You should assume that your identity is not safe. There are just too many ways to compromise it. All it takes is a smart enough person deciding to take your name. And that is what social engineering identity theft is all about: it is a game where the smartest player wins.
Are you, the target, going to give up too much information?
If you so much as had a conversation with a cashier, signed a lease for an apartment, or received a gift through USPS, you could already be a victim.
If you are not yet a victim, it just takes one wrong conversation or a single lapse of trust for an identity thief to make you into one.
Of course, you can only guarantee your safety if you know what you are trying to stay safe from; the real risk of social engineering identity theft stems from the fact that you do not always recognize the threat!
What is Social Engineering Identity Theft?
In identity theft terms, ‘social engineering’ is the act of manipulating a person into becoming an identity theft victim through social tactics rather than technical ones. Though the methods can be complex, the goal remains the same: the identity thief is trying to trick you into giving up sensitive information about yourself.
There are few limits as to how an identity thief might try to fool you into giving up the goods. They could call you impersonating your credit card provider, your doctor, or another business or entity. You could get a message from your best friend’s hacked Facebook, sending you to a phishing website. Regardless, knowing about each of these types of tricks will help you to know what to trust and avoid in the future.
Types of Social Engineering Tactics
There are endless ways an identity thief could use social engineering to steal your personal information. The list below only scratches the surface, but it covers the majority of the common tactics in use.
You walk into a random bank in Venezuela and insert your debit card into the ATM. If the card fails to come back out, there might be a card-trapping device in the machine. If the entire transaction works, a hidden camera and a keypad overlay could still capture enough details to clone the card for fraud. Of course, almost the whole world is aware of the potential risks of ATM skimming by now.
Now, imagine if your identity was stolen after buying Christmas gifts at Wal-Mart. It’s a big-box store, so you might assume using your credit card there is safe — as did the 80 million victims of the Target data breach. Of course, the signs should have been there — even back in 2007, there were 40 million Americans who had their payment information exposed after shopping at T.J. Maxx.
The problem is that you never know when a cashier is really skimming your credit card information. This is even more concerning when paying at a restaurant, where your server might take your credit card out of sight for a few minutes.
You cannot guarantee that a card skimming trick will not affect you. Yet the social engineering aspect lies in profiling customers to decide who is worth making a victim. These fraudsters do not steal the identity of every customer that interacts with them, as they would quickly end up with the blame.
You might want to keep your high-dollar purchases off your credit cards. It would also be a good idea to choose which credit card to use based on the payment size: use your credit card with a $500 limit to pay for a $25 purchase instead of your $50,000 business card. If the cashier cannot profile the target on a personal level, they will base their choice of victim on the apparent value of the card — this is judged by the type of card, for example by looking for terms like Business and Gold in the card name.
Put yourself in the shoes of Tom Cruise — between being crazy and rich, you have little time left to take out the garbage. As such, you might have a cleaning crew that comes in to dispose of the trash for you. As a random stranger walks by, watching the cleaner put the trash out, they have an epiphany. The trash ‘must’ have sensitive information about this famous homeowner, so they dig in the trash.
In most cases, an identity thief can ‘hop in a dumpster’ and ‘pull out an identity’. Sometimes, though, the criminal finds a pile of shredded paper instead. The ‘social engineering’ identity thief goes a step further and applies for a job with the cleaning service. From there, they have access to the inside of the home, where the sensitive documents have yet to be shredded.
In any event, the only way to prevent dumpster diving is to manage the security of your paperwork yourself. You would have to avoid using cleaning services. The same is true for any other service providers that are home-based, and especially those that work outside of your supervision. Of course, everyone should follow the basic rule of thumb and shred any papers containing sensitive information when they are no longer needed.
While looking for a new job, you stumble upon an ad that sounds perfect. The pay is right, the job duties are simple enough, and you possess the one skill they truly need in an employee. The obvious thing to do is send your resume and hope that you get an interview. If you do, it’s all happiness and high nerves from there, so letting some personal information slip when you think you ‘got the job’ is understandable.
Except, it’s not always an actual employer (or recruiter) on the other side of the screen. Sometimes it’s just an identity thief running an elaborate social engineering ploy. This is why you need to be very careful about who gets your resume; after all, it immediately gives away a lot of information about you. The sad part is that you can find thousands of real people’s resumes on Google Images by playing around with your search terms a bit.
Similar to fake employment, you could also find this approach used with fake loan offers. These are tailored towards those experiencing financial distress, as they are the most vulnerable individuals. They are made to believe that they will qualify for the loan they need, so long as they are able to verify their identity first.
The information that’s gathered could be obtained personally, or through a honey-pot website built for the scam. The latter is more convincing, while the former is easy to spot — after all, what legitimate lender searches for borrowers through Yahoo Answers?
Ghosting is a term used to describe the act of stealing the identity of someone who is already deceased. This tactic is used because there is no victim around to report the crime. Most cases of ghosting identity theft go unnoticed for many years, and some never get caught as the ‘victim’ has no surviving family to look out for them.
The problem is that the person might be dead, but their Social Security Number is still active. This means the person’s identity can be used to rack up new debt. If the individual never had a credit report opened, it becomes even easier, as the fraudster can exploit the deceased victim’s details through synthetic identity theft techniques.
Most identity thieves strike this way after first finding their deceased targets. This often starts with a scan of the obituaries, or by pressing for information through the funeral home. An identity thief might be able to start up a conversation, in person or by phone, to get the information they need.
Either way, many funeral homes do not handle sensitive information about their clients as well as they should, and it takes just one loophole for an identity thief to stumble upon a gold mine. The attacker usually needs to catch the details in the first few days after the victim’s death. If a family member is left in charge, they are responsible for requesting a ‘deceased’ note on their relative’s credit report.
Hacking is an identity theft subject that could run on for years. This is because the hacking approach opens the doors to many different opportunities. An identity thief could hack into their target’s accounts to steal information, which is later used to defraud them. Or, they can hack into a website and breach their security to gain information about a multitude of potential victims.
Regardless of the hacker’s target, the goal is always to obtain sensitive information about them. This is done over the Internet, where many cyber criminals collaborate in order to work more effectively. A lot of the personal information exposed through major hacks is later leaked in these hacker-based Web communities. It could be given away for free, or sold at a small cost to another criminal looking to commit identity fraud.
It just takes a single instance of having your information exposed to a hacker for you to become an identity theft victim. You never know when they are going to attack, so you need to leave as little trace as possible.
For example, most people do not delete their Facebook messages very often. Ask yourself now — if your Facebook gets compromised, would there be any messages (now or years ago) that mention your address, credit card details, or any other sensitive information? What about your e-mail account? Do you have any old messages that will help the hacker steal other accounts, which could lead to sensitive data?
The point is that, as long as a hacker is persistent enough, there will always be the possibility that they get your information and steal your identity.
Pharming is the same idea as phishing, except it gets kicked up a couple of notches. In many cases, it starts with the same tactic of placing links to phishing websites in e-mail messages. The attacker might even go as far as to compromise an e-mail account, and then forward the phishing page to the victim’s contacts. The landing page appears as it normally would, and the domain name in the address bar even reads correctly, but it resolves to an attacker-controlled IP address.
In another type of pharming attack, the victim’s computer is manipulated so that typing the legitimate domain name sends it to the phishing page. The victim went to the right domain; but, again, the website behind it is hosted at a fraudulent IP. As such, the results are the same as you would expect from a real phishing scam — the visitor enters their login credentials, and the attacker records them.
Pharming is a technique that is most commonly used to break into financial accounts. This method involves creating a fake landing page and coding it to record specific information that visitors enter. Some examples of websites that could get used in pharming scams include popular online banking sites and your PayPal log-in.
Phishing is the process of luring an Internet user to a fraudulent website, where whatever they type into the page is captured and recorded. This is a method that most people are aware of now, as almost everyone has received a phishing attempt at one point. In fact, thousands of phishing sites have been set up over the years to steal user credentials for various websites, such as eBay, Facebook, and PayPal.
Anything can get phished, so long as you are gullible enough to trust the landing page. Though, it is getting harder to fool people as they are becoming more aware of these schemes. Corporate level employees used to be easily phished, but now fraudsters take a new approach.
Phishing could be just one part of the scam; if the fraudster can phish an e-mail account inside a trusted network, much more damage could follow. The phishing tactic could be used just to steal the log-in, or to steal more information from that person’s connections. Or, the e-mail account could be phished for the purpose of ‘pharming’, to steal sensitive information from people in the victim’s circle.
By now, you should know how phishing works. You are directed to a website disguised to be that of a legitimate company or service. The actual page is just a mask, and the information captured is later used by the attacker to commit fraud.
There are countless examples of phishing attacks that have happened over the years. For the most part, they can be classified into one of the three following groups:
- Attacks deployed through e-mail,
- Forging the legitimacy of a website, and,
- Running a ‘man in the middle’ style attack.
Sometimes an attack will fall under more than one group. For instance, a phishing e-mail could be sent to users whose browsers have already been compromised by an exploit. The exploit makes the landing page appear even more trusted, as it forges authenticity; by combining the two, it’s a lot harder for the average Joe to pick up on the con.
A complex phishing attack paired with ‘pharming’ techniques is how employees of large corporations often end up with their e-mail accounts hacked and their company’s website servers compromised.
SMiShing is the act of ‘phishing’ for information by SMS message. The sender on the other end of the text message is merely a criminal. They often impersonate a business or entity that the potential victim knows or has an account with. The message is written in such a way that it builds anxiety, and in most cases leads to the recipient clicking a hyperlink and landing on a phishing website.
Some common SMiShing message tactics include:
- Pretending unauthorized charges were made on the victim’s account,
- Suggesting a reason for shock, such as, “Look at this image of you online,”
- Acting like the victim won a prize or is entitled to something, and,
- Spoofing a trusted phone number to ask the victim directly for sensitive information.
It’s easy to stay safe from SMiShing scams, because most are obvious from the get-go. Few trusted businesses make contact through text messages, and no sensitive information is ever requested from you this way. Further, you can examine the URL of the link in the text message for any signs of suspicion. Worst case scenario, enter the exact URL into the address bar of your computer to make sure it’s legitimate.
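As an added illustration of the URL check suggested above (this is example code, not part of the original article), the following Python function applies a few defender-side heuristics to a link taken from a text message or e-mail. The brand list is a constructed assumption, and the registered-domain helper is a crude stand-in for the Public Suffix List.

```python
"""Heuristic triage of links from SMS or e-mail messages (added example)."""
from urllib.parse import urlsplit
import ipaddress

# Constructed mapping of impersonated brands to their real domains (assumption).
KNOWN_BRANDS = {"paypal": "paypal.com", "ebay": "ebay.com", "facebook": "facebook.com"}


def registered_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels. Real code should use the Public Suffix List."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def triage_url(url: str) -> list[str]:
    """Return the reasons a link looks like phishing; an empty list means no flags raised."""
    flags: list[str] = []
    parts = urlsplit(url.strip())
    host = parts.hostname or ""

    if parts.scheme != "https":
        flags.append("not-https")
    # "https://brand.com@attacker.example/" shows the brand but goes to the attacker.
    if parts.username is not None:
        flags.append("userinfo-in-url")
    # A bare IP address instead of a domain name is rare for legitimate businesses.
    try:
        ipaddress.ip_address(host)
        flags.append("ip-literal-host")
    except ValueError:
        pass
    # Punycode (xn--) or raw non-ASCII hosts are how look-alike domains are built.
    if host.startswith("xn--") or ".xn--" in host or any(ord(c) > 127 for c in host):
        flags.append("punycode-or-unicode-host")
    # The brand name appears in the host, but the registered domain is someone else's.
    reg = registered_domain(host)
    for brand, legit in KNOWN_BRANDS.items():
        if brand in host.lower() and reg != legit:
            flags.append(f"brand-{brand}-on-{reg}")
    return flags


def is_suspicious(url: str) -> bool:
    """Convenience wrapper: True if any heuristic fired."""
    return bool(triage_url(url))


if __name__ == "__main__":
    # Constructed sample links; none are real phishing sites.
    for sample in ("https://www.paypal.com/signin",
                   "http://paypal.com.secure-login.example/verify",
                   "https://paypal.com@203.0.113.5/login"):
        print(sample, "->", triage_url(sample) or "no flags")
```

The heuristics produce leads to inspect, not verdicts; a legitimate link can trip the HTTPS or IP check, and a well-built phishing domain can pass all of them.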
Vishing is the act of ‘phishing’ for information over the phone. The voice on the other end is nothing more than that of a criminal. In most cases, they impersonate a business or entity that you trust — such as, your bank or credit card provider. You are sold on a story that is actually believable to build rapport; in the end, the person on the phone is just trying to guide you into giving up a specific piece of information.
Here’s an example of a vishing phone call:
Fraudster: “Hello, this is Cindy from ‘Credit Card Company’ calling. We are reaching out in regards to a suspicious transaction that just showed up on your account. We see you are from ‘Your State’ and used your card recently, but this new transaction is on the other side of the country. Did you authorize a payment at ‘Business Name’ in ‘Another State’ this morning?”
As the cardholder is oblivious to the transaction, their obvious response is as follows:
Victim: “Of course not. There’s no way I managed to fly across the country while I was sleeping! The last transaction I authorized was on ‘Previous Date’ at ‘Name of Retailer’ as far as I can remember.”
Fraudster: “No worries, by law you are not held liable if any unauthorized charges were made. We are going to flag your account for now — any new transactions or changes to your account will trigger a verification call to this number. Now, to unlock your account and allow you to use your card with us again, I just need to verify your identity.”
This is when you might get a little suspicious, but it’s true that even legitimate entities sometimes need information about you. The appropriate thing to do is to tell them you will call them back at their extension number before providing any sensitive information. If you fail to do so, you might fall for the scam.
Victim: “Sure, what do you need to know?”
Fraudster: “Alright, so we see that you have a ‘Credit Card Company Name’ credit card, issued by ‘Issuing Bank Name’ and we have you listed as the sole cardholder. To verify your identity, we just need to confirm a few details about you. First, would I be able to get your Date of Birth?” … and you know where that leads!
If you are worried about vishing attacks, read up on Elite Personal Finance’s guide to vishing to better understand how it works and how you can stay safe!
Other Social Engineering Tactics
This only scratches the surface of the different ways a fraudster could commit identity fraud through social engineering. It would be impossible to compile all the different methods into a single list. For an identity thief, these tactics are always open to interpretation; by knowing a bit about a target and understanding which information is needed, it is easy to plan out a way to weasel the data out of them.
You can get a better idea of the range of social engineering threats that exist by reading up on the Social Engineering Framework. From there, you can learn more about the lesser-known social engineering identity theft tactics. You can also explore the material on other social engineering practices, such as impersonating a delivery person or committing corporate espionage.
Is Your Identity Really Safe?
After reading about the many different ways an individual could social engineer themselves into your shoes, do you have a new-found appreciation for the safety of your identity? It really is something you need to cherish, because the moment it’s tainted it will always be that way. This is why so many people are adamant about following the typical identity theft advice, such as locking up your Social Security card: they value their identity.
Failing to protect yourself could lead to hundreds of hours of restoration work and years of building your credit score back up. It’s not a position that anyone wants to be in, so stop assuming it won’t happen to you and take action today. For more advice on how to keep your identity safe, check out ‘The 100 Best Ways to Prevent Identity Theft’ by Elite Personal Finance and consider investing in identity theft protection.