Why are you getting this?

You signed up to receive the Tips, initiated contact with Rebecca and/or PSB, and asked to stay in touch, or you consented to receive the Tips. Please read our Privacy Notice & Communication Info at the bottom of this message for more information. You may unsubscribe from there as well.

'Tis the Season for Cybercrime

The holidays are ramping-up in November. That means that scams are popping up everywhere, along with tinsel and twinkling lights.

Thank you to the many readers who sent us messages about the October Tips. We read them all!

Do you have stories, examples, or concerns about the topics covered in this issue that you would like for us to provide feedback on? Send them over! We may discuss it in an upcoming Tips.


We would love to hear from you!

Did you find the tips we provided useful? Did you like this issue? Do you have questions for us to answer? Please let us know at info@privacysecuritybrainiacs.com.

November Tips of the Month

  • Monthly Awareness Activity
  • Privacy & Security Questions and Tips
  • Data Security & Privacy Beacons*
  • Privacy and Security News
  • Where to Find the Privacy Professor

Monthly Awareness Activity

November is special for many reasons, and is the gateway to gratitude, gatherings, and gifting. Holiday spending will be about $1,800 per person this year and online shopping is way up.

Talk Money Week 2022, which is November 7–11, is a great time to plan activities that incorporate security and privacy education and awareness raising!

Most people do not realize how much money is lost through cybercrime, and through losing data because of weak (or no) security and privacy practices.

Here are some startling stats:

What can you do? 

Give a short talk, live or in a video, at your organization about these facts and stats, and then challenge others to determine the amounts of money that have been lost within your organization, city, state, immediate and/or extended family, or other types of grouping. Pinpoint why each incident happened, using the above categories.

What other activities do you suggest? Are you planning the above activities, or a different one related to Talk Money Week, in November? Let us know!

Rebecca includes a list of 250 security and privacy awareness activities and resources within her book, "Managing an Information Security and Privacy Awareness and Training Program." If you’d like more ideas, check it out.

Privacy & Security Questions and Tips

Rebecca answers hot-topic questions from Tips readers

October 2022

Here are a few of the questions we’ve received over the past several months that cover situations that could occur at various points in everyone’s lives. We’ve received many! Was this information interesting and/or useful to you? Please let us know! Also, please keep your questions coming!

Q: Medicare scam. My Texas neighborhood’s social media is blowing up with reports of Medicare fraud. Apparently, many locals are seeing charges for glucose monitoring and delivery equipment, all from the same “provider,” but none of them ordered or received it. They have reported it to Medicare, but Medicare is apparently just paying the charges and not doing anything about it. Have you heard of this happening in your area? 360 DME Supplies, LLC is the provider that is billing and getting paid for these charges. I am concerned that Medicare is unwilling to act on it.

A: Medicare and Medicaid fraud have been pursued by criminals ever since those services were introduced. We found many reports of a similar, and perhaps the same, Medicare scam. Looking further, we found several fraud cases that have been tried in court. 

One criminal in Florida was sentenced to 55 months in prison followed by 3 years of supervised release for submitting more than $2.2 million in fraudulent billings to Medicare. In another scam in New York, the criminal stole over $700,000 in bogus durable medical equipment (DME) orders, at about $500 per order. 

These types of frauds may seem like they are not being addressed by the Department of Health and Human Services (HHS) Centers for Medicare and Medicaid Services (“CMS”). We surmise that while the investigations are going on, a different part of the agency is still making the payments, until all the evidence is collected.

Be sure to continue to report these situations to the phone number listed on this Medicare site. When reporting, be sure to:

  • Write down the name of the person you are speaking to
  • Note the date and time
  • Get any case number they may assign.
  • Plus, ask them if you can call back to see how the investigation is going.

Q: I love your Q&As! I’ve learned a lot, including how to help make my older parents and overly-confident 20s-something children more security and privacy aware. Any suggestions for some good privacy- and security-improving gifts?

A: Thank you! That’s a timely and fabulous question. We’ve updated our 2020 gift list just for you! Here are some 2022 gift suggestions:

