Taking Back the ID

Fake calls from Amazon and Apple, vaccine scams, strengthening passwords

During the pandemic, Sam has been spending a lot of money on Amazon. Sometimes he loses track of what he’s ordered and when he’ll receive it. So, when he received a voicemail, supposedly from Amazon, he didn’t immediately delete it. The message said:

“An unauthorized purchase of an iPhone XR 64 gigabytes for $749 is being ordered from your Amazon account. To cancel your order or to connect with one of our customer support representatives please press 1 or simply stay on the line. Please press 1 to connect with our customer support team.”

Sam didn’t press 1, but unfortunately many have.

This is a fictitious case, but the U.S. Federal Trade Commission (FTC) is warning real phone users not to respond to calls and voicemails purportedly from Amazon that say the company is charging you for an item you didn’t order, or is reporting your package is lost or it can’t fulfill your order.

The FTC is also warning about recorded messages supposedly from Apple that tell phone users it’s discovered suspicious activity or a breach in their iCloud accounts.

Of course, in this type of phone scam fraudsters typically use the names of well-known organizations to make the messages seem legitimate and prompt users to act.

The goal of both versions of the scam is to prompt you to give up personally identifiable information (PII), such as your account password or credit card number, that the fraudsters can use to steal your identity.

The FTC advises:

  • Do not press 1 to speak with customer support.
  • Do not call a phone number they gave you.
  • Do not give out your personal information.
  • Contact the FTC at ReportFraud.ftc.gov to report the scam.

(See Fake calls from Apple and Amazon support: What you need to know, by Alvaro Puig, Federal Trade Commission, Dec. 3, 2020.)

Avoiding COVID-19 vaccine scams

The pandemic has unleashed countless scams, and the release of vaccines promises to do the same. Fraudsters will contact potential victims via texts, phone calls, emails or maybe even by knocking on doors to steal money and PII.

The FTC, in partnership with the U.S. National Association of Attorneys General, is warning the public on how to recognize and avoid emerging vaccine-related scams:

  • You likely won’t need to pay anything out of pocket to get the vaccine during this public health emergency.
  • You can’t pay to put your name on a list to get the vaccine.
  • You can’t pay to get early access to the vaccine.
  • No one from a vaccine distribution site or health care payer, like a private insurance company, will call you asking for your Social Security number or your credit card or bank account information to sign you up to get the vaccine.
  • Beware of providers offering other products, treatments or medicines to prevent the virus. Check with your health care provider before paying for or receiving any COVID-19-related treatment.

If you’re in the U.S. and you’re contacted by a fraudster about the vaccine, ignore the message and report it to the FTC at ReportFraud.ftc.gov. File a complaint with your state or territory attorney general through consumerresources.org, the consumer website of the National Association of Attorneys General.

(See COVID-19 vaccines are in the pipeline. Scammers won’t be far behind, by Colleen Tressler, FTC, Dec. 8, 2020.)

Strengthening your passwords

If you’re like me, your password list is growing. As always, strong passwords can help prevent fraudsters from cracking our accounts and stealing our identities. However, many users continue to use simple, easily remembered passwords and often repeat them across their accounts and devices. If a hacker cracks the password of one account, they can access all the user’s accounts that have the same password.

NordPass, a password manager company, recently reported the top 200 passwords used in 2020. The firm worked with a third-party data breach company to evaluate a database that included 275,699,516 passwords. See the top 10 used passwords in Figure 1 below.

Figure 1: Top 10 used passwords in 2020

The top 10 used passwords were simple. Seven of them involved the use of numbers, and eight of them were cracked in less than a second, as were the majority of the 200 passwords.

This study also classified the list of top 200 passwords into 12 categories. See Figure 2 below.

Figure 2: Categories of top 200 passwords in 2020

Here are NordPass’ top passwords (up to five) in each category, their overall ranking and number of users in a database of 275,699,516 passwords:

  • Names: Aaron 31, No. 18, 90,256; Ashley, No. 31, 52,031; Michael, No. 72, 28,754; daniel, No. 77, 27,056; samantha, No. 95, 23,168
  • Swear words: f..k you, No. 86, 25,618; f..kyou1, No. 143, 18,739
  • Qwerty: qwerty, No. 12, 156,765; qwertyuiop, No. 25, 64,632; quer23456, No. 26, 35,837; qwerty123, No. 52, 35,827; qwe123, No. 87, 35,827
  • Numbers: 123456, No. 1, 2,543,285; 123456789, No. 2, 961,435; 12345678, No. 5, 322,187; 111111, No. 6, 230,537; 123123, No. 7, 189,387
  • Device: myspace1, No. 80, 26,363; computer, No. 116, 21,330; Samsung, No. 189, 16,218
  • Entertainment: pokemon, No. 51, 37,197; superman, No. 88, 25,557; naruto, No. 112, 21,458; blink182, No. 128, 19,956; yugioh, No. 142, 18,792
  • Password: password, No. 4, 360,487; senha, No. 10, 167,728; password1, No. 19, 18,556; password123, No. 19, 20,835; passw0rd, No. 195, 15,972
  • Sports: soccer, No. 60, 31,085; football, No. 73, 28,496; baseball, No. 74, 28,278; basketball, No. 104, 22,060; football1, No. 178, 16,662
  • Food: chocolate, No. 114, 21,409; cookie, No. 126, 20,0650; pepper, No. 169, 17,031; cheese, No. 194, 15,9940; peanut, No. 197, 15,832

The numbers category dominates the top 200 worst passwords in 2020 with five of them in the top seven. Simplicity fails when picking passwords!

Author Tom Merritt of TechRepublic gives excellent tips for individuals to improve passwords:

  • 10 characters minimum. The longer the better. A 10-character password takes at least four months to brute force crack, 11 characters takes a decade, 12 characters takes two centuries.
  • Break up common words with random characters. Like a slash after the o in horse, a random number three in between the two t’s in battery, or a close bracket before the l in staple. This is a way to use a passphrase which is easier to remember but makes it much harder to guess.
  • Use a number. Put it somewhere besides the beginning or end and don’t use the number one. Most people try to make a password “secure” by adding a one to the end. Likewise, use another special character besides an exclamation mark. Most people use an exclamation mark, and the attackers know this.
  • Capitalize at random. Yes, capital letters make it harder to crack, but most people just capitalize the first letter. Don’t do that. Capitalize any other letter.
  • Use a password manager. Free yourself from having to create these passwords yourself. A good password manager will make randomized passwords that are difficult to crack and it takes the pressure off you.

(See Top 5 tips for choosing strong passwords, by Tom Merritt, TechRepublic, Nov. 30, 2020.)
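For readers who run a sign-up or password-change form, the check below shows how the points above can be enforced on the defender's side. It is an added example, not code from NordPass, TechRepublic or this column: it rejects candidates that are on a blocklist or reduce to a blocklisted word once the habitual decorations (capital letters, a trailing "1" or "!", look-alike digits) are removed. The blocklist is a small sample of the passwords named in this column, and the function names are hypothetical.

```python
import re

# Sample of passwords named in this column's NordPass list (not the full top 200).
COMMON = {"123456", "123456789", "12345678", "111111", "123123", "qwerty",
          "qwertyuiop", "qwerty123", "password", "senha", "pokemon",
          "superman", "soccer", "football", "baseball", "chocolate",
          "computer", "samantha"}

# Undo common look-alike substitutions (passw0rd -> password).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

MIN_LENGTH = 10  # the "10 characters minimum" tip quoted above


def base_forms(candidate):
    """Reduce a candidate to the plain words its decorations were built on."""
    lowered = candidate.lower()
    # Drop trailing digits and punctuation: "Football1!" -> "football".
    stripped = re.sub(r"[\d\W_]+$", "", lowered)
    forms = {lowered, stripped,
             lowered.translate(LEET), stripped.translate(LEET)}
    return forms - {""}


def check_password(candidate):
    """Return the reasons to reject a candidate; an empty list means accept."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than 10 characters")
    if base_forms(candidate) & COMMON:
        problems.append("common password or trivial variant")
    if len(set(candidate.lower())) < 5:
        problems.append("too few distinct characters")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, not real user data.
    for pw in ["123456", "passw0rd", "Football1!", "ho/rse-bat3tery"]:
        print(f"{pw!r}: {check_password(pw) or 'accepted'}")
```

"Football1!" meets the length rule yet is still rejected, which is why the tips above warn against capitalizing only the first letter and ending with a one or an exclamation mark.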

Contact me

Include these scams and ideas to strengthen your passwords to protect your online identity in your outreach programs and with your family, friends and business associates.

As part of my outreach program, please contact me if you have any questions on identity theft or cyber-related issues that you need help with or if you’d like me to research a scam and possibly include it in future columns or as feature articles.

I don’t have all the answers, but I’ll do my best to help. I might not get back to you immediately, but I’ll reply. Stay tuned!

Robert E. Holtfreter, Ph.D., CFE, is a distinguished professor of accounting and research at a university in the U.S. Northwest. He’s a member of the Accounting Council for the Gerson Lehrman Group, a research consulting organization and is a member of the White-Collar Crime Research Consortium Advisory Council. He’s also on the ACFE’s Advisory Council and the Editorial Advisory Committee. Holtfreter was the recipient of the Hubbard Award for the best Fraud Magazine feature article in 2016. Contact him at doctorh007@gmail.com.
