Identity theft occurs when a criminal obtains or uses someone else's personal information, such as their name, login, Social Security number (SSN), or date of birth, to assume their identity or access their accounts for the purpose of committing fraud, receiving benefits, or gaining financially in some way.
We're all in the middle of an identity crisis—an identity theft crisis, that is.
According to a 2017 report from Javelin Strategy, there were 16.7 million victims of identity theft in the United States, while total losses across all types of identity theft reached $16.8 billion. For perspective, if the criminals responsible banded together to create their own country, which we'll call Crimeland (Crimea is already taken), the nominal gross domestic product would put Crimeland at 118th place just below Gabon and above Georgia.
The top forms of identity theft according to the Federal Trade Commission (FTC) Data Book 2018 are:
In the US, “identity theft” wasn't legally defined until 1998. It was then that Congress passed the Identity Theft and Assumption Deterrence Act, which made identity theft a prosecutable offense in and of itself. Prior to this, identity theft was prosecuted under a hodgepodge of state and federal fraud statutes designed with old-timey grifters and con artists in mind (think Leonardo DiCaprio in the 2002 film Catch Me if You Can).
Pre-Internet criminals typically had to go through your physical mailbox or suffer the indignity of rummaging through your smelly trash to get the information they needed to steal your identity—like those “you're already approved,” pre-screened credit offers we all get in the mail.
Thanks to the miracle of modern technology, today's cybercriminals don't have to work nearly as hard to invade your privacy, but they stand to gain so much more. Big businesses and the large caches of data contained on their networks present a much more lucrative target than piecemeal attacks on individual consumers. Accordingly, attacks on businesses are up 235 percent year over year, according to the Malwarebytes Labs Cybercrime Tactics and Techniques report. At the same time, attacks on consumers went down almost 40 percent.
According to the Identity Theft Resource Center's (ITRC) 2018 End-of-Year Data Breach Report, there were 1,244 data breaches, exposing over 446 million records in 2018.
Chances are your data has already been compromised in a data breach.
For example, the 2013 Yahoo data breach affected all three billion Yahoo user accounts (yes, that's billion with a “b”). If at any point in time you had an account with Yahoo, you're a victim. The stolen data included names, emails, a mix of encrypted and unencrypted passwords, and security questions and answers—all of which are immensely useful for hacking into other accounts that use the same login credentials (aka credential stuffing attacks).
As a result of the Yahoo data breach and others like it, your personal data is likely for sale right now on the Dark Web. The Dark Web is like the Bizarro World version of the Web we use every day. While the average person uses the normal Web to stream movies, buy groceries, and download software, the Dark Web caters to a different kind of customer looking for illegal porn, drugs, and caches of stolen data.
According to the New York Times, three shady buyers paid $300,000 each on a Dark Web marketplace for the stolen Yahoo data.
Collection 1, the largest assemblage of stolen data in history, was at one point selling on the Dark Web for a mere $45.
This is a familiar narrative within the world of cybercrime—you place your trust in an organization, organization is hacked, your data is stolen, cybercriminals sell your data on the Dark Web, buyers use your data to commit fraud.
Before you resign yourself to victimhood, take heart. There are steps you can take to safeguard the privacy of your data and protect your identity from would-be identity thieves. Even if the bad guys already have your personal information, you can make your information entirely useless to them.
Let's take a deeper dive into the sordid world of identity theft, the signs, the causes, how to protect yourself, and what to do if your identity has already been stolen.
Credit identity theft happens when a scammer steals your credit card number outright and uses it to make fraudulent purchases or obtains a credit card or loan under your name. According to the FTC, credit card related identity theft was the most common form of ID theft for 2018—up 24 percent over the previous year.
Tax identity theft occurs when a scammer gets a hold of your SSN and uses it to obtain a tax refund or get a job. This might come as a result of a data breach that exposes your SSN online, for example. The US Internal Revenue Service doesn't get much love from taxpayers, but the organization's efforts to reduce tax-related identity theft appear to be working. The IRS reports cases of tax-related identity theft are down 38 percent from 401,000 in 2016 to 242,000 in 2017.
Child identity theft. Why would someone want to pretend to be a child? Many reasons.
Scammers can use your child's SSN to obtain a tax refund, claim them as a dependent, open a line of credit, get a job, or obtain government ID. There are lots of ways you can protect against child identity theft, including freezing your kid's credit. Generally, they need to be under 15 or 16 years of age, though the age limit varies by state (more on credit freezes later).
Medical identity theft happens when criminals use your identity to see a doctor, get medical treatment, or obtain prescription drugs. In years past, medical identity theft could affect your ability to get health coverage or cause you to pay more for treatment. That's not the case anymore thanks to recent changes in the law, but past due medical debts incurred by a scammer can appear on your credit file and hurt your credit score. Seniors are a prime target for medical ID scams, because they receive Medicare and no one will think twice about frequent medical visits. With the Baby Boomer generation entering Medicare age (65+), scammers have more targets than ever before. Medical ID theft is up 103 percent year over year, according to the FTC.
Criminal identity theft happens when a criminal is arrested and provides law enforcement with a name, date of birth, and fraudulent ID based on a stolen identity. Criminal ID theft typically comes up when applying for a job or an apartment. If the employer or landlord performs a background check, the crimes of your nefarious doppelganger might stop you from getting that job or housing.
Here's a sampling of the more common attack methods cybercriminals use to breach an organization, network, or your personal computer in order to steal your personal information and your identity. And if you're interested in the history of data breaches, head over to our article on the subject.
An exploit is a type of attack that takes advantage of software bugs or vulnerabilities, which cybercriminals use to gain unauthorized access to a system and the data contained within. These vulnerabilities lie hidden within the code of the system and it's a race between the criminals and the cybersecurity researchers to see who can find them first. The criminals want to abuse the vulnerabilities, while the researchers want to report them to the software manufacturers so the bugs can be patched. Commonly exploited software includes the operating system, Internet browsers, Adobe applications, and Microsoft Office applications.
Spyware and keyloggers are types of malware that infect your computer or network and steal information about you, your Internet usage, and any other valuable data they can get their hands on, e.g., your usernames, passwords, and SSN. You might install spyware as part of some seemingly benign download (aka bundleware). Alternatively, spyware can make its way onto your computer as a secondary infection via a Trojan like Emotet. As reported on the Malwarebytes Labs blog, Emotet, TrickBot, and other banking Trojans have found new life as delivery tools for spyware and other types of malware. Once your system is infected, the spyware or keylogger sends all your personal data back to the command and control (C&C) servers run by the cybercriminals.
Phishing attacks work by getting us to share sensitive information like our usernames and passwords, often employing social engineering tricks to manipulate our emotions, such as greed and fear. A typical phishing attack will start with an email spoofed, or faked, to look like it's coming from a company you do business with or a trusted coworker. This email will contain urgent or demanding language and require some sort of action, like verifying payments or purchases you never made. Clicking the supplied link will direct you to a malicious login page designed to capture your username and password. If you don't have multi-factor authentication (MFA) enabled, the cybercriminals will have everything they need to hack into your account. While emails are the most common form of phishing attack, SMS text messages (aka smishing) and social media messaging systems are also popular with scammers.
Oversharing on social media. It's not our fault when a social media site like Facebook or Google+ gets hacked, but oversharing personal information on social media does increase our risk of identity theft in the event of a data breach. A Facebook bug allowed spammers to get around login requirements and access personal information for 30 million users. Likewise, a bug in Google+ gave third-party app developers access to personal information, including name, email, DOB, gender, places lived, and occupation for nearly half a million users. Two months later Google pulled the plug on the social media service when it was discovered another Google+ bug exposed over 50 million users. Should you limit your exposure and delete yourself from social media? If you answered yes, check out our guide.
Scam calls and robocalls are live or pre-recorded phone calls designed to trick you out of your personal information. A recent robocall covered on the Malwarebytes Labs blog involved scammers purporting to be from the Social Security Administration. Recipients were accused of “leaving behind trails of suspicious information” and told that if they did not call the scammers back and confirm their SSN, a warrant would be put out for their arrest. The really grifty part of this scam is that the perpetrators used spoofing technology to make the calls appear to come from the Social Security Administration's national customer service number. According to the FTC, scam calls from people pretending to be from the Social Security Administration went up 994 percent from 3,200 in 2017 to 35,000 in 2018.
A SQL injection (SQLI) is a type of attack that exploits weaknesses in the SQL database management software of insecure websites in order to get the website to spit out information from the database. Malwarebytes Labs ranked SQLI as number three in The Top 5 Dumbest Cyber Threats that Work Anyway. A bad guy enters malicious code into the search field of a retail site, for example, where customers normally enter searches for whatever they're trying to buy. Instead of returning with a list of search results, the website will give the hacker a list of customers and their credit card numbers. This may sound like an oversimplification, but it really is this easy. Attackers can even use automated programs to carry out the attack for them. All they have to do is input the URL of the target site, then sit back and relax while the software does the rest.
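To make the retail search example concrete for anyone who builds or reviews such a site, here is an added example (not code from the original article) that puts the weak query construction beside the parameterized fix. The table names, function names, and sample rows are constructed for illustration and run against an in-memory SQLite database.

```python
import sqlite3

def make_db():
    """Build an in-memory store filled with constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (name TEXT, price TEXT);
        CREATE TABLE customers (name TEXT, card_number TEXT);
        INSERT INTO products VALUES ('garden hose', '19.99'),
                                    ('hose reel', '34.50');
        INSERT INTO customers VALUES ('Alice Example', 'CARD-TEST-0001'),
                                     ('Bob Example', 'CARD-TEST-0002');
    """)
    return db

def search_vulnerable(db, term):
    # Weak: the search term is pasted into the SQL text, so the database
    # parses whatever the visitor typed as part of the query itself.
    sql = "SELECT name, price FROM products WHERE name LIKE '%" + term + "%'"
    return db.execute(sql).fetchall()

def search_safe(db, term):
    # Fixed: the query text is constant and the term is bound as data,
    # so quotes and SQL keywords in it are only ever matched as text.
    sql = "SELECT name, price FROM products WHERE name LIKE ?"
    return db.execute(sql, ("%" + term + "%",)).fetchall()

# Constructed hostile search term of the kind described above.
HOSTILE = "zzz' UNION SELECT name, card_number FROM customers --"

def demo():
    db = make_db()
    return {
        "normal": search_safe(db, "hose"),
        "vulnerable_hostile": search_vulnerable(db, HOSTILE),
        "safe_hostile": search_safe(db, HOSTILE),
    }

if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The same hostile string returns the customer table from the concatenated query and nothing at all from the parameterized one, which is why bound parameters are the standard fix.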
Broken or misconfigured access controls can make private parts of a given website public when they're not supposed to be. For example, a website administrator at an online retail site will make certain folders on the network private. However, the web admin might forget to make the related sub-folders private as well, exposing any information contained within. While these sub-folders might not be readily apparent to the average user, a cybercriminal with strong Google-fu skills could find those misconfigured folders and steal the data inside.
Credential stuffing. In the aftermath of a data breach, affected organizations will often force reset the passwords for all impacted users, but that doesn't necessarily mean everyone is safe. Cybercriminals can use stolen emails, usernames, passwords, and security questions/answers to break into other accounts and services that share the same information. Using off-the-shelf automation tools designed for testing webpages, cybercriminals enter a list of stolen usernames and passwords into a website until they land on the right credentials for the right website. This is credential stuffing and while it can be used to hack individual consumer accounts, it's typically used as part of a remote desktop protocol (RDP) attack.
After a data breach, affected companies will usually offer free credit and identity monitoring services as a conciliatory measure. Are these monitoring and protection services actually worth the money?
The Internet consensus seems to be that you shouldn't pay for credit monitoring services, but if it's offered to you for free (i.e., after a data breach) go ahead and sign up.
Writing for the Malwarebytes Labs blog, cybersecurity researcher William Tsing said, “Identity theft monitoring services sound great on the surface. They're not that expensive and seem to provide peace of mind against an avalanche of ever-more damaging breaches. But they don't, at present, protect against the worst impacts of identity theft—the theft itself.”
What does “credit monitoring” or “identity theft protection” actually entail and why does everyone seem to think these services stink?
As Tsing pointed out, the biggest problem with credit monitoring services is that they can't actually stop cybercriminals from stealing your identity, though they can alert you when someone opens up a line of credit under your name. Think about it this way: these services alert you to changes on your credit report if you can't be bothered to check your own credit report. If that's the case, then you may want to consider signing up and paying someone else to monitor your credit file for you, but the bottom line is that these credit monitoring services are just that—monitoring services, not protection.
If all of this talk about identity theft and data breaches upsets you, you're in good company. A data privacy survey conducted by Malwarebytes Labs found the majority of respondents want to take steps to protect their data online and distrust search engines and social media with their data.
As we've established, you probably don't need to pay for identity theft protection services that don't actually protect you against anything. Instead, follow our completely free, DIY tips below.
For readers in the UK. First, consider opting out of the open electoral register—it won't hurt your credit score. Second, consider getting a Royal Mail PO box. Both will make it much harder for criminals to get their hands on your personal info by taking your name and address off those huge public lists. And UK readers should still check their credit reports with the three UK bureaus, but keep in mind, you don't get the free annual reports like US consumers.
You did everything right. You took every measure possible to keep and protect your identity and then the worst thing happens. You start receiving calls from debt collectors for accounts you never opened, and you see delinquent lines of credit on your credit report.
Here's our identity theft response checklist. Print it out and stick it to your fridge or save it to your desktop as a sobering reminder that identity theft has become a sad fact of life.
Finally, for the latest on identity theft and general cybersecurity news, visit the Malwarebytes Labs blog.