Posts

It’s the ultimate payoff for a scammer: raking in a high-dollar payday with little effort or cybersecurity expertise. Unfortunately, that’s exactly what makes business email compromise scams, or BEC scams for short, so popular among criminals. By gaining access to an email account within a company, the potential for lucrative phishing scams is limitless.

One recent victim? Save the Children Foundation, a well-known non-profit organization that supports relief efforts for children all around the world. After scammers gained access to a staff member’s email address in 2017 and began sending invoices for solar panels to the proper department, the organization was cheated out of around one million.

BEC scams aren’t new. They used to be called “boss phishing” and “CEO phishing,” among other names. Now that criminals have figured out there are more people within a company with high-security access, the scam email can come from a variety of positions within the company.

The fact that BEC scams continue to work is alarming, though. In fact, the FBI reported that there were more than 300,000 cases of cybercrime in 2017, totaling over $1.42 billion in losses. BEC scams accounted for nearly half of those loses at $676 million. These scams saw a 137 percent increase in an eighteen-month period, and a report by WeLiveSecurity stated that social engineering scams like BEC and phishing emails were the third most commonly reported scam last year.

Unfortunately, social engineering scams still work, especially as scammers become more and more involved in the storyline. Those ludicrous old “Nigerian prince” email scams relied on social engineering, or getting the victim to hand over money in order to help someone in need and see a return on that money later. In the case of a BEC scam, the engineering is even simpler: “Bob from accounting” emailed an invoice—or so it appeared—and the recipient cut a check or transferred the funds, just like they do every single day. In other cases, the boss seems to have emailed a request for payroll records or W2 forms for everyone within the company; the assistant who received the email never thinks twice about following a logical request, and hands over the complete identities of everyone who works there.

In the case of business email compromise, the age-old advice isn’t easy to follow. Email scam recipients have always been told to ignore them. But how do you ignore a request from the CEO? How is a charity supposed to ignore an invoice for solar panels in a remote village when the organization’s job is literally to provide these things?

The first way for organizations to fight back against BEC scams is to institute iron-clad policies on submitting sensitive information, issuing payments and funds, changing account numbers or passwords, and other eyebrow-raising activities. The policy has to outline exactly which requests are to be questioned, as well as offer a layer of protection for an employee who requests verbal confirmation. Of course, preventing this kind of crime also starts with ensuring outsiders cannot gain access to a company’s email accounts, namely through strong, unique passwords that are force-changed on a regular basis and multi-factor authentication.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


Read next: The Government Shutdown is Hurting Crime Victims

Ah, another year has passed and we’re ready to jump into the future of 2019. First, let’s take a look back at our predictions from 2018 that came true. We discussed the potential of AI to stop hacking, scammer’s new techniques to take advantage of social media users and transparency in IoT devices.  Of course with the emergence of technology and cybercriminals evolving their techniques, unanticipated challenges have arisen.

2019’s focus will be on data: Data breaches, data abuses, data privacy.  Even though ITRC is first and foremost a victim service and consumer education organization, we know that the thieves need our data in order to perpetrate their fraud and identity theft.

Data breaches: Consumers will gain more clarity (about how a specific breach actually effects them.  Breached entities will be pushed to be more transparent and less vague about the specifics of the type of data that has been breached.  Vague terms such as “and other data” or “client records”, that appear on data breach notification letter currently will no longer be tolerated by breach victims. Thieves are always looking to get their hands on our data and with a little technique called “credential cracking,” we think we’re going to be seeing more security notifications, not just breach notifications in 2019. Here’s what’s going on: following a large-scale data breach, and in order to gain access to your online accounts, a hacker simply uses a large database of usernames and allows the computer to “guess” the passwords for each account they are attempting to log into. We’re beginning to see companies send security notifications to their customers that their username/email credentials are being used – possibly by an unauthorized user – to login to their platform even if there is no account (i.e. Warby Parker & Dunkin Donuts).

