Residents in multiple New Jersey municipalities have reported receiving suspicious phone calls from individuals impersonating police officers. These suspects are spoofing the phone number they are calling from, and displaying the respective police department’s phone number.
Reports state that the suspects have a thick accent and are using officer names obtained by searching municipal websites.
As a reminder, never give personal information over the phone, by fax, through the mail, or on the Internet unless you have initiated the contact or you are sure you know who you are dealing with.
If you receive an unsolicited phone call from an individual claiming to be a Linden Police Officer, obtain the caller’s name and disconnect the phone call. Then, call the Linden Police Department directly at (908) 474-8500 to verify the call was legitimate.
If you have fallen victim to this scam and provided your personal information or are a victim of identity theft, please contact the Linden Police Department to file a police report.
Neither the Linden Police Department, nor any police union or organization associated with the Linden Police Department will ever solicit over the phone.
As you may know, many business and residential utility customers are targeted daily by impersonation scams. Scammers impersonate the utility company (such as PSE&G, Comcast, Verizon, NJ American Water and others) through in-person, phone, and online tactics, claim the utility bill is past due, and threaten to disconnect services unless a payment is made immediately. Customers are pressured to make payments via prepaid debit cards (such as Green Dot, MoneyPak, or Vanilla), wire transfers, cash apps (such as Venmo or Zelle), gift cards, or cryptocurrency (such as Bitcoin). Additionally, scammers may claim that the regular payment portal for the utility company is currently offline, but the target can submit payment through another portal via a link or QR code. This fraudulent payment portal creates a false sense of legitimacy by using spoofed domains, impersonation, and stolen branding. Phishing and smishing tactics attempt to convince the target to immediately take action, such as responding or calling a fraudulent phone number, disclosing sensitive information, or making payment.
In Person
Scammers may visit the target’s home or place of business in person, claim to be a utility company collector, present fraudulent identification, and ask for personal information, including account number or Social Security number. However, legitimate employees wear a uniform, visibly display a company ID badge, drive a company car with the utility company’s logo, and visit during a pre-scheduled appointment with the customer.
Calls
Additionally, if customers receive an urgent call from their utility company’s trusted customer service number claiming termination of services for non-payment and that someone will arrive in 15 minutes to disconnect service, slow down the conversation before making any quick decisions and verify the information through official sources, as the phone number may be spoofed (faked)!
Web Searches
Hackers are targeting customers who use search engines to contact their utility companies. The search engine results may contain fraudulent websites with fake phone numbers that, if called, will put unsuspecting customers at risk for threat actors to collect personal and financial information. Furthermore, service disconnections are not immediate; there is a multi-step process, including payment arrangement options and multiple notifications to the customer, typically by mail and noted on their regular monthly bill.
QR Codes
Traditional attack techniques of malicious links or attachments are often detected by email security, forcing threat actors to pivot to QR codes as the primary attack method in various schemes. QR codes, sent through unsolicited communications or posted in publicly accessible locations, may appear to be associated with a reputable brand or organization and could direct targets to phishing websites, fraudulent payment portals, and unsuspecting malware downloads. In one campaign, the threat actors persuade their victims to withdraw money from their financial accounts and transfer it to them using a QR code and cryptocurrency ATM to avoid service disconnection. Once the funds are deposited into the ATM to purchase cryptocurrency, the QR code with the embedded address is scanned, and the money is transferred to the scammers.
Please make sure to be vigilant of these and similar impersonation scams. Refrain from answering unsolicited or unexpected communications, especially those containing QR codes. Additionally, do not provide personal or financial information or transfer money, especially in cryptocurrency, to unverified entities. If you need help with this or another type of scam, please call my office at (908) 474 8493 so that I can help.
During the holiday season and all-year round, it is common for consumers to purchase gift cards for themselves, for family members and friends. Hackers seek to exploit this common purchase in the form of gift card scams.
How does this happen?
Hackers will initiate fraudulent requests by spoofing a known or trusted person – such as a person in leadership or a position of authority within an organization, a friend, or a loved one – to make the request appear legitimate. They also create a sense of urgency with a fake story or emergency to convince the recipient to act quickly without verifying. These fraudulent requests may be sent through email, SMS text messages, and social media platforms.
