Why Are You Getting This?



You signed up to receive the Tips, initiated contact to stay in touch with Rebecca and/or Privacy & Security Brainiacs (PSB), or consented to receive the Tips. Please read our Privacy Note & Communication Info at the bottom of this message for more information. You may unsubscribe from there as well.

Rebecca

We would love to hear from you!

We hope you are finding all this information valuable. Let us know! We always welcome your feedback. 

FebruaryTips of the Month

• Monthly Awareness Activity
• Privacy & Security Questions and Tips
• Data Security & Privacy Beacons*
• Privacy and Security News
• Where to Find the Privacy Professor

February 7th is International Safer Internet Day and is now celebrated in approximately 180 countries and territories worldwide. It started in 2004. 

This aligns perfectly with our emotional scam theme. Why? Because emotional scams are not new. Crooks have been using them since long before the internet existed. And the scams are getting more creative, and playing on people’s emotions more than ever. 

They target everyone on the internet -- of all ages and on various sites.

What is Sextortion?

The US Department of Justice and the FBI just released this past December a warning about sextortion, a mashup of “sex” and “extortion.” 

Sextortion occurs when an individual is threatened or extorted, usually online, by a person demanding sexual content (photos/videos) or money from the targeted victim against his or her will. For example, after a child, teen or adult shares an image with someone they thought they knew or trusted. The sextorter gains the victim’s trust through deceit, coercion, or deception.

This often happens when the crooks falsely claim that they have obtained illicit photos of a person through the phone or computer webcam. We’ve gotten MANY of these messages, but we also know that there was no way they had such photos or videos.

Scammers will tell their target lies. For example, they may say they took photos or videos of someone in the bathroom or shower. 

The scammer then threatens to release the compromising material unless the victim sends additional images, money, cryptocurrency, etc. If the crooks have been able to convince the victims to provide such images, they will go ahead and release the images even if payments are made. Victims’ shame, fear, and confusion often keep them from asking for help or reporting the abuse.

For Safer Internet Day consider:

• Sharing one or more of the following videos about scams of the heart:
• Sextortion: The Hidden Pandemic. NOTE: This is not free, but available to members of the live stream services shown at the hyperlink.
• A 17-year-old boy died by suicide hours after being scammed. The FBI says it’s part of a troubling increase in ‘sextortion’ cases.
• Widow loses $430,000 in romance scam - NBC 15 WPMI
• Hunting a Romance Scammer Out of Africa (Confronted at his house)
• “I missed being in love” Romance scam victim swindled out of life savings
• FBI Salt Lake City: Tips To Avoid Romance Scams
• ‘They will punish you’: Malaysian’s death connected to internet scam in Thailand
• Plainfield family almost loses $11K to thieves using 'grandchild scam'
• Scammers now preying on grandparents with a new scheme that targets elderly victims
• BBB: Scammers targeting older adults using 'emergency scams'

• Showing the example of a real-life extortion scam email I received: 

Compare our real-life extortion scam email with a description of this widely-used message…the verbiage is the same! This is commonly called the “Professional Hacker” extortion scam. If you get such an extortion email, copy and paste one of the sentences from the message, do a search of it, within quotation marks (“”), and you will probably find similar messages that show it is an extortion scam.

What other activities do you suggest for Safer Internet Day? Are you planning to do my suggested activities or your own? Or are you doing an awareness event for a different recognized day or week in February? Let us know!

I include a list of 250 security and privacy awareness activities and resources within my book, "Managing an Information Security and Privacy Awareness and Training Program." If you’d like more ideas, check it out.

Here are a few questions we’ve received over the past several months about privacy, security, and current trends and products. We've received many!

Are the answers interesting and/or useful to you? Please let us know! Keep your questions coming!

Q: I'm 16 and an EMT. My mom wants me to share my location 24/7 including when I’m on calls. I know she just cares about me. But I’m worried too. Would that sharing violate HIPAA?

A: You are very smart to wonder about this! Organizations where EMTs work have been penalized for HIPAA non-compliance. For example, in 2019 West Georgia Ambulance, Inc. had to pay $65,000 and adopt a corrective action plan (CAP) after an unencrypted laptop containing the clear text health records of 500 patients fell off the back bumper of an ambulance. The laptop was not recovered. It contained a lot of protected health information (PHI), including the patients’ mailing addresses. 

