The pain has only just begun for Equifax. Last Thursday, the giant credit bureau disclosed that hackers stole personal information for 143 million of its customers, presumably mostly Americans, but also Canadians and Europeans.

In less than 24 hours, two Oregonians, Mary McHill and Brook Reinhard, filed a federal class-action lawsuit accusing the Georgia-based company of failing to maintain adequate electronic security safeguards as part of a corporate effort to save money.

Then on Friday, Consumer Watchdog called on California state Attorney General Xavier Becerra to investigate. The advocacy group believes Equifax may have violated California’s benchmark data loss disclosure law, which requires timely notification of the victims in these types of breach cases.


John M. Simpson, Consumer Watchdog Privacy Project director, minced no words in lambasting the company for allowing senior executives to dump stock before publicly announcing the breach.

“It’s unconscionable that three top executives sold Equifax stock after the breach was discovered, but before the news was made public,” Simpson says. “The executives who sold their stock based on insider information should forfeit any profits and go to jail.”

Consumer Watchdog is asking AG Becerra to block Equifax’s attempt to push its victims into arbitration and investigate why public notification of the breach was delayed so long.

Against this backdrop, ThirdCertainty convened a roundtable of cybersecurity experts to discuss the wider ramifications of Equifax’s disclosures. Here are their comments, edited for clarity and length.

Kenneth Geers, senior research scientist, Comodo

The sheer size of this breach, which spans at least the United States, Canada and Great Britain, may have frightened some Equifax officials into selling a portion of their company shares.

On the technical side, it is critical that we learn what application was exploited, and what vulnerability was leveraged, so that other companies can take defensive action. Equifax was simply not ready for the level of responsibility that possession of this quantity and quality of digital information requires. It is alarming that, despite past cybersecurity compromises, Equifax today apparently has no chief information security officer (CISO) to talk to.

Venky Ganesan, managing director, Menlo Ventures

This isn’t just a few pieces of personal information that were hacked. A credit bureau has all of a consumer’s important information. It knows all the places people have lived, all the credit cards they have, the size of their mortgage, all their liabilities and all the payments they have missed. This is the equivalent to penetrating the Federal Reserve, not merely robbing an individual bank.

Equifax completely botched its response to the breach. They did not notify people promptly and have not told the public the full extent of the breach. Their response website is also a joke. The response may actually be worse than the breach.

Pravin Kothari, chief executive officer, CipherCloud

The Equifax breach not only affects nearly half of the U.S. population, it also includes personal data of residents in the UK. If this breach had occurred after May 2018 when the EU’s new General Data Protection Regulation (GDPR) goes into effect, Equifax could have had to pay penalties of up to $120 million (4 percent of global revenues).

The EU adopted GDPR in April 2016 and gave organizations a two-year period to prepare; however, many companies have yet to begin their compliance efforts. We expect GDPR to serve as a model for similar regulations in the U.S. and around the world, helping to protect individual privacy and thus minimize the economic threat from future data breaches.

Derek Manky, global security strategist, Fortinet

Security breaches are a reality every organization faces, whether targeted or not. An important strategy to consider in addition to proactive lines of defense, strong cyber hygiene, and actionable threat intelligence is using segmentation to reduce critical impact of a threat. Once a threat gains entry, it can spread and eventually extract the valuable assets it was sent to retrieve. Or worse, it can encrypt and hold for a high-value ransom. Segmentation is extremely valuable to limit spread and reduce impact.

Anthony Di Bello, senior product director, Guidance Software

Equifax’s breach is yet another data point, albeit a massive one, in the new reality of organizations being continuously compromised. We’ve done research that shows one in four businesses suffered direct financial losses due to a cyber attack in the past year, and the number of organizations reporting significant financial losses tripled.

We’re in a new reality where it’s not just ‘will my company get breached?’ but a question of when. Fighting back requires a well-planned endpoint detection and response strategy that can mitigate the otherwise crippling repercussions businesses are increasingly seeing from these cyber attacks.

Bob Ackerman, managing director, Allegis Capital

The direct and indirect costs of this breach, including the class-action lawsuit, could easily surpass $500 million. It is almost inevitable for a large aggregator of highly sensitive data to be breached at some point. It is a big, juicy target. There is a strong argument for decentralization of data collections. No single failure should result in a catastrophic loss.