Data Abuses: The public will gain more insights into data abuses, not just breaches.  More incidents, like the Facebook/Cambridge Analytica event will come to light.  As we as consumers demand more transparency, and as regulators probe deeper, the ongoing act of using our data for other than the purpose for which we have given consent will come out of the shadows.  Consumers will also start paying more attention to the notifications they receive from businesses that say their information was shared with third parties and what that means for them.

Data Privacy:  Consumer empowerment around privacy and data privacy is top of mind in a way that it has never been before.  Other states will follow California’s lead and pass their own data privacy legislation in the hopes of empowering consumers and keeping industry in check. Especially seeing as California, Florida, Texas, New York and Pennsylvania (in that order) had the highest numbers of cybercrime reports last year.  This will likely not provide the much needed long term solution, or the necessary cultural shift.  Just look at the condition of the state by state data breach notification laws, and the years-long discussion (that’s at a stalemate by the way) of a more universal regulation and process.  Will we start that cycle over again here?  Probably. Until the public has a concrete understanding of the complex relationship between data creators (consumers), data owners (the platform on which the data was created, generally) and data users (every industry currently operating in the US) these statewide measures will fall short of making any real headway into actually giving us more control over our data or more privacy.

Even though it has been discussed for over 13 years, there is a good chance that 2019 will be the year that a federal data breach notification law will become a reality.  Of course, predictions are just an educated guess based on previous events and information. Industry, policymakers and the public alike will have to wait and see how 2019 will be impacted by identity theft, cybercrime, hacking and data breaches. One thing we can be sure of though is that the ITRC will be here, working to fight back against the latest techniques to commit identity theft and scams.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


Read next: The 2018 Impact of Data Breaches and Cybercrime

The Federal Trade Commission announced that it will be closed due to a lapse in its funding until the government shutdown ends. That means a number of critical services for consumers, businesses, law enforcement agencies, and other organizations will be temporarily unavailable. Some services—as outlined on the FTC’s website and the announcement on the shutdown—will still be in operation but with reduced staff numbers; this can have a big impact on those services and the timeliness of the support.

Consumers will not be able to file reports or notify the FTC of scams, fraud, or other similar issues during this time. Identity theft reports will also be on hold, as will the National Do Not Call Registry, the Consumer Sentinel Network for law enforcement, and other critical functions.

In the meantime, the non-profit partner Identity Theft Resource Center is ready and willing to help consumers in need and provide valuable insights to any law enforcement agencies or policymakers. The toll-free helpline (888) 400 – 5530 and live chat feature provide immediate answers to questions and concerns about your data, your privacy, and your first steps in the event of suspected identity theft.

ITRC resources can also help keep you informed about the latest scams, fraud, and cybersecurity trends, as well as provide you with actionable steps to avoid becoming a victim. Should you find yourself snared by this kind of criminal activity, our knowledgeable staff can help you take action. The website is also filled with helpful documents that are categorized by the type of consumer issue to assist you in finding the right resources. The Identity Theft Resource Center also has a free ID Theft Help app, which gives you access to resources and tips to protect your identity, a case log feature to help remediate your case as well as the ability to contact our call center advisors.

Fortunately, the FTC’s website and social media channels will still be available with past information, although these outlets will not continue to be updated during the shutdown. The ITRC will continue to post updates and new information at IDTheftCenter.org as well as on its Facebook and Twitter accounts.

During this time, it’s vital that consumers and businesses be extra vigilant about protecting themselves. There’s never a good time to let your guard down when it comes to your identity or your privacy, but at a time when the safeguards are suspended, it’s even more important that individuals use an air of caution when it comes to consumer interactions.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


Read next: The 2018 Impact of Data Breaches and Cybercrime

A phishing scam has led to the unauthorized access of more than 500,000 students’ identifying information in the San Diego Unified School District. Through emails sent to staff members of the school district, an outsider was able to gain staff members’ login credentials and view students’ profiles.

Phishing scams like this one are all too common. By masquerading as an official email from a verified source, outsiders can trick recipients into all manner of sensitive activities, from changing passwords and account numbers to transferring funds to paying phony invoices. In this case, the emails likely required staff members to verify their usernames and passwords.

