Identity Theft: 101
The US Department of Justice defines Identity Theft (Identity Fraud) as all types of crime in which someone wrongfully obtains and uses another person’s personal data in some way that involves fraud or deception, typically for economic gain. Although you may not have been a victim of identity theft yourself, chances are you know someone who has. According to the Bureau of Justice Statistics, in 2014, in the United States alone, more than 17.5 million individuals experienced at least one identity theft incident, for a cumulative loss in excess of $15 billion. With this amount of money at stake, you can be sure that identity theft and similar activities will be an ongoing problem in the coming years.
While identity theft has likely been around as long as there have been identities to steal, the advent of the internet and email communication has ushered in a golden age for identity thieves. Physical documents and fake identification cards are no longer required for a thief to steal your identity. In fact, the vast majority of identity theft incidents in 2014 involved access to and misuse of existing accounts, such as credit cards, checking and savings accounts, and telephone and online accounts. To obtain the personal information necessary to access, and ultimately control, your online accounts, identity thieves have developed a variety of sophisticated cyber tools and social engineering methods designed to trick you (or one of your service providers) into handing over that information. In this sense, the very tools developed to provide consumers with convenience and ease of access, such as email and online account access, also provide thieves with the means to steal our identities.
Email & Social Media
The fact that so much of our communication, both business and personal, is now handled electronically has pushed criminals to use these same communication methods in an attempt to steal our identities. Some of the most common techniques identity thieves use to obtain our personal information include spam, phishing, spear phishing and Open Source Intelligence (OSINT).
While spam may seem more of a nuisance than a threat, these unwanted emails often contain dangerous elements designed to steal your information. Most spam is attempting to sell a product that either doesn’t exist or doesn’t work. Spammers are looking to trick a small percentage of their targets into clicking a link to purchase their product. The email recipient ultimately loses their money as well as their personal information. In addition to fake or faulty products, clicking on a link can often lead to the download/installation of malware on your computer. This malware is often used to either steal personal information from you or potentially download additional malware.
Fortunately, most email providers include some form of spam filtering with their service to help reduce this threat. Additionally, there are a variety of commercially available products designed to identify these potential threats and protect you from them. The downside to such products is that they are not perfect, and from time to time will block emails that you do want. It is a good practice to review your spam folder on a regular basis to ensure it is working properly. It is also highly recommended that you simply ignore and delete emails that are attempting to get you to purchase something.
Phishing attacks use a fake, or “spoofed”, email in an attempt to get you to provide your personal or financial information. Rather than attempting to sell you a product, these scams attempt to win your confidence by pretending to be a financial institution, retail website, government agency, or other service or business. A common theme of these attacks is that your account with the spoofed company has been compromised, and that you must contact them or log in to confirm some information to ensure the safety of your account before your order can be processed, or some similarly false pretense. Clicking on the provided link will often take you to a website that appears to be the spoofed company and ask you to log in to your account. Alternatively, the link may simply infect your computer with some form of malware, such as spyware, designed to capture your personal information.
To avoid becoming the victim of a phishing attack, employ best practices for handling email. Always pay attention to the source of the email; don’t simply open an email and start following links. Never click a link in an email that you weren’t expecting without taking proper precautions. Hovering the mouse pointer over a link without clicking will show you the actual destination you will be taken to if you click on the link. Always pay attention to a website’s URL and the sender’s email address. Small discrepancies or alterations in spelling from the legitimate site, such as “.biz” versus “.com”, or “nn” versus “m”, are common techniques used by identity thieves. Never send personal or financial information via email to an unverified source, and if you are asked to log in to a website, type the website’s address into your browser rather than simply following the link. Finally, if you are still unsure about the validity of an email, contact the company directly to confirm it came from them.
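As an added example, not part of the original article, the following Python script applies the link-checking advice above mechanically to a constructed email body: for every link it compares the domain shown in the link text with the domain the link actually points to (what hovering would reveal), and it flags TLD or spelling swaps on a name you trust. The trusted-domain list and the table of look-alike substitutions are assumptions for the demonstration.

```python
import re
from urllib.parse import urlparse

# Hypothetical allow-list: domains the reader actually does business with.
TRUSTED_DOMAINS = {"examplebank.com", "examplestore.com"}

# Substrings that pass for another letter at a glance; an assumed set of common swaps.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l"}

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.S | re.I)
DOMAIN_IN_TEXT_RE = re.compile(r"[\w-]+(?:\.[\w-]+)+")


def registrable_domain(host):
    """Keep the last two labels: 'login.examplebank.com' -> 'examplebank.com'."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def normalize(domain):
    """Drop the TLD and undo look-alike swaps so 'exarnplebank.biz' -> 'examplebank'."""
    name = domain.rsplit(".", 1)[0]
    for fake, real in CONFUSABLES.items():
        name = name.replace(fake, real)
    return name


def check_links(html):
    """Classify every link as 'ok', 'mismatch', 'lookalike' or 'untrusted'."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        target = registrable_domain(urlparse(href).hostname or "")
        shown = DOMAIN_IN_TEXT_RE.search(re.sub(r"<[^>]+>", "", text).lower())
        shown_domain = registrable_domain(shown.group(0)) if shown else None
        if target in TRUSTED_DOMAINS:
            verdict = "ok"
        elif shown_domain and shown_domain != target:
            verdict = "mismatch"   # text names one site, the link goes elsewhere
        elif any(normalize(target) == normalize(t) for t in TRUSTED_DOMAINS):
            verdict = "lookalike"  # TLD or spelling swap on a trusted name
        else:
            verdict = "untrusted"
        findings.append((target, verdict))
    return findings


# Constructed sample message body, not a real email.
SAMPLE = """<p>Your account is locked. <a href="https://login.examplebank.com/">Sign in</a>,
<a href="http://exarnplebank.biz/x">https://www.examplebank.com/verify</a>,
<a href="http://examplebank.biz/x">confirm here</a> or
<a href="http://exarnplebank.com/x">confirm</a>.</p>"""
```

Calling `check_links(SAMPLE)` returns one verdict per link; only the first link resolves to a trusted domain, while the others are a text/destination mismatch, a “.biz” for “.com” swap, and an “rn” for “m” swap.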
Spear phishing is characterized as a highly specialized attack against a specific target or small group of targets to collect information or gain access to systems. These emails are sent to a certain person or group instead of a mass mailing like normal phishing.
For example, a cybercriminal may launch a spear phishing attack against a business to gain credentials that give access to a list of customers. From that attack, they may then launch a phishing attack against the customers of the business. Since they have gained access to the network, the email they send may look even more authentic. And, because the recipient is already a customer of the business, the email may more easily make it through filters and the recipient may be more likely to open it.
To reduce the risk of being a victim of spear phishing, follow the same guidelines proposed to stop broad phishing attacks.
Open Source Intelligence
Open Source Intelligence is broadly defined as intelligence collected from publicly available sources. The staggering growth of social media in both our personal and professional lives has led to an exponential increase in the amount of personal information that can be obtained from these open social platforms. Cybercriminals will often use social media platforms to obtain basic personal information about a target, which is then used for more advanced attacks such as spear phishing.
To avoid providing such personal information to cybercriminals via social media, it is highly recommended that you limit the amount of personal information included in any social media profiles. Additionally, reviewing the privacy settings of your social media accounts may also provide you with the means of limiting who has access to your profile and data.
Although there are a variety of software products and services designed to help keep you from becoming a victim of identity theft, often it is our own actions and habits that are the weak spot in our defenses. Developing good habits in handling the emails you receive is essential to protecting yourself. It is far better to be skeptical and untrusting of the email you receive than to simply assume that it is authentic. Don’t be afraid to pick up the phone and verify the authenticity of a request.
Cyber Security at HFS
Protecting sensitive and confidential client information from cyber threats is a top HFS priority. HFS maintains cybersecurity policies and procedures because of the risk cyber threats pose to our clients and our business. Our goal is to protect our clients, the Firm, and our employees from illegal or damaging actions carried out through cyber activities involving HFS.
The threat created by nefarious operators is real and constantly evolving. We routinely review our cybersecurity procedures and make adjustments as new threats and concerns are identified. One area of focus is the transmission of confidential information via electronic correspondence, namely email. As a result, we are implementing new procedures regarding the handling of email communications that contain confidential or sensitive information.
The communications in question most commonly contain at least two types of personal or other identifying information, such as your name along with your Social Security number, date of birth, driver’s license number, account numbers, credit/debit card numbers and other similar information. In addition to refraining from explicitly including your confidential information in the body of an email, documents containing confidential information will now be sent to you via a cloud-based, password-protected service called “box.com”. This will allow us to share your personal and financial information in a manner that reduces the threat to your identity.