Identity Theft - The Silent Stalker

My 4.5-year-old daughter loves to play “make believe” with me. One of her favorite characters is “Princess Sofia the First.” She draws her inspiration from the episodes and then adds her own spin to the stories. Her stories inevitably end up with me being the witch, mean giant, or just all-around bad guy. She is the hero, Princess Sofia! She slays the bad guy, saves all the people, and remains the ruler of her kingdom! While our stories are far from reality, it is important for her, and us as adults, to understand that not everyone has our best interests in mind.

Most of us surround ourselves with people we believe to be “good.” We choose not to surround ourselves with or generally think about the people who intentionally set out to harm others. In many cases, including identity theft, we aren’t even aware of the threat that is present. Unfortunately, there are people in the world who prey on others through cybercrime. These criminals spend their time trying to steal your identity and when they succeed, it causes a mountain of problems. Several people I know have had this experience. In fact, approximately nine million people in the US every year have their identity stolen, as estimated by the Federal Trade Commission. These fraudsters are crafty and do this as their profession. This month’s article will discuss how criminals steal your identity as well as recommendations to help protect yourself.

How does this happen?

Criminals steal personal information and identities for monetary gain. Identity theft ranges from people stealing bank account numbers so they can transfer out funds, to opening credit cards in a victim’s name, to even living under the guise of another person’s legal name and social security number. Here are some of the more common ways they do it.

1. Changing a victim’s address
   Keep an eye on the mail. If statements that used to arrive at regular intervals stop showing up, a thief may have completed a change of address form to start having financial statements and other sensitive documents sent to their residence instead. (A sensitive document is anything that contains financial or personal information such as a person’s full name, date of birth, social security number, address, or phone number.)

2. Skimming
   There are machines called “skimmers.” They can be implanted into ATMs and they collect card numbers and PINs. They can also be put into credit card readers and collect the number, expiration date, and cardholder name. These stolen numbers are then made into fake cards, sold on the black market, or used in identify theft.

3. Phishing
   Fraudsters may try to steal passwords to sensitive websites by sending their victim a fake password reset link. The link directs the target to a site that looks like the legitimate website for the organization the fraudster is pretending to be. Emails may also contain attachments or fake advertisements for products and a link. Opening these attachments or clicking on links may install malware on the victim’s computer, giving the fraudster a direct route into the device.

4. Keystroke tracking
   Malware can perform a variety of different activities. One of the things it can do is track keystrokes. When a keystroke tracking victim logs into their email, financial websites, or enters a credit card number to make a purchase, these keystrokes are captured and sent to the criminal.

5. Fake wi-fi networks
   Hackers will go into public places to set up fake wi-fi networks that look like legitimate ones. If a person logs into them, the hacker can see everything that person is doing and may even be able to access their computer. When using wi-fi in a public setting, it is important to make sure to use a legitimate, password protected network. There may be many fake websites in the area that look similar to the real one. For example, available wi-fi networks at a Starbucks may include the legitimate Starbucks network, plus a few others that may have a “1” in the name, or that start “Starbucks” with a dollar sign instead of an “S.” Those are probably fake and designed to trick people.

6. Dumpster diving
   This is exactly what it sounds like. When mail is thrown away which contains valuable puzzle pieces of sensitive information, the thief comes along and grabs it right out of the trash.

7. Social media stalking
   Public social media profiles are a gold mine for identify thieves. Answers to many “security questions” that a person sets when creating a username on a website can be found by scrolling a person’s social media feed.

How is this prevented?

Most people have unknowingly engaged in several of the items listed above, thereby making themselves vulnerable to cyberattack.  That being said, a person can help secure themselves against fraudsters and prevent future attempts of identity theft by following the prevention strategies listed below.

1. Utilize credit reports and credit freezes
   There are three credit bureaus (TransUnion: www.transunion.com, Experian: www.experian.com, and Equifax: www.equifax.com), and each year they are required to provide a free report. This report is an excellent log of lending activity and requests for credit lines. If there are items on the report which are not familiar, it may be a sign of identity theft. If there are no surprises on the report, that is good news. The next step is for a person to freeze their credit. Credit freezes can be initiated on each of the three credit bureau websites. A credit freeze keeps any credit inquiries from being made and stops additional lines of credit from being opened. Freezes can be temporarily suspended by revisiting the website.

2. Update software and apps
   Phones and computers are constantly getting updated versions of apps and operating systems pushed to them. Why? Usually, it is because a hacker has discovered a vulnerability in the code. Software companies rebuild their products when these entry points are discovered to provide a safer experience for their users. Not downloading updated versions of software leaves a device vulnerable to hackers. Installing anti-virus software on a PC is also a good move. It should be kept updated as well.

3. Utilize a password manager
   Using strong passwords and changing them often is a good way to encourage security. A password manager can help keep track of all of them. Different password managers have various bells and whistles. Technology publication PC Mag has a rundown of some of the most popular: https://www.pcmag.com/picks/the-best-password-managers

4. Buy a shredder
   Then use it. Every time. Do not throw away or recycle whole pieces of mail, particularly those pieces with sensitive information on them. These are valuable puzzle pieces to a fraudster.

5. Be social media savvy
   Online quizzes are fun. It is nostalgic and enjoyable to post about memories with old friends from high school and college. However, take a moment to think about how many people have their high school mascot, birthday, or hometown referenced on their Facebook feed. These are answers to many online security questions! Set social media profiles to private and limit what is shared.

6. Use two-factor authentication
   There are two general ways to use two-factor authentication. The first way pertains to logging onto a sensitive website. After entering the username and password, the site can send a code to the user’s cell phone, which then must be entered into a pop-up window in order to complete the logon process. Two-factor authentication can also be used with financial and other institutions. An agreement can be set up whereby these professionals contact the approved account owner via a method specified in advance before executing any instructions that have been received via email or text.

7. Do not visit sensitive websites on public wi-fi
   It can be hard to tell fake public wi-fi from legitimate public wi-fi. Also, real public wi-fi can be hacked. It is best to avoid visiting sensitive sites while on public wi-fi or proceeding with any transaction over public wi-fi that requires entry of personal or financial information. As a rule of thumb, it is best to avoid public wi-fi altogether. Using a cell phone as a hot spot to connect to the internet is more secure. The best option is using a Virtual Private Network (VPN) to encrypt any information being sent or received on a device.

8. Do not click that
   Do not open or download attachments from unrecognized senders. Even if the sender’s email address is familiar, be wary of text within the body of the email that does not resemble how that person would usually write a message. If there is doubt, contact the sender for verification before clicking. In addition, businesses will never send an email requesting their clients to update a password or personal information by clicking a link within the email. Delete these messages immediately. If there is a question as to the legitimacy of the message, call the organization directly at the phone number listed on their official website. Do not click the link in the suspicious email, use a website provided within the email, or call any phone numbers provided in the email.

It is hard to tell who is at the other end of an email message or if somebody is watching your keystrokes. The good news is that taking the precautionary steps given above can help reduce your chances of being part of the nine million Americans every year who fall victim to identify theft. If we have not yet discussed setting up two-factor authentication or security questions for your online access, let’s get that taken care of sooner rather than later. Remaining vigilant can help you remain the ruler of your kingdom, and keep the bad guys out!