• Facebook and Instagram users are being targeted by cybercriminals promoting fake grants, particularly grants for COVID-19 relief. Recent grant scams reported to the Identity Theft Resource Center (ITRC) include requests for gift cards to “pay the taxes” if the grant is approved. 
  • The messages come from cloned accounts or hacked profiles of one of the user’s real Facebook or Instagram friends.  
  • Anyone receiving a message about a grant via Facebook, Instagram, phone, or text message should report it.  
  • If anyone wants to learn more about the Facebook grant scam or believes they are a victim, they should contact the ITRC toll-free at 888.400.5530 or by live-chat. Just visit www.idtheftcenter.org to get started. 

While Facebook grant scams have been around for a while, the Identity Theft Resource Center (ITRC) has seen a spike in calls and live-chats around this type of scam, particularly a new version that targets people in need of money due to hardships from the COVID-19 pandemic.  

The grant scam is not just circulating on Facebook. ITRC advisors have also received cases from victims who claim they were targeted on other social media platforms, including Instagram, owned by Facebook. 

Who is the Target 

Facebook users appear to be the primary target. However, other social media platforms like Instagram are beginning to see similar scams. The BBB reports that scammers are also creating versions of the Facebook grant scam to target people by phone and text message.   

What is the Scam 

Cybercriminals attack social media accounts or create lookalike accounts to target friends, family members, or other people trusted by the impacted account owner. Once the account has been compromised, the criminals message the friend telling them about a government grant. 

Some of the recent grant names the ITRC has seen are the Department of Homeland Security (DHS) grant, the RWCB grant, the Federal Government Empowerment grant and the Publisher’s Clearinghouse (PCH) Fee Government grant. The victims are then told to call a phone number about the grant and are asked to fill out a form that includes one’s Social Security number (SSN) and Driver’s License (DL) information before the grant is approved. The “friend” may claim they have already applied for the grant and received the funds. 

ITRC advisors say, right now, the most common reports of the Facebook grant scam evolve around phony grants for COVID-19 relief. The ITRC also continues to see Facebook grant scams where scammers ask for gift cards to “pay their taxes” associated with an approved grant. 

What They Want 

Scammers are looking to escape with the victim’s money, their personal information, or both to commit other identity crimes. 

How You Can Avoid Being Scammed 

  • If you receive a Facebook message from a friend regarding a grant opportunity, chances are it is a scam. Do not respond or provide any personal information. 
  • Inform your friend that their Facebook or Instagram account might be hacked or cloned. A big red flag is if you receive a new friend request from an existing friend and receive a direct or private message about a grant opportunity. 
  • Report the grant scam to FacebookInstagram, or other social media platforms where you receive the fraudulent grant message. Once you’ve reported the scam, delete the message. 
  • Never pay any money for a “free” government grant. A government entity will not ask you to pay a processing fee or taxes for a grant you were awarded, especially in a social media message. 

If you believe you are a victim of a Facebook grant scam or would like to learn more, contact the ITRC Center toll-free. You can call (888.400.5530) or use the live-chat function on the company website. Just go to www.idtheftcenter.org to get started.   

  • In 2020, the Federal Trade Commission (FTC) received nearly 100,000 business or personal loan fraud reports, many of them related to Small Business Administration (SBA) loan identity fraud.
  • That’s more than double the number of loan fraud reports from a year earlier. The Identity Theft Resource Center (ITRC) has also seen a spike in SBA loan identity crime reports since the COVID-19 pandemic.
  • Identity thieves apply for SBA loans (primarily Economic Injury Disaster (EIDL) and Paycheck Protection Program (PPP) loans) using stolen Social Security numbers and business Employer Identification numbers (EINs).
  • Scammers are also targeting consumers through phishing schemes in an attempt to steal their Social Security Numbers and other personal information needed to commit SBA loan identity fraud.
  • If anyone believes they are the victim of an SBA loan identity crime or would like to learn how to protect themselves from becoming a victim, they can contact the ITRC to speak with an advisor toll-free at 888.400.5530 or via live-chat. Just go to www.idtheftcenter.org to get started.

Small Business Administration (SBA) loan identity fraud spiked in 2020 due to COVID-19, and it continues to be a growing issue in 2021. The Federal Trade Commission (FTC) says in 2019, they received 43,920 reports of fraud involving business or personal loans; the number more than doubled in 2020 as the FTC had 99,650 reports. The FTC acknowledges that not all of the reports are related to SBA loan identity fraud, but also notes many of them are.

The Identity Theft Resource Center (ITRC) has seen a spike in calls and live-chats around SBA loan-related identity theft. The contacts continue today as contact center advisors work to help victims. Here is a testimonial from one victim who turned to the ITRC regarding their SBA loan identity crime case:

“I want to thank you for all your suggestions. You are the third (organization) I have contacted and by far the most helpful. I received a form from the Small Business Administration, and after returning it with the police report and the Identity Theft Report, I was informed that my debt with them would be canceled. It is such a huge weight off me. I did everything you suggested, and our credit is frozen with all the CRA’s. Thank you again.”

