Phishing & identity theft
Methods and Types of Phishing Attacks
The internet can be a dangerous place no matter how tech-savvy you are. Massive
data breaches have become a part of the daily news cycle, mainly because of the vast
number of hackers out there looking for new ways to infiltrate systems and steal private
information.
But often the most damaging cyberattacks occur on a smaller scale through a form of
hacking known as phishing. With various types of phishing attacks, the criminal sends
a fraudulent communication (typically email) that claims to be from a reputable
organization. These can be hard to distinguish from legitimate messages, but if you
fall for one, the hacker may help themselves to your passwords, credit card numbers, or
other sensitive data.
When a phishing attack bypasses the large, generic group target strategy, and instead
pursues a specific person, organization, or company, it becomes classified as spear-
phishing. Typically, the message will contain the recipient's name or other identifying
information to lend a flavour of credibility.
Whaling is a specific type of spear-phishing that aims to target executive-level
employees at major companies. These fraudulent messages look more professional and
warn the recipient of issues with their technology accounts. If the upper-level person
divulges a password or piece of critical information, it can put the entire operation at
risk.
Clone Phishing
Clone phishing is a subtype of spear-phishing that aims to replicate another email
message that the recipient has previously received. For example, if the hacker can
determine that a person recently received a shipment tracking email notification, then
they may launch a clone phishing attack that sends a fraudulent message tailored to
look like the same thing.
Phishing Methods
Link Manipulation
The most common types of phishing attacks are designed to convince users to click
on a malicious link in a fraudulent email. It may redirect the person to a rogue website
that will urge the person to divulge a password, credit card number, or other pieces of
identifying information.
Phishing emails can be tricky to detect because of link manipulation. Hackers will
disguise their malicious URLs inside of an HTML hyperlink that will have a label that
looks to be harmless.
If you hover over the hyperlink in your mail application, you will be able to see the true
URL hiding behind the label.
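The hover check described above can be automated on the receiving side. This is an added example, not part of the original page: it flags links whose visible label is itself a web address on a different host than the real href. The function names and the sample message are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Label text that is itself a web address or bare hostname.
_HOSTLIKE = re.compile(
    r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})(?:[/:?#].*)?$", re.I)

class _AnchorCollector(HTMLParser):
    """Collects (href, visible label) for every <a> element."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            label = " ".join("".join(self._text).split())
            self.links.append((self._href, label))
            self._href = None

def _bare(host):
    """Lowercase and drop a leading 'www.' before comparing."""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host

def find_mismatched_links(html):
    """Return (label, real_host) for links whose label names another host."""
    parser = _AnchorCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, label in parser.links:
        shown = _HOSTLIKE.match(label)
        try:
            real = urlsplit(href).hostname
        except ValueError:  # malformed href
            real = None
        if not shown or not real:
            continue  # plain-word label or non-web href: nothing to compare
        shown_host, real_host = _bare(shown.group(1)), _bare(real)
        if real_host != shown_host and not real_host.endswith("." + shown_host):
            findings.append((label, real_host))
    return findings

# Constructed sample body; hostnames use reserved .example/.invalid names.
SAMPLE_EMAIL = """<p>Track your parcel at
<a href="http://tracking.parcel-update.invalid/t?id=1">www.shipfast.example/track</a>
or sign in at <a href="https://my.shipfast.example/">shipfast.example</a>.</p>"""
```

Labels made of ordinary words ("Click here") cannot be checked this way, so a clean result does not mean the link is safe.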
Filter Evasion
Every top email provider or client application includes a junk mail filter tool that
automatically scans incoming messages and flags ones that have a high likelihood of
being malicious in nature. Hackers realize this and design their phishing attacks
to circumvent the blocks.
The most common tactic in filter evasion is for the hackers to embed links or text within
table cells instead of in plain HTML text. This makes it harder for the filter scans to
treat the text as a regular string of characters and may allow the message to slip
through the cracks.
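The effect on a filter can be seen by scanning the same message twice, once as raw markup and once as the text a reader would see. This is an added example, not part of the original page; the phrase list and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed watch-list for illustration only.
PHRASES = ("verify your account", "password expires")

class _VisibleText(HTMLParser):
    """Collects text nodes, skipping <script> and <style> content."""
    SKIP = {"script", "style"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.chunks = []
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self._skip_depth += 1

    def handle_endtag(self, tag):
        if tag in self.SKIP and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth:
            self.chunks.append(data)

def squeeze(text):
    """Casefold and drop all whitespace so cell boundaries no longer matter."""
    return "".join(text.casefold().split())

def naive_scan(html):
    """Substring match on the raw markup, as a simple string filter would do."""
    lowered = html.casefold()
    return [p for p in PHRASES if p in lowered]

def normalized_scan(html):
    """Match on the rendered text with markup and whitespace removed."""
    parser = _VisibleText()
    parser.feed(html)
    parser.close()
    haystack = squeeze("".join(parser.chunks))
    return [p for p in PHRASES if squeeze(p) in haystack]

# Constructed sample: the phrases are split across table cells.
SAMPLE_TABLE_EMAIL = """<table><tr>
<td>Please ver</td><td>ify your</td><td> acc</td><td>ount today.</td>
</tr><tr><td>Your pass</td><td>word</td><td>expires soon.</td></tr></table>"""
```

The raw scan finds nothing in the sample while the normalized scan finds both phrases, which is why filters should match on extracted text and not on markup.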
Website Forgery
Links from these types of phishing emails often lead to suspicious websites that will
attempt to clone pages from a reputable company, including banks and retailers. The
hacker will design their website with forged content that may disguise the URL in the
browser or the SSL certificate.
Covert Redirect
Even if you verify that a link from an email points to the proper URL, it does not mean
that clicking on it is safe. Due to a vulnerability known as a covert redirect, hackers are
able to exploit an authentication method on certain websites and introduce a pop-up
window that is capable of stealing your username and password.
Social Engineering
The concept of social engineering covers a range of scenarios where a cybercriminal
tries to gain your trust in order to steal credentials or other identifying information. Such
an attack usually involves psychological manipulation, or even establishing real-world
relationships built over time that carry over into the online space and result in the victim
developing trust in the attacker.
Voice Phishing
Voice phishing is a newer trend that is spreading across much of the world. During
these types of phishing attacks, you receive a series of calls to your mobile or landline
phone from a computerized or human source. The attacker will usually pose as a bank
or utility company notifying you about an issue with your account. This is a scheme to
gain your trust so that you will provide your credit card or social security number over
the phone.
Protection
Due Diligence: Educating yourself on the evolving particulars of different types of
phishing threats and staying vigilant are the two primary ways to avoid becoming a
victim. Every time you receive an email with a hyperlink, double-check the sender and
verify the URL. Laziness or complacency can lead to a costly mistake.
Secure the Connections: If you use a public wi-fi network, be even more careful
about how you connect online. Lurking near these spots, which are rarely secured, is
a favorite bad guy strategy that almost guarantees access to private information. The
best way to fight back is by installing a virtual private network (VPN). This service has
gained recent popularity as perhaps the best anonymity and security tool at your
disposal. Given the rising risk climate, consider a VPN mandatory any time you’re
online.
Hidden Risk in Data Center Downtime: You might think breach attempts on your
web host servers are their problem, but the reality is that purveyors of malware strains
like Venom bypass connections and trick your host into going into emergency
maintenance mode. During this downtime, malware is introduced that allows a hacker
to take over a data center and all the websites stored on servers. It’s the ultimate inside
job.
What Is Identity Theft? Definition, Types, and Examples
What Is Identity Theft?
Identity theft is the crime of obtaining the personal or financial information of
another person to use their identity to commit fraud, such as making
unauthorized transactions or purchases. Identity theft is committed in many
different ways and its victims are typically left with damage to their credit,
finances, and reputation.
Types of Identity Theft
There are several types of identity theft including:
Financial Identity Theft
In financial identity theft, someone uses another person's identity or information
to obtain credit, goods, services, or benefits. This is the most common form of
identity theft.
Social Security Identity Theft
If identity thieves obtain your Social Security Number, they can use it to apply for
credit cards and loans and then not pay outstanding balances. Fraudsters can also
use your number to receive medical, disability, and other benefits.
Medical Identity Theft
In medical identity theft, someone poses as another person to obtain free medical
care.
Synthetic Identity Theft
Synthetic identity theft is a type of fraud in which a criminal combines real (usually
stolen) and fake information to create a new identity, which is used to open
fraudulent accounts and make fraudulent purchases. Synthetic identity theft
allows the criminal to steal money from any credit card companies or lenders who
extend credit based on the fake identity.
Child Identity Theft
In child identity theft, someone uses a child's identity for various forms of personal
gain. This is common, as children typically do not have information associated with
them that could pose obstacles for the perpetrator.
The fraudster may use the child's name and Social Security Number to obtain a
residence, find employment, obtain loans, or avoid arrest on outstanding
warrants. Often, the victim is a family member, the child of a friend, or someone
else close to the perpetrator. Some people even steal the personal information of
deceased loved ones.
Tax Identity Theft
Tax identity theft occurs when someone uses your personal information, including
your Social Security Number, to file a bogus state or federal tax return in your
name and collect a refund.
Criminal Identity Theft
In criminal identity theft, a criminal poses as another person during an arrest to
try to avoid a summons, prevent the discovery of a warrant issued in their real
name or avoid an arrest or conviction record.
Warning Signs of Identity Theft
It can be difficult to know if you've been a victim of identity theft, especially if
you're not always checking your financial statements.
Some clear indicators of identity theft include bills for items that you didn't buy
(these can appear on your credit card statement or arrive via email or other means),
calls from debt collectors regarding accounts that you didn't open, and loan
applications being denied when you believed your credit was in good standing.
Other warning signs include bounced checks, a warrant for your arrest,
unexplainable medical bills, utilities being shut off, inability to sign into accounts,
hard inquiries into your credit report not caused by your actions, and new credit
cards in your name that you didn't apply for.
Potential Victims of Identity Theft
Anyone can be a victim of identity theft. Children and aging adults are particularly
vulnerable to identity theft as they may not understand specific situations or bills,
and their care and finances are handled by others.
Children may be victims of identity theft but not aware of it until they are adults.
Seniors often provide a lot of information to hospitals, caregivers, and doctors'
offices, where information can be obtained by those seeking to commit fraud.
Identity Theft Protection
Many types of identity theft can be prevented. One way is to continually check the
accuracy of personal documents and promptly deal with any discrepancies.
There are several identity theft protection services that help people avoid and
mitigate the effects of identity theft. Typically, such services provide information
helping people to safeguard their personal information; monitor public records
and private records, such as credit reports, to alert their clients of certain
transactions and status changes; and provide assistance to victims to help them
resolve problems associated with identity theft.
In addition, some government agencies and nonprofit organizations provide
similar assistance, typically with websites that have information and tools to help
people avoid, remedy, and report incidents of identity theft. Many of the best
credit monitoring services also provide identity protection tools and services.
Recovering From Identity Theft
Managing identity theft can be a painstaking and long process. Once you have
determined that you have been a victim of identity theft and filed a report with
the FTC, there are other steps that you need to take.
You can start by placing fraud alerts on all of your credit reports as well as freezing
your credit reports. Fraud alerts are an added layer of protection in that lenders
must confirm your identity before opening an account, usually via phone. Freezing
your reports prevents access to any credit information. Your credit report is
removed from circulation so that a lender will not have access to it. If they don't
have access to your report, they cannot open an account in your name.
Once you've managed the above, you need to contact all of the companies
involved. Demonstrate to companies that you are a victim of identity theft, that
you did not open these accounts, and that your accounts should be frozen.
You can demonstrate that you are a victim of fraud by filing complaints, disputing
charges, and showing any other reports you have filed, such as police reports or
reports with the FTC. The Fair Credit Billing Act and the Electronic Funds Transfer
Act work in your favor. You must also dispute any incorrect charges and
information on your credit reports.
This should be done once you have the report that you filed with the FTC. Banks
and credit card companies should close your old cards and send you new ones,
and you should change all of your login and password information.
From there, continue monitoring your reports to ensure that your information is
no longer available for thieves to use.
What Do You Do If Someone Has Stolen Your Identity?
The first step to take if someone has stolen your identity is to report the theft to
the Federal Trade Commission (FTC) at IdentityTheft.gov. You can also call them
at 1-877-438-4338. From there, you can freeze your credit reports, file a police
report, and change all your login and password information. It would also be wise
to close your current credit and debit cards and receive new ones. Check your
credit reports for false accounts and dispute these with the credit agencies once
you have a report from the FTC.
Identity Verification Methods
Identity is a person’s most essential and most used asset. Identity
verification is the process of proving that the identity a person claims
matches who they really are. It checks whether a real person is behind the
identity they claim.
6 Identity Verification Methods
Identity verification has various methods and systems. This process may
consist of different approaches. Know Your Customer (KYC), and Anti-
Money Laundering (AML) rules drive identity verification techniques
worldwide. However, each country has its regulations and organizations to
impose these rules. For example, the Financial Crimes Enforcement
Network (FinCEN) is one of the various agencies responsible for regulating
identity verification methods in the United States. These techniques
commonly fall into one of the following six categories:
Knowledge-based authentication
Two-factor authentication
Credit bureau-based authentication
Database methods
Online verification
Biometric verification
1) Knowledge-Based Authentication
Knowledge-based authentication (KBA) verifies a person’s identity by
requiring a response to security questions. These questions are generally
designed to be simple for that person to answer but difficult for anyone else
to answer, such as “How many pets do you have?” or “Who was your favorite
teacher?” Additional safeguards for KBA include a requirement to answer
the questions within a limited time. The most significant benefit of KBA is that
it’s the easiest verification method for users to understand. Its most
significant disadvantage is that it’s getting increasingly easy to discover the
answers via social networking and other more traditional forms of social
engineering.
2) Two-Factor Authentication
Two-factor or Multi-Factor Authentication requires your customer to enter a
code sent to their email or mobile phone. Because the verification method is
common, the process is very recognizable and simple for consumers to
understand and apply. Using 2FA or MFA, you can easily verify a consumer’s
email address and phone number. This can be important if you need to make
sure your customer did not type in their data incorrectly.
Two-factor or multi-factor authentication generally requires users to provide
a form of personal identification, also known as a token, in addition to the
usual username and password before they can access an account. The
token should be something users have memorized, or in their possession,
such as a code they have received from the authentication agency. The need
for a token creates a powerful deterrence for fraudulent activity. Two-factor
authentication is especially useful for creating accounts and resetting
passwords. However, this method typically requires users to have their
mobile phones with them during the authentication process.
3) Credit Bureau-Based Authentication
A credit bureau-based authentication method relies on data from one or more
of the credit bureaus. These companies store a massive amount of credit
information on consumers, including name, address, and social security
number. Credit-based authentication uses a score to create a definite match
without compromising the user’s experience. However, it may not match people
with thin credit files, such as young people and recent immigrants.
4) Database Methods
Database ID methods use data from a variety of sources to verify someone’s
identity card. Database methods are generally used to assess the level of
risk a user poses because they significantly reduce the need for manual
reviews. The most significant disadvantage of these methods is that they
don’t ensure that the person providing the information is the person
conducting the transaction, mostly due to the proliferation of false online
identities.
5) Online Verification
Online verification uses techniques including artificial intelligence,
computer vision, and human review to determine whether a government-issued
ID belongs to the user. This verification method typically requires users to give a
picture of themselves holding an ID, thus ensuring the person on the ID is
the same person holding the ID. Online verification is very secure, but some
users find submitting an image of their face and ID inconvenient or intrusive.
6) Biometric Verification
Biometrics can be used to identify and authenticate people based on physical
characteristics. Biometric techniques are: facial recognition, voice
recognition, iris and retina scanning, and fingerprinting. These methods offer
a high level of convenience to customers (after the initial setup has occurred)
as no passwords need to be remembered, no questions need to be
answered, etc.
However, biometrics has some flaws. Biometrics can be stolen. Think about
it, your pictures are all over social media. Your voice can be recorded
unknowingly. Databases can be hacked to retrieve fingerprints. And once
these types of assets are in the hands of a bad person, it can be even easier
to defraud some institutions.
Where Is It Necessary To Verify Identity?
Identity verification services are used both online and in-person to verify
national identity cards. These services are used in financial services, e-
commerce platforms, social networking websites, and forums to curb illegal
activities such as money laundering and identity fraud. For example, in a
bank, you need to verify your identity to open a bank account. This process
is required and provides complete security in the following cases and
situations:
Finance sector: Banks in particular use identity verification extensively.
For example, opening new accounts needs identity verification.
Financial procedures of any kind or online sales and purchases also
need identity verification.
Telecommunications and insurance industries
Apps and platforms
Government and administration