Online Identity theft refers to online techniques that steal a victims personal information, be it there bank details, logon details or any other personal information, with the intent thereafter to either commit identity fraud (online or otherwise) or direct profit. (I.e. selling those details).
There are many ways an identity thief can obtain these details, and it is the aim of this article to show you how they do it, so you can avoid falling victim to these scams in the future.
You don’t have to be technically savvy to understand this, but it helps if your familiar with computers and how to send and receive emails.
According to a Gartner Report, US banks and wirecard login issuers lost approximately $1.2 billion in 2003 alone as a result of online identity theft, so it is a serious issue. The monetary loss rises significantly when you also take into consideration the money spent recovering from such attacks. Also monetary loss isn’t the only detrimental effect identity theft can have when you take into consideration the human element such as depression and embarrassment that can result with this crime. This is not helped with other consequences such as wrongful criminal prosecutions and bad credit reports.
So how to identity thieves go about stealing your data?
There are many ways a thief can steal your data, and providing a full list of these techniques is not possible as the methods are so diverse, including hybrid techniques whereas the scammer may use more than one known system or multiple scams in order to complete their goal.
However, the most common methods are outlined below –
The most common method is using phishing attacks. (we have another article specific to this) Phishing is essentially when the scammer pretends to be somebody they are not in order to gain your trust and provide personal details. The scammers will often pretend to be from your bank, or from another reputable company you are a member of such as a social networking site, PayPal, eBay or your email provider. As is typical with phishing attacks they are nearly always initiated by the scammer through email. (though sometimes through instant messaging services)
The email may simply ask you to reply with personal information, or more commonly they will take you to a website that requires you to enter personal information. The website will usually look similar or even identical to the site of the company it is pretending to be (e.g. you banks website). This makes the scam look much more believable and has a much higher success rate.
Emails that take you to websites that duly steal personal information need to give you a reason to click the link they provide. Merely reading the information on the email can’t do any direct harm to the victim (this is not including email attachments.) It is a common fallacy that opening emails can harm your computer but this is not true. Opening email attachments CAN and DO harm computers, but the email itself it perfectly safe.
The emails need a response from the victim, so in order to get the victim to click the link provided, scammers will make up a reason to motivate the them to do this. Popular reasons include
– Verify personal details due to a software or security upgrade
– Claim the account has been compromised and they need the owner to verify their details
– Make false claims to motivate the victim to clearing up the “mistake” such as a fake bill.
– Limited offers to join various promotions and programs
– Fake claims of rewards
Rule of thumb: Don’t click on links on emails. If you believe the email is real, go direct to the source without using the link (i.e. banks website.)
For more information on email phishing you can click here.
Another popular method of stealing data is through installing malware onto a victim’s computer. Malware is essentially malicious software downloaded to the victim’s computer in order to cause some detrimental effect.
A common method to get malware onto the computer is to get the victim to execute an email attachment. In some examples this can be essentially email phishing and an email malware scam rolled up into one. For example emails from your bank. The email won’t persuade the user to click a link but will encourage the user to open the email attachment. It does this in a variety of ways, depending on the nature of the phishing attack but for example an email claiming to be from your bank can say your statement is attached and needs to be viewed.
The email can purport the attachment is a receipt, or what is increasingly common is to tell the victim the attachment is juicy celebrity photos or gossip, which will always appeals to many. The attachment then installs malware on to the computer.
Emails can also (like phishing) link to websites, but instead of the website asking for personal details it can install malware onto your computer. Most of the time, providing you are using up-to-date- firewall protection the majority of this type of attack should be blocked, but firewall protection can never guarantee 100% safety so it is best practice to never visit these sites.
Malware can be installed through legitimate sites as well through a process called content-injection where a scammer will “inject” malicious code into a website through customer input features such as feedback sections or forums. However it is up to the website designer to prevent these attacks by ensuring potentially damaging code is deleted before letting any customer input through to the site.
Facebook applications can and have also been used to install malware onto a victims computer, so always be careful when installing these. Research the name first, or contact Facebook.
Through email and the websites is how malware will typically infect a victims computer, but what types of malware are there and what will they do once they are on a computer? This is where it gets pretty scary….
First we have “key sniffers” or “key loggers”. This type of malware will record everything a user types, including passwords, bank details and other personal details. The malware will then be instructed to transmit that data to the scammer at certain times, so the thief can then use this information to steal your identity, and potentially much more.
Also present is malware that acts as a remote desktop feature. Remote Desktop is a legitimate program that Microsoft bundle with Windows so technicians can potentially fix problems remotely without having to physically at the computer. However malware programs take advantage of features like this and give a scammer complete control over a victim’s computer, and lock the victim out. The thief can then do anything he wants on your computer, including stealing your personal information.
When malware in installed onto your computer it can bring up pop-ups. Pop-ups are usually the first sign victims notice along with slower performance when malware is installed. Mostly pop-ups (windows that pop up without the users consent or instruction) will just be advertising, but many can pose as fake login screens. Malware can determine what sites you visit and when you visit them, so if it registers that you are entering your banks website, it can instruct a pop-up window to appear with fake login details. These details are then either transmitted straightaway to a scammer or stored locally on your computer and transmitted to the scammer at regular intervals (like the key sniffing programs).
Another popular and potentially damaging symptom of malware being installed is auto-forwarding to websites the user has not instructed the web browser (e.g. Internet Explorer) to go. This can potentially make the problem worse as this websites the victim in forwarded to can install even more malware onto the computer. This technique can also have a similar effect to the example above but instead of bringing up damaging pop-ups, when the victim visits his e.g. banks website, the malware detects this and forwards the user to a malicious site that masquerades as his banks login page. Banking details are then duly stolen.
So other than malware and phishing attacks how else can identity thieves get your details? One other popular way is through advanced fee fraud. This is where scammers will tell the victim they are somehow entitled to a large sum of money. In order to get that money the victim is required to pay a series of smaller fees for various reasons. However the victims can and often do request photocopies of the victims identification as well as money. Passports, driving licences and birth certificates are popular identification that scammers of advanced fee fraud will request. The primary objective of advanced fee fraud is to get money from the victim, but a secondary objective is identification.
Another relatively simple and effective way of getting your details is to simply setup a fake website selling fake goods. Victims surf the site, pay for their items using credit card details which are then duly stolen. Unimaginative, yet deadly effective.
So what do scammers do when they steal your details?
The most obvious “next step” is to steal money or assets from the victim. If the thief has stolen bank/card details or Paypal details then this would be the next logical step for a criminal. Directly stealing from a victim isn’t always the intended objective however. Identity theft leads to Identity fraud and thieves will typically use these details for as long as possible to gain as much as possible. When a thief has your details they will often use these to commit further crimes, such as check cashing scams and money wiring scams. Using hacked EBay accounts or hacked Paypal accounts they can make illegal payments to other victims in order to receive goods for sale. Or they can pretend to be you in order to get money from your contacts, like in the Facebook Friend in Need scam. They can directly sale your personal details to other scammers for money or use your details as their own to win the confidence of other potential victims, which is popular in advanced fee fraud.
There is no one way to be completely safe from phishing, but your chances of becoming victim are greatly reduced if you adhere to some easy guidelines, such as never clicking links from people you don’t personally know. Run a good firewall program and run good antivirus software. Don’t give out passwords unless it was you who typed in the URL address. Never give out ATM PINs, no one should ever ask for them. When entering banking details make sure you are on the banks website, not an impostor site. Never give out very personal data through email, and always use your common sense. If something doesn’t feel right, ask for help.