There are different forms of SBA loan-related identity theft of which  businesses and consumers should be aware:

Economic Injury Disaster Loans (EIDLs)

Economic Injury Disaster (EIDL) loans, loans for businesses that suffer substantial economic injury located within a disaster area, have always been available through the SBA. However, they have been expanded as part of the CARES Act to provide relief to businesses experiencing financial loss due to COVID-19. Identity fraud from an EIDL loan occurs when a threat actor applies for an EIDL loan using either a consumer’s Social Security Number (SSN) or a business’s Employer Identification Number (EIN).

Paycheck Protection Program Loans (PPPs)

Paycheck Protection Program (PPP) loans were designed to help businesses maintain their payroll and keep their workforce during COVID-19, and they are available through a lender. Identity fraud from a PPP loan occurs when an identity thief applies for a PPP loan using a stolen SSN, a business EIN or other stolen personal information needed to obtain a loan.

What to do if You Are a Victim of SBA Loan Identity Fraud

If a consumer or a business is the victim of an SBA loan identity crime (whether it’s from either an EIDL or PPP loan), they should take the following steps:

  1. Go back to the source of the loan to notify them of the identity fraud. If the identity fraud is from an EIDL loan, the victim should contact the SBA. If the fraud involves a PPP loan, the affected party should contact the lender that issued the loan. See below for more information on what the SBA requires people to submit, where to submit it, and details on their process.
  2. File an Identity Theft Report with the FTC at www.IdentityTheft.gov. An Identity Theft Report is one of the required documents by the SBA to cancel the loan debt as quickly as possible. Other documents needed include photo identification issued by a federal or state agency and a completed and signed Declaration of Identity Theft. For more information on the steps required by the SBA, click here.
  3. Place a credit freeze to lock credit files until they are needed.A credit freeze is the most effective way to ensure new loans or accounts are not opened.
  4. A less effective option is to place a fraud alert on credit files to alert potential creditors to take extra precautions before extending credit.
  5. Verify with the Secretary of State’s Office or another government agency where the business is registered to ensure the company’s ownership and registration status have not been changed.

Contact the ITRC

Anyone who believes they are a victim of SBA loan identity fraud should contact the ITRC for more information. People can speak to an advisor by phone (888.400.5530) or by live-chat to develop a resolution plan. Anyone who wants to document their steps can use the ITRC’s ID Theft Help app’s case log feature. Consumers who want to learn more can also check out our latest education resources at www.idtheftcenter.org.

  • Digital wallets, an electronic version of payment cards and accounts, and mobile payment apps have become more popular during the global pandemic. U.S. users jumped from 38 percent to 55 percent of smartphone owners in 2020 because they are more convenient and secure for many consumers. They also help serve an important population: the unbanked and underbanked
  • It can be difficult for some households (approximately 7.1 million) to get a bank account for an array of reasons. Digital wallets and mobile payment apps allow those households to make payments, store funds, transfer money to other financial accounts and even write checks depending on the app.  
  • Digital wallets and mobile payment apps can be less risky than traditional payment methods because there are security measures that are not available when someone pays with a physical card or cash. Because digital wallets are contactless, they also represent less of a health risk during the COVID-19 pandemic. 
  • To learn more about digital wallets, contact the Identity Theft Resource Center toll-free at 888.400.5530 or via live-chat on our website www.idtheftcenter.org.  

Digital wallets and mobile payment apps continue to grow in popularity. In fact, U.S. users jumped from 38 percent to 55 percent of smartphone owners. A digital wallet allows people to carry much of what they would have in their physical wallet on a mobile device. Payment apps are also surging in popularity. According to an article in Newsday, a recent survey sponsored by SimpleTexting, a Miami Beach provider of text messaging software, shows that 81 percent of those polled use cash apps more often since the COVID-19 pandemic. Digital wallets provide people with more payment options and allow them to convert physical cash to an online account to then link to these services, especially those who are unbanked and underbanked

Digital Wallet vs. Mobile Payment App 

A digital wallet is a virtual version of payment cards and financial accounts that can be accessed on a computer or smart device. Some popular digital wallets include ApplePay, Google Pay, Samsung Pay and PayPal. Mobile payment apps are tied to purchases made at a single business such as Starbucks or Walmart, or an app like Venmo that transfers cash to other people as payment. 

The Benefits and Risks of a Digital Wallet and Mobile Payment App 

Digital wallets and mobile payment apps allow people to simplify how they make payments and what they have to carry with them to purchase items. Both kinds of apps enable consumers to complete transactions without using cash while protecting financial account information and passwords. Digital wallets use security protocols, like two-factor authentication and one-time-use PIN numbers. They also use advanced encryption and virtualization techniques that ensure people’s financial information never leaves their actual device.   

However, that does not mean criminals will not target users. Keeping a device secure by using screen locks and device passwords/biometrics is vitally important, along with the ability to remotely disable a smart device if it’s lost or stolen. If a thief gains access to someone’s digital wallet, they may have the ability to make purchases or steal someone’s fundslike one person from Grosse Pointe Farms. There is still the risk of also being tricked into old-fashioned product or service fraud, too. Users of digital wallets and payment apps need to be cautious and only engage in a transaction if it’s part of a purchase or fund transfer they initiate. 