The data should have been encrypted. No excuses—period. This is an example of the type of dataset that will benefit from homomorphic encryption (encryption for data in use) as it becomes available.

Matthew Gardiner, senior product marketing manager, Mimecast

While the collection and aggregation of consumer information to feed the generation of credit scores is tremendously important to the consumer credit market, the downside of the mass centralization of this sensitive data is risk of loss on a mass scale. This is an example of how a single breach can lead to the release of data on nearly half the U.S. population.

This data in the hands of malicious actors can be used in many ways to steal money or data from individuals and businesses and, of course, can be sold on the black market to other specialized cyber criminals. It is important that consumers and businesses take this breach seriously and double down on their security controls.

Josh Mayfield, platform specialist, FireMon

Seeing what happened to Equifax should awaken us to the realization that we must do something different. These things happen because we continue to follow an outdated playbook with directives that haven’t evolved to address the changes in the world.

Threat hunting is a discipline that uncovers the changing Tactics, Techniques and Procedures (TTPs) of sophisticated adversaries. We should demystify the notion that threat hunting is the preserve of super-elite organizations or individuals. Threat hunting involves open-ended, recursive, combinatorial search across all datasets to reveal what is currently hidden. Anyone can hunt; it only requires following the methods and principles for threat hunting.

John Gunn, chief marketing officer, VASCO Data Security

The magnitude of this breach is unprecedented, and, unlike a breach that involves credit card data, these millions of victims will be at increased risk of fraud for the rest of their lives. You cannot get a replacement Social Security number because your service provider had inadequate security measures.

Andrew Avanessian, Chief Operations Officer, Avecto

Basic security hygiene could have been enough to prevent a breach of this scale from happening. Security is never a one-time investment, it is a journey not a destination — and it requires constant thought, attention and action.

It’s crucial that those affected stay vigilant as the details exposed in this incident are enough for a hacker to commit fraudulent acts and even steal personal identities. I’d recommend watching out for emails asking to confirm personal details, or requesting username and password information. If you’re ever unsure, it’s always best to contact a company directly by phone, to check it’s an authentic communication.

By Byron Acohido
September 12, 2017

As Equifax consumers attempt to check whether they are among the 143 million individuals whose information has been compromised in a massive cyber-attack, the consumer credit reporting agency has included a clause on its TrustedID portal that could disqualify victims from joining a class-action suit.

In response to the hack, Equifax has established a website allowing individuals to check whether their personal information has been impacted. However, by using the portal and joining TrustedID, it appears from the terms of service that people are implicitly agreeing to a clause that bars them from taking part in any class action against the company: “Please read this entire section carefully because it affects your legal rights by requiring arbitration of disputes (except as set forth below) and a waiver of the ability to bring or participate in a class action, class arbitration, or other representative action. Arbitration provides a quick and cost effective mechanism for resolving disputes, but you should be aware that it also limits your rights to discovery and appeal.” The caveat was first reported by TechCrunch.

On Friday, Equifax updated its terms of service allowing consumers to opt out of this arbitration clause, but that requires them to “notify Equifax in writing within 30 days of the date that you first accept this agreement on the site,” according to The Washington Post.

One of the attorneys involved with a proposed class-action lawsuit filed on Thursday evening warned customers about using the portal.

“Equifax has placed a stealth arbitration clause, which waives the victim’s right to sue,” Ben Meiselas, attorney with Geragos & Geragos, told FOX Business on Friday. “By checking the Equifax site if you are a victim and entering your information binds a consumer to a complex arbitration scheme.”

Another problem with using the TrustedID program is that it is operated by Equifax, so consumers are once again giving sensitive information to the company.

Equifax did not return FOX Business’ request for comment at the time of publication.

Geragos & Geragos along with OlsenDaines filed a proposed class-action suit Thursday evening on behalf of two plaintiffs whose information was stored by Equifax and hacked by an unauthorized third party. The complaint alleges Equifax was negligent in failing to provide adequate technological safeguards to protect consumer information and that it should have spent more to prevent cyber-attacks, but chose not to.

