The Painful World of Phishing and Identity Theft: What Can You Do About It?

written by: Robert Faustus • edited by: Michele McDonough • updated: 6/8/2011

Identity theft is a serious issue affecting an estimated 9 million Americans every year. Phishing is a major tool used to perform identity theft on unsuspecting victims. Get a better understanding of what identity theft is, how phishing techniques are used and how to protect yourself.

    What is Identity Theft?

    The Federal Trade Commission has reported that around 9 million Americans have their identities targeted and stolen every year, and those are only reported cases. Identity theft is a term thrown around by many news stories and commercials, but what exactly is it?

    Identity theft is the act of stealing another person's information and using it as if it were the thief's own, whether for financial gain or any other fraudulent activity. A common misconception is that identity theft is used to steal only certain types of information such as social security numbers or credit card numbers. Identity theft actually covers many different items.

    Someone who commits identity theft can open a new credit line, rent an apartment, sign up for utilities, open a bank account, or even get a job, all under your name. The room for fraud is tremendous as they are essentially becoming you, via your information. Most people don't know their identity has been stolen until they're called by a debt collector.

    Identity theft can occur via many methods: phishing, pretexting, dumpster diving, social network engineering, skimming, and of course, just outright stealing. Listed below are some other methods to perform identity theft:

    What Does Phishing Have to Do With Identity Theft?

    Phishing is a popular tool in an identity thief's arsenal. Phishing is the act of extracting information from someone by tricking them into thinking an official source asked for their information. The simplest way of understanding the basics behind phishing is to think of it as the word sounds, fishing. To go fishing you put bait on a stick and send it out into a lake for a fish to hook onto.

    Phishing is the same idea: a hacker or social engineer throws out "bait" in the form of e-mails and instant messages to "hook" unsuspecting victims. Like a fisherman, a phisher attempts many, many times because at the end of the day, all a phisher needs is to hook in one victim. If hundreds of e-mails are sent and two or three people fall victim, the phisher now has a source to steal an identity from.

    Just like real fishing, a phishing attack takes many failed attempts and long hours of no responses, but the more attempts are made, the greater the chance of hooking a victim. Once information – such as social security numbers, credit card numbers, bank account numbers, and even names and addresses – is captured, a phisher can use the information to steal the victim's identity.

    Phishing - How Does It Work to Steal My Identity?

    There are various methods to phish an identity. The most popular and most reported are usually the phishing attempts made via e-mail. Many people, and even news articles, mistake spoofing for phishing, or believe them to be one and the same. It's a common misconception, but to understand the differences, you can read up on my article about phishing versus spoofing. Remember, the main objective of a phishing attack is to steal something from a user, usually financial.

    E-Mail

    A phishing attack via e-mail is fairly simple. A fake website is created to look like an authentic company's website. For instance, a bank's website could be mirrored and made into a look-alike website. The phisher then spoofs an e-mail and writes it to look authentic. Within the e-mail contents, there's a link to the fake website, with a message stating that the victim's social security number must be updated for account purposes. The victim clicks on the link, enters their login information, enters their social security number and leaves, thinking that the update is all that was needed. The phishing attack has succeeded, and the victim's identity can easily be stolen via their social security number.

    Instant Messaging

    A phishing attack via instant messaging is just as simple. The phisher sends out an instant message, claiming to be a representative of the victim's internet subscription company. They claim that the only way to contact the victim was via instant message, ask the victim to update their account details, and send a link. The victim clicks the link, enters details which include their social security number, and another phishing attack has succeeded.

    Preventing Identity Theft - How Can I Not be Hooked by Phishers?

    Preventing identity theft is not as easy as it seems. Even the most cautious of people can be victims. Your information is everywhere. Think of the forms you fill out, the bills with your information that you throw in the trash, and the websites you visit. It's extremely easy to leave traces of your identity behind. The best way to prevent identity theft is to be conservative with the information you give out or throw out.

    A phishing attack will only succeed if the phisher manages to gain information from you. If you receive an e-mail asking for any type of information, take a step back and imagine yourself as that company. Ask yourself, would a company that large not have some sort of backup or disaster recovery procedure in place? Why would the company try to verify your identity by asking for an entire social security number when just the last 4 should suffice? If there truly was a compromise that required you to update your information, where's the corresponding phone call or physical mail?
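
    The checks above can also be run automatically on a received message. The following is an added example, not part of the original article: it flags links that leave the domain the sender claims to be, link text that shows one address while pointing to another, and requests for sensitive data. The function name, indicator codes, keyword list and sample message are assumptions made for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed keyword list for the data the article says phishers ask for.
SENSITIVE = re.compile(r"social security|\bssn\b|credit card|bank account", re.I)

class LinkCollector(HTMLParser):  # collects [href, visible text] for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._open = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self._open = True
    def handle_data(self, data):
        if self._open:
            self.links[-1][1] += data
    def handle_endtag(self, tag):
        if tag == "a":
            self._open = False

def phishing_indicators(raw_message):
    """Return (code, detail) findings; a link is on-domain only if its host is
    the claimed sender domain or a true subdomain of it (hypothetical helper)."""
    msg = message_from_string(raw_message, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part else ""
    collector = LinkCollector()
    collector.feed(body)
    found = []
    for href, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        if host and host != sender and not host.endswith("." + sender):
            found.append(("link-off-domain", host))
        shown = urlparse(text.strip()).hostname if "://" in text else None
        if shown and shown.lower() != host:
            found.append(("text-href-mismatch", f"{shown} -> {host}"))
    if asked := SENSITIVE.search(body):
        found.append(("asks-for-sensitive-data", asked.group(0)))
    return found

SAMPLE = (  # constructed message using reserved .test/.example names
    "From: Example Bank <security@examplebank.test>\nContent-Type: text/html\n\n"
    "<p>Your social security number must be updated for account purposes.</p>"
    '<a href="http://examplebank.test.login-update.example/verify">'
    "https://www.examplebank.test/update</a>")
```

    Calling phishing_indicators(SAMPLE) reports all three indicators. A message that passes these checks is not thereby proven genuine.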

    In addition, signing up for a credit report service to ensure that there is no suspicious activity under your name is a great detective measure to add to your arsenal of defense. If you do not want to pay for a monthly service, remember that by law, the credit reporting companies must let you check your credit report for free at least once a year. So at the very least, try to check your credit report for free once a year.

