What is Identity Theft?
Identity theft is commonly defined as someone taking another person’s personal information and using it for their own benefit, particularly without the individual’s permission. Identity theft can take many forms, and each one affects the victim in different ways. Regardless of how you define identity theft, in every instance, the target’s reputation, financial security, or financial future is put at risk.
Because there are so many ways someone can steal your identity, it is virtually impossible to avoid becoming a target altogether. Even if you do not have a lot of liquid assets, an impressive credit score, or access to valuable targets, such as people or secured systems, a thief can still make a profit off your identity.
In many cases, what happens after your identity has been stolen may have a minimal financial impact. However, a thief can make anywhere from a few to hundreds of dollars by selling your identity. Therefore, identity thieves typically go after anyone because each identity has an intrinsic value on the black market. In other situations, the thief aims to personally exploit your identity. If this is the case, they may be more surgical regarding who they choose to target.
In either case, you can minimize your chances of falling victim to identity thieves by learning how it happens, the different kinds of identity theft, signs you have been targeted, and how to protect yourself from these kinds of attacks.
How Identity Theft Happens
The term “identity theft” encompasses a broad range of methods of stealing other people’s information. However, it is common for a thief to target high-value information, such as a Social Security number, and use it to buy something, open an account, or commit fraud that involves impersonating the individual, particularly online.
There are several ways this happens.
A data breach is when a thief or hacker is able to access the data of an organization without receiving the proper authorization. The company may have sensitive information stored in a central location. The thief targets the database or file holding that information and tries to penetrate any cyber defenses in place. In many cases, the thief will focus on getting credit card or Social Security numbers, as well as the complete names of the owners.
Files containing other information can be highly sought-after targets as well, particularly because that information can be used to correlate the identity of each person. For example, where the individual lives, has lived in the past, their phone number, old phone numbers, or maiden names can all be the targets of a data breach.
In 2019, there were 1,506 data breaches in the United States, resulting in the exposure of 164.68 million sensitive records. It is difficult to avoid having some of your information included in one of the many data breaches that occur each year. This is because most people have their personal data stored within the databases and files of multiple companies with whom they do business.
However, as discussed below, there are things you can do to protect yourself, your reputation, and your finances from the effects of a data breach.
In most cases, the websites you visit are safe. They are protected by security measures that prevent hackers from gaining access to the information you enter. The protection often involves encrypting the data that gets entered. This way, if a thief were to intercept data, they would only get a jumbled arrangement of letters, numbers, and symbols instead of your Social Security number, name, address, etc.
However, if you use websites that are not as well-known, you may be putting yourself at risk. Even if the website’s designer had good intentions, the website itself may have been compromised by a hacker. In other cases, a hacker can design a fake website that looks like a real one. When you enter your information, it goes straight to the hacker instead of the company you thought you were sending it to.
Often, your browser can detect fraudulent websites and alert you to the danger. If you get an alert, it is best to take action by leaving the website and closing your browser.
Dark Web Marketplaces
The dark web consists of a network of websites hidden from regular internet users. When someone visits the dark web, they can use software to hide who they are, as well as what they are doing while connected. This makes the dark web an ideal place for thieves, hackers, and others looking to defraud users.
As a result, the dark web is a prime selling ground for your personal information. Hackers recognize the elevated risk associated with trying to exploit personal information themselves, so they often head to the dark web to sell it off to someone else. The initial buyer may use it or sell it to another malicious actor to make a quick profit. Therefore, if your information goes to the dark web, it is virtually impossible to say how it will be used.
With malware, or malicious software, a hacker can accomplish any number of things—from taking over a computer system to controlling a network, to providing backdoor access and more. Malware can also be used specifically to steal personal information.
The most common way malware is used to execute identity theft or fraud is when it is programmed to spy on the target’s computer activity. The attack may begin with a phishing email or other trap designed to get the user to click on a link or image that automatically installs the malware.
An attack can be performed using a number of methods, such as keyloggers, which can keep track of which keys a user strikes. When the user accesses a particular website or logs in to their computer, the keylogger can record their keystrokes and report them back to the thief. In this way, the attacker can ascertain their password to a specific site, workstation, or application. Once the attacker uses that login information, they may be able to collect the target’s personal information.