The phishing attack is believed to have been carried out between January and November of this year, but school system officials first became aware of it in October. However, the credentials gave the unauthorized person access to student records dating all the way back to the 2008-2009 school year.

Impacted individuals are being notified by letter from the school system, and the current investigation has already identified someone believed to be responsible. Officials have not determined whether or not any of the data was actually stolen or used, but it was certainly possible to steal complete identities from the activity that occurred; therefore, they are treating this incident as a data breach.

There are some important takeaways from this news. The first is that sharing your information with outsiders can result in the loss of that data. If you are not absolutely legally required to turn over your complete identity or that of your children, don’t. If you are required to provide it, ask who will be able to access it and how it will be protected. In the case of the school system, even base-level staff members were able to view details like birthdates and Social Security numbers, something that they didn’t need.

Also, if you receive a notification letter that your information has been breached, it’s vitally important that you take note of what data was compromised and what steps the company is taking to make it right. If the company is offering credit monitoring or identity monitoring, don’t delay. Sign up for that support immediately to take advantage of the protection.

Finally, since this incident involves children’s personally identifiable information, parents and guardians must be cautious about their children’s identities. Too many young people only discover they’ve been victimized this way when they become adults and attempt to get a job, enlist in the military, apply for financial aid, or other similar actions. Parents can freeze their children’s credit reports to reduce the chances that someone will use their information maliciously.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


Read next: The 2018 Impact of Data Breaches and Cybercrime

Year after year, cybercrimes like scams, fraud, identity theft and data breaches make a global impact on consumers and businesses alike. Organizations like the Federal Trade Commission and the Identity Theft Resource Center keep tabs on the statistics and the aftermath of these events in order to form a clearer picture of their effects. With only days to go until we reach the end of 2018, here’s a look at some of the numbers from this year.

Top Scams of the Year

According to a report by Heimdal Security, phishing attempts continue to be one of the more prevalent ways scammers connect with their victims. Phishing usually arrives as an email that entices someone to take action; the action might be to send money, hand over sensitive data, redirect to a harmful website, or even download a virus from a macro contained within the email. No matter what the story the scammers use, one-third of all security incidents last year began with a phishing email.

What happens to consumers when they fall for a phishing email? One in five people reported losing money, around $328 million altogether. That’s about $500 per victim on average, but that’s also only from the victims who reported the scam. Interestingly, new data this year found that Millennials were more likely to fall for a scam than senior citizens, although seniors still lost more money on average than these younger victims.

Different Industries Impacted by Data Breaches

The ITRC’s annual Data Breach Report highlights the organizations that have been impacted by data breaches throughout the year, along with the number of consumer records that were compromised. While the year isn’t over, the data compiled through Nov. 30 is already worrisome.

There have been more than 1,100 data breaches through the end of November 2018, and more than 561 million consumer records compromised. Those breaches were categorized according to the type of industry the victim organization falls under: banking/credit/financial, business, education, government/military and medical/healthcare.

The business sector saw not only the highest number of breaches but also the highest number of compromised records with 524 breaches and 531,987,008 records. While the medical and healthcare industry had the second highest number of breaches at 334 separate events, the government/military’s 90 breaches totaled more compromised records at 18,148,442. The financial sector only had 122 data breaches this year, but those events accounted for more than 1.7 million compromised records. Finally, while education—from pre-K through higher ed—only reported 68 data breaches, there were nearly one million compromised records associated with schools and institutions.

The Crimes that Made Headlines

There were quite a few headline-grabbing security incidents this year. While Facebook and the Cambridge Analytica events were not classified as traditional data breaches, they were nonetheless an eye opener for social media users who value their privacy. The Marriott International announcement of a 383 million-guest breach of its Starwood Hotels brand has opened consumers’ eyes about the types of information that hackers can steal, in this case, 5 million unencrypted passport numbers. The breach of the government’s online payment portal at GovPayNow.com affected another 14 million users, demonstrating that even the most security-driven organizations can have vulnerabilities. Finally, separate incidents at retailers and restaurants like Hudson Bay and Jason’s Deli reminded us (and those breaches’ combined 8.4 million victims) that attacking point-of-sale systems to steal payment card information is still a very viable threat.

