Contact Us: 1-800-654-7757 (US) or 1-800-440-8857 (Canada)
5 Ways to Improve Your Family’s Cyber Security
It is easy to fall into bad habits or ignore cyber security at home. With a wide range of personal, financial and medical information stored online, taking time to strengthen your family’s online security could save you time, money and aggravation. This article includes basic tips that will provide peace of mind and help reduce risk.
Protect Your Network – Failing to protect your home wireless network is like leaving your door wide open. Password protecting your network is a good place to start, but there are other steps you must take to truly protect your network. You should also change your security defaults and set up a firewall. Click here to learn more about how to secure your home network.
Protect Your Computer – Use antivirus software to protect your computer from viruses, malware and spyware. Update your antivirus software, operating system and other applications often. Software updates include important security patches that protect your computer from known flaws and threats. Be cautious when downloading email attachments. Many spam or fraudulent email attachments contain malicious software. You should also fully shut down your computer when it will not be in use for extended periods.
Protect Your Cellphone – Current smartphones are more powerful than many home computers were ten years ago. It is important to take similar precautions to protect your cellphone and your private data. This includes locking your phone when not in use, as well as using strong passwords and encryption. Click here to read our article, “8 Ways to Protect Your Smartphone”.
Protect Your Children – Child predators and scammers target children on social networks, gaming sites, message boards and via email. It is important to begin teaching children about online safety early but you should also keep an open dialogue with older children and teens. The National Children’s Advocacy Center offers helpful tips on teaching your children about online safety. You should also be aware of how the information you post online may put your children at risk. Click here to read our alert on the risks of posting GPS tagged photos of your children.
Protect Your Wallet – Each year hundreds of thousands of people fall victim to online scams. Familiarizing yourself with common schemes will help protect you and your family. The best rule of thumb to follow is that if something seems too good to be true, it probably is. Click here to read our article, “Avoid the 5 Most Common Scams”. You can also read more about online scams at OnGuardOnline.gov.
What Are Identity Thieves Really After?
February 14, 2017
By Wayne Peterson and David Dunn
Prior to 2016, the majority of data breaches in the headlines involved the large-scale theft of credit card numbers from major retailers. As the theft of credit card data reaches an apex, however, data-focused thieves are targeting more than what is in your wallet — they are looking to exploit your identity in much deeper and more sophisticated ways. We witnessed this sea change in 2016, when billions of pieces of personal and private information were stolen from commercial enterprises and governments alike. Some of these data breaches involved the theft of email addresses and associated passwords. Others involved the theft of significant amounts of individual health information. Still others involved the theft of credit reports and other valuable personal financial information. This kind of information enables data thieves to pursue what they believe will deliver more lucrative payoffs, such as tax return refunds, medical insurance reimbursements, and retirement account looting.
When compared with the loss of credit card data, identity-focused data theft can be much more damaging to consumers because it is more difficult to detect. In addition, the theft of such data can have a longer lifecycle that makes it harder to address early on, and remediating its impact can require a substantial time commitment and be more expensive. Similarly, businesses are also finding that the costs of investigating and responding to the loss of such highly personal information, as opposed to credit card data, often can be much higher.
Make no mistake, the theft of personal data is a lucrative criminal enterprise that is not going away. We anticipate that the targeting of individuals, businesses, and governments will become more pronounced in the coming years. This is not necessarily a product of the number of records potentially compromised, but rather that our lives have become so intertwined digitally that our personal and business “attack surfaces” continue to expand. Put simply, our personal data is increasingly scattered in a variety of ways, and this creates opportunities for motivated thieves to steal it.
Supporting this viewpoint are some key cyber security findings from Kroll’s recently released Global Fraud & Risk Report, which was based on a survey of executives and businesses worldwide.
85% of executives surveyed reported their company suffered at least one cyber incident over the past 12 months.
Email-based phishing attacks were reported among the top three types of cyber attacks, along with viruses and data deletion.
Cyber attacks most often targeted customer records (51%), followed by trade secrets (39%), and employee records (39%).
These developments demonstrate the changing digital environment in which we all live and the growing risks within it. Unfortunately, criminals see the situation clearly and have a bigger target for stealing and exploiting data for financial gain.