Digital Wallets and Mobile Payment Apps Help the Unbanked and Underbanked 

The FDIC Survey of Household Use of Banking and Financial Services found that in 2019 approximately 7.1 million U.S. households were unbanked, meaning no one in the home had a bank account. The number of unbanked and underbanked people (U.S. residents with limited access to banking services) is on the decline, and the increased use of digital wallets and payment apps is part of the trend.  

Digital wallets and mobile payment apps are a great answer and a more secure way of making financial transactions for those who cannot or do not want to access a bank’s services. It is safer, there are fewer fees and easier access. Unbanked and underbanked households can make payments, store funds, transfer money to other financial accounts, and even have bill pay (check writing) features depending on the app.  

Digital wallets and mobile payment apps can also improve financial inclusion by reducing people’s dependency on cash and decreasing risks associated with handling money, such as health concerns, fraud, theft, and loss. 

What People Should do to Stay Safe 

  • Enable all the security features like screen lock/biometric lock and Find my iPhone to keep hackers from accessing the digital wallet, payment apps as well as stealing login credentials or money. 
  • Use a strong password and good cyber hygiene/security practices on all accounts to reduce the risk of hacking. The Identity Theft Resource Center (ITRC) encourages consumers to use a passphrase that is at least 12 characters long.  
  • Beware of phishing attacks because they could lead to a hacked account. Consumers should avoid unsolicited emails or text messages that ask the user to send money directly through a digital wallet or payment app. Criminals may send people an unsolicited payment request through a mobile app, so users should only use a digital wallet or mobile payment app if they initiate the transaction.  
  • Look for red flags like payments you did not make using your payment apps. If someone is victimized, they should report it to the app, change their account password and consider scanning their device with antivirus software. 

Contact the ITRC 

If anyone has questions about digital wallets, how to use them or how safe they are, they can contact the ITRC. Consumers can reach a live advisor for free by phone (888.400.5530) or live-chat and can get access to the ITRC’s latest information. All people have to do is visit www.idtheftcenter.org to get started. 

  • Changes are about to happen when it comes to mobile device privacy. Privacy advocates have long sought regulations in the U.S. to mandate opt-in requirements rather than opt-out.  
  • In the spring, Apple will change their mobile operating system to automatically block data collection unless someone explicitly opts-in. 
  • Some advertising experts estimate that between 50 to 75 percent of iPhone users will pass on agreeing to share data based on experiences with other opt-in opportunities. Some researchers believe as few as five percent of Apple product owners will opt-in. 
  • The trend in marketing and advertising gives consumers more of a voice in what information is collected about them and how it is used. It’s the core of modern privacy – informed consent. The more transparency that exists about personal data and its use, the more informed the consent. 
  • For information about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) new data breach tracking tool, notified.  
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org.  

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for February 19, 2021. Each week, we look at the most recent and interesting events and trends related to data security and privacy. This week we look less at security and more at privacy, specifically about major changes that are about to happen to mobile device privacy and how that relates to our travels around the internet. 

Sir Walter Scott wrote in his epic poem – “Oh what a tangled web we weave when first we practice to deceive.” That gives us the title for this week’s episode: “A Tangled Web.” 

Cookies on the World Wide Web 

From the earliest days of the internet, when it was still called the “World Wide Web,” small pieces of code were added to websites that would attach to a website visitor’s browser. The code snippet was called a “magic cookie” because it would help websites remember someone already visited the website and provided information that personalized the experience. 

Privacy Concerns Around Tracking Cookies  

Over the next 20 years, the amount of data collected by cookies and how cookies were used to track movement around the web became a source of privacy concerns. In 2018, the European Union (EU) became the first government to regulate cookies to require website owners to get visitors to express permission to attach a tracking cookie – before the web content the user was trying to access could be delivered.  

The rule’s practical effect was to end the practice of using tracking cookies to collect consumer information to fuel online advertising – first in the EU and now globally. The major browser makers – Apple, Mozilla, Microsoft and Google – have all blocked third-party tracking cookies or will soon do so. 

Identifier for Advertisers (IDFA) on Apps 

Moving around the internet with a mobile device is a bit little different. Most people use an app rather than a browser to access the web. Instead of cookies, there is a different piece of code known as an Identifier for Advertisers (IDFA) that collects and reports who and how one uses an app.  

However, unlike a cookie, an IDFA can be managed easily in a phone or tablet’s settings if the device maker allows one to opt-out of app data collection. The default settings on all smartphones today are to enable data collection from apps.  

Opt-In and Opt-Out Requirements 

Here’s where we talk about the big changes on the horizon in mobile device privacy. Privacy advocates have long sought regulations in the U.S. to mandate opt-in requirements rather than opt-out. This is so consumers have the opportunity to make an informed decision about what data is collected, by whom, and how it is used. To date, most laws and regulations – if they mandate any consumer consent at all – require consumers to be offered the chance to opt-out of data collection. 