Meiselas said the class-action suit against Equifax could be one of the largest “in U.S. history.” The firm is seeking up to $70 billion in damages as a result of two years’ worth of identity theft for victims, Meiselas told FOX Business. He also voiced concerns about the three executives who sold stock after the company became aware of the breach on July 29, but before it was disclosed publicly on Thursday.

 

By Personal Finance FOXBusiness

Identity theft is reaching “epidemic levels,” says U.K. fraud prevention group Cifas, with people in their 30s the most targeted group. A total of 89,000 cases were recorded in the first six months of the year, a 5 percent increase over the same period last year and a new record. “We have seen identity fraud attempts increase year on year, now reaching epidemic levels, with identities being stolen at a rate of almost 500 a day,” said Cifas CEO Simon Dukes. “The vast amounts of personal data that is available either online or through data breaches is only making it easier.” ID theft accounts for more than half the fraud that Cifas records. More than four in five crimes were committed online, with many victims unaware that they had been targeted until they received a bill or realized their credit rating had fallen. Fraudsters steal identities by gathering name, address, date of birth and bank account details, often by stealing mail, hacking computers, trawling social media, tricking people into giving details, or buying data through the dark web. Cifas said the latest figures show there has been a sharp rise in fraudsters applying for loans, online retail, telecoms and insurance products. Sources: BBC News, Huffington Post U.K.

By Byron Acohido August 25, 2017

Scam artists claiming to work for "U.S. Immigration" are calling victims across the country seeking to steal their personal information and commit identity theft, the Department of Homeland Security's inspector general warned.

The thieves are using a technique called spoofing, where they alter the caller ID so it looks like the call is coming from the Department of Homeland Security's hotline number (1-800-323-8603).

"The scammers demand to obtain or verify personally identifiable information from their victims through various tactics, including by telling individuals that they are the victims of identity theft," the U.S. Department of Homeland Security's Office of Inspector General said in its fraud alert Wednesday. It also noted that many of the scammers "reportedly have pronounced accents."

The inspector general said DHS never uses its hotline to make outgoing calls. It only uses the number to receive information from the public. It said individuals shouldn't answer calls from 1-800-323-8603, and if they do, they shouldn't divulge personal information.

Arlen Morales, a spokesman for the agency, told CNNMoney that this is the first time that the hotline has been spoofed and that it has received about a dozen complaints about the scam.


While that number may appear small, Erin Quinn, a staff attorney at the Immigrant Legal Resource Center, said the number of occurrences is likely much higher. She noted that immigrants often are afraid to come forward to report scams for fear of being ensnared in the heightened immigration enforcement dragnet.

Quinn said that she has heard of several instances in which the phone numbers for local offices of U.S. Customs and Immigration Services have been fraudulently copied and used to scam victims.

Joanne Talbot, a USCIS spokeswoman, recalled a spoofing scam in 2013 in which immigrants applying for visas, green cards and citizenship were targeted. "The scammer poses as a USCIS official and requests personal information (such as Social Security number, passport number, or A-number), identifies supposed issues in the recipient's immigration records, and asks for payment to correct these records," Ferreira wrote in an email.

Talbot also noted that USCIS never asks for any personal information or form of payment over the phone.

Fraudsters have also used phone spoofing to impersonate Internal Revenue Service agents, threatening vulnerable people like immigrants with deportation or the loss of their driver's license if they don't pay what they owe immediately.

In October, the Department of Justice filed charges against 56 individuals and five call centers, alleging they were part of a transnational criminal organization that stole millions of dollars from tens of thousands of victims through telephone impersonation scams.

Earlier this month, Bharat Patel, an Indian national living in Illinois, pleaded guilty for his role in liquidating and laundering victim payments generated through the scams, according to a USCIS press release.

According to admissions from his plea, Patel, 43, worked with people in call centers in Ahmedabad, India, who impersonated officials from the IRS or U.S. Citizenship and Immigration Services and defrauded U.S. victims. Patel said the call center operators used information from data brokers and other sources to target victims who were then threatened with arrest, imprisonment, fines or deportation if they did not pay money they allegedly owed the government.

Patel is scheduled to be sentenced on July 7. Other cases are still pending.