The Most Valuable Information for an Identity Thief
In this article, we describe why certain kinds of data — as well as certain targets — are increasingly attractive to identity thieves. We also provide practical steps that individuals and businesses can take to avoid or minimize the danger from these crimes.
Email and Personal Account Information
The theft of email account login information can occur in a number of ways. One of the most common involves the use of phishing emails. The content and structure of a phishing email are designed to trick or socially engineer the unsuspecting recipient into providing his/her email address and password. In other cases, hackers are able to obtain a list of usernames and passwords by breaching a website.
The potential danger:
Because email has become such an essential and trusted form of communication, when criminals gain access to an email account, there are several different ways that they can exploit the information. The same email addresses are often used across financial and banking accounts. Unfortunately, people often reuse passwords, so once hackers have accessed one email account and its password, they can exploit this generic information to gain access to other individual email or web accounts. From there, crimes can run the gamut from authorizing money transfers, to creating new online banking, brokerage, or retirement accounts, to ordering new credit and debit cards shipped to a new address. Depending on their tenacity and persistence, criminals with access to an email account — particularly one associated with an online financial account, social media account, or online shopping site — can do a significant amount of damage, which can be difficult and time-consuming to overcome.
Exacerbating the problem is the fact that data obtained from breaches of personal information provides an attacker with a much broader view of the targeted victim. With a more complete profile of a victim, attackers can pivot to gain more information and create greater damage. For example, a credit report can contain names, addresses, email accounts, and family member information. Oftentimes, these intimate details actually form the basis for account security questions that are used as part of many account password reset processes: What was your first car? The name of the street you grew up on? Your high school mascot? An attacker with access to an enriched view of personal and credit data can easily answer these questions through a few online searches or educated guesses.
Credit Report Information
Credit reports are an incredibly rich source of information. While most people are familiar with their “FICO” or credit score, a full credit report can include a tremendous amount of personal data about an individual consumer. Depending on the provider and the type of report, the report will contain varying types and degrees of information. These reports may include current as well as past addresses; bank accounts, including bank name and account balances; and information on outstanding loans and corresponding balances. Some providers also enrich these reports with data about relatives, email addresses, and even vehicles owned.
The potential danger:
The first move a criminal is likely to take with this information is to perpetrate “new account” fraud, i.e., taking the information to create new credit accounts. Very often, these are small online accounts that the attacker will use to purchase goods and services and never pay the bill. This can affect the consumer months or years down the road when they have negative credit marks or even collection requests for accounts they never even established.
One of the trends that we have seen lately is the establishment of new credit accounts with individual retailers. Many retail outlets offer a credit account that can only be used to purchase merchandise from that particular store. These accounts are typically easier to open than a major credit card, so it is not uncommon to see a single stolen identity used to open over a dozen such accounts.
Personal Health Information
Health care providers and insurance companies compile personal health information records that are rich in credit-related data as well as confidential or sensitive health-related data on patients and insureds. Because many families are insured under one family member’s health care plan, stolen personal health information may include Social Security numbers, names, birth dates, addresses, and other data of all family members, including children. Data related to flexible spending or health savings accounts (FSAs or HSAs) may also be linked to this information.
The potential danger:
Armed with this information, a criminal can try to exploit accounts that have already been created, such as an FSA or HSA, or the information could be used to create new accounts in the victim’s name. Children can be particularly impacted, because they typically do not have a credit file that is being monitored and one established using a child’s information can go undetected.
Personal health information may also include confidential data on illnesses, diseases, mental health, and various treatments. This information is very private and sensitive and is protected by law to prevent discrimination. As we have seen in cases involving several prominent celebrities, perpetrators can try to use the information for extortion or to embarrass the victim.
Businesses, particularly small and medium-sized (SME) ones, are ripe for targeting by sophisticated identity thieves. By taking over email accounts of executives or finance team members, or by creating fake email accounts intended to impersonate these people, criminals can socially engineer either the financial team or the company’s bank into sending out a bank transfer. Established businesses often have a routine for initiating these types of bank transfers, and those can be very basic. For example, a single person may be authorized to initiate transfers from an online account or via an email or phone call to the bank. While banks should verify the transfer, sometimes they do not in an effort to provide more personal customer service and to foster a relationship of trust. New businesses on the other hand, especially those that are growing quickly, can run into trouble when their sales outpace the back-end support. Defense regimes such as information security measures and financial controls are often not fully funded or fully developed to prevent fraud.
