How to Protect Against Identity Theft

Imagine waking up one day and the organizations you deal with – your bank, your workplace, the tax office, your educational institution – don’t recognize you as you. Sounds like science fiction, right? In its extreme version, it is. But versions of this story are playing out for people and organizations daily as incidences of identity theft occur more frequently around the world.

In 2022, the United States Federal Trade Commission (FTC) website received over 1.1 million reports of identity theft. FTC data from the same year reported losses of nearly $8.8 billion to fraud – an increase of more than 30% from 2021. According to Canadian Anti-Fraud Centre data, Canadians have already lost $43.6 million to fraud in 2023 alone, with a portion deriving from identity scams.

The cards in your wallet, your employee ID, pictures of you on social media, your birthdate, even the address on your junk-mail are gold to criminal fraudsters. They’re what make you “you” to the organizations and agencies you rely on. To keep your personal information secure, read on to find out how criminals are using it, discover the top warning signs of identity theft, and get tips on prevention.

What is Identity Theft?

Identity theft is a growing threat for individuals and organizations. Just like it sounds, it’s the act of stealing personal information for criminal purposes. The theft itself can happen various ways, both simple and complex.

The low-tech method is when criminals steal mail in search of personal information. Some even search old hard drives for leftover information. More elaborate methods rely on computer techniques. Fraudsters publish fake websites, create duplicate Wi-fi networks, and send emails that impersonate colleagues and companies. In high-level attacks, criminals break into databases to steal information.

The intent of identity theft is to use that personal information to commit acts of fraud. For instance, a criminal can use someone’s name, address, and birthday to gain control of their bank account or take over their social media persona. When employees fall victim to identity theft, criminals can use their personal data to compromise company data, intellectual property, or steal more sensitive information.

Identity theft is a serious problem that is not just challenging and time-consuming to resolve. It can lead to years of emotional trauma. One identity theft often has a ripple effect that impacts many more people – from colleagues to family members. It can also do serious damage to business reputations.

Seven Types of Identity Theft

Whenever you have a relationship with an institution, organization, or platform, it’s a potential starting point for identity theft. Here are some of the main types of identity-related breach that can affect you and those close to you.

1. Credit Identity Theft

Criminals use your personal information, such as address, birthdate and Social Security Number (SSN), to apply for a new credit line.

2. Account Takeover

Scammers use your personal data to access your financial accounts, then change passwords to prevent your access and use or drain your funds.

3. Business Identity Theft

Fraudsters steal the identity of a business with the intent to harm it through financial fraud, tax fraud, trademark theft or ransom.

4. Child Identity Theft

Criminal wrongdoers steal a child’s identity and apply for credit or benefits in the child’s name. Parents often only discover the theft years later, when the child applies for loans or attempts to open accounts.

5. Synthetic Identity Theft

Identity thieves cobble together stolen identity details to create a fictitious “new” identity that has no record of previous credit. Using the newly formed identity to get cards and loans, they make payments to build credibility, then ultimately max out the cards – then vanish.

6. Taxpayer Identity Theft

Fraudsters obtain personal details and file tax returns containing falsified information to steal tax refunds.

7. Medical Identity Theft

Criminals steal personal information and pose as those individuals to obtain health care services.

Warning Signs of Identity Theft

Thankfully, several warning signs can point to an identity theft in process. The sooner you catch wind of an identity theft attempt, the sooner you can alert the authorities and start reversing its impact. Here are several tell-tale signs of identity theft underway.

Unexpected credit score or debt collection notices:  A surprising change in your credit rating or unfamiliar items or accounts on the report are signs of attempted identity theft. Put an immediate freeze on any credit lines or loans to put a stop to fraudulent activity.

Credit card offers or debt notices in your child’s name: Criminals use children’s names and SSNs to apply for credit cards, bank accounts, loans, and social benefits. Getting notices in your child’s name for things you haven’t applied for is a sure sign someone is using their name fraudulently.

Tax or insurance notices for filings or claims you didn’t make: One way criminals can benefit financially from identity theft is to file fraudulent tax forms and insurance claims to get refunds. If you receive notices of claims you didn’t submit, criminals might have control of your personal information.

Unexpected emails, letters, or phone calls from your financial institution: Most people get fairly frequent communications from their banks, but messages about transactions you didn’t initiate could be a sign of account takeover.

Denial of employment or promotion: If an employer denies your job application due to a background check, but you know you have a spotless record, it could be a sign of identity theft.

Ten Ways Identity Theft Can Happen

Preventing identity theft is made tougher due to the proliferation of potential attack vectors. Here are ten of the most common routes identity thieves use to gain access to your personal details.

