If you haven't fallen victim to identity theft—or haven't heard of someone who has—consider yourself a member of a slowly shrinking minority: statistics show there's a new identity fraud victim every two seconds! Most of us have some level of protection against identity theft, such as credit monitoring or multifactor authentication, enabled for our online accounts. But identity thieves often take it a step further.
The sad truth is that stealing someone's identity requires little to no professional hacking experience. How—and why—do the identity thieves do it? And more important, how do you protect yourself from identity theft?
To help answer these important security questions, let's start by exploring the anatomy of identity theft.
Step 1: Research
The most common way identity thieves get their hands on your personal information is via the Internet. After all, a simple Google search can reveal your e-mail address, date of birth, previous addresses, and more.
For example, millions of people had their information compromised in the many major data breaches of the past few years (Target, Home Depot, and Staples, just to name a few). This information is in the hands of the bad guys, and they can share this information with and sell it to other bad guys. It might take some time, but one of the easiest pieces of information to get is probably your e-mail address. Once the criminal has that, he or she will move on to your password.
Step 2: The Con
There are several ways for a cyber thief to get your password. With personal e-mail accounts, such as Gmail or Yahoo!, one can try a password an infinite number of times without getting locked out. This means hackers can use brute-force password-cracking tools to figure out your password and access your account. Or, if enough of your personal information can be found online (e.g., where you went to high school or your pet's name), the thief might be able to answer your security questions and simply reset the password.
Your password can also be the target of phishing e-mails. For example:
- You receive an e-mail purportedly from PayPal asking you to verify or change your password.
- A link takes you to a site that looks like a legitimate PayPal site, but it's actually a dummy site created by the hacker.
- You enter your password, and voilà! Now the hacker has it.
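As an added illustration (not part of the original article), this Python sketch shows how a mail filter or a careful reader can tell a genuine link from the dummy site described above: compare the host the link really points to with the domain the message claims to come from. The function name, the sample links, and the 0.8 similarity threshold are assumptions made for this example.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit


def check_link(url, trusted_domain):
    """Classify a link against the domain the e-mail claims to come from."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    trusted = trusted_domain.lower()
    brand = trusted.split(".")[0]  # assumption: first label is the brand name

    # "https://www.paypal.com@login.example/" really goes to login.example:
    # everything before "@" is a username, not the site.
    if parts.username is not None:
        return "userinfo-trick"

    # Genuine only if the host IS the trusted domain or a subdomain of it.
    # The leading dot stops "notpaypal.com" from passing as "paypal.com".
    if host == trusted or host.endswith("." + trusted):
        return "ok" if parts.scheme == "https" else "not-https"

    # Wrong site. Flag it as a lookalike when a label contains or closely
    # resembles the brand (threshold 0.8 is an assumption for this example).
    for label in host.split("."):
        if brand in label or SequenceMatcher(None, label, brand).ratio() >= 0.8:
            return "lookalike"
    return "other-site"


# Constructed sample links for illustration only.
SAMPLE_LINKS = [
    "https://www.paypal.com/signin",
    "http://www.paypal.com/signin",
    "https://paypal.com.account-verify.example/signin",
    "https://www.paypal.com@login.example/reset",
    "https://paypa1.com/signin",
    "https://news.example/article",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{check_link(link, 'paypal.com'):15} {link}")
```

Only the first sample link passes; every other one either lands on a different host or drops HTTPS, even though several of them display "paypal.com" prominently.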
Step 3: The Hack
Now that the identity thief has your password, he or she is going to use it to get into your e-mail account and find out where you do business, your credit card companies, and your banking institutions. This is where you run into trouble: a more confident hacker can use your personal information to take the extra step of actually calling the organization.
Step 4: The Call
Here at Commonwealth, if a client wants a third-party wire transfer, our policy requires the advisor or staff to reach out to the client and get verbal confirmation. This request typically deters a cyber criminal, and the con stops there. But what if a cyber thief has the guts to actually call and impersonate his or her intended victim? It's one thing for a company or advisor to be suspicious of an e-mail, but human nature will likely lead the customer service representative to trust that the identity thief on the other end of the line is who he or she claims to be.
When someone calls a company to do business over the phone, the representative will likely ask for answers to security questions or for verification of the last four digits of the social security number. But remember that the thief has done the research; much of the personal information he or she has found online can likely be used to answer typical security questions. It's enough to verify your identity, and once the thief is in, your accounts are completely vulnerable.
Now, the thief can use the phone rather than the Internet to take out a loan, explain questionable purchases made in your name, or verify approval for third-party wire transfers—all fraudulent and done without your knowledge. So, what can you do to stop this from happening?
What Can You Do to Protect Yourself from Identity Theft?
Although these con artists are relentless, there are ways you can protect yourself, including the following:
- Sign up for identity theft protection services. More comprehensive than basic credit monitoring, these services include features such as fraud monitoring, recovery assistance, and monitoring your bank accounts and public records to ensure accuracy. Be sure that you're keeping an eye on your credit score and watching for any sudden fluctuations.
- Choose obscure security answers. For security questions, choose questions about obscure things that someone wouldn't be able to research online, or simply make up the answers. This will significantly decrease the likelihood of an identity thief getting past security questions over the phone. To avoid forgetting the answers, store them in an encrypted file or use a password manager that allows you to securely store notes.
- Use the phone to your advantage. Call your financial institutions and ask them to require a password that only you will know before the customer service representative can proceed. Another way to err on the side of caution is to have a note placed on the account asking the organization to call you back on a number you have listed. That way, a call placed by an identity thief will be immediately identified as fraudulent when customer service calls and finds out it isn't you.
- Search for yourself. Do an Internet search on yourself to see what information is publicly available and easily found. Then, be sure to tighten up your account privacy settings for any online account. Think before you post on any social media sites, blogs, or forums!
- Be wary of phishing and unsolicited e-mail. Always verify the source before you respond or provide any sensitive information. It's best practice to go to the company's website yourself by typing the URL directly into your browser—or simply call them at a number you know is legitimate. This will prevent you from handing over your password or financial information and mitigate the risk of the thief taking the con any further.
- Destroy and dispose. When discarding old tax records, preapproved credit card offers you get in the mail, bank statements, and credit card statements, be sure to shred them before throwing them away.
Cyber crime and identity theft are unfortunate consequences of the digital age, but the best defense is perpetual vigilance. Protection products, minimal sharing, tough passwords, and a healthy dose of caution can all help you stay a step ahead of the bad guys.
What tools do you use to protect yourself from identity theft? Have you fallen victim to cyber crime? Please share your thoughts with us below.