
Identity Theft Resource Center and Futurion unveil a new tool Breach Clarity for consumers impacted by data breaches 

LAS VEGAS, Mar 24, 2019 – Today, the Identity Theft Resource Center® (ITRC), a national non-profit organization established to support victims of identity crime, and Futurion announced during the KNOW 2019 conference the launch of a new tool to empower victims of data breaches in decoding what breach notification means to them and how they can minimize the risk of identity theft and fraud. The ITRC, along with the tool’s creator Jim Van Dyke, announced Breach Clarity™. Breach Clarity is the secret decoder that will allow consumers to decipher data breach risks, prioritize the right minimization actions and access ITRC advisors for additional help. Breach Clarity is a no-cost, online tool for consumers, meant to crack the often muddled and incomplete information that follows breach notification.

Consumers can utilize the tool at www.idtheftcenter.org/BreachClarity and begin decoding the effect of any data breach on their identity safety. Breach Clarity uses a proprietary algorithm to give a data breach a risk score based on unique variables, like amount and type of information exposed. The higher the risk score for a specific breach, the more negative consequences that breach can potentially have for an individual. Breach Clarity also unlocks the top potential harms and recommended action steps for a victim of each breach, eliminating confusion in a time-is-of-the-essence period for victims. Finally, the tool provides resources for consumers like risk minimization plans from ITRC for data breach and next steps toward remediation.

The most frequently asked question ITRC receives when assisting victims of data breach is, “But what does this actually mean to me?” The national non-profit strives to better assist and educate victims in determining if they should be worried and how the breach can affect them. Breach Clarity gives consumers the power to decode the harms of a data breach. After receiving a notification letter or getting information from a credible third-party like media sources, websites that provide security information and other sources, a victim can enter the name of the breach they were affected by to decode what that breach means to his or her safety.

“Victims deserve answers, not vague language that covers up the true meaning of data breaches,” says president and CEO of ITRC Eva Velasquez. “We are thankful to have partners, like Jim Van Dyke, who are working to change the industry and bring clarity to victims. Breach Clarity is the first step toward empowering data breach victims and changing the scope of the industry.”

The Breach Clarity algorithm runs on the backbone of ITRC’s proprietary database of publicly available and notified breaches. Since data breaches – and fraud methods around them – often change quickly, Breach Clarity is a dynamic, evolving tool that updates as new information becomes available regarding breaches and fraud mechanisms.

“I’m delighted to work with the ITRC because we share a passion for protecting consumers,” says Jim Van Dyke, inventor of Breach Clarity. “In contrast with some who blame victims as being ‘apathetic’ or even ‘dumb’ when it comes to security, Breach Clarity is designed to empower every identity holder with the facts and help they need to minimize the risk of a data compromise leading to identity theft.”

Shortly following the launch of Breach Clarity, ITRC and Van Dyke will jointly offer webinars on how to use the tool and address questions from the public. Sign up for the first webinar about Breach Clarity at idtheft.center/BreachClarity. For financial institutions and employers, a premium version of Breach Clarity will be created to provide advanced capabilities such as an expanded list of risks and action steps for the consumer, integrated results from multiple breaches and methods for integrating to digital finance systems that further empower the consumer after a breach.

Attendees of the KNOW 2019 conference can join Eva Velasquez, president and CEO of ITRC (booth #121), Jim Van Dyke, founder of Futurion and creator of Breach Clarity, and James Ruotolo, director of product management and product marketing for the Fraud and Security Intelligence division at SAS, for a covert event Monday March 25th, 7-9pm. Register here or visit ITRC’s booth (#121) for more information. Space is limited, as this is a first-come, first-served event. Thanks to SAS for their support of ITRC and underwriting the KNOW 2019 networking event.

###

About the Identity Theft Resource Center®

Founded in 1999, the Identity Theft Resource Center® (ITRC) is a nationally recognized non-profit organization established to support victims of identity theft in resolving their cases, and to broaden public education and awareness in the understanding of identity theft, data breaches, cybersecurity, scams/fraud, and privacy issues. Through public and private support, ITRC provides no-cost victim assistance and consumer education through its call center, website, social media channels, live chat feature and ID Theft Help app. For more information, visit: http://www.idtheftcenter.org

About Futurion and Breach Clarity™

Futurion is a research-based consultancy focused on consumer identity, digital commerce and financial services. Futurion’s CEO Jim Van Dyke formerly founded and led Javelin Strategy & Research and has also held various product management and board positions. Breach Clarity was created based on research of consumer identity crime victims and interviews with experts on the front line of fraud prevention at financial institutions, government agencies, payments networks and more. Breach Clarity’s basic outputs are free to all consumers at www.BreachClarity.com, with an upcoming premium version being designed for consumers who log into their secure personal account at licensing financial institutions and employers.

