A Consumer Action News Alert • August 2020
SCAM GRAM is Consumer Action's monthly e-newsletter alerting you to the dirtiest players in the world of tech fraud, credit card scams, ID theft and general con-artistry. Don't be fooled by liars, cheats and crooks; wise up with SCAM GRAM!
  Bad seeds  
  Over the last few weeks, people in all 50 states have been wondering if some little shop of horrors mailed them unsolicited "seeds and stuff." Many have sent the strange seeds (originating from China) along to the U.S. Department of Agriculture (USDA)--as one should--to find out what, exactly, the would-be invaders could germinate into if they hit U.S. soil. Rather than a Day of the Triffids-style plot to overthrow America, the USDA says the seeds belong to fairly benign flower, herb and vegetable species, although you still should never plant them, since they could be invasive to your local ecosystem. Still, it turns out the packets are an integral part of what's known as a "brushing" scam. Hallmarks of the scam: 1) fraudulent sellers gain access to your name, address, and sometimes even your Amazon or other online retail account; 2) they create a new account using your address (or log in to your existing account); 3) they order the product they claim to be selling from "your" account; 4) they send some cheap stand-in for the product (e.g., seeds); and, finally, 5) once the U.S. mail, Amazon, etc. marks the shipment as "received," the seller writes glowing reviews of their products under "your" account. And it's not just seeds; sellers will send any item with a weight similar to the product they claim to have sent, in order to fool the system, since the mail is weighed/tracked to make sure it reaches its destination prior to any online review being allowed. Anthony from Connecticut wrote us to say he'd received a bracelet, while others have reported getting PPE (how topical!). Matt from Florida wrote: "Y'all be getting weird, unsolicited, seeds from China while I get surprise cutlery." We're not sure if Matt would rather have gotten seeds? Either way, the Federal Trade Commission says you can keep the unordered merchandise if you want to (Matt!). If you get unsolicited stuff, change your online retailer passwords--and feel free to contact the store and let them know that they need to up their tech game to give these fake accounts the brush-off.  
  The gig is up  
  This career criminal may be wishing he could collect unemployment, but it appears he's not eligible. While searching his home under a warrant for a different case involving bank account phishing schemes, Las Vegas police discovered around a dozen unemployment benefits cards from the state of Nevada and another dozen from nearby Arizona. The benefits cards carried unemployment insurance (UI) credits that should have gone to victims. Often in these types of cases, unsuspecting individuals named on the cards haven't yet lost their jobs, but the scammer is using their information to claim they have and file for unemployment. Unfortunately, even though officials stopped the UI gravy train for this scammer, for many others across the country, business is booming--which, according to the Department of Labor, "poses a major threat to the integrity of the UI program." No kidding! Take the situation in Arkansas, for example: Even the state's own governor is one of 37,000 victims who's had benefits filed "on his behalf" by opportunistic outlaws who know that unemployment offices are simply overwhelmed by legitimate and fraudulent claims during the COVID crisis. This is why it's particularly important for consumers to remain alert to UI fraud: Don't ignore strange emails or mailed correspondence mentioning UI or benefits findings. This likely means that someone has signed you up, which means you must report it to your state UI office immediately--or risk not getting unemployment insurance if you lose your job. Don't respond to unsolicited calls to "help" you obtain UI benefits, and report it to your state UI office if you get a prepaid debit card (like the one this family received) with benefits "intended" for a long-dead relative.  
  Teamwork makes the dream work  
There's no 'I' in empowerment. It's official! Consumer Action has launched our COVID-19 Educational Project (free to the public) to empower consumers in a variety of pandemic-related situations to understand and exercise their rights. One very popular project webinar that recently brought hundreds of consumer advocates together from across the country--"COVID-19 Scams and Healthcare Fraud"--is now up on our YouTube channel to help everyone learn about the latest COVID cons. It covers those scams you're most likely to encounter, including: bogus investment "opportunities" in fake vaccines/masks, etc.; ID theft targeting Medicare and Medicaid beneficiaries, which is huge right now; and a plethora of phony or downright dangerous products commonly sold online, such as toxic hand sanitizers (think: wood alcohol....*shudder*) and "PPE" that doesn't protect. Not to brag (well, okay, to brag a little): The great thing about our new "Coping with COVID" project is that we're up on all the latest threats to consumer wellbeing, from what to do if your landlord discriminates against you because you've been diagnosed with the 'rona, to how everyone--including undocumented workers--can find financial assistance in the pandemic. (And we share this info in multiple languages.)

