NYU Wordpress Theme

Social Security Administration Phone Scam Alert

Please be advised that the Social Security Administration (“SSA”) has noted a skyrocketing of fraudulent calls purporting to come from the SSA. These imposter scam phone calls have been reported to include the following scare tactics:

  • calls alerting you that your social security number has been suspended due to suspicious activity or due to involvement a crime.  
  • robocalls regarding the “reactivation” of your social security number. These calls  suggest that you should “press 1” to speak to a government support representative for help reactivating your social security number.

Further, scammers may advise you to:

  • withdraw funds for safekeeping or store money on gift cards in the event your assets are frozen. Scammers will then seek to steal the value of gift cards purchased by requesting the codes on the back of the gift cards.
  • withdraw cash and convert it into digital currency by depositing it in a Bitcoin ATM (where it’s accessible to them/thieves).

Many SSA scam calls appear to be coming from a spoofed SSA phone number. The number displaying in caller ids is the SSA’s fraud hotline number (1.800.269.0271). The SSA has advised that legitimate requests to confirm information will not come from the fraud hotline number. They also advise that they will never seek to confirm your SSN, ask you to send money or threaten you. If in doubt of the legitimacy of a call, you can contact the SSA’s main number: 1.800.772.1213 to confirm.

It is recommended that you do not provide your social security number or other sensitive information to unverified callers. If you have already done so, visit IdentityTheft.gov/SSA for recommendations. Imposter scams can be reported to the FTC at FTC.gov/complaint.


Update: Amazon Alexa Privacy Alert

As an update to our April 26th blog post entitled “Amazon Alexa Privacy Alert”, two lawsuits have been filed seeking class-action status regarding Amazon Alexa Echo Dot privacy issues. One lawsuit has been filed in the state court and the other has been filed in federal court. Both suits allege the routine recording of children and the indefinite storage of these voiceprints by Alexa without consent. Both suits also state that the technology is in violation of the laws of nine states, which require consent of all parties when recording, and the lawsuits seek fines, the deletion of existing recordings and prior consent for the future recording of minors.

Please note the following options and instructions for deleting recordings from Amazon Alexa (courtesy of Kim Kommando):

To delete existing recordings:

  • Go to the Alexa app and access the main menu by tapping the three lines on the top left of your screen.
  • Tap Settings, Alexa Privacy
  • Tap Review Voice History
  • From here you can delete the data for a specific day or delete All History

There is also a new feature in Amazon’s latest product, Echo 5, which will allow you to say “Alexa, delete everything I said today” or “Alexa, delete what I just said”. To enable this feature on your device:

  • Go to the Alexa app and access the main menu by tapping the three lines on the top left of your screen.
  • Tap Settings, Alexa Privacy, Review Voice History
  • Slide the toggle to the right of the option Enable deletion by voice

For more information on this and other Amazon Alexa privacy issues, please see: https://threatpost.com/amazon-alexa-secretly-records-children/145708/

Additionally, Amazon has launched an Alexa privacy hub, which can be accessed here: https://www.amazon.com/Alexa-Privacy-Hub/b?ie=UTF8&node=19149155011

Supplemental Resources:

The Ins & Outs of Text Message Phishing

Although phishing threats most commonly occur via email, please be reminded that phishing threats also occur via phone calls, social media updates and text messages. What all phishing threats have in common is that they are social engineering attempts designed to steal information or install malware.  

Text message phishing, also known as “smishing”, often attempts to lure victims with promises of free gifts, deals and debt relief. Scammers may also send messages that purport to come from trusted institutions, such as your bank, a government agency or a charitable organization. Clicking the links supplied in these messages may:

  • direct you to a spoofed website designed to look like the website of a trusted entity in an attempt to steal your credentials or money.
  • install malware on your device, such as ransomware, spyware or cryptocurrency mining code.  

Businesses and other entities commonly use numerical text message shortcodes, which allow you to send a one word answer in response to a message received. As you may know, these shortcodes can be used to trigger transactions, which will appear on your service provider’s bill. For example, if you text “PREVENT” to shortcode 90999, you will donate $10 to the American Red Cross Disaster Relief Fund. Please be advised that scammers may seek to steal money by posing as legitimate entities seeking donations or purchases via shortcodes. A recommended best practice is to check all shortcodes prior to donating or purchasing using the The U.S. Short Code Directory (https://usshortcodedirectory.com/), which is a resource for determining the authenticity of shortcodes. You can search the directory by shortcode or brand.

Please note that sending unsolicited commercial text messages to wireless devices is illegal. A commercial sender must obtain your permission first. Exceptions include:

  • non-commercial text messages, including surveys or fundraising messages
  • text messages from a company with whom you have an established relationship

AT&T, T-Mobile, Sprint, Verizon subscribers can report phishing messages to their service provider by copying the original message and forwarding it, free of charge, to 7726 (SPAM). Unwanted commercial text messages may also be reported to the FTC. Receipt of a threatening text may be reported to the FBI Internet Crime Complaint Center (IC3).   

Supplemental Recommendations:

  • Be suspicious of strange looking numbers that are not cell numbers, such as “5000” which may be used by email to text services. Scammers may use these services when texting in an attempt to mask their identity.
  • Do not visit sites via embedded links in text messages. Instead visit sites by typing a known and trusted URL into your browser’s address bar.
  • Do not click links in unexpected text messages. Clicking malicious links may lead to the installation of malware, such as ransomware or spyware. 
  • When in doubt of the legitimacy of the message, confirm with the sender via a trusted means of communication.
  • Delete messages that ask you to provide or confirm personal information. Legitimate entities do not request information in this manner.
  • Do not reply to smishing messages. Replies confirm that your phone number is active and that you review messages received.


BlueKeep Vulnerability Update

As an update to our May 15th blog post, regarding the severe security flaw, now known as BlueKeep (CVE-2019-0708), which is a Remote Desktop Services Remote Code Execution Vulnerability, please be advised of the following supplemental security recommendations from the NSA:

  • Block TCP Port 3389 at your firewalls, especially any perimeter firewalls exposed to the internet. This port is used in RDP protocol and will block attempts to establish a connection.  Note: NYU IT has confirmed that the RDP protocol at port 3389 is blocked for incoming / ingress RDP traffic.
  • Disable remote Desktop Services if they are not required. Disabling unused and unneeded services helps reduce exposure to security vulnerabilities overall and is a best practice even without the BlueKeep threat.