###

Identity Theft Resource Center
Charity Lacey
VP of Communications
O: 858-634-6390
C: 619-368-4373
clacey@idtheftcenter.org

Identity theft is not one single type of crime. There are many different ways a criminal can use your information, such as applying for government benefits, getting a job under your Social Security number, receiving medical care or prescription drugs in your name, and of course, the financial aspects. But stealing from your bank account or signing up for a new credit card in your name are just scraping the surface when it comes to the harm identity theft can cause.

Tax identity theft occurs when someone uses your compromised information to file a tax return in your name. They fudge the numbers, enter an unrelated refund disbursement option like a prepaid debit card, and make off with your money before you ever know that anything has gone wrong.

How do they get their hands on your data in the first place? There are many ways, including:

  • Imposter scams
  • Data breaches
  • Stolen mail or W-2s
  • CEO/HR phishing scams
  • Corrupt insiders/tax preparation services
  • Unsecured and public Wi-Fi hotspots
  • Social Security number that is lost, stolen or compromised

Of course, it’s just as easy for a criminal to purchase your previously stolen information online, then use it to file a fraudulent return.

How can you know if someone has filed a return with your stolen information? Again, you may find out in different ways, but one common way is for the IRS to inform you.

They don’t usually call you up and say, “Guess what? Someone stole your identity!” Instead, it’s a lot more likely that the IRS will reject your legitimate tax return because someone has already filed using your Social Security number. Another way is someone not necessarily filing the entire return in your name, but rather claiming your dependents on their return if they’ve stolen your kids’ identities; in that case, the IRS will still contact you about the duplicated dependents. Finally, the IRS might contact you if someone files a business return involving your identity as an employee and the agency wants you to answer for the unreported income you supposedly earned but didn’t list on your return.

The fact of tax identity theft is that hundreds of millions of consumers’ identities have been compromised in different data breaches over the years. That means no one is immune from the threat of having their tax refund stolen.

Fortunately, there are steps that consumers can take to minimize their risk. The Identity Theft Resource Center provides free victim remediation assistance through its call-center by dialing (888) 400-5530. The ITRC will host an informative Twitter chat with the Federal Trade Commission to provide insight into protecting yourself. The live event will take place on March 8, 2019, at 8 am PT/11 am ET, and will discuss the importance of protecting yourself against tax-related identity theft. Use #IDTheftChat to join!

If you can’t take part that day, you can still read all of the tweets later on by searching for the hashtag. For more questions and answers about tax identity theft, read our tips here.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


In the age of the #selfie, there are millions of apps for users to apply teeth whitening, air brushing and the perfect filter for a flawless pic to be shared on social media. Unfortunately, downloading apps can also pose a security risk, depending on the app and the platform from which it was accessed.

Four million Android users who downloaded a popular app from the Google Play store are believed to have been infected with malware that has a variety of consequences. Some of these involve stealing access to your contacts list and pictures, while others actually redirect any popups to pornography websites. Trying to get rid of the app doesn’t work since the app remains hidden after deleting it, making it impossible to drag it to the delete garbage can icon.

The Google Play store for Android users and the App Store for iOS (Apple) users are two of the biggest app sources in the world, and they have two very different structures. Google believes in a more open-source approach, meaning any developer can list an app and users have a responsibility to read the reviews before downloading. Apple, on the other hand, has a reputation for being far more secure, but that comes at a price: listing an app on the iOS store can mean a lengthy wait while the app is tested and approved and a laundry list of requirements for developers to adhere to.

For better or worse, most of the affected apps in this case were downloaded in Asia. However, that doesn’t mean there aren’t malicious apps that are targeting US users with similar harmful tactics. Logically, Android users stand to be at a somewhat higher risk than Apple users due to the open nature of the Google Play store, but that doesn’t mean iPhone and iPad users are immune to this threat.

No matter which mobile operating system you use, you’ve got to be careful with your device. Read the user reviews before you download an app, and make sure there aren’t any specific privacy concerns mentioned. Also, read the app description itself and get a good idea of what kinds of access the app needs. If an app wants too much information or access that it shouldn’t need in order to function, then it’s best to skip it.