Apple to Block Data Collection Unless Someone Opts-In 

However, in the spring, Apple will change their mobile operating system to automatically block data collection unless someone explicitly opts-in. In fact, the first time someone opens an app after the upgrade, they will be asked if they want to allow data collection. That’s a monumental change in mobile app privacy from today’s opt-out world. 

People may have read in the media that not everyone is happy about this change. Facebook and other large advertisers are concerned with the loss of consumer data that will result if a large number of iPhone and iPad users decline to opt-in to data sharing.  

Some advertising experts estimate that between 50 to 75 percent of iPhone users will pass on agreeing to share data based on experiences with other opt-in opportunities. Some researchers project as few as five percent of Apple product owners will opt-in. 

The clear trend in marketing and advertising is giving consumers more of a say in what information is collected about them and how it is used. It’s the core of modern privacy – informed consent. The more transparency that exists about how personal data is used, the more informed the consent. 

Informed consent includes understanding that there will be fewer targeted, personalized ads with less personal data available to marketers and advertisers. Also, there may be fewer free products and services as website owners add fees or subscriptions to make up for lost revenue from data sales. 

Apple has not announced when the update that includes the new mobile device privacy settings will be released, so consumers should stay tuned for more details. 

Contact the ITRC 

If anyone has questions about protecting their personal information, they can visit www.idtheftcenter.org, where they will find helpful tips on this and many other topics.  

If someone thinks they have been the victim of an identity crime or a data breach and need help figuring out what to do next, they can contact us. Victims can speak with an expert advisor on the phone (888.400.5530), live-chat on the web, or exchange emails during our normal business hours (6 a.m.-5 p.m. PST). Just visit www.idtheftcenter.org to get started. 

Be sure to check out the most recent episode of our sister podcast, The Fraudian Slip. We will be back next week with another episode of the Weekly Breach Breakdown


  • The Identity Theft Resource Center’s (ITRC) 2020 Data Breach Report shows 62 percent of cyberattacks that led to data breaches in 2020 involved phishing and ransomware.  
  • Google and Stanford University study reveals that people with more than one device are more likely to be struck by a phishing attempt. It also says that Australia is the most targeted country for phishing attacks
  • Proofpoint Security study says people who had personal data exposed in a third-party breach were five times more likely to be targeted by phishing or malware. 
  • All three reports make the same point about the rise in phishing attacks – a data breach does not mean someone’s identity has been misused. It means people impacted are at increased risk of becoming an identity crime victim. 
  • For information about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notified
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org.  

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for February 12, 2021. Each week, we look at the most recent and interesting events and trends related to data security and privacy. This week we talk about what seems to be the average cybercriminals’ favorite pastime – phishing and the rise in phishing attacks. Phishing with a ph. In Troilus & Cressida, Shakespeare’s incredibly complex play about the Trojan War, the main character compares the great lengths some people go to deceive the search for the other kind of fishing that gives rise to our episode title: 

Whiles others fish with craft for great opinion, 

I with great truth catch mere simplicity 

ITRC 2020 Data Breach Report & the Rise in Phishing Attacks 

Two weeks ago, the ITRC released our annual data breach analysis, which pointed out that 62 percent of cyberattacks that led to data breaches in 2020 involved phishing and ransomware. Phishing was in the number one position because it is a simple attack to execute. 

Google and Stanford University Study Reveals New Phishing Attack Findings 

This week, Google and Stanford University released a new study that looked at the 1.2 billion phishing emails aimed at Gmail users during a five-month period in 2020. Among the findings: 

  • People are more at risk of a phishing attempt if they have more than one device. If someone only has a desktop or laptop, or only has a smartphone, they are less likely to be a target. The conclusion is if someone has multiple devices, they have more of an online presence. It is the same if someone sends a lot of emails – they are five times more likely to be phished if they do. 
  • Older users are targeted more frequently than younger people. Someone between the ages of 55-64-years-old is 1.6 times more likely to be the target of a phishing scheme than someone who is 18-24-years-old. One potential reason is that the older someone gets, the bigger their footprint, which makes them easier to find. 

People in Australia are More Likely to be Targeted by a Phishing Attack 

Who in the world do you think is the most targeted country? This will surprise you. While U.S. residents send more emails by volume than any other country, people in Australia are more likely to be targeted for a phishing attack than anyone else. In fact, the odds are nearly double that they will be phish bait down under.  

The U.S is number 16 when it comes to the likelihood of being targeted on a country adjusted basis. This is the point where we need to ask once again – why is there a rise in phishing attacks? 

Third-Party Breaches and Their Impact on the Rise in Phishing Attacks 

Proofpoint Security reported this week a 14 percent increase in malicious phishing emails in 2020 over the previous year. Here is the truly staggering statistic: People who had personal data exposed in a third-party breach were five times more likely to be targeted by phishing or malware, according to the report, which highlights just how damaging these types of data breaches can be, even in the long run. 

What the Reports Mean for Consumers  

The report comes on the heels of the announcement of the release in an identity marketplace of the largest set of logins and passwords ever compiled. Around 3.2 billion credentials were stolen in previous data breaches and bundled in a single file. All of these reports – from the ITRC, Google and Stanford University, and Proofpoint make the same point – a data breach does not mean someone’s identity has been misused. It means people those impacted are at increased risk of becoming an identity crime victim. 

