In the last article, I warned you that we  shouldn’t think that identity theft is always “high-tech”, because it can can happen to anyone, even if they don’t have a computer and don’t make use of social media or even own a cell-phone.

In this article I will concentrate on the “high-tech” methods of identity theft. The identity thief’s goal is always to obtain personal information about you, such as your ID Number, your bank or credit card account numbers, information contained in your credit report, or the existence and size of your savings and investment portfolios so they can use it for their own financial advantage.

The identity thief then contacts your financial institution pretending to be you or someone with authorized access to your account. (You have given the thief that information)  The thief may, for example, claim that they have forgotten their chequebook and needs information about their account…

šCredit/Debit Card Theft – Many people believe credit card fraud and identity theft are the same. In reality, they are different crimes. The main difference between credit card fraud and identity theft is that credit card fraud typically involves a single credit account, but if someone steals your identity, the potential for damaging your credit history can be much greater because someone can open numerous lines of credit in your name. Credit card fraud typically occurs when someone steals your credit card information and uses it to make unauthorized purchases. This can be done by stealing your purse or wallet or, if the criminal works at a retail store or in a restaurant, he or she may simply copy your credit card information during a transaction.

Pretexting – If you receive a phone call from someone from a reputable research firm asking you to participate in a survey, asking  seemingly harmless questions like the name of your cellphone provider, bank, and even your preferred shopping center, this is probably a pretexting scam. Pretexting is the practice of getting your personal information, such as telephone records, bank or credit card numbers, or any other information, under false pretenses. A pretexter pretends they are someone else to obtain your personal information claiming they are from a survey firm, and want to they ask you a few questions. Sometimes they will claim to be representatives from other types of organizations – not just survey firms –  but banks, SARS, insurance companies and ISPs.

Skimming – Identity thieves place small machines, or skimmers, in the card slots of ATMs in order to steal credit and debit card numbers and pin codes from their unsuspecting victims. This has also been reported to occur at some petrol stations where you can pay at the pump. It is not easy to look at a card reader and see that it has been altered in some way before you insert your debit or credit card, as some of the skimmers are so advanced that they are virtually undetectable. In some cases, a skimmer may remain in place for months at a time, unnoticed by employees of the “host” store, and it could take months before victims realize that an identity thief has stolen their card number and PIN. Most victims only find out after the thief starts starts making illegitimate purchases or withdrawals from their accounts, often to the tune of thousands of rands.

Man-in-the-middle attacks – Smartphones and tablets has become a major point of access to the internet. There are many WiFi networks that people can connect to from almost anywhere, (like public libraries, airports, shopping malls and government or municipal facilities), but it opens a massive “port of entry” for hackers. This has led to the increase of “Man-In-The-Middle” attacks. A Man-In-The-Middle attack, also known under the acronym MITM, happens when a communication between two parties is intercepted by an outside entity. The perpetrator either eavesdrops on the communication or impersonates one of the two parties, making it appear as a regular exchange of data. A MITM attack targets users of enterprise email accounts, financial applications, and e-commerce websites in order to steal account details, credentials, bank account or credit card numbers and to monitor password changes.

Phishing – The Internet scam known as “phishing” (the “ph” substitution distinguishes the activity from the real “fishing” but the activity is intrinsically the same) is a spam e-mail message that contains a link to what appears to be from a legitimate business, such as your bank, but it is actually a fake website. The e-mail often states that you must update your account information through a bogus link to a phisher’s website and the user, unknowingly, gives out personal information to the fake website.

Pharming – A relatively new Internet scam is “pharming”. Using a virus or malware, the victim’s Internet browser is hijacked without their knowledge. If the address of  a legitimate website is typed into the address bar of a browser the virus redirects the victim’s browser to a fake site.  All identifying information, such as bank passwords and credit card numbers, is collected by the scammers who steal the user’s identity.

Vishing – This is similar to “phishing” which uses e-mail. However “vishing” scams attempt to trick targets into divulging personal information such as credit card, bank account and social security numbers using new telephone technology. Typically, “vishing” targets will receive a phone call from what appears to be a legitimate business, such as their bank or credit card issuer, and the victim is informed the target that their account has been compromised. The “visher” usually requests that the caller enter their account or credit card number or even their social security number to secure their account, thereby compromising the victim’s identity.

SMiShing (SMS phishing) – This form of “phishing” specifically targets smartphones. Smishing, uses the scammers’ old favorite—phishing, to sending out email to entice their intended victims to click a link that actually downloads malicious software or virus on the smartphone. As its name implies, smishing comes from “SMS phishing”. A smishing attack goes after the smartphone via text message, and usually occurs when a message is received from an unknown number that offers some sort of incentive. It might be telling you about a free offer, a coupon, something wrong with your account, or even more likely, it might claim that “your friend” has sent you a “greeting card” or message. Unlike viruses of the “old days” that sought to lock up your computer or disable your files, smishing attacks remain hidden and continue to feed information back to the smisher. Information like contacts list, email address books, and passwords are sent to the scammers.

Spear-phishing – Our last method is spear phishing. That term is used because the scammer is targeting you specifically instead of just sending out random “shot in the dark” emails that someone will hopefully fall for. Spear-phishing is very successful (especially within environments like the university) because scammers pay attention to your internet activity and send you requests that look like the real thing, claiming to be from entities within the environment that you actually deal with. Scammers can pull off spear phishing attempts based on the information that you share about yourself, as well as other bad habits like using the same password for multiple websites. As soon as you post updates to social media, especially about accounts, people you interact with, purchases you’ve made, and more, you’re handing over vital information that a scammer can use to target you.

How to protect yourself from Identity Theft:

  • Don’t give out your personal information on the phone, via email or snailmail unless you’ve initiated the contact, or unless you are sure it’s safe. And don’t feel guilty about saying No.
  • Never use your pet’s name (or children’s name) or a nickname as a password.
  • Ask your financial companies about their policies for preventing identity theft.
  • Be VERY careful about answering surveys — and certainly don’t give out any personal information to anyone who calls on the phone or asks via email. If you do answer survey questions, use common sense and don’t give out any information that could be sold or used by identity thieves. In other words “control” the information that you give out.
  • Tell your colleagues, family and friends about the dangers of identity theft. Awareness and sensitization empowers even the most “non-technical” person.

In the next article I will be providing a bit of information about social engineering.










Keep safe out there,

David Wiles