Sparking joy has taken on a whole new meaning thanks to the KonMari method of tidying up. Cleaning up your physical and digital life are some ways to minimize your risk of identity theft.

Marie Kondo is taking the world by storm with the premise of decluttering your life, tidying up your home and work spaces, and basically living by a simple principle: if it doesn’t “spark joy,” you don’t need it. The mindset behind the so-called KonMari method has proven so effective that second-hand stores and thrift shops are seeing record-setting levels of donations.

This decluttering concept can be applied to physical possessions, but you should also consider its ability to benefit other areas of life. You might clean up your email inbox or desktop for example. There’s another level of protection that consumers can take from this “spark joy” concept, and that’s keeping their identities out of a criminal’s hands.

Before You Begin

There are a number of steps that can help you organize your identity before you ever have to deal with cluttering consequences. These would include things like halting subscriptions to magazines and newspapers you don’t read, blocking credit card offers with your financial institutions, going “paperless” on bills and bank statements, and more. By ensuring these things don’t arrive at your home, you’ll have less clutter to deal with and fewer security pitfalls that a thief could exploit.

Another possible vulnerability is your email inbox. Adopt the good habit of not just deleting unwanted emails, but actively unsubscribing from them. This will require you to open them, scroll all the way down, and click unsubscribe. Do NOT follow this procedure for emails that appear to be scam attempts, as clicking a link can redirect you to a harmful website or install malicious software on your computer. Are you holding on to an old email address?

Physical Mail

As for identity tidying in your home or workplace, that can seem very daunting. Don’t worry, it’s not. Following commonly shared methods from organizational experts like Marie Kondo and others, you can start by creating “piles.” Establish a temporary spot for everything that could be linked back to your identity: a pile for bills, a pile for junk mail, a pile for important papers, and more.

The bills: your monthly bills must be accessible but protected, so find out where you are most likely to see them but keep others from coming across them. As you pay a bill, shred the remaining mailer portion so that you don’t end up with random piles of paper that will need to be addressed later.

Junk mail: it’s too easy to toss some junk mail on the counter and think you’ll deal with it later. It’s even easier to throw it in the trash unopened, but that could lead a dumpster-diving identity thief to pieces of your overall data puzzle. Keep a basket near your cross-cut shredder to stash these items until you’re ready to shred.

Important papers: a lot of people would agree that tax documents, health insurance statements, and other key papers don’t exactly “spark joy” and therefore should be done away with immediately. However, that’s not wise. What is useful, though, is investing in a small file cabinet or file box where important papers can be stored when not needed. It’s important that this file be accessible in an emergency but not left out in the open where anyone could rifle through it.

Digital Clutter

It’s easy to forget that your identity is vulnerable online, too, but the same principles behind decluttering can help you in the virtual space. Investing in an external hard drive or cloud-based storage subscription can protect the things you want to keep while getting them out of your physical space. Even better, if there’s a paper you might need at a later date, you can simply photograph it or scan it, then store it in these outside spaces. That way, you can discard the original but retain a protected printable copy if you need it.

Mobile Apps & Privacy Settings: First, take a look at all of the apps on your device – are there any you’re not using anymore? Delete those.

Second, visit your mobile device settings to see what information your applications are collecting from you and update them for increased privacy. For example, you might need to let a map app see your location, but does it need to be active all the time or just when in use? The same goes for photos: do all of your apps need access to your media library? Definitely not. It’s also a good time to run any updates for your phone software or apps. Read the descriptions carefully and note any cybersecurity language before choosing to update.

You should also be concerned about the permissions you allow (see trustjacking) the mobile apps on your device. Through these apps, third-parties might be tracking information about you that you might not realize like your location, search history and even your photos. Even if they aren’t actively using this collected data, they’re still storing it which can leave your personal information vulnerable to cyberattacks should the third-party fall victim to a breach.

Also, think twice before discarding that old device. Be sure to reset to your factory settings.



Valentine’s Day is just around the corner and many people are looking to swipe right on a match through a dating app in hopes of meeting their suitor in real life. In 2018, Tinder alone processed a record 1.6 billion swipes a day. With 40 percent of Americans switching to online dating, there’s now an app for every kind of user preference including dog lovers, foodies and celebrity look-alikes. With love in the air, scammers are also upping their game on these platforms in order to get your money or personal information. Let’s talk about how to swipe left on a romance scam.

