Monday, August 28, 2017

In the wake of Hurricanes Harvey and Irma, be alert for relief scams

Gulf of Mexico radar image August 24, credit NOAA

Update 30 August 2017: the Federal Trade Commission is reporting scam robocalls telling victims their flood insurance premiums are past due, and demanding immediate payment in order for their Hurricane Harvey damages to be covered. Don’t do it. Instead, contact your insurance agent.

Update 11 September 2017: everything said of Hurricane Harvey in Texas is equally true of Hurricane Irma in Florida and Georgia.

This is a blog post I do not enjoy updating after each major natural disaster, but alas where there is disaster, there are lowlifes looking to profit from it.

On August 25, Hurricane Harvey hit the middle Texas Coast as a major hurricane, packing sustained 130 mph winds. It then camped out in southeast Texas, dropping heretofore unheard-of amounts of rain along a path from east of Austin to the Houston metro area.


Two weeks later, Hurricane Irma trashed the Caribbean before running up the west coast of Florida, again bringing widespread wind damage and flooding to much of that state and its neighbors.

As appalling as it is, major internationally-publicized disasters such as this invariably are followed by "cyber opportunists," criminals who take advantage of the publicity for their own nefarious gain. Two common methods are fraudulent requests for assistance, and malware-laden websites using search engine optimization to appear high in search results for news on the events of the day.


International Business Times published an article in September 2015, as donation scams popped up to prey on the generosity of those wanting to help Syrian refugees. In this article, IBTimes cited examples of the same sort of scams appearing after the 9/11 attacks in 2001; the Haitian earthquake in 2010; and the Ebola epidemic and Nepal earthquakes of 2015. In each case, generous people wanted to support those in need after a crisis that was in the news worldwide; criminals took advantage of the publicity and created fake opportunities to donate. By various accounts, the same is already occurring with the current disaster.


If you would like to assist those affected by a disaster


Take note of the source for any requests for assistance you may receive. Numerous state and local government organizations are publishing legitimate requests for assistance. Social media posts from Harris County Office of Homeland Security Emergency Management and from Houston Police ask those with boats or high-water vehicles to call an established volunteer coordination hotline. On the other hand, posts and messages from organizations you do not recognize or cannot verify may or may not be legitimate.

After a series of natural disasters in 2015, the FBI published a warning about disaster scams, describing many different ways that malicious actors will use a major news incident to their advantage. In particular, the FBI notice included the following recommendations:

Before making a donation of any kind, consumers should adhere to certain guidelines, including the following:

  • Do not respond to any unsolicited (spam) incoming e-mails, including by clicking links contained within those messages, because they may contain computer viruses.
  • Be cautious of individuals representing themselves as victims or officials asking for donations via e-mail or social networking sites.
  • Beware of organizations with copycat names similar to but not exactly the same as those of reputable charities.
  • Rather than following a purported link to a website, verify the existence and legitimacy of non-profit organizations by using Internet-based resources.
  • Be cautious of e-mails that claim to show pictures of the disaster areas in attached files, because those files may contain viruses. Only open attachments from known senders.
  • To ensure that contributions are received and used for intended purposes, make donations directly to known organizations rather than relying on others to make the donation on your behalf.
  • Do not be pressured into making contributions; reputable charities do not use coercive tactics.
  • Do not give your personal or financial information to anyone who solicits contributions. Providing such information may compromise your identity and make you vulnerable to identity theft.
  • Avoid cash donations if possible. Pay by debit or credit card or write a check directly to the charity. Do not make checks payable to individuals.
  • Legitimate charities do not normally solicit donations via money transfer services.
  • Most legitimate charities maintain websites ending in .org rather than .com.

The State of Oregon Department of Justice added one more recommendation:

  • Never give out personal information via phone, text or email. Legitimate charities will be pleased to receive a contribution by check or other secure form of payment and will never request your bank account number or social security number. 


If you are affected by a disaster


Those directly affected by a disaster face a different sort of risk. You may already have been displaced from your home, or have lost prized possessions. You may even have lost loved ones. Scammers add insult to this injury in several ways. FEMA published a list of things to look out for:

Fraudulent building contractors. Check references, ensure the contractor (and their subcontractors) are insured and bonded, and never pay in full until the work is done.

Identity thieves. These scammers will walk through a neighborhood pretending to be government officials, and demanding personal information or payment. According to the Department of Homeland Security, federal and state workers do not solicit or accept money. FEMA and the U.S. Small Business Administration staff never charge applicants for disaster assistance, inspections or help in filling out applications.

Phony housing inspectors. FEMA inspectors have the job of verifying damage - they do not demand or accept payment, nor do they perform repairs or recommend contractors.

Federal and state representatives carry photo identification. Ask to see it. If unsure, call FEMA to verify the employee at 800-621-3362 (FEMA) or TTY 800-462-7585.

The Federal Trade Commission has some solid advice for the immediate cleanup and debris removal, as well as rebuilding your home after a disaster. Some tips:

  • Safety first: a stuck door may mean the structure has shifted and the door is holding a wall up. If in doubt, don't enter the home.
  • Take your time before signing a repair contract. Unscrupulous scammers will try to force you to make a quick decision; legitimate contractors will give you time to think.
  • Paying by credit card gives you some added protection if the contractor turns out to be fraudulent.
  • Trust your gut! If you have any doubts about hiring someone or entering into a contract, take your business elsewhere.


If you are not affected


If you are not affected, and are not helping out, stay out of the way! 

The FAA is reminding drone operators not to interfere with emergency operations. If your drone gets in the way of a Coast Guard or National Guard helicopter trying to rescue a victim, heaven help you, because I sure won't.

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen

Whois David?

I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.

Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those that are experts in something else.

When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.

For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.