By Steve Earls, Chief Information Security Officer overseeing LegalShield’s cybersecurity programs and teams. Steve is a seasoned cybersecurity leader who has innovated cybersecurity and risk management strategies at the CIA, Verizon Wireless, and Trane Technologies.
Identity theft is a distressing crime for anyone to deal with. Sometimes, it can even have catastrophic consequences for your life. But even in the best scenarios, dealing with a stolen identity involves lots of time, effort, and money. It helps to know what kind of attacks to look out for so you can avoid falling victim in the first place. We’ve laid out several key elements to watch out for, as well as countermeasures you can take to reduce your risk of identity theft.
Why attack you?
When bad actors unlawfully utilize your identity for gain, you must wonder how the bad actor obtained enough of your personal information to successfully exploit you and why they chose you in the first place. The truth is, in many cases, you are simply the victim of chance. Your email address or phone number was wrapped up in a cyberattack, or they got your information as a result of attacking a third party with which you do business.
Cases where an individual is specifically attacked can involve corporate officers who have access to lots of sensitive information and/or money. These attacks are better constructed, and corporations have processes and technology to combat a bad outcome. Whether you are a senior executive or simply a concerned consumer, you can be better prepared with knowledge and tools to reduce risk.
How does it happen?
There are two main categories of attacks that people should understand:
Attacking the person (you)
This occurs when the bad actor is attacking you directly. Attacking the person involves:
· Phishing – the bad actor uses email as the attack vector.
· Smishing – the bad actor uses text messaging as the attack vector.
· Vishing – the bad actor uses a voice call as the attack vector.
· Direct mail – the bad actor uses snail mail (USPS etc.) as the attack vector.
Attacking a third party
This occurs when a third party (companies that have your personal information) is attacked. This one is more difficult to influence, but there are a few things you can do.
Attacking a third party includes the same methods used to attack the person, but also includes attacks on a company’s technology. The attacker is trying to gain access to information that provides value (to them), which usually consists of personal information like names, addresses, dates of birth, Social Security numbers, etc., or credit card and banking information. Your ability to prevent these types of attacks is limited because the bad actor isn’t attacking you directly. That said, there are some things you can do.
What can you do about it?
Attacking the person
Ensure you NEVER immediately react or respond to emails, text messages, or phone calls inquiring about personal information or payment information. A few minutes of research can save you the weeks or months (or years) it takes to reconstruct your identity and credit relationships.
These rules need to be followed, without fail:
· Email – Never click links within emails unless you’re certain they are legitimate. Always confirm with the supposed source of the email by contacting a verifiable telephone number (or email) and confirming whatever is being asked. Never use the information within the suspect email as a confirmation method. Use known, good contact methods.
· Websites (treat them like email) – Never enter personal or financial information into a website unless you navigated there yourself, via known good links. Never enter anything into unsolicited or strangely timed/looking web popups!
· Text messages – Never respond to text messages with personal or financial information. No reputable company will ever ask for this info via text messaging. If in doubt, contact the alleged “text sender” via a known good contact method and ask them if they texted you.
· Phone call – Never provide personal or financial information over the phone unless you have verified who has called you, or unless you initiated and intended to contact a company (your bank etc.) and contacted them via a known good phone number. Never call a phone number that comes in via suspect email, text message, or phone call. This could sound like an unknown speaker saying a variation of, “Go ahead and call this other number…” But that other number will be fraudulent!
Attacking a third party (companies that have your information)
To reduce the risk of a third party losing your personal or banking information, you should do the following:
· Don’t save your credit card or banking information on third-party websites (allowing them to store this information). If they get hacked, you don’t want your credit card or banking information involved! It’s a bit more work to type this information in every time you purchase something, but this effort goes a long way toward preventing identity theft.
· Be conscious of who you’re doing business with because they probably have information that can lead to the theft of your identity. Do not share your personal or banking information with companies you feel are risky. Your gut feeling can play a very big part in reducing risk.
Move forward with confidence and empowerment.
It is essential for you to know the key elements associated with identity theft and what you can do to help prevent it.