Many popular dating apps like Tinder and Zoosk have reported numerous incidents of romance scams taking place on their platforms. Scammers are becoming more advanced in their techniques including using chatbots to reach more people at a faster rate and evolving their messages to remain current. To avoid being caught, scammers might also try to lure you off the dating app by claiming they are canceling their account or some other excuse. Don’t go breaking your heart or your bank, read more about how to detect a romance scam here.

When using dating apps you should always be conscious of the information you disclose and who you choose to talk to. Be extra leery if someone gives you excessive compliments, reveals in-depth information about themselves immediately, is located outside your country, asks for money or expresses interest in marrying right away. If you come across a scammer, report their profile right away to the company they have an account with. Never send anyone from a dating app money, passwords or login info to your accounts or personal contact information.

Who would’ve thought that swiping right on a popular dating app could get you in the hands of an identity thief? Kerrie Roberts with sponsor Experian and Eva Velasquez of the Identity Theft Resource Center weigh in on the ever-so-popular “romance scams.”



Malware is a growing threat, one that can impact everyone from a casual computer user to a Fortune 500 company. More than just a virus, malware is more like a catch-all term for any kind of malicious software that can infect a computer and be used for harm. Now, thanks to a new Swiss initiative and a team of volunteers, cybercriminals have a little less leverage for attacking computers.

The project, URLHaus, relied on volunteers within the cybersecurity company to seek out websites that distribute malware. These websites can infect your computer even if you don’t engage or if you visited by mistake, and it’s a common tactic that hackers use when they get you to fall for a phishing attempt. More than 100,000 of these websites have been identified and taken down in the last ten months.

A malicious website is just one of many different avenues for infecting your computer, but it’s a widely used method of attack. When a scammer sends out a phishing email that spoofs a known company, for example, the link within the email will often take the victim to a harmful website where the malware infection takes place. Common phishing emails include copycat messages from your bank telling you there’s a problem with your account, fake emails from known retailers like Amazon or PayPal, requests to verify your identity or account information, and many other believable messages.

Scammers can also use social media to get their victims to visit a harmful website. Private messages that appear to come from someone you know, telling you to click here to get this incredible deal or see these unbelievable pictures they found of you, for example, are widespread. Of course, actual paid ads for interesting products and fantastic sales can also redirect users to a fake website.

Once you visit the website and interact with it, the malware is installed on your computer or mobile device. It might be ransomware that locks up your computer, spyware or adware that tracks your online activity, a keylogger that steals everything you type (including account logins), and more.

So how does the cybersecurity industry fight back? One website at a time, which is why the project and its volunteers are so crucial to protecting tech users. Unfortunately, finding these websites scattered across the vast world wide web is a slow and tedious process, and getting the companies that host the sites to take them down can take even longer: an average of about eight days from the date of notification.

While the volunteers continue this vital work, the next step for URLHaus is to help those web hosting companies take action more immediately. Some companies respond within a day, while others take as long as a month. The bigger the company and the more customers they have hosting websites through their platform, the longer it can take to investigate a site that’s been reported.

In the meantime, there are some behaviors that tech users can deploy that will help them avoid some of these sites…

1. Never click a link in an email, text message, or social media message unless you’ve verified it with the sender; don’t just trust that you know the sender, either, since accounts can be hacked or copycatted.

2. Avoid clicking on ads in social media posts unless you can explicitly trust the company and the link. When in doubt, simply do a quick internet search for the product and the seller in order to look at the item more closely.

3. Most important of all, make sure you have a reputable security suite installed and updated. Antivirus software isn’t enough anymore, not with so many different threats out there. A lot of great software developers even offer their products at “freemium” pricing, which means there’s a price plan for every budget. There’s literally no excuse to not protect your tech.



Fans of the iPhone video chat feature FaceTime might be surprised to learn that a software bug may have been leaking their private calls. While the process took a number of steps to initiate—so it’s unlikely anyone accidentally eavesdropped, but instead chose to do so intentionally—there was also no way to know if someone was listening to you during your calls.

To make the glitch work in their favor, a user had to initiate a FaceTime call and then add their own phone number as another person in the group call. That way, even if the actual third-party never answered, the call remained connected and the user could listen in on the other person. Even worse, if the unaware third-party pressed their volume button or power button for some reason, the eavesdropping became a video monitoring call instead of just audio.

This kind of privacy flaw isn’t like Apple, a company known for its consumer-centric security. Several industry watchers like 9to5Mac and the Verge have reported on this bug, and Apple has temporarily disabled all group FaceTime functions until a patch can be written and a software update released.