To quote Proofpoint: 

“Our results suggest that data breaches expose users to lasting harms due to the lack of viable remediation options.” 

Contact the ITRC 

If anyone has questions about protecting their information from data breaches and data exposures before they happen, visit www.idtheftcenter.org, where there are helpful tips on phishing attacks and many other topics – including the 2020 Data Breach Report

If someone believes they have already been the victim of an identity crime or a data breach and needs help figuring out what to do next, contact us to speak with an expert advisor on the phone (888.400.5530), chat live on the web or exchange emails during our normal business hours (6 a.m.-5 p.m. PST). Just visit www.idtheftcenter.org to get started.  

Be sure to check out the most recent episode of our sister podcast – The Fraudian Slip – with a special guest from the Federal Trade Commission (FTC). We will be back next week for another Weekly Breach Breakdown. 

  • An Internal Revenue Service (IRS) text scam is circulating to get consumers’ personal information, which may put them at further risk of tax identity crimes. 
  • According to the Federal Trade Commission (FTC), imposter scams were the top reported fraud in 2020. The FTC had approximately 500,000 reports of the scam, leading to an estimated $1.2 billion in lost funds.  
  • People may receive text messages from their tax service but will never get a text message directly from the IRS. (People should still independently check with their filing service because scammers may also spoof tax filing entities.
  • If anyone receives a text claiming to be from the IRS, they should ignore it, not click on any links or attachments, forward the text and originating phone number to the IRS at 202.552.1226 and then delete the text message. 
  • For more information on IRS text scams or if someone believes they are a victim of tax identity theft, they can visit www.idtheftcenter.org for resources or speak with an advisor toll-free by phone (888.400.5530) or live-chat. 

IRS Text Scam Pops Up on First Day to File

February 12, 2021, is the first day for people to file their 2020 tax returns, and many consumers may receive an email or notification from their tax service that it is time to file. Scammers are trying to take advantage by posing as IRS agents to exploit tax filers. 

The Identity Theft Resource Center (ITRC) has received reports of a new Internal Revenue Service (IRS) text scam that claims “your federal tax return was rejected.” The IRS text scam is designed to get consumers’ personal information, which puts people at additional risk of tax identity theft. Here’s an example of the IRS text scam sent to the ITRC: 

Example of the IRS Text Scam sent to the Identity Theft Resource Center

Government Imposter Scams Continue to Spread 

The IRS text scam is not a new tactic for scammers. Government imposter scams were among the top frauds in 2020 reported by the Federal Trade Commission (FTC). The FTC says that they received nearly 500,000 reports of imposter scams that cost people $1.2 billion, with a median loss of $850. Government and business imposter scams were among the top categories of COVID-19 and stimulus-related reports. 

Cybercriminals Target Tax Season 

Criminals know they can take advantage of tax season by posing as an IRS representative, especially with more Americans likely to receive a Form 1099-G because their state employment office is providing documentation for receipt of unemployment benefits. However, many of those taxpayers may be victims of unemployment benefits fraud because identity thieves received benefits in their name.  

What You Should Do 

The IRS will not text anyone about their tax return. People may receive a text from their tax filer, but never from the IRS. (People should still independently check with their filing service because scammers may also spoof tax filing entities.)  

If anyone gets a text message claiming to be the IRS, they should do the following: 

  1. Do not respond, open any attachments or click on any links. An attachment or a link could contain a malicious code that has the ability to infect someone’s device. 
  1. The IRS asks people to forward the IRS text scam and the originating phone number as-is to  202.552.1226.  
  1. After forwarding the information to the IRS, the original text message should be deleted.  

It is also a good idea to never respond to any unsolicited messages. Instead, consumers should reach out directly to the company or person the message claims to be from to verify the message’s validity. People should also refrain from providing their personal information unless it is necessary or with a trusted organization. 

Contact the ITRC 

Anyone who believes they are the victim of an IRS text scam, tax identity theft, or wants to learn more can visit the ITRC website for additional resources. They can also contact an advisor toll-free by phone (888.400.5530) or by live-chat. All people have to do is visit www.idtheftcenter.org to get started. 

  • According to the Federal Trade Commission (FTC), imposter scams were the top reported fraud in 2020. The FTC had approximately 500,000 reports of the scam, leading to an estimated $1.2 billion in lost funds.  
  • The Identity Theft Resource Center (ITRC) saw many different forms of identity-related imposter scams in 2020, including scammers pretending to be healthcare workers with COVID-19 tests or vaccinesfamily members that needed help, and government officials so they could steal stimulus payments
  • Online shopping and negative reviews were the second most reported fraud to the FTC in 2020, and phone calls and text messages continued to be the top method for scammers to attack consumers. 
  • The ITRC also saw online shopping scams spike, particularly during the holiday season, and saw an array of phone scams, including utility scamsvoice cloning scams, and coronavirus testing scams linked to consumers’ identities. 
  • For more information on 2020 fraud trends or if someone believes they are a victim of fraud, they can visit www.idtheftcenter.org for resources or speak with an advisor toll-free by phone (888.400.5530) or live-chat. 