Immigrant advocates say that they have seen an uptick in frauds targeting immigrants in recent months.

"Generally we see an uptick in scams when there is fear in the community," Quinn said. "Any change in policy, even if it's a positive policy change, can increase the number of scams against immigrants and others."

This makes it even more important for immigrants to be vigilant if they receive a suspicious call, they say.

"As scammers seek to capitalize on the anti-immigrant political climate, people should know never to offer payment or personal information over the phone," said Steve Choi, executive director of the New York Immigration Coalition. "All official, government requests will come by mail from a verifiable address with a case reference number," he said.

by Octavio Blanco  @CNNMoney 

CNNMoney (New York)

First published April 20, 2017: 6:10 AM ET

 

The general public simply does not understand how they are affected.

I hate how corporations constantly use fear as motivation to buy something or do something. But, as I am the President of FreedomID, I see the personal impacts of Identity Fraud, first hand. I also have a comprehensive understanding of the industry, marketing gimmicks, and actual risks. I follow corporate data breach news closely and read between the lines to understand how this issue affects the everyday American. This article will provide my forthright opinion that I believe all FreedomID members and non-members need to truly understand.

Data Breaches & ID Theft are big business and insanely profitable. Sticking your head in the sand can have serious consequences. Since 2012, there have been hundreds of millions (some say billions) of compromised records in data breaches. A compromised record is a record that contains a person’s personally identifiable information (PII). At this point the Identity Theft Resource Center estimates that one in three people have had their private information compromised.

Below are some key points you need to understand.

It’s Not IF – It’s WHEN

The numbers are astounding – an identity theft occurs once every 1.9 seconds. If you are like most middle class Americans, going to work, going grocery shopping, buying from Amazon, sending emails, active on social media, have a debit card, go see the doctor and file your taxes – then it is only a matter of time before your family is dealing with an identity theft situation. It could be just a simple credit card fraud case, or it could be as serious as a criminal case wrongly filed against you. Why? Because it’s highly likely that your information has already been stolen, and will be sold on the black market. The reality – it’s just a matter of time.

You CANNOT Prevent It

I hear ads on the radio & television saying they can prevent ID theft if you have this service or that monitoring. That is absolutely false. You can take every precaution recommended by every identity professional, you can sign up for super monitoring packages, you can shut down everything you do electronically and you still cannot prevent this crime. Here’s the truth: the #1 form of ID theft is taxes and government benefits. Close behind is medical ID theft. How exactly is any ID theft protection company going to stop this from happening to you? How is a monitoring dashboard going to stop a criminal from stealing your ID, building a fake driver’s license, test driving a car and never coming back – or walking into a bank and making a withdrawal in your name? Both are actual cases that occurred in the last 12 months, by the way. So anyone who says they can prevent it from happening is falsely advertising.

Monitoring is fantastic – it can serve as a notification system that your ID is being used in certain circumstances – like a new loan or credit card is opened, for example; or that your information was sold on the black market (if you have cyber monitoring). But the notification is AFTER your information has already been compromised. It will not prevent your information from being illegally sold to begin with. Thus, it cannot prevent what happens next – it can only notify you that it did. The mess still has to be cleaned up and that is why the resolution/restoration services are so very important.

What You Don’t Know CAN Hurt You

Recently, the Kansas Department of Commerce was breached. According to the AP News release on July 21st, 2017, there were 5.5 million Social Security numbers compromised, in nine states (AR, AZ, DE, ID, IL, AL, OK, ME, VT). The breach was discovered on March 12th, 2017.

Now the part everyone missed – the department was required by law to notify the victims – via email. But they only had 260,000 email addresses on file – so they notified a dismal 5% of the victims. It gets better – they are providing ID Theft resolution services for victims (if you know you are a victim), if you call an 800 number before the end of July 2017. So to sum it up, 95% of the people whose information was compromised in this breach were not notified and the 5% that were notified can call a hotline before July 21st – if they are paying attention, and if the email didn’t go to junk or spam. So I guess the sunset on criminals using your information is just a couple months – because we put a time limit on them.