Roughly 50% of ambulance calls are to residences. So if your mother had access to your location, she might be considered to have personal health information (PHI) for the patients you help and you could possibly be liable for releasing it. Some lawyers argue that the address is associated with the vehicle and not the patient, but others argue that within the context of the use of an ambulance to provide medical care to a patient, that address would be associated with the patient and thus then considered to be PHI.

How about a compromise with your mom? Keep your location device active when you are not responding to a patient call. As soon as an emergency call comes in, deactivate your location tracking. Discuss this with your employer and see if this is acceptable to them. If it is, let your mom know that you need to do this to protect patient privacy, and comply with legal requirements. I’m a mom too, so I understand both perspectives! Good luck!

Q: We just had our first baby. We’re so excited and babies are so cute that we’d like to share some photos with family and friends. Is sharing a photo of a naked son or daughter illegal?

A: Great question! Posting pix of a naked newborn can create problems. How are you sharing the photos? On social media or Google Photos, or another type of photo/video sharing cloud service? Via email? Hard copy? On a USB thumb drive?

Sharing naked photos of anyone of any age online and through cloud and synced services is risky. 

When you share photos of anyone under 18, that’s especially risky. Artificial intelligence (AI) is increasingly being used throughout the internet in a noble effort to identify possible pedophiles, but baby photos can often wind up triggering the senders as being possible pedophiles.

For example, a father concerned about his toddler’s swollen and rash-covered genitals took multiple photos to send to a pediatrician. The pediatrician diagnosed the problem and prescribed medicine, and the toddler was soon better. 

However, the father sent the photos using Gmail, which he had synced with Google cloud, and a few days later the Google AI flagged the father as a possible pedophile, disabled his account and alerted police, who then obtained everything in his Google account including all his internet searches, his location history, his messages and every document, photo and video he had stored within his Google accounts. Ultimately the police determined he had not been doing anything illegal. But, he never got access back into his Google account and lost all the information he had there. 

Ultimately the determination of what is illegal depends largely upon local, federal and international law enforcement decisions, often (but not always) relating to the context of the photos, videos and other types of images.

Those many different laws do not always align. For example, in the European Union sharing nude images of children under 18 is generaly illegal. Even when photos and videos are determined to not be illegal, tech companies housing the images may use AI that is engineered to remove access to accounts where the images are housed. As demonstrated with the example of the father sending photos to his pediatrician.

Here’s another consideration. When children get older, they may exercise their legal rights to bring charges against those who shared their naked baby pictures/videos without their consent. 

Case in point: A naked baby in a pool appeared on the cover of a Nirvana album. As an adult, the young man filed a lawsuit against the band for violating a federal child sexual exploitation law. (It was ultimately dismissed…twice so far.)

Consider the points in all the previous information before posting photos of your naked child. Use alternatives that do not involve online storage or sharing if you want to capture an innocent photo of a baby in a bubble bath. And consider how your child might feel as an adult.

Q: Where should I report online scams when I encounter them?

A: You can report online scams to various authorities.

In the U.S.:

Report scams to your local government 

Report the scam to your state consumer protection office. If you lost money or other possessions in a scam, report that to your local police too.

Report scams to the Federal government

You can report scams to the federal government. Government agencies use reports of scams to track scam patterns. They may even take legal action against a company or industry based on the reports. However, agencies don’t typically follow up after you report, and can't recover lost money.

Do not use the contact information included in scam messages. Use verified contact information in the USA.gov Federal agency directory to report other government imposters. 

Worldwide:

Report online and international scams

Report fake websites, emails, malware, and other internet scams to the Internet Crime Complaint Center (IC3). Those living in the US are often targeted by criminals from other countries. If you have been affected by an international scam, report it through econsumer.gov. Your report helps international consumer protection offices spot trends and prevent scams.

Do you have more suggestions? Drop us a line.

Q: My neighbors are upset that I installed a surveillance camera in front of my door. Is that reasonable? 

A: Neighborly love (or at least respect) is important. Whether or not your decision is unreasonable depends on several factors. Are you pointing the camera at their windows or doors? Or, into their yard? Perhaps into a backyard with a privacy fence? 