  1. The book, Cybersecurity for Grandparents: Credit Reports, Device Updates, Social Media.
  2. Privacy screens/filters: for smartphones, laptops, tablets, large monitors, IoT device screens, etc.
  3. A UPS (uninterruptible power supply) and surge protector.
  4. Backup drives: USB or actual hard drives that connect to your computer.
  5. Cable locks: To use while traveling, when working in a shared type of business space (e.g., rented work areas), when leaving the hotel room, in home offices where there are others in the house that do not live there, or when you don’t want to move your computing device.
  6. Remote locator, data wipe, and activity logging/recording tools.
  7. Portable battery chargers. Many available are small and can do a full charge on smartphones, tablets, and laptops.
  8. Subscription to anti-malware software.
  9. Backup service subscription. Make sure the service is one that has strong security and privacy practices.
  10. Encrypted USB drives. To store copies of photos, videos, important financial papers, wills, etc.
  11. Covers for webcams (e.g., a cute sticky note cube, etc.
  12. Physical privacy screen, to use in online meetings, to keep the surroundings from being seen.
  13. Related to the previous suggestion, a green screen with a background generator tool, for those who do a lot of online meetings, schooling, etc. This will keep the inside of their work areas (often in their homes) from being seen.
  14. Faraday/security sleeves/wallets/billfolds to protect credit cards, passports, etc. from having data stolen from the RFID chips within them from nearby RFID proximity readers.
  15. USB data charging port blockers, for protecting those who recharge in public USB ports. 
  16. Portable VPNs for work-from-home (WFH) folks, students, etc.
  17. Privacy clothing. Particularly to keep travelers from being a victim of pickpockets. 
  18. Two-factor authentication hardware tools. 
  19. Offline (your password is not stored in the cloud) password manager
  20. Microphone/audio device input blocker
  21. Device USB port blocker
  22. For friends and family still using landlines, a call blocker

Do you have more suggestions? Drop us a line!

Q: What new (and not well-known) scams are out there?


A: New ones emerge every day! These two seem to be increasing in frequency.

Domain Extortion Scams 

They’ve been around for years but were not being widely sent to targets. They happen more now because more people have their own domains -- particularly domains that are the name of individuals. Parents are buying their children's names as domains before or shortly after they’re born. 

Requests look like they come from a business owner or manager (often overseas). What looks like a legitimate inquiry about purchasing domains then evolves to a mention of extensions you don’t currently own. You are then told that you need to pay to get those domains in addition to the extensions you currently own. Below are some screenshots of my own experience with this, showing the order in which I received the main scam email messages.

Although I haven’t seen a complete “price list,” I was asked for tens of thousands of U.S. dollars for each domain.

  • If you get similar e-mails, don’t click on links or attachments.
  • If the email appears to come from a sender you know, your acquaintance may have had their email address hacked. Call them and tell them about the email. 

I always report these types of emails to the FBI. If you don’t feel comfortable doing that, then delete the message, and for extra security (especially if there was an attachment) delete the message from your trash bin.

Cryptocurrency Scams

Because crypto is a relatively new type of investment and payment method for the majority of the population, cybercriminals try to dupe people who are new to the field.

Organized criminals are using fake cryptocurrency sites and applications, and many victims are losing a lot of money

Here are a few red flags for cryptocurrency scams:

  • Promises of guaranteed returns on sites claiming to provide cryptocurrency. No such promises can be made with cryptocurrency. This is a scam!
  • Requirements to provide cryptocurrency in advance on sites that are taking cryptocurrency for payments. This is a scam!
  • New online “friends” who offer to show you how to invest in cryptocurrency, or ask you to send them cryptocurrency. This is a scam!

We provided a couple of beacons in this issue that also provide some good advice about cryptocurrency scams. Check them out, below.

Q: I’m going to a family reunion in early November, with many generations. While we’re eating, I’d love to discuss current scams with them so they will be on the lookout over the holidays. I’ve made a shortlist, but I know you can provide me with one that is more current. What scams would you discuss with a wide range of generations?

A: Oh, we love this question! That's a great non-controversial topic to bring up over the holidays. (But remember to talk about happy things too!)

  • Grandparent scam. The crook calls claiming to be a grandchild who is in need of money for an emergency (like theft or an accident). Many different variants exist. See more here, along with the sad story of a couple who lost $100,000. A couple was recently sentenced to several years in prison in Florida for this type of fraud.
  • Holiday scams. They abound and the FBI even publishes a “naughty” list.
  • The Google Voice scam. If you post an item for sale online or post some other type of ad (e.g., lost pet), criminals will call the phone number you provide, and tell you that you'll get a verification code from Google Voice (their virtual phone and text service). They’ll then ask you to read it back. What they are actually doing is setting up a Google Voice account in your name that they will then use to commit crimes, pretending to be you, to cover their tracks from law enforcement. Never share your verification codes with anyone!
  • Fake job frauds. During the holidays, many people take side jobs to bring in extra money. They are highly susceptible to fake job offers. Scammers take personal data (like resumes) from online job posting sites and then contact job seekers, pretending to be a recruiter or a business looking to fill openings. They will then collect more personal data from you, such as SSN, bank account number, etc. Some will even ask you to pay a job application fee. Here’s some good information about bogus job offer scams.
  • Typosquatting scams. Typosquatting is when people are tricked into visiting a fake website by registering a domain name similar to that used by genuine brands. This is nothing new. However, what is increasingly common is for these sites to be used to spread ransomware and other types of malicious code. We've tracked 200+ typosquatting domains impersonating at least twenty-seven brands, tricking site visitors into downloading various Windows and Android malware. Look closely at the domain name before visiting a site. Some of these typosquatting malicious sites are using misspellings pretending to be Google Wallet, PayPal, Snapchat, TikTok, and many other popular sites and apps. For example, the TlkTok-apq link has been used to trick people into thinking it is the TikTok app.
  • Deepfakes of celebrities are increasingly being used by unethical marketing firms to sell products. The viewer believes celebrities are promoting the products. Cybercriminals are also using deepfakes, trying to make their sites look legitimate. If a celebrity promotion seems surprising or out of character for the associated person, it could very well be a deepfake.