First, the immediate warning for consumers: situations like this one are why you must make it a priority to download new software updates when they become available. When companies release an update, it’s because they’ve found ways to make their product better. Many times, the update can actually resolve a serious security or privacy problem.

More importantly, this is a stark reminder that our technology is only as good as the level of human error behind it. Apple prides itself on producing great products and focusing on its users’ needs, but even the best can sometimes experience flaws. If you don’t put blind trust in your products or platforms, you’ll be less likely to feel the harmful effects of accidental issues.



SAN DIEGO – Jan 28, 2019 – The Identity Theft Resource Center®, a nationally recognized non-profit organization established to support victims of identity crime, and CyberScout®, a full-spectrum identity, privacy and data security services firm, released the 2018 End-of-Year Data Breach Report.

According to the report, the number of U.S. data breaches tracked in 2018 decreased from last year’s all-time high of 1,632 breaches by 23 percent (or 1,244 breaches), but the reported number of consumer records exposed containing sensitive personally identifiable information jumped 126 percent from the 197,612,748 records exposed in 2017 to 446,515,334 records this past year.

“The increased exposure of sensitive consumer data is serious,” said Eva Velasquez, president and CEO of the Identity Theft Resource Center. “Never has there been more information out there putting consumers in harm’s way. ITRC continues to help victims and consumers by providing guidance on the best ways to navigate the dangers of identity theft to which these exposures give rise.”

Another critical finding was the number of non-sensitive records compromised, not included in the above totals, an additional 1.68 billion exposed records. While email-related credentials are not considered sensitive personally identifiable information, a majority of consumers use the same username/email and password combinations across multiple platforms creating serious vulnerability.

“When it comes to cyber hygiene, email continues to be the Achilles Heel for the average consumer,” said CyberScout founder and chair, Adam Levin. “There are many strategies consumers can use to minimize their exposure, but the takeaway from this year’s report is clear: Breaches are the third certainty in life, and constant vigilance is the only solution.”

To download the 2018 End-of-Year Data Breach Report, visit: idtheftcenter.org/2018-end-of-year-data-breach-report/

###

About the Identity Theft Resource Center:

Founded in 1999, the Identity Theft Resource Center® (ITRC) is a nationally recognized non-profit organization established to support victims of identity theft in resolving their cases, and to broaden public education and awareness in the understanding of identity theft, data breaches, cybersecurity, scams/fraud, and privacy issues. Through public and private support, the ITRC provides no-cost victim assistance and consumer education through its call center, website, social media channels, live chat feature and ID Theft Help. For more information, visit: http://www.idtheftcenter.org

About CyberScout:
Since 2003, CyberScout® has set the standard for full-spectrum identity, privacy and data security services, offering proactive protection, employee benefits, education, resolution, identity management and consulting as well as breach preparedness and response programs.

CyberScout products and services are offered globally by 660 client partners to more than 17.5 million households worldwide, and CyberScout is the designated identity theft services provider for more than 750,000 businesses through cyber insurance policies. CyberScout combines extensive experience with high-touch service to help individuals, government, nonprofit and commercial clients minimize risk and maximize recovery.

###

Identity Theft Resource Center
Charity Lacey
VP of Communications
O: 858-634-6390
C: 619-368-4373
clacey@idtheftcenter.org

CyberScout
Lelani Clark
VP of Communications
O: 646-649-5766
C: 347-204-9297
lelani@adamlevin.com

From doctor’s offices and financial institutions to college and university admission applications and summer camp registrations, the request for your Social Security number (SSN) has become commonplace. In fact, it’s become such a standard request that many individuals willingly provide this number without hesitation and without really thinking about the consequences, one of which is an increased risk of identity theft.

Social Security numbers hold one of the keys to your identity. With it, you can open a new line of credit, gain employment, receive health insurance and file taxes. Thieves also know the power behind this nine-digit number, which is why it’s one of the most highly sought after pieces of personal information. There are a variety of ways that thieves attempt to obtain SSNs, and they include more low-tech methods like sifting through your trash, stealing a wallet, purse or laptop; or using more sophisticated ways like phishing emails and texts, scam calls and via data breaches. For example, there were nearly 158 million social security numbers exposed in 2017 due to data breaches.

