Currently, around 35% of the world has smartphone access. In the U.S. alone, 18 billion texts are sent each day.
These numbers are staggering.
No wonder then, that our communication channels have become a perfect vehicle for cybercrime with the theft of data and our identity.
Phishing and SMShing At Large
The theft of an identity begins by stealing the data that is used to create our digital ID.
Phishing is used by cybercriminals as a way to steal data. Once stolen, either the data is sold to other cybercriminals (usually via a darknet marketplace) or it is used directly to commit fraud. A survey by Proofpoint found that in 2018, 83% of companies were victims of a phishing campaign. Phishing works, it is the main method behind a data breach. But phishing is often only the beginning, used as a conduit into other areas of our lives and businesses.
There are several types of phishing to look out for:
A typical email will use tactics to encourage us to either click a link or download an attachment. The trick is to manipulate human behavior. Cybercriminals compose the emails, so they sound urgent or make you feel you are missing out on a great deal. They will also use well-known brands, like Microsoft or PayPal in the hope that as you trust the brand, you are more likely to do as the email asks. If the email contains a link it will invariably take you to a website that is infected with malware. Alternatively, the website will look like the trusted brand the email pretends to be from and will attempt to steal data and/or login credentials.
Where email phishing tends to be sent out to the masses, spear-phishing is targeted. The cybercriminal chooses a victim carefully. Typically, this will be a person with high-level privileges in a company. The cybercriminal is looking for login credentials to a corporate database, for example. The Yahoo breach, which exposed the data of over 1 billion individuals, originated with a spear-phishing email.
This is a form of phishing that uses mobile text messages or mobile messaging apps like WhatsApp to target an audience. SMShing uses the same type of tactics as email phishing.
This is a phone call version of phishing. Like the email counterpart, the phone call will attempt to steal data, login credentials, and/or money.
All of the above have variants. For example, the Vishing form was recently in the news when a British CEO transferred $240,000 after a phone call request from the head of the parent company. That phone call turned out to be a fake, possibly a ‘deepfake’, created using Artificial Intelligence; the caller sounding exactly like the CEO’s boss.
From Stolen Data to a Stolen Digital Identity
When a phishing email, SMShing, or Vishing attempt is successful, certain things happen. Data is usually stolen. Either directly through a website or indirectly via malware infection; the malware stealing your data as you type it into the computer. This theft can be on an individual level or on a mass level if a corporate database is breached.
In the U.S. 33% of adults have been victims of identity theft; this is twice the global average. When data is stolen it is used to steal identity either directly or using other methods, the most well-known being:
Cybercriminals use a mix of real and fake data to create a synthetic identity. The scammers take data, stolen and available to purchase on the darknet. Data such as addresses, identity documents (e.g. driver’s license details), names, dates of birth, and social security numbers. They mix and match this with fake data to create all new, blended IDs. 446 million records were stolen in 2018, so there is plenty of data to work with.
A synthetic identity ring was recently discovered having stolen $200 million using 7,000 synthetic identities and 25,000 credit cards.
Earlier this year, it was revealed that over 617 million leaked passwords and usernames were for sale on a darknet marketplace. This is the tip of a large iceberg. Hopefully, when a password is stolen it will be protected by the robust encryption methods used to store it. However, this is not always the case. If you go to HaveIBeenPwned and enter a password you commonly use, you can see if it has been stolen. I put one of my old passwords in and could see that it has been viewed 579 times.
Cybercriminals know that we often use the same password with multiple accounts. A stolen password will be used to try and hack into popular accounts to attempt to take over your online accounts. This is known as credential stuffing. In a recent review of this practice, Akamai, identified 61 billion credential stuffing attempts in the year to June 2019.
5 Ways to Protect Yourself from Identity Theft
Identity theft is a crime that can ruin lives. However, there are ways to protect ourselves and our customers from identity theft:
- Security awareness training: This is used to teach your staff and potentially your customers, about the tell-tale signs of phishing. Security awareness vendors offer simulated phishing which can be tailored to your needs. The simulators send out fake phishing emails to help train users in dealing with phishing campaigns.
- Robust authentication measures:
- If you believe a password has been stolen, change it immediately.
- Always use robust passwords to prevent brute force attacks.
- Wherever possible, set up second factor (2FA) authentication, for example, use a mobile code to augment a password for logging in.
- Email gateways: In a corporate and increasingly often a personal email environment, a gateway, which checks for spam and phishing, can be setup. However, cybercriminals can use ways to circumvent these gateways, so a gateway alone should not be depended upon.
- Check your credit file and bank statements regularly: Always perform regular checks of your personal and company credit files and bank statements. You might be able to see early warning signs that your identity has been used fraudulently.
- Use anti-malware: Run up to date anti-malware regularly.
Of the five tips above, none of them stand alone. Identity theft is a complicated and insidious crime and takes a number of actions to prevent it. Both companies and individuals need to be wary and take precautions against the loss of data. By reducing data theft, we can ultimately help to reduce identity theft.
To make sure your cybersecurity systems are up-to-date, please contact us anytime for a complete audit of systems.