Letter from the Undersecretary
Dear Massachusetts Consumer,

This past month of October has been a busy one here at the Office of Consumer Affairs and Business Regulation (OCABR) as it was declared by Governor Charlie Baker as Cybersecurity Awareness Month. It is a mission of both mine and OCABR to inform and educate all Massachusetts consumers on the importance of cybersecurity and keeping yourself safe online. Our office worked closely with the Division of Banks (DOB) on weekly campaigns throughout this month to educate consumers on various methods of online protection. The grand finale of the month was the DOB Connects Monthly Webinar entitled, “Cybersecurity Awareness and Overview of Preventive Steps,” which I was honored to participate in as a guest speaker, along with our very own industry expert Holly Chase, DOB Director of Cyber/IT/Fintech.
The Federal Bureau of Investigation (FBI) has been quoted many times in stating, “There are only two types of companies: Those that have been hacked and those that will be hacked.” Every single one of us, as consumers, is susceptible to a breach of our own personal data. No company, or person, is immune to a cyber attack.
Cybersecurity conjures different meanings for different people and organizations. It is defined by individuals, small business owners, firms, service providers, and the government, based on their own needs for online protection. More often than not, cybersecurity is not a concern on the top of our minds as consumers. That is, until you receive a notification or letter in the mail from your bank or a company you shop at that you are a victim of a data breach.
People are continuously falling prey to online scams, mainly because people continue to believe they are not a target. The thing about online crimes is that they are scalable. The attacks are getting more sophisticated, and larger and larger, which means the odds of you becoming a victim are greater.
The more aware and proactive you are as a consumer at protecting your personal information online, the more likely you are to mitigate the negative impact on yourself or your finances, if your personal data is compromised. Taking simple preemptive steps and suggestions from industry experts like Holly Chase, who recommends frequently updating your passwords or using two-factor authentication when offered, can make all the difference in stopping hackers and fraudsters. Educate yourself on all the appropriate steps to protecting your personal data and online presence. Don’t waste any time; check out OCABR’s proactive tips to enhance your cybersecurity by clicking here.
“Do your part. #BeCybersmart!”
Sincerely,
Edward A. Palleschi
Undersecretary, Office of Consumer Affairs and Business Regulation
UMass Memorial Health Data Breach
A data breach is the unauthorized acquisition of personal information that creates a substantial risk of identity theft or fraud. The Massachusetts Data Breach Notification Law mandates that all data breaches involving Massachusetts residents be reported to the Office of Consumer Affairs and Business Regulation (OCABR).
In accordance with that law, OCABR was recently notified that UMass Memorial Health, a Worcester health care network, was hacked, exposing the personal information of 2,967 Massachusetts residents. The breach took place between June 24, 2020 and January 7, 2021. UMass Memorial Health notified patients earlier this month if their information was involved.
Affected patients may have had their driver’s license, financial accounts, and social security number exposed. However, some impacted patients only had their medical information involved, such as medical record number, health insurance information, and clinical or treatment information including dates of service, provider names, diagnoses, and/or procedure information.
If you were affected, you can call the hospital at 855-867-2673 for additional information. You will need to provide your engagement number, which is provided in the letter you received from the hospital.
As a precaution, review the statements you have received from your health insurer or healthcare provider. If you see any services that you did not receive, contact the insurer or healthcare provider immediately.
If you receive a phone call from someone saying they are from the hospital, do not give any personal information to the caller, as there is no way to verify that the caller is legitimate. Instead, call the number listed above and speak to a hospital representative.
Scam Alert: Fake Order Confirmation Messages
Everyone shops online these days, so it is not unusual to have order confirmation emails show up regularly in your inbox. The convenience and instant gratification of online shopping draws consumers in, sometimes leading to so many transactions that you lose track of purchases. Scammers are capitalizing on the e-commerce trend by sending order confirmation scam messages to consumers. The goal of an order confirmation scam is to gain access to the victim’s personal information or install software intentionally designed to cause damage to your computer, server, or network.
Fraudsters send their target messages pretending to be from a retailer, with a link to provide personal information and confirm the deal or shipment. These “fake order confirmation” texts or emails often appear to come from stores you made purchases at before—like Amazon, Walmart, or Target.
The United States Census Bureau reports that online shopping is on the rise with a projected total of over $905 billion in expected retail e-commerce in 2021. In order to keep consumers up-to-date with today’s shopping trend, the Office of Consumer Affairs and Business Regulation put together a list of warning signs to look out for if a suspicious online shopping message lands in your inbox.
- Check your purchase history. If you’ve recently shopped online and are awaiting delivery, log in to the website you used to place your order, or contact the retailer using a verified method of communication to confirm any necessary information to receive your package.
- Review the message for grammatical or spelling errors. Official order confirmation messages for legitimate purchases will not contain grammatical or spelling errors. These errors often are found in the website URL or email address.
- Click to reveal the sender’s full email address. Most email programs have a small arrow located close to the name that reveals the full email address. Beware of messages coming from personal email services like Gmail or Hotmail, and suspicious domains like order@amazonhelp.art.
- Crosscheck phone numbers included within messages. If you are wary of a confirmation message, visit the merchant’s website and search for the contact information to compare against what was provided. Do not call any numbers that you do not know.
Never engage with the fraudster using the phone number given. Do not reply to the email or click on any links within the scam message.
