Your Source for NPR News & Music
Play Live Radio
Next Up:
0:00
0:00
0:00 0:00
Available On Air Stations

Scammers Taking Advantage Of Retail Data Breaches

MICHEL MARTIN, HOST:

Now it's time for our Money Coach conversation. You've heard by now about the problems at a number of retail stores like Target and Neiman Marcus, where hackers were able to access supposedly private information from the millions of customers who used credit and debit cards at the stores. But now there are people trying to take advantage of that chaos and scam you again. Here to tell us more is Sheryl Harris who writes for The Plain Dealer in Cleveland. Welcome back. Thanks so much for joining us.

SHERYL HARRIS: Oh, thanks for having me on, Michel.

MARTIN: So this particularly ugly, you know, of all of the consumer fraud that you deal with. So how is exactly this working - that people are pretending to help people who were affected by this whose data may have been compromised? So now what are they trying to do?

HARRIS: OK, so really we see these all the time. They're phishing and malware-laden e-mails. But there just are a lot more vulnerable people right now because of the Target breach, the Neiman Marcus. Everyone - we know that there are large pools of people out there who may have had, you know, card data stolen. So there are e-mails, called phishing e-mails, that can go out. And they can steal, like, a Target logo or a bank logo or a Neiman Marcus logo. It doesn't matter. I mean, they just look like they're coming from a real source. And so spammers send these out to lots of different people hoping to scoop up these people who were in the breach. So...

MARTIN: So they don't know that you actually were. They're just figuring, well, if they throw it at a wide enough target, it'll hit somebody who actually was affected.

HARRIS: OK.

MARTIN: So how would you recognize - and phishing, by the way, is spelled P-H-I-S-H-I-N-G. How might you recognize one of these phishing e-mails?

HARRIS: First of all, they might know that you were in there because - don't forget - in the Target breach, e-mail was stolen. E-mail addresses were stolen. So you are particularly vulnerable because they know it's you. So they can target it at you in a way. But you will know - OK. You get an e-mail - and let's just talk about the differences between phishing and malware. So a phishing e-mail will have a link that takes you to a site that looks like a real site, and it's designed to trick you into giving your information. So say I pretend to be Target, and I say, come here and learn about credit and, you know, sign up for credit monitoring. And you go to my spoof site, which looks very much like a legitimate site, and you just start putting in your own info. You're willingly giving me all sorts of information. That's what phishing is. It gets you to give up your information. Malware is different because that means that the link is infected with code. And when you click on the link, you can get bits of code in your computer. And sometimes those are big bad things right away. And sometimes they're little bits of code that kind of sneak in, and your anti-malware doesn't find it.

MARTIN: What's the goal? What's the goal of these scammers? What are they trying to accomplish? Are they basically...

HARRIS: They both want your information.

MARTIN: ...Trying to drain your bank account?

HARRIS: They want to get information. They might want to get money. So both, really. So the malware will build itself into something that can - say, is a keylogger. And it can pay attention to when you're typing in, like, say, accounts that you have, you know, going to websites, typing in your password information, your bank account information and, you know, what your account numbers are and what your login is. So malware is meant to go retrieve information so that the bad guys can convert it into cash.

MARTIN: So what would they do, open credit cards accounts in your name that you didn't actually request and then cash them out? I mean, how would they use this information?

HARRIS: So they could do that. They could, you know, hack into your accounts get your passwords and hack into your bank or other accounts possibly. They could just find information that will let them hack into, say, your social media accounts. And then they can pretend to be Michel Martin, and they can e-mail all your friends using your contact information. And they'll say, you know, help, I'm traveling abroad...

MARTIN: Oh, yeah.

HARRIS: ...And I was robbed...

MARTIN: The classic, I've been robbed.

HARRIS: ...At my hotel.

MARTIN: Send me money.

HARRIS: Right, so they can use this information in many different ways to trick people or to get people to buy into the scam. So...

MARTIN: So let's just talk about what do you do. So the first thing you would tell people to do is don't open these e-mails, right? I mean...