2020 has come and gone, and scammers have left their mark. As Identity Theft Resource Center (ITRC) COO James E. Lee cited many times over the last year, 2020 was the Super Bowl, World Series, World Cup and NBA Finals all rolled into one for scammers. In April, ITRC CEO Eva Velasquez said she had never seen anything that would create a more massive scale of fraud than COVID-19. A recent report from the Federal Trade Commission (FTC) confirms that 2020 was a banner year for the bad guys. 2020 fraud trends reported by the FTC show 2.2 million people reported fraud, and $3.3 billion was lost to that fraud.  

Slide from the ITRC and FTC’s Identity Theft Awareness Week 2020

Watch now: Ripple Effects of COVID-19 Related Identity Theft & Tips to Protect Yourself in 2021

Imposter Scams Were the Top Reported Fraud in 2020 

Scammers acted as many different groups of people in 2020. Some of the threat actors pretended to be government officials to steal stimulus payments or Small Business Administration (SBA) loans. Others pretended to be healthcare workers with COVID-19 tests or vaccines, or family members that needed help. Some even acted as fake charities.  

The FTC reports that they received nearly 500,000 reports of imposter scams that cost people  $1.2 billion, with a median loss of $850. Government and business imposter scams were among the top categories of COVID-19 and stimulus-related reports. 

Online shopping and negative reviews were the second most reported fraud category of 2020, according to the FTC. The ITRC saw a spike in online shopping, particularly during the holiday season. Adobe Analytics reports U.S. consumers spent $188 billion shopping online during the holiday season, a 32 percent year-over-year increase. The U.S. Department of Commerce also validates the significance of the spike, showing online sales traditionally rise between one to two percent per year. 

COVID-19 brought an increase in online shopping and then a wave of reports about sellers failing to deliver on promises, or just failing to deliver. The FTC says they got more than 350,000 reports, with people claiming they lost a total of more than $245 million, with a median loss of approximately $100. 

Scams from phone calls and text messages continued to be the top method for scammers to target consumers. The ITRC saw numerous phone scams involving the misuse of personal information in 2020, like the utility scamvoice cloning scam and the coronavirus testing scam.  

The FTC says there was an increase in the number of reports saying that scammers contacted them by text message. The ITRC saw numerous text message scams in 2020, including COVID-19 contamination scamsstimulus checks scams and election scams. The FTC had reports of many of the same text message scams, including stimulus relief, economic relief or loans for small businesses or “waiting packages.”  

What Consumers Should Do  

While every scam is different, consumers should: 

  • Never respond to any unknown or unsolicited messages they receive. Instead, people should reach out directly to the company or person the message claims to be from to verify the message’s validity. 
  • Never voluntarily give out any personally identifiable information (PII). People should only provide PII when necessary and confirm the company or organization asking for it is legitimate. 
  • Never click on any links, attachments or files in an unexpected or unsolicited message. Many times, the links, attachments and files lead to malware. 

Anyone who wants more information on 2020 fraud trends, or believes they were a victim of fraud, can visit the ITRC website for additional resources. They can also contact an advisor toll-free by phone (888.400.5530) or by live-chat. All people have to do is visit www.idtheftcenter.org to get started.. 

1.6 Million people who filed for unemployment claims in 2020 in Washington state have had their personal information exposed in a data breach. The Washington State data breach was due to data stolen from a third-party company, Accellion.  

What Personal Information Was Exposed in the Washington State Data Breach?

· Names

· Social Security numbers

· Driver’s License or state identification numbers

· Bank information

· Place of Employment

Are You One of the 1.6 Million People Impacted by the Washington State Breach? Here’s What You Should Do.

1. A threat actor could attempt to take over existing accounts or open new ones using your information – now or in the future.

Read next: Info Sheet – Email Account Takeover: What to do When You Have Been Hacked

2. Your unemployment benefits could be stolen. Organized cybercriminals have already used stolen credentials and other identity information to apply for unemployment benefits through state websites, including Washington resulting in legitimate claims being denied or payments re-directed. State officials reported more than $500 million in fraudulent claims in 2020.

3. You could find yourself the victim of identity-related tax fraud. Taxpayers in have received Form 1099 G’s that report how much income a taxpayer received from government benefits like unemployment benefits – even though they did not apply for or receive benefits.

Read next: Info Sheet – What Consumers Need to Know About a Data Breach

Steps to Take Now

· Obtain a free credit report

· Freeze your credit for free.

· If you do not want to freeze your credit, consider a fraud alert on your credit report

· Review your accounts and account statement for any suspicious activity

· For free guidance and assistance from the Washington state data breach, call and speak to an ITRC Victim Advisor at 888.400.5530 or click “Chat now.”

· Stay up to date on the latest news about this breach on the Washington State Auditors page: https://sao.wa.gov/breach2021/

Access our free Help Center with more than 50 Info Sheets and Action Plans.

