It’s the ultimate payoff for a scammer: raking in a high-dollar payday with little effort or cybersecurity expertise. Unfortunately, that’s exactly what makes business email compromise scams, or BEC scams for short, so popular among criminals. By gaining access to an email account within a company, the potential for lucrative phishing scams is limitless.

One recent victim? Save the Children Foundation, a well-known non-profit organization that supports relief efforts for children all around the world. After scammers gained access to a staff member’s email address in 2017 and began sending invoices for solar panels to the proper department, the organization was cheated out of around one million.

BEC scams aren’t new. They used to be called “boss phishing” and “CEO phishing,” among other names. Now that criminals have figured out there are more people within a company with high-security access, the scam email can come from a variety of positions within the company.

The fact that BEC scams continue to work is alarming, though. In fact, the FBI reported that there were more than 300,000 cases of cybercrime in 2017, totaling over $1.42 billion in losses. BEC scams accounted for nearly half of those loses at $676 million. These scams saw a 137 percent increase in an eighteen-month period, and a report by WeLiveSecurity stated that social engineering scams like BEC and phishing emails were the third most commonly reported scam last year.

Unfortunately, social engineering scams still work, especially as scammers become more and more involved in the storyline. Those ludicrous old “Nigerian prince” email scams relied on social engineering, or getting the victim to hand over money in order to help someone in need and see a return on that money later. In the case of a BEC scam, the engineering is even simpler: “Bob from accounting” emailed an invoice—or so it appeared—and the recipient cut a check or transferred the funds, just like they do every single day. In other cases, the boss seems to have emailed a request for payroll records or W2 forms for everyone within the company; the assistant who received the email never thinks twice about following a logical request, and hands over the complete identities of everyone who works there.

In the case of business email compromise, the age-old advice isn’t easy to follow. Email scam recipients have always been told to ignore them. But how do you ignore a request from the CEO? How is a charity supposed to ignore an invoice for solar panels in a remote village when the organization’s job is literally to provide these things?

The first way for organizations to fight back against BEC scams is to institute iron-clad policies on submitting sensitive information, issuing payments and funds, changing account numbers or passwords, and other eyebrow-raising activities. The policy has to outline exactly which requests are to be questioned, as well as offer a layer of protection for an employee who requests verbal confirmation. Of course, preventing this kind of crime also starts with ensuring outsiders cannot gain access to a company’s email accounts, namely through strong, unique passwords that are force-changed on a regular basis and multi-factor authentication.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


Read next: The Government Shutdown is Hurting Crime Victims

The federal government shutdown is affecting hundreds of thousands of employees and their families, but other victims stand to be harmed as well. While the government and its agencies handle the employees and continued services for the duration, criminals have been busy contacting consumers with plausible shutdown-related scams.

One law enforcement agency has already alerted area residents to a Medicare scam related to the shutdown. Callers posing as government employees contact random citizens and claim their Medicare (and conceivably Medicaid as well) coverage will be suspended during the shutdown unless the would-be victim signs up to have their information submitted manually. Faced with losing healthcare and prescription coverage, it’s easy to see why someone might willingly hand over all of their personally identifiable information.

Another variation related to the shutdown involves zero-interest temporary loans to “help” federal employees weather the weeks ahead without a paycheck. It sounds like the ideal solution to a terrifying problem, right? Just receive the loan and pay back the funds when work resumes and any back pay arrives? Unfortunately, this isn’t a government program or even one that’s backed by any financial institution. It’s entirely the product of a scammer’s imagination; providing your personal data and your bank account information—presumably for the loan to be directly deposited—only makes you their next victim.

Yet another confirmed instance involves phishing emails that appear to come from your bank. The subject line may actually be very comforting, something about skipping payments during the shutdown, but that’s only to get you to open the email. Like most phishing emails, you’re directed to click the link to sign up for the free payment forgiveness offer, but the link can install harmful software on your computer, redirect to a fake website that steals your information, or worse.

It’s sickening to think that anyone would be so cruel as to steal from federal employees or Medicare recipients at a time like this, and worse, would use a frightening scenario such as the shutdown to steal from the public. Sadly, scammers love nothing more than a widespread crisis to lure their victims into their net.

