We need to talk about identity theft and fraud, and how it is happening in 2020. This problem has been growing for years, and despite efforts on the part of banks and law enforcement, identity theft continues to flourish as a criminal industry. At this moment, gangs of organized criminals have 24 hours a day all around the world to try to steal sensitive information and scam consumers and companies. Meanwhile, each of us is only awake a certain number of hours in the day, and is only paying attention to issues of information security for a small amount of that time.
In this article, we’ll explore identity theft as an issue, and try to highlight how identity theft and related fraud are impacting the transportation industry.
What is Identity Theft?
Identity theft is the intentional, illegal use of someone else’s identifying information. It is often a means for illegal financial gain, such as unauthorized access to a victim’s bank or credit accounts, or obtaining credit instruments such as loans, utility accounts, or credit cards in the victim’s name. Sometimes, identity theft is used as a means of social engineering, to impersonate a victim for the purposes of gaining additional access to people or places associated with the victim.
Identifying information at risk for compromise includes anything that can be used to specifically identify a person. These are generally a name, date of birth, social security number, driver’s license number, and bank account or credit card numbers. Additionally, the modern prevalence of electronic means of identification presents additional vectors in the forms of PIN numbers, electronic signatures, fingerprints, passwords, cryptographic keys, or any other information that can be used to access a person’s online accounts.
A victim of identity theft may suffer adverse consequences, particularly in cases where they are held liable for criminal actions on the part of the perpetrator. In total, identity theft and related forms of fraud are estimated to have cost consumers over $16 billion in 2019. The cost to businesses is far greater, contributing largely to a total economic loss in the United States of over $50 billion annually.
How Does Identity Theft Affect the Transportation Industry?
All companies are potential targets for identity theft and related forms of fraud. Companies in the transportation industry are uniquely vulnerable in a number of ways:
- Licensing and registration requirements, as well as tools like load boards, make public huge quantities of information that can be used to impersonate an employee or client.
- For a motor carrier, much of the workforce is perpetually mobile, which can introduce challenges in verifying the identity of employees.
- There is typically very little authentication required to authorize purchases on account with parts suppliers and other vendors, and fraud can be difficult to detect owing to the highly random timing and physical location of such requests.
- In some places, load-jacking is increasingly common, as fraudsters are able to use electronic means to completely fabricate documentation and make off with entire trailers full of freight, hooked up right in the yard or even loaded from the dock, before the theft is discovered.
Is Identity Theft a Serious Crime?
In the U.S., the prevalence of crimes of identity theft led to the creation of the Identity Theft and Assumption Deterrence Act. In 1998, the Federal Trade Commission (FTC) testified before the United States Senate, discussing crimes that exploit consumer credit to commit loan and mortgage fraud, lines-of-credit fraud, credit card fraud, and commodities and services frauds.
The Identity Theft Deterrence Act of 2003 (ITADA) amended U.S. Code, Title 18, § 1028 (“Fraud related to activity in connection with identification documents, authentication features, and information”). The statute now makes the possession of “means of identification” to “knowingly transfer, possess, or use without lawful authority” which travels in or affects interstate commerce a federal felony crime in the United States.
Different states have their own laws related to identity theft, and charges not brought by federal authorities will be determined by controlling statute in the jurisdiction where the theft occurs.
How Does Identity Theft Happen?
There are several ways a consumer can unwillingly lose control of their personally identifiable information (PII), and multiple ways in which people routinely share their PII, perhaps without being aware of the risk.
Members of a company’s senior leadership are high-value targets for identity theft. Their names and convenient contact information are typically highly conspicuous, and their positions within the company can make it more practical than average to target them via multiple attack vectors. Obtaining identifying information for, and assuming the identity of, a corporate leader could yield high levels of access to company financial accounts, as well as treasure troves of sensitive information.
Bait and Switch
Online, a bait and switch can happen when a legitimate-seeming advertisement links to a website that is infected with malware which steals a victim’s PII. A fake website posing as a major retailer might offer hard-to-miss deals to entice consumers into parting with their personal information, and modern advertising platforms make it frighteningly simple to target likely victims based on a combination of personal interests and demographic data.
The old Nigerian Prince Scam is a classic because it has tremendous legs. Email is a cheap and easy way for scammers to cast a wide net, and they don’t need to trick a large number of people to make their investments pay huge dividends. One common tactic is using intentional misspellings and grammatical errors as a sort of self-selecting filter to weed out people who aren’t gullible.
Synthetic Identity Theft
As governments and businesses have ratcheted down on controlling personal information, the thieves have become increasingly creative, and have begun generating synthetic identities. A synthetic identity will include one or more kernels of genuine information, such as a social security number and a legal name, but will have other information that is fabricated to create a new consumer profile. This made-up identity can then be used for opening accounts or other fraudulent activities, and the victims may not even know that their information has been compromised until significant damage has been done.
