5 CYBER IDENTITY THEFT

With the other cyber frauds examined, cybercriminals must convince the victim to part with their money. Identity theft is different. Through no action of their own, people can become identity theft victims. Someone impersonates them to rack up debt or steal in their name. Victims’ credit scores can crash. It can sometimes take years for victims to recover from identity theft.

With the ever-increasing amount of personal data stored online and company data breaches, it isn’t difficult for cybercriminals to get victims’ details. As you will soon find out, it could not be any easier for cybercriminals to do so.

There is another side to identity theft. What about the organisations that give identity thieves their money or something of value in the first place? They have been deceived into believing the cybercriminals were the individuals they pretended to be. How does an organisation recover their funds in this case? There may be insurance in some cases, but most of the time, the organisation takes on those losses. Even if there is insurance, premiums will most likely rise, costing the company money.

As you will learn in this chapter, there are key measures for limiting the impact of identity theft and protecting yourself.

Consider the case of Jane Davies (not her real name). In late 2020, she received a letter from the Department for Work and Pensions (DWP). It told her that the DWP would be deducting £1,334 from her November pay packet. She had never claimed benefits before except for child benefits. She asked herself initially whether the letter was a fraud.

She spent hours on the phone trying to get to the bottom of what was going on. Finally, she learned that the letter was authentic. Someone had used her name to collect money from the government. Now, they wanted their money back.

None of the people I spoke to could help except to tell me that I owed this money. I reported the matter to Action Fraud and heard nothing. Similarly, I have tried to change my National Insurance number, which I thought had been used as part of the claim, but all I get back are standard email replies – I’m going round in circles. I must have spent 30 hours on the phone trying to sort this out, mostly on hold – ‘Jane Davies’.

(Brignall, 2020)

She finally reached the DWP fraud team. They were overwhelmed in dealing with thousands of similar cases. In the end, Jane was found to be a victim of fraud by DWP and not held liable for the benefit costs (Brignall, 2020). Jane is still concerned, however. The cybercriminals have her information.

There is another element to this. What about the costs to DWP? They must spend significant time and energy dealing with identity theft victims.

ANATOMY OF IDENTITY THEFT

The term ‘identity theft’ can be misleading. No one can steal someone’s identity; it is unique to all individuals. It’s not a thing and cannot be acquired or lost. Identity theft refers to stealing someone’s personal, private or financial information with the intent of using it to assume another person’s identity. Once the information is stolen, cybercriminals impersonate their victims to commit identity fraud.

Fraud is the underlying crime here. According to the National Fraud Database in the UK, identity fraud made up 60 per cent of total cases in 2020 (Cifas, 2020). In the US, according to the Consumer Sentinel Network Data Book, maintained and updated every quarter by the FTC, identity theft accounted for 25 per cent of all fraud reported in 2021. It is the number one fraud reported (FTC, 2022).

Technology advances are fuelling identity thefts. People and organisations are storing more personal data than ever online. Cybercriminals are stealing this data. Millions of people have had their personal data stolen by cybercriminals via data breaches (more about this later in the chapter). These factors are creating more victims of identity theft than ever before.

Let’s begin by understanding the history of identity theft.

LESSONS FROM HISTORY

In the past, there were no birth records or credit history. A person could live openly under an assumed identity without incurring suspicion. It wasn’t until the 20th century, with the arrival of income tax and social benefits, that it became necessary for everyone to register their identity with the government.

There have been numerous cases of identity theft throughout history. The first recorded case took place in the Bible. In the book of Genesis, Jacob posed as his brother Esau. Jacob pretended to be his older brother and deceived his dying father into leaving Jacob his entire estate (Genesis 27 in Holy Bible, 2011).

Here are a couple of other famous examples. Let’s start with the case of Martin Guerre in France.

Martin was born around 1524 in the Basque town of Hendaye in the south of France. By 1538, he had married Bertrande de Rols and soon after had a son. Not long afterwards, Martin began to grow restless. He abandoned his family and left his village. People assumed he had died, but no one knew for sure. Life wasn’t easy for Bertrande. Because of the church laws, she was forbidden to remarry without firm proof her husband was dead.

Something significant happened in 1556, 10 years after Martin had left. Someone claiming to be Martin arrived in the village. He knew everything about Martin. From his family to his life in the village. He even sounded like him. It had been a long time since anyone had seen Martin; many thought he might have changed during this time. There were no portraits of him to confirm. At first, Bertrande and her family were not sure it was him. However, the supposed Martin knew detailed memories from 10 to 15 years earlier. In the end, everyone came around to the belief that Martin had indeed returned. He was welcomed back into their family.

Except, this wasn’t the real Martin. It was Arnaud du Tilh from a nearby village where he was a well-known drinker and gambler. He had a chance encounter with some soldiers from Spain where they mistook him for Martin. He had heard about the story of Martin leaving his family. Arnaud concocted a plan where he would steal the identity of Martin. Once preparation had begun, he entered the village to start his deception.

Arnaud was successful. He gained a wife and a considerable inheritance. Within three years, he had a daughter with Bertrande.

Arnaud began taking advantage of his newfound finances. He began selling, buying and leasing land from the family property. The entire family, including Martin’s uncle Pierre, managed the properties together. But Arnaud started to get greedy and inserted himself more aggressively into the family business.

Around this time, Pierre had had enough; the relationship between Pierre and Arnaud reached a breaking point. Pierre wasn’t going to give any further access to the family business accounts. Arnaud fought back and brought a civil suit against Pierre. In retaliation, Pierre began a public campaign claiming Arnaud wasn’t Martin; he was an imposter taking advantage of Martin’s wife.

In 1560 Arnaud was arrested. He was taken to Rieux for trial. The trial would prove to be complicated. The court needed witnesses to verify his identity, so 150 witnesses were called to testify. Some swore Arnaud was Martin without a shadow of a doubt. Others didn’t know since it was so long since they had seen Martin. People couldn’t decide conclusively one way or another if he was the real Martin.

Bertrande had her honour at stake. She was in a bind. Even if she had realised Arnaud wasn’t Martin, she couldn’t be seen as an adulteress. She had to protect her reputation as a respectable woman, so her son could inherit her family fortune. Against Pierre’s wishes, she testified Arnaud was the real Martin. Pierre himself testified, but he seemed vindictive and unreliable. The court was leaning heavily towards Arnaud’s favour.

It was around this time the real Martin returned. He had heard about the trial and decided to return home and reclaim his family, property and identity. Pierre and Martin’s sisters instantly recognised him. It didn’t take long to establish Arnaud was a fraud. Bertrande went back to Martin, begging forgiveness, saying Arnaud had tricked her. Martin was not having any of it from his wife. He is quoted as saying that a wife ought to know her husband.

Arnaud was found guilty. His punishment was to perform a public penance in Artigat and then be hanged. He died testifying to Bertrande’s innocence, honour and virtue (Davis, 1983).

This case illustrates identity theft happening to the everyday person. At the other end of the spectrum, identity theft was often an occurrence concerning royalty.

In 1491, Perkin Warbeck claimed to be the rightful king of England. He claimed to be Richard of Shrewsbury, Duke of York. Richard was the second son of Edward IV, who had died in 1483. The Duke was one of the two princes locked up in the Tower of London by King Richard III. Had Richard been alive, and his older brother Edward V not, he would have been the rightful heir to the throne. The last time anyone saw Richard was in the summer of 1483, walking around the tower’s garden. Everyone believed Richard and his brother had died, but no one could say for sure.

Warbeck was a young Flemish merchant. He arrived in Ireland in 1491. Shortly after his arrival, he became friendly with the king’s enemies who lived there. With their influence, he decided to claim to be the missing prince and declare himself the rightful King of England. He went to the Burgundy court in France to make his claim. He was successful. He told the following story: his brother Edward was murdered, but the murderers had spared him due to his age and innocence. As part of the deal for him not to be killed, they made him promise not to reveal his true identity for a certain number of years. From 1483 to 1490, he had lived in continental Europe.

He convinced kingdoms in France and Scotland of his claim. They supplied him with armies. For years, he tried unsuccessfully to overthrow King Henry VII (he became king in 1485 when King Richard III died). While he had the support of foreign governments, he could never gain the support of Englishmen to join him. Without their support, he was eventually caught and executed (Arthurson, 2009).

A common way criminals would often avoid capture was to steal someone’s identity. Outlaw John Wesley Hardin did just that. While evading capture in the late 1800s in Florida, Hardin stole the identity of a Town Marshal he knew in Texas, James W. Swain. Unfortunately for Hardin, he shot someone while using his new identity and was captured anyway (Hardin, 1896).

Then there are more unusual identity theft cases like ‘The Will Forgeries’ in 1844 in England. In this case, criminals identified many dormant accounts in the Bank of England that contained large amounts of money. They pretended to be the owners of the accounts and created forged wills in the account holders’ names. The wills, of course, left everything to the criminals. Then they registered a fictitious death for the owners of the accounts. Once they had death certificates and wills, they could go through the legal procedures of collecting the money in the dormant accounts. At the time, there was no medical certification required to issue a death certificate. A person’s word was all that was needed. The criminals not only stole the victim’s identity but also had them killed (figuratively speaking).

Identity theft has frequently happened throughout history because it has often been easy. Anyone could go to another town and assume someone else’s identity if they chose to, like Hardin did. There were no fingerprints, no photos and no documents needed hundreds of years ago. Today, it can be argued, it has never been easier. The internet has given criminals access to millions of stolen identities to choose from, and the geographical limitations have been removed. In the case of The Will Forgeries, the criminals were in England. Today, for a similar type of crime, the criminals could be located anywhere in the world – in many cases, making it all but impossible for local law enforcement to apprehend them.

At least in the past, an identity thief would have had to know a little bit about their victim to tell a convincing story to people. Now cybercriminals don’t need any background story. They only need personal data. The data does the convincing.

Identity thieves had much to gain if they were successful. Imagine the transformation Warbeck went through. He went from a merchant to a potential king. He was entertained by other monarchs; his reputation was immediately transformed. He was given wealth to help him in his battles. It’s easy to see why this would appeal to some people; the same is true today.

IDENTITY THEFT ATTACK METHODS

There are two primary ways someone can become a victim of identity theft. The first is by actions outside the victim’s control; the second is from actions within the victim’s control.

Actions outside the victim’s control

The following are the more common ways someone can become an identity theft victim through no action of their own.

SIM port hacking

In SIM port hacking, a cybercriminal convinces the victim’s mobile service provider to reassign the victim’s number to another phone, so that all their texts and calls are redirected to the cybercriminal. The cybercriminal then has the power to break into crucial personal accounts using multi-factor authentication text messages. The goal is to access personally identifiable information (PII), bank account information, email and even other logins like an Apple ID. Cybercriminals can then commit a range of identity frauds, like applying for new credit cards.


Identity theft doesn’t just happen to living people. Cybercriminals can use the identity of deceased people to commit fraud. This can be very disturbing to the people who were close to the deceased. These websites offer support and advice on this issue: https://www.thebereavementregister.org.uk/, https://www.deceasedpreferenceservice.co.uk/ (Action Fraud, no date).

Data breaches

Organisations continue to report data breaches at an alarming rate. Millions of people have had their PII stolen from organisations they trust to keep them safe. In 2020 alone, close to 300 million people had their details lost because of a data breach (Bekker, 2021).


According to the NCSC, a data breach occurs when information held by an organisation is stolen or accessed without authorisation (NCSC, 2021).

Equifax, one of the US’s three major consumer credit agencies, had a data breach in 2017. It was one of the most significant breaches ever. Cybercriminals were able to steal 147 million identities (Bernard, 2020). The types of data stolen included names, birth dates, addresses, credit card numbers and personal documents.

While there have been larger data breaches, the Equifax breach stands apart due to its severity. Equifax has a file on almost everyone. ‘On a scale of 1 to 10 in terms of risk to consumers, this is a 10,’ said Avivah Litan, a fraud analyst at Gartner (Siegel, 2017).

Every one of those 147 million people is now at risk of identity fraud through no fault of their own.

Almost one in five notified victims of a data breach have experienced identity fraud (Ponemon Institute, 2016).

Think of it this way: imagine you own an Audi car and find out one day that cybercriminals have stolen the key codes from Audi that gave them the ability to open and drive off with any car those codes matched – which includes your vehicle. Maybe the cybercriminals will target your vehicle, maybe not. The point is they now have the keys and can break in anytime they choose.

How PII gets into cybercriminals’ hands can be surprising sometimes. Consider this case.

The year 2020 was when the COVID-19 virus disrupted the global economy as well as just about everything else. The travel industry, especially cruise ships, was impacted more significantly than others. The Holland America Line ship, the MS Zaandam, with 247 Canadian passengers on board, found itself unable to dock in any country.

Unable to leave the ship, crew and passengers alike were stuck in close quarters – with many people getting ill and some dying – an awful experience for everyone involved for sure. So while quarantined on the ship, how much worse could it possibly get for the passengers?

On 1 April 2020, Global Affairs Canada (a department of the Government of Canada that manages Canada’s diplomatic and consular relations) sent an email update to all the passengers. There was an attachment included with the email. It included each passenger’s personal details, including their address, date of birth, email, phone number and passport number – everything a cybercriminal would need to steal their identities. While it is not known if any passengers were victims of identity fraud, they are now at risk of becoming victims (Harris, 2020).

The email with the attachment was likely forwarded on without people realising the risks. Think of this as a small-scale data breach. Once the data has left the building so to speak, it is gone.

How cybercriminals use PII on the dark web

Data breaches are how cybercriminals can get your information. The dark web is one way they begin using it. Just as cryptocurrencies have been an accelerator for cybercrime, so too has the dark web. Cybercriminals love the dark web, and for good reason. Anything that cybercriminals can think of buying or selling is most likely for sale on the dark web. It’s eBay for cybercriminals.

Initially, the dark web was for the members of the intelligence community to communicate anonymously with each other. This began to change when researchers at the US Naval Research invented TOR, ‘The Onion Routing’ project. The idea behind their project was to route traffic through multiple servers and encrypt it each step of the way, thus hiding the identity of users. They invented the TOR browser to make it easier to use the dark web (TOR, no date).

Whistle-blowers, journalists and citizens living under repressive regimes began to use it to communicate safely. The same benefits were also appealing to cybercriminals. They flocked to it. Online marketplaces that hid the identities of buyers and sellers began opening up. There is no eBay-like identity verification to prove who people are before transacting on the marketplaces. As such, there are no credit cards accepted here. It’s all about buying and selling with cryptocurrencies, namely Bitcoin. Sellers of illegal goods and services now have a global reach like never before.


Want to find out if your email has been part of a breach? https://haveibeenpwned.com maintains a database of reported email addresses and passwords included in breaches.

Dark web marketplaces go beyond selling only physical goods. They sell anything virtual too. One hot item is data, particularly data that can be used to steal someone’s identity. Login details, credit card information, anything that is PII is being sold.

There are hundreds of different things to buy. They range from cloned Mastercard/Visa credit cards to a valid passport from a country of your choosing.


Sign up for a good identity theft protection service – preferably one that monitors the dark web. They offer the best chance of detecting when an identity is used for malicious purposes. Identity Guard and Norton LifeLock are two reputable identity monitoring services that also monitor the dark web.

There are even package deals for those wanting a completely new identity that include a university diploma, bank account, credit cards, birth certificate and a passport. Table 5.1 shows pricing for different countries (Gomez, 2022).

Table 5.1 Examples of personal data for sale on the dark web

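| Category | Item | Price |
|---|---|---|
| Credit card data | Cloned Mastercard with PIN | $25 |
| Credit card data | USA hacked credit card details with CVV | $17 |
| Credit card data | UK hacked credit card details with CVV | $20 |
| Crypto accounts | Hacked Coinbase verified account | $610 |
| Crypto accounts | Crypto.com verified account | $300 |
| Social media | Hacked Facebook account | $65 |
| Social media | Hacked Gmail account | $80 |
| Miscellaneous | US driver’s licence | $100 |
| Miscellaneous | Various European Union passports | $4,000 |
| Miscellaneous | Fake US Green Card | $150 |
| Miscellaneous | Stolen PayPal account details, minimum $100 | $30 |
| Miscellaneous | Instagram followers x 1000 | $5 |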

There are even bulk data options available for purchase. In 2017, security researchers at 4iQ found a 41 GB file containing 1.4 billion username and password combinations for sale on the dark web. That is a massive amount of information. All the data was in plain text, making everything readable, ready for anyone to use the login details and get started. The data had been collected from multiple different data breaches and combined. The sellers claimed the data was from popular websites like Netflix, LinkedIn and Minecraft (Waqas, 2017).

Could it be any easier for aspiring cybercriminals? The dark web has made it easy for anyone to commit identity fraud. In addition to vast amounts of sensitive data ready to be purchased, online courses are available via the dark web that teach amateur cybercriminals how to use stolen card details.

The Cambridge-based AI firm Featurespace has been researching this latest trend. Featurespace says the following:

[O]pportunistic amateur fraudsters are now able to enrol in comprehensive classes and take modules – from tips on who the easiest issuers and banks are to defraud, all the way up to learning how to perpetrate large-scale credit card fraud.

(Brignall, 2019)

The online video creators know how to market their products. Titles such as ‘The art of ordering goods online using a credit card’ and ‘Want to know how to get free goods! Let’s get started’ are used to pique interest.

These are not amateur courses. They look and feel like professionally produced teaching courses. One course provider was selling their course for $600 for tuition and $200 for course materials, payable by Bitcoin or other cryptocurrencies. The course is interactive, and it is apparent that it was not cheap to create. It is a six-week course consisting of 20 lectures (Brignall, 2019).

COMPANIES SHOULD BE HELD ACCOUNTABLE FOR DATA BREACHES

The true scale of data breaches is unknown. While in the EU, the General Data Protection Regulation (GDPR) requires companies based in the EU to report if they have been breached, many countries outside the EU do not have similar requirements.

Every year, ID Theft Center releases an ‘End of year data breach report’. The 2020 report had this to say about the state of disclosures in the EU versus the US:

Even after 15 years of data breach notices, comprehensive information about individual data breaches is hard to come by, even when reported to government officials. As noted elsewhere in this report, more than 10,000 data breaches and data exposures have been publicly reported in the US since 2005. Contrast that with the more than 160,000 data breaches reported in the European Union since May 2018. The difference is the EU has strong data privacy and cybersecurity law that mandates reporting to government officials. The US does not.

(ID Theft Center, 2020)

The lack of transparency by companies puts everyone at greater risk of identity theft. When companies disclose that their data has been compromised, they often use vague terms like ‘employee records’ or ‘financial information’. Both European and US companies are guilty of this. Instead, companies should be specific. Was it date of birth, government ID numbers, driver’s licence details or other data fields that were compromised? Their customers deserve to know.

To add to the problem, it takes 280 days on average for companies to discover and contain a data breach. So even if a company is required to report a data breach, they cannot do so until they know there has been one. This means cybercriminals could have your PII for a significant amount of time before you are notified (IBM, 2021).

There should be stricter rules and financial compensation to victims when companies experience a data breach – mainly when poor cybersecurity practices cause the breach. It is an unacceptable burden on an individual to pay the financial and emotional costs of becoming an identity theft victim through no fault of their own.

Credit card fraud

The most common type of identity fraud is credit card identity theft. Most people probably don’t even realise that this is a form of identity theft. A cybercriminal uses someone else’s identity to make unauthorised purchases on their credit card. Sometimes the cybercriminal will obtain the account numbers and PIN (most of the time via the dark web), or they will physically steal the card.

Criminal identity fraud

As part of any police process, an individual’s driver’s licence is usually checked by the officer when they pull someone over. This is to determine if there are any arrest warrants out for them. Imagine if when the officer checks the licence, their dashboard lights up like a Christmas tree for a list of outstanding arrest warrants. It appears the driver has been arrested numerous times and failed to appear in court for any of the hearings and, subsequently, the judge has issued a warrant for their arrest. The driver is stunned; they did not know of any of this. This is what criminal identity theft is. The criminal used someone else’s details when they were arrested. They stole an identity to conduct illegal activities.

In other cases, the criminal will show up for the offence they were charged with and plead guilty under someone else’s name. This establishes a criminal record for the victim without them knowing. Victims often only find out about this when they are denied employment or terminated from employment. Often employers will conduct a background investigation where they will discover the victim’s fake criminal history.

Medical identity fraud

How valuable would it be to an opioid addict to steal a legitimate user’s medical prescription? Stealing medical records has become incredibly common. By stealing someone’s medical identity, cybercriminals can obtain prescriptions and medical services. Health care data contains medical records and prescription accounts that cannot be cancelled or changed as quickly as a credit card.

Cybercriminals are stealing medical records at an astonishing rate. They attacked the American Medical Collections Agency, causing a large-scale data breach in 2019. Over 24,780,533 records were lost. These included contact information, social security numbers, medical information, dates of medical service, name of lab or medical service provider, payment card information and names. This is only one case out of many (ID Theft Center, 2020).

Tax identity fraud

Tax identity theft is on the rise. Filing fake tax returns wasn’t a typical identity theft until the last few years. Because of the dark web, it’s easy for cybercriminals to buy individuals’ PII. Once they have someone’s PII they can start filing fake tax returns. Cybercriminals artificially inflate the amount of money the victim should get on their tax return. They will then have the funds sent to an address they control.

Account identity fraud

Account identity theft is when cybercriminals open new accounts under the victim’s name. The account can be a bank account, government benefits account or any other type of account cybercriminals can steal from – it takes less time than ever to open a new account somewhere.

Organisations have designed the online account sign-up process to take as little time as possible. There is a strong correlation between how many people complete a sign-up and how long it makes them wait. If it takes too long, people will not wait. They will seek another option if available. While improved sign-up speeds benefit consumers, they also help cybercriminals.

Synthetic identity fraud

In the previous identity frauds explained, cybercriminals use PII to assume the identity of the victim. These typically work in real time. In other words, cybercriminals will use them to steal right away. Synthetic identity fraud is a long-term strategy. Cybercriminals want to fly under the radar as long as possible.

Cybercriminals use a legitimate government ID (for example social security) and combine it with a fake name and address, then open up bank accounts or credit card accounts. Then for months to years, they build up good credit with these fake identities. Their goal is to maximise all possible credit for them. Once that is done, they will do what is termed a ‘bust out’. They stop using that identity and disappear, leaving accounts to default. The creditors are left without any recourse ever to get their money back. Cybercriminal rings have created thousands of these accounts. One of the largest synthetic ID rings detected to date racked up losses for banks of $200 million from 7,000 synthetic IDs and 25,000 credit cards (Richardson and Waldron, 2019).
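The pattern described above, one genuine ID number paired with invented names and addresses, leaves a trace that an account-opening team can screen for. The following is an added example, not code from this book: the Application record, the TEST-prefixed ID values and the three-ID address threshold are assumptions made for illustration.

```python
import unicodedata
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Application:
    app_id: str
    gov_id: str   # government ID number exactly as the applicant typed it
    name: str
    dob: date
    address: str


def norm_text(text):
    """Fold case, accents, punctuation and spacing so trivial edits still match."""
    text = unicodedata.normalize("NFKD", text).casefold()
    kept = "".join(c if c.isalnum() else " "
                   for c in text if not unicodedata.combining(c))
    return " ".join(kept.split())


def norm_id(gov_id):
    """Compare ID numbers on their letters and digits only."""
    return "".join(c for c in gov_id if c.isalnum()).upper()


def shared_ids(apps):
    """ID numbers submitted with more than one distinct (name, date of birth)."""
    people, seen = defaultdict(set), defaultdict(list)
    for a in apps:
        key = norm_id(a.gov_id)
        people[key].add((norm_text(a.name), a.dob))
        seen[key].append(a.app_id)
    return {k: sorted(seen[k]) for k, v in people.items() if len(v) > 1}


def shared_addresses(apps, min_ids=3):
    """Addresses used by at least min_ids different ID numbers (assumed threshold)."""
    ids, seen = defaultdict(set), defaultdict(list)
    for a in apps:
        key = norm_text(a.address)
        ids[key].add(norm_id(a.gov_id))
        seen[key].append(a.app_id)
    return {k: sorted(seen[k]) for k, v in ids.items() if len(v) >= min_ids}


def review_queue(apps, min_ids=3):
    """Map each flagged application to the reasons it needs manual review."""
    reasons = defaultdict(list)
    for gov_id, app_ids in shared_ids(apps).items():
        for app_id in app_ids:
            reasons[app_id].append(f"id {gov_id} used by several identities")
    for addr, app_ids in shared_addresses(apps, min_ids).items():
        for app_id in app_ids:
            reasons[app_id].append(f"address '{addr}' shared by many ids")
    return dict(sorted(reasons.items()))


# Constructed sample applications; every value is invented for this example.
SAMPLE = [
    Application("A1", "TEST-000-0001", "Alex Marsh", date(1985, 3, 2), "12 Elm Rd"),
    # Same ID number, reformatted, with a different name and date of birth.
    Application("A2", "test 000 0001", "Jordan Pike", date(1990, 7, 19),
                "4 Harbour Way Flat 2"),
    Application("A3", "TEST-000-0002", "Sam Ortega", date(1979, 11, 30),
                "4 Harbour Way, Flat 2"),
    Application("A4", "TEST-000-0003", "Riley Chen", date(1988, 5, 5),
                "4 HARBOUR WAY FLAT 2"),
    # One genuine applicant applying twice: must not be flagged.
    Application("A5", "TEST-000-0005", "Dana Obi", date(1992, 1, 14), "9 Mill Lane"),
    Application("A6", "TEST-000-0005", "DANA OBI", date(1992, 1, 14), "9 Mill Lane"),
]

if __name__ == "__main__":
    for app_id, why in review_queue(SAMPLE).items():
        print(app_id, "->", "; ".join(why))
```

A flag here is a reason for manual review, not proof of fraud: families and shared housing legitimately share addresses, which is why the repeat applicant in the sample stays out of the queue.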


In 2021, Experian reported synthetic identity theft is the fastest-growing type of financial crime. It accounts for 80 per cent of credit card losses (Peters, 2021).

A common target for synthetic identity fraud is children. When minors turn 18 and apply for their first loan or credit card, they are increasingly finding out that they are an identity fraud victim. In most cases, cybercriminals stole their identity years prior.

Cybercriminals find children easy prey due to their clean credit history and the lower likelihood of detection. Most of the time, children’s credit reports are left unmonitored for years. This provides cybercriminals ample time to cause substantial damage to the child’s credit. On the dark web, children’s identities are more valuable than adults’ because of this.

Synthetic identity fraud takes a huge emotional toll on young adults. Cybercriminals are creating hidden time bombs for them. When they turn 18 and apply for their first loan or credit card, they will be shocked to discover their credit scores are terrible. It is an awful thing for young adults to experience.

Actions within the victim’s control

The second type of identity theft attack is one where the victim has some degree of control. Cybercriminals have a range of ways to compromise victims. Here are the more common methods.

Poor passwords

According to NordPass’s worst password list for 2020, millions still used ‘123456’ as their password. The familiar ‘password’ was also in the top 10 (NordPass, 2021). Bad passwords make it easy for cybercriminals to get into your online accounts and steal your information. Many passwords take less than a second for cybercriminals to hack.

Storage of passwords

How passwords are stored matters. Writing them down in an Excel document on a laptop or in notes on an iPhone is a bad idea. If any of these devices get stolen or hacked by cybercriminals, they will instantly have the keys to the kingdom. Consider using a password manager or password vault to store passwords securely, so even if your computer devices are lost or stolen, passwords will be safe.

Mobile apps

Over four-fifths of time spent online is on mobile devices (Ofcom, 2020). Mobile apps are an increasing security concern. Dodgy apps mask themselves as games, wallpaper and other valuable programs to steal personal data. One example is that once a victim downloads an app, it will scan the mobile looking for applications like Facebook. Once Facebook is found, it waits until the user tries to open it. Then it launches a lookalike instead, tricking the user into putting their login credentials into the fake app. The information is then sent to a remote server run by cybercriminals.

A 2020 study from researchers at Ohio State University and the Helmholtz Centre for Information Security found hard evidence that thousands of Android apps have backdoor functions, such as creating secret access keys, master passwords and secret commands (Zhao et al., 2020).

In other cases, cybercriminals have been able to access voice, text messages and email, monitor all keystrokes, access cameras and pictures, track device location via Global Positioning System (GPS), and more (methods for detecting malicious apps can be found in Chapter 7). There is a lot of information on a mobile phone that cybercriminals find valuable.

Phishing, smishing, vishing and social media attacks

As discussed in previous chapters, phishing, smishing, vishing and social media are critical attack methods for cybercriminals. In addition to the uses already explained, they also use these attacks for identity theft. Cybercriminals want to get your identity. In these cases, the goal is to trick the victim into providing their login details, entering their PII or clicking a link that installs malware on their device that gives cybercriminals access to it. Malware can often contain keylogging software. Any of these methods can provide cybercriminals with the information they need to steal an identity (name, address, birthdays and so on).

A keylogger is a piece of software that logs every key pressed on a keyboard. It can capture personal messages, passwords, credit card numbers and anything else that is typed.

WHY ARE PHISHING, SMISHING, VISHING AND SOCIAL MEDIA ATTACKS SO SUCCESSFUL?

There seem to be warnings about these types of attacks everywhere. Banks send their customers alerts on how to recognise an attack. Companies do security awareness training for their employees to prepare them. Yet, people continue to fall for them.

Webroot and Wakefield Research surveyed 4,000 office workers in the US, UK, Australia and Japan in September 2019 on phishing knowledge and habits (Kurtz, 2019).

Here is a list of topics in phishing messages that people clicked on the most from the survey:

  • an email from my boss – 60%;
  • a friendly message from a family member or friend – 55%;
  • a request from my bank to confirm a transaction – 31%;
  • a discount offer from a store – 28%;
  • a link to a video from a friend or family member – 27%;
  • a prompt for me to verify or authenticate my account – 25%;
  • a notification about a fine – 19%;
  • instructions to confirm my billing address – 18%;
  • a subpoena or legal request – 16%;
  • a link to a funny meme – 13%;
  • a message claiming to contain nudes – 9%.

These examples demonstrate the many ways phishing messages can be crafted and weaponised for attacks. Observe how Cialdini’s persuasion strategies are in use. Notice how the number one response is a message from the boss?

What was insightful about the survey was how people thought they would be attacked. People are starting to look out for phishing emails but are not as prepared for the same attack methods through other communication channels.

Four out of five people (79 per cent) reported they could tell a phishing email from a genuine email. However, far fewer were able to identify phone calls (43 per cent), app notifications (40 per cent) or video chats (22 per cent) used for attacks. People have a false sense of confidence they can recognise an attack.

A total of 49 per cent of the participants admitted they had clicked on a link from an unknown sender when at work and 29 per cent admitted doing so more than once.

Dr Cleotilde Gonzalez, research professor in the Department of Social and Decision Sciences at Carnegie Mellon University, sums it up this way:

Humans make decisions based on experience – specifically, according to the frequency and recency with which similar events are experienced. For example, if you received a phishing email yesterday, you’d be more on-guard today. But if it’s been a while, or if you’ve never knowingly received one, you wouldn’t be so vigilant and would be more likely to fall for the attack.

And because you receive more emails than phone calls or social media messages a day, you’re more likely to be able to identify a phishing email vs a phishing call. There’s also more awareness around email phishing in general, so it makes sense that people aren’t as likely to recognise phishing attempts via non-email communication methods.

(Kurtz, 2019)

With new technologies changing the way people communicate, this problem will only continue to worsen. The best defence against these attacks is awareness and education. Understanding the persuasion techniques cybercriminals use is critical to not falling for phishing lures. Whenever anyone receives a phishing message, whether by a mobile app, social media message or the latest technology gizmo, they should consider following Cialdini’s persuasion defence techniques. Is that urgent bank notification on your phone malicious or not?

For additional methods to recognise phishing attacks, have a look at Microsoft’s recommendations: https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/phishing

When a cybercriminal successfully gains access to a person’s email, they look for legitimate conversations. They then attach malware to an email chain and forward it to the contacts of that person. Since the conversation details are authentic, the email will often pass through the security filters. Any of the contacts that open the file are then compromised.

Timing of phishing, smishing, vishing and social media attacks matters

It isn’t just receiving a phishing, smishing, vishing or social media message that matters. The timing of when someone receives these messages also plays a part in whether they fall for it.

Consider this example. Driver distraction is the leading cause of fatal motor accidents and motor injuries. When driving today, more distractions than ever are competing for a driver’s attention. A study done by Michelle Chan (Department of Psychology, University of Alberta) and Anthony Singhal (Neuroscience and Mental Health Institute, University of Alberta) found that even the wording on billboards mattered to drivers. The presence of negative words like ‘abuse’, ‘disaster’ or ‘poverty’ decreased driving speeds and slowed response times compared to positive words like ‘enjoyment’, ‘laughter’ or ‘gift’. They found wording could influence decision-making abilities and have adverse impacts on driving behaviour. Distractions caused drivers to behave differently from how they usually would (Chan and Singhal, 2015). The same is true for phishing. When distracted, people can sometimes fall for a phishing lure they would typically recognise.

Today, there are more distractions (social media, email, mobile phones) than ever vying for our attention. Cybercriminals know this. They will often time their attacks around more susceptible days or times. For example, attacks can come during early morning commutes to work or Friday afternoons as everyone is starting to think about their weekend activities.

A study by Stanford and Tessian looked at this issue for cybersecurity. In their report, over 45 per cent of victims said they were distracted when they fell for a phishing attack. Another factor complicating things is that most workers (93 per cent) say they are tired and stressed at some point during the workweek. People are dealing with pressure to get things done, often in a heightened emotional state with their attention elsewhere (Tessian, 2020).

It is in this state that the persuasion techniques used in the messaging work so well. It is when mistakes are most likely to happen. The email pretending to be from Microsoft asking for login details was easy to spot during cybersecurity awareness training when everyone was calm. It’s not so easy when someone is emotional or distracted.

Remember to practise self-care. To help guard against the dangers of distraction, it’s essential to take breaks and prioritise self-care when feeling stressed or tired. Don’t bow to pressure to always be available when working or at home. Walk away from the computer or turn off mobile devices when possible, for a reset.

Social media attacks

The lowest hanging fruit for cybercriminals is information victims share on social media sites like Facebook. Everything a victim shares is within their control.

Cifas, the UK’s leading fraud prevention service, found that 65 per cent of identity theft victims had a social media or online presence (Cifas, 2020). Cybercriminals only have to scan the internet for readily available information like name, date of birth, email or telephone number. They can use this information to their advantage.

There is a lack of understanding by many people about the dangers of posting information on social media. Unfortunately, social media companies are not much help.

As of 2021, 3.96 billion people are using social media. Facebook is the largest social media company with 2.7 billion monthly active users (Dean, 2021). People give social media companies a tremendous amount of their data. This data can construct a compelling, cohesive story about someone. This is valuable for cybercriminals to use for identity fraud.

Social media companies would be expected to guard their users’ data responsibly. Unfortunately, this often turns out not to be the case.

Facebook, for instance, wants people to share more information about themselves, not less. There are privacy controls and other security controls in the Facebook platform, yet they are not mandatory or default, leaving users to decide the controls they want. This can put people at risk of having their privacy compromised. To give you an idea of how serious this is, in 2019, the FTC fined Facebook a record $5 billion for deceiving users about the control of their privacy.

‘Despite repeated promises to its billions of users worldwide that they could control how their personal information is shared, Facebook undermined consumers’ choices,’ said FTC Chairman Joe Simons. ‘The magnitude of the $5 billion penalty and sweeping conduct relief are unprecedented in the history of the FTC. The relief is designed not only to punish future violations but, more importantly, to change Facebook’s entire privacy culture to decrease the likelihood of continued violations’ (FTC, 2019).

Consider this snapshot of Facebook’s history, from 2011 to 2021:

  • November 2011 – Facebook settles with the FTC for falsely claiming third-party apps could only access the data they needed to operate (FTC, 2011).
  • June 2013 – A bug in Facebook exposes the personal contact details of six million users (emails and phone numbers).
  • April 2015 – Facebook stops apps from taking as much data as they want (Seetharaman and Grind, 2018).
  • February 2018 – Belgian courts order Facebook to stop tracking what their users do across the internet. Facebook is installing cookies on third-party sites, allowing data about what their users are doing to be tracked without their consent (Reuters, 2018).
  • March 2018 – Details of the Cambridge Analytica affair emerge: Facebook had a massive data theft but did nothing (Cadwalladr and Graham-Harrison, 2018).
  • February 2019 – It is discovered that third-party apps are sharing private information with Facebook; highly personal information like heart rates, menstrual cycles and weight is some of the information shared (Schechner and Secada, 2019).
  • March 2019 – Facebook lobbies against data privacy laws. They target politicians around the world, promising or threatening to withhold investment (Cadwalladr and Campbell, 2019).
  • April 2019 – Hundreds of millions of Facebook records are exposed on Amazon cloud servers. Third-party Facebook app developers have been harvesting Facebook users’ data and haven’t secured the data well enough (Team Guild, 2019).
  • October 2021 – Facebook whistle-blower Frances Haugen appears before UK Parliament. She releases internal documents showing Facebook is aware of the harm their Instagram app causes to teens’ mental health (Browne, 2021).

The behaviour of social media companies needs to change. It will likely either take user outrage or legislation to make these companies take user privacy more seriously.

Using social media safely

Social media should always be used with a degree of caution. There is always the risk that the person you are communicating with on social media isn’t who they say they are. Is the friend, link or follow genuine? Take the time to pause and verify you know the person before engaging with them.

Understanding your digital footprint is important. Publicly available information can be used by cybercriminals to steal your identity or craft more convincing social engineering attacks against you.

Your digital footprint is the entirety of the information you post online, including photos, videos and status updates (NCSC, no date).

Here are three things you should do to protect yourself across social media:

  1. Understand how to set your privacy options so that only the people you want to see your posts have access to them. Put some thought into what you are posting and who has access to it.
  2. Do your followers and friends need to know the information you are posting? Consider only putting up necessary information. The less cybercriminals can see, the better.
  3. Do you know what your friends, colleagues or other contacts say about you online (NCSC, no date)? If you see anything online you are not comfortable with, contact the administrator of the website or author of the content to remove it.

The Centre for the Protection of National Infrastructure (CPNI) has created a Digital Footprint Campaign to help employees understand their digital footprint. There is useful information that includes posters and booklets. Although aimed at businesses, anyone can use their material to better understand their digital footprint: https://www.cpni.gov.uk/security-campaigns/my-digital-footprint

Quiz attacks

Social media platforms encourage the sharing of information. There are often news stories, games or quizzes shared that people find interesting or funny. Except, sometimes, these innocently shared items have an underlying criminal intent.

Cybercriminals have created some quizzes to collect personal information. These quizzes look like they are asking meaningless or harmless questions, but on closer inspection, they are not. Questions like these can sneakily pop up: ‘What is your mother’s maiden name?’ or ‘What is the name of the street you grew up on?’ (Better Business Bureau, 2020). This type of information is commonly used for security questions on banking and other financial sites and may be just what cybercriminals need to target you.

HOW ARE PEOPLE IMPACTED?

The impact of identity theft can be far-reaching. Victims can feel they are unjustly victimised, and rightfully so. Often through no action of their own, they are forced to deal with the after-effects of other organisations’ lack of controls. And now, out of the blue, they are often blindsided with problems, in many cases serious problems.

Sometimes, identity theft can be fairly minor. A victim’s credit card number may have been stolen and used to buy something online. It is a minor inconvenience. The victim will call their credit card provider, and, in most cases, fraudulent transactions are reversed, and a new card is issued. It is such a common problem credit card companies have large fraud departments to manage it. At most, it might take several hours to resolve.

Then there are more severe cases of identity theft. Take the case of Catherine Martinez, a victim of a SIM port attack in 2020 (Martinez, 2020).

While at church one day, Martinez lost her mobile phone coverage. It was a large building, and she thought it was no big deal. She didn’t need her phone at that time. It wasn’t until later that she realised there was a problem when she went home and tried logging into her computer. Two dozen emails arrived thanking her for subscribing to different newsletters. She contacted her network provider and learned her number had been stolen from the provider.

Once the cybercriminal had her number, her Apple ID was broken into using multi-factor authentication. The email address for the Apple ID was changed. The cybercriminal now knew her primary bank, credit card and health insurance details – not to mention had access to her photos. She managed to quickly recover her phone number before the cybercriminal could take over her bank accounts and credit cards and thought she had succeeded in stopping the attack.

It wasn’t until months later she learned the cybercriminal had obtained an Apple Card in her name and maxed it out. Her credit score crashed.

Consider the time it takes to dispute all the charges made with the different organisations. In some cases, legal help is required to sort things out. If cybercriminals successfully take over someone’s investment accounts or other financial accounts, the losses can be enormous. It could impact retirement plans, children’s education or lifestyle, at a minimum.

The toll on victims goes beyond just financial loss and stress. Depending on the type of information stolen, it could take months to years to get everything resolved (financial and credit) and restore the victim’s reputation. Another headache for victims is that even though the attack has been stopped, their information is now out there on lists for sale on the dark web, and other cybercriminals can use it. Victims are left always wondering who else has their information.

Victims of identity theft report getting angry initially, then having feelings of helplessness. They do not know who the cybercriminal is; they are faceless. This leads to a range of other emotions: stress, paranoia, fear for personal financial safety, increased anxiety, fear for the financial security of family members and, for some, even suicidal feelings.

Imagine getting calls from debt collectors and having to go through the hassle of trying to convince them it’s a case of identity theft. It would be stressful for anyone.

Organisations should consider investing in identity protection services for their employees. With data breaches continuing to increase, PII theft can blindside a business and its employees. Distraction and absenteeism are just a couple of potential consequences employees face with identity fraud.

WHAT THE FUTURE HOLDS

How you identify someone online is going to change in the future. It is expected passwords will be replaced with simpler authentication methods like biometrics. Biometric authentication uses a unique biological characteristic of individuals (for example fingerprints, retinas, voices, facial characteristics) to confirm their identity. Gone will be the days of having to remember numerous passwords. This will present new opportunities for cybercriminals.

Expect cybercriminals to develop methods to spoof (fool) biometric security systems by using fake or copied biometrics information. An example of this is someone’s fingerprint that can be stolen, copied and moulded onto an artificial silicon finger. This could then be used to unlock someone’s phone or payment app.

Considering how many data breaches are continuing to occur, no one should feel too confident their biometric data will be safe. The more worrisome part is that you cannot replace your fingerprint or other biometric data. What happens when this gets stolen by cybercriminals and ends up on the dark web?

DEFENDING AGAINST CYBER IDENTITY THEFT

The key to defending against identity theft is two-fold. First, take steps to stop your identity from being stolen. Second, put in place controls and monitoring to detect when your identity is used without authorisation. It is vital to move as fast as possible to contain identity theft damage to limit its impact.

Preventative measures

Constantly monitoring your online identity is crucial to detecting identity theft. The longer your identity is used for illegal purposes, the harder it will be to correct. Here are some steps to follow:

  • Sign up for an identity protection service. Find one that offers dark web monitoring services.
  • Use multi-factor authentication where available. Text authentication can be problematic. Use apps like Google Authenticator instead.
  • Stay diligent and alert for malicious email, text, phone and social media messages.
  • Check often for malware or viruses on computers. Use cybersecurity tools like Malwarebytes or Intego software to detect and defend against them.
  • Use a VPN to encrypt all traffic – essential if connecting to a public or unsecured Wi-Fi.
  • Create complex passwords and don’t use the same password for multiple accounts.
  • Invest in a password manager or vault, like LastPass or 1Password.
  • Some credit agencies offer alert services to notify you whenever there are changes to your credit file. Sign up for them.
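Authenticator apps such as Google Authenticator generate their codes with the TOTP algorithm (RFC 6238): each code is computed on the device from a secret shared once at enrolment and the current time, so nothing travels to the phone number. The sketch below is an added example, not taken from the book; the function names are chosen here, and the secret used to check it is the published RFC test key, not a real one.

```python
import base64
import hashlib
import hmac
import struct


def decode_enrolment_secret(b32_text):
    """The enrolment QR code carries the shared secret as Base32 text.
    Apps display it in groups and in either case, so normalise before decoding."""
    cleaned = b32_text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)          # restore stripped padding
    return base64.b32decode(cleaned)


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over an 8-byte big-endian counter, then
    'dynamic truncation' to a short decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # low nibble picks the window
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238: HOTP where the counter is the number of 30-second steps
    since the Unix epoch. Phone and server compute it independently."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret, submitted, unix_time, step=30, digits=6,
                window=1, last_counter=None):
    """Server-side check. Accepts codes from +/- `window` steps to allow for
    clock drift and refuses any step at or before `last_counter`, so a code
    that was already used cannot be replayed. Returns the matched step
    (store it as the new last_counter) or None."""
    current = unix_time // step
    for counter in range(current - window, current + window + 1):
        if counter < 0:
            continue
        if last_counter is not None and counter <= last_counter:
            continue
        expected = hotp(secret, counter, digits)
        if hmac.compare_digest(expected, submitted):   # constant-time compare
            return counter
    return None


if __name__ == "__main__":
    # RFC 6238 test key "12345678901234567890", as it would appear in Base32.
    secret = decode_enrolment_secret("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")
    print("code at t=59:", totp(secret, 59))
    step_used = verify_totp(secret, totp(secret, 59), 59)
    print("accepted at step:", step_used)
    print("replay accepted:",
          verify_totp(secret, totp(secret, 59), 59, last_counter=step_used))
```

A text-message code goes to whoever currently controls the phone number; a TOTP code can only be produced by a device that holds the enrolment secret.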

Warning signs

Unlike the previous cyber frauds discussed, it is fairly clear if your identity is being used by cybercriminals. You could find yourself unable to get loans because your credit score has suddenly crashed, for example. Here are some of the warning signs:

  • Bills start arriving for items that were not purchased.
  • Unrecognised items start appearing on bank or credit card statements.
  • Debt collectors start calling for unknown accounts.
  • Banks and credit card providers start denying account approvals where previously it was not an issue.

What to do if you are a victim of identity theft

  • Take action immediately to limit its impact and seek help. This is crucial. Depending on your country, there will be credit reporting agencies, banks, law enforcement and government agencies that can assist you.

    Credit agencies offer identity theft victims a free fraud service. They will often liaise with each other to restore compromised personal credit records.

  • Change all your passwords.
  • Check credit files at the main credit agencies, such as Experian and Equifax. Make sure there are no other loans, mobile phone agreements or any other credit that has been taken out. Anything found on the credit report that isn’t right will need to be disputed. The company that put it on there will have to be contacted. Expect this to be a time-consuming process.
  • Report the identity theft. Most countries have dedicated resources to help victims. For example, in the UK, go to https://www.actionfraud.police.uk/; in the US, go to https://www.identitytheft.gov. You will find further information to help you recover from identity theft.
  • Place a security freeze (credit freeze). This means the credit agencies will lock down a credit file and stop loans from going through. It will prevent criminals from opening new accounts in your name. When applying for legitimate new lines of credit, the freeze can be temporarily lifted.
  • Be prepared to constantly monitor your credit reports for suspicious activity. Make it a habit to check credit reports – at least yearly. (This should also be done for children to catch synthetic identity fraud.) Consider signing up for the Protective Registration service by Cifas (https://www.cifas.org.uk/pr). They will place a flag next to your name and personal details in their National Fraud Database. This will mean it is recognised you could be at risk and extra steps will be taken to protect you when your details are used for buying products or services.
  • At some point during this process, take a step back and just breathe. The emotional impact of identity theft can take a toll on anyone. It can lead to sleep and eating disruption, along with anxiety and depression. It can take time to repair the damage, often taking weeks to months to sort out.

SUMMARY

There is no silver bullet in combating identity theft. There was not one in the past, and there will probably not be one in the future. As explained in this chapter, identity fraud is the most common cyber fraud. It is also the toughest one to defend against. Once an individual’s PII is on the dark web, it is there to stay. It will always be at risk again in the future.

As you have read, there is an identity theft ecosystem. Millions of individuals’ PII is getting stolen in data breaches. Combined with how simple it is to buy fraudulent IDs and learn how to use them on the dark web, this should be alarming to every individual and organisation.

It isn’t a question of if you will be an identity fraud victim, but when. It’s essential to put in place identity monitoring tools so you can detect it as quickly as possible. By detecting identity fraud quickly, you can block the suspicious activity and take further steps to protect yourself.

REFERENCES

Action Fraud (no date) Identity fraud and identity theft. Available from https://www.actionfraud.police.uk/a-z-of-fraud/identity-fraud-and-identity-theft

Arthurson, Ian (2009) The Perkin Warbeck Conspiracy. Cheltenham: The History Press.

Bekker, Eugene (2021) 2021 data breaches | The worst so far. IdentityForce. Available from https://www.identityforce.com/blog/2021-data-breaches

Bernard, Tara Siegel (2020) Equifax breach affected 147 million, but most sit out settlement. New York Times. Available from https://www.nytimes.com/2020/01/22/business/equifax-breach-settlement.html

Better Business Bureau (2020) BBB scam alert: Bored? Think twice before taking that Facebook quiz. Better Business Bureau. Available from https://www.bbb.org/article/news-releases/16992-scam-alert-that-facebook-quiz-might-be-a-big-data-company-mining-your-personal-information

Brignall, Miles (2019) Criminals learning how to commit card fraud from dark web. The Guardian. Available from https://www.theguardian.com/money/2019/jun/01/now-there-are-online-classes-in-how-to-use-stolen-cards

Brignall, Miles (2020) ‘It’s a nightmare’: Woman faces £1,300 demand due to Universal Credit fraud. The Guardian. Available from https://www.theguardian.com/money/2020/nov/14/universal-credit-fraud-scam

Browne, Ryan (2021) ‘Facebook is closing the door on us being able to act’, whistleblower says in UK hearing. cnbc.com. Available from https://www.cnbc.com/2021/10/25/facebook-whistleblower-frances-haugen-testifies-in-uk-parliament.html

Cadwalladr, Carole and Campbell, Duncan (2019) Revealed: Facebook’s global lobbying against data privacy laws. The Guardian. Available from https://www.theguardian.com/technology/2019/mar/02/facebook-global-lobbying-campaign-against-data-privacy-laws-investment

Cadwalladr, Carole and Graham-Harrison, Emma (2018) Revealed: 50 million Facebook profiles harvested for Cambridge Analytica in major data breach. The Guardian. Available from https://www.theguardian.com/news/2018/mar/17/cambridge-analytica-facebook-influence-us-election

Chan, Michelle and Singhal, Anthony (2015) ‘Emotion matters: Implications for distracted driving’. Safety Science, 72 (February). 302–309.

Cifas (2020) Fraudscape 2020. Available from https://www.fraudscape.co.uk

Davis, Natalie Zemon (1983) Return of Martin Guerre. Cambridge, MA: Harvard University Press.

Dean, Brian (2021) Social network usage and growth statistics: How many people use social media in 2021. Backlinko. Available from https://backlinko.com/social-media-users#how-many-people-use-social-media

FTC (2011) Facebook settles FTC charges that it deceived consumers by failing to keep privacy promises. Available from https://www.ftc.gov/news-events/press-releases/2011/11/facebook-settles-ftc-charges-it-deceived-consumers-failing-keep

FTC (2019) FTC imposes $5 billion penalty and sweeping new privacy restrictions on Facebook. Available from https://www.ftc.gov/news-events/press-releases/2019/07/ftc-imposes-5-billion-penalty-sweeping-new-privacy-restrictions

FTC (2022) Consumer sentinel network 2021. Available from https://www.ftc.gov/system/files/ftc_gov/pdf/CSN%20Annual%20Data%20Book%202021%20Final%20PDF.pdf

Gomez, Miguel (2022) Dark web price index 2020. Privacy Affairs. Available from https://www.privacyaffairs.com/dark-web-price-index-2020/

Hardin, John Wesley (1896) The Life of John Wesley Hardin: As Written By Himself. Seguin, TX: Smith & Moore.

Harris, Sophia (2020) Canadian passengers from virus-stricken Zaandam cruise ship hit by federal gov’t privacy breach. CBC. Available from https://www.cbc.ca/news/business/zaandam-cruise-privacy-breach-canadians-1.5531124

Holy Bible (2021) Genesis 27. King James Version. Glasgow: Collins.

IBM (2021) How much does a data breach cost? Cost of a data breach report 2021. Available from https://www.ibm.com/security/data-breach

ID Theft Center (2020) 2019 End-of-year data breach report. Available from https://www.idtheftcenter.org/wp-content/uploads/2020/01/01.28.2020_ITRC_2019-End-of-Year-Data-Breach-Report_FINAL_Highres-Appendix.pdf

Kurtz, Justine (2019) Hook, line and sinker. Webroot and Wakefield. Available from https://www.webroot.com/ie/en/about/press-room/releases/employees-click-phishing-emails-atwork

Martinez, Catherine (2020) My identity theft story: Six lessons from my SIM port hacking experience. Smart Women Smart Money. Available from https://swsmmagazine.com/2020/10/my-identity-theft-story-six-lessons-from-my-sim-port-hacking-experience/

NCSC (2021) Data breaches: Guidance for individuals and families. Available from https://www.ncsc.gov.uk/guidance/data-breaches

NCSC (no date) Social media: How to use it safely. Available from https://www.ncsc.gov.uk/guidance/social-media-how-to-use-it-safely

NordPass (2021) Top 200 most common passwords of the year 2020. Available from https://nordpass.com/most-common-passwords-list/?utm_medium=affiliate&utm_term&utm_content=100051831&utm_campaign=off490&utm_source=aff34741&aff_free&url=https%3A%2F%2Fnordpass.com%2Fmost-common-passwords-list%2F

Ofcom (2020) Online nation 2020 summary report. Available from https://www.ofcom.org.uk/__data/assets/pdf_file/0028/196408/online-nation-2020-summary.pdf

Peters, Kathleen (2021) Experian launches 2021 future of fraud forecast. Available from https://www.experian.com/blogs/news/2021/01/11/experian-launches-2021-future-fraud-forecast/

Ponemon Institute (2016) 2016 cost of data breach study: Global analysis. Available from https://www.cloudmask.com/hubfs/IBMstudy.pdf

Reuters Staff (2018) Facebook loses Belgian privacy case, faces fine of up to $125 million. Reuters. Available from https://www.reuters.com/article/us-facebook-belgium/facebook-loses-belgian-privacy-case-faces-fine-of-up-to-125-million-idUSKCN1G01LG

Richardson, Bryan and Waldron, Derek (2019) Fighting back against synthetic identity fraud. McKinsey. Available from https://www.mckinsey.com/business-functions/risk/our-insights/fighting-back-against-synthetic-identity-fraud#

Schechner, Sam and Secada, Mark (2019) You give apps sensitive personal information. Then they tell Facebook. Wall Street Journal. Available from https://www.wsj.com/articles/you-give-apps-sensitive-personal-information-then-they-tell-facebook-11550851636

Seetharaman, Deepa and Grind, Kirsten (2018) Facebook’s lax data policies led to Cambridge Analytica crisis. Wall Street Journal. Available from https://www.wsj.com/articles/facebooks-lax-data-policies-led-to-cambridge-analytica-crisis-1521590720

Siegel, Bernard, et al. (2017) Equifax says cyberattack may have affected 143 million in the U.S. New York Times. Available from https://www.nytimes.com/2017/09/07/business/equifax-cyberattack.html

Team Guild (2019) A timeline of trouble: Facebook’s privacy record and regulatory fines. Available from https://guild.co/blog/complete-list-timeline-of-facebook-scandals/

Tessian (2020) Psychology of human error: Understand the mistakes that compromise your company’s security. Available from https://www.tessian.com/research/the-psychology-of-human-error/

TOR (no date) TOR project. Available from https://www.torproject.org

Waqas (2017) 1 million decrypted Gmail and Yahoo accounts being sold on dark web. Hackread. Available from https://www.hackread.com/1-million-gmail-yahoo-accounts-on-dark-web/

Zhao, Qingchuan, et al. (2020) Automatic uncovering of hidden behaviors from input validation in mobile apps. Ohio State University and the Helmholtz Centre for Information Security. Available from https://web.cse.ohio-state.edu/~lin.3021/file/SP20.pdf
