Most people have already been victims of the most basic forms of identity theft — having fraudulent charges on your credit card. Those even less lucky have been victimized in more aggressive ways, with criminals obtaining medical care, working, and flying in our names.
Unwinding that mess can take years and thousands of dollars. The effect is exacerbated by the fact that the crime doesn’t generally stop with the one person who stole your information. Credit card numbers, Social Security numbers, and other data gets packaged and sold on the underground Internet so that different people all over the world could be impersonating you at the same time.
“It’s a pain. It does cause a lot of stress,” said Lindsay Bartsh, of San Rafael, California, who said that straightening out a web of fraudulent medical bills, flights, job applications, and credit applications took every minute of her free time for a year.
How does it happen? Here’s a look at both the most common ways thieves steal our data, as well as some of the newest ploys to watch out for.
1. Mail Theft
Bartsh believes this time-honored tactic is how her personal information got out into the criminal underworld. An expected W-2 tax form never arrived. Assuming it was stolen, it would have given thieves a wealth of information, such as Social Security number and workplace.
2. Database Hacks
When a large corporation gets hacked, the effect can be widespread. When the U.S. government’s Office of Personnel Management was breached, some 22 million people had their personal information exposed. (I was one of the many who received a warning about this, because I had a writing contract with a government agency.)
3. Malicious Software
If you have a virus on your computer, you may suffer more than a slowdown or a system crash. Some malicious programs that spread as viruses record every keystroke you type, allowing thieves to find out your online banking username and password. These programs can infect your mobile phone as well as your computer.
4. Search Engine Poisoning
This is a sneaky way of tricking people into giving up their own personal data, or getting malicious software onto a person’s computer. The criminals create a fake website similar to a real one, or that could plausibly be a real one.
One tactic is for you to click through to the fake site and try to buy a product, entering your credit card or debit card number. Another way they try to get you is for you to unknowingly download information-stealing software onto your computer.
Where does the search engine part come in? These criminals manipulate Google and other search engines’ algorithms to get their phony sites ranked high in search listings, leading users to believe they must be legit. Fortunately, Google has made progress in preventing this in recent years, but it still happens.
Phishing is a term that broadly means “fishing” for personal information through a variety of common social interactions — so-called “social engineering.” The most common phishing attack happens when you get an email that looks like it came from your bank or another legitimate company. It may come with an alarming subject line, such as “overdraft warning” or “your order has shipped.” When you click a link in the email, you may see a login screen identical to your normal login, which will trick you into entering your username and password. You could also be asked for more identifying details, such as Social Security number and account number.
Fortunately, banks have put some countermeasures into place to fight phishing. You can also protect yourself by not responding directly to incoming messages. If you get an email that looks like it’s from your bank, type your bank address into your browser instead of clicking the link, sign in, and check your account’s message center. Or just call your bank’s customer service number.
6. Phone Attacks
The Internal Revenue Service has been warning for several years that scammers are calling people claiming to be the IRS, either claiming that they have a refund due or owe money. Fishing for information via the phone is also known as “vishing,” as in, “voice phishing.”
If they’re taking the refund tactic, they’ll probably ask for your bank account number or other personal info, supposedly in order to send you your refund. If they say you owe, they may ask for a credit or debit card number, or worse, try to get a payment in a way that’s not traceable or refundable, like through a prepaid debit card.
This kind of scam is also known as “pretexting,” and the really good scammers make it seem realistic by having some basic info about you on hand before they call, like your address and date of birth, which are pretty easy to find online.
7. Text Attacks
In another twist on phishing, “smishing,” or SMS phishing, sends you a text message encouraging you to click a link that will either trigger the download of malicious software or direct you to input personal information.
8. Fake Wi-Fi Hotspot
Also known as an “evil twin” hotspot, this is a Wi-Fi connection setup in a public place, like a cafe, with a name that leads you to believe it was provided by someone trustworthy, like the cafe owner. The evil twin Wi-Fi hotspot really connects you to the Internet, just like a legit connection. The difference is, the evil twin is provided by a hacker, who uses specialized software to eavesdrop on information you’re sending out — like your bank password or Social Security number — or to direct you to a malicious website like those described above.
When a hacker interrupts your attempt to access a legitimate website and steals the data you’re trying to send, it’s called a “man in the middle attack.”
9. Dumpster Diving
Another low-tech but very effective method is simply pawing through recycling bins, looking for discarded credit card offers, bills, medical records, and other paperwork that could have personal information on it. Not only can identity thieves hit you at home, they could also search dumpsters outside of medical offices, schools, and banks.
10. Workplace Theft
A U.S. Department of Justice survey of convicted identity thieves found that a third of them accessed victims’ information through their jobs. The criminals worked for mortgage companies or at government agencies such as the Department of Motor Vehicles, where they had access to treasure troves of client information. Others lifted information from job applications.
Back in 2000, just one guy was responsible for stealing 33,000 people’s credit reports at his credit industry help desk job. He sold the reports to thieves who, according to news reports, used the information to steal up to $100 million.
When someone breaks into your home or car, it may not be the loss of your jewelry, cash, or laptop that hurts the most. If they find your credit cards, Social security card, or tax returns — or get such information off a stolen computer — you could be in for severe identity theft.
Another old-fashioned crime that has thrived in the era of high-tech data theft, pickpocketing nowadays commonly leads directly to identity theft. In fact, a major ID theft ring busted 10 years ago targeted crowded events to steal wallets and convert the information inside to valuable dossiers of information, which they would later resell.
13. Mobile Phone Theft
If you have authorized your phone to make payments on your behalf, saved passwords for banking and retail sites, or saved other personal data on it, having the device stolen could cost you a lot more than the replacement cost. Phones that aren’t password- or fingerprint-protected are most vulnerable.
14. Mobile Phone Account Hijacking
Another form of ID theft targeting phones happens when someone gets ahold of your account information and uses it to order a new phone or line, with the bill going to you.