Breaches have doubled thus far in 2017 according to the ITRC, and it’s not getting any better. People’s private information is compromised in these breaches, then sold illegally to other criminals who want to profit from it. Most people don’t know they were a victim of a breach to begin with, much less taking action. There is no time horizon for you to become a victim – it could be a week, month, year or more – and you will have no earthly idea how, why, where or when your information was stolen in the first place. See #1.

It’s About Profit – Not You

ID Theft feels very personal and invasive when it happens to you. But, unlike many crimes – it really isn’t personal. You are just a number in a system and the number is worth money when stolen, sold and then used by another party.

Here is an example. A nurse working in a small doctor’s office became disgruntled and began selling medical records for $75 per record to a criminal broker who then resold these records to buyers willing to pay $1,000 for a legitimate record with good medical history and insurance. The buyer then had a procedure costing mega dollars. Of course the deductible was never paid, and was eventually turned into a collection agency – which promptly went after the actual person for payment. It took approximately $9,000 in legal fees to resolve this issue.

In a data breach the victimized company can be on the hook for significant expenses that may or may not be covered in their insurance policy. The company will use whatever means necessary to protect the COMPANY from financial liability resulting from the event such as services provided to victims, mailing costs, lawsuits etc. There are data breach regulatory laws in every state that companies must comply with. The state’s attorney general is looking out for the victims, and may require the company to provide notifications and/or ID theft services. But it is typically a negotiation requiring months of discussion and investigation depending upon the size. You should also know that six in 10 businesses fail within six months of a breach.

If you understand the previous paragraph, then you will understand why an estimated 80% of data breaches go unreported. I have spoken to countless business owners and C-Level officers about this subject. What became apparent is the need to protect the business first. The risk to the business profitability and viability was the focus – not you.

So – What Do I Do?

In conclusion, the digital world we take advantage of is a great thing. It is estimated the collective global knowledge is doubling every 13 months as a result. That is simply incredible and wonderful. The downside is your information is more easily compromised than say in 1985. I am asked all the time what they should do to prevent ID theft chaos. The answer is simple – purchase an ID Theft Management service that you can afford, with focus on resolution and reimbursement. You don’t have to spend $20 or $40 per month – you can get a solid policy that works for less than $6 per month for your entire family. Employers offer some great plans in benefit packages as well.

FreedomID offers LifeStages Family Identity Theft Protection for under $6 per month that includes $25,000 in expense reimbursement and fraudulent electronic withdrawals reimbursement. That’s about the price of a good burger from any fast food chain – but gives you and your household so much more. You can add monitoring packages as you see fit, but for far less than typical retail products. Use Promo Code Protect25 to get 25% off monthly plans here.

By Associated Press

July 21, 2017, 11:36 a.m. Updated July 21, 2017, 12:42 p.m.

TOPEKA — Hackers who breached a Kansas Department of Commerce data system in March had access to more than 5.5 million Social Security numbers in 10 states, along with another 805,000 accounts that didn't include the Social Security numbers, according to records obtained from the agency.

The department will be required to pay for credit monitoring for most of the victims of the hacking, according to records obtained through an open records request by the Kansas News Service.

Besides Kansas, the other states affected by the hack are Arkansas, Arizona, Delaware, Idaho, Maine, Oklahoma, Vermont, Alabama and Illinois.

The suspicious activity was discovered March 12 by America's Job Link Alliance-TS, the commerce department division that operates the system. It was isolated March 14 and the FBI was contacted the next day, according to testimony from agency officials to the Legislature this spring. The Kansas News Service filed its open records request May 24 and the commerce department fulfilled the request Wednesday.

A commerce department representative didn't immediately return a call Friday from The Associated Press seeking comment.

The data is from websites that help people find jobs, such as Kansasworks.com, where people can post resumes and search job openings. At the time of the hack, Kansas was managing data for 16 states but not all the states were affected.

After the hack, AJLA-TS officials called in a third-party IT company specializing in forensic analysis to verify the coding error the hackers exploited was fixed and to identify victims.

The documents show the commerce department also contracted with private companies to help victims, provide IT support and to provide legal services. The state is paying $175,000 to the law firm and $60,000 to the IT firm. The commerce department didn't provide the cost of the third contract.

