Peter Tumilag, an OFW in the United Arab Emirates, made a purchase from a Chinese online shopping site.
A few days later he received information that his shopping account had been compromised and that there was a data breach.
Privacy and data protection are among the most discussed information technology topics.
There have been local breaches detected by the National Privacy Commission (NPC) involving banks, fast food chains and, most recently, privacy violations by financing companies using apps. These companies used private personal data and sent emails and texts to friends or contacts of borrowers who owe them money. The NPC moved to shut down 26 of 62 financing companies investigated for privacy breaches.
Stiff penalties are being handed out to companies that have experienced data breaches. The Philippines has one of the toughest, tiered penalty structures–as much as P500,000 for the simple act of not assigning a Data Privacy Office (DPO), or up to P5M and over for breaches that involve the release of private sensitive information.
This makes privacy a target for fraudsters who are eager to earn money at the expense of others.
After Tumilag received an email informing him of a privacy breach, he assumed that it was because of the purchase he made, mostly because of the timing and the way the cybercriminals worded the email. But instead of merely being informed of a data breach, Tumilag was told he would receive compensation for it, allegedly charged to the erring shopping company.
Kaspersky experts have detected this new online fraud scheme. It is designed to trick people into thinking they are owed compensation for a personal data leak; the scammers then urge users to buy “temporary US social security numbers” worth around $9 (P50) each. A small sum to pay, but the volume of people fooled could be massive.
Victims were found in Russia, Algeria, Egypt and the UAE, as well as other countries.
The scheme involves a website allegedly owned by the Personal Data Protection Fund, founded by the US Trading Commission. This fake website looks like a legitimate site but carries a different URL. On the website (which is in Russian but with available translations to most languages) the fake fund “issues compensation to those who may have been subject to a personal data leak and is available to citizens from any country in the world.”
“The scammers themselves are most likely Russian speakers, as suggested by the request for payments in rubles, plus the suspicious similarity of the scheme to other easy money offers that regularly tempt residents of Russia and the CIS. The e-bait in those schemes varies – giveaways, surveys, secret retirement savings, even a part-time job as a taxi dispatcher – but they tend to be in Russian (as are some of the preceding links),” Tatyana Sidorina, security expert at Kaspersky said.
The site can easily fool the unwary. It offers to check whether the user’s data has ever been leaked. For this, one needs to provide their surname, first name, phone number, and social media accounts.
The promised compensation is anywhere between $10,000 and $1 million. But an SSN is required. Residents of countries outside the US, to be able to get the alleged compensation, need to “purchase” their own “temporary social security number (SSN).”
Thus in any possible scenario–be it the absence of an SSN or entering a correct, existing SSN–the website reports an error and offers to sell a temporary one for the $9 (PHP 450) price. Upon agreement, the victim is redirected to a payment form in Russian or English, with the purchase price specified in rubles or dollars respectively. Which form is shown depends on the victim’s IP address.
“The bottom line is always the same: the juicy promise of quite a bit of easy money, followed by a demand to pay for an inexpensive service, be it a commission, a ‘securing’ payment, or a temporary SSN. The new scheme is quite a topical one and is related to offering compensation for data leaks. Once some organizations have started to pay users, fraudsters decided there is a monetary opportunity for them as well,” Sidorina says.
In order to stay protected from the potential risks of online fraud, Kaspersky experts advise not to trust payment offers. The rule is that “if we are asked to pay something to then receive the funds, you can be doubly sure it’s a swindle.” Next, always go for trusted resources. One way is to use a reliable security solution, such as Kaspersky Security Cloud, for comprehensive protection from a wide range of threats. It is also imperative to investigate the URL or search for the organization to see if it actually exists and, if it does, take a close look at its website–read the “About Us” page or do a language evaluation. As a rule, a reputable organization will not publish text full of errors and typos.