Con Watch: Beware of Phony Shopping Sites

Steve Weisman is a lawyer, college professor, author, and one of the country’s leading experts in cybersecurity, identity theft, and scams. See Steve’s other Con Watch articles.

Like just about every other aspect of our lives, retail shopping has moved online. According to a Pew Research study from 2016, 8 out of 10 Americans are shopping online.

While shopping online is certainly easy and convenient, it also can be dangerous. There is a good chance that you will end up at a bogus, counterfeit website rather than the real online retailer. A recent study done by cybersecurity company Proofpoint found that malicious fraudulent websites increased by 11 percent in 2018 and that scammers had created phony websites mimicking 85 percent of all retailers.

Many of these phony websites appear legitimate. It is relatively easy to set up a website that looks just like the website of a trusted retailer, and it takes little or no skill to include counterfeit logos of legitimate companies in the phony retail websites.

In many instances, these phony websites’ domain names appear exactly the same as the real retailers’. For example, while the domain name for the legitimate online retailer may end in the familiar “.com,” the fake website’s domain may end in “.net” or any of the other top level domains. As a consumer this can be easy to miss.

In other instances, the scammers may register a domain name that changes one or two letters in the legitimate name that can be easily overlooked, such as replacing the letter “m” with “r” and “n” which may not be noticed by the consumer.

The problem comes when you, as a consumer, go to one of these phony websites and provide your username, password and credit card to the scammers who set up the phony website.

Making things worse, one of the things we have always relied upon to distinguish legitimate from counterfeit websites is to look for websites whose names start with “https” instead of “http.” The “s” in “https” indicates that the website is encrypted and safe. However, according to Proofpoint, about 25 percent of the phony websites post bogus “https” security certificates and phony padlock icons to fool unsuspecting consumers. Sadly, it now appears that you can’t even rely on “https” anymore.

Many of these fraudulent websites lure customers through phishing emails in which a link to the phony website appears. Never click on links to websites contained in such emails. Always type in the name of the website independently yourself and make sure that you do not make any typographical errors that can lead you to a phony website. Always check the domain name of the website to be sure you are on the correct website before entering your username, password or credit card number.

So how do you keep yourself from being scammed?

If you have any concerns about a website, go to, where you can find reviews about particular merchants and see if they are legitimate. If a merchant is not even listed there, they probably are fraudulent. It generally is a good idea to buy only from established companies with whom you are familiar.

You can also go to and find out who actually owns the website. If it doesn’t match who they say they are, you should stay away from it. For instance, while a website may appear to be a legitimate store such as Walmart or Target, whois may show that the particular website you are on is registered to someone in Nigeria, which would be a good indication that it is a scam.

Finally, some good advice whether you are shopping online or at a brick-and-mortar store is to always use your credit card rather than your debit card. Under Federal law, you cannot be assessed more than $50 for fraudulent purchases made by someone using your credit card, and most credit card companies charge nothing. However, the potential liability of a debit card has been compromised can reach the value of your entire bank account if you do not report the crime promptly. Even if you do report the theft promptly, your access to your bank account is frozen while the bank investigates the crime.

Featured image: Shutterstock.

Con Watch: Why You Need to File Your Equifax Claim Now

Steve Weisman is a lawyer, college professor, author, and one of the country’s leading experts in cybersecurity, identity theft, and scams. See Steve’s other Con Watch articles.

It was two years ago that Equifax, one of the three large credit reporting agencies, suffered a major data breach in which personal data of more than 147 million people was stolen. The personal information included the names, dates of birth, and Social Security numbers

The sad truth is that the data breach was avoidable, having been caused by hackers who exploited a vulnerability in an Apache software program used by Equifax. Apache had issued a security update months earlier, which Equifax failed to install in a timely manner. As a result of the negligence of Equifax, charges were brought by various state and federal agencies. The Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB) and all but two of the states’ Attorneys General have settled their claims against Equifax.