Plundered payment program. If you get all het up at the thought of this Houston "high roller" buying a Lamborghini and making it rain on strip clubs with the taxpayer money meant to help millions of struggling Americans keep food on the table, just know that the feds have a place for you to report such egregious grift. The man, who has since been arrested for "making false statements to a financial institution, wire fraud, bank fraud and engaging in unlawful monetary transactions," took part in what has become an all-too-common con by submitting $1.6 million in loan applications through the pandemic-era Paycheck Protection Program (PPP). The Small Business Administration (SBA)-led program has been getting billions out to small biz owners (and even, questionably, big businesses, and lawmakers involved in approving the funding) to help keep the businesses afloat and employees on the payroll while COVID rages. The speedy delivery of the funds and shocking lack of underwriting or oversight, however, has (predictably) resulted in massive fraud. And when we say massive, we mean massive, like, "an extensive nationwide scheme to file at least 90 fraudulent applications for millions of dollars in PPP loans in exchange for illegal kickbacks of portions of the loan proceeds"--and that's just one operation that the U.S. Department of Justice (DOJ) has busted so far! The SBA and DOJ have stated they will "aggressively" pursue fraud in the PPP, and are encouraging anyone with info on COVID cons to check out this webpage for a very comprehensive list of the various types of virus-related frauds floating around (and to which corresponding government agency you should report them). If the fraud is specific to PPP, Uncle Sam will thank you if you report it here. And, for the record, no one's stopping you from "turning in" those rotten lawmakers we mentioned above, too.
A promise they plan to keep. The Department of Homeland Security (DHS) has launched another COVID fraud-fighting initiative, this one called Operation Stolen Promise. From what we gather, it's different than many of the programs mentioned above. Rather than investigating and prosecuting fraud, waste and abuse in government programs, it promises (get it?) to use DHS expertise in "global trade" to put the breaks on international criminal operations. Many of these are run through the regular or dark web to "criminally exploit the pandemic" by selling and shipping dangerous counterfeit pills, bogus test kits, phony PPE, snake oil supplements and the like to "the homeland." As of this writing, the operation boasts that it has analyzed 554,374 COVID-related website domains (whew!) and made 969 COVID-related seizures worth millions in shady stuff that would have reached our shores. This Georgia woman, for example, fell afoul of Stolen Promise for illegally importing and selling a strange, unregistered pesticide (called Toamit Virus Shut Out) on eBay, to be worn as a "card-shaped device" around the user's neck (!?) in order to "lift" viruses "within 1 meter of the wearer's body, just like a portable air cleaner with its own protective cover." (These scammers can be creative!) Of course, Operation Stolen Promise can't find these kooky cons without your help, which they want so much that they've given you their personal email address: covid19fraud@dhs.gov.
In the crosshairs. While some might call this a political hit job, we're not so sure. Recent New York State attorney general (AG) allegations detailing the NRA's scandalous use of donor money are pretty damning, and so far, the gun rights group is lacking a bulletproof defense. To summarize the AG's 166-page suit: The nonprofit isn't using donor gifts to protect the second amendment rights of gun owner donors, but to prop up its execs' high livin'. The suit accuses NRA top brass of "losing" $64 million in funding over three years (money that, under the law, must be spent to further the group's mission), with much of it diverted into leadership's lavish lifestyles. According to the AG, "the organization went unchecked for decades," engaging in "years of self-dealing and illegal conduct." The NRA is firing back, suing the AG for defamation. Of course, the defense to defamation is the truth, and we'll see how this plays out in court--but until then, donors should read up on how NRA CEO Wayne LaPierre and his family "visited the Bahamas by private air charter on at least eight occasions, at a cost of more than $500,000 to the NRA," and how LaPierre and his cronies quashed efforts to stop suspect spending--including official whistleblower complaints (from senior leadership) to the board's "audit committee." And all of this on top of an estimated $100 million that the NRA had already paid out to stop scandals, along with $89,000 to settle a "potential sexual discrimination claim"...talk about dodging bullets!