Authorities continue to receive reports of gift card scams from New Jersey residents and organizations. For example, an employee received an email sent from an external account purportedly from the CEO, who was attending a meeting out of state. The CEO requested their phone number to perform a task. The employee provided their phone number and then communicated through SMS text messages. The request was to purchase two $500 Apple gift cards, to which the victim complied and submitted the back of the gift cards. The request was was only identified as a scam when the victim was asked for the remaining balances.
Example of a real attempt to defraud.
In the above campaign, the hackers stated that they are traveling and having an issue purchasing a $500 Apple gift card for their niece’s birthday. They request the recipient to purchase the gift card and will pay them back as soon as they get back. Other campaigns may, for example, apologize for bothering the potential victim and inquire if they have an Amazon account or order from them.
What should we do?
Refrain from responding to unsolicited communications, clicking links or opening attachments from unknown senders, and exercise caution with communications from known senders. If you are unsure of am email’s legitimacy, then contact the sender via a separate means of communication, such as by phone, before taking action. Call the sender from a phone number that you already have, and NOT from a phone number provided in the email requesting the gift cards.
Refrain from complying with requests to purchase gift cards and sending the numbers to someone without first verifying the request via a separate means of communication. These are unusual requests or demands, typically portraying a sense of urgency, and should be handled with suspicion.
What should I do if this is happening or already happened to me?
If gift card information was already sent, then immediately contact the company who issued the gift card to inquire if the funds are still on the gift card and can be frozen.
Incidents should be reported on https://www.cyber.nj.gov/report (the NJCCIC Cyber Incident Report Form), and https://www.ic3.gov (the FBI Internet Crime Complaint Center), and to the Linden Police Department at 908 474 8502.
Let’s all remain vigilant of these and similar scams.
Cybercriminals are using Facebook ads to distribute malware and hijack users’ social media accounts, researchers have discovered.
What’s an info-stealer?
Info-stealers are malware that enable hackers to steal victims’ browser cookies and take over Facebook accounts. Once inside the account, hackers can change passwords and activate additional security measures on accounts to completely deny access to the legitimate owner, allowing cybercriminals to commit fraud.
How does this happen?
This happens when hackers exploit legitimate tools for online ad distribution and insert infected links into typical advertisements. To entice users into clicking, campaigns often offer “provocative enticements”, which in this case, contained lewd images. Each click on the ad instantly downloads the malicious file to the victim’s device. Researchers estimate that nearly 100,000 users downloaded the malware in just 10 days.
What should we do?
Be extra vigilant when using any social media platforms, and make sure to connect only with people you know. Be weary of friend requests and messages from unknown people, especially when they ask you to click on a link or download a file. Before clicking on any ads, go to the company’s website to verify ad claims, such as discounts or special offers.
Let’s all remain vigilant of these and similar scams. Please refrain from answering unsolicited or unexpected communications. Additionally, do not provide personal or financial information or transfer money, especially in cryptocurrency, to unverified entities.
What should I do if I am hacked?
Incidents should be reported on https://www.cyber.nj.gov/report (the NJCCIC Cyber Incident Report Form), and https://www.ic3.gov (the FBI Internet Crime Complaint Center), and to the Linden Police Department at 908 474 8502.
Please register to attend this free webinar on Wednesday October 25th, from 1pm until 2pm to learn simple actions to help keep your workplace, home, you and your family cyber-secure!
In honor of National Cybersecurity Awareness Month, a dedicated month for the public and private sectors to work together to raise awareness about the importance of cybersecurity, the Region 2 National Preparedness Division is hosting this seminar that encourages four simple steps every American can take to stay safe online. Joining the seminar will be Rich Richard, Cyber Security Advisor for the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA).
Who – This event is for individuals, families, the whole community, community-based and faith-based organizations, small businesses, federal, state and local government.
What – Free cybersecurity webinar that encourages four simple steps every American can take to stay safe online.
When – October 25, 2023 from 1pm until 2pm EST.
Where – Online.
Why – To protect your workplace, home, you and your family cybersecurity threats.