Earlier testimony to lawmakers indicated a fourth company, Texas-based Denim Group, was contracted in April to review code and provide advice for improvements, which has since been implemented. The agency didn't provide documents related to that contract.

Kansas will pay for up to a year of credit monitoring services for victims in nine of the affected states. Delaware residents are eligible for three years of services because of contractual obligations to that state.

The agency said in May this was the first known breach of AJLA-TS' databases and the contractor's response exceeded requirements in Kansas law. However, the commerce department said it had sent about 260,000 emails to victims but couldn't contact all victims because it didn't have their email addresses. Kansas law does not require notification to the victims via post or telephone, the department said.

FreedomID Note: The call center for victims will only remain open through the end of July.

A day doesn’t go by when we don’t read news of a data breach at a major company, healthcare facility or financial institution. What should you do when a data breach notification letter lands in your mailbox? The best advice: Don’t panic. Just pay attention. 

Whether the trouble starts with a pilfered laptop or an insidious cyberattack, a breach of personal electronic data triggers mandatory notification laws in nearly all U.S. states and territories. If you haven’t received such a notice already, chances are, you will. 

But, receiving a breach letter doesn’t mean you’ll become a victim. It means something’s happened that could put you at risk. Faced with a breach notice, most people do one of two things—both wrong. They ignore it and throw it away or they freak out and start closing accounts. Do this instead:

  1. Read the notice carefully to learn what information may have been exposed and how. (Keep the notice in case you ever need to prove that your data was compromised through no fault of your own.) 
  1. Review the breached account. Identify what information it contained and what was compromised. Look for unauthorized activity, such as a change in address or telephone number.
  1. Know exactly what’s at risk. If it’s debit or credit card numbers only, there’s a good chance someone will try to use them. On the upside, exposure is limited and, if your bank thinks the risk is high, it will automatically reissue new cards (effectively shutting down the identity thief). Degree of risk gets stickier when data like Social Security numbers, birth dates, and addresses are stolen. This information has a long shelf life and can be traded internationally among organized criminals. It’s valuable because, unlike a single credit card number, it can spawn dozens of new accounts. While it’s less likely to be used than a single stolen credit card number (which requires much less time and work), potential damage to your good name is greater.
  1. If you’re offered a year of free credit monitoring, take it.
  1. Pay extra attention to your account and billing statements. Check for charges that aren’t yours.
  1. Check your credit report and watch for other fraud. After about 30 days (long enough for fraudulent activity to show up), log on to annualcreditreport.com to get a free copy of your credit report from each of the three major credit bureaus. Look for any unusual activity. Investigate suspicious activity and stay on top of it until the matter is resolved. Also, look for signs of fraud in your medical files, on your Social Security statement, in insurance claims, or in public records.
  1. Change all user access credentials. If you use the same passwords for other financial institutions, change them. Watch financial statements—on paper and online—for unauthorized transactions. Be aware of potential email, phone and snail-mail scams. Enable text and email alerts when possible.
  1. Notify existing creditors of the breach. Consider canceling your cards and getting new ones. Take advantage of issuers’ services that alert you to unusual transactions.
  1. Place a fraud alert on your credit file. An alert placed with any one of the three major credit bureaus signals to potential creditors that you could be a victim of identity theft.
 

NEW YORK — A security researcher says a lapse has exposed data from millions of Verizon customers, leaking names, addresses and personal identification numbers, or PINs.

Verizon Wireless says 6 million customers were affected, but the company says that none of the information made it into the wrong hands. The company says the only person who got access to the data was the researcher who brought the leak to its attention.

The security firm, UpGuard, says the problem stemmed from a cloud server that a third-party vendor had misconfigured.

Gartner analyst Avivah Litan says the issue comes down to human error and it doesn’t make sense to blame cloud service providers like Amazon and Google. She says such lapses are likely common, but it’s hard to know since we only know what’s disclosed.

Copyright 2017 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.

No matter how many criminal complaints you read, the expression “JV” always sends chills down your spine. But this line, from a complaint filed April 27 in a California federal court, stands out.

“Petersen stated that he recently received via email from JV#1 a video of JV#1’s younger brother…masturbating in a bathroom. Petersen stated that JV#1 told Petersen he had recorded JV#2 without (his) knowledge. Petersen believes JV#2 is approximately ten years old.”