There are some steps that consumers can take to protect themselves. Fortunately, these are not only useful during this shutdown, but rather are good habits to develop to keep yourself safe at all times:

1. Do not confirm your identifying information for anyone who contacts you.

No matter what excuse they give, refuse then take down their information. Then, using only a verified contact method, contact their business or agency yourself and find out what is wrong with your account.

2. The government will not call you out of the blue, regardless of what agency they work for.

If you receive a call from someone claiming to work for the government, it’s probably a scam.

3. The same applies to financial institutions.

Legitimate offers from a bank will arrive via postal mail and will never expect you to provide personal information to a caller or via email.

4. The best offense is always a strong defense.

Become “suspicious by nature” when anyone contacts you and wants your information or account access.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


Read next: The Government Shutdown is Hurting Crime Victims

With more than 60 million reported cases of identity theft in the US to date, there is no single demographic that is immune from the threat. In fact, the opposite is true; some age groups or even residents in certain states are more likely than the rest of the population to face identity theft. Unfortunately, the more natural prey you appear to a criminal, the more of a target you become.

January is Braille Literacy Month in honor of Louis Braille’s birthday, so it’s a good time to understand how the threat of identity theft manifests among people with low-vision or vision loss, as well as share some ways to help reduce the risk of becoming a victim. Fortunately, many of the same steps are worthwhile for all consumers, not just a single risk group.

First, the Identity Theft Resource Center partnered with the Braille Institute on a highly informative session explicitly aimed at low-vision and vision-impaired people on how to reduce your risk and overcoming the aftermath of identity theft should it occur.

Also, Empish J Thomas of Vision Aware has shared a very insightful look at her own experiences with identity theft. The account includes key information about issues and obstacles that could make low-vision consumers more of a target for identity theft, as well as ways to overcome those problems. For example, junk mail and carrying extra credit cards could lead to theft without the owner’s knowledge, so Thomas recommends having a core group of trustworthy people who can intervene.

Unfortunately, common identity theft attempts can prove to be even more of a challenge for visually impaired people. Telemarketers and door-to-door salesmen, for example, can turn out not to be who you thought they were; there’s also the crime of opportunity in which the individual might not have set out to steal your data but seizes the chance after discovering your vision issues.

Here are some steps to protect any consumer, but especially those with visual impairments or low vision:

1. Do not take anything at surface value, whether it’s a phone call, letter, or email.

Those can easily be spoofed or falsified, so make it a good habit to never give out your personal data to someone who requests it.

2. Shred all junk mail, health insurance statements, medical and credit card bills, and more.

If you need to rely on a volunteer or trusted friend to help you decide what needs to be shredded, make sure your items are in a safe place until you can seek that help.

3. Install a robust security suite on your computer and mobile devices.

Remember, antivirus isn’t enough anymore, but there are some very affordable products that protect you from a broader range of threats.

4. Request a free copy of your credit report each year. 

And be sure to study it carefully for suspicious activity. Take action immediately if something is uncertain or out of place.

5. If you do suspect you’ve been the victim of identity theft, get help immediately.

The ITRC and the Federal Trade Commission both have avenues for assistance, and specialty organizations like AARP and the Better Business Bureau can also start you in the right direction.

Again, these things and other security steps are good habits for any consumer, so make it a practice to protect yourself at all times.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


Read next: The Government Shutdown is Hurting Crime Victims

By ITRC CEO, Eva Velasquez

For victims of identity crimes there are emotional, physical and lost opportunity costs experienced even when resources are provided quickly and competently. The government shutdown will make the aftermath for these victims worse.  The Identity Theft Resource Center’s AftermathTM series sheds light on the less obvious but equally devastating effects of various identity crimes.  It also highlights the downstream impacts regularly faced by victims.  Right now, we are dealing with an obvious challenge on a national scale with the federal government shutdown. In keeping with our mission of advocating for victims, and increasing awareness of the complexity of the identity crime issue, I want to highlight some of the less obvious downstream effects our team is seeing impact not only victims but all citizens during this shutdown.

