The internet has given identity thieves a new lease of life. It has allowed them to fraudulently gather confidential information about people more easily from the vast data pool generated by the online world by exploiting the anonymity inherent in email, instant messaging (IM) and web-based communication. The below guide is all about recognition, prevention and protection against identity theft.
Identity thieves exploit basic psychology. Human beings want to be open, co-operative and trustful, which can prompt us to divulge confidential information about our organisations when we’re online, without really knowing who we’re sharing it with or who may ultimately end up in possession of that data.
Identity theft is conducted by well-organised, highly professional international gangs who devote enormous resources to identifying weak points in defences and developing ingenious ways of feeding the huge online black market in company information.
There are several ways identity theft is conducted in the business sector that one must be aware of:
Spear phishing
This involves an externally spoofed email purporting to come from an internal source being delivered to a recipient in a specific company. Sophisticated phishing scams are still targeting the business sector and phishers are devising increasingly clever ways of cloning the pages of companies’ bank accounts to capture their user verification data.
Targeted trojans
These are computer viruses designed to infiltrate a particular company, access sensitive data and leak it out to an external controller. Once it has installed itself, the trojan may await a chance to log the keystrokes used during the two-factor authentication that protects business bank accounts, or it may hook into the computer’s web browser, let its victim complete authentication on a banking website and then turn the session over to the external controller. Targeted trojans can pilfer confidential data on products, services and customers and may lurk in unsolicited emails or wait for the victim to download infected software or toolbars from a rogue website. They are often embedded in an email attachment apparently from a trustworthy source.
Social networking attacks
Today’s informal world of social networking poses another key source of danger as it requires only small nuggets of information to be effective and breach corporate defences. According to research by comScore, close to nine million Australians used social networking sites such as Facebook, MySpace and Twitter in June 2009, many of which exchanged details about their lives and their jobs – the kind of data that identity thieves hiding behind assumed identities are keen to access. According to a survey carried out by CMO Council and AVG in August 2009, less than a third of social networkers in Australia take actions to protect themselves online.
WiFi
This can create significant risks in terms of online identity theft. Unsecured systems and unencrypted communications give criminals the opportunity to hijack computers and steal information. Identity thieves also target public WiFi hotspots in places such as airports, hotels and railway stations. In some cases, fake WiFi routers and interfaces obtain victims’ user or credit card details; in others, a memory stick or computer disk accidentally left behind at a public hotspot can provide a criminal with confidential data.
Identity theft is a multi-billion dollar world of online crime that now outstrips the global drugs trade in scale. In October 2009, the Veda Advantage Identity Crimes Report revealed one in five Australians aged 16 or over have been victims of identity theft.
Online identity theft can have a devastating impact on an organisation. Bank accounts can be accessed or taken over with stolen data, corporate reputation and customer/investor relations may be irreparably harmed, credit ratings may be affected and a company’s registered details may even be changed without its knowledge.
For individual employees, online identity theft can lead to financial loss, profit erosion, lost orders and ultimately lower salaries. Employees found responsible for leaking confidential information online may find their own careers compromised.
Developing knowledge and awareness that enable employees to make the right decisions whenever using the internet is key to combating online identity theft. Alert IT departments, effective email/web security systems and fit-for-purpose acceptable use policies are only part of the solution – it is the vigilance of individual employees that will decide whether a company maintains the integrity of its key data.
Some steps your business can take to protect itself against the threats of online identity theft are:
- Check the privacy policy of any website where you submit confidential data and don’t submit unless it has a clear and comprehensive policy.
- Choose passwords that are unique mixtures of letters and numbers and remember to change them regularly.
- Dispose of data securely, whether in paper or electronic form.
- Discourage employees from including key company information in social networking profiles.
- Discourage employees from working on sensitive or highly confidential material in public WiFi hotspots.
– Andrew Gordon is the senior manager, enterprise & partner services, APAC for Symantec Hosted Services.
People who read this, also liked:
Understanding web-based attacks
