What is Identity Theft?

Identity theft (or identity fraud) is a crime in which the attacker obtains key identifying information (such as a social security number or a driver's license number) in order to impersonate their intended victim. It can be used against a company as well as an individual, and can give the attacker unauthorized access to an organization's network and its data. A common first step in stealing someone's identity is to gather their key personal information.

Dumpster diving is a popular technique used by attackers to gather information, since most employees either fail to shred sensitive documents properly or do not shred them at all. Shoulder surfing is another popular method, in which attackers observe the intended victim in a public place and listen in on conversations for key or confidential information, usually while the intended victim is filling out a legal form or talking to a bank representative over the phone.

Phishing is arguably the most popular and common technique attackers use to steal an individual's credentials: a fake yet convincing e-mail that appears to come from a trusted source and is usually laced with some form of malware that can infect the victim's device and steal the data stored on it.

How is Identity Theft used?

Once key identification information is gained, there are several ways in which the cybercriminal can impersonate their target. One is called 'true-name identity theft', where the attacker creates a new account (banking, credit, etc.) for financial theft. An attacker may also commit 'account takeover' identity theft where, as the name implies, the attacker simply gains access to existing accounts and blocks the legitimate owner's access.

Upon taking over existing accounts, attackers can add, change, or delete any and all data that the employee has access to, including but not limited to HR records (e.g. social security numbers), network administration passwords, and financial records and accounts. There are so many ways in which this type of attack can hurt a business, and it remains crucial that there are measures in place to protect against such attacks.

Dumpster Diving

This is the act of physically going into a trash site near the victim’s location to search for valuable documents such as old bills and employee HR documents to gain critical data to steal the victim’s identity. It’s crucial that companies enforce strict guidelines to ensure such documents are properly disposed of and shredded.

Stealing Mail

Attackers may also attempt to steal the mail of their victim to gain critical data and steal their identity.


A popular technique for attackers to acquire credit card information is to install a “skimmer”, a device placed over the credit card slot of an ATM that captures and stores the data from the victim's credit card swipe.

Use prior information for impersonation

There have been plenty of massive breaches that have revealed millions of records of personal data, and it’s usually not too hard to find such information on the dark web. Hackers may also use the information they have about the company and/or the victim to impersonate them and gain even more confidential data. An example could be calling HR with an employee number and using social engineering techniques to trick an employee into revealing such valuable information.

How is Identity Theft harmful to businesses?

Identity theft can be especially detrimental to your business because an attacker may gain access to the EIN (Employer Identification Number) and use it to submit false information to the IRS, apply for fake loans, and change routing information to divert cash flow from an organization into the attacker's pockets.

Attackers can also make false business transactions with vendors or give false information to the clients of a business to hurt the organization’s reputation and finances. It is especially important that small businesses are protected from attacks via identity theft, as small businesses are the most common targets for fraudsters.

Identity Theft Statistics

  • 16.7 million people were victims of identity fraud in 2017, based on Javelin's 2018 Identity Fraud Report.

  • About 143 million Americans have found themselves at increased risk of identity theft after the infamous Equifax breach in 2017.
  • $2.3 billion in losses occurred because of account takeovers

  • In a 2016 survey conducted by CSID, 52% of small businesses don't invest in cyber risk mitigation because they do not believe they are storing highly sensitive private information, not realizing that any e-mail address, phone number, billing address, or home address they interact with or store can be used to facilitate a catastrophic cyber breach.

How can Cyber Insurance protect against Identity Fraud?

CyberDot's cyber insurance plan offers protection against first- and third-party risks. First-party risk protection covers a small business from monetary losses stemming from a cyber event. Third-party risk protection covers a small business from litigation stemming from any and all third parties if the breached organization's data is altered in any way by the attacker. The costs of handling first- and third-party litigation alone can financially destroy a small business as well as tank the business's reputation.

Small businesses are usually not regulated to the same standards as large corporations, so it’s critical that you have a proper protection plan in place. Remember, you are 100% liable for your customers’ data and information regardless of whether you store it in the cloud or with a third-party service.