JV stands for juvenile victim, an expression often used in public court documents to protect the identity of a child. Behind it is a life, probably a whole family, in tatters. Rarely do you get a true picture of how deep the damage can be; the anonymity usually prevents a full accounting of evil’s ripple effects. But not this time.

JV#1 and JV#2 are the sons of Jeremy and Sara Thompson. The swirl of sickness that consumed the family in the past several weeks is cruel. They have taken the brave, unusual step of coming forward to help others avoid the crazy nightmare they have lived—and are still living.

Nightmare begins

Life changed forever for the Thompson family on May 4. It was a normal afternoon, the Thompsons hanging out in their suburban Seattle home, enjoying time with their two seemingly well-adjusted kids, 17 and 11 (I won’t be naming them). A ring at the doorbell roused the couple, who soon found themselves talking to a Snohomish County sheriff’s officer and a social services expert on the front porch.

Their 17-year-old son has been sexually abusing his 11-year-old brother, the officers said. The FBI has pornographic videos, images and chat logs. There is strong evidence, though the parents can’t see it—yet. The officers demand to speak to the older son. He denies everything, insists it must all be a crazy mistake.

The Thompson boys caught the FBI’s attention on April 26, when federal agents arrested an alleged pedophile in California, near San Francisco, named Bryan Petersen. He was arrested along with another man in late April, according to local media reports.

The Petersen complaint chillingly cites JV#1 and JV#2. Separately, the Thompsons were told JV#1 and JV#2 are their kids. About a week later, officers were dispatched to the Thompsons’ home. That weekend, Jeremy—who works in IT—skipped sleep and spent hours conducting forensics on his kids’ computers and other gadgets, looking for any kind of evidence.

Saved by Sleuthing

“Laptops, desktops, phones, email accounts, Facebook, text messages, Snapchat, Instagram, followers, contacts. Years and years of content,” he says. “Nothing was found.”

Five days after the initial contact, the Thompsons get to speak with a detective assigned to the case. They are told about some of the evidence against their older son. They still can’t see the pornographic video, but they are told about years’ worth of family photos. But things aren’t adding up. All the photos described by the detective are harmless; they all match photos that have been posted by the family on their own social media pages. The kids on the beach, at Legoland, posing in the cockpit of an airplane.

The detective also mentions a Facebook page made by the older son that includes “gay” in the title, apparently in an effort by the boy to explore his sexuality online. That night, Thompson redoubled his digital sleuthing effort. He discovered a digital creep had been using his elder boy’s photos to create a “fan” club for him. The creator added titillation by saying the boy was possibly gay, inviting commentary on that.

End Game Becomes Apparent

Three years ago, “digital kidnapping” became the new creepy thing for parents to worry about online. I appeared on the “Today” show warning parents about this weird, but perhaps not illegal, pastime. “Kidnappers” would pilfer photos of babies, then post them on their own social media pages and pretend they were the kids’ moms and dads. They would revel in the cute compliments, create entire narratives around these faux families, and so on. At the time, folks couldn’t quite figure out what the harm was in this game. Now we know.

The man who registered the website had noticed the Thompson child when he was a finalist in a modeling contest for a national brand clothing company. Several years ago, the man had messaged the family, saying he hoped the boy would win. The Thompsons thought it was creepy at the time, but nothing more, and blocked him.

They forgot about it until the sheriff’s officer showed up at the door accusing one of their children of raping the other.

“At this moment we knew 100 percent that our son was not involved,” Thompson said.

Elaborate Faux Profiles

The perpetrator had created an alternate universe with their son at the center. The efforts were elaborate. There was a fake Facebook profile claiming to be a classmate of their child, which got 28 other classmates to accept friend requests. That gave him access to even more photos. There were other profile pages, a network of online comments and reviews, possibly even other fake child identities.

Their son had an impostor. The impostor had sent the emails and video to Petersen. The chats about abuse weren’t real. The next morning, the Thompsons visited the detective and unveiled the evidence. The case would be dropped, the investigator said, once she could verify the research. Only then did they get to see still images from the harmful video. There was a reason police couldn’t find a green shower curtain in any bathroom—the Thompson family never had one.

