Latest news with #NationalCybersecurityAlliance
Yahoo
02-03-2025
Should You Trust That Random QR Code?
You could probably tell the difference between a real text message and one sent by a scammer. The phishing text likely has a sense of urgency, asks for payment as a gift card and might make you wrinkle your brow at some of the wording. But could you tell a fake QR code from a legitimate one?

Many of us are familiar enough with phishing scams -- where thieves impersonate a trusted sender to deliver a malicious web address -- to steer clear. But it can be significantly harder to recognize QR phishing, sometimes called Quishing or QRishing. Unlike phishing, in which you can typically see the web address to identify its legitimacy, there's no way to easily distinguish between the QR code for a menu or a parking payment app and one that takes you to a fraudulent site with a malicious download.

The number of QR phishing attempts soared from 0.8% in 2022 to 12.4% in 2024, according to a recent Phishing Threat Trends Report from Egress. Although you can try to avoid QR codes altogether, there are many times when we have to rely on them to pull up menus or pay for parking.

"To protect yourself from QR phishing, ensure your mobile device's security settings are up to date and use trusted security software," said Lisa Plaggemier, executive director of the National Cybersecurity Alliance. Plaggemier also recommends that you only scan QR codes from reputable sources, whether on a physical sign, website or email. And if a QR code seems suspicious or directs you to a site requesting sensitive information, stop immediately.

QR phishing or QRishing is a cyber attack that uses QR codes linked to sites that trick users into downloading malicious content or providing sensitive information. After the victim has downloaded the content, the attackers steal user information such as passwords, financial data and other personally identifiable information, or PII. The information can then be used to commit identity theft and financial fraud.
The trouble is, with QR codes, you may not be able to tell the difference between a malicious code and a legitimate one until you've scanned it. However, use your intuition. If you're at a gas pump and there is a random QR code beneath a questionable sticker, it's likely not worth scanning. Always be skeptical of any QR codes you see and consider their source. Be extremely suspicious of QR codes in the following places:

- Airports
- Restaurants
- Bus stops
- Flyers such as fake parking tickets
- Phony emails and text messages

And remember that it's always possible for someone to place a sticker with a malicious code over a legitimate code on a sign, parking meter or other trusted location. Take a moment to examine public QR codes for signs of tampering. Watch out for QR codes from unsolicited text messages and emails, and be extra cautious of QR codes that promise free goods or prizes.

To avoid QRishing scams, always use a trusted QR code scanner app that includes security features that can detect malicious links. You could try TrendMicro's QR Code scanner, QR & Barcode Reader by Gamma Play or QR Code Reader by TeaCapps. As a last resort, be sure to double-check the URLs you are being sent before clicking on them, particularly URLs that include common misspellings of popular company names or ones that merely contain the name of a trusted company within an untrusted domain name.

If you're the victim of a QRishing scam, it's important to report the crime and protect your information. Any information you've given to the scammers may be compromised, including your name, address, Social Security number and financial accounts. Contact your bank and inform them that your account has been compromised. You should immediately change your passwords, scan your devices for malware and implement multi-factor authentication if you haven't already. Also check your credit reports for fraudulent activity and consider freezing your credit.
Here are some additional resources for victims of QR code scams:

- Federal Trade Commission -- The FTC has an online reporting site so that consumers can report fraud. You can also call the FTC's Consumer Response Center at (877) 382-4357 to file a fraud report by phone.
- The FTC also offers this site to help consumers report cases of identity theft, get a recovery plan and put it into action. You can also call the FTC Identity Theft Hotline at 1-877-IDTHEFT (1-877-438-4338).
- Social Security Administration -- The Social Security Administration offers resources for those who have had their Social Security number stolen. You can also report it to the Social Security Administration at or by calling its Office of Inspector General fraud hotline at 1-800-269-0271.
Yahoo
05-02-2025
25 Investigates: Sutton man turned to credit bureau for credit protection, it led to identity theft
An identity theft story with a frustrating twist. A Sutton man called 25 Investigates saying he took the right steps after learning he was a victim of identity fraud. But he says doing the right thing led to an even bigger headache.

For Anthony Deyoe, it started with a routine letter in the mail from a credit card company. It said they were working on a new credit card application that he had submitted, only he didn't submit it. Deyoe knew immediately he was a victim of identity theft. He says he called the credit card company to dispute the application and then contacted the three major credit reporting bureaus, including Experian.

'And all I did was open a can of worms and make it worse,' Deyoe told Boston 25's Kerry Kavanaugh. He set up accounts with each bureau and froze his credit.

'So, I'm at soccer practice on a Saturday morning. It's 8:30 in the morning and I my phone dings with an email,' Deyoe said. The email from Experian said someone had changed his account information. His email, password, and security questions were all new, and he didn't know what they were now.

Deyoe says he spent days trying to get someone from Experian on the phone. 'It just loops you around, loops you around. I even call their business line to try and, you know, just get to a person,' Deyoe said. 'The only way to fix it was to send a bunch of personal documents either to a P.O. Box in Texas or to fax them on some unsecure line.'

Identity theft resolution is also costing consumers a lot of time. According to one fraud study, in 2022 consumers spent an average of 6 hours dealing with identity fraud incidents. In 2023 it jumped to a nearly 10-hour average.

Deyoe says he just wasn't comfortable mailing or faxing those personal documents. Later, he got another alert. 'So, the people that got into my account use the information in my credit report and then opened up a digital checking account under my name,' Deyoe said.
For months, he couldn't access his account until he called 25 Investigates. We reached out to Experian asking how Deyoe's information was compromised and if this happened to others. A spokesperson told us their protocols worked since Deyoe got that notification when his account was changed. In a written statement Experian said, 'Protecting consumers' identities is among our highest priorities. We believe this is an incident of fraud using stolen consumer information.' Experian also contacted Deyoe directly, helping him regain access to his account to close it.

'We call this an account takeover like this,' said Lisa Plaggemier, the executive director of the National Cybersecurity Alliance. The NCA educates people on the best ways to keep their data secure, as identity fraud is affecting millions of people and costs Americans about $43 billion a year, according to a recent report.

Plaggemier says despite stories like Deyoe's, contacting the credit bureaus and freezing your accounts is still best practice if you're a victim of fraud. 'That means you have to create accounts on the credit bureau sites. And you just you know, our recommendation is to create those in a way that they're secure,' said Plaggemier.

So, the NCA suggests making the passwords tougher to crack. Use 15-16 characters, always use multi-factor authentication on sites where it's enabled, and don't repeat passwords from site to site. 'Maybe we were using a password that has been involved in another data breach in another company, so best practice is not to use the same password twice,' said Plaggemier.

The NCA also recommends using password managers because it makes it easier to have completely unique, long, random passwords on every account, especially as large-scale breaches become all too common. In August we learned of a major data breach affecting nearly 3 billion Social Security numbers, and other personal information, which were then for sale on the dark web.
But Deyoe says he had taken all those suggested steps. 'It's upsetting when you go to a company that's supposed to be protecting things and you make things worse,' he said.

Experian added, 'Our authentication processes go beyond requiring users to provide personally identifiable information (PII) and answering knowledge-based authentication (KBA) questions. We do not disclose those additional processes for obvious security reasons; however, our data and analytical capabilities verify identity elements across multiple data sources and are not visible to the consumer.'