Educational Newsletters

Don’t Be the Weak Link to Identity Theft


By Mark Pribish
Vice President and ID Theft Practice Leader

May 2022

Nearly eight years ago I wrote a December 2014 article for the Arizona Republic titled “Read fine print when buying ID-theft protection services.”

The premise of my article was that the core product offer of most identity theft protection service providers is credit bureau monitoring and that credit bureau monitoring offers a false sense of security.

The fact is credit bureau monitoring cannot monitor non-financial identity theft events, such as taxpayer ID-theft and refund fraud, unemployment ID theft and benefits fraud, medical ID theft and fraud, and credential (e.g. driver’s license and passport) ID theft and fraud. 

While there are many reputable identity theft protection service providers, it is not uncommon for identity theft marketing campaigns to include deception, exaggerated threats, and flawed offers. 

In addition, I encourage consumers to read the fine print for hidden “exclusions” when selecting an identity theft service provider. Hidden exclusions are commonly found in the “terms and conditions,” where marketing meets reality. 

Talking about marketing versus reality, I find it interesting how more consumers are paying for ID theft protection services than ever before and yet there are more victims of ID theft than ever before. 

For example, according to the March 2022 Javelin Strategy Annual Identity Fraud Study, identity theft and fraud losses totaled $52 billion, affecting 42 million U.S. adults in 2021.

So how can consumers lower their risk of being a weak link to identity theft? 

First, consumers need to stay up to date on the most recent data breach and identity theft trends such as Phishing (fraudulent emails), Vishing (fraudulent phone calls and voice mail messages) and Smishing (fraudulent text messages) tactics. 

Second, consumers should be taking advantage of risk mitigation tools such as fraud alerts, credit freezes, credit/debit card alerts, and yes – even credit bureau monitoring – as long as you understand the limitations of credit bureau monitoring. 

Third, consumers should consider using new and strong passwords every 90 days or use a password manager that can help create new and strong passwords along with scanning existing passwords to flag reused and weak passwords. 

Lastly, consider using a Virtual Private Network (VPN) as VPN software scrambles your IP address, encrypts data sent between your computer and the websites you visit, and masks your true location and service provider. This is especially important if you use public Wi-Fi. 

To conclude, I would like to reference Kevin Mitnick, the Chief Hacking Officer and part owner of security awareness training company KnowBe4 and convicted hacker turned paid security consultant, public speaker, and author.

Mr. Mitnick is best known for his high-profile 1995 arrest and five years in prison for various computer and communications-related crimes. He has said many times that "the weakest link in the security chain is the human element."

To add to Mr. Mitnick’s comments about the human element, I always say that hackers, social engineers and ID theft criminals depend on human nature, psychology and “trusting” consumers to let their guards down. 

Do not let your guard down. Always be cautious in revealing information about yourself or your employer. Always “stop, look and think” about emails, texts and phone calls. Always slow down, be aware and be safe.

Sincerely, 

Mark

Every Consumer Should Use a VPN to Protect Their Online Privacy


By Mark Pribish
Vice President and ID Theft Practice Leader

April 2022

On my work laptop, I use a VPN (Virtual Private Network) whenever I am working remotely, including in my home, my hotel room, or any other location away from the office. 

However, I realized that I do not use a VPN on either my smartphone or personal computer. That said, I enlisted the assistance of Kent Lawson, President and CEO of Private Communications Corporation, to learn more about VPNs in general and Private WiFi (www.privatewifi.com) in particular.

Private WiFi is the flagship product of Private Communications Corporation, founded by Kent Lawson in 2010. After reading a series of articles in The Wall Street Journal, Forbes, and The New York Times about the security vulnerabilities of WiFi hotspots, Lawson (a 40-year computer industry executive) was inspired to come out of retirement and work to resolve the problem.

According to Lawson, “your private information is an easy target on a public WiFi network such as hotels, coffee shops, and airports that are not secure. Anyone using the same hotspot can intercept and hack your communications. Your usernames, passwords, and other private information can be stolen out of the thin air.” 

“We created Private WiFi to protect your identity and personal information by encrypting your WiFi signal. Everything you do online is protected with bank-level security, so you can surf, share, shop, and bank with confidence.” 

Think about it, connecting to public WiFi hotspots has become a way of life. Millions of people connect to public WiFi every day without thinking – at coffee shops, hotels, restaurants or airports. It’s fast, it’s free, and it’s convenient. 