What Do Criminals Really Steal?

In every scam, fraud, and data breach, criminals are targeting some kind of end goal. Typically, it’s money, identifying information or both. But recent breaches this year of websites like Quora—which provides login services for numerous platforms’ comment forums—also show that sometimes login credentials can be just as useful.

After all, with the high number of tech users who still reuse their passwords on numerous online accounts, stealing a database of passwords to a fairly innocuous site could result in account access to so-called bigger fish, like email, online banking, major retail websites, and more. Furthermore, it showed that a lot of users establish accounts or link those accounts to their Facebook or Gmail logins without really following up; a lot of people who learned their information was stolen in the Quora breach may have forgotten they even had accounts in the first place. The number of victims in that breach is expected to be over 100 million.

Moving Forward into the New Year

The biggest security events of 2018 may pale in comparison to criminal activity next year. After all, there was a time when the Black Friday 2013 data breach of Target’s POS system was considered shocking. One thing that cybercriminals have taught us time and time again is that there’s money to be made from their activities, and they aren’t going to give up any time soon.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


Read next: “Honeyboys Keeping Internet Users Safe”

A recent discovery on an internal message board may be a little unsettling: according to Politico, who discovered the internal memo and first wrote about the incident, the U.S. State Department’s unclassified email system suffered a data breach. This event affected only one percent of the organization’s 69,000 employees, but while the classified email system was not affected, the State Dept acknowledges that the impacted employees’ personally identifiable information may have been compromised.

Events like this one are happening with alarming regularity across every kind of business or agency, leading to record-setting year-over-year numbers of data breaches and compromised consumer records. While the State Department’s investigation of the incident is still underway, the internal memo did cite the need for better password security among employees.

Password security is an issue that plagues users at every level and in every industry. There are even websites that track the most commonly used passwords—discovered as a result of data breaches and stolen account credentials—and unsurprisingly, things like “password,” “qwerty,” and “12345678” still top the lists. Of course, a weak and easily guessed password isn’t the only issue; reusing passwords on multiple accounts leads to fraudulent access too. If a hacker uncovers a database of stolen logins for social media accounts, they can access any other accounts that reused those same usernames and passwords.

The U.S. government has been urged to take extra precautions when it comes to cybersecurity, largely due to the fallout and the resulting legislation from the Office of Personnel Management breach that began in 2014 and continued into 2015. Millions of government employees’ complete identities were stolen, along with identifying information for other people connected to those employees (i.e., family members, former employers).

The event sparked the Federal Cybersecurity Enhancement Act, which was signed into law in 2015. It required federal agencies to take more preventive action to reduce the threat of cybercrimes, and to report on their actionable steps. Unfortunately, those security steps have not been implemented across the board. Several U.S. Senators issued a letter to Secretary of State Mike Pompeo earlier this month, expressing their disappointment that the organization has not followed through on enough of the recommended security measures.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Read next: Is Your Bluetooth Tracking You?

With all of the high-tech hacking, malware attacks that cripple entire networks, and new ways to steal or fabricate someone’s complete identity, it’s easy to forget that some of the things that used to be problems in the past are, still a problem.

On Aug. 16, a data breach was discovered that affected multiple Cheddar’s Scratch Kitchen restaurants in numerous states. Investigators believe the operative first launched the breach in early November of 2017 and continued through Jan. 2. More than 500,000 payment cards were compromised in the breach.

The company has sent out notification letters to the victims and offered identity monitoring for the affected customers. They also revamped the payment card system in April of this year, but still advise all of their customers to monitor their account information very closely for any signs of suspicious activity.