More About Data Breaches & Resources

While data breaches do not automatically mean your identity will be misused, you are at increased risk of an identity crime. The online publication Threat Post pointed out in a Feb 10, 2021 report that “Users who had personal data exposed in a third-party breach were five-times more likely to be targeted by phishing or malware, which highlights just how damaging these types of data breaches can be, even in the long run.”

As noted in the ITRC’s 2020 Data Breach Report, phishing is the most common form of a cyberattack that results in a data breach today, usually in connection with ransomware. Together these attacks represent 62 percent of attacks in 2020 that resulted in the release of consumer information. 

More about Identity Theft

The use of your Social Security number can result in many different forms of identity crimes. Below is information so you know what to look for and what to do if you become a victim. You can call and speak to an ITRC Advisor at any time for active tips and victim assistance at 888.400.5530 or click “Chat now.”

Data Breach Notifications

Tax Identity Theft

  • Bonobos suffered a data breach when the hacking group, ShinyHunters, downloaded and posted a database on a free hacker forum, compromising close to three million accounts.  
  • ShinyHunters also stole a database from online dating website MeetMindful.com, compromising 1.4 million accounts and exposing 2.28 million user’s information. Data in the database included IP addresses, encrypted account passwords and Facebook information. 
  • A U.S. Cellular data breach occurred after hackers were able to scam employees to gain access to one retail store’s computer, affecting 276 people.  
  • For more information about January data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) data breach tracking tool, notified.   
  • If you believe you are a victim of identity theft from a data breach, contact the ITRC toll-free at 888.400.5530 or through live-chat on the company website. 

Notable January Data Breaches in 2021 

Of all the data breaches the Identity Theft Resource Center (ITRC) tracked in January, three stood out: Bonobos, MeetMindful.com and U.S. Cellular. All three data events are notable for unique reasons. One compromised close to three million accounts; another includes a compromised dating website, leading to the attacker leaking millions of user’s data; the third event happened when criminals successfully targeted a handful of retail store employees, leading to malware being added to the company’s point-of-sale system.  

Bonobos Breach

The E-commerce apparel company, Bonobos recently suffered a data compromise after Black-hat hacker group, ShinyHunters, downloaded a cloud backup of a database and then posted the full database to a free hacker forum, compromising 2.8 million accounts. 

According to bleepingcomputer.com, the 70 GB database consisted of addresses and phone numbers for seven million shipping addresses, account information for 1.8 million registered customers and 3.5 million partial credit card records. The article says that one threat actor claims to have already cracked the passwords for 158,000 accounts. The hacker turned the cracked passwords into a ‘combolist’ used in credential stuffing attacks to log in using the stolen credentials at other sites. 

Bonobos is emailing data breach notification letters to people who may have been affected. 

MeetMindful.com 

Online dating company, MeetMindful, had more than 1.4 million user accounts compromised and 2.28 million user details exposed after the same hacker group, ShinyHunters, struck the dating site by leaking a 1.2 GB file on a publicly accessible hacking forum. 

According to ZDNet, some of the most sensitive information in the file includes names, email addresses, locations, IP addresses, encrypted account passwords and Facebook information. Not all of the leaked accounts have full details included in them. However, for many of the MeetMindful users, the provided data can be used to trace their dating profiles back to their real-world identities.  

U.S. Cellular 

Mobile wireless carrier, U.S. Cellular, recently suffered a data breach after hackers gained access to protected systems by installing malware on a computer at a U.S. Cellular retail store. According to Forbes, hackers targeted multiple U.S. Cellular retail store employees who had access to the company’s customer relationship management (CRM) software.

The Office of the Vermont Attorney General reports that hackers may have gained access to a wireless customer account and wireless phone number. Employees were successfully scammed by unauthorized individuals and downloaded software onto a store computer. Since the employees were already logged into the CRM, the downloaded software allowed the unauthorized individual to remotely access the store computer and enter the CRM system under the employee’s credentials.  

The U.S. Cellular data breach affected 276 people and exposed names, addresses, PIN codes and mobile phone numbers, as well as information about wireless services, including service plan, usage and billing statements known as Customer Proprietary Network Information (CPNI). 

What to Do If These Breaches Impact You 

Anyone who receives a data breach notification letter should follow the advice offered by the company. The ITRC recommends immediately changing your password by switching to a 12+-character passphrase, changing the passwords of other accounts with the same password as the breached account, considering using a password manager, and keeping an eye out for phishing attempts claiming to be from the breached company.

If you receive a suspicious email, especially if it asks to click on a link, download a file, or verify your login & password, ignore it. Victims of the U.S. Cellular data breach should contact U.S. Cellular to establish a new PIN, reset their password, and contact U.S. Cellular at 888.944.9400 with any questions or concerns 

notified  

For more information about January data breaches, or other data breaches, consumers and businesses should visit the ITRC’s data breach tracking tool, notified, free to consumers.

Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.   

Contact the ITRC 

If you believe you are the victim of an identity crime or your identity has been compromised in a data breach, you can speak with an ITRC expert advisor at no-cost by phone (888.400.5530) or live-chat. Just go to www.idtheftcer.org to get started.