We could go on and on! But we don’t want to steal your joy. We’re simply providing the gift of raised security and privacy awareness!

Enjoy your family time!

Q: Several years ago my friend lost his elderly father, who was a pillar of the community. After he died, some people came forward and made claims about how he had a secret family and had committed crimes. They demanded a large amount of money to not release the “evidence” they had about these claims. Ultimately, my friend did not pay and the criminals published the claims. After years of investigative work, the son was able to prove the truth. How can I make sure that after I die my identity will not be stolen, and that my own life facts are not altered? I not only want to protect my own legacy, but I also want to keep my family from going through such a horrible situation.

A: You have no guarantee that criminals won’t try to steal the identities or tarnish the reputation of the deceased. But you can take these simple steps to reduce the likelihood.

  • Perform a regular (once a year) self-audit of all online personal data and remove as much as possible. That includes:
  • Social media accounts
  • Association and other membership sites
  • Subscription sites
  • Retail sites
  • Also delete all data on computing and storage devices, and then completely destroy the devices you no longer need.
  • Create a secure digital life box with all the information you want one or more of your survivors to have. These life boxes often include an inventory of your digital assets (network and online account IDs and passwords, digital documents, records, photos, phones, tablets, IoT devices, any other type of digital device, etc.), hard copy documents, photos, videos, jewelry, heirlooms, a list of people (and their addresses) that you want to be notified of your death, etc.
  • Include within your will explicit instructions for named individual(s) to take the actions you direct with all your digital -- as well as hard copy -- information. During this time, you might consider crafting a life story to show at your memorial service and/or put in a secured monument at a cemetery or similar location. Photos, videos, accomplishments, newspaper clippings, books, and more can all be added to your memory box.
  • Be aware that the U.S. has a revised Uniform Fiduciary Access to Digital Assets Act. All states, except for Massachusetts (which has bills pending) have adopted a version of this to address access to digital assets after a person’s death (related to the first question above).

Q: This isn’t so much of a question as a warning to your readers. I almost entered my personal information at a student loan debt relief scam site! What else could would-be victims do?

A: Thank you for this warning! We’re happy that you spotted one of the red flags of these increasingly more common student loan debt relief scams. Here are a few more:

  • Some scammers pose as organizations that can help individuals “correctly” file their loan forgiveness applications. They ask you for the fee upfront to do so. Asking you to pay upfront before they’ve even provided any help is usually illegal.
  • If the organization claims they are a federal agency, such as the US Department of Education, IRS, Treasury Department, or other, don’t believe them! Even if they include the claimed agency’s logo on their site or communications media. Look at the web URL. Legitimate federal agency URLs end in “.gov” while scammers’ sites do not. 
  • You may be asked for a fee to expedite student loan forgiveness. The process normally takes time. Legitimate government agencies will not allow your loan to disappear at the press of a button. 
  • Do not give your SSN, FSA ID, or other personal information over the phone or in an email or text; only scammers will ask you to do this.  
  • If the organization uses pressure tactics on you or tells you that you must make a decision within a very short period of time, don’t believe them. Cybercriminals want to take your money as quickly as possible, and then disappear, so they of course will be pressuring you to hurry up. 
  • We’ve sadly heard of a completely crazy tactic that works sometimes…claiming that you must sign over power of attorney to an entity to allow them to speak on your behalf. Holy cow! Don’t even think about it!
  • And of course, many of us are asked for a credit card number. Government programs similar to the student loan forgiveness program will not ask for your credit card number.
  • Military personnel (and their families) are increasingly targeted with scams. This is especially common with regard to programs providing benefits to military members, such as through the PACT Act. Information is then taken and used for identity fraud. Military families and veterans have been found to be 40% more likely than civilians to become victims of scammers and cyber thieves, with 80% of the attacks specifically taking aim at their military benefits. If you’re in the military and get an unsolicited offer from a non-government entity to help you with a benefits program, it is very likely a scam.  