This incident clearly demonstrates that “old-fashioned” methods of stealing identifying and financial information are still out there, even if they’re sometimes overshadowed by larger events like the or the cyber attack that hit last year. Even old tactics like dumpster diving for your junk mail or health insurance statements can lead to identity theft crimes, even if they’re on a much smaller scale than a data breach like this one.

To help minimize the risks associated with this kind of incident, there are steps that consumers can take:

1. Enable alerts on your payment cards – If your financial institution offers it, you can set up text or email alerts that tell you any time your card number is used without the physical card being present. If your account info is stolen in a breach like this one, you’ll know if someone uses your card fraudulently. One person who contacted the Identity Theft Resource Center was on her child’s school trip when she received an alert; a quick call to her credit card company showed that someone had used her account number to buy several iPhones at a cellular store. The transaction was promptly canceled and a new card sent to the victim.

2. Monitor your accounts closely – By taking even a quick peek at your account statements on a regular basis (something you can even set up to do online or on your mobile device), you can stay on top of any unusual activity.

3. Place a credit freeze – This event only compromised the customers’ payment card numbers, but in this climate of record-setting data breaches, some consumers are opting for preventive credit freezes. New legislation goes into effect next month that will remove the fee associated with freezing and unfreezing your credit, which helps prevent new accounts from being opened with your identifying information. If more sensitive information is stolen in other data breaches, you’ll be better prepared to fend off identity theft and fraud.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Read next: The Harm in Hoaxes on Social Media

For quite some time, Social Security numbers have been called the “Holy Grail” of personally identifiable information. With access to your SSN and a few other key data points, an identity thief could open new lines of credit and run up bills for large purchases for years to come. If you discovered the fraudulent card and canceled it, they could simply open up another one.

In any data breach, it was almost a relief to find out that the victims’ SSNs had not been compromised… but that may not be the case anymore.

As a newly announced data breach of T-Mobile’s network shows, our phone numbers can be a hot commodity for hackers. Hackers made off with the names, email address, some of the accounts’ passwords, account numbers and phone numbers for . The cellular provider discovered the incident on Aug. 20 and shut down the hackers’ access, then began the process of investigating and sending out notification letters to affected customers.

You might think a thief can’t really do much for this information, but that’s not true. With just the data compromised, identity thieves can port the affected customers’ phone numbers to a new SIM card, install it in a new handheld device and access any accounts that the user has connected through that phone number.

For example, a hacker can get into your email account, Amazon account, online banking or PayPal account and more by having the password reset link sent to the phone number associated with the accounts, even if two-factor authentication was in place. The thief can then access the victims’ text messaging, receive the one-time-use verification code and use it to change the victims’ passwords on any accounts where they’ve entered their phone number.

T-Mobile has already begun notifying the victims and offered them some key instructions, namely to change their passwords on their accounts. However, it’s also a good idea to change the passwords on any other sensitive accounts—not just the T-Mobile accounts—and to be on the lookout for any unusual activity. This might include notifications of logins from new devices, contacts from your account providers telling you of suspicious activity, any unusual deductions from your financial accounts and more.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Read next: The Harm in Hoaxes on Social Media

Parents instinctively protect their children from any danger that might come their way, but what do parents tend to overlook? Child identity theft.  Given the prevalence of this crime – more than one million cases of child identity theft cases were reported last year alone – it’s crucial that parents and legal guardians start taking the necessary steps to help minimize their children’s risks. To help encourage this thinking, Experian has deemed September 1 as Child Identity Theft Awareness Day to generate more attention around this prolific crime in hopes that it will reduce the amount of victims.

Children’s identities are seen as desirable because they are often left unmonitored for many years, giving thieves ample time to wreak havoc. For example, a recent survey conducted by Experian found that 45 percent of respondents didn’t discover they were a victim of identity theft until they were between the ages of 16 and 18.  Additionally, more than half of those surveyed didn’t discover they were a victim of child identity theft until they applied for credit as an adult or when they received a bill or credit card in the mail.

