Since 2005, the Identity Theft Resource Center (ITRC) has been tracking publicly notified breaches, building one of the most comprehensive repositories of data in the U.S. that is updated daily.

One of the most recent cybercrimes the ITRC reported involves a cybercrime ring, ShinyHunters, stealing the information of over 200 million customers from at least 13 different companies. In early May, ShinyHunters posted 15 million customer records on the dark web. Two days later, the hacking group began offering the entire database to buyers, which included 91 million user accounts from an Indonesian website.

Since then, ShinyHunters has offered more than 100 million users’ account information at popular websites like dating app Zoosk, meal kit company Home Chef, design-focused marketplace Minted, Minnesota’s Star Tribune newspaper, health and wellness website Mindful, photo printing service Chatbooks and online publication Chronicle of Higher Education.

While not all of those companies acknowledged ShinyHunters’ claims, more are recognizing the data breaches once they confirm there was data theft. One of the latest companies to confirm a data breach was Mathway, a popular education app for iPhone and Android devices. It is believed that the information stolen includes data about children who are the primary users of the app. The Mathway data has proven to be worth a lot on the dark web, going for $4,000 in bitcoin (or over $375 million U.S.) for 25 million stolen user accounts.

ShinyHunters has acknowledged its successful hacks. In fact, in an interview with WIRED magazine, a spokes-hacker said “it is not too hard” to breach so many organizations. They continued to say that “it’s just a way to make money.”

Groups that commit wholesale data theft are not amateurs like one might see in a TV show or a movie. These groups are professional threat actors that run their groups like any business. They have advertising campaigns, marketing campaigns, help desks and customer support – all to steal people’s information and convert it into cash.

Two other recent data breaches the ITRC has noted were of PaperlessPay, a third-party provider for personal information like W-2s and paystubs, and Wishbone, a social media app that lets users compare products and then interact with other app users to find out what products are hot and what are not.

In February, federal law enforcement investigators found identity thieves selling PaperlessPay client data. The personal information compromised included the names, addresses, pay and withholdings, Social Security numbers and bank account numbers, in some cases.

In regards to Wishbone, hackers are selling 40 million account profiles, which include names, email addresses, phone numbers, locations, genders, social media profiles and hashed account passwords of users. While hashed passwords are typically useless to a thief because the original passwords are scrambled and have to be recovered first, Wishbone uses an outdated form of hashing that is easily cracked with a password-breaking tool. This is the most recent breach for Wishbone, which was also successfully attacked in 2017.
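To illustrate why the storage scheme matters once a password table leaks, here is an added example (not ITRC's or Wishbone's code) that contrasts an unsalted fast digest with a salted, slow key-derivation record and upgrades legacy records at login. The page does not name Wishbone's algorithm; MD5 is used only as an assumed stand-in for an outdated scheme, and the user names and passwords are constructed.

```python
import hashlib
import hmac
import os
from collections import defaultdict

PBKDF2_ITERATIONS = 600_000  # work factor; tune to the server's hardware

# Constructed sample accounts; two users happen to pick the same password.
SAMPLE_PASSWORDS = {"alice": "sunshine2020", "bob": "sunshine2020", "carol": "Tr0ub4dor&3"}


def legacy_digest(password: str) -> str:
    """Unsalted single-pass MD5: assumed stand-in for an 'outdated' scheme."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256 record: scheme$iterations$salt$key."""
    salt = os.urandom(16)  # unique per record, so equal passwords differ
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${key.hex()}"


def verify_password(record: str, password: str) -> bool:
    """Recompute the key with the stored salt and compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, key_hex = parts
    key = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(key.hex(), key_hex)


def shared_digests(records: dict) -> list:
    """Groups of users whose stored values are byte-for-byte identical."""
    groups = defaultdict(list)
    for user, value in records.items():
        groups[value].append(user)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)


def login_and_upgrade(stored: str, password: str):
    """Verify a login; a legacy digest that verifies is replaced by a new record.

    Returns (login_ok, record_to_store).
    """
    if "$" in stored:  # already in the salted format
        return verify_password(stored, password), stored
    if hmac.compare_digest(legacy_digest(password), stored):
        return True, hash_password(password)
    return False, stored


if __name__ == "__main__":
    legacy = {u: legacy_digest(p) for u, p in SAMPLE_PASSWORDS.items()}
    modern = {u: hash_password(p) for u, p in SAMPLE_PASSWORDS.items()}
    # Unsalted table: identical passwords are visible as identical digests.
    print("legacy duplicates:", shared_digests(legacy))
    # Salted table: no two records match, even for the same password.
    print("salted duplicates:", shared_digests(modern))
    print("upgrade on login:", login_and_upgrade(legacy["carol"], "Tr0ub4dor&3")[1][:20], "...")
```
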

Businesses must keep their cybersecurity and data protection up-to-date. If not, it can lead to data breaches and a loss of revenue from customers who might not trust the business with their personal information. It is also important for consumers to make sure their apps, websites and businesses they share data with have strong security to protect their information. Consumers are encouraged to ask questions before sharing personal information so they can take their business to a company that takes data protection and privacy seriously.

If someone believes they have had their information exposed as part of a data breach, or is a victim of identity theft due to a data breach, they can live-chat with an ITRC expert advisor. They can also call toll-free at 888.400.5530. Advisors can help victims create action plans that are tailored to them. Victims can also download the ID Theft Help App. The app lets them track their case in a case log, access resources and tips to help them protect their identity and more.

Join us on our weekly data breach podcast to get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform.



Some consumers have yet to receive their stimulus check, leaving many wondering why. The Identity Theft Resource Center has seen a sharp increase in “stolen stimulus check” cases. However, not everyone who believes they had their stimulus check stolen finds that to be the case. In fact, there are a handful of reasons why people could still be waiting. With that said, some are legitimately stolen.

The FTC reports that some stolen stimulus checks appear to be from nursing home residents. Nursing homes in several states have made residents sign over their stimulus checks. Other cases involve people committing physical mail theft, like this New York man who stole over $12,000 worth of stimulus checks. Some thieves are going as far as stealing stimulus checks from postal trucks. The Chicago metro saw multiple postal trucks get broken into in April.

No matter how stimulus checks are being stolen, it can be a headache for consumers and something law enforcement is working to stop. If someone believes they are the victim of a stolen stimulus check, they should report it to the Federal Trade Commission (FTC) and the IRS.

  • Victims of a stolen stimulus check can go to IDTheft.gov and click “Get Started”
  • On the next page, which is titled “Which statement best describes our situation,” victims should click the line that says “Someone filed a Federal tax return – or claimed an economic stimulus payment – using my information.”
  • After the victim answers the questions provided, the page will complete an IRS Identity Theft Affidavit for the victim to submit electronically to the IRS, which can also be downloaded for file keeping
  • The website will provide the victim with a recovery plan to follow that includes steps to prevent identity theft
  • The IRS and their “Get My Payment” tool is a way for consumers to learn the status of their payment, including where it was sent. For more information, consumers can visit the IRS’s Economic Impact Payment Information Center and Get My Payment Frequently Asked Questions pages for detailed, and frequently-updated, answers to questions. They also can find information here about payments that the IRS may have deposited to an account that is not recognized.

It is important for consumers to remember that the IRS will never call, email, text or reach out via social media to anyone about a stolen stimulus check or to receive a stimulus check. If someone does, it is probably a phishing scam looking to steal personal information and should be reported to the proper agency.

If someone had their stimulus check stolen, or had another form of government identity theft, they can live-chat with an Identity Theft Resource Center expert advisor or call toll-free at 888.400.5530. ITRC advisors will walk victims through the process and tell them where they need to go, who they need to talk to, what they need to say and what they need to do.



Since 2005, the Identity Theft Resource Center has compiled publicly-reported U.S. data breaches as part of our data breach tracking efforts. While our 2019 Data Breach Report revealed an annual 17 percent increase in data breaches compared to 2018, there has since been a data breach decrease reported during the first quarter of 2020, both in the number of incidents and individuals impacted.

In the first quarter of 2020, there were 337 publicly reported breaches and exposures. During the same time period in 2019, 520 data events were reported, which means there have been nearly 185 fewer breaches/exposures reported in 2020. In terms of people impacted, 131 million individuals were affected from January through March of 2020. While that might sound like a lot, 442 million people had their data compromised during that same timeframe in 2019. Overall, the number of data compromises decreased by nearly 35 percent, and the number of people affected by 66 percent, in the first three months of 2020. Any decrease in data compromises is a good thing, but it’s important to understand what’s behind the drop in the numbers.

The ITRC tracks both publicly reported data breaches and data exposures in a database containing 25 different information fields and 63 different identity attributes that are updated daily. While the ITRC has one of the most comprehensive repositories of data compromises, not all incidents are publicly reported; there can be significant delays between when a breach occurs and is publicly reported. The result of these factors can produce a reduction of publicly reported data events.

There are other reasons why the ITRC’s data could be different from other data breach reports – especially those that are reporting an increase in data compromises in Q1 2020. For example, the ITRC reports the number of records compromised based on the number of individuals impacted, not the number of records stolen or exposed. We believe this methodology gives a more accurate view of the human impact of a data breach or exposure since a single person may have multiple records involved in a single event.

The COVID-19 pandemic could have also played a role in the data breach decrease (particularly in March) as threat actors turned their attention to using the data they already had to launch phishing attacks and COVID-19 scams rather than launching new mass cyberattacks. However, there is no substantive proof of why there was such a drastic decline in the first quarter numbers. With that said, the ITRC believes data breaches could return to a more traditional trendline later in 2020.

If someone believes they have had their information exposed as part of a data breach, or is a victim of identity theft due to a data breach, they can live-chat with an ITRC expert advisor. They can also call toll-free at 888.400.5530. Advisors can help victims create action plans that are tailored to them. Victims can also download the ID Theft Help App. The app lets them track their case in a case log, access resources and tips to help them protect their identity and more.


This post will be updated as more information becomes available

Contact tracing scams have begun to pick up steam with the evolving technology coming closer to becoming a reality. Some of those scams include hackers and fraudsters posing as contact tracers – both online and in person – trying to steal personally identifiable information (PII), personal health information (PHI) and other personal data.

The United States began the re-opening process after the COVID-19 pandemic closed many aspects of daily life. That is expected to include many precautions to keep people safe, including contact tracing – a method used to find the people who may have come into contact with someone infected with COVID-19. In fact, many people anticipate contact tracing will play a large part in keeping people informed of their risk of exposure until a vaccine is available.

Apple and Google are cooperating to ensure the different phone operating systems are compatible for contact tracing purposes. Apple and Google are also working with health departments across the country to figure out how to roll out an effective contact tracing Bluetooth-based system that would allow public health departments to create their own contact tracing apps. Despite doubts from some health officials on how useful Apple and Google’s optional systems will be, the two tech companies have developed the digital contact tracing system, and have included it in their latest software updates. Contact tracing apps have already rolled out in other countries. According to MIT Technology Review, so far, there are 25 contact tracing efforts globally. However, none of those apps work in the U.S. Consumers should beware of any attempt to entice them or someone else to download and register for an app.

While app development efforts continue, scammers are tricking people into contact tracing scams using fake apps that steal their personal information. The Better Business Bureau of Connecticut warns people about text messages in their area that appear to be linked to COVID-19 contact tracing, alerting people that they were near someone who tested positive for coronavirus. Police in Washington state are alerting residents of contact tracing scams going around trying to steal sensitive information, including credit card information and Social Security numbers. The Champaign-Urbana Public Health District urges residents not to fall for contact tracing scams, adding that they will never alert people of a positive test via text.

In all of these scams, fraudsters are trying to steal people’s personal information, whether it is by trying to get them to click on unknown malicious links or simply asking for them to provide it. Hackers then have the ability to turn right around and sell the information, which could lead to identity theft. Even when legitimate apps are available, users should check to see if the data they share will be used for marketing purposes without their permission or sold for other purposes.

To avoid a contact tracing scam, people should stay informed on the latest contact tracing details, as well as the most up-to-date COVID-19 information from their state and local health departments. Local health departments will inform people of what a legitimate contact tracer will ask and any protocols they will follow. If anyone gets a text or notification they are not expecting that they were in contact with someone who tested positive for COVID-19, they should ignore it and call their local health department to confirm the validity of the message. They should not provide any information they are asked for, nor should they click any links, open any attachments or download any files.

If anyone believes they have fallen victim to a contact tracing scam or is a victim of identity theft, they can live-chat with an Identity Theft Resource Center expert advisor or call toll-free at 888.400.5530. An advisor can help victims create an action plan on the steps they need to take that are customized to their needs.



Unemployment identity theft, also known as unemployment fraud, continues to skyrocket across the United States during the COVID-19 pandemic; particularly hard-hit is Washington state. A possible Nigerian fraud ring could be to blame for many of the cases involved in the uptick. According to the New York Times, a group of international fraudsters from Nigeria are believed to be behind a sophisticated attack on the U.S. employment systems, an attack that has already led to millions of dollars being stolen. While the U.S. Secret Service is still working to identify everyone involved, Special Agent Roy Dotson believes the unemployment identity theft is being aided by mules (people who transfer illegally acquired money on behalf of or at the direction of another) being used for money laundering after making connections with fraudsters online.

According to a memo from the U.S. Secret Service in the New York Times article, investigators received information that suggested the scheme was coming from a Nigerian fraud ring, and that hundreds of millions of dollars could be lost. Washington state is believed to be the primary target for the unemployment identity theft and unemployment fraud attacks. However, there has also been evidence of attacks from this group in Florida, Massachusetts, North Carolina, Oklahoma, Rhode Island and Wyoming.

The Identity Theft Resource Center (ITRC) believes many fraudsters are trying to take advantage of more people, money and activity running through state employment offices due to the unusual lengths that government has gone to support Americans in light of the COVID-19 pandemic financial impacts. The ITRC has received reports from victims where workers have received notifications that their unemployment application was approved, even though they did not apply or are still working.

There are things consumers can do to reduce the likelihood of becoming a victim of identity theft as a result of an unemployment identity theft attack. If someone has an account with a government agency, they should upgrade to a passphrase and check to see if their information has been changed. If it has been changed, it should be reported to the state agency. It is also important for people affected to update all of their accounts to passphrases, and to make sure their passphrases are not reused and that a work passphrase is not used at home, or vice versa. It is important to update passphrases and not use them across multiple accounts because identity thieves use stolen login information from data breaches to commit other crimes like unemployment benefits identity theft.

It is also a good idea for people to freeze their credit because it prevents new accounts and new obligations from being created that require a credit report. However, it will not stop the creation of an account with a state agency. To help protect personal information from being used in a cyberattack, it is a good idea for people to keep all of their software up-to-date, including their anti-virus software.

If someone believes they are a victim of unemployment identity theft or unemployment fraud, they are urged to live-chat with an ITRC expert advisor. Victims can also call toll-free at 888.400.5530 to leave a message for an advisor to return the call. Advisors will help guide victims and walk them through the process by creating an action plan that is tailored to their needs.



This blog will be updated as more information becomes available

Reports of accidental exposures and data leaks from six different states’ unemployment websites have some consumers concerned. Illinois, Arkansas, Colorado, Ohio, Florida, and most recently, Kentucky have all suffered recent unemployment department data exposures due to their quick response in setting up convenient, DIY websites for those seeking unemployment benefits due to closures from the coronavirus.

Pandemic Unemployment Assistance, or PUA, offers federal assistance to those who are affected by the quarantine. The PUA can be especially helpful as self-employed people, independent contractors and other “gig economy” workers can receive assistance during this time.

In an effort to expedite the submission and processing of these applications, many states have relied on outside vendors to establish their PUA application web portals. Unfortunately, in the rush to help consumers, some of those websites launched before they could be thoroughly quality tested and reviewed for security. The multiple unemployment department data exposures left tens of thousands of users’ complete identities exposed, leading to even more cause for concern.

In each of the six states, the PUA application sites were taken down until they could be secured. Two states, Colorado and Ohio, were notified by Deloitte, their vendor, as to the exposure. One state is already offering credit monitoring to all 72,000 of its PUA recipients, while the others are still investigating and could offer support as their findings unfold.

Also, due to the difficulties surrounding quarantine and employment at this time, the Identity Theft Resource Center has seen cases where workers received notifications that their unemployment application was approved, even though they had not applied for assistance or were still working. However, there is no known link between those cases and the current issues with the Pandemic Unemployment Assistance sites.

All consumers should remain aware of the threat, regardless of their current employment status. If anyone suspects that their personally identifiable information has been exposed or compromised, they are encouraged to place a freeze on their credit reports with the three major credit reporting agencies. They are also encouraged to use anti-virus solutions to secure their devices and protect their online accounts, update their old passwords to a stronger passphrase and make sure none of those passphrases on their personal accounts are also used on their work accounts.

Anyone who has questions or believes they have been affected by an unemployment department data exposure is urged to live-chat with an Identity Theft Resource Center expert advisor. Victims can also call the ITRC toll-free at 888.400.5530. Another tool for victims of a data breach or data exposure is the ID Theft Help App. The app can serve as a “breach activity” case manager for those impacted.



Fourteen million Key Ring customers, mostly across North America, may have had their personally identifiable information exposed in a Key Ring data leak that affected the company’s Amazon S3 web storage buckets. The buckets can hold vast databases of information. However, they are not configured as fully secured by default when they are created. Rather, it is the client’s (in this case Key Ring) responsibility to secure their storage buckets.
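As an added example (not code from ITRC, Key Ring or vpnMentor), the following check shows how a bucket owner could review exported bucket settings for public exposure. The input shapes mirror what the S3 GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock calls return; the bucket name and all sample documents are constructed, and the script runs offline.

```python
import json

# Predefined S3 groups that make an ACL grant public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _wildcard(principal) -> bool:
    """True when a policy principal is '*' or {'AWS': '*'}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def assess_bucket(name, acl, policy_json, public_access_block=None):
    """Return {'bucket', 'exposed', 'findings'} for one bucket's settings."""
    pab = public_access_block or {}
    findings = []

    # ACL grants to public groups count unless IgnorePublicAcls neutralises them.
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GROUPS and not pab.get("IgnorePublicAcls"):
            group = uri.rsplit("/", 1)[-1]
            findings.append(("exposed", f"ACL grants {grant['Permission']} to {group}"))

    # Allow statements for any principal count unless RestrictPublicBuckets is on.
    policy = json.loads(policy_json) if policy_json else {}
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for statement in statements:
        if statement.get("Effect") != "Allow" or not _wildcard(statement.get("Principal")):
            continue
        if pab.get("RestrictPublicBuckets"):
            continue
        detail = f"policy allows {statement.get('Action')} to any principal"
        if statement.get("Condition"):
            # A condition may narrow access; a human has to judge whether it does.
            findings.append(("review", detail + " under a condition"))
        else:
            findings.append(("exposed", detail))

    exposed = any(level == "exposed" for level, _ in findings)
    return {"bucket": name, "exposed": exposed, "findings": findings}


# --- Constructed sample settings (not real data) ---
BUCKET = "example-card-images"
PRIVATE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
     "Permission": "FULL_CONTROL"},
]}
OPEN_ACL = {"Grants": PRIVATE_ACL["Grants"] + [
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": f"arn:aws:s3:::{BUCKET}/*"},
]})
CONDITIONAL_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
     "Resource": f"arn:aws:s3:::{BUCKET}/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
]})
LOCKED_DOWN = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
               "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
# Blocks new public ACLs and policies only; existing ones keep working.
PARTIAL_BLOCK = {"BlockPublicAcls": True, "BlockPublicPolicy": True}

if __name__ == "__main__":
    for label, pab in (("no block", None), ("partial", PARTIAL_BLOCK), ("full", LOCKED_DOWN)):
        print(label, assess_bucket(BUCKET, OPEN_ACL, OPEN_POLICY, pab))
    print("conditional", assess_bucket(BUCKET, PRIVATE_ACL, CONDITIONAL_POLICY))
```
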

The Key Ring data leak was discovered in January 2020 by security researchers Noam Rotem and Ran Locar from vpnMentor, who reached out to both Amazon Web Services and Key Ring with their findings. They confirmed that the databases were secured sometime after February 18 when they first contacted the company.

The purpose of Key Ring, a digital storage app that holds uploaded images of its customers’ loyalty and gift cards, is to make shopping and mobile payments more streamlined by storing images of users’ customer loyalty account cards and gift cards. While Key Ring is not intended to be used to store more sensitive information like driver’s licenses, ID cards and other types of payment cards, some users have used it to save images of these sensitive documents. Affected users’ uploaded card images were unprotected in the Key Ring storage buckets, leading to the accidental Key Ring data leak.

There is no way of knowing whether this information was accessed by malicious actors; the data was discovered by researchers who uncover these unsecured databases to inform the owners. However, if hackers were able to get a hold of the information that was leaked, they could target the customers with spam or phishing attempts, take over the customers’ accounts, potentially use their payment methods for online shopping and more. Any customer who feels their data may have been compromised from the Key Ring data leak can contact Key Ring for more information about what protection is being offered. Those potentially affected should immediately change the passwords on their loyalty accounts, as well as monitor their bank accounts to look for any suspicious transactions, consider credit monitoring services and a credit freeze, and be on the lookout for phishing emails.

If anyone believes they have been affected by the Key Ring data leak, they can live-chat with an Identity Theft Resource Center expert advisor or call them toll-free at 888.400.5530. They can also download the ID Theft Help App, which allows victims to track their steps in a customized case log.



From groceries and household goods to medicine and clothes, the coronavirus pandemic has forced people to do a fair bit of their shopping online. According to data from ACI Worldwide, in March 2020, online retail shopping saw a rise in sales as high as 74 percent year over year. While online shopping is playing an important role in allowing people to stay home and safely shop during COVID-19, hackers are taking note as well. That could be part of the reason why retail and manufacturing companies are seeing the most attacks. It is also why it is so important for consumers to exercise online shopping safety to not expose their personally identifiable information (PII) unwittingly.

Online shopping has grown in popularity and ease of use over the years. The increase of its use due to COVID-19 could lead to a heightened risk of formjacking, when cybercriminals insert malicious code into an existing, reputable website and gain access to its sensitive user information. While a user shops the site, their data is sent to hackers even as the user’s cart is processing as it should with the retailer. According to CNBC, e-skimming attacks intended to steal people’s personal information while shopping online were already increasing before COVID-19. Online shopping amid the pandemic has also led to an increase in fake goods being sold online, like fake cures, vaccines and tests.
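On the site operator's side, formjacking is usually countered by controlling which scripts a checkout page may load. The audit below is an added example (not from ITRC or CNBC) that inventories script tags, flags hosts outside an allowlist, third-party scripts without a Subresource Integrity attribute, and integrity values that no longer match a reviewed copy. The host names, page markup and script contents are all constructed.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


def sri_sha384(content: bytes) -> str:
    """Subresource Integrity value: 'sha384-' + base64 of the SHA-384 digest."""
    digest = hashlib.sha384(content).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


class ScriptCollector(HTMLParser):
    """Collects (src, integrity) for every external <script> tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        attributes = dict(attrs)
        if tag == "script" and attributes.get("src"):
            self.scripts.append((attributes["src"], attributes.get("integrity")))


def audit_checkout_page(html, page_host, allowed_hosts, reviewed_copies):
    """Return a list of (script_src, finding_code) in document order."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src, integrity in collector.scripts:
        host = urlparse(src).netloc or page_host  # relative URL means first party
        if host != page_host and host not in allowed_hosts:
            findings.append((src, "host_not_allowlisted"))
        elif host != page_host and not integrity:
            # Without integrity, the browser runs whatever the third party serves.
            findings.append((src, "missing_integrity"))
        elif (integrity and src in reviewed_copies
              and integrity != sri_sha384(reviewed_copies[src])):
            findings.append((src, "integrity_mismatch"))
    return findings


# --- Constructed sample data ---
PAGE_HOST = "shop.example.com"
ALLOWED_HOSTS = {"pay.example.net", "cdn.example.net"}
WIDGET_JS = b"/* constructed payment widget v1 */ function pay(){}"
REVIEWED_COPIES = {"https://pay.example.net/widget.js": WIDGET_JS}
SAMPLE_HTML = f"""
<html><body>
<form id="checkout"><input name="card"></form>
<script src="/static/cart.js"></script>
<script src="https://pay.example.net/widget.js"
        integrity="{sri_sha384(WIDGET_JS)}" crossorigin="anonymous"></script>
<script src="https://cdn.example.net/analytics.js"></script>
<script src="https://stats-collect.example.org/c.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for src, code in audit_checkout_page(SAMPLE_HTML, PAGE_HOST, ALLOWED_HOSTS, REVIEWED_COPIES):
        print(f"{code:22} {src}")
```
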

Fraudsters understand the consumers’ needs to buy essential and nonessential goods during COVID-19 and are taking advantage. Tenable Research identified an SMS spoofing flaw that could have allowed an attacker to send spoofed messages to any mobile number. While the flaw was patched, hackers could have exploited it with malicious links.

Despite some of the risks of shopping online, there are things consumers can do to practice online shopping safety. People should make sure all of their transactions are at legitimate business websites that they visit directly. If someone comes across any fake products, they should report it to the National IPR Center or the Consumer Product Safety Commission. Finally, when creating an account to shop online, consumers should exercise online shopping safety by using strong security questions and answers.

To reduce the likelihood of falling victim to a phishing attempt while trying to shop online, consumers should protect their computers and devices by using security software, multi-factor authentication and backing up their data. These tips could help reduce the likelihood of a consumer falling for a scam or becoming a victim of identity theft. If someone believes they are a victim of identity theft or has any questions regarding online shopping safety, they can live-chat with an Identity Theft Resource Center expert advisor. They can also call toll-free at 888.400.5530.



Password security has been a hot topic for a long time. That is because passwords stand as the most commonly used tool to keep unauthorized individuals out of accounts and files. However, as technology changes and hackers adapt their methods to keep up, what was once considered best practices can change as well. That is why users need to keep up with the latest password advice. Today’s recommendations may evolve again in the near future, so staying up-to-date with the latest best practices is key to ensuring data is safe.

New password advice from top experts in cybersecurity updates how individuals should manage their password practices. For example, the “password” has fallen out of favor with some major corporations, like Microsoft, and law enforcement agencies, like the FBI. Instead, using the more descriptive and secure “passphrase” is recommended. Also, the once “golden rule” of changing passwords frequently—and requiring routine forced resets—has now been updated to reflect why this is not necessarily the best security habit.

First, a passphrase is a much longer security tool. Studies have found that a password’s “guessability” by hacking software decreases exponentially with every additional character. The six-to-eight characters guideline for passwords has been replaced with the recommendation of a nine-to-ten character passphrase. A passphrase, unlike a single word or acronym, is a short combination of words that mean something to the user. It can make the user more likely to create unique logins for every account they own instead of reusing a single password on multiple accounts. Common, strong passphrases could be things like the name of a favorite song, a movie quote or a favorite team cheer, such as “BoddaGettaBoddaGetta” or “HookEmHorns.”

Replacing a password/passphrase routinely has also been shown to have a downside. When users are forced to change a password/passphrase, they often simply alter just one character. For example, passwords such as “doghouse1” become “doghouse2,” which makes it easier to guess during attacks like credential stuffing.
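The check below is an added example (not from ITRC or any vendor) of how a password-change form could catch the “doghouse1” to “doghouse2” pattern. It assumes the user types the current password on the change form, so both values are available in memory without storing plaintext; the nine-character minimum follows the passphrase guidance above, and the edit-distance threshold is an assumption.

```python
import re

MIN_LENGTH = 9   # lower bound of the nine-to-ten character guidance above
MAX_EDITS = 2    # assumed threshold for "almost the same password"


def levenshtein(a: str, b: str) -> int:
    """Number of single-character inserts, deletes or substitutions from a to b."""
    previous = list(range(len(b) + 1))
    for i, char_a in enumerate(a, 1):
        current = [i]
        for j, char_b in enumerate(b, 1):
            current.append(min(
                previous[j] + 1,                       # delete from a
                current[j - 1] + 1,                    # insert into a
                previous[j - 1] + (char_a != char_b),  # substitute
            ))
        previous = current
    return previous[-1]


def base_word(password: str) -> str:
    """Lowercase the password and drop its trailing digits and symbols."""
    return re.sub(r"[^a-z]+$", "", password.lower())


def review_password_change(current: str, proposed: str) -> list:
    """Return reason codes for rejecting the change; an empty list means accept."""
    reasons = []
    if len(proposed) < MIN_LENGTH:
        reasons.append("too_short")
    base = base_word(current)
    if base and base == base_word(proposed):
        # doghouse1 -> doghouse2 or Doghouse2!: only the suffix or case moved.
        reasons.append("same_base")
    elif levenshtein(current.lower(), proposed.lower()) <= MAX_EDITS:
        # d0ghouse1, doghouse11 and similar small tweaks.
        reasons.append("near_duplicate")
    return reasons


if __name__ == "__main__":
    # Constructed sample changes, using the passwords quoted in the article.
    for old, new in [
        ("doghouse1", "doghouse2"),
        ("doghouse1", "Doghouse2!"),
        ("doghouse1", "d0ghouse1"),
        ("doghouse1", "cat7"),
        ("doghouse1", "HookEmHorns"),
    ]:
        print(f"{old} -> {new}: {review_password_change(old, new) or 'accepted'}")
```
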

Experts warn that passwords/passphrases should contain a combination of uppercase and lowercase letters, numbers and symbols. However, that password advice has also been re-examined. The likelihood of a user establishing and remembering a complex combination for every single account is not very high. However, creating a unique passphrase for every account is both more secure and a more likely practice.

Some of the password/passphrase advice has not changed. It is still important to create different passphrases for every account—meaning a separate phrase for every account—and to enable multi-factor authentication when possible. It is also important to avoid any passphrase similarities between work and personal accounts and not share login credentials with any unauthorized users.

As with all technology-related practices, the most important thing for users is being adaptable and able to evolve as the ecosystems change to address exploits. Microsoft, for example, has introduced three different methods for a no-password logon and has reported a lot of success. Keeping up with security findings and fitting them into daily use is a valuable way to protect valuable data and users’ identities.

If anyone has questions related to cybersecurity or password best practices, they can talk to one of our advisors via LiveChat by visiting our website, www.idtheftcenter.org.



During the COVID-19 pandemic, people are not traveling much – if at all. As a result, people could be more susceptible to travel loyalty account takeover (accounts that may include large amounts of personally identifiable information like driver’s license and passport numbers). They could also be more vulnerable to attacks because of past breaches and exposures like MGM, Marriott, Choice Hotels and Carnival Cruise Line, to name a few. Many experts are predicting a long, slow recovery to reach a sense of normalcy, while others believe “normal” will never be quite the same. One of the most impacted areas where that is expected is the travel industry.

With a 95 percent drop in passenger travel and most air passengers flying only in emergency situations, it could be hard for some to envision a speedy recovery for the travel and hospitality industries. For that reason, there is another precaution that consumers need to take in this time of quarantine: monitoring their travel loyalty accounts.

COVID-19 could make it easier for fraudsters to steal consumers’ credit card information, passport information, names, dates of birth, along with any other information included in a travel loyalty account. It could also allow scammers to steal credits and travel funds. In fact, one source cited an estimated fourteen trillion flight and hotel miles already go unused each year. That means a lot of travelers are saving up their bonuses or banking credits for unused trips but not cashing them in at the moment, which could attract hackers to travel loyalty accounts as a means to get their hands on PII as well as cash equivalent benefits.

Travel loyalty account takeover has been a problem for a long time. However, with people putting a halt to their travel plans for the immediate future, identity theft advocates like the Identity Theft Resource Center worry that those unmonitored accounts could be vulnerable to an attack due to lack of use or oversight. Account-holders need to protect themselves, and their accounts, in a variety of ways.

Fortunately, the steps that can help people protect their travel loyalty accounts are identical to the actions that users can take to secure any account type. First, people should monitor their account routinely for any signs of suspicious activity and report the activity immediately. Next, people need to be very cautious about clicking any links in emails, even ones that appear to pertain to travel loyalty credits or funds. Finally, people should secure their account with a strong, unique passphrase—one that is not easily guessed by hacking software and that is not reused on other accounts. It is also advised to change the account passphrase from time to time to prevent credential stuffing.

Anyone who believes they have fallen victim to travel loyalty account takeover is encouraged to live-chat with an expert advisor from the Identity Theft Resource Center. Victims can also call toll-free at 888.400.5530.