There is considerable attention being paid to the obvious consequences, and rightly so. Many folks, from federal employees to those that rely on government assistance to meet their basic needs, are certainly enduring hardship. However, there are other impacts, which are less obvious, and I feel compelled to share this perspective. This is not to make the point that these impacts are greater, or causing more harm than the ones previously mentioned, rather it is to shine some light on these less obvious consequences so that decision-makers and the public realize this is happening, and understand both the short term and long-term effects.

Currently, many departments of the federal government are shutdown. This includes the Federal Trade Commission.  The FTC and the ITRC share similar mission, and a strong collaborative relationship.  We have worked together on many initiatives to better the outcomes for identity crime victims. The individuals that we have worked with at the agency are amazing people, dedicated to helping victims and stopping the identity thieves. The resources that the FTC provides are an invaluable part of the remediation process.

What is notable about the shutdown for this department is that while ftc.gov remains fully functional, the identity theft assistance arm, identitytheft.gov and the associated call center are non-operational. That’s right; the website that victims go to for these invaluable resources is dark. Victims currently cannot obtain the FTC identity theft affidavit that is a critical first step for many, if not most, identity theft remediation plans.

Government shutdown advisory from identitytheft.gov

Until identitytheft.gov comes back online victims will need to go to their local police department and get a police report to move forward with proving their innocence. This is creating an increased workload for these local departments, a burden that was only recently lifted due to changes in the Fair Credit Reporting Act that allowed the FTC affidavit to serve as the report from a law enforcement agency in lieu of a police report.

If you believe that is not a big deal and at least there is some type of workaround, please realize that law enforcement agencies are not equipped to provide robust victim services for financial crimes victims (generally), which means they are not providing victims with remediation plans or helping them to put their lives back together.  Their job is to investigate, get the bad guy, and hopefully stop the thief from harming others. Those plans come from the FTC and the Identity Theft Resource Center. As second tier responder, the ITRC receives referrals from the FTC, but with them unavailable, we’re now in the position to have to assist those victims as a first responder.

If for some reason there’s a belief that identity crimes are not a big deal, listen to what the victims are saying to understand that is not the case. You can read our Aftermath study and hear it directly from them.

The ITRC and all its resources are here for victims. We can be reached through our website www.idtheftcenter.org and our call center at 888-400-5330. Bear in mind that the shutdown has created an increase in our call volume, so please be patient.

In addition to the short term consequences, there are several long-term impacts that one will only be able to measure fully when this crisis has passed and we can unpack it using hindsight and data. One of the questions is has there been an increase in the actual number of incidents during this time period. The temporary closure of the investigative bodies that act as a deterrent will have some impact and decades of personal experience working with law enforcement and observing criminal behavior leads me to the conclusion: “Of course there will.” Identity thieves are opportunistic. Who actually believes they are not talking with each other and managing their efforts to capitalize on LESS oversight?

Another question: how much worse will the impact be for those that fall victim to identity crime during this window of closure? The ITRC knows from experience that early detection of this crime leads to quicker remediation and lessens the trauma, not to mention the total impact. We also know that consumers experience intense fear upon discovery of being a victim of identity theft. The availability of a plan of action allows them to feel empowered; giving them the ability to fight back against the powerlessness they might be feeling. Some will minimize this reaction and continue to see victims of economic crimes as overreacting, but I assure you that it’s not an overreaction. Those feelings are real. Moreover, when they cannot access the assistance they need, when they need it, it increases that feeling of powerlessness. Imagine that you come home to find that your home burglarized. It is obvious that the burglars are long gone, but all of your belongings have been touched and gone through, and many are missing. You feel violated. You need help and you need to get this reported and resolved. You call the police to get that help and are told they are closed, until further notice, so you just have to wait and try to wade through it. You think, can I clean things up? Do I have to take pictures? What if I mess something up and it creates more problems down the road. That’s exactly what identity crime victims are feeling when they get to the inoperable FTC website. Powerless.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


Read next: The 2018 Impact of Data Breaches and Cybercrime

Ah, another year has passed and we’re ready to jump into the future of 2019. First, let’s take a look back at our predictions from 2018 that came true. We discussed the potential of AI to stop hacking, scammer’s new techniques to take advantage of social media users and transparency in IoT devices.  Of course with the emergence of technology and cybercriminals evolving their techniques, unanticipated challenges have arisen.

2019’s focus will be on data: Data breaches, data abuses, data privacy.  Even though ITRC is first and foremost a victim service and consumer education organization, we know that the thieves need our data in order to perpetrate their fraud and identity theft.

Data breaches: Consumers will gain more clarity (about how a specific breach actually effects them.  Breached entities will be pushed to be more transparent and less vague about the specifics of the type of data that has been breached.  Vague terms such as “and other data” or “client records”, that appear on data breach notification letter currently will no longer be tolerated by breach victims. Thieves are always looking to get their hands on our data and with a little technique called “credential cracking,” we think we’re going to be seeing more security notifications, not just breach notifications in 2019. Here’s what’s going on: following a large-scale data breach, and in order to gain access to your online accounts, a hacker simply uses a large database of usernames and allows the computer to “guess” the passwords for each account they are attempting to log into. We’re beginning to see companies send security notifications to their customers that their username/email credentials are being used – possibly by an unauthorized user – to login to their platform even if there is no account (i.e. Warby Parker & Dunkin Donuts).

Data Abuses: The public will gain more insights into data abuses, not just breaches.  More incidents, like the Facebook/Cambridge Analytica event will come to light.  As we as consumers demand more transparency, and as regulators probe deeper, the ongoing act of using our data for other than the purpose for which we have given consent will come out of the shadows.  Consumers will also start paying more attention to the notifications they receive from businesses that say their information was shared with third parties and what that means for them.

Data Privacy:  Consumer empowerment around privacy and data privacy is top of mind in a way that it has never been before.  Other states will follow California’s lead and pass their own data privacy legislation in the hopes of empowering consumers and keeping industry in check. Especially seeing as California, Florida, Texas, New York and Pennsylvania (in that order) had the highest numbers of cybercrime reports last year.  This will likely not provide the much needed long term solution, or the necessary cultural shift.  Just look at the condition of the state by state data breach notification laws, and the years-long discussion (that’s at a stalemate by the way) of a more universal regulation and process.  Will we start that cycle over again here?  Probably. Until the public has a concrete understanding of the complex relationship between data creators (consumers), data owners (the platform on which the data was created, generally) and data users (every industry currently operating in the US) these statewide measures will fall short of making any real headway into actually giving us more control over our data or more privacy.

Even though it has been discussed for over 13 years, there is a good chance that 2019 will be the year that a federal data breach notification law will become a reality.  Of course, predictions are just an educated guess based on previous events and information. Industry, policymakers and the public alike will have to wait and see how 2019 will be impacted by identity theft, cybercrime, hacking and data breaches. One thing we can be sure of though is that the ITRC will be here, working to fight back against the latest techniques to commit identity theft and scams.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


Read next: The 2018 Impact of Data Breaches and Cybercrime

Better than any Oscar nominations or National Basketball Association (NBA) rankings, there’s a different kind list that keeps cybersecurity experts and consumer advocates on the edge of their seats each year. This list, compiled from actual, intentional user mistakes, ranks the worst—make that “least secure”—passwords by how frequently they’re used.

Note: Why do far too many consumers continue to use ridiculously weak passwords? Because of a misunderstanding of how passwords are “guessed” by hackers. Despite what people might think, no one sits at a computer and types in one attempt after another. Instead, they deploy software that is capable of “guessing” random words, phrases and character combinations at literally billions of guesses per second.

(As one tech user said to the Identity Theft Resource Center when justifying the use of “password” as his online banking password, “It’s so easy no one would think to guess that one.” Unfortunately, that’s not how this works.)

This year’s list of worst passwords not only includes some that have been haunting the security industry for years, it also includes a few newcomers.

Taking the number one spot once again was “123456.” Interestingly, after the #2 spot went to “password,” the remaining top seven most commonly used passwords were the number variations “1234566789,” “12345678,” “12345,” “111111,” and “1234567.”

There were some odd choices this year, as the #8 spot went to “sunshine” and #10 was “iloveyou.” Number 9 was no surprise, unfortunately, as the ever-popular “qwerty” landed there.

“Admin” and “football” made the list again this year, as did “123123.” A shockingly high number of tech users thought they could beat the bots by holding down the shift key while hitting those number keys, which means “!@#$%^&*” was the 20th most commonly used password this year. Not to be outdone by the qwerty fans, a few more people tried to outwit the hackers by running their passwords straight up the bottom row of keys: “zxcvbnm” took spot #26.

People’s first names were surprisingly common passwords. Jordan, Joshua, George, Harley, Summer, Thomas, Buster, Hannah, Daniel and more were all in the top fifty.

The complete list of 100 most commonly used passwords is available by clicking here, but remember—it’s a guide of what not to do, not a list of passwords that are so simple no one would think you’d ever use them. So what kind of password should you use?

A strong, unique password is one that you only use on one account (not repeating it on multiple accounts), and that contains a long, virtually unguessable combination of letters, numbers, and symbols. Eight characters is typically considered the bare minimum for security but the longer the password, the harder it is for hacking software to guess it. While you’re creating this hopefully-foolproof password, remember to avoid common words, phrases, variations on your name, or the name of the website where the account was created.

So how are you supposed to remember a really long, secure password and make a separate one for each account? You could use a widely-respected password manager software, but there’s always a risk of those companies’ servers being hacked. If you’re really struggling to protect yourself, you can come up with your own cheat.

For example, pick a song or a book title that you will always remember, such as, “These Boots Were Made for Walking.” Now, pick a long number combination, like your childhood phone number. You can weave together the first letter of each word in the title (alternating uppercase and lowercase) and each digit in the phone number so that you end up with something that looks like “?T2b5W6m1F9w67!” Note the extra symbols at the beginning and end.

This fairly strong password is only good for one of your accounts, though. So here are a couple of things to try:

1. You can also weave in the name of the website, like PayPal or Amazon, by putting one of the letters at the beginning and one of the letters at the end. That way, you only have to remember two letters for each account and your strong password in the middle. This is NOT ideal from a security standpoint, but it’s far better than reusing your dog’s name on every account you own.

2. Use your very strong password for your email and simply click “forgot my password” every time you log into a different sensitive account. You’ll get an email to change your password on that site, and you can change it to anything you like—even just mashing keys on your keyboard—since you’re going to change it again the next time you log in.

There’s something else to consider about password security. Changing your passwords from time to time is important for keeping hackers out of your accounts. The ability to steal or purchase databases of old login credentials means someone could get your current password by stealing information that’s several years old. Protect yourself with regular updates to your password.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


Read next: The 2018 Impact of Data Breaches and Cybercrime

The Federal Trade Commission announced that it will be closed due to a lapse in its funding until the government shutdown ends. That means a number of critical services for consumers, businesses, law enforcement agencies, and other organizations will be temporarily unavailable. Some services—as outlined on the FTC’s website and the announcement on the shutdown—will still be in operation but with reduced staff numbers; this can have a big impact on those services and the timeliness of the support.

Consumers will not be able to file reports or notify the FTC of scams, fraud, or other similar issues during this time. Identity theft reports will also be on hold, as will the National Do Not Call Registry, the Consumer Sentinel Network for law enforcement, and other critical functions.

In the meantime, the non-profit partner Identity Theft Resource Center is ready and willing to help consumers in need and provide valuable insights to any law enforcement agencies or policymakers. The toll-free helpline (888) 400 – 5530 and live chat feature provide immediate answers to questions and concerns about your data, your privacy, and your first steps in the event of suspected identity theft.

ITRC resources can also help keep you informed about the latest scams, fraud, and cybersecurity trends, as well as provide you with actionable steps to avoid becoming a victim. Should you find yourself snared by this kind of criminal activity, our knowledgeable staff can help you take action. The website is also filled with helpful documents that are categorized by the type of consumer issue to assist you in finding the right resources. The Identity Theft Resource Center also has a free ID Theft Help app, which gives you access to resources and tips to protect your identity, a case log feature to help remediate your case as well as the ability to contact our call center advisors.

Fortunately, the FTC’s website and social media channels will still be available with past information, although these outlets will not continue to be updated during the shutdown. The ITRC will continue to post updates and new information at IDTheftCenter.org as well as on its Facebook and Twitter accounts.

During this time, it’s vital that consumers and businesses be extra vigilant about protecting themselves. There’s never a good time to let your guard down when it comes to your identity or your privacy, but at a time when the safeguards are suspended, it’s even more important that individuals use an air of caution when it comes to consumer interactions.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


Read next: The 2018 Impact of Data Breaches and Cybercrime

A phishing scam has led to the unauthorized access of more than 500,000 students’ identifying information in the San Diego Unified School District. Through emails sent to staff members of the school district, an outsider was able to gain staff members’ login credentials and view students’ profiles.

Phishing scams like this one are all too common. By masquerading as an official email from a verified source, outsiders can trick recipients into all manner of sensitive activities, from changing passwords and account numbers to transferring funds to paying phony invoices. In this case, the emails likely required staff members to verify their usernames and passwords.

The phishing attack is believed to have been carried out between January and November of this year, but school system officials first became aware of it in October. However, the credentials gave the unauthorized person access to student records dating all the way back to the 2008-2009 school year.

Impacted individuals are being notified by letter from the school system, and the current investigation has already identified someone believed to be responsible. Officials have not determined whether or not any of the data was actually stolen or used, but it was certainly possible to steal complete identities from the activity that occurred; therefore, they are treating this incident as a data breach.

There are some important takeaways from this news. The first is that sharing your information with outsiders can result in the loss of that data. If you are not absolutely legally required to turn over your complete identity or that of your children, don’t. If you are required to provide it, ask who will be able to access it and how it will be protected. In the case of the school system, even base-level staff members were able to view details like birthdates and Social Security numbers, something that they didn’t need.

Also, if you receive a notification letter that your information has been breached, it’s vitally important that you take note of what data was compromised and what steps the company is taking to make it right. If the company is offering credit monitoring or identity monitoring, don’t delay. Sign up for that support immediately to take advantage of the protection.

Finally, since this incident involves children’s personally identifiable information, parents and guardians must be cautious about their children’s identities. Too many young people only discover they’ve been victimized this way when they become adults and attempt to get a job, enlist in the military, apply for financial aid, or other similar actions. Parents can freeze their children’s credit reports to reduce the chances that someone will use their information maliciously.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


Read next: The 2018 Impact of Data Breaches and Cybercrime

Year after year, cybercrimes like scams, fraud, identity theft and data breaches make a global impact on consumers and businesses alike. Organizations like the Federal Trade Commission and the Identity Theft Resource Center keep tabs on the statistics and the aftermath of these events in order to form a clearer picture of their effects. With only days to go until we reach the end of 2018, here’s a look at some of the numbers from this year.

Top Scams of the Year

According to a report by Heimdal Security, phishing attempts continue to be one of the more prevalent ways scammers connect with their victims. Phishing usually arrives as an email that entices someone to take action; the action might be to send money, hand over sensitive data, redirect to a harmful website, or even download a virus from a macro contained within the email. No matter what the story the scammers use, one-third of all security incidents last year began with a phishing email.

What happens to consumers when they fall for a phishing email? One in five people reported losing money, around $328 million altogether. That’s about $500 per victim on average, but that’s also only from the victims who reported the scam. Interestingly, new data this year found that Millennials were more likely to fall for a scam than senior citizens, although seniors still lost more money on average than these younger victims.

Different Industries Impacted by Data Breaches

The ITRC’s annual Data Breach Report highlights the organizations that have been impacted by data breaches throughout the year, along with the number of consumer records that were compromised. While the year isn’t over, the data compiled through Nov. 30 is already worrisome.

There have been more than 1,100 data breaches through the end of November 2018, and more than 561 million consumer records compromised. Those breaches were categorized according to the type of industry the victim organization falls under: banking/credit/financial, business, education, government/military and medical/healthcare.

The business sector saw not only the highest number of breaches but also the highest number of compromised records with 524 breaches and 531,987,008 records. While the medical and healthcare industry had the second highest number of breaches at 334 separate events, the government/military’s 90 breaches totaled more compromised records at 18,148,442. The financial sector only had 122 data breaches this year, but those events accounted for more than 1.7 million compromised records. Finally, while education—from pre-K through higher ed—only reported 68 data breaches, there were nearly one million compromised records associated with schools and institutions.

The Crimes that Made Headlines

There were quite a few headline-grabbing security incidents this year. While Facebook and the Cambridge Analytica events were not classified as traditional data breaches, they were nonetheless an eye opener for social media users who value their privacy. The Marriott International announcement of a 383 million-guest breach of its Starwood Hotels brand has opened consumers’ eyes about the types of information that hackers can steal, in this case, 5 million unencrypted passport numbers. The breach of the government’s online payment portal at GovPayNow.com affected another 14 million users, demonstrating that even the most security-driven organizations can have vulnerabilities. Finally, separate incidents at retailers and restaurants like Hudson Bay and Jason’s Deli reminded us (and those breaches’ combined 8.4 million victims) that attacking point-of-sale systems to steal payment card information is still a very viable threat.

What Do Criminals Really Steal?

In every scam, fraud, and data breach, criminals are targeting some kind of end goal. Typically, it’s money, identifying information or both. But recent breaches this year of websites like Quora—which provides login services for numerous platforms’ comment forums—also show that sometimes login credentials can be just as useful.

After all, with the high number of tech users who still reuse their passwords on numerous online accounts, stealing a database of passwords to a fairly innocuous site could result in account access to so-called bigger fish, like email, online banking, major retail websites, and more. Furthermore, it showed that a lot of users establish accounts or link those accounts to their Facebook or Gmail logins without really following up; a lot of people who learned their information was stolen in the Quora breach may have forgotten they even had accounts in the first place. The number of victims in that breach is expected to be over 100 million.

Moving Forward into the New Year

The biggest security events of 2018 may pale in comparison to criminal activity next year. After all, there was a time when the Black Friday 2013 data breach of Target’s POS system was considered shocking. One thing that cybercriminals have taught us time and time again is that there’s money to be made from their activities, and they aren’t going to give up any time soon.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


Read next: “Honeyboys Keeping Internet Users Safe”

The term “honeypot” is actually an old word with a lot of different connotations. Besides the obvious container for honey, it also refers to any kind of “lure,” whether it’s an attractive person, a lucrative business deal or even a criminal’s bait to snare a victim.

The tech sector has long been flipping the script on honeypots and using them to lure the criminals. Whether it’s an unsecured cache of sensitive information, a website that purposely contains vulnerabilities or some other cyberbait, the result is the honeypot can help security researchers track down cybercriminals and grab their identifying information.

Now, researchers at one university have taken the crime-fighting a step further with the invention of the HoneyBot. This robotic security guard doesn’t patrol the hallways of a building to keep an eye out for intruders, though. Instead, it serves as a connected device that hackers would want to go after, a kind of data honeypot on wheels.

You might already be wondering, “Why does a data trap need to move around?” It’s so simple that it’s genius. One of the ways hackers know they’ve hit on useful data and not a trap is by having the ability to interact with the secret honeypot in a very sophisticated, higher-level way. If there’s nothing really interactive about it, then it could actually warn away cybercriminals. Worse, it could give them a portal to infiltrate a network (the opposite function of a honeypot).

When they’re able to interact with the HoneyBot and send it around the building, they’ll think they’re actually on to something. This makes the robot ideal for factories, manufacturing plants, and even a large-scale infrastructure like a power grid. While the hackers are toying around with the robot and trying to get access to other parts of the network, the HoneyBot is scooping up all of their information and reporting it to the cybersecurity team.

University researchers are expected to share the results of extensive testing in the near future, but this kind of innovation is already an exciting new tool for fighting back against cybercrime.


Read next: “Block the Wi-Fi Nabbers”