Many users connect to the internet and access multiple accounts and services for business, including email platforms, applications, and vendor websites. The increased use of online accounts and services, combined with users engaging in risky password management practices, puts both themselves and their employers at risk of account compromise and data breaches. Therefore, it is important to practice good password hygiene to protect accounts and data.
Strong, unique passwords for each account help prevent password reuse attacks in which threat actors obtain the password for one account and use it to compromise an additional account using the same credentials. Threat actors succeed when users reuse credentials across multiple accounts, use easy-to-guess or simple passwords, and do not enable multi-factor authentication (MFA). Strong, unique passwords help secure information, networks, servers, devices, accounts, databases, files, and more against cyberattacks.
Password managers are an effective method to assist users in creating strong, unique passwords and storing them securely. These accounts should be secured with unique and complex master passwords and multi-factor authentication (MFA) using an authentication app or hardware token. Password managers contain sensitive data and, therefore, require implementing the strongest possible security measures. Users are encouraged to research password manager providers thoroughly prior to use.
According to reports received by the FTC Consumer Sentinel Network, scammers are leveraging social media platforms to generate substantial profits. New data released by the FTC reveals that scams originating on social media have resulted in $2.7 billion in reported losses since 2021, surpassing all other contact methods.
Social media gives scammers an unprecedented advantage at little to no expense, reaching billions of users worldwide. They can easily create a fake persona, hack into profiles, pretend to be the user to deceive contacts, and spread misinformation, disinformation, and malinformation. Scammers learn to tailor their approach to what users share on social media. Furthermore, scammers may place ads using tools available to advertisers, systematically targeting users based on personal details like age, interests, or past purchases.
Image Source: FTC
In the first half of 2023, social media was the contact method for over 38 percent of fraud cases reported by people aged 20-29. For people aged 18-19, that figure was 47 percent. The numbers decrease with age, consistent with generational differences in social media use. Data indicates that, while online shopping scams have the highest number of cases, the most significant monetary losses are due to scams that promote fraudulent investment opportunities via social media. More than half of the money lost to social media fraud resulted from investment scams. Additionally, there has been an increase in romance and investment scams, commonly referred to as “pig butchering.” These scammers often advertise their fake investment successes and try to entice users to invest in fake websites and apps.
Social media users should set stringent security settings for social media accounts and critically evaluate sources of information consumed, seeking reliable and verified information. Verify information before sharing posts, clicking links, or promoting the post’s content, including familiar and shared contacts. Bait-and-switch posts often originate from pages that are not associated with a specific individual, have comments turned off, and are relatively vague in the descriptions used in the post.
The State of New Jersey’s Cybersecurity and Communication Integration Cell (NJCCIC) recently highlighted a cyber threat involving unemployment scams and fraud. In particular, the NJCCIC has received reports over the last several weeks detailing this insurance fraud and referencing emails claiming to be related to NJ unemployment with a COVID-19 lure, sense of urgency, and promise of financial assistance.
Please look out for suspicious activities and offer guidance on how to protect your personal identifiable information (PII) as received from a July Press Release from the FBI.
The FBI advises the public to be on the lookout for the following suspicious activities:
Receiving communications regarding unemployment insurance forms when you have not applied for unemployment benefits
Unauthorized transactions on your bank or credit card statements related to unemployment benefits
Any fees involved in filing or qualifying for unemployment insurance
Unsolicited inquires related to unemployment benefits
Fictitious websites and social media pages mimicking those of government agencies
Protection Tips:
Be wary of telephone calls and text messages, letters, websites, or emails that require you to provide your personal information or other sensitive information, especially birth dates and Social Security numbers. Be cautious with attachments and embedded links within email, especially from an unknown email sender.
Make yourself aware of methods fraudsters are using to obtain PII and how to combat them by following security tips issued by the Cybersecurity and Infrastructure Security Agency, including:
Monitor your bank accounts on a regular basis and request your credit report at least once a year to look for any fraudulent activity. If you believe you are a victim, review your credit report more frequently.
Immediately report unauthorized transactions to your financial institution or credit card provider.
If you believe you have been a victim of identity theft related to fraudulent unemployment insurance claims, report the fraud to:
