You may want to keep a close eye on your credit if you’ve worked or shopped at JCPenney. The ShinyHunters hacking group last week claimed to have stolen hundreds of thousands of records from the department store and several other well-known retail brands operating under Catalyst Brands and Authentic Brands Group.
The hacking group posted the alleged breach on its leak site on Friday, warning that affected companies have until Monday to contact each other before details are revealed.
JCPenney has not publicly responded to the claim, and ShinyHunters has not published any samples to verify it. Still, what the group says it has is shocking: Social Security numbers, dates of birth, W-2 tax records, payment information, physical scans of government-issued IDs and driver’s licenses, and other personally identifiable information. It is not yet clear whether the stolen data only affected employees (and former employees) or whether customer data was also included.
While passwords are easy to change after a potential hack, Social Security numbers and government IDs are not. They last for years and are among the most useful tools available to identity thieves. In addition, stolen W-2s and payroll records can fuel phishing attacks by providing detailed personal and professional information.
ShinyHunters claim has not been verified, but their track record gives it some credibility. The group has been tied to major data theft and fraud campaigns, including a major cyberattack last year that resulted in several other companies and breaches at Ticketmaster, AT&T, Canvas and Rockstar Games.
In the meantime, it’s best to stay alert and take extra precautions if you have an account at JCPenney or other retail brands connected to the Catalyst Brands and Authentic Brands Group, such as Aéropostale, Brooks Brothers, Lucky Brand and Nautica. Consider freezing your credit, be aware of breach warnings and keep an eye out for any unusual tax or payment notices in the coming days.
Some current scams to watch out for
Housing assistance program
The Federal Trade Commission (FTC) announced last week that it is refunding nearly $3 million to consumers who were defrauded by a home improvement program that operated under a network of names, including Golden Home Services, Home Matters USA and Academy Home Services. These scam companies falsely promised to lower mortgage payments and prevent foreclosures, taking millions of dollars from people struggling financially. A federal court banned the companies and their employees from telemarketing and debt relief businesses.
Now, the FTC is sending checks to 1,821 affected consumers, and recipients have 90 days to cash them. If you think you may be eligible, contact the refund administrator, JND Legal Administration, at 1-833-674-0067. Remember that the FTC will never ask you to pay anything to get a refund.
Fake VA postcards
The Department of Veterans Affairs (VA) is warning veterans about a new postcard scam in which fraudulent mailers claim that the recipient or their spouse is entitled to more VA benefits — including more health care and dental coverage — regardless of their disability rating. The postcards are designed to look official and instruct veterans to call the number immediately, sometimes within five days. According to the VA, the goal is to get recipients on the phone, where scammers can convince them of their military service before trying to collect sensitive information like your Social Security number, bank account information or other personal data.
The VA says veterans should not call unverified numbers on suspicious cards and should hang up immediately if they receive unsolicited calls asking for personal or financial information. Don’t trust benefits offers that come out of the blue – especially if they pressure you to respond quickly – or call a number listed on a suspicious postcard. Instead, confirm benefit questions directly with the VA by calling 1-800-827-1000. Veterans who suspect fraud can report it through VSAFE.gov or by calling 1-833-38V-SAFE.
Protect your digital life: See the current Lifelock identity theft plans and get your first year of the standard plan for just $7.99 per month.
The most common types of scams you should be aware of
Fraudsters are always upping their game, coming up with new and (their) fun ways to trick their targets. AI-powered scams are one example of this; technology is used to reach a large number of people with increasingly convincing techniques
But some tricks never go out of style. Most scams fall into a few common patterns, and many long-standing schemes are still a threat today. They have recently evolved to better fit today’s digital landscape
- Fraudster scams: Fraudsters often pose as trusted figures such as government agencies, banks, employers and even friends or family to pressure victims into sending money or sharing personal information.
- Phishing and fraud: These scams use emails, texts or phone calls that appear to be from legitimate organizations. The goal is to trick you into clicking a malicious link, downloading malware or providing sensitive information
- Online shopping scams: Fraudsters can create fake online stores or listings with hard-to-find items at unusually low prices. After paying for an article, what you end up getting may be fake – or it may never arrive in the first place
- Investment scams: This type of scam often comes with promises of high returns from crypto, forex or other “exclusive” opportunities. Many involve long-term make-up schemes where victims are encouraged to invest more money over time before losing it all
- Scams in love:Some scammers try to get into your pocket by heart. They build relationships with you on dating apps or social media, then convince you to give up money and assets by creating contingency or investment opportunities.
Plans for everyone: Explore Aura identity theft options for you and your family, starting at $9 per month when you pay annually.
What to do if you are a victim – or the victim of a scam
No one is immune to fraud or embezzlement, but a few consistent practices can reduce their risk and the damage they cause.
First, be suspicious of unsolicited messages, especially those that create fear or urgency. This may look like an email from your bank threatening to close your account, a text from an online marketplace saying you’ll lose your rebate or a call from the IRS saying they’ll report you to the authorities unless you “act now.”
Scammers like to use this type of language because it puts you in a position, which they expect will move you to action.
Always confirm any requests from the organization by checking their official phone numbers, email or website. And don’t click on any links, download email attachments or reply to messages you suspect are fraudulent. A legitimate organization will not pressure you into immediate action or secrecy
Now, if you’ve already sent financial information or money to someone you suspect is a scammer, you’ll need to take a few steps to protect your data and possibly get your money back. Contact your bank, credit card company or payment platform immediately and try to stop or reverse the transaction. Be sure to change any passwords and enable multi-factor authentication to protect your accounts as well.
Reporting a scam can also help protect others. You can file a report with the Federal Trade Commission and local authorities at the nearest police department or sheriff’s office. Victims of identity theft should also consider temporarily freezing their credit
Finally, review your financial statements and credit reports regularly, keep your software up to date and limit how much personal information you share online. Fraudsters often rely on publicly available information to make their schemes more believable
More from Mali
How to Protect Yourself from Card Skimmers at ATMs and Gas Pumps
The Best Tools for Identity Theft Protection
Best Credit Monitoring Services