But it’s not secure. Everything transmitted on your laptop, smartphone, or tablet over WiFi hotspots can be grabbed out of thin air – and many users don’t understand hotspot security risks. Roughly 39% have accessed sensitive information while on WiFi hotspots, according to a Nielsen/Harris Poll. That means their privacy and security are in danger every time they connect.

According to Lawson, “Private WiFi encrypts Internet traffic and protects hotspot users from hackers and identity thieves, creating a secure tunnel that is invisible to hackers.”

“In a world full of wireless security risks, Private WiFi puts the power to protect hotspot users’ information in their own hands,” said Lawson. 

The New York Times calls Private WiFi the “VPN for the masses.” PC Magazine featured Private WiFi as one of the “Ten VPN Services You Should Know About” and it has been featured on CNN and Good Morning America, among other news outlets.

To conclude, VPNs are easier to use than ever. My recommendation is to use a VPN on all your devices to search, shop, bank, read, and connect so that you will have the confidence your personal privacy is secure.

Sincerely, 

Mark

Identity Theft Losses Totaled $52 Billion Affecting 42 million U.S. Adults


By Mark Pribish
Vice President and ID Theft Practice Leader

March 2022

The just released 2022 Javelin Strategy Annual Identity Fraud Study found that identity theft and fraud losses totaled $52 billion and affected 42 million U.S. adults in 2021. 

The Javelin study also reported the following: 

  • 1 in 20 Americans were victims of fraud in 2021.
  • The average per-victim loss from traditional identity theft and fraud rose to $1,551.
  • The average per-victim loss from identity fraud scams was $1,029.
  • More than half (54%) of fraud victims want their financial institution to offer a fraud prevention resource center to help them resolve their identity theft and fraud event.
  • Consumers expressed an interest in receiving more fraud prevention education from their financial institutions as well as identity protection services.
  • The 2021 statistics show individuals and businesses are unprepared for the tactics criminals are deploying in our modern, digital-first world. 

Since identity theft and fraud is constantly evolving, how does the 2022 Javelin Study reflecting 2021 statistics compare to the last two Javelin Studies in 2020 and 2019? 

  • In 2020, identity theft and fraud losses totaled $56 billion and affected 49 million U.S. adults.
  • In 2019, identity theft and fraud losses totaled $16 billion and affected 14.4 million U.S. adults. 

According to Javelin, “the trends observed were huge increases to account takeover fraud and new account fraud in which fraud operators deployed multiple tactics to steal victims’ personal information to drain them of billions of dollars” including: 

  • New account fraud increased 109% enabling criminals in possession of consumer information to, at times, open multiple unauthorized accounts ranging from merchant accounts to credit cards.
  • Account takeover losses increased 90% as criminals hijacked victims’ online lives.
  • Fraud affecting existing credit cards rose 69%, while fraud on existing non-card accounts, including checking, savings, insurance or utilities, jumped 73%. 

Javelin defines identity fraud as “the unauthorized use of another person’s personal information to achieve illicit financial gain. Identity fraud can range from simply using a stolen payment card account, to making a fraudulent purchase, to taking control of existing accounts or opening new accounts.” 

In addition, Javelin defines identity fraud scams as “relatively easy to orchestrate and present an opportunity for criminals to bypass the fraud detection barriers maintained by financial services providers because they directly target the consumer.” 

For example, an element of identity fraud scams is that consumers often remember the moment they experienced contact with an ID theft criminal or cyber thief relating to Phishing (fraudulent emails), Vishing (fraudulent phone calls and voice mail messages) and Smishing (fraudulent text messages).

For years, I have written and publicly spoken to consumers and small businesses on how education and awareness will help mitigate a consumer’s exposure to an identity theft event and an organization’s exposure to a data breach incident. 

Since identity theft and fraud are constantly evolving, consumers and small businesses need to stay up to date on identity theft and fraud trends, such as the 2022 Javelin study, to make sure their online life and digital identity are safe!

Sincerely, 

Mark

2022 FTC Report: Identity Theft Continues to Be a Monumental Problem


By Mark Pribish
Vice President and ID Theft Practice Leader

February 2022

Last month the Federal Trade Commission (FTC) released a report stating that about one fourth of all fraud losses reported to the FTC stem from scams that consumers said originated on social media. Consumers said they lost about $770 million to fraud initiated on social media in 2021.

This month, the FTC released its annual identity theft and fraud report known as the Consumer Sentinel Network Data Book 2021, which shows once again that identity theft continues to be a monumental problem, with nearly 1.4 million reports last year. 

