Identity theft is one of the things you never expect to happen to you until it does.
The scariest part is not the theft itself but what follows. Victims of identity theft often don't discover that their financial, reputational, and bureaucratic lives have been destroyed until long after the crime was committed. This delay makes it extremely difficult for authorities to investigate identity theft cases.
We wish we were exaggerating the impact of identity theft, but the recent numbers prove why you need to worry about it now before it's too late. According to FTC data, almost 1.4 million identity theft cases were reported in 2021, making it the most common fraud category in the U.S. The same report singles out government programs and credit card fraud as the most popular types of identity theft. Also, as of June 2022, there are 2.4 million cases of identity theft, and credit card fraud tops the 2022 list with 230,937 reports.
Uber recently faced a severe data breach where a teenage hacker managed to access OneLogin, allowing them to possess system-wide critical data. Despite the evidence, the company is yet to concede the extent of customer data that has been compromised.
Threat actors are trying ingenious ways to steal consumers' personal data, and as the Uber hack shows, limited experience or technology doesn't stop them from undermining big companies. So where does that leave us, the consumers? The best thing you can do to prevent identity theft is to understand it.
In this guide, we'll discuss how identity theft works, how to detect it, and how you can react to such incidents.
What Is Identity Theft?
Identity theft occurs when malicious actors steal someone's personally identifiable information (PII) to commit fraud or steal money.
Getting hold of PII is critical here. Some of the most common PII include name, address, phone number, date of birth, SSN (social security number), online login details (usernames and passwords), and credit card details. What makes PII theft so damaging is the hacker's ability to piece multiple threads of information together to create an accurate profile of the victim.
Identity theft comes in various forms, but some are more common than others.
Government and tax-related fraud
Recent Paycheck Protection Program (PPP) loans for pandemic-affected businesses and other government programs have been happy hunting grounds for fraudsters. They often use the victim's identity to apply for unemployment checks, tax refunds, and new jobs. Since governments automatically carry a high level of trust, this is one of the most popular types of identity theft.
Credit card fraud
Hackers often use PII to attack your credit card and credit score. Even if they don't have physical access to the card, they can clone it using PII to take out loans or create new accounts.
Some hackers go straight for your bank account by cloning debit cards or carrying out ACH transfers. According to the FTC report, opening new bank accounts has seen the second-fastest YoY growth.
Hackers can use your PII to link their utility accounts to your identity and rely on your strong credit score to keep the lines active for months. Eventually, the authorities will reach your door, asking you to pay a hefty amount for utilities you didn't use.
Since PII is often static and shared between multiple accounts, hackers can scale their attacks to exploit financial loopholes. All they need is a crumb of data to start.
How Identity Theft Happens
Identity theft can cause irreparable damage, so you need to understand how hackers go about their business once they get hold of PII and what you can do to minimize the impact.
Phishing is the process of sending malicious links or attachments via emails, team chat apps, text messages, or social media. The content mimics a legitimate business to gain your trust and uses urgency to undermine your rational thinking. Cloudflare employees were recently targeted with phishing text messages which exposed a large amount of company data.
Lost or stolen assets
Some criminals don't hide behind screens; they simply go ahead and steal your wallet or phone. Once they break into your phone or find documents in your purse, they can piece the puzzle together and possess the entire gamut of your PII.
Public wifi is convenient, but it rarely uses industry-standard security protocols. Hackers know it, and they target public wifi to stalk users. If you use cafe or airport wifi to share personal or business data, you might already be at risk.
Shoulder surfing is the subtle way of tracking a victim in a coffee shop or a crowded bus when they punch in their credit card or log in to websites. Rookies spy on nearby devices, while advanced hackers can follow typing patterns from a distance to figure out sensitive information.
Skimming is the process of replacing or modifying point-of-sale systems and ATMs with tracking devices that store your card details. When you use your card to pay or withdraw money, you unknowingly give away your PIN and other information for hackers to exploit later.
Dumpster diving is the old trick of recovering paperwork, sticky notes, and discarded computer hardware that might contain sensitive data. It was popular in the pre-cloud era, but it's still effective today since many businesses forget to shred documents before putting them in the trash. In today's digital world, it can also mean going through the computer's recycle bin to find sensitive documents the user thought were deleted.
A data breach at a company that hosts your account may lead to hackers gaining your PII. It's one of those cases where you can do very little to prevent it from happening, but with proper knowledge, you can mitigate the impact. Like the Cloudflare attack, Twilio suffered a data breach in August this year, exposing the data of hundreds of customers.
Even if hackers don't get your complete PII, that doesn't stop them from committing identity fraud.
If they have your SSN, they can create a synthetic ID by combining your authentic details with made-up information. They can use this legit-looking ID to trick officials, open a new bank account, or sign up for government checks. Children and the elderly are often victims of synthetic ID crimes.
Burglaries and home invasions
With so much emphasis on cybersecurity, we often forget about generic crimes. Burglars often break into houses not to steal cash or jewelry but to access credit cards, driving licenses, and SSNs. Since they can just copy the information without stealing anything, victims don't realize it until it's too late.
