Trouble from the Toy Box: Will that “Smart” Holiday Gift for the Grandkids be a Spy for Hackers?


If so-called “smart toys” are on the holiday wish list of the children in your life, know this: The FBI warns that such interactive, Internet-connected gifts could be compromised by cyber hackers – and advises that security precautions be taken before playtime begins.

Although the agency doesn’t identify specific risky products, “these toys typically contain sensors, microphones, cameras, data storage components, and other multimedia capabilities – including speech recognition and GPS options,” notes the FBI. “These features could put the privacy and safety of children at risk due to the large amount of personal information that may be unwittingly disclosed.” They include dolls, stuffed animals, card packs, wrist bands and other playthings typically connected to the Internet, either directly through Wi-Fi or indirectly via Bluetooth to a smartphone (which, in turn, is connected to the Internet).

Among the concerns: Many smart toys, often intended to promote learning, have microphones that “could record and collect conversations within earshot of the device,” says the agency – including ID theft-worthy details such as the child’s name, address and birthdate. (Meanwhile, such details may be provided or required when creating user accounts.)

“In addition, companies collect large amounts of additional data, such as voice messages, conversation recordings, past and real-time physical locations, Internet use history, and Internet addresses/IPs,” says the agency. “The exposure of such information could create opportunities for child identity fraud. Additionally, the potential misuse of sensitive data such as GPS location information, visual identifiers from pictures or videos, and known interests to garner trust from a child could present exploitation risks.”

Some smart toys have already come under fire. Earlier this year, an Internet-connected doll called “My Friend Cayla,” with an internal microphone, was banned in Germany. Meanwhile, an Australian security researcher reports that more than 2 million voice recordings were exposed via “Cloud Pets,” stuffed animals that allow parents and children to exchange voice messages. And last December, smart toy manufacturer V-Tech acknowledged that close to 5 million customer accounts were hacked via smart toys “Learning Lodge” and “Kid Connect,” allowing hackers to access children’s names, addresses, birthdates, chat histories and photos.

In addition to microphones, recording devices, cameras and GPS capability, other risks in Internet-connected smart toys include features such as speech recognition technology, speakers, and/or wireless transmitters and receivers. Also be mindful (and cautious) with products that request names, addresses, and other personal information when you register; have cloud connection capability (and remain connected to the cloud when the toy is turned off); and/or don’t include an End User License Agreement or identify its cloud storage provider.

As with other risk-posing “smart” devices in your home, here’s how to be smart with these high-tech toys:

  • Before buying, research the product for any reported security issues. Also look for certification or verification by members of the COPPA Safe Harbor Program (for Children’s Online Privacy Protection Act), an FTC-affiliated group.
  • Read the company’s privacy policy and user agreement. Find out where user data is stored (with the company, third party services or both), and research their reputations, especially with regard to cyber security.
  • Determine how (or if) you would be notified about a possible data breach or if vulnerabilities in the toy are discovered.
  • Only connect and use the toy on a trusted and secure internet connection – not on public Wi-Fi.
  • Use a strong and unique PIN or password when connecting to a Bluetooth device. If the product comes with a default password, change it.
  • Use encryption when transmitting data from the toy.
  • If the toy can receive software updates and security patches, ensure it is using the most updated version.
  • Make sure the toy is turned off when not in use, especially if the toys use microphones and cameras.
  • Be stingy with personal information when setting up user accounts. A teddy bear really doesn’t need to know your child’s last name, address or birthdate. Also teach young’uns to not “overshare” personal details when playing with or near the toy.
  • Turn the toy off when your children are not using it, especially if it has a camera and/or microphone.

For information about other scams, sign up for the Fraud Watch Network. You’ll receive free email alerts with tips and resources to help you spot and avoid identity theft and fraud, and keep tabs on scams and law enforcement alerts in your area at our Scam-Tracking Map.


Mother’s Day Scams: Top Tricks to Dupe You (and Mom)


To that most special woman in our lives we eagerly pay tribute on Mother’s Day. And for next Sunday’s tributes, we’ll pay a record-breaking $23.6 billion – a $2 billion uptick over last year and some $9 billion more than spent on Father’s Day.