In the UK the court ruled in the favor of the neighbor of a homeowner who installed a security camera in his backyard.  It captured both audio and video and was pointed at an angle that also captured his neighbor’s backyard. The neighbor claimed this violated the Data Protection Act 2018 and the UK General Data Protection Regulation and took him to court. The man who installed the camera was fined £100,000 (approximately $124,000 USD).

Is this perhaps why your neighbors are offended? Is your camera capturing them on their property? Or recording the sounds from their property? 

If you are not capturing your neighbors on their property, then they do not seem to have a basis to be offended by what you are choosing to do for your own safety on your property. 

If you are not recording them or their properties, have you asked them to explain why they do not like your use of the surveillance camera? Perhaps they would love to know that you are concerned about their opinions, and then may agree that if you don’t capture them in your video feed that it will no longer be a concern.

Q: What are the most common online scams targeting those in Europe?

A: According to research and scam crackdown operations by Europol throughout October, 2022, the most common current scams include the following:



• Phishing, vishing and smishing fraud: Stolen credit card numbers are often obtained through phishing/vishing/smishing attacks when criminals contact people by phone, text messages, messaging apps or email and attempt to convince them to hand over their credit card information.
• Account takeover fraud: This fraud occurs when a criminal gains access to a user’s account on an ecommerce store. 
• Triangulation fraud: This type of fraud happens when online criminals set up a fake or replica website and entice buyers with cheap goods. The catch is that these goods don’t actually exist, or of course are never shipped.

Q: Is sextortion a problem in Australia?

A: Yes. Sextortion is a problem throughout the world. In Australia, children between 10 and 17 are most commonly targeted, with boys 15 to 17 years old being the majority of victims, according to Australian Federal Police (AFP). The average extortion amounts are between $50 and $1,000 AUD, but the AFP indicates some have been as high as $10,000 AUD. The AFP recommends parents who are concerned about a conversation their child is having with someone online should:

• Stop the chat immediately
• Block and report the account
• Report it to the Australian Centre to Counter Child Exploitation

In the U.S. 25% of sextortion targets are boys age 13 or younger.

Q: Did the Iowa Governor grant the Iowa Privacy Day proclamation request this year? If yes, YAY! If not, why not?

A: The answer is, YAY! We just found out on January 25 that it was accepted. Here is a photo of the official proclamation, with the pressed gold seal! Zoom in to see the verbiage. We have also posted a copy of it on our Privacy & Security Brainiacs page.

Q: What are the penalties for scams that prey on people’s emotions? 

A: We love the fact that hefty penalties are being assessed for online scams. These penalties can be significant, and include prison time, as well as fines. They vary from case to case, and from judge to judge. Here are a few U.S. examples:

• A 31-year-old man was sentenced to 97 months in federal prison for mail fraud and money laundering offenses related to his role in a nationwide elder fraud “grandparent” scam.
• A 36-year-old Oklahoma man was sentenced to four years in prison and ordered to pay $500,740 in restitution to the victims of the crime for an online romance scam that defrauded multiple victims across the U.S. of at least $2.5 million. 
• A 33-year-old man was sentenced to serve 27 years in prison and ordered to pay $1.7 million in restitution to his victims for a romance scam. 
• A 55-year-old man was sentenced to three years and five months in prison, to be followed by five years of supervised release, and ordered to pay restitution in the amount of $541,032.10 for committing a charity for veterans fraud scam.
• A man was sentenced to 43 years in prison followed by a lifetime term of supervised release for victimizing more than 1,100 minor girls across the US and other countries throughout the world in an extensive online sextortion scheme. 
• Two South Carolina prison inmates, ages 59 and 43, were charged with a sextortion scam that targeted an Army veteran shortly before he killed himself on Sept. 11, 2018. One of the criminals was sentenced to 10 years in prison with the last three serving on parole. The other criminal was already serving a 15-year sentence for assault and battery, and will complete that term with no additional time for the sextortion.

• Go Banking Rates for their, “Zelle Scams on Facebook Marketplace: How To Recognize and Avoid Them”
• The Salt Lake City FBI office for their Tips To Avoid Romance Scams
• The BBB for their information about how scammers are targeting older adults using 'emergency scams'
• The Federal Trade Commission (FTC) for sponsoring Identity Theft Awareness Week for 2023 from January 30 – February 3. We support this! As the January guest, Christine Abruzzi, on Data Security and Privacy with the Privacy Professor can attest to! The FTC also put out a useful warning, “Looking for a job? Scammers might be looking for you”
• Polk County, Iowa, Sheriff’s Office for their warning about phone scams using employees’ names claiming to be from the Sheriff’s office.