Family identity theft
Family identity fraud works similarly to synthetic ID fraud, where children's blank credit scores are used for crimes, but it also goes beyond that. Sometimes family members, such as an older kid or a sibling, steal PII to commit fraud without the victim's consent. Familial identity fraud is more common than you think.
What Are the First Signs of Identity Theft?
If you're a victim of identity theft, you must detect the red flags well before it harms you or your family. Here are a few signs of identity theft that you should look out for:
Your bank statement or credit card bills look unfamiliar
Hackers will target your bank sooner rather than later if your PII is compromised. It's not an ideal situation, but the good thing is that the changes won't be subtle, and you will need to act quickly.
You're likely a victim of identity theft if your bank statement contains unexpected transactions, your check bounces (hinting at a possible lack of cash), or you get calls from your bank to verify an unfamiliar purchase.
You might also see unfamiliar credit card charges, notifications of a new credit card or loan, a sudden drop in credit score, or calls from debt collectors asking you to repay loans you've never taken. Any unusual activity can be a sign of identity theft.
Your income is misreported, or you haven't received a tax refund
We all wish tax season were simpler, but if someone files taxes on your behalf without your consent, that's a red flag. Cybercriminals file taxes in order to receive your tax refund. They might also use your SSN to get jobs, which will complicate your income reports.
If the IRS alerts you to an activity you didn't personally engage in, you might be set up for a tax scam.
Your mail and utilities don't work properly
This is dumpster diving and a utility scam rolled into one. If your mail keeps going missing from the mailbox or doesn't arrive at all, someone is either stealing it or has rerouted your address to a new place to receive your mail.
Similarly, if you're handed an enormous utility bill for unknown accounts or your water, electricity, or phone services are suddenly shut off for non-payment, you might have become a victim of identity theft.
The website feels different after logging in
Hackers often use phishing websites that impersonate real ones to trick users. If you visit a website and feel the branding or the structure is off, you might have seen a fake website. If you logged in recently, act quickly to contain the issue. A similar thing can happen with emails as well.
You get MFA notifications and sign-in alerts
Most companies encourage multi-factor authentication (MFA) for users. If you have it turned on and receive a login code you didn't request, know that someone is trying to access an account with your PII. You might even receive a notification or email updating you about a recent login you didn't initiate. Pay attention to these notifications and alerts to detect an issue in its infancy.
How To Prevent Identity Theft
Fighting against cybercriminals might seem like a losing battle, but all you have to do is stay under their radar and cover your tracks. By becoming a more challenging target, you can protect your online privacy.
Here are a few ways you can avoid falling prey to identity theft:
Watch out for the red flags
It's not enough to remember the most common ways people lose their PII; it's also essential to put that knowledge into practice. Start with being extra cautious of phishing attacks that use social engineering to mimic real people and companies. Keep your assets close to you in public, and avoid typing personal data. Use public wifi only if you use a VPN as well.
Reconsider your online presence
The burden of data governance keeps growing with more website accounts and social media platforms. If it's possible, consider reducing your online footprint.
Start by limiting the number of social media platforms you use and what you share on them, tightening the privacy settings, deleting old accounts, and setting up a Google Alert for your name. This way, you'll be notified if your name pops up on a website.
Occasionally monitor the dark web and credit report
It's a security best practice to periodically scan the dark web to see if your or your family members' PII has been listed for sale, and it's also critical to monitor your credit report to catch anomalies.
Extend theft protection to the entire family
Children are often more at risk of identity theft than adults because of their clean slate. While considering an identity theft protection service for yourself, don't forget to extend it to the entire family. A good theft protection service should include credit monitoring, device and network security, an insurance policy, and a 24/7 fraud resolution team.
Advanced threat protection should also include data backup. Identity theft leads to data loss. And in some cases, it can be impossible to restore your records after a cyber attack if you don't back up your data.
Prepare to react quickly
We hope you never have to use any of the measures listed below, but if the worst does happen, here's what you should do immediately:
- Change your passwords immediately and log out of other devices.
- File a complaint on the FTC's website, identitytheft.gov, to receive an ID theft report. You can also do it by phone by calling the FTC directly at 1-877-438-4338.
- You can also file a police complaint if you know the thief or if your name has been used in police interactions.
- You can also file a report by identity theft type. Contact Medicare's fraud office for medical identity theft, contact the Internal Revenue Service for tax identity theft, and contact the labor department for unemployment identity theft.
- You should also call one of the three credit bureaus and freeze your credit.
- For senior citizens, the report should be filed with the National Long Term Care Ombudsman Resource Center.
- Finally, you should reach out to each institution or company where you have an account and ask them to close the existing account and create a new one.
Stay Alert Online!
Identity theft is hard to prevent and even harder to contain. You can mitigate most of the risks by staying vigilant, but it's a good idea to subscribe to an identity theft protection service and move to privacy-first cloud apps to store and share your life's moments.