The emotional toll this crime takes on its victims is also worth noting. The survey discovered that 35 percent of the child identity theft victims surveyed sought professional help in dealing with related stress, anxiety, anger or depression related to the theft; 68 percent said they are fearful it could happen to them again; and 65 percent are angry about the credit roadblocks they have faced. Furthermore, 10 years later, 1 out of 4 victims surveyed are still dealing with the issues and 81 percent of them remain concerned about their ability to get approved for credit in the future.

As illustrated in the survey, the effects of child identity theft can be long lasting and although this crime is not completely unpreventable, parents and legal guardians can take the necessary steps to minimize their children’s risks. For starters, many parents/legal guardians don’t realize that they might be unintentionally putting their child at risk of identity theft by carrying their Social Security card, giving out this number to entities that don’t legally need it (doctor’s office/hospital) and by not being proactive.

Interestingly enough, the survey revealed that when the parents discovered the child identity theft, their children were 14 years old on average, whereas if the child found out about the theft themselves, they were 19 years old on average. What parents don’t often realize is that they might be able to discover this theft even sooner, which could potentially save their children years of headache.  First, parents need to be on the lookout for signs of child identity theft, which include the following: protecting their Social Security number, monitoring their children’s personal information, social media and online activity, paying attention to privacy policies and teaching them about identity theft risks. Second, they might consider doing Experian’s free Child ID Scan, which is a one-time service for parents or guardians to check if an Experian credit report exists for their child. If you do find out that your children’s information has been compromised, we recommend contacting the Identity Theft Resource’s toll-free number at 888-400-5530 to speak to an experienced advisor who can inform you about the necessary steps to take to resolve the issue. You can also use their live chat feature on their website at: www.idtheftcenter.org

Taking small steps to protect your child’s identity can not only greatly reduce their risk of becoming a victim but it can also help them in the long run.

Experian proudly provides financial support to the Identity Theft Resource Center.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Read next: The Harm in Hoaxes on Social Media

Social media has changed the way people interact with each other in both good ways and bad ways. It’s amazing to connect with people all around the world or to find a long-lost classmate from seventh grade. It’s something else altogether, though, to find yourself in a compromising situation because of something you posted online.

One of the more recent features of different social media sites like Facebook, Instagram or Twitter is the ability to broadcast live video to your followers. This feature can be fun and entertaining or even educational, but if you’re not sure how the platform works or what kind of surroundings you’re broadcasting from, you may be unhappy with the results.

1. How long is my video accessible, and who can see it? – Those questions depend on the platform you’re using. Twitter’s Periscope or the Meerkat platform, for example, are available to anyone who chooses to click on your name. Facebook Live can be limited, meaning you can broadcast to everyone or just to your friend’s list. Instagram Live, though, is by default set to allow anyone to see your video; you have to adjust that setting yourself if you want to keep it private.

As far as how long the video is available, there are key differences you should know before you press the button to go live. Instagram Live videos are gone the moment the camera turns off, but Facebook Live videos can repeatedly be viewed and at a later time.

2. What’s going on around you? – You’ve probably seen some viral videos with hilarious background images, such as an adorable wedding couple sharing the first kiss during their beach ceremony only to have a man in a tiny swimsuit standing behind them. It’s not so funny when the visible area behind your video contains anything incriminating, illegal or simply embarrassing.

Remember, depending on the platform and the settings, you might not control who can see your video. If anything behind you is a dead giveaway for your location, any of your identifying information or even the answers to typical security questions (i.e., posting a video on your birthday and mentioning it), you might be sharing far more than you intended.

3. Is this content allowed? – Each platform has regulations for what is and isn’t permitted, and it’s up to you as the user to know what they are. Obviously, behavior that violates copyright—like broadcasting live from a concert, movie, or other ticket-holder events—is a no-no; even if you don’t necessarily get in trouble, it’s still theft, and it’s wrong. Broadcasting live for anything other than journalistic reasons from a crime in progress can also land you in hot water with both the platform and law enforcement.

If you want to go live on social media, you need to be smart. Know how your platform works, understand your privacy settings and surroundings, and make sure it’s approved, beneficial content… then smile for the camera and enjoy!


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.