Many people do not make the connection between an email or phone call and identity theft. But this is how cybercriminals are doing damage to individuals and organizations.

With a phishing email or imposter phone call, cybercriminals steal personal and financial information from victims and use this to assume identities and do significant harm to people and organizations.

The impacts of identity theft run deep – ruining the reputation of an organization that is breached, hurting the employee who accidentally installed ransomware, and exposing clients/vendors/investors/partners/colleagues to long-term financial and personal fraud.

From opening bank accounts, signing up for credit cards to even applying for jobs in the victim’s name – there are no limits on what cybercriminals can and will do with stolen personal information.

And unfortunately, identity theft is on the rise. According to a recent report from the Identity Theft Resource Center, 165 million sensitive records were stolen and exposed due to close to 15,000 breaches of private and government organizations in the U.S. in 2019. This is a 17% increase from 2018.

However, even with awareness of cyber security threats, many people do not understand how identity theft happens. As a CISO or security leader, it’s key you improve your employees’ understanding of what really happens with the information that is accessed and stolen due to a cyber attack.

What is Identity Theft?

Identity theft is the act of obtaining and using a victim’s personal information to commit fraudulent activities in that person’s name. With enough information about their victim, a criminal takes over the victim’s identity and conducts a range of fraudulent activities in their name.

While a victim is personally damaged by identity theft, the ramifications of the cyber attack are typically not limited to just one person. Cybercriminals prey on employees at corporations, schools, government agencies, hospitals, and other institutions – hoping an employee clicks a link in a phishing email to trigger access to databases of personal and financial information.

Damage done by identity theft has a trickle-down effect and hurts everyone, causing personal and emotional trauma for the person who accidentally gives the cybercriminal access, the serious consequences to the people whose personal information is stolen, and the reputation of your organization.

Identity theft is a serious threat around the world and many governments have implemented programs for their citizens to help them report identity theft and establish a recovery plan:

1. In Canada, contact the Canadian Anti-Fraud Call Centre at 1-888-495-8501.
2. In the Unites States, contact the Federal Trade Commission at 1-877-438-4338.
3. In other counties, check your government’s website for information.

How Serious is Identity Theft for Organizations?

A recent report by IBM reveals that a data breach, resulting in stolen identities has an average cost of $3.86 million for an organization and it takes on average 280 days to realize a data breach has occurred.

Along with the stolen personal and financial information of your employees, clients, investors, and third-party partners, identity theft and data breaches cause loss in three primary ways:

1. Financial loss: this includes the costs of recovering from a data breach, making ransomware payments, compensating victims, increase in insurance premiums, rebuilding computer networks and technical infrastructure, and the loss of business.
2. Reputation and trust: it is very difficult to rebuild trust internally and externally once a cyber attack causes identity theft. Rebuilding trust with customers, partners, and the media is expensive, takes a long time, and very difficult.
3. Business impacts: whether it’s a school, healthcare organization, large corporation, or government department – the business impacts are long-ranging. There is the loss of confidential and intellectual property, the costs of rebuilding the business, legal costs, and loss of future business opportunities.

Because many people do not connect a data breach and cyber attacks with real-world impacts, you need to remind employees what identity theft means for them on a personal level.

For example, identity theft can mean the cybercriminal uses the victim’s identity to:

• Accumulate credit card charges.
• Get a new loan or line of credit.
• Transfer funds out of the victim’s account.
• Sign a lease in the victim’s name.
• Collect government benefits owed to the victim.
• Submit fraudulent insurance claims.
• Obtain identification or travel documents.

 What CISOs and Security Leaders Need to Know about How Identity Theft Happens

It’s important to remember that cybercriminals are savvy. They are reading the news, following the trends, and using new and evolving techniques to commit crimes.

We have seen in recent months how cybercriminals are using fear and uncertainty around COVID-19 pandemic to commit crimes against people who simply want their questions and concerns answered.

Identity theft happens with these 7 key cyber attack tactics:

1. Social engineering with an email, text, or phone message.
2. Malware – such as installing spyware or keyloggers on the network.
3. Researching social network sites for personal information, email addresses, employee connections, recent conferences, promotions, etc.
4. Hacking computer and databases through a range of tactics.
5. Eavesdropping on telephone conversations employees have in public places, the lobby of the office building, on the bus, etc.
6. Retrieving documents from mailboxes, recycling bins, or trash cans and using this information to commit identity theft or additional cyber attacks such as spear phishing or business email compromise.
7. Creating fake online profiles convincing employees who do their due diligence on an unknown caller or email sender that the person is legitimate and can be trusted.

To protect your organization and employees from an identity theft incident, remember the following cyber security best practices:

• Do use phishing simulations to monitor employee awareness of phishing and to measure the effectiveness of cyber security awareness training and campaigns.
• Use newsletters, micro-learnings, and other campaigns to raise employee awareness of the impacts of identity theft. Remind them that identity theft hurts everyone including colleagues, clients, and their employer.
• Ask employees to use social networking sites such as LinkedIn, Twitter, Instagram, and Facebook cautiously. Explain how cybercriminals use information from these sites to send convincing messages or to make imposter phone calls tricking people into giving up confidential information.
• Give employees access to the latest cyber security awareness training on topics such as social engineering, identity theft, vishing, and smishing.
• Make it easy for employees to access company policies on working remotely, working from home, and Bring Your Own Device (BYOD) security. Include links to key cyber security articles and resources in your company newsletter.
• Establish strong password policies and force employees to update their passwords on a regular basis.

10 Ways You Can Protect Yourself and Our Organization from Identity Theft

All it takes for a cybercriminal is knowing key personal information about you to take over your identity and commit a range of fraudulent activities in your name.

Identity theft impacts you, your colleagues, and the reputation of our organization.

This is why we want you to remain vigilant and aware of cyber threats and attacks used to commit identity theft.

To protect yourself and our organization from identity theft, follow these 10 cyber security best practices:

1. Do not provide confidential personal or corporate information over the phone or on a website. Always verify the legitimacy of the organization and the person requesting the information. When in doubt, talk to a colleague and your manager about the request.
2. When filling out online forms and providing information online, make sure the website URL uses https:// and has a padlock icon in the URL field. This indicates the website is secure.
3. Choose strong passwords to protect the access to your online accounts, and change passwords regularly. Follow our password policy rules and contact us if you’re unclear about our password policies.
4. Limit the amount of personal information you share on social networks. Cybercriminals use social sites such as LinkedIn, Twitter, Instagram, and Facebook to learn details about you and our organization that they use to trick you into trusting them.
5. Do not provide personal details such as your date of birth, social security/insurance number, postal address, or other private information to people who call, text, or email you unsolicited.
6. Never write down your PIN or passwords. Memorize these details and use our recommended password tool to securely store your passwords.
7. Securely dispose of documents containing personal, company, and confidential information when they are no longer needed.
8. Always communicate personal and confidential information with colleagues using secure methods such as encrypted email. Follow our organization’s recommendations on how to securely share information with colleagues.
9. Always verify a caller’s identity before providing information over the phone. This includes when the caller says they are a customer, client, vendor, or third-party partner. Be suspicious of people contacting you to request identifying information that they should know – such as confirming a mailing address, phone number, contact person, or password.
10. Be aware of people acting as pollsters or representing government organizations calling to collect information for statistical or research purposes. These people should not ask you for information such as your date of birth, postal address, salary, academic degree, or mother’s maiden name.