Identity theft is a fancy word to describe impersonation. The theft occurs when someone is able to get hold of sufficient information about you to allow them, in effect, to become you or impersonate you. This can happen both online and off the internet. We’re going to focus on online ID theft risks and ways of managing those risks here, as it is the preferred method for criminals, given the vast amounts of personal information floating around on internet platforms.
There are several reasons why people may want to assume somebody else’s identity. Here are a few.
- For financial gain
- For personal gain
- To commit a crime
- To defraud you of your assets
For financial gain
This one is easy to understand. Put yourself in the ID thief’s shoes for a minute. If you wanted to apply for a credit card or, better still, a store card, you could use the stolen identity along with the stolen date of birth, address details, full name and telephone number on the application to order a new card and have it delivered to a different address or a PO box address.
In the case of a store card, you are, in most cases, given a temporary card that you can immediately start using to make purchases without having to wait for the proper card. The ID thief obviously has no intention of paying back any of the money that is spent on the card in your name or your children’s name. By the time you find out about the financial fraud being committed, it is usually too late.
For personal gain
In the same vein, the ID thief could order a whole host of things other than a credit card. For example, they could easily order a mobile phone contract in your name along with all the bells and whistles with a quarterly billing cycle. They can have the SIM card and the mobile device delivered to a different address to yours and fully consume the service for months.
By the time you find out about it, most likely as a result of having received a bill from the mobile operator, it’s too late. Or they could equally get a car loan with 0% deposit in your name or your child’s name and drive away with a brand-new car and you will be none the wiser until you get a bill in the next quarter.
Even riskier are those who pay the bills on time and continue to use their ill-gotten goods, such as a car or mobile phone contract in somebody else’s name, for years without raising any alarms. The only way you are going to find out about it is if you make an application for a loan or apply for a new bank account or a new credit card or any other service that relies on a credit check to determine your creditworthiness.
To commit a crime
Financial fraud, believe it or not, is not the scariest thing or the most serious thing about identity theft. It is the possibility that someone might commit a crime using your, or your children’s identity. Criminals used to assume false and made-up identities but the simplicity with which identities can now be stolen online is changing all this. Criminals much prefer to use a real identity, one that is not associated with them personally.
To defraud you of your assets (or your children’s assets):
We’re not talking about tangible assets here but those that are almost invisible but are assets nonetheless. For example, your tax file and history with the HMRC, your driving license history and your driving record, or your PIN numbers. Think about the scenarios that could play out if the imposter were to get hold of your details to pick up a job using your tax ID (for example, your national insurance number).
They’ll happily collect their pay check and leave you to sort out the tax liability. The asset that gets damaged in this case is your record with the HMRC. Equally, if the ID thief were to contact your institutions using your details (for example, your college, your bank, your employer, your online service providers) to report a loss of your PIN numbers or feign forgetfulness and request a new set of PIN numbers or request a reset of your passwords, imagine what they could get their hands on.
Or imagine if the ID thief were successful in applying for a student loan in your children’s name and got their hands on the maintenance part of the loan, which is there to help cover living costs, such as accommodation, food, and so on. The maximum maintenance loan students can get this year (2019/20) is £8,944, and that figure is big enough to entice a criminal who can leverage identity theft to get their hands on that money before your children do.
What you should avoid, and recommend that your children avoid doing online
Avoid: Knee jerk reactions to emails or ads that promise something for nothing (Greed)
Avoid: Knee jerk reactions to emails or ads that are designed to scare you (Fear)
Avoid: Connecting to unsecure and unknown networks – both wired and wifi
Avoid: Giving away the 3 key pieces of information required for identity theft in any one transaction (your full name, your date of birth, and your full address), especially if they are surveys
Avoid: Using your biometric data, such as your fingerprints or your facial map, to login to online services, unless absolutely necessary
Avoid: Using password reminders that make it easy to guess your password
Avoid: The prioritisation of convenience over privacy and data security
Avoid: Giving away your personally identifiable information and sensitive information, unless absolutely necessary
To access your downloads, handouts, posters and quick reference guides, and services, please go to the member benefits page. You also have access to ProParent Technical Support from the member benefits page.
How do Identity thefts happen?
There are usually three ways in which identity theft is initiated.
We’ll look at a few examples for all three. These are equally effective offline but they do take on a new sense of urgency and scale when executed online.
Don’t respond to that survey which promises to give away a free holiday or a free car
You might wonder why innocent sounding surveys do start off with easy questions about the product or service and then move into questions such as your income range, education level and marital status. What’s that got to do with the product or service? The answer may be the harvesting and widespread processing of Personal Data. Not just any personal data but one that can be sold and resold on the internet.
We collect personally identifiable information from participants, including, without limitation, during participation in a survey and in connection with the receipt and redemption of rewards. You will be asked to provide certain personally identifiable and demographic information including, without limitation, your name, addresses, telephone numbers, email addresses, date of birth, and occupation, your education, and racial and gender information.
In addition, you may be asked to voluntarily provide or disclose Sensitive Data. Sensitive Data means personally identifiable information that discloses or reveals health and medical conditions, sexual orientation or sexual life, political opinions/views, race/ethnic origin, religious and philosophical beliefs and trade-union membership.
Do you think they are solely interested in your opinions? Or are they after your personal information that can be sold and resold on the internet to data brokers? Think carefully about participating in surveys that promise you gift vouchers or money, and do educate your children about these risks.
If you do want to indulge in surveys despite the risks, ensure that you are not inadvertently giving away the three key pieces of information that could facilitate identity theft – your full name, your full address and your date of birth.
Would you like some cashback? Just give us your life history and we’ll give you a £20 voucher to spend at your local chippy
It’s very easy to get tempted by cashback offers. The most important thing to consider is the nature of the bargain i.e. what are you giving away to get a bit of cashback?
Let’s have a look at the following excerpt from a popular UK based cashback site.
We collect, use, store and transfer different kinds of personal data about you as follows:
.. data you provide concerning a purchase made from a retailer as part of the process of raising and processing a cashback claim on your behalf.
postcode, address, email address and telephone numbers.
bank account, PayPal account and payment card details.
first name, last name, username, date of birth, gender.
your username and password, purchases or orders made by you
cashback allocated to you, your interests, preferences, feedback, reviews and survey responses.
your IP address, your login data, browser type and version
your time zone setting and location, browser plug-in types and versions your operating system and platform and other technology on the devices you use to access <cashback website>.
information about how you use <cashback website> and about the websites that you accessed prior to accessing <cashback website>.
Of particular interest to an identity thief are your date of birth and your full name and address; however, all the terms in bold above will also be equally valuable.
How about a $1 million straight to your bank account?
These ‘requests for help’ usually arrive in the form of an email or through social media.
You’ll notice that it’s often a long-winded sad story about someone trying to transfer money out of their country and why they can’t do it without your help. All you have to do is quickly give away your sort code, account number, your address, your full name and of course your date of birth and telephone number, to be able to claim a share of the bounty for helping out.
Even though the stories presented in these emails and social media posts are demonstrably ridiculous, people still fall for it and end up giving away their personal details. Some of the crafty scammers will even ask you to pay a small amount of money upfront before they let you have access to a share of the bounty.
There is no bounty. There is no million dollars. No prince. No exiled politician. No oil baron. All of those hooks are designed to scam you.
Just to put this particular scam into context, the Australian Competition and Consumer Commission reports that in 2019, at the time of writing this, there were a total of 176 incidents with 19.3% of those reporting a financial loss. The total recorded financial loss for 2019 so far is $199,563, and that’s just in Australia.
The biggest worry here is not so much the financial loss, but identity theft, which allows these scammers to rinse and repeat the financial fraud several times over.
Fear is a popular lever for ID thieves wanting to steal personal and financial data. We all react immediately, and often without thinking through the consequences, when we feel anxious, worried or under pressure and ID thieves love to put you under pressure.
Here are a few examples of what is known as phishing, which involves the stealing of data, personal information and often money.
Oxford English dictionary’s definition of phishing.
Phishing: the activity of tricking people by getting them to give their identity, bank account numbers, etc. over the Internet or by email, and then using these to steal money from them
Let’s take a look at a few examples.
Your email account is hacked, give us your money and we’ll restore it
This one usually arrives as an email, and often your email provider will have successfully flagged this as a spam/junk message. But that doesn’t stop people from falling victim to ID theft and financial loss. Have a read of the message below and see if you can pick out the fear triggers in there.
Hi, this account is now hacked! Change your password this time!
You might not know anything about me and you really are definitely wondering for what reason you're receiving this particular electronic message, is it right?
I'm hacker who cracked your email and OS some time ago.
You should not attempt to msg me or alternatively find me, it is definitely hopeless, since I forwarded you an email from YOUR own hacked account.
I have created malware soft to the adult vids (porno) site and suppose that you enjoyed this website to enjoy it (you know what I want to say).
Whilst you have been attention to vids, your browser began to act like a RDP (Remote Control) that have a keylogger which granted me ability to access your monitor and network camera.
Then, my software programgoall data.
You have put passwords on the web-sites you visited, and I intercepted them. Surely, you are able modify them, or already changed them.
However it doesn't matter, my program updates it regularly.
And what did I do?
I generated a backup of every your system. Of all the files and personal contacts. I got a dual-screen record. The 1st screen reveals the clip you had been watching (you have got the perfect taste, wow…), and the second screen presents the movie from your own webcam.
What exactly must you do?
Clearly, in my opinion, 1000 USD is basically a good price for this very little riddle. You will make your deposit by bitcoins (if you don't recognize this, search "how to buy bitcoin" in any search engine).
My bitcoin wallet address:......
(It is cAsE sensitive, so copy and paste it).
You will have 48 hours to send the payment. (I built in a unique pixel to this email, and at this point I know you've read through this email).
To track the reading of a message and the activity in it, I installed a Facebook pixel. Thanks to them. (Anything that can be used for the authorities might actually help us.)
In the event I do not get bitcoins, I shall undoubtedly send your video to each of your contacts, along with relatives, colleagues, etcetera?
Looking beyond the atrocious grammar and composition of this message, you can see that the ID thief/scammer is trying to scare you into thinking that your email account was hacked and that you should be worried because it looks like this email was sent from your own email address.
This is known as spoofing. Here’s how Oxford English dictionary defines it.
Spoofing: the practice of sending emails that appear to come from somebody else's email address
It’s not too difficult to spoof email addresses and make them look like they are coming from a particular email address. There are ways of checking and verifying the real source in most cases by investigating the headers of your email message, which should reveal a whole host of information about the origin of the message and the likely route it took to arrive in your inbox.
In this example, the scammer is hoping to play on people’s fears associated with their web browsing habits, real or otherwise, to get them to part with their money. Note also how the ID thief is trying to build a sense of urgency by putting a 48 hour deadline for the payment.
And guess what, some people do part with their money and personal data, regardless of whether they were involved in the kinds of things that the scammer is alluding to.
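One way to carry out the header check described above, as an added example that is not part of the original article: the Python code below reads a message's headers and lists the signs that the visible From address was spoofed. Both sample messages, the example.org and example.net addresses and the `mx.example.org` mail server name are constructed for illustration, and the function names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a message that claims to come from the recipient's own address.
# The second Authentication-Results header was supplied by the sender, not by our server.
SAMPLE_SPOOFED = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.org;
\tspf=softfail smtp.mailfrom=mailer.example.net;
\tdkim=none;
\tdmarc=fail header.from=example.org
Authentication-Results: sender.invalid; spf=pass; dkim=pass; dmarc=pass
From: "alice@example.org" <alice@example.org>
To: alice@example.org
Subject: this account is now hacked!

Hi, this account is now hacked!
"""

# Constructed sample: an ordinary message that passed every check.
SAMPLE_GENUINE = """\
Return-Path: <alice@example.org>
Authentication-Results: mx.example.org;
\tspf=pass smtp.mailfrom=example.org;
\tdkim=pass header.d=example.org;
\tdmarc=pass header.from=example.org
From: Alice <alice@example.org>
To: bob@example.org
Subject: lunch

See you at noon.
"""

def domain_of(header_value):
    """Return the lower-case domain of the address in a header, or ''."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def auth_results(msg, trusted_authserv):
    """Collect SPF/DKIM/DMARC verdicts, but only from headers written by
    our own receiving server; anyone can add a header that says 'pass'."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        parts = [p.strip() for p in " ".join(str(value).split()).split(";")]
        head = parts[0].split()
        if not head or head[0].lower() != trusted_authserv.lower():
            continue
        for part in parts[1:]:
            m = re.match(r"(spf|dkim|dmarc)\s*=\s*(\w+)", part, re.I)
            if m:  # the topmost trusted header is the most recent one, so it wins
                results.setdefault(m.group(1).lower(), m.group(2).lower())
    return results

def spoofing_signals(raw_message, trusted_authserv):
    """List the reasons to distrust the visible From address (empty if none)."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg.get("From", ""))
    return_dom = domain_of(msg.get("Return-Path", ""))
    signals = []
    if from_dom and return_dom and from_dom != return_dom:
        signals.append(f"envelope sender domain {return_dom} differs from From domain {from_dom}")
    results = auth_results(msg, trusted_authserv)
    for method in ("spf", "dkim", "dmarc"):
        verdict = results.get(method, "missing")
        if verdict != "pass":
            signals.append(f"{method}={verdict}")
    return signals

if __name__ == "__main__":
    for name, raw in (("spoofed", SAMPLE_SPOOFED), ("genuine", SAMPLE_GENUINE)):
        print(name, spoofing_signals(raw, "mx.example.org"))
```

A differing envelope sender on its own is common for legitimate newsletters and mailing services, so treat it as a reason to look closer; a DMARC failure recorded by your own mail provider is the stronger sign.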
Important Notification from your bank
Another common phishing exercise which happens over email is related to your banking habits. It’s easy to get your attention when the email appears to be communicating matters related to your bank account, and that’s precisely what the ID thieves are hoping for.
Let’s take a look at this email, which appears to come from the banking institution MBNA Europe.
Dear <your email address>,
We discovered an unknown activity on your MBNA Card.
For your protection, We require you to verify your account as the primary owner before you can continue using your card.
We will review the activity on your account and remove any restrictions placed on your account
Please kindly review your account by following the reference link below :
Please do not reply to this message. For questions, We will contact you as soon as possible.
MBNA Europe Limited.
The scammers are trying to get you to click on the link provided in the email, which you must not do, as banks rarely ever send out emails like that. In most cases, you will end up installing malicious software on your computer by clicking on spoofed links within such emails. They are designed to steal your data and your personal information.
If they are not installing malicious software on your computer, clicking on the links might take you to a web page that looks exactly like your bank’s website and attempt to steal your banking login details, which also gives them their most prized asset – your personal information.
Take a look at the report from Business Standard in December 2016, which highlights a real incident that affected online banking customers of 26 banks in India.
Business Standard December 2016 article
"In this phishing attack, victims are asked to enter their account number, mobile number, email address, one time password (OTP) and other details. Once the information is collected, the website displays a fake failed login message to the victim."
"The phishing site served fake logins from 26 banks in India, including HDFC Bank, ICICI Bank, IDBI Bank, State Bank of India, among others."
"a new domain (csecurepay[.]com) that was registered on October 23 this year and appears to be an online payment gateway but actually is a phishing website that leads to the capturing of customer information from 26 banks operating in the country"
Always be careful with emails that purport to come from your bank and never click on links embedded in such emails. If in doubt, contact your bank directly using the methods you have always reliably used in the past, for example by calling the bank’s phone number and asking them about the suspicious email.
If you do click on such links, please do not enter your bank’s login details on the website or share any personally identifiable information such as your full name, date of birth and address.
Would you like to save your password for this site?
Chasing convenience is also a factor in facilitating identity theft. We all have multiple devices and multiple accounts, and as a consequence multiple user ids and passwords. One of the outcomes of this proliferation has been the development of online password managers (websites that save your login details and promise to save you the hassle of having to remember hundreds of passwords).
Although no method offers 100% guarantees on security and encryption, it’s best to avoid online hosted password managers as you have no control over their infrastructure. If your password manager website suffers a data breach or gets hacked, as was the case with LastPass, one of the popular online password managers, back in 2015, you run the risk of losing your entire database of password entries for most, if not all, of your accounts.
The February 2019 report from Independent Security Evaluators (ISE) found fundamental flaws in the underlying workings of five popular password managers targeting the Windows 10 platform: 1Password 7, 1Password 4, Dashlane, KeePass, and LastPass.
If you do need to save your passwords, please employ a secure offline method for doing so. At the very least, it will give you some control over where and how that sensitive data is stored.
Would you like to sign in with your fingerprint next time? Or how about facial recognition?
Biometric data is one of the most sensitive types of data when it comes to your privacy. You always have the option of resetting or recreating your passwords in case of a security breach but if you lose your biometric data, your options around getting a different set of fingerprints and irises are quite limited.
Given the prevalence of fingerprint enabled login options on mobile devices and in some cases, facial recognition, the probability of losing this sensitive data, which is very uniquely tied to you as a person, is also going up.
Here are a few examples of biometric data:
- Iris and Retina
- Facial Structure
- DNA profiles
Like most people, you may be forming habits that easily give away biometric data without realising how sensitive this is for your personal identity. For example, you may be giving away your fingerprint data to apps on your phone, to websites that promise to make your login experience better, faster and efficient. You may also be using your voice to search the web and interact with smart devices such as Amazon’s Echo or Alexa without thinking about the risks to your identity if this data (your fingerprint signature and your unique voice signature) got into the wrong hands.
Be very careful about giving these things away unless absolutely necessary, and always do your research before you entrust your sensitive biometric data over to organisations and companies that promise convenience.
What can you do to protect your identity online
Keep an eye on your credit report, and regularly check your credit report for any surprises or unexpected entries
Enable Two Factor Authentication and strong passwords for all supported apps, websites and online services that rely on your personal data
Keep your devices updated, and use well known anti-virus, firewall, VPN software to protect your devices
Use up-to-date and secure browsers, such as Firefox for example
Only connect to safe, known networks – both wired and wifi
Always ask why an organisation wants your personal and sensitive data (such as your date of birth, your tax ID, your national insurance number) before deciding whether to share it
Always use encryption where possible
Opt-out of surveys and marketing lists
Read privacy policies
If you’ve been scammed, defrauded, or experienced cyber crime, report it to Action Fraud, the UK’s national reporting centre for fraud and cyber crime
If you have any questions arising from this article, please do get in touch with us.