Who among us hasn’t bemoaned the series of security questions on the phone as we try to talk to representatives about our accounts or access them online? Date of birth, the last four digits of our social security number, secret words and answers to seemingly ridiculous questions that can all be recited in our sleep. Is all that necessary?
In a word, yes.
Identity theft continues to be a common type of fraud in the U.S. The rise of social engineering has allowed criminals to become more sophisticated with their methods. But you can help protect yourself by staying aware, and taking extra precautions when verifying your identity.
What is identity theft and how does it happen?
Identity theft occurs when one person uses another person’s identifying information to assume their identity for the purpose of committing fraud or other crimes.
This type of fraud can be executed in person, verbally, or electronically, and can be familial (attempted by a family member) or external (attempted by an unknown party). Electronic channels are the most common paths for identity theft, and fraudsters can use several different methods to steal a victim’s credentials, such as phishing or malware.
Identity theft falls into two categories:
1. Low-tech methods: These may include posing as a trusted person for the purpose of financial gain, or to access information. For example, the identity thief may contact a call center or call your advisor directly, posing as you, their client.
Other low-tech approaches include taking physical possession of devices, ATM cards, financial statements, and other materials that contain your financial information.
2. High-tech methods: Once identity thieves have the information they need, they may log into your account to gain additional data, intercept verification codes, redirect devices, initiate withdrawals, change account details, and more.
Identity theft is a broad topic, so these examples are not all-inclusive, and may overlap with other methods that also result in a loss or theft of personal information.
Identity theft may be one of the oldest techniques in the fraud book, but it remains prevalent, especially in a world where much more information is shared than in the past. In 2017, the number of identity theft victims in the U.S. reached 16.7 million—an 8% increase from the previous year.
Contrary to what some may believe, not all fraudsters are geniuses who can outsmart advanced technology. Some are more unassuming, but know how to take advantage of people’s natural inclination to trust others. Meanwhile, these criminals are getting more sophisticated in their attacks by using stealthier, more complex schemes.
Recently, brokerage firm Charles Schwab has seen an uptick in impersonation calls, with fraudsters becoming more sophisticated in their attempts to gain access to client accounts through social engineering. Social engineering is the use of deception to manipulate others into divulging personal information or transacting on a client account. Typically, an unauthorized individual assumes the identity of a client, or tricks another person into believing they are a trustworthy source.
Schwab is noticing that criminals are leveraging stolen client information gathered from other companies’ breaches, purchased from the dark web, or gleaned from social media to pose as clients. Impersonators use these details—in combination with other tactics—to appear more legitimate. For example, they may spoof the client’s phone number on caller ID, or use a voice changer to sound like the client. These imposters often are calling to update account information such as email address, password, or phone number, or to initiate or approve money movements.
Social engineering is swiftly becoming a universal threat—one that can have big impacts. It is a clever, often misunderstood, and overlooked form of identity theft because, while it still requires a certain amount of finesse and skill, it doesn’t require the technical expertise necessary to hack into a major bank’s computer network and reroute funds. Think of the con artist on the street whom you never really see.
Social engineering may occur via phone, email, or social media. Often, the scammer will use skills such as charm, friendliness, wit, or urgency to build a sense of trust with the victim. This is intended to convince the victim to either release unauthorized information, or perform actions that benefit the scammer, such as sending money. It is also very common for the scammer to visit social media sites to obtain identifying information to bolster their credibility.
Fraudsters will sometimes rely on human error to obtain additional information. For example, while answering a security question about previous employers, they may rely on a LinkedIn profile. If their first answer is incorrect, the fraudster will guess again and dismiss the incorrect answer by quickly saying something like, “Oh, I only worked there for three months, so I didn’t think that was the correct answer.” Despite receiving an incorrect answer initially, a customer service representative might not press further or ask additional security questions.
Fraudsters will also try empathy, such as pleading, “My daughter, Susan, was celebrating her birthday at the park today and is seriously injured. I’m calling from the doctor’s office, and they are requiring that I pay cash before she can be seen. It’s urgent that I access my account right now, but I locked myself out. Can you please help?”
Additionally, they may employ distraction techniques, such as a crying baby or other background noises, and ask the professional to repeat questions, claiming that they cannot hear or that there’s a poor connection. Usually, they’re hoping that the customer service representative gets frustrated or loses concentration.
9 Tips to Help Prevent Identity Theft
Knowledge and awareness can help you protect yourself against cyber-crimes such as identity theft or social engineering. Here are some best practices:
- Safeguard your financial information and your personal data with physical locking devices or strong electronic password protection.
- Limit whom you trust or share your personal information with.
- Use caution when sharing information and personal details on social media.
- Consider how you interact with others via email or phone, and be selective about disclosing details.
- Be aware of your surroundings when talking on the phone. Do not hold conversations regarding your finances in public places, and don’t use public WiFi to access financial accounts.
- Regularly review your account statements for transactions that are outside of your normal spending patterns or places.
- Employ strict authentication protocols that you follow with every account—no exceptions. For example, you may choose to require a verbal password or security questions for all accounts. Enable two-factor authentication on your e-mail accounts and all other accounts that allow it.
- Educate and train your family members to ensure that they understand social engineering, so they’re not the weak link in your security protocols. Kids should not advertise that their family is on vacation by posting photos or disclosing their location before they return home. That invites burglars to your home.
- Report your phone as lost or stolen to your cell phone company as soon as you realize it is missing, and ask them to suspend all services immediately to prevent interception of validation codes. Be sure to have an auto-lock password on your phone.
Identity theft is often linked to hackers. Not all hackers use their skills for criminal activity though. A growing group of hackers help companies detect flaws in their cybersecurity systems or test employee training. The companies who hire these hackers are often shocked at how quickly their systems can be breached. Watch this video from CNN to see how it works.
As an investment advisory firm, our guard is constantly up for hucksters attempting to trick us into revealing information about our clients, or worse, initiating unauthorized transfers from their accounts. Insist that your own advisor verbally approve any non-conventional transfer request (especially a wire transfer) that comes via e-mail or other means that are not normal for him or her.
If you would like to review your current investment portfolio or discuss any other financial planning matters, please don’t hesitate to contact us or visit our website at http://www.ydfs.com. We are a fee-only fiduciary financial planning firm that always puts your interests first. If you are not a client yet, an initial consultation is complimentary and there is never any pressure or hidden sales pitch. We start with a specific assessment of your personal situation. There is no rush and no cookie-cutter approach. Each client is different, and so are your financial plan and investment objectives.