Data Security & Privacy Beacons*

People and places making a difference

  • The Iowa Secretary of State for providing tips during October Cybersecurity Awareness Month.

*Privacy Beacons do not necessarily indicate an organization or person is addressing every privacy protection perfectly. It simply highlights a noteworthy example of privacy-aware practices.

Privacy & Security News

Visit the PSB News Page often!

Hey! Did you know that we have a Privacy & Security Brainiacs page on LinkedIn? Well, we do! Please “follow” our page. We provide a lot of news, tips, advice, and other useful information on our site. Our goal is to post 3-4 times a week. We’d love to also see your comments and thoughts on our posts.

We have added a large amount of news on our three news pages since the last Tips! We have our all topics Privacy & Security Brainiacs News Page. It contains news grouped by each month, and within each month by specific topic. We also have a separate news page for IoT security and privacy news. You can see it here. And, we have a huge amount of news for Log4j security and privacy vulnerabilities, patches, exploits, and everything else related, here.

Training Classes

HIPAA Basics for Business Associates

is getting great reviews!

Clients who took “HIPAA Basics for Business Associates 2022” have told us they have learned about issues that were not covered in other classes they’ve seen and taken. They also have found the real-world examples particularly helpful in not only identifying where they need to beef up their own HIPAA compliance practices, but also in helping them see where they, and their family member and friends in the U.S., have rights under HIPAA that they didn’t even know about before.

Almost Here!

We also are in the pilot phase of our first new Master Experts education classes, with the brilliant Dr. Mich Kabay, who create and was the former director of the NSA-accredited Norwich University Master of Information Security and Assurance Program, as our first Master Expert in residence. His first class being offered is Secure Coding, and his second class is Software Quality Assurance.

Now would be a perfect time for you and/or your colleagues and cybersecurity and privacy pros to take these classes. Students receive certificates, showing 2 continuing professional education (CPE) credits. class. The certificates will also reflect how well you did in the class, and much, much more. Ask us about our deeply discounted beta testing user pricing

Register Today!

Where to Find the Privacy Professor

See our Privacy & Security Brainiacs page for our business in the news!

Did you miss attending the in-person FutureCon Des Moines event on September 8? You can view Rebecca’s session, leading a discussion with prominent CISOs in different industries here.

Did you miss attending the online September 13th ISACA event presented by Rebecca, “Post-Dobbs Privacy & Compliance”? The controversial Dobbs decision, overturning Roe v Wade, is the topic for this provocative online session, covering implications for HIPAA compliance, employee security and benefits, and privacy of women's health data. You can view the recording for free, but registration is still required. Just click on the link below. 

Register HERE!

Rebecca's Radio Show

If you haven't checked out Rebecca's radio show, Data Security & Privacy with the Privacy Professor, please do. Guests discuss a wide range of

real-world topics within the data security and privacy realm.

Latest Episode

First aired on October 1, 2022

Michelle Dumay

Wacky Tobaccy and Privacy

Popular guest and medical cannabis security and privacy expert Michelle Dumay returns for this fourth in a series of shows about personal data privacy and security risks involved with cannabis sales, and discusses current laws.

Next Episode

First airs November 5, 2022

Ben Rothke

Let’s Stop the Robocall Scammers!

Security expert Ben Rothke is fed up with all these robocall scammers! He discusses the problem, the security and privacy risks that they can bring, and what needs to be done to get rid of this scourge!

The Privacy Professor | Website

Privacy & Security Brainiacs| Website

Facebook  Twitter  Linkedin  

Permission to Share

If you would like to share, please forward the Tips message in its entirety. You can share excerpts, as well, with the following attribution:

Source: Rebecca Herold. November 2022 Privacy Professor Tips.  www.privacysecuritybrainiacs.com

NOTE: Permission for excerpts does not extend to images.

Privacy Notice & Communication Information

You are receiving this Privacy Professor Tips message as a result of:

  1. subscribing through PrivacyGuidance.com or PrivacySecurityBrainiacs.com;
  2. making a request directly to Rebecca Herold; or
  3. asking Rebecca Herold to be a connection on LinkedIn.

When LinkedIn users initiate a connection with Rebecca Herold, she sends a direct message to each of them when accepting their invitations. That message states that each month, to support the LinkedIn networking purpose and goals, and to stay in touch with her links, she sends her LinkedIn connections one security and privacy tips message via email each month. If they do not want to stay in touch with her in this way, LinkedIn connections are invited to let Rebecca know they do not want to get email messages from her by responding to that LinkedIn message or contacting her at rebeccaherold@rebeccaherold.com.

If you wish to unsubscribe, just click the Unsubscribe link below.