Having a loan or bill go to collections is bad enough as it is, but now, in the first half of 2024, the second-largest debt collection agency in the U.S. has revealed that it has fallen victim to another data breach, in which the information of nearly two million borrowers was exposed online.
As first reported by BleepingComputer, Financial Business and Consumer Solutions (FBCS) has begun notifying impacted individuals after the sensitive personal information of approximately 1,955,385 people was recently accessed by hackers.
As a nationally licensed debt collection agency, FBCS collects unpaid debts from credit card companies, healthcare organizations, car dealerships, student loans and utilities. However, unlike with the other companies you do business with, if one of your loans or bills has ended up in FBCS’ hands, you’re stuck with them.
Here’s everything you need to know about this recent data breach along with some tips and tricks on how to stay safe after your personal or financial information ends up in the hands of hackers.
Unauthorized network access
In a data breach notice (PDF) submitted to the Attorney General’s office in Maine, FBCS explained that hackers first breached its network on February 14, 2024. The unauthorized actor remained there until February 26 and during that time, they were able to “view or acquire certain information on the FBCS network.”
During that 12-day window, they could have accessed the full names, Social Security numbers (SSNs), dates of birth, account information and driver’s license numbers or ID card numbers of almost 2 million Americans.
With this information in hand, the hackers behind this breach can easily launch targeted phishing attacks, commit fraud or use social engineering for identity theft. FBCS has automatically enrolled thousands of the affected individuals in 12 months of credit monitoring through the company Cyex.
ALERT: Hackers Are Posing As ID.me To Steal Your Identity
Identity verification services like ID.me have become indispensable in the digital age. By providing a secure and convenient way to prove your identity online, ID.me opens doors to essential services and benefits. However, as with any popular online platform, scammers are finding ways to exploit these services and trick unsuspecting users.
This article will take an in-depth look at the ID.me scams popping up, how they work, and most importantly, how to avoid becoming a victim. With identity theft and online fraud at an all-time high, awareness is your best defense.
ID.me provides a valuable service as a digital identity network used by government agencies, healthcare providers, and other organizations to securely verify user identities online. By acting as a trusted validator of personal information, ID.me opens the door for people to easily access essential services and benefits.
However, this convenience also creates an opportunity for fraudsters. Scammers are increasingly impersonating ID.me through phishing campaigns in order to steal personal information from victims. Once they have the data, they can hijack identities, drain accounts, and perpetrate other forms of fraud.
These ID.me scams are growing more complex and convincing, making it crucial for users to understand the tactics and stay vigilant. Here are the main types of ID.me scams and frauds being perpetrated:
Phishing Emails
This is one of the most common vectors for ID.me scams. Victims receive emails pretending to be from the legitimate ID.me security team. These emails may:
Warn that unusual activity was noticed on your account
State that immediate account suspension will occur if no action is taken
Provide a fake deadline such as 24-48 hours to re-validate your account
Include a “Verify Account” or “Reset Password” button/link to a phishing site
If the user clicks the deceptive call-to-action button or link, they are taken to a convincing but fake ID.me login page designed to steal login credentials as well as other personal data.
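The check a mail filter or analyst can run against these traits, as an added example that is not part of the original article: it parses an HTML email body, flags any link whose real host is not id.me or a subdomain of it, and looks for the pressure wording listed above. The trusted domain, the regexes, the function names and the sample message are assumptions constructed for illustration.

```python
"""Added example: flag ID.me-impersonation emails by link host and pressure wording."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "id.me"  # assumption: the only host family treated as genuine

# Wording cues taken from the list above; the regexes themselves are illustrative.
PRESSURE_CUES = {
    "unusual_activity": re.compile(r"(unusual|suspicious) activity", re.I),
    "suspension_threat": re.compile(r"suspen(d|sion)|locked|frozen", re.I),
    "deadline": re.compile(r"\b\d{1,2}(\s*-\s*\d{1,2})?\s*hours?\b", re.I),
    "call_to_action": re.compile(r"verify (your )?account|reset (your )?password", re.I),
}


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_is_trusted(url, trusted=TRUSTED_DOMAIN):
    """True only for https URLs whose host is the trusted domain or a subdomain."""
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed URL: treat as untrusted
        return False
    if parts.scheme != "https":
        return False
    # .hostname drops any "user@" prefix and port, so "id.me@other.host" is judged
    # by other.host, and "id.me.something.example" fails the suffix test below.
    host = (parts.hostname or "").lower().rstrip(".")
    return host == trusted or host.endswith("." + trusted)


def analyze_email(html_body):
    """Return the pressure cues found and the links that leave the trusted domain."""
    collector = LinkCollector()
    collector.feed(html_body)
    text = re.sub(r"<[^>]+>", " ", html_body)  # crude tag strip for wording checks
    cues = sorted(name for name, rx in PRESSURE_CUES.items() if rx.search(text))
    untrusted = [href for href, _ in collector.links if not host_is_trusted(href)]
    return {"cues": cues, "untrusted_links": untrusted,
            "suspicious": bool(cues) and bool(untrusted)}


# Constructed sample message (not a real phishing email).
SAMPLE_EMAIL = """<p>We noticed unusual activity on your account. It will be
suspended unless you act within 24-48 hours.</p>
<a href="https://id.me.account-verify.example/login">Verify Account</a>
<a href="https://help.id.me/">Help center</a>"""

if __name__ == "__main__":
    print(analyze_email(SAMPLE_EMAIL))
```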
Smishing Text Message Scams
Similar to phishing emails, fraudsters send text messages also impersonating ID.me. They state your account is at risk of being locked or needing immediate validation via a link included. If clicked, the link directs victims to a phishing site masquerading as the legitimate ID.me site.
Once on the fake page, any information entered is captured by scammers. Smishing texts use urgency and threats to get users to comply without thinking it through.
Vishing – Phone Call Scams
This technique uses phone calls rather than messages to trick victims. Scammers posing as ID.me support agents call users claiming that suspicious activity means accounts will be suspended without immediate intervention.
The “agents” pressure and persuade victims to provide personal details or even remote access to the victim’s device, enabling installation of info-stealing malware.
Fake ID.me Websites
Beyond phishing pages, scammers also create entire fake websites impersonating the real ID.me site. Links to these fraudulent sites are sent out en masse via email spam campaigns. They are designed to capture login details and personal info from unsuspecting victims who were persuaded the site was legitimate.
Malicious Software Scams
Scammers may also use phone calls, emails, or texts to trick users into downloading malware. This can occur by:
Sending a phishing message with an infected file attachment
Persuading victims to click a link to download fake “security software”
Requesting remote access to devices in order to “diagnose connectivity issues” then installing malware
Once installed, info-stealing malware can harvest data and credentials directly from the compromised device.
Account Takeover Scams
Sophisticated scammers may attempt full account takeover rather than simple phishing. By gathering key details like usernames, passwords, and partial SSNs from data breaches, they can convince ID.me’s system they are the legitimate account owner.
This enables them to bypass identity verification and fully compromise the account. However, 2FA often thwarts these takeover attempts.
In summary, ID.me scams aim to exploit trusting users through impersonation and clever psychological manipulation. By understanding the deceptive tactics used in these scams, people can better recognize the warning signs and avoid being victimized.
How the ID.me Scams Work
Fraudsters use clever psychological tactics to manipulate victims in ID.me scams. Here is an inside look at exactly how they operate:
Step 1 – Initial Contact
Scammers initiate contact via:
Emails pretending to be ID.me security alerts
Texts claiming your ID.me account is at risk
Calls posing as ID.me support agents
Their goal is to cause panic so you act without thinking.
Step 2 – Creating Urgency
Next, scammers pressure you to take immediate action by:
Stating your account will be frozen if you don’t re-verify
Claiming the deadline to avoid suspension is approaching
Warning of penalties or losses if you don’t comply
This plants a fear of missing out, causing you to stop questioning.
Step 3 – Requesting Information
Scammers will instruct you to confirm sensitive details such as:
Login credentials
Social Security Number
Bank account info
Credit card numbers
They may pretend it’s needed to verify your identity and keep your account active.
Step 4 – Gaining Remote Access
In some cases, scammers will try to gain remote access to your device by making you:
Download suspicious files allowing control of your system
Enter codes sent to your phone number enabling account takeover
Allow screensharing applications giving them access to your data
Step 5 – Leveraging Your Identity
Once scammers have your information, they can:
Access and drain your financial accounts
Make purchases using your credit cards
Commit tax fraud with your SSN
Steal your identity to open accounts or apply for loans
The damage can be extensive if scammers successfully exploit your identity.
What to Do if You Fell Victim to an ID.me Scam
If you suspect your ID.me account or identity has been compromised, take these steps immediately:
Step 1 – Lock Down Your Accounts
Reset your ID.me password and enable two-factor authentication
Contact banks to freeze accounts potentially accessed by scammers
Place fraud alerts and monitor your credit reports closely
Change passwords on any compromised accounts
Step 2 – Report the Incident
File identity theft reports with the FTC and your local police department
Notify ID.me directly so they can secure your account
Contact companies where your identity was likely abused
Report social media and email phishing attempts
Step 3 – Monitor for Suspicious Activity
Set up account alerts to notify you of any unusual activity
Periodically get free credit reports to catch new fraudulent accounts
Review all statements thoroughly for any unauthorized charges
Sign up for identity theft protection services to detect misuse
Step 4 – Recover From the Fraud
Dispute any fraudulent charges or accounts opened in your name
Work with creditors to close fraudulent accounts and reverse damages
Update information related to your identity, accounts, and credentials
Change compromised account numbers and request replacement cards
Frequently Asked Questions About the ID.me Scam
1. What is the ID.me scam?
The ID.me scam involves fraudsters impersonating the valid ID.me identity verification service in phishing attempts via email, text messages, and phone calls. Their goal is to trick victims into revealing login credentials or sensitive personal information.
2. How do scammers carry out the ID.me scam?
Scammers initiate contact posing as ID.me through:
Fraudulent emails warning your account is at risk
Smishing texts claiming you must reverify your ID.me account
Vishing phone calls pretending there is suspicious activity
They pressure you to act urgently and provide info to avoid account suspension.
3. What techniques do scammers use in the ID.me scam?
Scammers manipulate victims using:
Fear – Threatening account suspension or penalties
Urgency – Impending deadlines to reverify accounts
Social Engineering – Pretending to be ID.me support agents
4. What information do scammers attempt to steal with the ID.me scam?
Scammers phish for:
Usernames and passwords
Bank account and routing numbers
Credit card details
Social Security Numbers
Driver’s license numbers
Digital wallet account access
5. What do scammers do with my information from the ID.me scam?
Scammers can use your information to:
Drain financial accounts
Make purchases with your credit cards
Steal your tax refund
Apply for loans or credit in your name
Access government benefits using your identity
6. How can I avoid falling for the ID.me scam?
To avoid the ID.me scam:
Never click links in unsolicited messages
Don’t provide info to incoming callers claiming to be ID.me
Verify custom URLs before entering login credentials
Enable two-factor authentication as an extra layer of security
Monitor accounts closely for unauthorized activity
7. What should I do if I fell victim to the ID.me scam?
If you fell for the scam, immediately:
Reset your ID.me password and security questions
Contact banks to freeze accounts
Place fraud alerts on credit reports
Report identity theft to the FTC and police
Close any accounts opened fraudulently
8. How can I recover from identity theft related to the ID.me scam?
To recover, be sure to:
File police reports regarding the identity theft
Dispute fraudulent charges with banks and creditors
Change compromised account numbers and request new cards
Monitor credit reports and financial statements for misuse
Sign up for identity theft protection services
9. How can I help others avoid the ID.me scam?
You can help others by:
Reporting scams and phishing emails to help shut them down
Making family and friends aware of the tactics scammers use
Encouraging people to use unique passwords and two-factor authentication
Advising caution against unsolicited calls, texts and emails
10. Who can I contact for help after falling victim to the ID.me scam?
Reach out to the following for assistance:
ID.me Support – They can secure your account
Your bank’s fraud department
Federal Trade Commission – To report identity theft
IRS – If tax fraud occurred
Local police – To file an identity theft report
The Bottom Line
ID.me provides a valuable service, but also opens the door for scammers to steal identities. Stay vigilant against phishing attempts via email, text and phone. Never click unverified links, provide sensitive information to strangers, or allow remote access to your device. If you do fall victim, take steps immediately to lock down your identity and report the fraud before irreparable harm is done. Spread awareness about these scams to help others avoid becoming victims too.
How to Stay Safe Online
Here are 10 basic security tips to help you avoid malware and protect your device:
Use a good antivirus and keep it up-to-date. It’s essential to use a good quality antivirus and keep it up-to-date to stay ahead of the latest cyber threats. We are huge fans of Malwarebytes Premium and use it on all of our devices, including Windows and Mac computers as well as our mobile devices. Malwarebytes sits beside your traditional antivirus, filling in any gaps in its defenses, and providing extra protection against sneakier security threats.
Keep software and operating systems up-to-date. Keep your operating system and apps up to date. Whenever an update is released for your device, download and install it right away. These updates often include security fixes, vulnerability patches, and other necessary maintenance.
Be careful when installing programs and apps. Pay close attention to installation screens and license agreements when installing software. Custom or advanced installation options will often disclose any third-party software that is also being installed. Take great care in every stage of the process and make sure you know what it is you’re agreeing to before you click “Next.”
Install an ad blocker. Use a browser-based content blocker, like AdGuard. Content blockers help stop malicious ads, Trojans, phishing, and other undesirable content that an antivirus product alone may not stop.
Be careful what you download. A top goal of cybercriminals is to trick you into downloading malware—programs or apps that carry malware or try to steal information. This malware can be disguised as an app: anything from a popular game to something that checks traffic or the weather.
Be alert for people trying to trick you. Whether it’s your email, phone, messenger, or other applications, always be alert and on guard for someone trying to trick you into clicking on links or replying to messages. Remember that it’s easy to spoof phone numbers, so a familiar name or number doesn’t make messages more trustworthy.
Back up your data. Back up your data frequently and check that your backup data can be restored. You can do this manually on an external HDD/USB stick, or automatically using backup software. This is also the best way to counter ransomware. Never connect the backup drive to a computer if you suspect that the computer is infected with malware.
Choose strong passwords. Use strong and unique passwords for each of your accounts. Avoid using personal information or easily guessable words in your passwords. Enable two-factor authentication (2FA) on your accounts whenever possible.
Be careful where you click. Be cautious when clicking on links or downloading attachments from unknown sources. These could potentially contain malware or phishing scams.
Don’t use pirated software. Avoid using Peer-to-Peer (P2P) file-sharing programs, keygens, cracks, and other pirated software that can often compromise your data, privacy, or both.
To avoid potential dangers on the internet, it’s important to follow these 10 basic safety rules. By doing so, you can protect yourself from many of the unpleasant surprises that can arise when using the web.
Meet Thomas Orsolya
Thomas is an expert at uncovering scams and providing in-depth reporting on cyber threats and online fraud. As an editor, he is dedicated to keeping readers informed on the latest developments in cybersecurity and tech.
Geobox: A Hacking Device That Is Basically Untraceable
In summary, a Geobox transforms the mini-computer Raspberry Pi into a Swiss-army knife type of hacking device!
Sold for a lifetime fee of $700 or a monthly rate of $80, the software is able to:
1. Spoof location
2. Mimic Wi-Fi access points
3. Manipulate DNS and network parameters while providing anonymity.
4. Copy and emulate the commonly used Wi-Fi landing page that most restaurants and concert venues use for log-on, to avoid suspicion. The operators can even charge 0.99 cents or more depending on the location and clientele where they are set up (such as a fitness gym, where the upcharge is usually $2.99 for unlimited data use or free for limited data).
Imagination is not required: this Geotool allows any person to set up a virtually untraceable Wi-Fi box of the kind most people take for granted, and to own all of the data, or even the device or laptop, once someone connects to it!
After researching a few operators using it at a popular tourist site (March, 2024), it was observed that “three malicious individuals utilized several Geobox devices, each connected to the internet. These devices served as proxies, significantly enhancing their anonymity. This approach complicated the investigation and tracking process for anyone attempting to investigate them, especially since, by default, Geobox devices do not store any logs nor any digital or paper trail for themselves or whoever logs on to the created Wi-Fi access point. They also have an amazing choice: to either create a Wi-Fi point similar to the official location name of where they are operating from, such as naming it “McDonald’s Free Wi-fi”
OR
They simply use it for their own fully anonymous purposes, such as emulating an internal Wi-Fi access point; which is quite common at Malls, shopping areas and concert venues where the general public or even workers/vendors would have no ability to distinguish between a Geobox created Wi-Fi point and the authentic one. To make it even more authentic, an operator would mimic the secure password of the host site – such as a popular shopping Mall’s password for internal Employees/Vendors.
On average it takes these bad actors only 2 – 5 minutes, using the popular $300 Flipper device in combination with the Geobox, to get the password or passcode of any device or Wi-Fi router today!
Raspberry Pi is a widespread, low-cost, and small single-board computer used for various projects and praised by enthusiasts.
However, with Geobox, it is transformed “into a potent weapon for digital deception.” The malicious software is specifically designed for the Raspberry Pi 4 Model B with at least 4GB of RAM.
The price is $700 for lifetime, which is very cheap and affordable considering the amount of data, private and personal information it can easily obtain within a few minutes of being set up once just one person unwittingly connects to it in this day and age of people expecting free or low-cost internet everywhere!
These device operators also have the ability to create a bogus free or one-time .99 cent-for-24 hour unlimited internet access via a simple landing page to mask and emulate, as an example, your favorite restaurants like McDonald’s or Starbucks!
With Geobox, malicious actors target a broad audience as the setup process is streamlined, clear, and concise, with easy-to-follow instructions also provided. The manual links to the official Raspberry website for OS installation.
Multiple tools are included with Geobox: multiple VPN connections, GPS and Wi-Fi emulation, DNS configuration, data substitution tools, network configurators, and others.
“The device’s functionality is diverse, allowing for various forms of digital manipulation and disguise. Key features include the ability to use WebRTC IP for discreet online communication and GPS spoofing to simulate different geographical locations, which is particularly valuable for activities that require geolocation manipulation. Furthermore, the Geobox can completely mask (hide) Wi-Fi MAC addresses, making the user’s network activity more difficult to trace.”
*Most High Schools and Colleges Use Wi-Fi MAC Addresses As Standard Internet and Wi-Fi Usage Tracking Controls*
The emergence of Geobox raises significant concerns and introduces new complexities for cybersecurity – as well as the general public! One simple dot or variation of a “Starbucks or McDonalds Wi-Fi” authentic connecting point at any location is all it takes for operators of a Geobox to own and obtain all of the data on your laptop/phone or any other connected device!
Armed with such an affordable and easy-to-obtain cyber device, operators can easily carry out and coordinate various attacks, such as being a data dump for anyone logging on to the newly created “free Wi-Fi”, identity theft and credit card fraud under the veil of anonymity, circumventing network restrictions and surveillance, malware distribution, credential stuffing, spreading misinformation, content piracy, etc.
It was observed one operator used Geobox in combination with two LTE-based wireless modems, “proxyfying connections via multiple chains of SOCKS and PROXY servers globally and automatic pseudo-randomly via AI”. In essence, these easy proxy steps further ensure they are anonymous and cannot be tracked unless known to be doing this activity in advance!
Leveraging several devices deployed in various locations using this model is easy if the operator has a few friends working as a small tight-knit team. Note that this device can be easily carried in a purse, bag or backpack; easily disguisable as simply being a popular Notebook or laptop.
“Once the malicious action has been conducted – they can simply wipe the device or physically destroy it if they have a hunch that they are being monitored or tracked – but this device is so cheap, simple and easy that the chances of them getting caught are slim to none and thus they simply move it to other locations depending on their intent and motives – such as an upcoming concert venue or local restaurant that people go to fully expecting and using free Wi-Fi”.
If you receive a calendar invite to view new fax documents, be careful – it’s most likely a phishing attack, attempting to obtain your identity and login credentials for your corporate accounts.
It all starts with a hijacked email account, which uses a compromised identity to send out a message containing an invitation to “view newly received documents”, via a link.
In today’s digital landscape, receiving a calendar invite for a meeting is as common as checking your email. However, amidst the sea of legitimate invites lies a new threat targeting Mac users. Hackers have now found a way to exploit calendar invites and meeting links, using them as vectors to inject malware onto unsuspecting systems.
Cyber criminals are leveraging the popularity of scheduling tools like Calendly to execute their nefarious schemes. Unlike traditional malware attacks focused on financial gain, this tactic aims to compromise users’ systems for cryptocurrency theft.
Moreover, these malicious actors are employing sophisticated social engineering tactics, presenting fake video conference links to lure unsuspecting victims into clicking. The days of Mac users feeling immune to malware threats are officially behind us.
However, all hope is not lost. By practicing vigilant cyber hygiene and exercising caution before clicking on any suspicious links or invites, Mac users can shield themselves from falling prey to these insidious malware infections. Here is another example of the most recent Calendly link cybersecurity shenanigans:
If you receive a calendar invitation to see fresh fax papers, be cautious: it’s almost certainly a phishing effort to steal your identity and login credentials for your corporate accounts.
INKY cybersecurity researchers issued the warning, which revealed the phishing effort that was initially discovered at the end of February 2022.
It all starts with a hacked email account that sends out a message inviting recipients to “see newly received documents” via a URL using a compromised identity.
It appears to be a Calendly calendar link at first glance. Calendly was most likely used, according to INKY, because anyone may sign up for a free account without having to provide their credit card information.
The plot thickens at this point. The invite pages on Calendly can be customized. Criminals constructed a fake fax document notification with all of the standard fax data (number of pages or file size, for example), then used the Add Custom Link function to inject a malicious link on the event page.
The victim is taken to the credential-harvesting page after clicking on the “preview document” link. The page in this instance is a spoof of Microsoft. However, hovering over the link reveals where it leads: INKY cautions users of https://dasigndesigns[.]com/ss/update/index.html, a hijacked site that is listed in Google, Firefox, and Netcraft threat feeds.
If the victim enters their login credentials here, the attackers will receive them, and the victim will receive an error message stating that an invalid password was entered. The victim would be sent to their site after the second attempt, which the researchers regarded as a “smart touch” that reduces suspicion.