The potential danger:
These attacks have been successful with both well-established businesses as well as with new and fast-growing enterprises. The financial loss is immediate, often reaching into the millions of dollars, and such funds can be impossible to recover.
The Future of Big Data and Information in the World of Identity Theft
For years now, the mantra for everyone from the smallest company to the world’s largest enterprises has been: “More data is better.” Companies are sweeping up enormous amounts of user behavior data in order to figure out how to best target advertising dollars – but criminals are more than aware of the troves of data being collected and stored.
Nation-states are also aware of this trend, and when breaches have been attributed to nation-state actors, the situation gets more complicated. The generally accepted assumption is that the nation-states are looking to build vast databases on entire populations, which may later be used to target specific individuals. They may not use the information today, but they may decide to exploit it in the future. Compounding the problem is the tolerance for criminal cyber activity that has been demonstrated in some foreign countries. A criminal hacker today may be a nation-state’s hacker for a project next month, and then be back to criminal hacking next year.
Today, there is no single place or central online marketplace where a criminal can sell or buy all of the information on an individual from breaches. This data is sold off in different segments to various groups, where some of it eventually ends up for sale to individual fraudsters and some of it does not.
The ultimate concern is that large portions of hacked databases will be pieced together by criminal hackers, or released by nation-state actors, enabling the creation of a single marketplace where a very detailed individual profile can be pulled on an individual or a company. Combining all of this information into a single “super” profile could result in the launch of not just one of the risk scenarios mentioned above, but rather multiple ones at the same time.
Practical Steps to Help Avoid and Mitigate Harm from Personal Information Identity Theft
While the specter of super profiles can be daunting, the news is not all dire. In fact, armed with the knowledge of how and why identity thieves are targeting personal data beyond credit card numbers, individual consumers and businesses can take numerous steps to protect themselves.
If you use the same password for multiple accounts, you know from this article how that can be leaving you and your family open to serious harm. Using different passwords for different accounts creates an extra barrier for identity thieves. So, over the coming weeks, every time you log into an online account, take a few minutes to change your password. Here are additional tips to help protect yourself and your family:
Invest in ID theft protection. The number one thing that you can do to protect yourself is have ID theft protection. If you suffer an ID theft-related breach, the number of hours you may have to dedicate to clearing your name and your credit can be incredible. A good ID theft protection service can guide you through this process and do a lot of the restoration work on your behalf.
Check your children’s credit. When you obtain a credit report for yourself annually, check to see if a credit file exists for your child. If one exists, that is a good indication that fraud has occurred and that your identity may have been compromised as well.
Link a second email account to your primary account. This second account will receive alerts if someone tries to change the password to your primary email account.
Set up security alerts for your online bank accounts. These include alerts for password changes, large dollar transactions, and others, depending on what your bank offers.
While many of these best practices may go against the idea of creating frictionless transactions and seamless customer service, a little bit of friction can often create enough time to catch criminal activity early.
Never send a wire transfer based on an email. If a wire needs to be sent, always employ out-of-band authorization to verify the transfer. For example, call the person on the phone who asked you to send it, verifying that he or she actually made the request. Additionally, set up dual controls for business wires: one employee can initiate the wire, but a second employee needs to confirm that transfer. Employee training is critical for reinforcing the need to follow established protocols and to recognize that requests that deviate from these protocols should raise red flags.
Implement two-factor authentication. Whenever anyone needs to access sensitive company resources, set up a second level of authentication before permitting account log-in.
Set up trip wires. Make sure that you have alerts set for any time someone changes your business online banking profile.
Do not let your business outgrow your security. Businesses of all sizes need to carefully weigh their exposure. Particularly with quick-growing enterprises, the team can overdrive technology, leaving some gaping security holes. If your business is growing rapidly, invest in deploying technical resources and dedicate in-house staff or contract with outside resources to help keep your business safe. These resources can be expensive, but the reputational damage in the event of a breach can be catastrophic.