Over a period of two months in 2017, attackers succeeded in exfiltrating PII belonging to 150 million Americans, over 15 million British citizens, and around 19 thousand Canadians from computer systems belonging to the American consumer credit reporting agency Equifax. This stands as one of the largest and most publicized data breaches in world history. Security researchers have yet to find data known to be from the breach available for sale on the black market or being traded on the dark web.
In this and many other cases, data breaches occur as the result of improperly configured security controls, or computer systems with outdated software which is inherently vulnerable to intrusion. There are many steps companies can take to ensure that their computer systems are as secure as possible, but for consumers, often the only choice we have is who we choose to share our information with, and how much we share.
Formjacking is a form of attack whereby cyber-criminals install malicious software into a website hosting a legitimate online form. The malicious software then steals the information entered into the form and forwards it to the attackers.
A sockpuppet account is an account someone uses to pretend to be someone else. They are a stock-in-trade for the modern online scam artist, who will use them to like, share, comment, review, and generally amplify a deceitful message. Sockpuppets can help lend an air of credibility to scam bait, and help a scammer broaden their base of victims.
Physical Identity Theft
A thief with physical access to a person’s personal information doesn’t need to resort to fancy, electronic tricks. Drivers license numbers, credit card numbers, bank account numbers, social security numbers, passwords, all are susceptible to being physically stolen. Cards can be photocopied, imprinted with a scrap of receipt paper and the side of a pencil, or their numbers written down while they’re out of the victim’s control only briefly.
Shoulder surfing is another common form of identity theft requiring physical proximity to the victim. Thieves can steal information by literally looking over the shoulders of their victims as the victims use ATMs, smartphones, laptops, and other devices. High-quality cameras are practically ubiquitous in the modern age, and so an attacker doesn’t even need to be close to zoom in and capture video of a password being typed.
Skimmers are electronic devices that alter a legitimate card reader to steal the card data when a victim swipes their card. They’re relatively simple to manufacture, and are freely available for sale on the dark web. While skimmers come in many shapes and sizes, the one characteristic they all have in common is that they are meant to be hard to detect. The hardest part for an attacker is planting and retrieving the skimmer, during which time they must have physical access to the card reader.
What Kinds of Fraud are Linked to Identity Theft?
Having control of a person’s identity can give a criminal tremendous control over their resources. Most consumers tend to think in terms of financial fraud, such as theft from bank and credit card accounts, but a sufficiently motivated criminal with the ability to impersonate you can gain access to far more. Your skilled reputation, access to medical care, or criminal history could be at stake, and those are much harder to recover than a fraudulent purchase.
Account Takeover (ATO) Fraud
Obtaining the credentials to electronically manage a bank or credit account, or an online account with purchasing power can give the attacker the ability to modify the account details or otherwise extract monetary gain from the account. In the case of a bank or credit card account, mail can be re-routed, authorized users added, and new cards or other instruments issued. For an eCommerce account, fraudulent purchases can be made, or other financial details extracted.
Bank and Credit Card Fraud
Account numbers, or physical access to financial instruments such as credit cards or paper checks, can give perpetrators the ability to make fraudulent purchases or exercise unauthorized funds transfers. Additionally, sufficient access to PII could give the fraudster the ability to open new accounts with new lines of credit.
Loan or Lease Fraud
Given enough personal information, a criminal may obtain a loan or lease in the victim’s name. It can often take weeks or months to detect such fraud, and the process of untangling the deception and being relieved of responsibility for the debt can require substantial effort on the parts of victims and law enforcement.
The imposter scam is exactly what it sounds like: a criminal pretends to be someone the victim knows and trusts in order to commit fraud. The imposter may call on the phone pretending to be a relative in trouble or might reach out via email from a stolen account. Whatever the manner of contact, the bad actor only needs enough personal information to weave a plausible story.
Vishing is a modern term for phone scams. Callers will impersonate bank employees, customers, government officials, law enforcement officers, managers from another department within your company, or whomever they need to in order to perpetrate their crime. Vishing scams will typically involve an urgent matter that carries some threat to the victim if immediate action is not taken over the phone.
How Can People Protect Themselves from Identity Theft?
By now, perhaps you’ve got the picture that this is a potentially huge problem with a lot of vectors for attack. It’s said that ‘evil never sleeps’, and while that’s true there’s plenty we can do as individuals to protect ourselves, our families, and our employers from identity theft and related fraud. Identity theft is overwhelmingly a crime of opportunity, and if you can deny a fraudster the opportunity to get the goods on you, you’ve won.
