The last thing in the world I want to hear from a client is, “I did something really stupid,” because sometimes I am inclined to agree with them. This was the case the other day. I received a very distraught call in the middle of the afternoon. My client sputtered, “I should have known better, but I just wasn’t thinking.” She went on to tell me that she received a phone call from someone who alerted her to the fact that something was wrong with her computer and that he had to remote in to fix it.
What makes this situation a bit puzzling is that she uses a Mac, and most of these fake callers say they are from Microsoft. Now for the truly terrifying part: She proceeded to let a complete stranger remotely access her computer for about an hour.
I won’t go into the recriminations she must be feeling. While I tried to offer as much comfort as possible, I am quite embarrassed that one of my clients would not think to call me, or at least tell the person calling that “I already have a computer guy who takes care of this for me.” But that is not the point of this security brief. I need to concentrate your attention on what has to happen after this atrocious event.
I could try to come up with an analogy or equivalent in real life to what occurred, but words won’t do it justice. In simple terms, it is a violation of personal space and privacy. This stranger had access to a computer that contained someone’s life story. There are documents, which detail a variety of things, such as doctor appointments, banking information, letters to family members, and the like. There are the web sites that are bookmarked as favorites, including email, financial institutions, travel sites, and periodicals. These are the bits and pieces of everyday life that criminals will take and use to their advantage.
There is a thriving black market in the digital underground. Credit card details sell for anywhere between $2 and $90; iTunes accounts go for $8, and physical credit cards for up to $190. The information this stranger could have obtained from this Mac can provide information to sell on the black market or to use for his own personal gain. I cannot stress this enough, what occurred to this client is extremely scary!
Here are the seven steps that I advise anyone in this kind of situation to take:
- Contact your bank and change your checking and savings account numbers. The stranger tried to engage in a “fair trade” incident: The cost of my service is $250, but I mistakenly transferred $3,250 to your bank account. Please send me back the $3,000 in a wire transfer. This is total, complete, absolute fraud! But if you are scared about the situation – or don’t realize the danger you are already in – you could easily send a small fortune to a criminal. Similarly, if your bank account information is stored on your computer that is personally identifiable information, which is something a criminal can use.
- Contact your credit card companies and request that they issue you new cards. Explain that your accounts may have been compromised, and that rather than wait for the charges to appear and then have to explain them, you want to be proactive. Note that any merchant with which you have a recurring charge will need to be notified of the change in card number.
- Contact the three credit reporting agencies (TransUnion, Experian, and Equifax) and have them put a credit freeze in place. Refer to https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs for more information. There may be a nominal fee for this, but your peace of mind is a priority. If any criminal attempts to open a new credit card, or purchase something that triggers a credit check, you will receive a call from the credit bureau to verify that you are, in fact, making the request. If the criminal is doing this, you can stop it immediately. Note that when you take this action it does not affect your credit score.
While you are in contact with these agencies, ask them for your current credit report – this is free. Review it to make sure it is accurate; if it is not, make sure you go through the (sometimes arduous) process of correcting any errors.
- If you have an online brokerage account, change your password! Then contact that company and find out what measures you can take to protect yourself against any fraudulent transactions.
- Change the password on your email account(s). This person may have picked up a saved password and used a translator to hack it. You don’t want your friends, acquaintances, or businesses you deal with to receive emails that purport to be from you. Make sure the password is something you can remember, but is still complex enough to be difficult to guess.
- Change the password on the Mac and the Apple Store account with it. In this case, a hacker would need the Mac’s administrator ID to install any additional software. By changing the password, the likelihood of the criminal using the old one is eliminated. Similarly, changing the password for the Apple Store account will prevent fraudulent charges for music and software from taking place. The key thing is to also update any iPhones or iPads with this same information.
- If there is any evidence that any private personal information (e.g., Social Security number, driver’s license number, or financial account number) has been misused, a report should be filed with the Federal Trade Commission (FTC) at https://www.identitytheft.gov/ and then with your local police department.
I am sure that as time goes by I will amend this list, but for now I hope this will do.
In the meanwhile, this is as close a case of possible identity theft as I have seen since I started counseling you on the risks of Internet security. And while New Jersey has an Identity Theft Prevention Act that is enforced by the Division of Consumer Affairs, it is designed for businesses to protect the personal information it collects from customers. For consumers, some additional information is available here https://www.consumer.gov/scams. It is similar to what I have proposed; you essentially have to become your own advocate after the fact to keep yourself safe. The easier, smarter, thing to do is to avoid becoming a victim in the first place.
Any questions? Send them to info@heliotropicsystems.com or call 866-912-8808.