To report fake order confirmation messages to the Federal Trade Commission (FTC), call 1-877-382-4357 or complete their complaint form at: http://reportfraud.ftc.gov. You may also report these fraudulent messages to the Federal Communications Commission (FCC) by calling 1-888-225-5322.
Identify Legitimate Government Websites
Connecting with local, state, or federal government entities can usually be done with a few clicks online. Although convenient, this ease of connection also opens consumers up to fraud, specifically government imposter scams. In 2020, the Federal Trade Commission (FTC) received nearly 1.4 million reports of identity theft. Of the identity theft reports received in 2020, over 406,000 came from people reporting their information was misused to apply for government documents or benefits.
Most government agencies have websites to help citizens renew or apply for government issued documents. Third-party vendors also offer “runner” services to complete document applications, registrations, or renewals. While these companies may be legitimate, they usually charge high fees to complete the process.
The Office of Consumer Affairs and Business Regulation compiled the below tips to assist consumers in identifying secure government websites:
- Check the URL address. A website URL can often tell you several things about the website, including the site owner/creator. Review the domain name (after the www.); this is considered the site’s proper name and should include a recognizable government-associated suffix at the end. The most common government domain suffixes are ‘.gov’ or ‘.us’. For example, the domain for the Commonwealth is www.Mass.Gov.
- Utilize USA.gov. USA.gov is the web portal and search engine of the United States Federal Government. Websites and phone numbers included here are official government resources.
- Read the fine print. Third party vendor websites will include a disclaimer in small print stating that they are providing a service and not affiliated with any government entity.
- Beware of discounts. Law, regulation, or statute often determines registration, renewal, license, or other applicable fees for government issued documents. Websites claiming to offer deals on these fees may be scams. Contact the agency you are doing business with using a verified phone number or email address to confirm the discount before providing any personal information.
If you have reason to believe you are the victim of a government imposter scam, visit the Office of Consumer Affairs’ identity theft resources, including the consumer’s checklist for handling identity theft.
Get the 411 on Robocalls
If you answer the phone and hear a recorded message instead of a live person, it's a robocall. If you’re getting a lot of robocalls attempting to sell you something, odds are the calls are illegal. Many have a high probability of being organized scams. According to YouMail, over 4 billion robocalls were placed in September nationwide, with more than 35 million of those calls occurring in Massachusetts alone. Not only can these calls be frustrating, but in some circumstances, illegal robocalls can be dangerous. In 2019, a Cambridge resident fell victim to a scam call that almost cost her $95,000, while another Massachusetts consumer and victim fell into a trap that caused them to wire $17,000 to a fraudulent company, before getting suspicious, and reporting the incident.
These alarming statistics and victim reports stress the importance of understanding the differences between legal and illegal robocalls. Generally, it is illegal for a company to call you and try to sell something, unless you gave the company written permission to contact you in such a manner. Furthermore, the company must explicitly ask to contact you via robocalls. It is worth noting that political campaign robocalls are legal and exempt from the state’s Do Not Call Registry.
Read the information below from the Office of Consumer Affairs and Business Regulation to get the 411 on robocall and scam call prevention.
- Never answer calls from unknown numbers. If you do answer and recognize that it is an illegal robocall, hang up immediately.
- Beware of spoofing. Scammers will often call from what appears to be a local number to trick you into answering. This is called “spoofing” – even if the number seems familiar, do not pick up. The Federal Communications Commission (FCC) enacted STIR/SHAKEN protocols in an effort to reduce the number and frequency of spoofed calls.
- Do not enter any solicited information or engage with robocalls. If you answer the phone and the caller or recording asks you to enter a number prompt to stop receiving calls, hang up. Scammers may use this tactic to identify potential targets.
- Do not respond to any questions. Especially those seeking personal identifying information.
- Call verifiable numbers of robocallers claiming to be from well-known companies or agencies. If you receive a call from an individual claiming to represent a company or a government agency, hang up and call back using a verifiable phone number.
- Contact your phone/cellular service provider about available call-blocking tools. Some companies offer automatic call labeling and will mark certain numbers as “scam” or “scam likely” to assist you in filtering unwanted calls.
The Office of Consumer Affairs and Business Regulation oversees and maintains the state’s Do Not Call Registry. Registration on the Do Not Call List blocks legitimate telemarketing calls. However, scammers and bad actors not adhering to the law may still attempt to contact you regardless of your Do Not Call registration status.
OCABR Licensee Recognized:

Pictured left to right: Ray Murphy, Undersecretary Edward Palleschi, Beth Lindstrom, Dominik Lay of State Senator Edward Kennedy’s Office, and Andrew Shepherd of State Representative Sheila Harrington’s Office.
Earlier this month, Undersecretary Palleschi spent a nice Fall afternoon with the staff, friends, and family of former Massachusetts Office of Consumer Affairs & Business Regulation Director, Beth Lindstrom and husband Ray Murphy, co-owners of Body Mind Spirit Salon and Day Spa in Groton, MA to present Body Mind Spirit with OCABR’s Licensee Recognition Program’s Certificate of Appreciation for their outstanding service and high business standards.
#ConsumerTip
The U.S. Post Office (USPS) has tweaked its delivery standards. Local mail will still take two days, but mail traveling farther could take one or two days longer than the previous three-day guarantee, the USPS said in a statement.
Date published: October 29, 2021