While there are many things that can expose your personal information (like data breaches), there are others that are more within your control, and precautions you can take to prevent them. But how do you avoid the common identity theft scams that are out there? Today, we’ll be showing you what to look out for, and how to protect yourself.
A 2018 study by Javelin Strategy and Research found that there were 16.7 million reported victims of identity fraud in 2017 – that’s a record high, up from the previous year – and all signs point to a continued upward trend. That same year, the American public was defrauded of as much as $16.8 billion. Criminals are engaging in complex identity fraud schemes, leaving trails of victims in their wake. That means that now, more than ever before, you need to keep an eye out for scams that would steal your personal information. Read on to learn how.
Common identity theft scams
Since scams are a more-or-less avoidable source of identity theft, you can put a stop to many of them more easily – if you know what to watch for. That said, scams take many forms, and some are more common than others. From phishing, hacking over public Wi-Fi, and skimming at gas pumps to fake phone calls and job scams, there are many. Let’s take a closer look at each.
1. Credit/debit card skimming
“Skimmers” are devices that thieves add to machines that you swipe your credit or debit card through – ATMs, gas pumps, and even fast food payment stations. Each time a card is swiped through, its information is stolen from its magnetic strip and stored away for the criminal to create a cloned card later. Some even add a camera to the machine to watch you enter your PIN – that way, they’ve got both your card numbers and your PIN and can completely drain your account.
2. Public Wi-Fi
Public Wi-Fi, like that found at an airport, tends to be unsecured. That means that when you connect to it, any activities you perform can be watched by the network’s owner and by hackers. Any sensitive accounts you visit – like your bank account – can give hackers your username and password with relative ease.
Phishing schemes are the most common computer-based identity theft schemes. They occur through many different mediums, like text messages, emails, phone calls, and social media – but they all have the same goal: to get you to disclose your personal identifying information. Each of these has a different name, so we’ll break each one down separately:
Pharming happens when a hacker tampers with a website’s host file or domain name, so that when you click on the site or type in the URL and hit “enter”, you’re rerouted to a fake “spoof” website that looks exactly like the one you wanted to visit. Then, when you input your personally identifying information – credit card numbers, SSN, addresses, etc. – you’ve willingly given away your identity to the hacker to use as he or she sees fit.
Vishing is a clever play on the words “voice phishing.” A thief contacts you by phone, pretending to be an individual working at a legitimate organization, like the IRS or another government agency, a financial institution, payment services organization, or other well-known company. Another method of vishing is robo-calls, which are prerecorded messages that urge you to call the contact number, citing an emergency that requires you to provide personal information or credit card numbers.
Some more examples of companies and lines they might use:
- Tech support companies calling about a problem with your computer/tablet/etc.
- That you owe money to the IRS
- You won a prize, but need to pay fees to get it
- A friend is in trouble and needs your help
- A utility company
- Charities asking for donations
- “We just need to confirm” your personal information
6. Search engine phishing
In this type of phishing, thieves create websites that have “too good to be true” offers on them. They get these sites ranked in Google so that users will find them in the course of their normal internet searches. Once on the site, you become susceptible to losing your personal information if you try to take advantage of their offers.
For example, a tech store might be advertising a 55” 4K TV for $429.99, and you find a site that advertises the same TV for $99.99.
This type of phishing poses as a text message that appears to be from a financial institution or other legitimate organization. It will look urgent and try to scare you into thinking you’ll suffer financial damage or other fees if you don’t reply. There’s usually a link included to click on, and in that link you’ll be asked for personally identifying information.
8. Malware-based phishing
Phishing through malware occurs when a thief attaches a harmful computer program to emails, websites, or electronic documents that otherwise appear helpful and harmless. Once you’ve opened the attachment, however, the malware uses keyloggers and screen loggers to track and record everything you do on your computer or device – from keyboard strokes to website visits and everything in between. The malware then sends this information to the thief, who can watch your every move in real-time and take usernames and passwords from it.
One serious example is an email that appears to come from Norton Anti-Virus, the internet security company. You’re prompted to install an updated web browser – but in reality, if you click the link and download the updated browser, you’re just downloading malware.
9. Spam-based phishing
Everyone has gotten spam at some point. If you have an email account, you’ve gotten spam, whether you realize it or not. In this scheme, you’re sent repeated spam emails offering opportunities for scholarships, business partnerships, free products, “matches” from supposed dating websites, and more. They may pretend to be an organization you belong to. Again, as always, the goal is to prompt you to provide your personal identifying information.
10. Spear phishing
Spear phishing is like email or spam phishing, with a notable difference: it targets businesses. Each email is sent to just about every employee in an organization and written to look like it comes from a division within the organization, like IT or HR. It may request that every employee send their username and password in reply for “verification purposes.”
11. Man-in-the-middle attacks
This type of scam involves intercepting the communication between you and another party without either party knowing. The thief records the information and uses it to access your accounts. One common example is accessing an online website, like your bank or credit account. When you click on the link, you’re taken to the website – except not really: the website is actually redirecting you to another website that looks just like the one you’re trying to visit. If you were to look at the URL, it would say something like:
Any information (username, password, verifying information) that you enter on this website is rerouted to the financial institution’s website, and the information from the financial institution’s website is rerouted back to you.
As you go about your business as normal, the thief is quietly watching and obtaining your personal identifying information from the “man-in-the-middle” website they slipped between you and the legitimate site you’re visiting. It’s similar to pharming, except that information actually passes between you and the website you intended to visit.
How to avoid these scams
Avoiding these scams really isn’t complicated, once you know what to look for. Avoid giving out personal information online, by phone, or otherwise unless you can verify that the request is legitimate. It’s that part – the verifying – that takes some practice and a little advice on what to check for. But before we get into that, a piece of general advice: even if you follow the suggestions in this section, check your credit reports regularly. That way, you can see if there’s any wrongful activity on them and take action fast. Each of the 3 major credit bureaus (Experian, TransUnion, and Equifax) offers one free annual credit report. Space them out across the year and you can get a free report every 4 months.
That said, let’s dive into how to avoid each of the above scams.
The most obvious way to avoid credit and debit card skimming is to just not use your credit or debit card. Instead, use cash or prepaid cards. But we recognize that that’s just not always practical. So, keep an eye out for a few things: if any part of the machine looks different in color or material than the other parts, it may be a skimmer. If it looks loose or poorly tacked-on, it may be a skimmer. Some gas stations even place a sticker across a seam near the card reader and advise you to report it if the sticker is broken, as there may be a skimmer. To see some examples, check out this gallery. Oh, and cover up the keypad – if there are any cameras, you’ll obstruct their view of your PIN.
If you can’t avoid using public Wi-Fi, when you do, don’t share personal information or visit sites that contain important information – like your bank or credit accounts. Make sure you have good anti-virus and anti-malware software on your device, and consider investing in a good VPN. It’ll encrypt your information and help you stay safe and secure from potential identity thieves.
For preventing phishing scams, there are 2 general threads you may have picked up on: pay attention to your URL, and never give your personal information without having verification of the entity contacting you. Alongside that, here are specific tips for each phishing scheme:
Check for the “padlock” symbol in the right-hand bottom of the website scroll bar if it’s a merchant website. This indicates that it’s secure and not fake. If you’re visiting an organization or affiliation, contact the website’s administrator by phone or email to check that such info is actually needed.
Always be suspicious of any unsolicited phone calls. Use their call-back number through your caller-ID to do a reverse phone search (you can do that here). Once you’ve found the company that called you, call back using the number you found online, not the number that called you. This way, you bypass the potential scammer and speak to someone at the legitimate company. Ask the company if the request was legitimate.
You can also register with the “Do Not Call Registry”, which can help reduce the number of calls you receive.
- Search engine phishing
Before providing any information or downloading anything from the site, research the company. If you’ve never heard of them before, consider contacting competitors to question the legitimacy of the offers being made. Again, if you’re considering purchasing something, check for the padlock symbol at the bottom right corner of the scrollbar. You can also use org to verify if a website is legitimate.
First, do not dial back. This just provides the scammer with more information for the future. Instead, follow the same steps for “vishing.”
- Malware-based phishing
Use caution before downloading or installing any programs from the web. Consider contacting the company or organization through normal means. If you received the offer by email, do not reply; again, you’re giving more information to the attacker.
- Spam-based phishing
Google search the opportunity or offer advertised, or contact the company to verify. You can also check out org and spamhaus.org to see if a website is suspected of sending phishing offers.
- Spear phishing
Do not reply; contact your network administrator or the individual supposedly sending the email. Also notify the head of your division and other colleagues.
- Man-in-the-middle attacks
This one’s fairly simple: verify the URL of the website you’re on. If it looks suspicious, close the browser immediately.
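What "verify the URL" means in practice is comparing the host part of the address, not the text that merely appears somewhere in it. The sketch below is an added example, not part of the original article; `check_url` and all sample addresses are hypothetical and use reserved test domains.

```python
from urllib.parse import urlsplit

def check_url(url, expected_domain):
    """Return a list of reasons to distrust `url`; an empty list means it matches."""
    reasons = []
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")   # hostname is already lowercased
    expected = expected_domain.lower()

    if parts.scheme != "https":
        reasons.append("not https")
    if parts.username is not None:
        # Anything before '@' is login data, not the site being visited.
        reasons.append("text before '@' is not the site name")
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        reasons.append("internationalized name, may imitate Latin letters")
    if host != expected and not host.endswith("." + expected):
        reasons.append(f"host is {host!r}, not {expected!r}")
    return reasons

# Constructed sample addresses, checked against the site the user meant to visit.
SAMPLES = [
    "https://www.examplebank.test/login",
    "http://examplebank.test/login",
    "https://examplebank.test@login.evil.example/",
    "https://examplebank.test.secure-login.example/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        problems = check_url(url, "examplebank.test")
        print(url, "->", "looks right" if not problems else "; ".join(problems))
```

The real site name is read from the right-hand end of the host, which is why the last two samples fail even though the expected name appears in them.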
How to tell if you’ve been scammed
There are some easy-to-watch-for things that indicate that you’ve fallen victim to an identity theft scam:
- There are unexpected popups on your device asking if you want to allow software to run;
- You are unable to log into your social media, email, or other accounts, or your profile has been logged into from an unusual location;
- Money disappears from your bank account randomly;
- You receive charges on your credit cards that you didn’t purchase;
- You’re refused a financial service or loan application, or your credit card is declined;
- You receive bills, invoices, receipts, or other pieces of mail for products or services you didn’t
- You’re receiving new inquiries on your credit report from businesses that you didn’t give permission to.
What to do if you’ve been scammed
If you think you’ve given out your account details or any personal identifying information to a scammer, or you notice some of the warning signs in the previous section, you should act fast. Contact any relevant agencies immediately – i.e. your bank, the financial institution, and any other agencies that can be accessed with the information you gave out. Another thing you can do is contact iDcare. They’re a government-funded service that works with you to form a plan of attack specific to your situation and provides support. You can visit their website or call them by phone at 1300 IDCARE (432273).
Unfortunately, scams are everywhere. Stories abound of people falling for seemingly legitimate offers and having their personal information stolen as a result. Luckily, there are some fairly simple methods that can help you to avoid the many types of common scams that are out there. Don’t be a part of the nearly $17 billion identity theft industry – keep an eye out for the scams we discussed here and stay safe.
Have you or someone you know been a victim of one of these identity theft scams? Which one? What happened? Share your experiences with us in the comments section.