The CAPTCHA might get ya! When we think of an online scam, we think of criminals rolling out the red carpet to make us want to give up our personal or financial info--which is why the latest "Netflix" email is catching recipients off guard: Clever con artists have added a CAPTCHA form to turn everything we think we know about phishing fraud on its head. As TechRadar points out, the email "masquerades as a billing error alert, pressing victims to update their payment details within 24 hours or have their Netflix subscriptions voided." Of course, the urgency raises a red flag, but as we would expect from a real company, the emailed link takes the target to a CAPTCHA page hosted on a legit domain (that hackers managed to exploit), where the victim is asked to "prove" they're not a bot (oh, the reverse psychology!) before being prompted to "log in" and give up their username, password, billing address and credit card details--over what appears to be a very realistic copycat site. Despite the novelty of this phishing attempt, our advice remains the same: If you get an email with a hyperlink to a website (any website: Amazon, your utility company, Netflix, whatever) do not follow that link! Contact the company via its official website (which you find by separately logging into your known online account or app or checking a recent billing statement). And if you take to a search engine to find the company, make sure the "official" website URL appears legit--don't Google words like "Netflix billing questions" and call the first number that pops up, because scammers often buy these types of ad words and insert their own contact info!
From the comfort of your own bed. Thinking your Zoom video is off and picking your nose in front of your coworkers while standing in your skivvies? Believe it or not, there are even more embarrassing scenarios when it comes to working from home, such as preventable security breaches resulting in stolen client information, or the downloading of ransomware resulting in your being locked out of your own computer. Fortunately, the IRS has released a five-part guide for "tax professionals" (but really, for anyone) entitled "Working Virtually: Protecting Tax [and other] Data at Home and at Work." Explained in five news releases and a bunch of shareable "e-posters" that you can read in your yoga pants, the info covered includes: how to avoid falling victim to a phishing email scam (particularly popular in the era of COVID); how to use multi-factor authentication to keep criminals out of your accounts; the importance of a VPN (virtual private network); and the use of firewalls, encryption and antivirus software to keep your computer and networks on lock. Speaking of antivirus software, Norton offers additional tips, including understanding and using the "vetted" tech tools that your company likely already offers, remembering to pay attention to often overlooked emails from IT (and other internal comms, e.g., via the company intranet) and keeping in touch with those long-lost colleagues (an often underestimated way to learn about new safety threats).
Sunlight is the best disinfectant. ID theft these days often stems from nefarious ne'er-do-wells nabbing your usernames, passwords and personal info on the dark web. With tons of data stolen via giant corporate breaches (including Equifax, Marriott, LinkedIn, Ticketfly, and the list goes on and on), it's important to shine a light on the subject to see if your info has ended up "out there." CNET posted an article about two free services (similar to "Have I been pwnd?") designed to help you expose stolen data: Mozilla's Firefox Monitor, which will search for emails associated with breaches and even allow you to set up ongoing alerts for future breaches, and Google's Password Checkup, which is helpful if you use Google's password manager service. One thing the CNET article needs to update, however, is the fact that you can now obtain free credit reports weekly, rather than only once a year. Checking your credit more frequently is a great way to make sure "you" haven't bought a house or a yacht! You can also see if your phone or internet carrier (or perhaps your credit card company or bank) is running a deal for free monitoring. For instance, in announcing its new partnership with Sprint, T-Mobile also just announced a program with McAfee called ID Aware, which customers can sign up for until the end of August to be notified "if their private info shows up on the underbelly of the internet." Other companies, like Experian, prompt users to create free accounts for a "one-time [dark web] scan" of their Social Security number, email and phone number. Worried you can't keep up with all this? We recommend simply freezing your credit at the three major credit reporting bureaus--Equifax, Experian and TransUnion--and calling it a day.