Identity theft (or identity fraud) is a crime in which the attacker gains key identifiable information (such as a social security number or a driver's license number) in order to impersonate their intended victim. This can not only be used to attack an individual, but a company as well and can allow the attacker to have unauthorized access to an organization's network and its data. A common first step an attacker can take in stealing one’s identity is to gather their key personal information.
Dumpster diving is a popular technique used by attackers to gather information since most employees either fail to properly shred or do not shred sensitive documents at all. Shoulder surfing is another popular method used by attackers where they observe the intended victim in a public place and listen in on conversations for key or confidential information; usually when the intended victim is filing out a legal form or talking to a bank representative over the phone.
Phishing is arguably the most popular and common technique used by attackers to steal an individual's credentials via a fake yet convincing e-mail from a trusted source that is usually laces with some form of malware that can infect the victim's device and steal the data stored on it.
How is Identity Theft used?
Once key identification information is gained, there are several ways in which the cybercriminal can impersonate their target. One is called 'true-name identity theft' where a new account such as banking, credit, etc... is created by the attacker for financial theft. An attacker may also commit 'account takeover' identity theft where, as the name implies, the attacker simply gains access to existing accounts and blocks the legitimate owner's access.
Upon taking over existing accounts, attackers can add, change, or delete any and all data that the employee has access to like: HR records (e.g. social security numbers), network administration passwords, as well as but not limited to: financial records and accounts. There so many possibilities in which this type of attack can hurt a business and it remains crucial that there are measures in place to protect against such attacks.
Use prior information for impersonation
How is Identity Theft harmful to businesses?
Identity theft can be especially detrimental to your business because an attacker may gain access to the EIN (Employee Identification Number) and use it to submit false information to the IRS, apply for fake loans as well as change routing information to diver cash flow from an organization and into the attacker's pockets.
Attackers can also make false business transactions with vendors or give false information to the clients of a business to hurt the organization’s reputation and finances. It is especially important that small business is protected from attacks via identity theft as small businesses are the most common targets for fraudsters.
Identity Theft Statistics
people were victims of identity fraud in 2017 based on Javelin's 2018 Identity Fraud Report
- About 143 million Americans have found themselves at increased risk of identity theft after the infamous Equifax breach in 2017.
- $2.3 billion in losses occurred because of account takeovers
- In a 2016 survey conducted by CSID, 52% of small business don't invest in cyber risk mitigation because they do not believe they are storing highly sensitive private information not realizing that any e-mail address, phone number, billing and home address they interact with or store can be used to facilitate a catastrophic cyber breach.
How can Cyber Insurance protect against Identity Fraud?
CyberDot's cyber insurance plan offers protection against first and third-party risks. First-party risk protection covers a small business from monetary losses stemming from a cyber event. Third-party risk protection covers a small business from litigation stemming from any and all third parties if the breached organization's data is altered in any way by the attacker. The costs of handling first and third party litigation alone can financially destroy a small business as well as tank the business's reputation.
Small businesses are usually not regulated to the same standards as large corporations so it’s critical that you have a proper protection plan in place. Remember, you are 100% liable for your customers’ data and information regardless if you store it in the cloud or a third-party service.