January 18, 2015

Scam U: Court Summons Scam

Don't fall for this classic bait and switch scam!

The court summons scam.

In September 2014, the Better Business Bureau (BBB) warned about scammers posing as law firms and emailing convincing notices that claim the recipient is involved in a lawsuit and is being summoned to appear at an upcoming court hearing. The email bears a law firm's logo and contains an attached "court notice." The email is vague on specifics such as the location, date, involved parties, and reason. If you want that information, the email urges you to open the attached bogus court document, which silently runs an "exe" file in the background to install malware onto your computer. It is a classic phishing scam that uses fear tactics to entice the victim into clicking on the attachment.

Back in December 2013, criminals used a similar ploy to spread malware. It was so successful that many US courts, like the Maryland courts system, issued public notifications warning people of this ruse. The following was taken from the Administrative Office of the U.S. Courts (2014):
"According to the Security Operations Center of the Administrative Office of the U.S. Courts, the emails are instructing recipients to report to a hearing on a specified day and time. The emails also instruct recipients to review an attached document for detailed case information... Several state courts have reported similar schemes, and also are warning the public about potential viruses."
This scam also made productive rounds throughout the United Kingdom, infecting unsuspecting victims' computers.

How to keep yourself safe? 
Here are some easy-to-follow tips.
  • Be leery of any "official" notification by email. Most government agencies do not operate that way, let alone the US Court system. As the BBB mentioned, "unless you are involved in a case and have opted into receiving email communications, courts normally communicate through mail." (2014)
  • Don't fall for pressure tactics. Ignore the immediate calls to action within the email. Scammers often use such language to create a sense of urgency and to scare the victim into acting before thinking. You have time to research and think things through before clicking on links and attachments.
  • Delete. Ideally, you should automatically delete unexpected notices such as these. Please do not click on any attachments or links without verifying the sender. You may end up with regrets later.
  • Call. If you are concerned whether you really need to appear in court, call the court system or attorney's office to verify. Do NOT use the number within the email as you will likely reach the con artist who will use further scare tactics. Do your independent research to find the official phone number to call. You can also use the US Court locator to help with your search.
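
For anyone who filters mail for a household or small office, the attachment trick described above can be checked mechanically. The following Python check is an added example, not part of the original post: it flags attachments whose content is a Windows executable whatever the file is named, and it goes beyond the post by also looking inside ZIP archives. The function names, extension list, addresses and file names are assumptions constructed for illustration.

```python
import email, io, zipfile
from email import policy
from email.message import EmailMessage

# Extensions Windows will run directly (assumed list, extend as needed).
RISKY_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")

def is_executable(name, head):
    """True if the content starts with the PE 'MZ' magic or the name ends in a risky extension."""
    return head[:2] == b"MZ" or name.lower().endswith(RISKY_EXT)

def risky_attachments(raw_bytes):
    """Return (attachment name, archive member or None) for each executable found."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if is_executable(name, data):
            hits.append((name, None))
        elif zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    # Encrypted members cannot be read; judge those by name only.
                    head = b"" if info.flag_bits & 0x1 else zf.open(info).read(2)
                    if is_executable(info.filename, head):
                        hits.append((name, info.filename))
    return hits

def build_sample():
    """Constructed sample: a vague 'court notice' mail with disguised executables."""
    msg = EmailMessage()
    msg["From"] = "notice@lawfirm.example"
    msg["To"] = "reader@example.org"
    msg["Subject"] = "Notice to appear in court"
    msg.set_content("You are summoned to a hearing. See the attached court notice.")
    fake_pe = b"MZ" + b"\x00" * 62  # header magic only, not a working program
    msg.add_attachment(fake_pe, maintype="application", subtype="octet-stream",
                       filename="Court_Notice.doc")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Court_Notice.pdf.exe", fake_pe)
        zf.writestr("readme.txt", "see notice")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Court_Notice.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, member in risky_attachments(build_sample()):
        print("BLOCK:", name, "->", member or "attachment itself")
```

Checking the first bytes rather than the file name is what catches a program that has been renamed to look like a document.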

Administrative Office of the U.S. Courts (13 January 2014). Public alert: Scam emails about phony court cases carry computer virus. Retrieved from http://news.uscourts.gov/public-alert-scam-emails-about-phony-court-cases-carry-computer-virus
Better Business Bureau (5 September 2014). You're due in court! Classic email scam is back. Scam Alert email.
Kristof, K. (8 September 2014). Beware the court-summons scam. CBS News Money Watch. Retrieved from http://www.cbsnews.com/news/beware-court-summons-scam 
Ragan, S. (25 June 2014). Court summons scam makes a comeback. CSO online. Retrieved from http://www.csoonline.com/article/2367527/data-protection/court-summons-scam-makes-a-comeback.html 
Patterson, E. (5 September 2014). Court summons scam emails carry malware. Better Business Bureau. Retrieved from http://www.bbb.org/blog/2014/09/court-summons-scam-emails-carry-malware/ 

January 3, 2015

Consumer Lawsuit Against Target to Proceed

Remember major retailer Target's data breach back in December 2013, which exposed approximately 40 million payment cards and personal details for 70 million customers?

Well, it continues to be in the headlines even a year after the major breach, and it does not appear to be leaving any time soon.

Recently, U.S. District Court Judge Paul Magnuson denied Target's motion to dismiss the class action lawsuit filed on behalf of impacted customers. In the lawsuit, the plaintiffs allege Target committed negligence, violation of various state consumer laws and data breach statutes, breach of implied contract, and breach of REDcard account agreements. The lawsuit contains various pages listing the damages customers dealt with as a result of the data breach. Damages include unlawful credit/debit card charges, restricted or blocked access to bank accounts, inability to pay other bills, late payment charges, and new card fees. The plaintiffs are seeking unspecified damages and compensation for breach-related expenses.

The decision came only weeks after the same judge ruled that the class action lawsuit filed on behalf of several banking institutions could move forward. The banks are seeking compensation for breach-related expenses, including fraud costs and the cost of reissuing payment cards. Target argued the banks did not have a case since a third-party firm handles their credit and debit card payments. Unfortunately for Target, the judge presiding over the case did not see it that way. According to Judge Magnuson in a December 2, 2014 memorandum, "Target played a key role in allowing the [breach] to occur."

After the 2013 data breach was made public, various lawsuits were filed against Target. The courts consolidated all the federal cases into two lawsuits, one involving financial institutions and the other involving consumers. Both appear to be progressing forward.

It appears Target will spend a good bit of 2015 battling it out in court, which will entail major legal expenses. When you combine this with previous breach-related costs, this data breach will probably cost Target more than the hackers earned. If there is a lesson businesses can take away from this incident, it is that merchants will be taken to court for neglecting to address proper security in their networks and point-of-sale terminals. It is time to actually get serious about implementing an effective security program. As the old adage goes, an ounce of prevention is worth more than a pound of cure. I know I have stated that in previous posts, but it bears repeating. Based upon a recent Retailing Today article, thankfully it appears major retailers are heeding this cautionary tale as retail cyber security becomes a CEO top priority.

Acosta, G. (3 December 2014). Target data breach lawsuit to go forward. Retailing Today. Retrieved from http://www.retailingtoday.com/article/target-data-breach-lawsuits-go-forward?ad=target 

Dahlhoff, D. (12 December 2014). Retail cyber security a CEO priority. Retailing Today. Retrieved from http://www.retailingtoday.com/article/retail-cyber-security-ceo-priority

Roman, J. (3 December 2014). Target breach suit won't be dismissed: Judge rules banks can move forward with case. Data Breach. Retrieved from http://www.databreachtoday.com/target-breach-suit-wont-be-dismissed-a-7635?

Roman, J. (22 December 2014). Target breach consumer lawsuit to proceed. Gov Info Security. Retrieved from http://www.govinfosecurity.com/target-breach-consumer-lawsuit-to-proceed-a-7709