An official website of the United States government
Here's how you know
A .mil website belongs to an official U.S. Department of Defense organization in the United States.
A lock (lock ) or https:// means you’ve safely connected to the .mil website. Share sensitive information only on official, secure websites.

Expert offers tips on how to avoid scams, keep online data private

  • Published
  • By Shannon Collins
  • Army News Service

Soldiers, veterans and their family members can keep their identities safe, minimize their online footprint and avoid scams by leveraging password complexity, using a password manager, separating work and personal accounts and enabling two-factor authentication.

Data privacy is how people’s information is traded and sold in the marketing and advertising space, mainly in social media with targeted marketing and spam in email.

Supervisory Special Agent Deric Palmer, Army Criminal Investigation Division, has more than 20 years of law enforcement and more than nine years focused on social media and data privacy.

Palmer said these public data brokers sell comprehensive reports on someone for as low as $20 to obtain physical addresses, email addresses, phone numbers, social media accounts, contacts such as relatives and associates, professional licenses, court proceedings or a civil lawsuit and anything else that could be used for a social engineering scam campaign.

Scams
 

While the current scams are credit repair, crypto, social media account takeover fraud and two factor authentication scams, the ones with the biggest growth are confidence and romance scams, Palmer said.

“A pretty big problem for DOD is online impersonation accounts,” he said. “It’s a multi-layered attack.”

For impersonation scams, they impersonate a general or the chief of staff of the Army. The impersonator will send a direct message via text message or social media saying, “I’m in a meeting with clients and need to get them some gift cards immediately,” or “I’m stuck in Syria and need to get $2 billion out of Syria.”

“Will a two-star or four-star be text messaging you?” Palmer said. “Would they be using the word, ‘clients’ or asking for money? You’re dealing with a scammer. Impersonation accounts are predominant on social media. We’re starting to see them on Reddit, Quora and other sites like that.”

This scam causes reputational harm for the Soldiers who aren’t even involved in the scam.

“I’ve seen impersonation accounts of high-ranking officials as well as enlisted personnel,” Palmer said. “It causes a bit of reputational harm for those individuals, their service branch and the DOD.”

For romance scams, the scammer may target men or women over the age of 50, trying to get them to send money. A young woman may lure a young Soldier into a relationship where inappropriate photos are exchanged. Then the scammer pretends to be a parent, telling the Soldier the woman was underage, in the possession of child pornography and extorts money.

The credit repair scam tells people it can help them it can increase their FICO score by 100 points or more. People concerned with their credit can raise their credit score 10 to 20 points by talking directly to creditors and the credit bureaus, he said.

Cryptocurrency scams are get-rich-fast schemes, usually citing high returns on investments, he said.

“With social media account takeover fraud, a hacker actually gets control of someone’s social media account,” he said. “They’ve hacked into the account, or they’re able to know information that showed up in a breach data site or password sale site.”

For example, a Facebook account gets hacked. The password shows up in clear text and hackers purchase it off the dark web. They’ll go in and lock the individual out of the social media account. They’ll post about fake investment opportunities; share links about applications designed to do credential harvesting; gather personal details about their victim’s friends and family members; and use that to take over their account, Palmer said.

For the two-factor authentication scam, the scammers will pretend to be friends or contacts who need to get their accounts back. They ask for your phone number or email.

“If they’re your friends or family, they already have this information,” Palmer said.

Scammers will also set up fake online websites and stores. Check the website URL. For example, the URL for Bank of America is boa.com, not bo.a.com. Also, check their tab links. If there are broken links, odds are, it’s a fake page, he said.

Tips
 

“One of the ways you can protect yourself is password complexity,” Palmer said. “A lot of people tend to utilize the same password that’s either eight to 14 characters long across multiple accounts.”

For example, someone might use FozzieBear and use variations such as FozzieBear123! The hacker can run a script in the background to get different iterations of what that password would look like and use that for brute force attacking to a specified target.

To increase password complexity, Palmer recommends using password manager applications such as 1Password, LastPass, Dashlane, Bitwarden and KeyPass.

“When setting up password manager for the first time, you’re going to have to create a master password. This is something only you would know. Not even these institutions will know what your master password is to your password manager,” he said. “This is where you want complexity. Use a pass phrase, space bars, replace letters with numbers, an exclamation point for a 1. The password manager will give you passwords up to 30 characters, making it more difficult for hackers.”

Palmer recommends siloing out bins. What this means is use separate email addresses for social media, home life, reward programs and work.

“When you start segregating your life into these buckets or silos, we want to focus on data compromise. When companies are compromised, when you’re signing up for accounts, what information does that organization hold on you?” he said.

“If we utilize the same email address in all these different types of silos, you increase your exposure, your risk or your information getting compromised,” he added.

He said two-factor authentication isn’t 100 percent effective but develops a defense for your social media, e-mail and financial information websites.

Palmer also suggests giving false answers to security questions on accounts.

“Different platforms tend to utilize the same questions, and people tend to inadvertently post information on social media,” Palmer said. “We don’t naturally look through the lens of [operational security] on social media.”

Because of this, he recommends purposely giving false answers on security questions. He also recommends using VPNs and to use all security and privacy features on social media sites.

Palmer said Soldiers, veterans and their Families can never be 100 percent safe in the cyber domain but with these tips, they can better guard their information against scams.

“Separate siloing out your accounts, utilizing a really good password complexity, utilizing a password manager and two-factor authentication, this requires a lot more work on that hacker to go after your information,” Palmer said. “It lowers cyber risk and adds defensive layers.”

With about 3,000 people assigned to more than 120 locations around the world, Criminal Investigation Division investigates and provides intelligence while working to proactively prevent crimes. These crimes impact the operational readiness of the Army.