The just-released Consumer Sentinel Network Data Book said that consumers reported losing a record $5.8 billion to fraud in 2021, a 70 percent year-over-year increase.

The report went on to say that the Top 7 Identity Theft Types included the following: 

  1. Government Documents or Benefits Fraud
  2. Credit Card Fraud
  3. Other Identity Theft
  4. Loan or Lease Fraud
  5. Bank Fraud
  6. Employment or Tax-Related Fraud
  7. Phone or Utilities Fraud 

In addition, the elderly or senior demographic of 70 years of age and older experienced the highest loss of money due to identity theft based on the chart provided by the FTC titled ID Theft by Age in 2021. 

But 2022 is going to get worse as cyber thieves are finding new ways to monetize Phishing (fraudulent emails), Vishing (fraudulent phone calls and voice mail messages) and Smishing (fraudulent text messages).

Consumers need to prepare for the unexpected as cyber thieves and ID theft criminals will be targeting unsuspecting individuals. That said, here is my identity theft and fraud list for consumers to be aware of in 2022: 

  • Child ID Theft – as children and families are spending more time than ever on the internet.
  • Social Media Scams – such as LinkedIn where con artists pretend to be a new professional contact.
  • Fake Job Ads – as scammers post fake job ads on networking sites to steal your identity and money.
  • Cryptocurrency Fraud – as more money pours into cryptocurrency, scams are increasing every day.
  • Online Data Scams – romance scammers bilked Americans out of $1 billion in 2021, according to the FBI.
  • Taxpayer ID Theft and Refund Fraud – as fraudsters use stolen PII to file a tax return claiming a fraudulent refund. 

As the pandemic led to a surge in identity theft and fraud in 2021, cyber thieves and ID theft criminals are looking to elevate the cyber threat landscape to the next level in 2022.

Sincerely, 

Mark

Hackers Are Coming After You in 2022


By Mark Pribish
Vice President and ID Theft Practice Leader

January 2022

Two years ago I wrote an article asking the question “Is Your Digital Identity Safe?”

Two days ago I read an Infosecurity Magazine article stating “Identity Theft Will Get Worse.”

Specific to your digital identity and today’s threat landscape for consumers and small businesses, cyber thieves and ID theft criminals have evolved to the point where hacking and data breaches can happen at any time and may affect anyone. 

As for the statement “identity theft will get worse,” the fact is that 2021 surpassed the all-time record for data breaches exposing the Personally Identifiable Information (PII) of millions of Americans.

As a reminder, examples of PII include:

  • Name: full name, maiden name, mother’s maiden name, or alias
  • Personal identification numbers: social security number (SSN), passport number, driver’s license number, taxpayer identification number, patient identification number, employee or student identification number, financial account or credit card number
  • Personal address information: street address, or email address
  • Personal telephone numbers
  • Personal characteristics: photographic images (particularly of face or other identifying characteristics), fingerprints, or handwriting
  • Biometric data: retina scans, voice signatures, or facial geometry
  • Information identifying personally owned property: VIN number or title number
  • Asset information: Internet Protocol (IP) or Media Access Control (MAC) addresses that consistently link to a particular person

And now our digital world, combined with a two-year pandemic, has both consumers and small businesses worried, weary and uncertain about cybercriminals and their new scams. 

If you are a consumer, recent digital risk examples making today’s headline news include “How to avoid buying fake Covid tests online” and “BBB warns consumers of hackers posing as apps like Paypal and Venmo to steal your money.”

Cyber thieves and ID theft criminals depend on human nature and emotion such as an individual’s tendency to trust others (e.g. phishing and vishing) and desperation (e.g. the chaos of supply chain shortages such as Covid-19 tests). These phishing and vishing tactics and fake websites have gained attention in recent weeks over the increasing number of identity theft victims. 

If you are a small business owner, trusting others and desperation are common risk factors, just as they are for a consumer, but it gets worse, as “Cyber risks top worldwide business concerns in 2022.”

According to the just released 12th Annual Allianz Risk Barometer Survey, cyber incidents top the Allianz Risk Barometer for only the second time in the survey’s history. 

Cyber incidents rank as a top three peril as the threat of ransomware attacks, data breaches or major IT outages worries businesses even more than business interruption, supply chain disruption and the COVID-19 pandemic. 

To conclude, cyber thieves and ID theft criminals continue to find new and innovative ways to steal your personal information. 

Both consumers and small business owners need to increase their information security education and awareness to protect their digital identity as hackers are coming after you in 2022. 