Monitor and Control Your Information
- U.S. consumers are entitled by law to a free copy of their credit report. Get yours by going to www.annualcreditreport.com or calling 1-877-322-8228. Check your credit report often, and review it for errors or unexpected activity. Report any surprises to the credit reporting agency furnishing the report, and freeze your credit file if necessary.
- Go to OptOutPrescreen.com or call 1-888-5-OPTOUT to stop receiving prescreened credit offers by mail.
- Add your phone number to the FTC’s do-not-call list, the National Do Not Call Registry.
- DMAchoice is a mail preference service offered by the DMA. Use this tool to opt-out of receiving unwanted catalogs and other forms of marketing mail.
- Shred credit card and bank statements, bills, etc. to avoid putting your personal information in the trash. Dumpster diving is a common means of stealing information.
Control Your Interactions
Trust your gut, and don’t be pressured into taking action you’re unsure of. If you’re feeling like a caller or an email correspondent is demanding too much, take control of the interaction. “I’m going to place you on a brief hold while I check a couple of things here,” puts you in control of the tempo long enough to verify information or filter a request through someone you trust. No legitimate caller will be unduly upset, and you may thwart a scam.
Know Who You’re Dealing With
Just because someone is calling from a number you seem to recognize or emailing from an address that’s in your contacts list doesn’t mean they’re who they claim to be. Phone impersonation and email hacking are common tools of the identity thief and are frequently used as jumping-off points for additional identity theft or other forms of fraud.
We’ve talked about this before in our article on Personal Brand & Social Media DOs and DON’Ts: the majority of the responsibility for the information you share online is yours. Here are the main components of identity theft:
- Date of Birth
- Physical Address
- Address History
- Vehicle Ownership History
- Social Security Number
Many, many people have shared most of these things online on social media. So, if an attacker has purchased a stolen database containing the rest of the information, all they have to do is look you up on Facebook to have everything they need to impersonate you.
Be Aware of Your Surroundings
Many ATMs now have warning stickers urging users to be aware of their surroundings when accessing the machine. The same level of caution should be used when entering a password to check your bank account while at the mall, working on documents that might contain proprietary information while seated in a coffee shop, or calling your phone provider and reciting your call-in PIN to make account changes while in Best Buy shopping for a phone. You don’t know who could be watching or listening, and a little bit of information is sometimes all a criminal needs to victimize you.
- Make sure you’re writing, typing, and reciting account numbers, passwords, and PIN numbers in privacy.
- In busy places like airports, truck stops, and restaurants, insist upon keeping your documents in sight. It might feel strange or impolite to not let a stranger walk away with your driver’s license or credit card, but if they want your money don’t give them a choice.
- Don’t carry your smartphone in your hand. Law enforcement agencies have recorded an increasing incidence of snatch thieves yanking phones directly out of owners’ hands.
Report Suspicious Activity
Identity theft and fraud are against the law. If you believe someone is trying to scam you out of your personal information, here’s what to do:
- At work, report suspicious emails to the IT department or the security office for proper handling.
- Tell a supervisor about suspicious phone calls so that information can be shared with the appropriate parties.
- In public, if you see people lurking, apparently eavesdropping, or digging through trash containers, inform the management or call law enforcement.
If it sounds too good to be true, it almost certainly is. Conversely, no legitimate business or government entity will call to make a demand which must be satisfied immediately over the phone. Think critically and evaluate logically to avoid getting scammed.
- Your bank will not call you and ask you to tell them your social security number – they already have it, and it’s actually against the law for a business to use an SSN in that manner.
- Nobody legitimately representing an IT department needs your personal password.
- The IRS will not insist that you settle your tax bill by purchasing gift cards at Walmart.
- Law enforcement will not call you on the phone and threaten to arrest you if you don’t pay an overdue fine immediately over the phone.
As absurd as these situations might sound, they’re actual scams that routinely make money for criminal scam artists. Remember to control the tempo of the interaction, and insist on seeing things in writing. Offer to take down the caller’s number and call back after you’ve had a chance to verify things on your end. If they threaten legal action if you don’t acquiesce immediately, tell them with a smile that you’ll be happy to see them in court.
What Should I Do if I Believe My Identity Has Been Stolen?
What if the worst happens and you find yourself a victim of ID theft? Now is not the time for embarrassment, but for action. Moving swiftly can help limit damage, and might even help catch a crook.
- The Federal Trade Commission has established a website to help victims of identity theft: https://www.identitytheft.gov/. Here you can report identity theft and get help putting together a plan to recover.
- Contact the credit bureaus to place a freeze on your credit files. This will prevent accounts being opened in your name.