1. Phishing: Cyber criminals carefully compose emails designed to look like they come from trusted companies or individuals. Called "phishing" emails, they're used to trick you into providing personal information.
2. Smishing: Similar to phishing, but it happens via text message or SMS (hence "SMishing") instead of email. In smishing attacks, the fraudster impersonates a trusted organization, close friend, colleague, or boss. The friendliness and frequency of texts make these hard to detect.
3. Vishing: The "Voice" version of phishing and smishing. Phone scammers offer prizes or make threats to raise the stakes during the call and pressure you into sharing personal information.
4. Spoofing: A kind of vishing, in which phone fraudsters send false requests to caller IDs that look like they come from local or trusted sources.
5. Fake Websites: Scammers create replicas of corporate or retail websites using similar URLs to elicit personal information. When site visitors make inquiries or purchases through these fraudulent sites, fraudsters don't reply with information or products. Instead, they harvest the personal and financial data.
6. Impersonation Scams: Criminals invent elaborate stories that include real details about friends and relatives to trick you into sending money and providing personal information. With similar intent, they impersonate government agencies with knowledge of your tax situation.
7. Skimming: Fraudsters tamper with electronic card readers or place cameras at ATMs to steal data when shoppers or account holders swipe their credit and bank cards.
8. Dark Web Purchases: The Dark Web is a marketplace on the Internet that criminals use to purchase stolen sensitive information, including medical records, sensitive photos, and financial information.
9. Theft by Personal Acquaintance: Strangers are not behind every identity theft. Some are perpetrated by people familiar to you – friends, family, neighbours, and colleagues. Not only do they have easy access to your personal information, they usually also have your trust.
10. Mail, Wallet, or Trash Theft: Your mailbox and garbage cans are treasure troves for criminals looking for valuable personal information. Notices you don't shred before tossing – at work and at home – can include SSNs, tax information, account numbers, addresses, and birthdates.

Impacts of Identity Theft in Organizations

A recent report by IBM reveals that data breaches arising from identity theft and other techniques cost organizations an average of $4.35 million last year. Stolen and compromised credentials were the main attack vectors in the majority of those breaches. With 83% of organizations suffering more than one breach, it's critical to recognize the impacts of identity theft for organizations.

• Financial loss: Recovering from identity theft is expensive and funnels resources away from revenue generation. It may also involve ransomware payments, technical and specialist salaries, victim compensation, higher insurance premiums, and computer network repair costs.
• Reputational damage: After an identity theft incident, it can be challenging to regain the trust of employees and management teams, external partners, stakeholders, customers, and the media.
• Business impact: Some businesses rely entirely on intellectual property, trade secrets, and other confidential information. After the theft of these assets, it's expensive to build back or build again, given legal costs, R&D, reputational damage, and financial losses.
• Employee impact: Data breaches can lead to identity theft for you and your employees. Cyber criminals can use employee personal information and identities to obtain falsified documents, make fraudulent loan and credit card applications, submit fraudulent benefits and insurance claims, and enter into fraudulent contracts (e.g. leases, travel).

How to Report Identity Theft

Many governments have implemented anti-fraud programs to help citizens report identity theft and get started on a recovery plan. Here's where to go to get help:

• In Canada, contact the Canadian Anti-Fraud Call Centre at 1-888-495-8501.
• In the Unites States, contact the Federal Trade Commission at 1-877-438-4338.
• In other countries, check government websites for anti-fraud information and assistance.

How to Prevent Identity Theft

The first step to preventing identity theft in organizations is telling your employees it exists and encouraging them to recognize the warning signs. Here are several additional steps you can take to protect your organization against identity theft and fraud, both online and off.

• Use phishing simulations to monitor employee awareness of phishing and measure the effectiveness of cyber security awareness training and campaigns.
• Establish strong password policies and make sure employees update their passwords on a regular basis.
• Introduce employees to cyber security best practices and run assessments to make sure employees remember them and use them.
• Distribute newsletters, schedule micro-learnings, and run campaigns to raise employee awareness about identity theft. Remind them that identity theft hurts them, their colleagues, their clients, and the organization itself.
• Teach employees to use social networking sites with caution (e.g. LinkedIn, Twitter, Instagram, Facebook, TikTok). Explain how cyber criminals collect information from these sites through imposter emails and texts from the platform itself, Direct Messages (DMs) from people posing as network "friends," and other techniques.
• Provide cyber security awareness training that covers the latest cyber attack vectors for identity theft, including social engineering, vishing, and smishing.
• Make employee security policies on remote work, work-from-home, and Bring Your Own Device (BYOD) easily accessible.
• Include cyber security links and resources available in your company newsletter.

Stop Identity Theft in Its Tracks

The best way to prevent identity theft is to equip yourself and your employees with up-to-date cyber security information and train them in cyber security best practices. Given the increased prevalence of information breach and identity theft through phishing emails and social engineering, employee training should place extra emphasis on these vectors.  

Every cyber security training program needs reinforcement!

To test how well you and your employees recognize bogus messaging attempts that could kick off an identity theft attempt, try our free phishing simulation.