Not to name names (cough, cough, Equifax), but it seems a particular data breach involving the sensitive information of 145.5 million people may have something to do with the spike in identity-related crimes reported in Javelin Strategy and Research’s 2018 Identity Fraud Study.
As if 2016’s record didn’t serve as warning enough, along comes 2017 with 1.3 million more people—the total coming to 16.7 million identity fraud victims with the amount stolen rising to $16.8 billion—still significantly less than the record loss of 2012, which was $22 billion—but clearly a disturbing bit of news for consumers.
The latest “successes” in the field of identity-related fraud are particularly terrifying when you consider that the study also found that “rising fraud incidence and extensive media coverage of the Equifax breach,” has increased public awareness. “The proportion of consumers who are concerned about fraud rose from 51 percent in 2016 to 69 percent in 2017.”
Translation: public concern is at an all-time high. People know identity theft is a real and present danger; they know there are defensive strategies that can help stave off an attack on their personal finances, and yet more people are getting got than ever before.
First, the facts: While attacks on healthcare and still more esoteric kinds of identity fraud do happen, the overwhelming number of cases reported are about money. There are the smash-and-grabs and the deaths by a thousand cuts, but what all these scams have in common is the use of personal information to trick an organization into enriching a criminal using the power of an individual consumer’s personal financial situation—most often their creditworthiness.
As anticipated, the adoption of EMV (embedded chip-card) technology had a whack-a-mole effect last year. With card cloning no longer an option, and with that the use of physical cards, thieves migrated online where card-not-present transactions provide the perfect workaround.
Opening new accounts was yet another growth area for identity thieves in 2017, especially intermediary accounts like Paypal and Amazon, which thieves have discovered aren’t always noticed right away. These incursions can be caused by a guessing game based on data exposed and sold on the dark web, or poorly defended cell phone and email accounts. Once a thief gains access to one of these accounts they can re-set passwords, shipping addresses, bank accounts and the like directing all stripe of fraud. Text and email alerts about transactions don’t work if a thief changes your access credentials.
While ID theft may seem like a victimless crime, the Javelin study found that the average account takeover costs the victim $290 in out-of-pocket expenses, and that’s not taking into account the 16 or so hours it usually takes to resolve the matter. Incidents of account takeover were three times higher in 2017.
Identity thieves are very good at cobbling together what they need to know in order to trick an organization into opening the floodgates, whether that means the loss of money or services. The Equifax breach made identity theft a lot easier last year, since it included the skeleton key for all things identity-related: Social Security numbers.
While money is the usual focus, all scams are not focused on a dollar amount. Some scammers steal services, like healthcare, and still others target reputation to commit crimes or to evade an arrest warrant.
The treasure trove of SSNs made available to criminals by the Equifax breach should be a matter of grave concern for all consumers as should be the evolution of the kinds of fraud that are not only working, but proliferating.
Here’s What You Can Do
Be paranoid. Practice the Three Ms that I discuss at length in my book Swiped.
- Minimize your exposure. Don’t authenticate yourself to anyone unless you are in control of the interaction, don’t over-share on social media, be a good steward of your passwords, safeguard any documents that can be used to hijack your identity, and freeze your credit.
- Monitor your accounts. Check your credit report religiously, keep track of your credit score, review major accounts daily if possible. (You can check two of your credit scores for free every month on Credit.com.) And of course, sign up for transaction alerts on all your financial accounts.
- Manage the damage. Make sure you get on top of any incursion into your identity quickly and/or enroll in a program where professionals help you navigate and resolve identity compromises–oftentimes available for free, or at minimal cost, through insurance companies, financial services institutions and employers.
Remember that all your accounts matter, but especially the ones that you use for two-factor authentication, i.e., your cell phone and email.
Good security requires at the very minimum something you have (your cell phone, access to an email account) and something you know (a password, answers to security questions). If any of the places where you do business or maintain accounts offer you the ability to set up even more robust authentication than two-factor, you should do it.
Javelin has issued five tips to help consumers ward off fraud.
- Turn on two-factor authentication wherever possible—Enabling two-factor authentication on sites that have that capability, where a separate action must be taken beyond providing a user name and password to access an account, can make it significantly more difficult for fraudsters to take over your accounts. For sites without two-factor authentication, use strong passwords or a password manager to secure accounts.
- Secure your devices—With consumers increasingly relying on their digital devices to obtain goods and services, making purchases and sharing personal information, criminals have shifted their focus to these devices for the access they can provide to accounts and the information they store or transmit. Secure online and mobile devices by instituting a screen lock, encrypting data stored on the devices, avoiding public Wi-Fi and/or using a VPN, and installing anti-malware.
- Place a security freeze—If you are not planning on opening new accounts in the near future, a freeze on your credit report can prevent anyone else from opening one in your name—which is especially important if you have been a victim of data breach that has exposed sensitive personally identifiable information. Credit freezes must be placed with all three credit bureaus and prevents everyone except for existing creditors and certain government agencies from accessing your credit report. While costs vary per state, typically each bureau costs below $20. Should you need to open an account requiring a credit check, the freeze can be lifted through the credit bureaus.
- Sign up for account alerts everywhere—A variety of financial service providers, including depository institutions, credit card issuers and brokerages, provide their customers with the option to receive notifications of suspicious activity—as do businesses in other industries, such as email and social media providers. These notifications can often be received through email or text message, making some notifications immediate, and some go so far as to allow their customers to specify the scenarios under which they want to be notified, so as to reduce false alarms.
- Protect yourself from unauthorized online transactions—As EMV makes fraud at physical stores more challenging, fraudsters are moving to target online merchants. Some financial institutions offer alerts for online transactions, the ability to institute limits on online transactions, or even advanced controls through 3-D Secure (e.g., Verified by Visa, SecureCode from Mastercard, etc.). These can help quickly detect and even prevent online fraud from occurring.
Adam Levin is chairman and founder of CyberScout and co-founder of Credit.com, where this article originally appeared.