Wayne Peterson, Kroll
Wayne Peterson is a recognized industry expert on data breach and identity theft. He joined Kroll following a distinguished 20-year career in the U.S. Secret Service. While with the Secret Service, Peterson rose to senior positions in the agency. He was appointed to serve as the agency’s representative to the Computer Emergency Response Team (CERT) Coordination Center located at Carnegie Mellon University. He remained in that role for three years, where he had responsibility for coordinating the Federal Government’s response to data breaches that impacted the nation’s critical infrastructure and financial systems. He also led the Secret Service’s Cyber Intelligence Team, which had the sole responsibility for conducting investigations aimed at disrupting and thwarting international identity theft and hacking organizations operating in the Dark Web underground. The work performed by Peterson and his cyber squad led to the arrest and conviction of some of the world’s most notorious hackers and identity thieves. Peterson achieved these results by working closely with law enforcement partners situated across the globe and he developed deep and lasting relationships with his global counterparts. Indeed, Peterson served as the Secret Service’s main contact with international law enforcement agencies for the coordination of cross-border and multi-jurisdictional cybercrime investigations and prosecutions. Peterson brings his exceptional experience every day to the task of helping Kroll and its many clients manage and reduce the risks that flow from data breaches and the theft of personal identifying information.
David Dunn, Kroll
David Dunn is a recognized identity theft and cyber security expert at Kroll. During the course of his more than 15-year career in law enforcement, Dunn was assigned to the U.S. Secret Service Electronic Crimes Task Force, where he worked numerous international cases aimed at identifying and disrupting the activities of global cyber criminals. Dunn's investigative efforts resulted in multiple international arrests, including the arrest and 2016 prosecution and conviction of the world's largest vendor of stolen credit card data. Due to his deep expertise, Dunn is frequently invited to present on the techniques utilized by hackers to steal, sell, and exploit consumer data. In the course of his investigations, Dunn has witnessed firsthand the devastating impacts this type of crime can have on innocent victims. He has worked directly with both large and small businesses as well as with individual victims and their families to help them recover and to understand the steps they can take to prevent such incidents from impacting them in the future. As part of the Kroll team, on a daily basis, Dunn utilizes his knowledge of the Dark Web and the methods employed by cyber thieves to protect the interests of Kroll and the clients that it serves.
Copyright © 2017 Kroll All Rights Reserved.
Top 6 Tips from Your LegalShield Lawyers
Your LegalShield membership gives you access to a wide network of experienced attorneys. Using your LegalShield membership helps you make informed decisions about all manner of legal matters from the trivial to the traumatic. We surveyed some of our top LegalShield provider attorneys and asked, “What is the most important advice you can give our LegalShield members?” Here is what they said:
No problem is too small. If it is important to you, it is important to us. LegalShield provider law firms deal with everything from personal injury and bankruptcy to parking tickets and utility bill disputes. No matter what type of issue you are dealing with, your provider law firm can offer practical legal advice.
There are no dumb questions, but many mistakes are made by not asking a question. If you have a question, never hesitate to ask. Your LegalShield provider law firm can help demystify even the most complex legal problems.
Lawyers cannot change the past; NEVER sign a contract, lease or other agreement before you call your LegalShield attorney for review and advice. Contracts and other written agreements are often written to intentionally obscure the true meaning. Your LegalShield attorney can help you make sense of a contract, lease or other agreement to ensure you fully understand your obligations.
Call your LegalShield Provider law firm to learn ALL of your available legal options before making an important decision. Sometimes even the best option is not ideal, but it is important to weigh all of the possible legal remedies. Making an informed decision early on can make all the difference.
If you are arrested or detained, tell the police officer clearly and unequivocally that you will not answer any questions until you talk with your lawyer. Always remain calm and respectful in your interactions with law enforcement. Save any objections or arguments you may have for court.
Program your LegalShield provider law firm's phone number into your cell phone. The new MyLegalShield member app makes it easier than ever to call your provider law firm. Once you are signed in, the app knows what number to dial. The same is true when you want to call your Identity Theft Advisor or member services team. In addition, if you have an emergency, you can use the app to call 24/7/365 and speak to a lawyer.