Steven Spielberg’s “Catch me if you can” brought even more fame to one of the most renowned conmen in the USA’s history: Frank Abagnale Jr.
Last year on Fox News, Frank Abagnale stated that “Fraud is 4,000 times easier to commit today than 50 years ago”. If a master con man, who then became one of the leading security experts, believes that today impersonating someone is a relatively easy effort, you have to believe that you should be concerned about it.
In this article, we will review how identity theft and impersonation scams work, as well as how you can defend yourself from them. We will also have a look into how to prevent identity thieves from using your information to con other people.
What is Identity Theft?
Identity theft or impersonation scams are a case of fraud in which an attacker uses social engineering techniques to deceive the victim. By pretending to be someone else, the attacker gains directly by influencing the victim to do something or indirectly by obtaining sensitive information that can be misused later on.
Identity theft and impersonation usually require 3 elements:
- A vector: vectors are an essential element for impersonation, as they can help cover the fraudulent actor’s real identity and help him/her conceal the real identity. For example, phones and emails help the actor conceal their identity as the victim cannot immediately verify the identity of the person making contact. Vectors like personal contact, on the other side, can be used to further the scenario rather than conceal the identity, as meeting someone in person under disguised circumstances can help gain more trustworthiness in the eyes of the victim.
- A scenario: the scenario is the pretext for making contact. It is usually a situation concocted to inspire strong feelings or a sense of urgency that would make the victim think less rationally and more instinctively.
- A call for action: an action call is the exploit of an impersonation. The attacker uses the trust validation created through vector and scenario to have the victim perform an action that leads the attacker to his/her intended gain.
In the next section, I will outline an example of the use of these three elements in an identity theft scenario as well as the most common defence techniques against this kind of attack.
Most common scenarios and defences
A good example of an Identity Theft scenario could be the following:
You receive a phone call from a colleague. You don’t quite recognize the voice as the voice is muffled over the phone, and your colleague asserts he/she has been attacked and her working phone was stolen. She is in the hospital (you can hear sounds in the background confirming this statement), and she needs to review and submit to a client a very important document that he/she cannot access unless you send it to his/her personal e-mail. You don’t quite recognize the e-mail in the beginning, but being a combination of name and surname, you believe that it is legitimate and, considering the bad situation he/she is going through already, you would like to help as much as possible.
This is one of the many possible scenarios that you would have to be aware of by always applying the following logic pattern:
- Vector: in the example, a phone call was placed by an emergency room phone, so you wouldn’t immediately question the fact that the number is unknown, yet you can always check the country code (first digits) on the phone to verify from which country the phone call is coming in. Also some particular institution, such as hospitals, have recognizable phone prefix, while some other, such as big corporations, have their name displayed on call even if you didn’t add them to your phone book. Look for these hints to know who you are about to talk to before you pick up. On the other side, a combination of names and surnames can be easily adopted by people without legitimacy on the identity, especially on less used mail providers’ domains. Always check the mail provider domain (@google.com, @microsoft.com, @easymail.com) and always check with your mail contact history whether you are being contacted by the same person you previously talked with.
- Scenario: in the example, the scenario allowed the scammer to cover with legitimacy easily claims some suspicious aspects, like differences in the voice tone. A busy place and an injury can make communication less clear and distract you from incoherence in the story you are being fed with. If you suspect due to incongruences in the vector and/or scenario you are in contact with, never feel that it is inappropriate to ask for a confirmation. What hospital is the call placed from? What was the phone number of the stolen phone? What project are you working on, and who is managing it? Does the phone have a camera, and if yes, can it be turned on to verify the caller’s identity?
Remember that no urgency is urgent enough to prevent anyone from validating their identity. If establishing someone’s identity, without a doubt, is anything but easy, you are probably being scammed.
- Call for Action: you are being asked to do something against the rules, such as sending work-related information on personal channels. You are putting yourself at risk as well. Helping someone shouldn’t put you in danger, ever. Also, apply special scepticism when you are being requested with urgency money, and sensitive information, as whoever asks for one of these should know how important it is that you deal with them with precaution. If they deliberately ignore it, they are probably trying to scam you.
In the following section, a few tips so that your identity doesn’t serve anyone’s Identity Theft scheme.
What if I am the subject of Identity Theft?
If you believe someone is impersonating you, or if you know due to a report you received. Immediately proceed to contact authorities and try to gain control over your financial and personal data. Change all passwords and verify that multiple authentication methods are enforced on these platforms.
To avoid being a victim of Identity Theft, be particularly aware of the following threats:
- Phishing: Phishing scams are emails or messages that appear to come from legitimate sources.
- Vishing: Voice Phishing follows the same concept of Phishing but uses phone and voice calls as vectors to gain information.
- Public Wi-Fi: Public Wi-Fi networks, such as those found in coffee shops or airports, can be vulnerable to hackers who can intercept and steal personal information while you are connected to them, such as passwords and contacts usernames.
Also, you can always check how much exposure of your personal information you are giving by going to the privacy settings page of your social networks accounts.
To prevent identity theft online, it is important to take action to protect your personal information. It is also recommended to use modern apps and tools that allow you to check suspicious movements on your financial platforms quickly. If you are being scammed through Identity Theft scenarios, always try to mind the vector, the scenario and the call for action presented to you by always giving yourself the time to think twice about these elements.
Identity Theft and Impersonation are internet frauds in which a person disguise his/her identity using someone else’s by using or submitting information found online or through other illicit acts.
Several online tools allow you to check whether your information was leaked online. You can also search for yourself and your data through a common browser to see whether the results you are getting are coherent with your expectations.
Avoid submitting your personal and sensitive information to suspicious websites or to suspicious people that make contact with you through mail and/or phone.
Make immediate contact with the owner of the webpage/app that led you to suspect that your identity was stolen and express your concerns. Contact the police and other authorities in your country that are responsible for communication and IT crimes. Change passwords and enforce multi-factor authentication on websites you think are compromised. Review activity on accounts you think is the source of compromise and gather evidence (mail, chat, phone logs) if you think you were the victim of a scam.