While the exposure of your SSN is not entirely preventable – data breaches are a perfect example of this – consumers should refrain from giving it out unnecessarily to minimize their risks of identity theft. Basically, the more frequently the number is exposed, whether intentionally or unintentionally, the higher the probability that it will be compromised. Here are some tips to help you protect your SSN and become a better steward of your identity:

Be in the Know – Educate yourself on the types of scenarios that require you to provide your Social Security number so that you can decide ahead of time whether or not you should provide it. Here is a list of situations that require your SSN:

  • Internal Revenue Service for tax returns and federal loans
  • Employers for wage and tax reporting purposes
  • Financial institutions for monetary and credit transactions
  • Veterans Administration as a hospital admission number
  • Department of Labor for workers’ compensation
  • Department of Education for student loans
  • Entities that administer any tax, general public assistance, motor vehicle or driver’s license law
  • Child support enforcement
  • Food Stamps
  • Medicaid
  • Unemployment Compensation

Don’t be afraid to ask – When your Social Security number is requested it’s best to ask the requestor some additional information to better understand whether you absolutely need to provide your SSN and if so, how they plan to protect it. In some instances, you may be able to provide an alternative like a driver’s license. Keep in mind that if you don’t provide your SSN, some entities may refuse to provide the services requested. Some questions to consider asking are:

  • Why does the company need this information (what law or reason make this a requirement)?
  • How do you protect this information?
  • What will happen if I don’t provide it?
  • Is there an alternative to providing my SSN (driver’s license, etc.)?

Protect your physical card, too – It’s crucial not only to safeguard your Social Security number but also to protect the physical card to the best of your ability. This includes storing it in a secure place (like a locked safe) and not carrying it around in your wallet or purse.

Be leery of scammers – Scammers may pose as the IRS, the Social Security Administration and others to attempt to gain access to your SSN and they may do so over the phone, through email, text or even through social media platforms. To stay safe, never provide your SSN or other sensitive information on a call that you didn’t initiate. Also, don’t automatically give out your Social Security number via email, text or social media messages, even if it looks like a legitimate business requesting it. Instead, call the entity directly by locating their number on their official website, on the back of your card or even on a recent bill.

If you know your Social Security number has been compromised, contact our advisors using our toll-free number (888-400-5530) and they can inform you about the necessary steps to take to resolve the issue. You can also reach us using our live chat feature.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


It’s the ultimate payoff for a scammer: raking in a high-dollar payday with little effort or cybersecurity expertise. Unfortunately, that’s exactly what makes business email compromise scams, or BEC scams for short, so popular among criminals. By gaining access to an email account within a company, the potential for lucrative phishing scams is limitless.

One recent victim? Save the Children Foundation, a well-known non-profit organization that supports relief efforts for children all around the world. After scammers gained access to a staff member’s email address in 2017 and began sending invoices for solar panels to the proper department, the organization was cheated out of around one million.

BEC scams aren’t new. They used to be called “boss phishing” and “CEO phishing,” among other names. Now that criminals have figured out there are more people within a company with high-security access, the scam email can come from a variety of positions within the company.

The fact that BEC scams continue to work is alarming, though. In fact, the FBI reported that there were more than 300,000 cases of cybercrime in 2017, totaling over $1.42 billion in losses. BEC scams accounted for nearly half of those losses at $676 million. These scams saw a 137 percent increase in an eighteen-month period, and a report by WeLiveSecurity stated that social engineering scams like BEC and phishing emails were the third most commonly reported scam last year.

Unfortunately, social engineering scams still work, especially as scammers become more and more involved in the storyline. Those ludicrous old “Nigerian prince” email scams relied on social engineering, or getting the victim to hand over money in order to help someone in need and see a return on that money later. In the case of a BEC scam, the engineering is even simpler: “Bob from accounting” emailed an invoice—or so it appeared—and the recipient cut a check or transferred the funds, just like they do every single day. In other cases, the boss seems to have emailed a request for payroll records or W2 forms for everyone within the company; the assistant who received the email never thinks twice about following a logical request, and hands over the complete identities of everyone who works there.

In the case of business email compromise, the age-old advice isn’t easy to follow. Email scam recipients have always been told to ignore them. But how do you ignore a request from the CEO? How is a charity supposed to ignore an invoice for solar panels in a remote village when the organization’s job is literally to provide these things?

The first way for organizations to fight back against BEC scams is to institute iron-clad policies on submitting sensitive information, issuing payments and funds, changing account numbers or passwords, and other eyebrow-raising activities. The policy has to outline exactly which requests are to be questioned, as well as offer a layer of protection for an employee who requests verbal confirmation. Of course, preventing this kind of crime also starts with ensuring outsiders cannot gain access to a company’s email accounts, namely through multi-factor authentication and strong, unique passwords that are force-changed on a regular basis.