Malware can also be used to provide backdoors for attackers who wish to gain access to a database or file that contains personal information. The malware, once installed, allows the hacker to get behind the system’s defenses. The hacker uses this avenue to penetrate the system and then glean the personal information of internal users or the company’s clients and customers.
Credit Card Theft
Credit card theft is one of the simplest ways a thief can steal your identity. Once they have access to your credit card, they often do not need any other aspect of your identity: the card itself is enough to make purchases in your name. A thief may even make relatively large purchases you could not possibly pay off. They could then sell the item to someone else at a steep discount, banking a profit along the way.
Credit card theft can also be used to grab card numbers for resale on the dark web. A credit card number may go for a few dollars or far more. The thief gets your credit card information and then sells it to someone else. It is important to instantly cancel any credit cards that have been lost or stolen, but often, a data breach is used to get ahold of your card information.
Companies store long lists of credit card information to help their customers make quicker purchases. When the customer first does business with the company, the credit card information is obtained and kept in a secure location. When the customer returns, because their card information is already in the company’s system, their next purchase is quicker and easier. This convenience comes at a cost, however, because if someone is able to penetrate the defenses protecting customers’ card information, they can get a storehouse of account numbers.
Even before the internet, identity thieves were busy taking people’s personal information and using it for their benefit. A common method was mail theft. In this kind of attack, the thief grabs the target’s credit card or other information from their mailbox. They then try to use it to make purchases—or sell it to another thief for a quick profit.
A thief does not have to go into your mailbox to take your credit card or gather personal information. It is just as easy to go through your trash. Often, people throw out letters, notices, or account statements that contain sensitive information. Even if the information in the trashed document is not enough to execute a complete theft of your identity, it can be used by the thief to confirm who you are. It is best to shred your old mail instead of just throwing it in the garbage.
Phishing and Spam Attacks
An attacker may send an email or text message that looks like it is coming from a legitimate source. When you click on a link in the message, you are taken to a fake website that asks for your username, password, or other personal information like your Social Security or credit card number. The hacker can then use that information to assume your identity or make purchases.
Anytime you use your computer or mobile device on a public network, you may be vulnerable to a hacker that can eavesdrop on your communications with the network. This is a particularly prevalent issue at places like coffee shops, department stores, or airports where anybody can get onto the network, often without a password.
Once the hacker has started spying on your communications, they watch to see if you enter your personal information. They may specifically be after your Social Security, credit card, or bank account number. Once they have it, they can use it to make purchases, masquerade as you online while opening accounts, or sell the information to someone on the dark web.
Mobile Phone Theft
Some people use their mobile phones to log in to sites automatically, without having to enter their username or password. If someone gets ahold of your mobile phone, they may be able to access these same sites, especially if they do not need to enter a password or use biometric verification, such as a fingerprint or facial scan.
Mobile phone theft is also popular because people often store their personal information, including passwords and account numbers, in applications on their phones. This may include an app where you can manage and edit notes or email and text apps. If a thief can take your phone and get into it, they can easily navigate to your emails and text messages to steal information.
Further, if they want to execute a more sophisticated attack, they can use your phone to fulfill the second stage of a two-factor authentication (2FA) access procedure. When the site or application sends a text to you, the thief receives it and can then enter a verification number to gain access to the application or site.
Credit card theft may also involve skimming. In a skimming attack, a fake credit card machine is installed on a gas pump or another point-of-sale (POS) device. It is then used to collect the card information of customers as they swipe their cards. A skimming attack often uses a hidden camera to record the target’s password, particularly if they are using a debit card.
It is important to keep an eye out for any credit card machine that looks out of the ordinary. For example, the card-swiping device may protrude excessively from the machine or the device may be loose when you shake it. If anything seems suspicious, stop using the machine, check around for small cameras pointed toward it, then alert the proper authorities. Letting them know the reasons why you suspected a skimming machine, as well as the exact location, can help them track down the perpetrator and protect your information and that of others.
Child ID Theft
With child ID theft, the child’s personal information is used to execute the attack. This may include the child’s Social Security number, which can be mailed to you soon after they are born. The attacker may not use the information for many years, waiting until the child is old enough to get a credit card. When they reach the right age, the thief then uses the information to open an account or obtain credit in the name of the child.
Tax ID Theft
With tax ID theft, the attacker uses your Social Security number and other necessary information to file taxes and then collect your refund. They may also alter the tax information they enter to inflate the refund they get. If this happens to you, there is a chance you will not know until you try to file your taxes. The Internal Revenue Service (IRS) will then alert you that someone has already filed a tax return in your name. After an investigation, you should be able to file your taxes and get the refund you are entitled to.