HARRIS: Yes...

MARTIN: Yeah.

HARRIS: ...And so you can set on your e-mail server - you can set your spam filter pretty high. You can set it to the highest setting. And that will scoop out a lot of different types of mass e-mail mail. The other thing you can do is you can set your e-mail up to a read view. So you don't actually have to open an e-mail to look at it. You can just read it on a read. And you can delete it from there without ever having opened it. And that's really useful for those goofy e-mails that you get all the time that just contain a link. Those are deadly. Like, you just want to kill those out before...

MARTIN: So what if you did not hear this conversation, did not know about this until just this minute, and you thought, oops, I know I clicked on one of these links? What do you do now?

HARRIS: OK, so now what you want to do is you want to make sure that you can go to - that you have your firewall up to date, that you run an antivirus program, that you're kind of, like, proactively cleaning out your computer and checking for viruses. You want to make sure that you're up to date on your firewall and your antivirus. That's what you want to do. But if you don't know anything about it, don't click the links. That is my best advice ever. Like, if you get an e-mail and there's a link, unless you're expecting that e-mail, unless you just bought something and you said, yes, e-mail me the receipt, and it's an e-mail you're expecting, don't click the link.

MARTIN: What about the stores, like, that we know? Like, we know that Target and Neiman Marcus and I think Michaels and we think maybe six other retailers were affected. And there are e-mails going about saying, if you think you were affected, you know, we'd like to help you. We're going to...

HARRIS: Yeah.

MARTIN: ...Offer you a free credit report and all this other stuff. You're saying that's bogus.

HARRIS: No...

MARTIN: Those pretty much...

HARRIS: It's so confusing.

MARTIN: Are some of those legitimate?

HARRIS: Yes, some are. And it's really confusing because Target, for example, they sent out a giant e-mail to many affected customers saying, gosh, we're so sorry about this. Please, be aware of phishing e-mails and be suspicious, you know, don't click on links. Oh, and by the way, here's a link to a credit monitoring thing. And that was a legitimate e-mail. And if you hover over the links in an e-mail - you just take your cursor and you put it over those blue links - it will tell you where it's going to take you. And if that doesn't look like a company site, then you know that's a bad, bad thing. But that's kind of tricky. I would just say, don't click on the link at all.

MARTIN: And go to a credit reporting site on your own. You know, it's interesting because a lot of these times, these places have clues. I mean, like, they go to a site in - offshore that's very clearly offshore, or there are misspellings, for example, or there are spellings of commonly used words in the U.S. that are spelled differently overseas...

HARRIS: Right.

MARTIN: ...For example. So those are kind of the - because I'm sure that there's somebody listening to our conversation who's still terrified, though. So, I mean, they're thinking, wow. You know what? I'm just going to convert to cash, live off the grid. I'm done with this. Is there anything you would suggest to people going forward - we have about a minute left - just to, you know, to try to protect yourself on an ongoing basis in addition to the steps that you've already told us? Like, for example, should you streamline your finances, try to not use a debit card? Is there anything like that, or what?

HARRIS: Oh, well, definitely no one should be using debit cards for shopping. I'm sorry. I know people love it - love to do that. But the difference is if you use your credit card for shopping or cash - let's just say you use a credit card. Someone steals that credit cared information. They make a charge. You know what? You don't have to pay it 'cause it's not your charge. If they use your bank information, and they - if they steal your bank information and use it, you're out the money until you go to your bank and say, oh, that money was wrongly taken from my account. They investigate. Then they put it back. That can cause a delay, a time period where you are out your money. So I think use credit cards or cash. But I wouldn't be using debit cards for shopping.

MARTIN: Well, thanks, Sheryl. Thank you. Sobering as always, but useful. Sheryl Harris is consumer columnist for The Plain Dealer. She joined us from member station WCPN in Cleveland, Ohio. Sheryl, thanks so much for joining us. I'm not leaving my house the rest of the day.

HARRIS: Thank you.

MARTIN: That's it. I'm done. Transcript provided by NPR, Copyright NPR.

Related Stories