Individual claims under the settlement are now being accepted, although the settlement still is awaiting court approval, which is expected to occur on December 19, 2019. The first step for everyone is to find out if your personal information was affected by the data breach.

If you find that you were one of the 147 million people affected, here is a list of what you may receive under the terms of the settlement.

  1. Free credit monitoring for four years at all three credit bureaus — Equifax, Experian and TransUnion — and six more years of free credit monitoring at just Equifax. If you already have credit monitoring, you can choose to receive $125.
  2. Additional cash payments of as much as $20,000 for expenses you paid out of pocket in response to the Equifax data breach. These reimbursement payments are intended to cover data breach related payments made by you such as the costs of freezing and unfreezing your accounts (which until last September cost between $3 and $12 each time you froze and unfroze your credit reports), credit monitoring, and fees paid to accountants or lawyers related to the data breach.
  3. Payments related to the time you spent dealing with the data breach at a rate of $25 per hour. If your claim is for ten hours or less, you are required to describe the actions you took, such as freezing your credit reports at each of the three credit reporting agencies and the time that you spent on these activities. If your claim is for more than ten hours, in addition to describing what you did, you must also provide copies of documents showing that you were a victim of identity theft or other problems related to misuse of your information.
  4. Seven years of free access to assistance through identity theft restoration services in the event that you do become a victim of identity theft.
  5. Beginning next year, you can get seven free credit reports each year for the next seven years from Equifax, upon request. (Federal law already provides that you can get one free credit report annually from each of the three major credit reporting agencies.)

While many news reports of the settlement indicate that Equifax will be paying $700 million to settle the claims against it brought by the various federal agencies and states’ Attorneys General, that number is extremely misleading. Only $425 million of that amount is earmarked for the benefit of consumers, and only $31 million of that amount is allocated toward the $125 cash payments. The remaining $394 million allocated toward consumers goes toward paying for the cost of the credit monitoring provided for in the settlement and the reimbursement payments. In addition, once the $31 million dollars earmarked for individual $125 payments is exhausted, the payments will be reduced. Therefore, it is important for you to file a claim as soon as possible in order to receive the full $125. All claims must be filed no later than January 22, 2020. Note that no payments will be sent until after the settlement receives judicial approval, which is expected in December.

If you choose to receive free credit monitoring, once the settlement has been approved by the court and your claim has been approved, you will receive an activation code and instructions by your choice of email or regular mail. Cash payments will be made by check or debit card sent by mail once the settlement and your claim have been approved.

If you wish to opt out of the settlement and sue Equifax on your own, you must do so by filing a request for exclusion by mail no later than November 19, 2019. However, I cannot imagine any situations where it would be worth your while to do so.

Another aspect of this data breach that has been hardly reported on is that in the two years since the data breach occurred, none of the data stolen in the data breach has been put up for sale on the Dark Web, that part of the Internet where criminals buy and sell goods and services. Generally, following data breaches, the information is promptly marketed on the Dark Web as soon as possible to maximize profits. To date, there have been no reports of identity theft attributable to the stolen information. This has led many experts, myself included, to conclude that similar to the 2015 massive data breach at the federal Office of Personnel Management, this data breach may well be the work of the Chinese government, which undertakes such activities as a part of intelligence gathering and not for profit making.

Featured image:

Con Watch: Protecting Yourself from Data Breaches

Steve Weisman is a lawyer, college professor, author, and one of the country’s leading experts in cybersecurity, identity theft, and scams. See Steve’s other Con Watch articles.

Recently, the Marriott hotel chain announced that it had suffered a major data breach involving its Starwood guest reservation database. Starwood is a group of hotels bought by Marriott in 2016 and includes such well known hotel chains as the St. Regis, Westin, Sheraton and W Hotels. The data breach was discovered in early September 2018 by Marriott, but had been ongoing since 2014. The total number of people affected by the breach is estimated to be an astounding 500 million. 327 million had personal information stolen, including names, phone numbers, email addresses, and birth dates. Millions more also had credit card information compromised. Marriott and law enforcement authorities are investigating the matter, which appears to be the work of Chinese state hackers.