What is Identity Fraud?
Identity fraud and identity theft are similar, and the terms can sometimes be used interchangeably. However, identity fraud is different in that it specifically refers to using the stolen information, while identity theft may only involve stealing your personal information. There are several different types of identity fraud, including fraud involving credit cards, taxes, employment, phone or utility bills, bank account information, leases or loans, and government benefits or documents.
Regardless of the type of fraud, the execution of the attack is similar: The thief uses account numbers, Social Security numbers, and other personal information to make another entity believe they are you. They then use that to make or take money.
Effects of Identity Theft
There are several ways identity thieves can use your personal information to their advantage. Some involve using it to steal money from you, while others require multiple steps before the thief realizes a profit.
Stolen Money or Benefits
A criminal can use your credit card number, address, and name to buy things with your card. They can also file a tax return or even use your insurance and other information to get medical treatment while pretending to be you. If you have airline miles or can get access to government services like the Special Supplemental Nutrition Program for Women, Infants, and Children (WIC) or Social Security checks, the thief could use your information to take advantage of those provisions as well.
Identity Sold on the Dark Web
Once your data has been taken, particularly during a data breach where the thief can grab many victims' information at once, it may be sold on the dark web. Even though each piece of information may only yield a few dollars, if a thief has thousands of account numbers, addresses, and names, their profits can add up quickly.
A thief may pretend to be you on social media or to get a job or apartment. This is particularly true when there is an element of their own identity that gets in the way of what they are trying to do, such as a criminal record.
Possible Signs of Identity Theft
Keep an eye out for the following signs that may indicate your identity has been stolen:
- Discrepancies in your financial statements
- Unauthorized purchases in your bank statements
- You get calls from debt collectors about charges you did not initiate
- You get a letter from the IRS about multiple tax returns
- You get medical bills for services you never used
- You see strange charges on your credit card statement
- You are not getting bills in the mail, which could be because the thief has changed your address, resulting in your mail getting routed somewhere else
- You get rejected for a loan even though you usually have good credit, which could mean a thief was borrowing money in your name and not repaying it
How To Protect Yourself from Identity Theft Attacks
To protect yourself from identity theft, you can implement the following measures:
- Use complex passwords for all your accounts and devices. Each password should include multiple letters, numbers, and symbols that do not follow a sequential or logical pattern
- Enable multi-factor authentication (MFA)
- Never provide personal information, especially over the phone, to someone who calls unexpectedly
- Shred all documents prior to putting them in the trash
- Use paperless billing to prevent account numbers from getting to your mailbox or trash
- Store your debit, credit, Social Security, Medicare, and other cards in a secure area in your home
- Frequently check your bank and credit card accounts for unusual activity
- Never click suspicious links
- Arrange for your bank or credit card company to alert you every time a withdrawal has been made from your account
What To Do if You Think You Are a Victim
If you think you have been targeted, you should immediately cancel your credit and debit cards. Also, reach out to the credit bureaus Experian, Equifax, and TransUnion. If you report the situation to one, it is required by law to pass the information on to the others. This way, your credit score can be protected if unauthorized transactions are performed in your name.
You should then alert the authorities. You can use the website of the Federal Trade Commission (FTC) to figure out how to proceed.
How Fortinet Can Help
Regardless of the type of industry your organization serves, Fortinet has a solution to help you protect the identities of your clients. The Fortinet Security Fabric incorporates advanced threat protection that keeps attackers from breaching your network and gaining access to sensitive information. The FortiGate next-generation firewalls (NGFWs) use application-specific integrated circuit (ASIC) technology for faster, low-latency processing of network data. In this way, they can perform deep inspections to detect new and existing threats.
The Fortinet secure software-defined wide-area network (SD-WAN) solutions can be used by managed security service providers (MSSPs) to provide security alongside powerful and flexible networking performance, all under one roof. In this way, an MSSP can monitor the entire network for identity theft attacks.
Further, with FortiGuard Labs, organizations avail themselves of threat detection, prevention, and mitigation. Solutions include FortiMail, which prevents phishing attacks, FortiEDR to stop malware, and FortiSandbox to analyze previously unknown threats that could be used to hack your system and steal identities.