The Hamburglar is loose on the McDonald's App
By in

The Hamburglar is loose on the McDonald's App

I’m not sure if you’ve noticed but McDonald’s has been doing a lot to modernize their restaurants, including big touch screen kiosks to take orders as well as being able to order and pay for food on a mobile app. But, as you may have guessed, where there’s technology and money involved, there’s sure to be criminal activity.

The so-called “Hamburglar” is at large, hacking customers’ McDonald’s app accounts and ordering food on their dime. Since February over 20 people have reported that fraudsters, we’ll call them “Hamburglars” somehow infiltrated their McDonald’s phone app which was linked to their debit or credit card — and ordered meals for pickup. In one case, more than $2,000 worth of meals was ordered in one day at different McDonald’s restaurants!

But, here’s the problem. When the victims reported the problem to McDonald’s, the fast food retailer acknowledged that there was a problem but downplayed it as a glitch in the system and assured the victims personal information is secure, but just to be safe, that they should change the password on any site that uses the same password as the McDonald’s app. Suspicious, right?
Unfortunately, McDonald’s isn’t issuing refunds, claiming that there’s a middleman processing the payments and that it’s not them and to instead the victims have to take it up with their bank. Victims have reported trying to do this, they’ve reported that it’s a hassle and in some cases they weren’t able to get their money back at all!

The Takeaway

Based on the way McDonald’s is handling this situation, completely disregarding any security problems with their system, making victims take up their problem with their bank, and seeing how obvious it is that that there’s an issue with their App, I’m going to give the McDonald’s app a solid D- score. I wouldn’t recommend using it until they figure this out.

Stay safe out there.

Alert: Phishing scam imitating state agency sent to local businesses
By in

Alert: Phishing scam imitating state agency sent to local businesses

Governer David Ige and the department of commerce and consumer affairs issued an urgent alert to local businesses last week regarding criminals targeting Hawaii businesses with a dangerous phishing scam that could potentially capture and hold a business hostage with ransomware. The Office of Consumer Protection (OCP) has received numerous reports of local businesses receiving emails purportedly coming from the Department of Commerce and Consumer Affairs (DCCA) and OCP. These emails commonly referred to as “email phishing scams” are fraudulent and are an attempt to illegally obtain private information and to place malware on the businesses’ computers.

The fraudulent email attempts to deceive consumers through the inclusion of a DCCA letterhead and uses a spoofed sender email of “” The phishing correspondence is as follows:

Dear Business Owner:

We are formally notifying you of a claim submitted against your company with the Office of Consumer Protection.

Your company has a rebuttal period of 7 business days from the receipt of this notice, to respond to the claim. The response must contain a final rebuttal and be no more than 5 pages in totality.

The full compliant [sic] filed as well as the response form and instructions for submitting your response have been attached to this email. Due to the privacy of the claim the file is password protected.

The password is located below. You can download the file at the link below.

Complaint Notification: Click to Download

Password: 56673637

Your reply must be sent to us as instructed within the reply form. If we have not received notification from you within the allotted time the claim will awarded to the party filing the claim and they may take further action if they choose to do so, depending on the severity of the claim.

Waiting for your reply,

Office of Consumer Protection

Anyone receiving this email should not click any links associated with it nor download any attachments. Neither the Department of Commerce and Consumer Affairs nor the Office of Consumer Protection has anything to do with this email. The Office of Consumer Protection never requests a business to download a password protected file through a link, like the one referenced in the email.

Scammers use email or text messages to trick you into giving them your personal information. They may try to steal your passwords, account numbers, or Social Security numbers. If they get that information, they could gain access to your email, bank, or other accounts. Scammers launch thousands of phishing attacks like these every day—and they’re often successful.

The Takeaway

Do not click on any links listed in the email message, and do not open any attachments contained in a suspicious email.

Do not enter personal information in a pop-up screen. Legitimate companies, agencies, and organizations don’t ask for personal information via pop-up screens.

Install a phishing filter on your email application and also on your web browser. These filters will not keep out all phishing messages, but they will reduce the number of phishing attempts.

If you aren’t 100 percent certain of the sender’s authenticity, don’t click on attachments or embedded links; both are likely to result in malware being installed. Instead, open a new browser window and type the URL directly into the address bar. Often a phishing website will look identical to the original, so check the address bar to confirm the address.

Similarly, never submit confidential information via forms embedded in or attached to email messages. Senders are often able to track all of the information you enter.

Be wary of emails asking for financial information. Emails reminding you to update your account, requesting you to send a wire transfer, or alerting you about a failed transaction are compelling. However, scammers count on the urgency of the message to blind you to the potential for fraud.

Don’t fall for scare tactics. Phishers often try to pressure you into providing sensitive information by threatening to disable an account or delay services until you update certain information. Contact the merchant directly to confirm the authenticity of the request.

Be suspicious of social media invitations from people you don’t know. Phishers rely on your natural curiosity to click on the person’s profile “just to find out who it is.” However, in a phishing email, every link can trigger malware, including links that appear to be images or even legal boilerplate; scammers use your hijacked account to send spam to your friends, because spam from real accounts is more believable than spam from a fake account.

Watch out for generic-looking requests for information. Many phishing emails begin with “Dear Sir/Madam.” Some come from a bank with which you don’t even have an account.

Ignore emails with typos and misspellings. Recent real examples targeting TurboTax include ”Your Change Request is Completeed” and “User Peofile Updates!!!”

Update and maintain effective software to combat phishing. Reliable anti-virus software should also automatically detect and block fake websites, as well as authenticating the major legitimate banking and shopping sites.

Stay safe out there.

New $75 Costco cash card scam
By in

New $75 Costco cash card scam

The Costco Cash Card scam is back. Don’t fall for it!

If something on social media sounds too good to be true, then it may just be a scam. Costco is warning consumers that a $75 coupon being shared on Facebook is actually a hoax. The company is not giving away coupons for purchases at its stores after graphics of fake coupons purporting to be honoring Costco’s 50th anniversary started circulated on Facebook earlier this month.

The hoax resurfaced this month after occurring around the same time last year. The company posted an almost identical message on Facebook in November of 2018 saying it was not giving away $75 coupons and that it was not celebrating its 50th anniversary.

The coupons prompt users to click on a link that will supposedly allow them to collect a $75 deal. The links, which are visible under various URLs, are not affiliated with Costco.

Users are also asked to input information like their name, email address, birthday and phone number as well as fill out a series of surveys.

Some of the coupons also have red flags like grammatical and spelling errors, including “Coupon” being capitalized and ad copy that reads “for it’s anniversary” instead of “for its anniversary.” Spelling and grammatical errors in the advertisements and poor quality images are usually signs of scams. The link also has copy at the bottom that states it has nothing to do with Costco.

Stay safe out there.