Tuesday, March 22, 2016

In the wake of a disaster, be alert for relief scams

Hurricane Isabella in 2003, seen from the International Space Station. Credit Mike Trenchard, Earth Sciences & Image Analysis Laboratory, Johnson Space Center


Updated 2016 October 7: As Hurricane Matthew makes its way up the US East Coast, I've updated this post with advice both for would-be givers dodging fake charities, and for those affected by disaster avoiding unscrupulous contractors.

On the morning (local time) of Tuesday, March 22, 2016, an airport and a metro train station in Brussels, Belgium, were struck by separate but presumably linked explosions (warning: the linked articles contain some disturbing images).

As appalling as it is, major internationally-publicized disasters such as this invariably are followed by "cyber opportunists," criminals who take advantage of the publicity for their own nefarious gain. Two common methods are fraudulent requests for assistance, and malware-laden websites using search engine optimization to appear high in search results for news on the events of today.


International Business Times published an article in September 2015, as donation scams popped up to prey on the generosity of those wanting to help Syrian refugees. In this article, IBTimes cited examples of the same sort of scams appearing after the 9/11 attacks in 2001; the Haitian earthquake in 2010; and the Ebola epidemic and Nepal earthquakes of 2015. In each case, generous people wanted to support those in need after a crisis that was in the news worldwide; criminals took advantage of the publicity and created fake opportunities to donate. There is no reason to expect the same will not happen in the coming days.



If you would like to assist those affected by a disaster


KnowBe4 published a similar brief article following the April 2015 earthquake in Nepal, discussing the types of ways malicious actors would try to steer web users toward false aid organizations. Around the same time, the FBI published a warning about disaster scams with a broader scope, describing many different ways that malicious actors will use a major news incident to their advantage. In particular, the FBI notice included the following recommendations:

  • Before making a donation of any kind, consumers should adhere to certain guidelines, including the following.
     
  • Do not respond to any unsolicited (spam) incoming e-mails, including by clicking links contained within those messages, because they may contain computer viruses.
     
  • Be cautious of individuals representing themselves as victims or officials asking for donations via e-mail or social networking sites.
     
  • Beware of organizations with copycat names similar to but not exactly the same as those of reputable charities.
     
  • Rather than following a purported link to a website, verify the existence and legitimacy of non-profit organizations by using Internet-based resources.
     
  • Be cautious of e-mails that claim to show pictures of the disaster areas in attached files, because those files may contain viruses. Only open attachments from known senders.
     
  • To ensure that contributions are received and used for intended purposes, make donations directly to known organizations rather than relying on others to make the donation on your behalf.
     
  • Do not be pressured into making contributions; reputable charities do not use coercive tactics.
     
  • Do not give your personal or financial information to anyone who solicits contributions. Providing such information may compromise your identity and make you vulnerable to identity theft.
     
  • Avoid cash donations if possible. Pay by debit or credit card or write a check directly to the charity. Do not make checks payable to individuals.
     
  • Legitimate charities do not normally solicit donations via money transfer services.
     
  • Most legitimate charities maintain websites ending in .org rather than .com.

The State of Oregon Department of Justice added one more recommendation:

  • Never give out personal information via phone, text or email. Legitimate charities will be pleased to receive a contribution by check or other secure form of payment and will never request your bank account number or social security number. 
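As an added illustration (not from the original post, the FBI notice, or the Oregon DOJ), here is a small Python checker that applies two of the rules above, the "copycat name" check and the ".org rather than .com" check, to a donation link's domain. The allow-list of charity domains is constructed for the example, and a single-label TLD such as .org is assumed.

```python
# Added example (not from the post or the FBI notice): apply the "copycat name"
# and ".org vs .com" rules to a candidate domain. The allow-list is constructed.
KNOWN_CHARITIES = {"redcross.org", "unicef.org", "savethechildren.org"}

# Character substitutions commonly used to make a look-alike name
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize(label: str) -> str:
    """Lower-case, drop hyphens and undo homoglyph tricks: 'Red-Cr0ss' -> 'redcross'."""
    label = label.lower().replace("-", "")
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label

def split_domain(domain: str) -> tuple:
    """Return (registrable label, tld); assumes a single-label TLD such as .org."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2], parts[-1]

def classify(domain: str) -> str:
    """'known' (on the allow-list), 'copycat' (resembles one but is not it) or 'unknown'."""
    label, tld = split_domain(domain)
    if f"{label}.{tld}" in KNOWN_CHARITIES:
        return "known"
    for known in KNOWN_CHARITIES:
        k_label, _ = split_domain(known)
        if normalize(label) == normalize(k_label) or levenshtein(label, k_label) <= 2:
            return "copycat"
    return "unknown"

def warnings(domain: str) -> list:
    """Plain-language reasons a user should not trust a donation link to this domain."""
    notes = []
    if classify(domain) == "copycat":
        notes.append("copycat name: resembles a known charity but is not it")
    if split_domain(domain)[1] != "org":
        notes.append("not a .org domain: most legitimate charities use .org")
    return notes
```

A domain that comes back "unknown" is not proof of anything either way; that is where the FBI's advice to verify the organization through independent resources applies.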


If you are affected by a disaster


Those directly affected by a disaster face a different sort of risk. You may already have been displaced from your home, or have lost prized possessions. You may even have lost loved ones. Scammers add insult to this injury in several ways. FEMA published a list of things to look out for:

  • Fraudulent building contractors. Check references, ensure the contractor (and their subcontractors) are insured and bonded, and never pay in full until the work is done.
     
  • Identity thieves. These scammers will walk through a neighborhood pretending to be government officials, and demanding personal information or payment. According to the Department of Homeland Security, federal and state workers do not solicit or accept money. FEMA and the U.S. Small Business Administration staff never charge applicants for disaster assistance, inspections or help in filling out applications.
     
  • Phony housing inspectors. FEMA inspectors have the job of verifying damage - they do not demand or accept payment, nor do they perform repairs or recommend contractors.


Federal and state representatives carry photo identification. Ask to see it. If unsure, call FEMA to verify the employee at 800-621-3362 (FEMA) or TTY 800-462-7585.

The Federal Trade Commission has some solid advice for the immediate cleanup and debris removal, as well as rebuilding your home after a disaster. Some tips:

  • Safety first: a stuck door may mean the structure has shifted and the door is holding a wall up. If in doubt, don't enter the home.
     
  • Take your time before signing a repair contract. Unscrupulous scammers will try to force you to make a quick decision; legitimate contractors will give you time to think.
     
  • Paying by credit card gives you some added protection if the contractor turns out to be fraudulent.
     
  • Trust your gut! If you have any doubts about hiring someone or entering into a contract, take your business elsewhere.

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen

Whois David?


I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.

Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those that are experts in something else.

When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.

For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.