Also, victims of a data breach can download the free ID Theft Help app to access resources, a case log and much more.  

  • The Internal Revenue Service (IRS) and the Identity Theft Resource Center (ITRC) expect to see an increased number of Americans who are victims of 1099-G form fraud due to unemployment benefits obtained in their name. In fact, the ITRC has already received calls and like-chats about the fraud. 
  • Unemployment benefits fraud has led to a large spike in identity-related fraud cases recorded at the ITRC. Also, the Department of Labor Inspector General estimates that as much as $26 billion in pandemic-related unemployment benefits were obtained by fraud. 
  • The IRS says anyone who receives a 1099-G form related to unemployment benefits that were not received should contact the state (or states) that paid the benefits to request an amended 1099-G form that can be sent to the IRS as proof they did not receive the funds.  
  • The IRS also encourages people to file their taxes early and use direct deposit for the quickest refunds. The IRS will begin accepting and processing 2020 tax returns on February 12. 
  • Anyone who believes they are a victim of 1099-G form fraud or unemployment benefits fraud should contact the ITRC toll-free by phone (888.400.5530) or live-chat on the ITRC’s website 

Tax season is right around the corner. On February 12, the Internal Revenue Service (IRS) will begin accepting and processing 2020 tax returns. While consumers look for their W-2 forms for wages and 1099 forms for non-wage income, some consumers may find themselves victims of 1099-G form fraud from an identity crime that started to spike in the spring of 2020.  

The Identity Theft Resource Center (ITRC) has already begun to receive phone calls and live-chats from victims stating they received a 1099-G form, wondering what to do next. According to The Vermont Labor Commissioner Mike Harrington, in Vermont, 1099-G forms for nearly 44,000 people were sent to the wrong address after a likely mix-up. 

These are issues the ITRC and IRS recently discussed on the Fraudian Slip, the ITRC’s podcast, where we talk about all-things identity compromise, crime and fraud, including the impact identity issues have on people and businesses. 

Unemployment Benefits Fraud 

People have been falling victim to unemployment benefits fraud since the COVID-19 pandemic began, leading to a rise in unemployment. In an average year, the Identity Theft Resource Center (ITRC) is contacted by fewer than 20 unemployment benefit fraud victims. However, in 2020, more than 700 victims of unemployment benefits fraud reached out to the ITRC, and more than 6,000 consumers visited the company website idtheftcenter.org to find information about unemployment benefits fraud.  

Also, the Department of Labor Inspector Generalhas informed Congress that as much as $26 billion or more in fraudulent pandemic-related unemployment benefits have been paid. California officials say the amount of fraud in the state is at least $11 billion.   

1099-G Form Fraud due to Unemployment Benefits Fraud 

As staggering as the numbers for unemployment benefits fraud were in 2020, the number of people who found out they were impacted by the fraud could rise even more once tax season begins. More Americans than ever are likely to receive 1099-G forms that report how much government benefit income a taxpayer received. If an identity criminal used someone else’s information to file for unemployment benefits, the benefits are considered taxable income that will be reported to the IRS by the state paying the benefit. While states are aware of many fraudulent payments, some fraudulent unemployment benefits may have gone undetected. The IRS expects to see a rise in taxpayers that contest their 1099-G forms claiming they did not receive any unreported income from government benefits 

What Consumers Should Do 

There are several steps that consumers should take if they receive an inaccurate 1099-G form. 

  • Contact the state(s) that issued the 1099-G The IRS advises taxpayers who receive an incorrect Form 1099-G for unemployment benefits they did not receive to contact the issuing state agency and request a revised Form 1099-G showing they did not receive these benefits. Taxpayers who cannot obtain a timely, corrected form from states should still file an accurate tax return, reporting only the income they actually received. A corrected Form 1099-G showing zero unemployment benefits in cases of identity theft will help taxpayers avoid being hit with an unexpected federal tax bill for unreported income. Taxpayers do not need to file a Form 14039, Identity Theft Affidavit, with the IRS regarding an incorrect Form 1099-G. The identity theft affidavit should be filed only if the taxpayer’s e-filed return is rejected because a return using the same Social Security number already has been filed. 
  • Apply for the IP PIN– The IRS now allows any taxpayer who can verify their identity to seek an “Identity Protection PIN.” The IP PIN can be used when filing an income tax return to help prevent cybercriminals from filing fake tax returns.Consumers can visit IRS.gov and click on the Identity Theft Protection link at the bottom of the home page to apply for the IP PIN. While it does not prevent unemployment benefits fraud that already occurred from impacting their tax return, it can still protect them from tax identity theft. 
  • File taxes early While this tip does not apply to unemployment benefits fraud, it is always a good idea for people to file their taxes as soon as possible to reduce the likelihood of a criminal beating them to it. The IRS says consumers should file electronically and use direct deposit for the quickest refunds.  

If anyone believes they are the victim of 1099-G form fraud, unemployment benefits fraud or both, they can contact the ITRC toll-free for help. Victims can call to speak with an advisor (888.400.5530), live-chat with an expert or send an email during business hours. All people have to do is visit idtheftcenter.org to get started.