Stealing Me, The Most Personal of Crimes

All crime is personal, yet some crimes will affect the victim(s) more intimately than others.  I spent twenty-six years as an NCIS Special Agent investigating the varied harms that one person inflicts on another, or an organization, and the injuries impacting individuals were always the most devastating—identity theft among them.

There are many reports of data breaches where vast troves of client and customer information are stolen.  If you are one of the victims, like my wife and I were when the Chinese stole personal information from the Office of Personnel Management, it can be disturbing.  We felt violated.  Like other intimate and impacting crimes, identity theft leaves the victims struggling to recover.

Little can be as personal and detrimental to a person as having his or her identity stolen and then used against them.  Maybe you have received one of the scam telephone calls from a purported Microsoft technician telling you that your computer is vulnerable, and that if you work with him or her, the technician will secure your account.  Maybe you have received an email from a Nigerian prince who needs your help.  These are examples of well-known identity theft and fraud scams designed to steal somebody’s protected information for profit.  Losses from these scams are staggering.

According to the Bureau of Justice Statistics (BJS), identity theft includes three general types of incidents: unauthorized use or attempted use of an existing account, unauthorized use or attempted use of personal information to open a new account, and misuse of personal data for a fraudulent purpose. Simply put, identity theft is when a thief acquires your personal information and uses it.  Any personal information is useful to crooks.  Fraudsters use names, Social Security numbers, dates of birth, Medicare numbers, addresses, birth certificates, death certificates, passport numbers, and financial account numbers (e.g., bank account, credit card).

The Federal Trade Commission (FTC) states that identity theft complaints nearly doubled between 2010 and 2015.  The FTC’s Consumer Sentinel Network 2019, a database of consumer reports, says credit card fraud was the primary type of identity theft with over 157,000 consumer reports, and new accounts fraud was up 24% from the previous year.   

There are many ways criminals steal somebody’s identity.  Nontechnical methods include going through trash, burglaries that target credit cards, driver’s licenses, or mail, or shoulder surfing. Shoulder surfing is when somebody acquires your information in a public setting by eavesdropping.  I live in a rural setting on a private road and every spring as the weather improves, my neighbors and I begin to hear about thefts from mailboxes – we all have locked boxes now.

Technical methods include phishing schemes (among the most popular) to trick victims into revealing personal information, and pretexting, a form of social engineering where a person uses false pretenses (lies) to obtain your personal information.  Credit and debit card fraud is the leader in reports of identity theft.  I remember the first time identity thieves emptied my son’s bank account.  He was a teenager at the time, so I am not sure there was a lot to take, but it is very troubling to wake up and discover all your money is gone.  He learned that somebody used his debit card number to access and empty his account.  I taught him that a debit card is tied directly to his checking account, so once the card number is compromised, the crook is in his bank account.  Fortunately, his bank replaced his funds and I advised him to stop using a debit card.  He did not heed my advice to cut up his debit card, and the crooks tried to get him again.  Thankfully, he had taken my guidance to place alerts on his account, so he was notified when the thieves tried to access his account and the bank prevented the transaction.  My son asked me how he was going to get cash if he did not use his debit card.  I told him he could go to the bank and cash a check – he stared at me with a puzzled look.  I told this story to an audience of young people to whom I was giving a personal security awareness class, and they too looked at me puzzled when I mentioned a checkbook.  These crimes can be devastating, and while my son was young, the elderly are among the most targeted victims. They are ideal targets because they are vulnerable and tend to be more trusting.

What can you do to protect yourself?

  • Buy a shredder and shred sensitive papers such as receipts, credit card offers, expired credit cards, and bank statements before throwing them away. Your trash is an identity thief’s treasure.
  • Stop using debit cards and guard your credit card when used.
  • Cut up unused or rarely used cards.
  • Do not let anyone copy your aging parents’ driver’s license. Anyone doing this has instant access to their address and, from there, can get bank account numbers and personal data.
  • Get a locked mailbox or post office box.
  • Ensure that fraud alerts are set up with your bank and that you have fraud alerts established with the credit reporting companies.
    • How do I set a fraud alert?
      You can call any of the three credit bureaus to place a fraud alert:
      Equifax: +1 800 525-6285
      Experian: +1 888 397-3742
      TransUnion: +1 800 680-7289
  • Establish a credit freeze as this is one of the best ways to protect yourself.  A credit freeze on your credit report restricts access to your credit report, making it more difficult for identity thieves to open new accounts in your name.  Contact the three credit reporting bureaus to set up a credit freeze and consider these credit freeze FAQs.
  • Stay away from public Wi-Fi networks or hotspots like the ones in coffee shops, airports, and hotels.  They are convenient but often not secure and can be an easy way for criminals to steal personal information from your portable device. If you must share personal information online for transactions, make sure you are using a secure network.
  • Be cautious when giving out personal information over the phone. Identity thieves may call you, posing as somebody official. Do not give out personal information over the phone unless you initiated the call. Register your phone number with the National Do Not Call Registry to avoid all calls from telemarketers trying to get your information over the phone.
  • Protect your identity online and be wary of email scams. Be aware of any information that you, your friends, family, and organizations you are with post online. Any personally identifiable information about you online like date of birth or mother’s maiden name may be used for identity theft. Be aware of suspicious “phishing” email scams and never send information such as your Social Security number, credit card number, or user ID/password through an email.
  • Create unique passwords or PINs out of a random mix of letters and numbers. Generating unique passwords makes it harder for identity thieves to discover these codes and gain access to your personal information online.
  • Use the latest anti-virus software and keep it up to date on your computer and devices to help protect against harmful malware and viruses.

Identity theft scams are not limited to individuals; businesses are increasingly falling prey to business email compromise (BEC) scams.  The BEC scam is sophisticated and targets both companies and individuals who perform legitimate transfer-of-funds requests for businesses.  The scam is perpetrated when a fraudster compromises legitimate business or personal email accounts through social engineering or computer intrusion and then poses as someone within an organization, or as an influential external person, to obtain sensitive information and conduct unauthorized transfers of funds.  A senior corporate leader’s compromised identity is often used to send a targeted email requesting that another official within the organization make a wire transfer.  The FBI reports that between October 2013 and July 2019 domestic and international dollar losses exceeded US$26 billion.

What can companies do to protect against BEC scams? Education and awareness are the foundation of sound security prevention plans.  Among the things to include in training are:

  • Ensure the URL in emails is associated with the business it claims to be from.
  • Be alert to hyperlinks that may contain misspellings of the actual domain name.
  • Refrain from supplying login credentials or personally identifiable information (PII) in response to any emails.
  • Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender’s email address appears to match who it is coming from.
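
The checks in this list can also be automated at the mail gateway or in a reporting tool. The sketch below is an added example, not part of the original article: it compares the sender's domain and each link's host against the domains a business actually uses and flags near-miss spellings. The trusted list, the edit-distance threshold of 2, the two-label domain rule, and all function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

TRUSTED = {"example.com"}  # constructed: domains the business actually uses

def registrable(host):
    """Naive registrable domain: last two labels (production code needs the Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host, trusted=TRUSTED):
    """Return 'trusted', 'lookalike', 'embedded' or 'unknown' for a hostname."""
    dom = registrable(host)
    if dom in trusted:
        return "trusted"
    if any(edit_distance(dom, t) <= 2 for t in trusted):
        return "lookalike"  # misspelling of a trusted domain (assumed threshold: 2 edits)
    if any(t in host.lower() for t in trusted):
        return "embedded"   # trusted name used as a subdomain of some other domain
    return "unknown"

def review_message(sender, links, trusted=TRUSTED):
    """Classify the sender's domain and every link host in one message."""
    findings = {"sender": classify(sender.rsplit("@", 1)[-1], trusted)}
    for url in links:
        findings[url] = classify(urlsplit(url).hostname or "", trusted)
    return findings

# Constructed sample message, not taken from a real incident.
SAMPLE = review_message(
    "ceo@examp1e.com",
    ["https://portal.example.com/invoices",
     "https://example.com.payments-review.test/login",
     "https://exarnple.com/wire"],
)

if __name__ == "__main__":
    for item, verdict in SAMPLE.items():
        print(f"{verdict:10} {item}")
```

Anything other than "trusted" on a payment or credential request is a reason to confirm the request through a separately known phone number before acting.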

Remember, identity theft can happen anywhere and to anybody, even businesses. Fraudsters use phone, online, snail-mail, or in-person social engineering techniques to obtain sensitive information. Never give out personal information on the phone, over the internet or through the mail, unless you know the receiver and have initiated the contact.

There are steps you can take to protect yourself and minimize the risk of a crook stealing your information.  If, however, you become a victim of identity theft, the Identity Theft Resource Center can help with information and guide you through how to recover.

AT-RISK International threat managers and analysts provide tailored training and protective activities that will help you and your organization understand the threat of identity theft and protect you and your employees from becoming victims of these debilitating scams.  Please contact us if you wish to discuss your unique needs.