• AARP for their information about the “Do me a favor” scam. 
• Spokane County, Washington, Sheriff’s office for their “Scammers are Lurking” information. 
• The Organized Crime and Corruption Reporting Project (OCCRP)  for catching phone call scam crooks and providing Eurojust and Europol evidence and support to put these criminals away. They ruined so many lives; read more details about how their crimes harmed many people here.
• DocuSign for warning about scams improperly using DocuSign to commit crime.
• In the UK a warning about fake Marks and Spencers sites.  
• Reader’s Digest for their articles, “17 Facebook Scams You Need to Take Seriously,” and “If You Hear This 4-Word Phrase When You Pick Up the Phone, Hang Up Immediately.”
• Bankrate for their warning, “Biggest credit card scams to look out for in 2023.”
• ABC 15 Arizona for their report, “Job seeker loses $5,000 to online scam. How to spot the warning signs an employer is fake.”
• CBS Philadelphia for their report, “Dating apps warning users of romance scams.”
• Australian Competition and Consumer Commission ScamWatch article, “New year, new job? Beware of scammers.”
• Investopedia for their advice, “Watch Out for These Top Internet Scams.”
• Norton for their list of, “Online scams: An overview + 20 internet scams to avoid in 2023.”

*Privacy Beacons do not necessarily indicate that an organization or person is addressing every privacy protection perfectly. It simply highlights a noteworthy example of privacy-aware practices.

Hey! Did you know that we have a Privacy & Security Brainiacs page on LinkedIn? Well, we do! Please “follow” our page. We provide a lot of news, tips, advice, and other useful information on our site. Our goal is to post 3-4 times a week. We’d love to also see your comments and thoughts on our posts. 

We now have a new page dedicated to HIPAA and healthcare news, here. This is in addition to our other three news pages for specific news topics! We also have a separate news page for IoT security and privacy news. You can see it here. And, we have news for Log4j security and privacy vulnerabilities, patches, exploits, and everything else related, here. You can also get to them all from our Privacy & Security Brainiacs News Page

We have updated and reorganized our Privacy & Security Brainiacs home page. We have also updated our “Online Learning” landing page. The courses provide real-world examples and advice, and the quiz questions which support critical thinking, which results in longer-term retention of the concepts. Real-world examples help professionals identify where they need to beef up their own compliance practices. They also learn about HIPAA rights in the U.S. that they’ve never heard before. We have also created a landing page for our new Master Experts “Online Education” services.

Students of each class receive certificates of completion, showing the course name, length of the class to use for their continuing professional education (CPE) credits for the class, date completed, and any applicable information about the associated exam score. The certificates will also reflect how well students did in the class, and much, much more. Ask us about our deeply discounted beta testing user pricing.

Congratulations to Rebecca for being recognized as one of the

Top 40 Data Privacy Pioneers!

The Privacy Professor | Website

Privacy & Security Brainiacs| Website

Permission to Share



If you would like to share, please forward the Tips message in its entirety. You can share excerpts as well, with the following attribution:

Source: Rebecca Herold. February 2023 Privacy Professor Tips

www.privacysecuritybrainiacs.com.

NOTE: Permission for excerpts does not extend to images.

Privacy Notice & Communication Information

You are receiving this Privacy Professor Tips message as a result of:

1) subscribing through PrivacyGuidance.com or PrivacySecurityBrainiacs.com or

2) making a request directly to Rebecca Herold or 

3) connecting with Rebecca Herold on LinkedIn. 

When LinkedIn users invite Rebecca Herold to connect with them, she sends a direct message when accepting their invitation. That message states that in the spirit of networking and in support of the communications that are encouraged by LinkedIn, she will send those asking her to link with them her monthly Tips messages. If they do not want to receive the Tips messages, the new LinkedIn connections are invited to let Rebecca know by responding to that LinkedIn message or contacting her at rebeccaherold@rebeccaherold.com. 

If you wish to unsubscribe, just click the SafeUnsubscribe link below.