Marriott has set up a website with updated information about the data breach. If you stayed at a Starwood hotel between 2014 and now you should check out the website for more information.

It is an unfortunate fact of life that regardless of how careful you are about protecting the security and privacy of your personal information, you are only as safe as the companies and government agencies with the weakest security. You may have not stayed at a Starwood hotel in the last four years, but chances are you are among the millions of people whose personal information was compromised by data breaches at Equifax, Orbitz, eBay, Premera Blue Cross, Anthem, Lord & Taylor, Saks Fifth Avenue, T-Mobile, Hyatt, Brooks Brothers, Chipotle, Neiman Marcus, Arby’s, Staples, Kmart, Dairy Queen, Home Depot or Target, to name just a few.

With many companies and governmental agencies failing to take proper security measures to protect your data, it is truly more a question of when, not if, will your personal information be stolen by hackers. The threat of identity theft posed by a data breach is very much dependent on which personal information was stolen. At its most benign, email addresses or other similar information may be used by hackers to formulate spear phishing emails and text messages to lure you into clicking on malware-infected links. At its worst, such as in the Equifax data breach, sensitive personal information such as your Social Security number can be used directly to make you a victim of identity theft.

Protect Yourself Against Data Breaches

Taking the security precautions listed below can help prevent you from becoming a victim of identity theft.

Con Watch: Hidden Dangers in the Internet of Things

Steve Weisman is a lawyer, college professor, author, and one of the country’s leading experts in cybersecurity, identity theft, and scams. See Steve’s other Con Watch articles.

The Internet of Things is the name for the technology by which a wide range of devices are connected and controlled over the Internet. The list of things that make up the Internet of Things includes cars, refrigerators, coffee makers, televisions, microwave ovens, fitness bands, thermostats, smart watches, webcams, copy machines, medical devices, home security systems and even children’s (and adults’) toys.

According to the research firm Gartner, 8.4 billion devices made up the Internet of Things in 2017 and is expected to increase to more than 20 billion devices by 2020.

While these internet-connected devices can be very convenient and helpful, helping you track your calories or unlock your house remotely, they also can have a much darker side.

In 2017 Italian researcher Giovanni Mellini published his findings that he was able to remotely hack into and take control of a sex toy. While a Bluetooth-enabled toy may open up new vistas for consenting adult, it also opens up frightening new opportunities for hackers.

In 2017 the FBI issued a warning to consumers about the privacy and identity theft dangers posed by internet-connected toys for children. These toys are incredibly sophisticated and can tailor their responses to a child’s behaviors and words. The toys often come equipped with sensors, microphones, cameras, data storage components, speech recognition, and GPS. Some of these toys pose a security threat in the way they gather and store information.

For instance, the doll My Friend Cayla has hidden cameras and microphones that can be used to record private conversations over an insecure Bluetooth connection. She has been banned in Germany since 2017, according to the Bundesnetzagentur, the German telecommunications regulatory agency.

The dangers can be quite serious. In 2011 researcher Jay Radcliffe hacked and disabled an insulin pump connected to the Internet, and in 2015 security researchers Charlie Miller and Chis Valasek famously hacked Jeep Cherokees.

The most prominent danger posed by the Internet of Things is when cybercriminals are able to hack your devices and then move within your home’s computer systems to access your routers, laptops, tablets, phones, and computer hard drives. From there, they can steal personal information such as your credit card numbers, bank account passwords, and other information that can be used to make you a victim of identity theft. They can also enlist your devices to distribute malware anonymously.

How to Protect Yourself

The Internet of Things can be a safe (and fun!) place if you merely take the necessary precautions.