“The boy looked similar to a younger (version of the younger son), but it was absolutely not him. This was a massive relief. Our kids were safe. Our kids were victims,” Thompson said. “Our family members were victims. This poor boy in the video was a victim. His face continues to haunt me.”

Case Closed But Damage Done

After child protective services conducted more interviews with the younger son, and with the parents, the sheriff’s department did indeed drop the case. Shari Ireton, public information officer for the department, confirmed to me that the agency was asked to investigate potential abuse, found none, and closed the case. The FBI said it could not comment on any ongoing investigation.

(At the family’s request, I am not naming the impostor so this story does not interfere with the ongoing investigation.)

Meanwhile, what now? The kids are getting counseling to work through the trauma. The parents are left wondering what they could have done differently. And that’s the reason they’ve decided to come forward with this story.

This is the kind of crime that could only happen online. The toxic mix of twisted minds, anonymity, and social media can turn the innocent act of sharing a happy family moment into a knock on the door from the sheriff’s department. The Thompsons want you to know this can happen. They have locked down every piece of their digital lives, and they’d like you to consider doing that, too.

Bob Sullivan is a contributor to ThirdCertainty.com, where this article originally appeared.

True or False: The time for IRS-related swindles and scams is behind us — until next tax season. If you’re still reading this, you probably guessed “false.” And yep, it’s sad but true: Those pesky swindlers are still at it.

Normally, when summer arrives with its parade of warm days and fewer demands on our attention, there is a quiet month or so when very little happens in the way of IRS-related activities (quarterly payments being the only thing you might expect on a list of tax-related things to do). So, you should be safe from the current scam making the rounds — but you’re not. The IRS recently issued a warning about a scam that’s been luring summertime tax-fraud victims.

You know never to respond to a phone call from the IRS, because — say it with me — they never call. (The agency does have debt collectors representing it now, but you’ll receive several notices before they call you, and you can expect to be contacted by one of four firms — CBE Group, ConServe, Performant and Pioneer Credit Recovery — not an IRS agent; more on this below.) Well, this latest scam put a saddle on that old nag and has been taking taxpayers for a ride.

Here’s how: You get a call from the IRS telling you about official correspondence sent via snail mail — certified mail, no less. The letters were returned to the IRS as undeliverable. They tried to mail you the notice you needed. They have to call you.

So, what do you do? Hang up.

The thing about these scams is that they always have the ring of truth to them. (Remember, con man is short for confidence man.) If you stay on the phone, you will be informed that there was an issue with your tax return and you owe money that is extremely late in getting where it’s supposed to be. You have to pay with a card that is connected with the Electronic Federal Tax Payment System (EFTPS). Sounds legitimate, because the EFTPS is one of the ways you can pay your taxes. That said, you can’t do it with a gift card or any other kind of prepaid card, which is what the scam requires to pay out the fraudster. (You can also pay taxes with credit cards.)

The IRS never calls to bird-dog money, although there is one new exception. Congress has mandated that the IRS hire collection agencies to chase certain extremely delinquent taxpayers. If you receive such a call, get off the phone and contact the IRS directly to verify the situation.

Also bear in mind that taxpayers who owe the IRS money generally know it. They have received multiple notices, did not dispute the assessments and/or did not make the payments. If you get a surprise call asking for money, be doubtful. (You can see how unpaid taxes are impacting your credit by viewing two of your credit scores for free on Credit.com.)

Can You Scam-Proof Yourself?

In this particular instance, you actually can avoid getting got 100% of the time. It’s pretty simple: Simply hang up. But there is no way to absolutely scam-proof yourself.

There are more ways to get burned by tax scams than you can shake a beach umbrella at — bogus tax preparers, scam artists who file a tax return using your identity and steal the refund, sleazeballs who promise huge tax refunds for an extra fee, which is nothing compared to the penalty you will pay after the IRS audits you.

My book Swiped: How to Protect Yourself in a World Full of Scammers, Phishers, and Identity Thieves provides countless stories about how cyber criminals lure victims, but the best way to stay safe is to do what you’re doing now: Stay aware.

Adam Levin is chairman and founder of CyberScout and co-founder of Credit.com, where this article originally appeared.