The coming days are prime time for crooks to cash in on the mother of all spring celebrations. Beware of these common Mother’s Day cons (and expect a slight tweaking in similar scams for upcoming Dad’s Day and graduations):

Floral fleecing. At least $2 billion is spent on Mother’s Day flowers. Scammers angle for their cut by posing as online florists: In emails, online ads and social media, they promise bargain-priced bouquets, “free” vouchers and overly generous coupons. Don’t be fooled: Most lead to scammer-run websites to collect (your and Mom’s) personal information and your credit card account. Some also deliver malware.

Find reputable local florists (close to Mom) through word-of-mouth or via directories from Teleflora and FTD. Online, look for proof the website is secure – including an “https” opening on pages that require personal and financial information. When calling, ask about tack-on charges and insist on guaranteed refunds for missed or late delivery or if flowers come in poor condition.

Other gift grift. The latest Mother’s Day gift scam making the rounds on Facebook alleges to be a $50 coupon from Lowe’s. If Mom’s wish list leans more toward jewelry, designer clothing or the like, the same flower-wise rules apply: Those insanely discounted online deals for brand-name bounty often lead to copycat websites that capitalize on high-priced and respected names, but sell cheap counterfeits…if anything at all. Like phony florists, many are also fraudster-run fronts phishing for personal and financial information.

To spot trouble before it can happen, very carefully read website addresses before visiting – and especially before “buying” there. Look for extra or missing letters (like or even punctuation (such as, a now-defunct website previously exposed by Scam Alert whose .mn ending meant it was a Mongolia-registered website). Before clicking, hover your computer mouse over the link to see its “real” address; avoid those that wildly deviate from the legit company name. If that doesn’t work, copy-and-paste the link into a Word document, then right-click on the pasted link and select “Edit Hyperlink” from the menu for a pop-up window that should display, in the “Address” field, the web address to which the link directs. When buying jewelry in-store, know what you’re buying with this advice from the FTC and how to spot fake appraisals.

Greetings gotchas. Fake notifications for electronic greeting cards are a common way to spread malware to the computers of mothers (and others) so scammers get remote access to files, passwords and online financial accounts. Scammers trick their prey with emails that promise an awaiting greeting card, usually from a bogus “sender” with a supposed title like “” or touting a generic heading such as “Happy Mother’s Day from Your Loving Son/Daughter.” But even if a specific name is used (namely, yours), it could have been gleaned from online directories or social media.

So, instruct would-be recipients to not open greeting cards via links in emails. Legitimate notices will include a confirmation code that should be entered at the card company’s website, such as Hallmark or American Greetings, for malware-free viewing. If there’s no card waiting for you, the email Mom got was sent by a scammer.

Courier cons. Another way to spread malware: Bogus shipping emails claiming to be from retailers or services such as FedEx, UPS or the U.S. Postal Service that claim a supposed scheduled delivery, tracking update, or shipment snafu – with a link promising details. Unless you or recipients already provided the courier with an email address, assume these are scams. If you signed up for tracking updates, expect them to be in text form, not with links promising details.

Also beware of mailed postcards about “undeliverable” packages. Although less used because of required postage, they’re sometimes an attempt to get you to make an expensive overseas phone call – most commonly used area codes include 809, 876 and 284 – or to reveal personal and financial information. And if someone shows up at Mom’s doorstep with a package and request for payment, no matter how small, know this ruse: The deliveryman claims he can’t accept cash – only a credit card, and it’s a scheme that can run up unauthorized charges on the provided plastic. Besides, what self-respecting offspring would send Mom a gift by cash on delivery (COD)?

Gift card scams. Whenever choosing that most requested present of all – gift cards – choose wisely: In-store, thieves can remove gift cards from end-cap racks, copy codes with portable scanners or pen and paper, and then dial toll-free numbers listed on gift cards to learn when those cards were activated and their value for online spending or to clone cards for in-store use. The safer move: Purchase gift cards directly from a store cashier, customer service counter or the company’s website. And make sure the cashier scans and activates the card in your presence and that you get a receipt in case there’s a problem.

Online, buy directly from websites of retailers, restaurants or Groupon, or through gift-card exchanges such as, and, which buy unused cards at a discount of their face value and resell them at a profit but at a still-reduced price. Avoid low-ball offers on Craigslist or auction websites like eBay, where buyers may purchase already-redeemed gift cards or pay for cards that are never delivered.

