The World of Identity Theft: From Phishing Scams to Dark Web Markets

Identity theft: a growing threat with serious consequences

Cybercriminals use advanced techniques like phishing, vishing (voice phishing), malware, and social engineering to steal sensitive financial information. The dark web offers a marketplace for this stolen data. With not only the banking sector going digital there are increasing opportunities for breaches and fraud that pose significant threats to customers and institutions. Identity theft in banking can lead to severe consequences, including financial losses, damaged credit, legal issues, and emotional distress. It also burdens financial institutions with losses, penalties, and trust issues. For example, in the Czech Republic penalties for cybersecurity breaches can represent a fine up to CZK 130 mil. (approx. EUR 5.3 mil.). In the case of AML non-compliance, the fine can be as high as 10% of the annual turnover. Moreover, banks risk potential banking license forfeiture.​ Addressing this issue is crucial in order to protect customers and maintain the financial industry's stability and reputation.

Common types of fraud

There are several types of identity theft and new ones may emerge in the future. In general, we can divide them into 6 main areas:

1. Financial identity theft - This is the most common form of identity theft, when one person uses another’s personal data for financial benefit by misusing credit card information to buy things, stealing funds from your bank account, or open a new account using your social security number and other data.
2. Synthetic identity theft - This method involves creating fake identities using real people’s information like birthdates, addresses, and social security numbers, blending them to create a fake profile. This persona can be misused to apply for loans or credit cards, or commit other financial crimes.
3. Criminal identity theft - This occurs when a person arrested by law enforcement uses someone else’s name instead of providing theirs. They might be able to pass this off by creating a fake ID or using a stolen ID, like your driver’s license, to show to the police. This can result in receiving a surprising court summons or having a false criminal record in the police database.
4. Medical identity theft - When a criminal poses as another person to obtain healthcare services such as getting prescriptions for drugs, accessing medical services including costly surgeries, or obtaining medical devices and supplies, such as wheelchairs.
5. Child identity theft - A minor’s information can be misused to commit financial fraud, like opening a new account or line of credit under the child’s name.
6. Other identity theft - Other methods may include tax identity theft using your personal information. In other words, filing a tax return and getting a refund – your refund. In case of employment identity theft, identity thieves may use your information to get a job or pass a background check. Estate identity theft occurs when an ID thief uses the personal information of a deceased person to steal money or open accounts.

Several practices can be spotted not only in the banking industry. Despite phishing being the most common approach, other methods are becoming increasingly common. For example, deep fake technology is leveraged in onboarding processes to make a fake video and approach customers, employees and others. To create a deep fake video, your face and iris is crucial, as such information can improve the quality of the deep fake considerably. Therefore, one should be very cautious to whom they provide such information. Potential threats include suspicious applications from questionable owners that usually have access to your camera, or having your iris scanned directly. There are cases of projects which propose money in exchange for your iris scan. Everybody should secure their personally identifiable information (PII) when the background of the recipient is not crystal clear.

Personally identifiable information

Any information used to identify an individual, including biometrics (fingerprints, facial, voice, iris, and palm, or finger vein patterns), date of birth, driver's license number, employment information, financial data, name, personal address, or social security number (SSN), represents PII. If enough elements are exposed, it can quickly result in identity theft, making it vital that any personal information is protected from unauthorized access or disclosure.

Why now?

Cybersecurity threats arise consequently with technological advancement, but it is undoubtedly the COVID period that boosted identity theft incidence. According to the Federal Trade Commission (FTC), the number of consumer complaints relating to identity theft lodged with the US FTC between 2018 and 2020 multiplied threefold to over 1.3 million reports. Despite a slump in 2022, the number is still over 1.1 million reports. The responsible approach of companies to invest in cybersecurity seemingly pays off but it is far from a desired scenario. In the case of the Czech Republic, the most common cyber-attacks are phishing (e-mails pretending to award the recipient a prize or inform them of an inheritance, suspicious messages on social media,…). Only 7% of respondents have experienced fake non-banker calls. In the case of a fake banker calls, it was only 4%. This is, however, one of the main candidates for future identity theft and thus a rising threat.

What should you or your company do to stay safe?

As you can fall into this trap quite easily, we recommend regularly checking credit card statements, using unique passwords and avoiding exposing them, tracking your email and being vigilant when it comes to downloading suspicious apps or participating in questionable projects. If you have not yet read our article on the threats linked to using the Barbie filter, read it here. At the company level, employees should be properly and regularly trained, security standards should be at a high level, and the tools that the company uses should be compliant and effective.

For data security, Trask is here to help

At Trask, we believe that data security stands as a cornerstone indispensable for nurturing robust and enduring technological advancement. We provide penetration testing and current onboarding process assessments to fight against misuse of sensitive data and avoid fraud. If you deal with cyber security, online onboarding, or any other related topic at your company and need more information or solutions to your concerns, do not hesitate to contact our consultants.

Martin Bares
Head of Cybersecurity
mbares@thetrask.com

Jozef Michalovcik
Digital Identity and Signature
jmichalovcik@thetrask.com‍