Pelland Blog

Beware the “Sextortion” Scam: A New Form of Cybercrime Making the Rounds

October 28th, 2018

Most people realize that the ultimate in cyberwarfare would be for one country to take down the power grid, telecommunications network, financial industry, or military and defense networks of a foe country. There is no doubt that the United States, Russia, China and other countries maintain this capability but wisely withhold use of this “nuclear option” in cyberwarfare, although there have been instances where the waters have clearly been tested. As has been recently demonstrated, cyberwarfare tends to take a much more subtle and individualized approach, exploiting weaknesses in things like social networks and ballot tabulations. The same sort of approach, where individuals are targeted, is generally practiced in cybercrime, the aggressive bully that is the awkward little stepbrother of cyberwarfare.

Cybercrime takes a variety of forms but generally targets either individuals or individual companies. Small businesses, where there is often only a subtle distinction between a business and its owners, can be particularly vulnerable. In most instances, the criminal activity exploits vulnerabilities in the security practices of the target. These vulnerabilities include the failure to apply software patches and updates, unsecure office practices, and the use of weak, old, and/or repetitive passwords. The results include the easy entry of computer viruses and malware that can turn a computer into a bot on a criminal network or install ransomware that will hold a computer and its files hostage. The same vulnerabilities lead to the proliferation of phishing attempts and other email and telephone scams where the senders or callers impersonate trusted companies in an attempt to obtain passwords, secure information like social security numbers, your credit card numbers, or remote access to your computer.

One of the latest trends in cybercrime exploits a combination of known hacks and personal fears and anxieties. As most of us know, there have been a number of major websites that have been hacked in recent years, some instances more widely publicized than others. The ultimate victims are the individuals whose personal data has been breached and compromised. The term “pwned” originated in early online gaming as a typographical error in the word “owned”. If you have been “pwned”, it means that your personal information is now “owned” by others. To see if your personal data has been “pwned”, visit the “Have I Been Pwned?” website and enter your email address. At the time of this writing, there are 296 websites that have been “pwned” with over 5 billion accounts compromised. Some of the websites that have been hacked include Adobe, Ancestry, Avast, Comcast, Dropbox, Exactis, Experian, Forbes, Kickstarter, LinkedIn, MySpace, River City Media, Snapchat, Ticketfly, tumblr, and Yahoo. This list includes websites that you have probably used, and in all likelihood, your personal information has almost certainly been hacked. In my own instance, my email address has been compromised in 10 of these major hacks, most recently the Exactis hack in June 2018. That recent hack disclosed credit status information, dates of birth, email addresses, income levels, marital statuses, names, phone numbers, physical addresses, and much more from 340 million personal data records.

Stolen passwords are then readily exchanged, sold, or even made freely available on a number of forums and so-called “pastes”, utilized by cybercriminals who are well aware of the human tendency to reuse usernames (many simply the users’ email addresses themselves) and passwords across a variety of websites. Security breaches like the Yahoo and Dropbox hacks go back to 2012. Although savvy Internet users will have changed their passwords on those sites long since then, if those same passwords were used on other websites, the vulnerability remains. More recent hacks will expose passwords that are currently in use, demonstrating a strong argument in favor of changing passwords on a regular basis.

With this combined background information in mind, you will understand how I felt both alarmed and violated when I received an email one evening back in July that made it past the Gmail spam filter. The subject line included a username and password combination that I frequently used 10 or 15 years ago, indicating that somebody had gained access to my personal information, even though it no longer represented valid credentials. The email had successfully caught my attention and, at first glance, seemed like there could be cause for concern. It went on to allege that a visit to pornographic websites led to the installation of remote access and keyboard logging software on my computer that gave the hacker complete access to my email and social media address lists, as well as my computer’s microphone and camera. Cutting to the chase, the sender was threatening to send a compiled split-screen video of the sites I had visited, along with my “interactions” with those sites, to my friends and family members as allegedly compiled from access to my computer. The only way to prevent this from happening was to pay $3,200.00 in Bitcoin (a cryptocurrency that is popular with online thieves) using a key that was provided.

The facts that I do not spend my time visiting pornographic websites, do not have either a camera or microphone installed on my computer, would immediately know if somebody had remote access to my computer, my passwords are highly secure, and Trend Micro Maximum Security software shows that my computer is free of any malware, spyware or viruses, still left me feeling personally violated. The following morning, I spoke with an agent at the Federal Bureau of Investigation’s Boston field office who told me that this extortion scam had been circulating quite widely throughout the month of July 2018. (In fact, I found a variation in my spam folder a couple days later, with this second thief only seeking $250.00 in Bitcoin.) The agent also told me that there were people who reported receiving variations that were sent through the mail. I also have friends and clients who told me that they have received the same sort of email during the same time period and as recently as last week. I went on to file an online complaint with the FBI’s Internet Crime Complaint Center, commonly referred to as the IC3. There is also a page on the Krebs on Security website that outlines the “Sextortion” scam and currently includes nearly 1,000 comments from people like me who have received the emails and are trying to warn others against falling victim.

The lessons to be learned are to:

  • Be aware that your personal information has been stolen, probably on multiple occasions.
  • Recognize that your personal information can be used in extortion attempts.
  • Minimize vulnerabilities on your computer and run up-to-date security software.
  • Never trust any email that sets a deadline or seeks payment in cryptocurrency.
  • Never make an extortion or ransom payment.
  • Notify legal authorities if you are a victim.
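
The red flags above (a cryptocurrency demand, a deadline, and an old breached password quoted as "proof") can be expressed as a small mail-triage check. This is an added example, not part of the original post; the sample messages, the retired password, the key, the address string and all function names are constructed for illustration.

```python
import hashlib
import hmac
import re
from email import message_from_string, policy

# Hypothetical local secret, so the retired-password list is not a bare hash list.
LOCAL_KEY = b"constructed-demo-key"


def fingerprint(token: str) -> str:
    """Keyed hash used to match retired passwords without storing them in the clear."""
    return hmac.new(LOCAL_KEY, token.encode("utf-8"), hashlib.sha256).hexdigest()


# Passwords the recipient retired years ago and knows were in old breaches (constructed).
RETIRED_PASSWORD_FPS = {fingerprint("hunter42")}

PATTERNS = {
    # Shape of a legacy (1.../3...) or bech32 (bc1...) address, or the currency by name.
    "crypto_payment": re.compile(
        r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"
        r"|\bbc1[a-z0-9]{11,71}\b"
        r"|\b(?i:bitcoin|btc|cryptocurrency)\b"
    ),
    "deadline": re.compile(r"\b\d+\s*(?:hours?|days?)\b|\bdeadline\b", re.I),
    "surveillance_claim": re.compile(
        r"\b(?:webcam|camera|microphone|keylogger|remote access)\b", re.I
    ),
    "exposure_threat": re.compile(r"\b(?:contacts|friends|family)\b", re.I),
}

# Constructed messages: one modelled on the email described above, one ordinary invoice.
SAMPLE_EMAIL = """\
From: "anonymous" <sender@example.net>
To: owner@example.com
Subject: owner1998 - hunter42
Content-Type: text/plain; charset="utf-8"

I know hunter42 is your password. I installed remote access software and
a keylogger on your computer and recorded you through your camera.
You have 24 hours to pay $3,200 in Bitcoin to this address:
1ConstructedSampLeAddressXXXXXXXX
If I do not get paid I will send the video to all of your contacts.
"""

BENIGN_EMAIL = """\
From: billing@example.org
To: owner@example.com
Subject: Invoice 1042
Content-Type: text/plain; charset="utf-8"

Your invoice is attached. Payment by check or card is due within 30 days.
"""


def extract_text(raw: str) -> str:
    """Return the subject line plus the plain-text body of a raw message."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    content = body.get_content() if body is not None else ""
    return f"{msg['Subject'] or ''}\n{content}"


def triage(raw: str) -> dict:
    """Score one message against the red flags and return a verdict with its signals."""
    text = extract_text(raw)
    signals = {name: bool(rx.search(text)) for name, rx in PATTERNS.items()}

    # Compare every word in the message against the retired-password fingerprints.
    tokens = {t.strip(".,;:!?\"'()<>") for t in text.split()}
    signals["retired_password_quoted"] = any(
        fingerprint(t) in RETIRED_PASSWORD_FPS for t in tokens if t
    )

    pressure = signals["deadline"] or signals["exposure_threat"]
    if signals["crypto_payment"] and pressure:
        verdict = "likely-extortion-scam"
    elif signals["retired_password_quoted"]:
        verdict = "breach-data-reuse"
    else:
        verdict = "no-match"

    # A retired password points to an old breach dump, not to live access to the computer.
    note = (
        "quoted password matches a retired credential: consistent with breach data"
        if signals["retired_password_quoted"]
        else ""
    )
    return {"verdict": verdict, "signals": signals, "credential_note": note}


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_EMAIL), ("invoice", BENIGN_EMAIL)):
        print(label, triage(raw))
```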

It is challenging enough running a small business these days. Nobody needs to waste time, worries, or money with the perpetrators of online scams, who are going to continue to evolve into using more creative and credible formats.

This post was written by Peter Pelland

Red Flag Emails

October 15th, 2018

An email that recently made the rounds among campground owners encouraged them to “renew” their advertising on the Go RV Park website. In instances that were called to my attention, Maryland campground owners were provided a link to a page where they could see their advertising located, along with a $49.00 renewal price. The email also stated that the website had “acquired the Maryland Campground and RV Park Directory Inc. and SW Publications Nationwide.” At first glance, $49.00 sounds like a good deal, and the fact that your park (and every other park whose data has been harvested) is already listed makes the “renewal” make sense.

Take a second glance before reaching for your wallet. The “Maryland Campground and RV Park Directory Inc.” does not exist to my knowledge, although it sounds both legitimate and oddly similar to the directory of the Maryland Association of Campgrounds. Then, “SW Publications Nationwide” is another company that appears to be both nonexistent and very similar to “Southeast Publications”, a well-recognized vendor within the campground industry. Many of us tend to miss the little details, and many people who read “SW Publications” mistakenly interpreted that as “Southeast Publications”. Finally, the GoRVPark.com website sounds confusingly similar to the GoRVing.com website that is a partnership of the RVIA, the RVDA, and National ARVC.

In addition to your own listing and compiled listings of every other campground, the website features banner ads for industry giants that include KOA, ELS, Good Sam, Bass Pro Shops, and Walt Disney World’s Fort Wilderness Campground. This certainly suggests legitimacy, but who says that any of those businesses paid for, authorized, or might even be aware of their ad space (at least until now)?

Back to the $49.00 “renewal” price, that would truly appear to be a bargain. The company’s website offers a $149.00 advertising fee and says that “This $149.00 yearly price is for a LIMITED time only. RV Parks, Campgrounds & RV Resorts who sign up NOW will NEVER be subject to the regular annual cost of $499.00 per year.” Interestingly enough, this exact wording appears on the earliest appearance of the website on the Internet Archive, when it was apparently launched in 2010. How can this possibly be a “LIMITED time” offer? To further suggest its authenticity, the website claims that “Go RV Park is the #1 Google ranked portal and intuitive network of websites for RV information.” Beyond the fact that this gobbledygook is total nonsense, a Google search for “RV information” shows the website totally missing in action, at least on the first 10 pages of search results.

Fortunately, the assessment that I provided to the Maryland Association of Campgrounds was shared with its membership as well as National ARVC, which issued a press release warning members to read their emails carefully before responding to this type of offer.

Another type of email that is not specific to the campground industry but seems to continually make the rounds is the one that scares recipients into believing that their domain names are ready to expire and need to be renewed immediately. Only the fine print (which many people either skim or do not read) explains that the senders are not domain name registrars but are selling highly suspect “traffic generator software tools”, implying that failure to pay for the “search engine optimization service by the expiration date, may result in the cancellation of this search engine optimization domain name notification notice.” (Don’t think for a minute that anything you do will stop these email notices!) Along with a number of payment links and the recommendation to “Act immediately”, the recipient will typically misread the words “Failure to complete your SEO domain name registration search engine optimization service process may make it difficult for customers to find you on the web.” This statement means absolutely nothing, but many people think that their domain name registration is ready to expire, or that their listing on Google is ready to suddenly disappear, and pay the fee (typically $84.00 or $86.00) before they realize their mistake. Fortunately, most reputable email service providers (such as Gmail) send these solicitations into spam folders.

Another email scam is the one that sells compiled email lists. They usually state that the lists are “opt-in verified, 100% permission based and can be used for unlimited multi-channel marketing.” One that I recently received began with the words, “Greetings of the day! Would you be interested in acquiring an email list of ‘RV Owners List’ from USA? (sic)” Another that came in within the last 48 hours offered “100K Email Marketing only for $160 USD, regular price $360 USD” or “900+ Million World Wide Email List only for $75 USD, Regular Price is $450 USD (sic).” Unless you like receiving spam yourself, want to get your email account closed, want to have an email marketing account terminated, and want to be reviled by most recipients, do not even think of buying or using a compiled list. Again, most of these solicitations end up in spam folders themselves.

Confusion over email scams like these is quite valid, as evidenced by the dozens of emails that clients have forwarded to me, wondering whether or not the emails are legitimate. Scammers like these profit tremendously if only a small percentage of recipients fall for the bait, and knowledge like this is your best defense against becoming victimized.

This post was written by Peter Pelland

There Is a Test for That!

June 14th, 2017

Here in my home state of Massachusetts, a problem in recent years involved elementary schools (already considered to be among the best in the country) that were concentrating too much effort on teaching students to pass the Massachusetts Comprehensive Assessment Test, commonly known as MCAS. More recently replaced by newer testing that is in line with the national Common Core Standards that have been adopted by most states, the problem with MCAS was that teachers had to devote far too much classroom time teaching students to score highly on tests rather than actually learning. I am not a teacher, but it seems to me that it is more important for students to learn effectively than to be taught to pass tests with the highest possible scores.

A similar issue takes place when companies that market their website services run bot-based tests that present audits of potential website errors, warnings and load speeds. There is no question that it is important to have a site that renders properly and loads quickly across a full range of browsers and devices; however, all speed tests have their limitations. To run an automated test that purports to present the final word on the quality of a website and the experience that it offers to visitors is a flawed concept at best and a competitive potshot at worst.

No bot can effectively measure the quality of the end-user experience because that is an inherently subjective process. There is a tradeoff between a site that is visually exciting and a site that loads instantly, and many of the “errors” that bots identify account for mere milliseconds in the scope of initial overall page load times. A site that consists of nothing but text will usually run a perfect score, but how many reservations do you think such a site might generate for a campground or outdoor resort? My advice is to avoid falling for the bait, particularly when it is offered by companies that fall short themselves when it comes to overall quality and integrity of design – factors that directly influence human-based decisions rather than bot-based tests.

Let me offer an analogy that relates to the family camping industry. Many parks have begun offering one of the many “wine and paint” sessions that have become popular in recent years. They all follow a similar formula, where an artist whose career has never caught fire leads a session where attendees drink just enough wine to encourage their creativity but not so much wine that they can’t find the end of the paintbrush with the bristles. The idea is for everybody to copy the painting that the session leader paints. The order of the day is uniformity, a lack of originality, and the building of self-esteem. If Pablo Picasso was still alive and attended one of these sessions, his work would be the laugh of the evening.

When it comes to websites, the single most important consideration is whether or not a site is mobile-friendly. A site that is not optimized for display on mobile devices – particularly smartphones – presents an impediment to the end-user experience. What is most important is how long it takes before a user is able to read and navigate your site. Whether some images might take a few seconds to load is not an impediment to that experience.

If you are wondering whether your website is up to par, ask for a human, personalized evaluation of its strengths and weaknesses. That will take some time and effort to prepare, but it will offer results that are based upon the actual experiences of human end-users, not the bots that will never contact you to make a reservation for Site 127 for the second week of August.

Times change, along with the ways that websites are viewed and the algorithms that determine how they are ranked in search results. The one thing that is consistent is the importance of working with a knowledgeable and reliable company with a trusted track record to stay on top of things and to represent the best interests of your company.

This post was written by Peter Pelland

It’s Never Too Late to Start Guarding Your Privacy

May 10th, 2017

I logged onto Facebook this morning, and I was immediately presented with a sponsored display ad hawking a t-shirt design that read, “Never underestimate an Old Man who listens to Neil Young and was born in September.” If I was naïve, I would see that ad and think, “Wow! This is my perfect t-shirt”, then order one. In the short time in which this ad has been displayed, it has been “liked” by 480 people, shared by 182 people (multiplying its reach at no charge to the advertiser), and has received 61 comments. Every one of those comments is from a man who confirms that he was born in September (usually adding a year from the 1950’s or 1960’s) and wants one of the shirts.


[Image: Man-NeilYoung-September-FacebookAd]

Is the fact that I was shown this advertising a coincidence? No way! It is custom-tailored to my identity. If I went to the order page and modified the URL, I could display any of a number of t-shirt designs based upon:

  • The name of the performer.
  • The birth month.
  • Whether I was a man or a woman.

Here is an example:

[Image: Woman-Bob-Dylan-August-FacebookAd]

To make the ad even more effective, the ordering page includes a countdown clock to create a false sense of urgency:

[Image: Ordering-Urgency-FacebookAd]

Depending upon how you view it, being presented these ads is either a brilliant use of Facebook’s marketing potential or an egregious violation of the personal privacy of Facebook users. In this case, I was being shown advertising that was based upon the disclosure of my gender, age, month of birth, and taste in music … all information that I had either voluntarily or unwittingly published on Facebook for either my friends or the world to see.

Yesterday, I was presented with another variation of the ad, based upon the fact that I drive a Jaguar … another fact that I had disclosed on Facebook. Now, I can also order a coffee mug! I am sure that I could modify the URL on the ordering page to change the design to show the name and logo of just about any car company. (On a side note, I have to wonder if these performers and companies are being paid royalties by the t-shirt company for use of their trademarks.)

[Image: Man-Jaguar-September-FacebookAd]

You may think that this is all innocent, fun, and the price we pay for the otherwise free use of social media apps like Facebook, but there is more involved. I don’t know how many times I have seen friends on Facebook post a complete set of answers to 50 personal questions such as the name of their elementary school, their first phone number, name of their eldest sibling, and so forth. Whenever I see this being treated as a harmless and fun exercise, I cannot help but ask myself, “Are you insane?” If any of these questions and answers seems familiar, it is because they are among the same ones that are used as security tests on your online banking or an e-commerce site when you reset a password. Yes, the name of your first pet can lead to the theft of your identity!

You may have seen the recent news about the “Google Docs” phishing scam that proliferated in e-mails on May 4, 2017, said to be the most effective e-mail worm since the “I Love You” virus that caused havoc back in 2000. The scam was effective because it looked legitimate (it is so easy to copy the appearance of a legitimate website!), came from somebody you knew (rather than some random name chosen by a hacker in Belarus), and was spread through the type of shared online document that we have come to accept as routine. Even cautious recipients who would never open an e-mail attachment from a stranger thought that it was safe to download the same sort of document that appeared to have been shared via a cloud service by a known sender. All of these scams, whether relatively harmless or downright nefarious, play upon the human willingness to trust those with access to our personal information.

At the moment, leading into Mother’s Day 2017, there are several gift card scams that are proliferating on Facebook almost faster than they can be identified and taken down. One purports to offer a $50.00 coupon for use at Lowe’s home improvement stores in exchange for taking a short survey, in which you will be disclosing a wealth of personal information. Another purports to offer a $75.00 coupon to Bed Bath & Beyond, the same sort of scam that attempts to gather your personal information for exploitation later.

As I have said in the title of this article, it is never too late to start guarding your privacy. In fact, today is the best day to begin!

This post was written by Peter Pelland

All Links Are Good … or Are They?

April 4th, 2016

One of my clients recently contacted me, concerned that his New Hampshire campground was listed without his prior knowledge or authorization on several websites that purported to be online campground directories. He discovered this when one of the sites contacted him on behalf of a camper who wanted to make a reservation to stay at his park and another contacted him to “claim” his listing. At first glance, these would appear to be good things, wouldn’t they? Any resource that is sending you business is generally welcome to do so. After all, your campground is probably sent online traffic from a variety of referring sites – everything from Go Camping America to your state association website to Good Sam to your local tourism association.

In the instances that my client described, something just didn’t seem right.

Over the years, a number of websites have sprouted up that are essentially directories of local businesses. Many of these have evolved from so-called “yellow pages” companies, and their business model is to persuade gullible business owners to pay for enhanced listings. In my own instance, about a third of these local directories list my company’s street address correctly, but then locate us in the next town. Another third list our fax number as our phone number. Do I care? Not really, because these sites get close to zero traffic, and they have little if any effect – either positive or negative – upon the SEO of my company’s official website. These websites are working with compiled data, obviously harvested from unreliable sources.

The sites that my client described were an entirely new breed. Also based upon compiled data, their business plans are no longer focused upon selling enhanced listings but upon providing reservation services where they collect referral or transaction fees. These can be problematic indeed. My client has gone through a fairly labor-intensive process of getting his business de-listed from several of these sites. The more that I looked into them, the better I understood that my client’s instincts were probably right on target.

Campground reservations are accurately perceived as a multi-billion dollar business, and companies that would like a piece of the action are suddenly coming out of the woodwork. Funded with infusions of venture capital, the focus is on generating income from the collection of processing fees on those reservations, either in real-time (with campgrounds that get on board) or with the type of delayed booking that initially caught my client’s attention. One such site posts that it “anticipates” use by 1 million campers per month, even though it does not currently show up as even a blip on the radar at Alexa, the leading provider of comparative website traffic analytics.

What is the problem with these sites? Well, first of all there is a problem with compiled data. How often is the data updated and how accurate is the initial source? (Think back to those local sites that list my business in the wrong town or with our fax number as our primary phone number, where incorrect data tends to perpetuate itself.) On one of these sites that my client called to my attention, I perused the campgrounds listed in my home state of Massachusetts. I am intimately familiar with the industry players in my home state, and I found fictitious listings, listings for municipal parks that have nothing to do with camping, listings for campgrounds that have been out of business for several years, and listings for summer camps.

The second problem is the potential for these sites to compete with your own official website and your own chosen online reservation engine, a situation that can only serve to confuse consumers and that could inflict harm upon your business. I know that I do not want any other company representing my business, and I would be feverishly protective against any threats to my company’s unique online identity. Particularly if pricing (that may or may not be accurate) or reservations enter into the equation, the potential for problems is very real.

Thirdly, if you choose to get on board, be sure to read the fine print. The “Terms of Service” listed on one of these websites, when copied and pasted into a Word document, consisted of over 20,000 words that ran 42 pages in length. That’s a far cry from the old-fashioned handshake agreement of years past and probably reason to proceed with caution.

Keep in mind that any online directories or search engines built upon compiled data (even Google itself!) need businesses like yours as much as you need them. Without listing real businesses that consumers are seeking, they have no product to offer. It is your decision whether or not to get on board with any particular website. Understand the potential risks and benefits, and then make a decision based upon what is best for your business and how it can most effectively meet the needs and expectations of its core clientele.

This post was written by Peter Pelland

If a Contest on Facebook Sounds Too Good to be True …

September 2nd, 2015

You probably know how that sentence ends. If something sounds too good to be true, it probably is too good to be true. In this case, there have been a number of hoaxes that have circulated on Facebook, and it is amazing how many thousands of people unwittingly think these “contests” are authentic before the pages get reported and eventually get taken down.

Over the weekend, one of my friends on Facebook shared a link and commented how she hoped she would be one of the lucky monthly winners of $5,000.00 in travel money being given away by Qantas Airlines. The page looked very authentic but I immediately detected a scam. The page had relatively few posts for a big corporation, all of which dealt with the contest, and I noticed that it had a total of only 14,190 “likes”. That low number of likes is a dead giveaway that you are not at a legitimate page. A quick search brought me to the real Qantas page, with 715,496 likes and, of course, no such contest.

It turns out that this is not the first time that Qantas has had to deal with the public relations nightmare that can result when people think that a business is somehow responsible for a scam in disguise. In an earlier instance this year, a fake page announced that the airline would be offering free upgrades to first class for all passengers through the end of 2015. That bogus page accumulated some 130,000 likes and over 150,000 shares in the first 24 hours of its existence. Yes, people can be very naïve.

Another friend not long ago shared a link to another Facebook page that captured his excitement. It purported to be Chevrolet and was encouraging people to enter a contest to win a free Chevy Camaro. I noticed that all of its posts involved the fake contest, most extending the entry deadline in order to get more people to “enter”. Once again, I noticed that the page had relatively few “likes”, and I provided my friend with a link to the real Chevrolet Camaro page on Facebook, not surprisingly with 4,407,269 likes as of this writing. Until somebody reports a page that mimics the identity of a legitimate page and violates its legal trademark, scams like this will perpetuate indefinitely.

One way to quickly confirm the authenticity of a Facebook page is to look for the blue checkmark icon next to the page’s name, confirming that the page of a global brand or business, celebrity or public figure, or media outlet has been verified to be legitimate. Unfortunately, Facebook does not offer this authentication option to small businesses like yours and mine.

If you encounter one of these fake pages, you may be wondering why somebody has taken the time to create it. Typically, the pages are built by individuals who are engaged in the practice of “like farming”, hoping that their page will not be reported and taken down before they will be able to increase its value and profit from it in a black market engaged in the buying and selling of this type of content. Visitors to these pages are usually encouraged to “like” and “share” the pages, whether the incentive is a bogus contest, a chain letter, or simply a photo of a cute puppy or kitten. If a page has more “likes”, it will sell for more money to subsequent scammers who can then engage in more nefarious cons. Many of those are engaged in the collection of personal information that only begins with e-mail addresses and Facebook profiles but could very well end in full scale identity theft.

We all know people who have gotten their personal profiles compromised on Facebook. It can be a nightmare, but for a business, this type of violation can be far more damaging. As a business owner yourself, probably with a Facebook page of its own, you need to be vigilant about protecting your company’s online identity. There can be very real costs in crisis communications and the loss of consumer confidence in your brand. Back in 2012, another airline – Jetstar – suffered tremendous corporate damage when a scammer set up a bogus Facebook page and began posting highly offensive responses to customers posting questions to what they thought was its official page. Instances like this are nothing less than corporate sabotage.

Thinking hypothetically, what would be the direct – and indirect – impact of hundreds or thousands of people being led to believe that you were giving away free merchandise to anybody who showed up at your business next Saturday? It has been sometimes said that all publicity is good publicity, but it does not take much imagination to realize that this adage can be far from true.

Sadly, it is extremely easy to build an official-looking page with very little skill or talent. A con artist copies and pastes a few graphics and trademarks, registers a deceptively similar page name, then posts something that sounds so good to the unwitting that it goes viral faster than it can be taken down. If your business ever finds itself in this unenviable situation, it is imperative that you immediately report the bogus site and that no time is wasted before engaging in damage control and exposing the hoax as broadly as possible.

This post was written by Peter Pelland

Beware of Some of the Latest Scams

August 17th, 2015

I always try to do my best to warn readers to avoid getting entrapped by any of the wide range of scams that are prevalent today. We read about them in the newspaper and hear about them on the TV news, but most of us think that they could “never happen to me”, that they only victimize the elderly or people of lesser intelligence. Guess what? Scam operators are good at what they do, and they are getting better all the time.

The way that scams succeed is by being as believable as possible. People fall for the house rentals on Craigslist because the houses are actually there at the addresses listed. They are simply not available for rent, and they are not owned by the crooks who want to collect the first and last months’ rent and security deposits. As people become more aware of the scams, the scammers do a bit more research and become more creative in order to increase their odds of finding their mark.

419 Scams

I recently received a half dozen e-mails from a “woman” who expressed an interest in having a website built, a project that at first glance appeared to be a perfect fit for my company. One of “Jennifer’s” first questions was whether we accepted credit cards. (Had my answer been “no”, I am sure that would have been the end of the e-mails.) The scammer claimed to be based in South Carolina, had an established business importing specialty agricultural products from South America, had a “project consultant” who would be providing us with a logo and text, had a very generous budget, and was very anxious to get the project underway. What was vague was the actual identity of the business and her credentials, other than a fictitious business name.

When my searches for both “Jennifer Mark” and “DW Fresh” came up empty on Google, Manta, LinkedIn, and other online resources, I explained that we would need to review a full credit application and be paid a substantial deposit before any work could commence. Then came the kicker: The scammer offered to roughly double the required deposit, but needed me to do her a “favour” by paying her “project consultant” a $2,800.00 cash payment so that he would release the creative materials while she was “presently in the hospital for surgery”. In other words, I was supposed to accept a $6,500.00 deposit (most assuredly on a stolen credit card), then pay the scammer nearly half of that, with the funds gone from my account before the charge was declined due to the card being identified as stolen.

This type of advance fee fraud is what is generally referred to as a “419 scam”, based upon the section of the Nigerian penal code that addresses fraud schemes. It can involve letters, faxes or e-mails, and – as I have just demonstrated – it has gotten very creative, not necessarily involving extremely large sums of money or trips to Nigeria. What they all have in common is some sort of advance fee. If you run a campground, you could be contacted by somebody who wanted to reserve a block of 100 sites during your off season. That would be welcome income, but curb your excitement unless all of your questions are answered to your satisfaction and there is no suggestion of funds flowing in the opposite direction for any reason.

Officer Ray Fleck

Another scam that has been making the rounds lately has been a robocall from “Officer Ray Fleck”, allegedly working in the audit division of the Internal Revenue Service. I have received these calls. The caller, in a very brash and threatening voice, claims that the Internal Revenue Service is filing suit against you, and that it is imperative that you return the call to make a credit card payment that will satisfy your alleged tax obligations and prevent the filing of suit in your local court. Needless to say, the IRS does not employ a force of thugs who call citizens and demand their credit card numbers, but some people are easily intimidated, making this scam highly successful for its perpetrators.

Windows Service Center

Finally, the “Windows Service Center” scams are still alive and kicking. The callers – usually with heavy accents – claim that they are calling from Microsoft. They are hoping to reach people who have little technical experience and who are coincidentally experiencing some sort of problem with their computers. I received such a call from a person who identified himself as “Jim Sparkle”, and who said that he had been “monitoring my computer” and found that it had a “major problem”. He said that he was “doing his duty” because my computer was “ready to crash down at any time”.

What these scammers want is not only your credit card number but also remote access to your computer, allowing them to install spyware and steal sensitive information. They have various “service plans” that will solve your computer problems, of course suggesting the “lifetime” service plan which was, in my case, discounted to $299.00 and would cover any computer that I ever owned over the course of my lifetime. If you receive one of these calls and have some time to spare, act dumb, and string the caller along a bit (which can admittedly be a bit of fun). You will typically learn at the end of the call that people in other countries have an extensive vocabulary of English language profanities.

The point is that you need to remain vigilant and cautious whenever you are contacted under circumstances that just don’t feel quite right. If you receive an unsolicited contact by anybody who asks you for a credit card number, it is time to end the conversation and continue with business as usual. Scams will always be with us, but with a healthy dose of skepticism, you can prevent yourself from becoming a victim.

This post was written by Peter Pelland

Truth in Packaging

June 10th, 2015

When it comes to processed foods, probably the most deceptive phrases are:

  • Serving suggestion.
  • Enlarged to show detail.
  • All natural.

The serving suggestion lets you know that the strawberries and blueberries in that bowl of cereal are not included in the box, the image that is enlarged to show detail helps you to really see what that cracker or potato chip looks like, and the words “all natural” have no definition whatsoever and can include just about every chemical compound found on the planet. The first two phrases are usually shown in very fine print, whereas the last phrase is generally promoted in large text with an eye-catching graphic.

It is unfortunate that parts of the business world have adopted language that essentially applies this same sort of lipstick to their pigs. A used car becomes “previously owned”, previously frozen fish in the supermarket becomes “thawed for your convenience”, products made in China might be “assembled and packaged in the USA”, and most people know that a “processed cheese product” is anything but real cheese. In particular, some of this deception has become commonplace in the Internet industry.

Serving Suggestion

If you have ever registered a domain name with a company like GoDaddy, you will have encountered their version of the “serving suggestion”. I just went to GoDaddy to try to register a domain name for $9.99, the sale pricing for new domain name registrations. Before checking out, I am presented with an offer to “Get 3 and Save 67%” by registering the .net, .org, and .info versions of the domain name, as well as an opportunity to “target local shoppers” by adding the .nyc version of the domain name for an additional $39.99.

As I pass on those options and proceed to the checkout, I am encouraged to “Protect My Personal Information” by adding so-called “Privacy Protection or Privacy & Business Protection” for between $7.99 and $14.99 per domain per year. (The $14.99 price is made to appear particularly attractive, since it is discounted from a “regular” price of $32.97.) The next options are “Website Builder Hosting” for anywhere from $1.00 to $10.99 per month, and E-mail hosting for anywhere from $3.99 to $7.89 per month. Then, of course, I will be encouraged to register my domain for the maximum period of 10 years, rather than only paying for a single year.

In this exercise, I only wanted to register a single .com domain name for $9.99 (plus a mandatory $0.18 ICANN fee). Most people are confused by all of the options – after all, doesn’t “privacy protection” sound important? – and will pay for at least some of the unnecessary add-ons. If I purchased everything that GoDaddy suggested, but still only registered my domain name for a single year, I would be paying $375.51 per year for that $9.99 domain name. Yes, those are “serving suggestions”.

Enlarged to Show Detail

Many website builders have a way of exaggerating their skill levels. Often, these are the local jack-of-all-trades computer shops in town, where the owner fancies himself a webmaster in between attempting computer repairs and selling home theater systems. In other instances, this might be your son or daughter or that smart kid down the street, generally telling you that “anybody can build a website.” In yet other instances, you might be misled by TV commercials from companies like Wix, Weebly, SiteBuilder.com, VistaPrint, or those wonderful folks at GoDaddy again … all suggesting that it only takes a few mouse clicks to build a website for your business for next to nothing or even free (before, of course, leading you back into the “serving suggestions”).

Needless to say, there is not a single website for any seriously legitimate business that was built under any of those scenarios. Even among companies that are engaged full-time in website development, there is a propensity toward exaggeration and a “sure, we can do that” attitude. Your best protection will be a careful review of their portfolio and references. It has been said that “the proof is in the pudding”, and you may want to confirm that the dessert being served matches the dessert being described on the menu. If you are being promised a world-class website, that is unlikely to result if there are no signs of the necessary skills visible in previously completed projects.

All Natural

The trickiest to detect is the claim that a product is made with all natural ingredients. From processed foods to pet food, from cosmetics to candy, there are no clear standards or definitions for the term “all natural”. As a result, consumers need to rely upon their own instincts, underfunded consumer watchdog organizations, or the slowly moving wheels of governmental regulatory agencies for protection. Snake oil was all natural, but it never cured a single disease other than psychosomatic disorder.

The snake oil of the Internet age is search engine optimization, commonly known by its acronym: SEO. How many phone calls have you received recently from somebody offering to get your website “listed at the top of the Google search results”, offering to help get your business listed on Google Places, or asking you to “update your Google front page listing?” In most instances, you have probably gotten dozens of such calls. Not a single one of them has actually come from Google or a company that is legitimately sanctioned to call on Google’s behalf.

In a recent phone call with the former president of one of the world’s leading e-commerce companies, I was struck (but not surprised) by his advice to “never hire an SEO agency”. Wasting time trying to find a legitimate SEO company is like trying to find a “good” fortune teller, used car salesman, or payday loan company. They are all truly good at taking your money. SEO is nonetheless big business. Be suspicious of companies that offer SEO reports as a means of getting their foot in the door, offer to “fix” your website so that it will “start ranking higher on the search engines”, or show you Google Analytics charts and graphs with misleading annotations that allegedly document their expertise.

We are living in challenging times. In order to survive and prosper, you need to cut through the chatter and filter out the noise. Should you really expect one business to provide the same services for significantly less than most others, should you really expect companies to provide free services with no strings attached, and should you really believe that there are companies with magic wands that will make your website suddenly appear more highly ranked than any other relevant search results? Sometimes business decisions come down to who you can trust, and trusting your own instincts is almost always the soundest business decision.

This post was written by Peter Pelland

The Sky Is (Not) Falling

April 6th, 2015

Chicken Little was well-intentioned when he hysterically warned of impending disaster. The only problem was that his predictions were based upon conjecture rather than facts. Back at the turn of the millennium, modern-day Chicken Littles mongered fear over the impending “Y2K” disaster that, of course, never happened. More recently, there has been more than a bit of press about the implementation of the next round of Google search ranking algorithms that will only begin to be rolled out on April 21, 2015. Without doing any research of their own, many self-proclaimed “experts” are citing a Google blog post, a comment reportedly made by a Google employee, and a speculative article that recently appeared in Entrepreneur Magazine as the bases for their warnings of dire consequences for today’s typical website. Like grade school students spreading rumors in the schoolyard, it is time for some people to take a “time out”.

Like the news networks that love to exaggerate stories and develop sensationalist headlines like “Stormageddon” and “Blizzard of the Century” (and, of course, the aforementioned “Y2K”), the new buzz word amongst the uninformed is “Mobilegeddon”. People using this type of terminology remind me of those who blindly share urban legends on Facebook, without taking a moment to first check the facts. The stories may generate excitement, but they lack credibility.

The fact is that Google will be rolling out a new set of search algorithms starting on April 21st; however, this does NOT mean that a website that is not deemed mobile-friendly will suddenly drop from the results of Google searches made from mobile devices. That is an outright exaggeration. What the new algorithms mean is that sites that are mobile-friendly will have an edge over sites that are not mobile-friendly, being flagged as “mobile friendly” alongside those search results. This rise in the rankings of mobile-friendly sites will come at the expense of sites that are not deemed mobile-friendly, but it does not mean that those latter sites are suddenly going to be dropped from being indexed.

Chicken Littles have suggested that half of a site’s traffic is suddenly going to disappear effective April 21st, if the site is not mobile-friendly. This is patently untrue. Using historical Google Analytics data that I have drawn from actual campground websites, let’s presume that 35% of the traffic to a website comes from search engines, and that 50% of that traffic comes from Google, and that 50% of THAT traffic comes from users of mobile devices. Do the math. That would mean that, if a website was totally dropped from mobile search results on Google (which is NOT going to happen at this time), that site would lose approximately 9% of its traffic. That is the reality, rather than conjecture and misguided speculation.

There are plenty of valid reasons why every business should be moving to replace a conventional website with a new mobile-friendly site, and to do so sooner rather than later. However, the people who are suggesting panic are doing a tremendous disservice by encouraging the jerking of knees rather than the exercise of a careful plan for execution that includes properly methodical planning and budgeting for the long-term investment in mobile-friendly technology.

In years past, many businesses were advised to buy into expensive mobile apps or separate mobile websites, in an attempt to capture the market for users of mobile devices. In retrospect, those dollars were generally not well spent. Today, the dust has settled and responsive website technology has taken its place as the mobile-friendly solution that Google and the other search engines prefer, with one site presenting full content that is optimized for every device. If your site is not currently mobile-friendly, make plans for the transition – as I have said, sooner rather than later. In the meantime, don’t panic. The sky is not falling, and the world is not about to end on April 21st.

This post was written by Peter Pelland

Do Not Fall Victim to the Tech Support Phone Scam

March 2nd, 2015

One recent instance after another has compelled me to attempt to warn people about some of the scams that are proliferating and making the rounds these days. Although most scams use e-mail to seek new victims, due to the almost nonexistent cost of e-mail compared to the snail mail that was the vehicle of choice in earlier days, telemarketing is still one of the most common points of entry for scammers and cyber-thieves. In this installment I would like to warn readers about the very active Tech Support Phone Scam, offering suggestions on how to avoid becoming the next victim.

Everybody has problems with their computers from time to time. Files may get corrupted, programs crash, and sometimes a software update contains unanticipated bugs. Worse yet, you could inadvertently install malware on your computer, typically when opening an e-mail or an e-mail attachment. One of my clients recently called me, telling me that he was suddenly experiencing a problem synchronizing Microsoft Outlook with his reservation software. Later that day, he called me again with the “good news” that Microsoft was helping him to resolve the problem. Out of total coincidence, he had been the recipient of a telemarketing call from a dubious outfit that calls itself “Tech Zone Windows”. The caller led my client to believe that he was a Microsoft representative, charged his credit card $199.00 (which was a less expensive alternative to his original $599.00 offer), and was using remote access to do who knows what with my client’s computer! Perhaps the company was actually scanning my client’s computer and removing malware, something that anybody could do themselves for free. Far more likely, it was installing spyware and accessing sensitive information.

Fortunately, the client called me while this was happening, and I instructed him to immediately turn off his computer and found him a legitimate computer technician in his local area. Within seconds, the company’s representative called him, concerned that he had not yet finished the task at hand. My client demanded a refund, but as a result of this experience, has had to take the precaution of replacing his credit card. Hopefully, this represents the end, rather than the beginning, of his problems. Time will tell.

Microsoft has actually warned consumers about this and similar scams, where the callers impersonate help desk engineers from legitimate software companies. According to a Microsoft survey of 1,000 English language computer users back in 2011, 15% said that they had received one or more of these calls, and 22% of those who had gotten a call were tricked by the scam and paid an average of $875.00. If you do the math, you will see how somebody sitting at a desk in some remote part of the globe can rake in well over $2,500.00 simply by making 1,000 random phone calls. That dollar amount is only the haul from the bogus fees that they charge, earnings which could pale in comparison to what they can earn from the malicious software that they will install on your computer or the subsequent sale of your credit card number! The malware that they install is designed to harvest anything of value on your computer – including passwords, sensitive information and access credentials to things like your online banking and tax returns.

Continuing with the Microsoft report, 79% of those who were victimized by one of these scams reported some sort of financial loss, with 17% discovering money withdrawn from their bank accounts, 19% reporting passwords stolen, and 17% becoming victims of identity theft. A majority of victims also incurred significant costs in subsequently having their computers repaired or replaced after the experience.

To prevent this from happening to you, keep the following in mind:

  • Microsoft (or Apple or any other tech company) will NEVER call you to offer assistance. If you need assistance from one of these companies, you probably know how impossible it is to obtain. Rest assured that they will NOT be the ones trying to call you!
  • Never allow anybody to run remote access to your computer, unless you totally trust that individual. Remote access allows a total stranger total access to your computer. There is far too much at risk.
  • Never purchase any type of software service from somebody who approaches you on the phone.
  • Do not trust Caller ID. It is very easy to spoof the phone number that appears on Caller ID, and thieves use this trick to make themselves appear to be legitimate. Although Caller ID spoofing is a violation of the Truth in Caller ID Act and subject to a penalty of up to $10,000 per violation, thieves laugh in the face of the law. (Feel free to file a complaint with the Federal Communications Commission, the regulatory agency that is responsible for enforcement, either online or by calling 1 888 CALL-FCC.)

If you are uncertain about a company, I always suggest performing a quick Google search for the company’s name followed by the word “scam” or “complaints”. In the case of Tech Zone Windows, a Google search for “Tech Zone Windows Scam” currently produces 2,970,000 search results.

To learn more, read the following Microsoft security bulletin:
https://www.microsoft.com/en-us/security/online-privacy/avoid-phone-scams.aspx

This post was written by Peter Pelland