform. "While our defenses catch the vast majority of abusive activity, our members can also help keep LinkedIn safe, trusted, and professional," Rodriguez wrote in the statement. LinkedIn also reported that "96% of detected fake accounts and 99.1% of spam and scams are caught and removed by our automated defenses."

FTC says victims of crypto scams have lost more than $1 billion since 2021

The world of crypto continues to draw scam artists and fraud. People have reported losing a combined total of over $1 billion due to crypto scams since the beginning of 2021, according to an FTC report released today. From January 2021 through March of this year, more than 46,000 individuals filed a crypto-related fraud report with the agency. The median individual reported loss in these reports was $2,600.

Perhaps ironically, the coins most often used in scams are the two most widely used cryptocurrencies plus a top stablecoin. Bitcoin was the payment method in 70 percent of scams, followed by Tether (10 percent) and Ether (9 percent). Ether is the primary currency for NFTs, a relatively new crypto market in which fraudsters and hackers have thrived.

Crypto investment scams were the most common type of scam reported to the FTC, accounting for an estimated $575 million in losses. Normally these scams target amateur investors by promising them large returns in exchange for an initial investment.

“Investment scammers claim they can quickly and easily get huge returns for investors. But those crypto 'investments' go straight to a scammer’s wallet,” wrote the FTC’s Emma Fletcher in a blog post.

Romance scams also account for a large slice of reported losses, totaling $185 million. Many of these scammers reach individuals via social media or dating apps. A type of dating app scam known as "pig slaughtering" (more commonly called "pig butchering"), in which criminals build a fake relationship with a victim in order to con them into investing in crypto, has become more common, CoinTelegraph reported.

It's important to note that the FTC report is only a small snapshot of how much crypto fraud has truly occurred, since the agency relies on direct reports submitted by victims. An FTC paper estimated that less than five percent of fraud victims report to a government entity, and likely an even smaller number report to the FTC. As crypto has become more popular, the number of scams has also increased. Blockchain analytics firm Chainalysis estimated that illicit addresses received over $14 billion in crypto last year, nearly twice the amount in 2020.

Democratic lawmakers want FTC to investigate controversial identity firm ID.me

A group of Democratic lawmakers led by Senator Ron Wyden of Oregon is calling on the Federal Trade Commission to investigate ID.me, the controversial identification company best known for its work with the Internal Revenue Service. In a letter addressed to FTC Chair Lina Khan, the group suggests the firm misled the American public about the capabilities of its facial recognition technology.

Specifically, lawmakers point to a statement ID.me made at the start of the year. After CEO Blake Hall said the company did not use one-to-many facial recognition, an approach that involves matching images against those in a database, ID.me backtracked on those claims. It clarified it uses a “specific” one-to-many check during user enrollment to prevent identity theft.

Following that statement, the IRS began to distance itself from ID.me, announcing it would reconsider its use of the platform in late January. It subsequently began allowing taxpayers to authenticate their identity without the use of facial recognition. But as the letter points out, many state and federal agencies continue to require Americans to submit photos and documents to ID.me before they can access vital services, including unemployment insurance.

“Americans have particular reason to be concerned about the difference between these two types of facial recognition,” the senators write of ID.me’s turnaround, noting a one-to-many approach inevitably means millions of people will have their photographs “endlessly” accessed. “Not only does this violate individuals’ privacy, but the inevitable false matches associated with one-to-many recognition can result in applicants being wrongly denied desperately-needed services for weeks or even months as they try to get their case reviewed.”

The group is asking the FTC to determine whether ID.me, in making those statements, committed "deceptive and unfair business practices." The company already faces an investigation from the House Oversight and Reform Committee. In a statement shared with Bloomberg, ID.me declined to comment on the specific concerns in Senator Wyden's letter and instead pointed to its track record of preventing unemployment fraud.

“ID.me played a critical role in stopping that attack in more than 20 states where the service was rapidly adopted for its equally important ability to increase equity and verify individuals left behind by traditional options,” the company said. “We look forward to cooperating with all relevant government bodies to clear up any misunderstandings.”

Mining Capital Coin CEO indicted in $62 million crypto fraud scheme

Mining Capital Coin CEO and founder Luiz Capuci Jr. was accused by the DOJ, in an indictment unsealed yesterday, of running a $62 million global investment fraud scheme. He's the latest of several crypto company heads to be charged on similar grounds recently.

Through his company, Capuci convinced investors to purchase “Mining Packages," a global network of cryptocurrency mines that promised a certain return on investment every week. But instead of using investors’ funds to mine cryptocurrency as he promised, the DOJ alleges that Capuci diverted the funds to his own cryptocurrency wallets. Another MCC product known as “Trading Bots” operated under the same false pretenses. Capuci claimed that the bots operated in “very high frequency, being able to do thousands of trades per second” and promised investors daily returns.

“As he did with the Mining Packages, however, Capuci allegedly operated an investment fraud scheme with the Trading Bots and was not, as he promised, using MCC Trading Bots to generate income for investors, but instead was diverting the funds to himself and co-conspirators,” wrote the DOJ in its indictment.

MCC seemed to have all the workings of a pyramid scheme. Capuci recruited affiliates and promoters to lure investors. In return, he promised the promoters a number of lavish gifts, including Apple watches, iPads and luxury vehicles.

Currently the FBI’s Miami Field Office is investigating the case. The DOJ has charged Capuci, who is from Port St. Lucie, Florida, with conspiracy to commit wire fraud, conspiracy to commit securities fraud and conspiracy to commit international money laundering. If found guilty, he faces a maximum sentence of 45 years.

In a review of the cryptocurrency mining platform, crypto blogger Peter Obi noted that the combination of MCC’s $50 monthly fee for membership and its steep 3% withdrawal fee meant that investors were unlikely to make a profit unless they referred other investors. He pointed out that such a referral process was “particularly worrying” because it was consistent with other past crypto scams.

Indeed, a number of crypto leaders have been accused by authorities of running Ponzi schemes in recent years. Earlier this year the DOJ indicted Bitconnect founder Satishkumar Kurjibhai Kumbhani for allegedly running a $2 billion Ponzi scheme — believed to be the largest virtual currency pyramid scheme in history.

Capuci never registered his company with the SEC. The agency today issued a fraud alert for the company. According to the SEC press release, Capuci and his associates successfully convinced 65,535 investors to purchase mining packages worldwide and promised daily returns of one percent, paid weekly for over a year. In total, the group netted $8.1 million from the sale of the mining packages and $3.2 million from initiation fees.

UK police charge two teens in connection with Lapsus$ hacking group case

After arresting seven alleged members of the hacking group Lapsus$ last week, London police have charged two of them with multiple computer crimes. The teenagers, aged 16 and 17, remain in police custody in connection with the investigation.

"Both teenagers have been charged with: three counts of unauthorized access to a computer with intent to impair the reliability of data; one count of fraud by false representation and one count of unauthorized access to a computer with intent to hinder access to data," the City of London Police said in a news release. "The 16-year-old has also been charged with one count of causing a computer to perform a function to secure unauthorized access to a program. They will both appear at Highbury Corner Magistrates Court this morning (April 1st)."

Lapsus$ claimed to have downloaded 37GB of Microsoft source code for key products like Bing and Cortana, along with mobile apps. The group also reportedly compromised identity and MFA provider Okta, forcing the company to admit that it made a mistake in the way it handled the attack.

One of the teens arrested was reportedly a 16-year-old Oxford resident known as "Breachbase" or "White," who is said to have made the equivalent of $14 million in Bitcoin. London police have not released any names, however, noting that the people charged are juveniles and that reporting any identifying information about them is prohibited.

RIAA goes after NFT music website HitPiece

HitPiece may have already shut down its website after several artists spoke up about their work being used without their permission, but the Recording Industry Association of America (RIAA) isn't letting it off the hook. The organization has sent the attorney representing HitPiece a letter demanding that the website and its founders stop infringing on music IP, provide a complete list of site activities and account for all NFTs that were auctioned off. It also wants to know how much the website earned. HitPiece founder Rory Felton previously said that artists will get paid for sold digital goods that are associated with them, but the artists who spoke up are skeptical that they'll get anything.

In the letter, the group repeatedly called HitPiece a scam operation designed to exploit fans. RIAA's Chief Legal Officer Ken Doroshow said it used "buzzwords and jargon" to hide the fact that it didn't obtain the rights it needs and to make fans believe they were purchasing an article genuinely associated with an artist. Doroshow added: "While the operators appear to have taken the main HitPiece site offline for now, this move was necessary to ensure a fair accounting for the harm HitPiece and its operators have already done and to ensure that this site or copycats don't simply resume their scams under another name."

Although HitPiece branded itself as a platform for music NFTs, its founders claimed that it didn't actually sell any sound files. The RIAA argues, however, that it still used artists' names, images and copyrighted album art. Further, if it truly didn't sell any sound files, the RIAA says that "likely amounts to yet another form of fraud."

Social media scammers stole at least $770 million in 2021

The last year has been a boon for social media scammers, according to a new report from the FTC. The agency says more than 95,000 people lost $770 million to scammers who found them via social media platforms in 2021. That’s more than double the $258 million they say scammers made off with in 2020.

The report doesn't speculate on why there was such a big increase in 2021, but it notes that reports of scams have "soared" over the last five years. It also states that there was a "massive surge" in scams related to "bogus cryptocurrency investments" and that investment scams accounted for nearly $285 million, more than a third of the $770 million lost last year.

Romance scams have also “climbed to record highs in recent years,” according to the report. “These scams often start with a seemingly innocent friend request from a stranger, followed by sweet talk, and then, inevitably, a request for money,” the FTC says. Also prevalent are scams related to online shopping, most of which involve “undelivered goods” that were purchased as the result of an ad on social media.

Of note, Facebook and Instagram are the only two platforms named in the report. "More than a third of people who said they lost money to an online romance scam in 2021 said it began on Facebook or Instagram," the report states. Likewise, the FTC says Facebook and Instagram were the platforms most commonly cited in reports of undelivered goods, with the two apps named in 9 out of 10 such reports where a service was identified.

“We put significant resources towards tackling this kind of fraud and abuse,” a spokesperson for Meta said in a statement. “We also go beyond suspending and deleting accounts, Pages, and ads. We take legal action against those responsible when we can and always encourage people to report this behavior when they see it.”

Interestingly one of the FTC’s recommendations is that users try to opt out of targeted advertising when possible as scammers can “easily use the tools available to advertisers on social media platforms to systematically target people with bogus ads based on personal details such as their age, interests, or past purchases.” The agency also recommends users lock down their privacy settings and to be wary of any messages asking for money, especially in the form of cryptocurrency or gift cards.

ID.me says it uses more powerful facial recognition than previously claimed

The CEO of ID.me, a service used by dozens of states to verify unemployment benefits claimants as well as several federal agencies, has walked back previous claims that the company does not use a more powerful method of facial recognition.

https://t.co/hNfdvMYFQe Founder and CEO @Blake_Hall issues an important statement around "1 to Many" check on selfies to combat identity theft.

To learn more about the example of Eric Jaklitsch of New Jersey referenced in the statement below, visit: https://t.co/OLQX1gAhYL

— ID.me (@IDme) January 26, 2022

"ID.me uses a specific '1 to Many' check on selfies tied to government programs targeted by organized crime to prevent prolific identity thieves and members of organized crime from stealing the identities of innocent victims en masse," Blake Hall said in a statement. "This step is internal to ID.me and does not involve any external or government database."

That contrasts with comments Hall made earlier this week. "Our 1:1 face match is comparable to taking a selfie to unlock a smartphone," he said. "ID.me does not use 1:many facial recognition, which is more complex and problematic."

In 1:many (1:N) identification, a probe image is searched against a gallery of many enrolled faces to find out who, if anyone, it matches; in 1:1 verification, the probe is compared only against the single reference belonging to the identity the user claims. For 1:1 matching, ID.me compares a user's selfie against the piece of government ID they upload. The practical difference is that a 1:N search performs N comparisons, so at the same matching threshold the chance of at least one false match grows with the size of the gallery.
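As an added illustration (editor's example, not ID.me's code; the article does not describe its matcher), the following Python models each template comparison as an independent trial with a hypothetical false match rate and shows how the chance of at least one false match grows with gallery size in a 1:N search, and how far the per-comparison threshold would have to be tightened to bring 1:N back to the 1:1 rate. Every error rate and gallery size below is an assumption.

```python
"""Added example (editor's illustration, not ID.me's code or a description of
its matcher): why a 1:N search produces more false matches than a 1:1 check
at the same per-comparison threshold.

Model assumption (hypothetical): each template comparison independently
false-matches with probability FMR. Real matchers' error rates and ID.me's
gallery size are not stated in the article; the numbers below are
illustrative only.
"""
import math


def false_match_probability(fmr: float, gallery_size: int) -> float:
    """Probability that a probe from a person who is NOT enrolled matches at
    least one of `gallery_size` templates.

    gallery_size == 1 is the 1:1 verification case; larger values are 1:N.
    Uses log1p/expm1 so tiny FMRs do not lose precision.
    """
    if not 0.0 <= fmr <= 1.0:
        raise ValueError("fmr must be a probability")
    if gallery_size < 1:
        raise ValueError("gallery must hold at least one template")
    if fmr == 1.0:  # log1p(-1) is undefined; every comparison matches
        return 1.0
    # P(>=1 false match) = 1 - (1 - fmr) ** N
    return -math.expm1(gallery_size * math.log1p(-fmr))


def expected_false_flags(fmr: float, gallery_size: int, applicants: int) -> float:
    """Expected number of legitimate first-time applicants whose enrollment
    selfie falsely hits an existing template and is diverted to manual
    review (the delay the senators' letter describes)."""
    return applicants * false_match_probability(fmr, gallery_size)


def per_comparison_fmr_for_target(target: float, gallery_size: int) -> float:
    """Per-comparison FMR a 1:N search would need so that its overall
    false-match probability equals `target` (e.g. the 1:1 rate).
    Tightening the threshold this far raises the false NON-match rate,
    i.e. more real users fail to verify."""
    # Solve 1 - (1 - f) ** N = target for f.
    return -math.expm1(math.log1p(-target) / gallery_size)


if __name__ == "__main__":
    FMR = 1e-6  # hypothetical per-comparison false match rate
    for n in (1, 10_000, 1_000_000, 10_000_000):
        p = false_match_probability(FMR, n)
        flags = expected_false_flags(FMR, n, 100_000)
        print(f"gallery={n:>11,}  P(false match)={p:.6f}  "
              f"expected false flags per 100k applicants={flags:.1f}")
    needed = per_comparison_fmr_for_target(FMR, 1_000_000)
    print(f"per-comparison FMR needed at N=1,000,000 to match the 1:1 rate: {needed:.3e}")
```

With a per-comparison rate of one in a million, a 1:1 check false-matches one applicant in a million, while a search over a million-template gallery false-matches roughly 63 percent of not-yet-enrolled applicants; holding the 1:N rate at the 1:1 level would need a per-comparison rate around one in a trillion, which no threshold reaches without rejecting many genuine users.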

Privacy advocates have criticized both approaches. Research has indicated that some facial recognition systems struggle to identify people with darker skin tones, and concerns have been raised about the security risks of storing biometric data.

Hall said ID.me's 1:many check "occurs once during enrollment, and exists to make sure a single attacker is not registering multiple identities. This step is not tied to identity verification. It does not block legitimate users from verifying their identity, nor is it used for any other purpose other than to prevent identity theft."

He claimed data shows that dropping the 1:many check "would immediately lead to significant identity theft and organized crime. The 1:1 Face Match step is the only step used to verify identity as explained in our earlier reports."

According to Cyberscoop, some ID.me workers expressed concern that the company's public statements didn't align with what it was actually doing. "We could disable the 1:many face search, but then lose a valuable fraud fighting tool. Or we could change our public stance on using 1:many face search,” an engineer is said to have posted to an ID.me Slack channel this week. “But it seems we can’t keep doing one thing and saying another as that’s bound to land us in hot water.”

“If companies and the government have to lie about facial recognition in an effort to avoid public scrutiny, they shouldn’t be using it,” Fight for the Future campaign director Caitlin Seeley George said in a statement. “We already know this company is willing to say anything in order to get more government contracts. The CEO of ID.me has been peddling erroneous numbers about unemployment benefit fraud, but the fact that the IRS knew about this discrepancy is a big problem. The only responsible thing for the IRS and any other state or federal agency using ID.me to do is to stop these contracts immediately.”

ID.me came back under the spotlight recently after cybersecurity reporter Brian Krebs tried to set up an account, which will be required to log into the Internal Revenue Service's online portal by this summer. Krebs ran into difficulties during the verification process, and ID.me placed him in a queue to join a video call with a live agent. The system gave Krebs an estimated wait time of three hours and 27 minutes.

Hall said ID.me works with 10 federal agencies, 30 states and 540 companies. Last year, some users reported having to wait months to receive their benefits after the system failed to verify their identity. In some cases, folks said they had no success with the video chat system either.

FlexBooker online appointment service breach exposes data of 3.7 million users

A group of hackers is trading a database of stolen information from FlexBooker, a cloud-based tool for scheduling appointments, containing sensitive customer data. According to BleepingComputer, the company suffered a security breach before the holidays and notified its customers about the attack in an email, where it revealed that its Amazon Web Services (AWS) servers were compromised on December 23rd. It also admitted that its system data storage was accessed and downloaded.

Based on information from Have I Been Pwned, the breach compromised 3.7 million accounts containing email addresses, names, passwords, phone numbers and partial credit card numbers. BleepingComputer says a group called Uawrongteam took credit for the attack and shared links to archives with the stolen data, which the group claimed also include users' drivers' licenses, other IDs, password salts and hashed passwords. FlexBooker's typical customers are people who need to be able to quickly schedule appointments with clients, such as doctors, lawyers, dentists, gyms, mechanics, salons, trainers, therapists and so forth.
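An added example (editor's illustration, not FlexBooker's code; the report does not say which hashing scheme FlexBooker used) of what a leaked salt-plus-hash pair gives an attacker: the salt is not secret, so against a fast hash (salted SHA-256 is assumed here as a stand-in) an offline dictionary attack runs at full speed, whereas a memory-hard KDF such as scrypt makes each guess expensive. The wordlist, salt and cost parameters are constructed for the example.

```python
"""Added example (editor's illustration, not FlexBooker's code). The report
does not say which hash FlexBooker used; the salted SHA-256 scheme below is
an assumed stand-in for any fast hash, chosen to show why leaked
"password salt and hashed passwords" are still a credential exposure.

A salt is not a secret. It defeats precomputed tables and forces one
computation per (user, guess), but against a fast hash an attacker holding
the (salt, hash) pair can still guess offline at full speed. A slow,
memory-hard KDF (scrypt, from the standard library) makes each guess cost
real CPU time and memory, which is the property a breach response should
check for before deciding how urgently to force resets.
"""
import hashlib
import hmac
import os
import time
from typing import Callable, Iterable, Optional

# Constructed demo wordlist; real attackers use lists with billions of entries.
WORDLIST = ["password", "letmein", "Spring2021!", "flexbooker", "correct horse"]


def fast_salted_hash(password: str, salt: bytes) -> bytes:
    """The weak scheme being attacked (assumed): SHA-256 over salt || password."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def crack_salted_hash(salt: bytes, target: bytes, wordlist: Iterable[str],
                      hash_fn: Callable[[str, bytes], bytes] = fast_salted_hash
                      ) -> Optional[str]:
    """Offline dictionary attack: the salt is known, so each candidate is
    hashed exactly as the application would and compared to the leaked
    value. Works against any deterministic hash_fn; only its speed differs."""
    for guess in wordlist:
        if hmac.compare_digest(hash_fn(guess, salt), target):
            return guess
    return None


# scrypt cost parameters: illustrative, tune so one hash takes ~100 ms on the
# server that runs logins. Memory per hash is 128 * n * r bytes (16 MiB here).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def slow_kdf_hash(password: str, salt: bytes) -> bytes:
    """The hardened scheme: memory-hard KDF, same salt handling."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def verify(password: str, salt: bytes, stored: bytes,
           hash_fn: Callable[[str, bytes], bytes] = slow_kdf_hash) -> bool:
    """Constant-time comparison for the login path."""
    return hmac.compare_digest(hash_fn(password, salt), stored)


if __name__ == "__main__":
    salt = os.urandom(16)  # the salt would be in the leaked dump alongside the hash
    leaked = fast_salted_hash("Spring2021!", salt)
    t0 = time.perf_counter()
    print("fast hash cracked:", crack_salted_hash(salt, leaked, WORDLIST),
          f"in {time.perf_counter() - t0:.6f}s")
    leaked_slow = slow_kdf_hash("Spring2021!", salt)
    t0 = time.perf_counter()
    print("scrypt cracked:", crack_salted_hash(salt, leaked_slow, WORDLIST, slow_kdf_hash),
          f"in {time.perf_counter() - t0:.3f}s (same wordlist, far higher per-guess cost)")
```

Both schemes fall to the same five-word list, which is the point: the salt changes nothing about guessability, only the per-guess cost does, and users whose hashes leak should be forced to reset regardless of how they were stored.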

In FlexBooker's email to users, it said the infiltrators failed to get "any credit card or other payment card information." We're guessing the company didn't take the stolen partial credit card numbers into account. Before FlexBooker, Uawrongteam previously claimed other data breaches and also traded databases with stolen information from its previous targets. They include data from Racing.com, a digital TV network that broadcasts horse racing, and from rediCASE, a case management software solution for health services and other businesses.

New breach: Online booking service FlexBooker had 3.7M accounts breached last month. Data included email addresses, names, phone numbers and for some accounts, partial credit card data. 69% were already in @haveibeenpwned https://t.co/LGaAnj1hUA

— Have I Been Pwned (@haveibeenpwned) January 6, 2022

FCC proposes new rules to combat SIM swapping scams

SIM swapping scams have been on the rise these past couple of years, and since many online services send password-reset links and two-factor codes by SMS, hijacking a phone number can hand an attacker a victim's accounts and ruin their lives. Now, the Federal Communications Commission is seeking to create new rules that would help prevent SIM swapping scams and port-out fraud, both of which are techniques for hijacking people's phone numbers and identities.

The commission said it has received numerous complaints from consumers "who have suffered significant distress, inconvenience and financial harm" as a result of both hijacking methods. SIM swapping is a technique wherein a bad actor convinces a wireless carrier to move a victim's service and number to a SIM card, and thus a phone, that the attacker controls. When a bad actor instead transfers the victim's number to an account at another carrier, that's called port-out fraud.

To make it harder for scammers to gain control of potential victims' phone numbers, the FCC wants to amend the Customer Proprietary Network Information (CPNI) and Local Number Portability rules. In particular, it wants to require providers to adopt more secure methods in authenticating a person's identity before agreeing to transfer their service to a new phone or to another carrier. The commission also proposes a rule that would require providers to notify customers whenever a SIM switch or a port-out request is made on their accounts. 
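As an added example, not part of the FCC proposal or any carrier's or service's code, here is how a service that relies on SMS codes could act on the SIM-change and port-out notifications the proposal describes: treat SMS one-time codes as untrusted for a risk window after a carrier-reported change and require a different factor. The event types, the 72-hour window and the sample events are all assumptions constructed for the example.

```python
"""Added example (editor's illustration, not the FCC's proposed rule text or
any carrier's or service's code).

Shows how a relying service can consume the notifications the FCC proposal
would require: once the carrier reports that a number's SIM was changed or
the number ported out, SMS one-time codes sent to that number are treated
as untrusted for a risk window and sensitive requests are pushed to a
factor the attacker does not control.

Assumptions (hypothetical): event types and field names are made up for
this example, the 72-hour window is an illustrative policy value, and the
events themselves are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable

RISK_WINDOW = timedelta(hours=72)  # illustrative policy, not an FCC figure

NUMBER_TAKEOVER = {"sim_change", "port_out"}          # carrier-reported changes
SMS_FACTOR_USE = {"sms_otp_login", "sms_otp_reset"}   # service relied on an SMS code


@dataclass(frozen=True)
class Event:
    id: str
    ts: datetime
    phone: str   # E.164 number, e.g. "+15555550101" (constructed)
    kind: str


def flag_risky_requests(events: Iterable[Event],
                        window: timedelta = RISK_WINDOW) -> Dict[str, str]:
    """Return {request_id: reason} for every SMS-code-based request that
    arrived within `window` after the most recent carrier-reported SIM
    change or port-out on the same number. Events may arrive out of order,
    so they are sorted by timestamp first; a change reported *after* a
    request does not retroactively flag it."""
    last_change: Dict[str, Event] = {}
    flagged: Dict[str, str] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind in NUMBER_TAKEOVER:
            last_change[ev.phone] = ev
        elif ev.kind in SMS_FACTOR_USE:
            change = last_change.get(ev.phone)
            if change is not None and ev.ts - change.ts <= window:
                age = ev.ts - change.ts
                flagged[ev.id] = (f"{ev.kind} {age} after {change.kind} "
                                  f"({change.id}); require a non-SMS factor")
    return flagged


# Constructed sample events (not real subscribers or incidents).
SAMPLE_EVENTS = [
    Event("c1", datetime(2022, 1, 10, 9, 0),   "+15555550101", "sim_change"),
    Event("r1", datetime(2022, 1, 10, 11, 30), "+15555550101", "sms_otp_reset"),  # 2.5 h later: flag
    Event("r2", datetime(2022, 1, 5, 8, 0),    "+15555550102", "sms_otp_login"),
    Event("c2", datetime(2022, 1, 6, 8, 0),    "+15555550102", "sim_change"),     # change after use: no flag
    Event("c3", datetime(2022, 1, 1, 0, 0),    "+15555550103", "sim_change"),
    Event("r3", datetime(2022, 1, 9, 0, 0),    "+15555550103", "sms_otp_login"),  # 8 days later: outside window
    Event("c4", datetime(2022, 1, 12, 8, 0),   "+15555550104", "port_out"),
    Event("r4", datetime(2022, 1, 12, 8, 5),   "+15555550104", "sms_otp_login"),  # 5 min after port-out: flag
]

if __name__ == "__main__":
    for rid, why in flag_risky_requests(SAMPLE_EVENTS).items():
        print(rid, "->", why)
```

The same logic applies whether the change signal comes from a carrier notification to the customer, a carrier-side SIM-change lookup, or the service's own record of a phone number being updated; in each case the point is that an SMS code proves control of the number, not of the person, for as long as the window lasts.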

As part of the FCC's rulemaking process, the public can now comment on these proposals. The commission still has to review those comments and offer the public another chance to make their voices heard before it can decide whether to amend the aforementioned rules.