Sincerely, 

Mark

2021 Surpasses All-Time Record for Data Breaches 


By Mark Pribish
Vice President and ID Theft Practice Leader

December 2021 

According to the Identity Theft Resource Center or ITRC (https://www.idtheftcenter.org/), which has been tracking publicly reported data breaches and exposures since 2005, the year 2021 surpassed the all-time record for the number of data breaches.

“While the previous annual record for breaches was in 2017 with 1,529 data compromises, that total number was surpassed in November,” said Eva Velasquez, President and CEO of the Identity Theft Resource Center. 

“The ITRC has now tracked 1,580 compromises through November 30, 2021. Of the 164 data compromises reported in November, three stand out including Robinhood, a stock trading platform; GoDaddy, a web hosting company; and Costco, a popular retail corporation,” stated Velasquez.  

Velasquez gave additional details on each of the three data breach incidents:

  • The Robinhood data breach affected seven million people and was due to a social engineering attack (when a criminal manipulates someone into giving them information). The information exposed in the breach includes full names, email addresses, phone numbers, birth dates and zip codes.  
  • GoDaddy suffered a data breach due to a supply chain attack. The breach impacted a little more than one million users and exposed customer numbers, email addresses associated with the account, certain WordPress Admin logins, usernames, and passwords.  
  • Costco suffered its first data breach in 2021 due to a card skimming device. While it is unknown how many shoppers’ payment card information may have been compromised, the retail corporation confirmed that it was found by company personnel during a routine check at one of their warehouses. 

The irony and full significance of 2021 surpassing the all-time record for data breaches is that December is Identity Theft Protection Awareness Month (Protect yourself online: December is Identity Theft Protection Awareness Month | Round Rock ISD News).

Also, in March 2021, the U.S. Department of Defense released its annual U.S. Department of Defense Identity Awareness, Protection, and Management (IAPM) Guide to help consumers and small businesses keep their identities and the identities of their small business customers private and secure online.

The guide details “privacy considerations, recommendations, and step-by-step information to implement settings that maximize your online security.” It gives a great overview of rules, direction and guidance for online safety and security such as “dating services, mobile wallets, messaging apps, social networking services (Facebook, Instagram, LinkedIn, TikTok, Twitter), photo sharing and storage services, securing home Wi-Fi networks, health and fitness trackers, and more.”

To mitigate your risk of identity theft, Velasquez recommended four 2022 New Year resolutions for both consumers and small businesses: 

  • Regularly update your security software
  • Be vigilant against email phishing scams
  • Use a password manager program or use strong password phrases
  • Use or turn on multi-factor authentication 

As I said in my column last month, with the Holiday season upon us, consumers need to remember two important lessons in life: your personal information is not as personal as you think, and cyber thieves and ID theft criminals do not take off during the holidays.

Sincerely, 

Mark

Cyber Thieves Love Online Shoppers and the Holidays


By Mark Pribish
Vice President and ID Theft Practice Leader

November 2021 

As the Covid-19 pandemic continues and the holiday season begins, cyber thieves and ID theft criminals will focus on the digital economy and online shoppers. 

Consumers need to be aware of compromised or spoofed websites, phishing and vishing scams, fake shipping notifications, and fake holiday contests. 

With the Holiday season upon us, consumers need to remember two important lessons in life: 

  • Your personal information is not as personal as you think.
  • Cyber thieves do not take off during the holidays. 

Now is the time to review your cyber and identity theft risks because cyber criminals are targeting you to steal your information and money during the holiday season. 

That said, I have listed below my top 5 personal privacy tips and my top 5 online shopping tips to help reduce your risk of identity theft and fraud: 

Top 5 Personal Privacy Tips

  • Security software - regularly update the security software (anti-virus, firewall and anti-malware) on your devices.
  • Password management - always create complex passwords using a combination of mixed-case letters, numbers, punctuation, and symbols with a minimum of 20 characters – typically an easy to remember sentence.
  • Privacy settings - learn, understand and use the privacy settings of the apps and social media sites you frequent, to understand how your information is stored and used.
  • Multi-factor authentication - provide an extra piece of information, beyond a login or password, to access an account or complete a transaction such as a short passcode sent by text message.
  • E-mails and attachments - do not open e-mails and attachments from individuals or organizations that you do not know and trust to mitigate your exposure to malware. 

Top 5 Online Shopping Tips 

  • Companies you know and trust - use only these companies, and use a credit card instead of a debit card or checking account, as your credit card is protected under the Fair Credit Billing Act.
  • Fake website domains – do not be fooled by false website domains that look like real ecommerce websites. Be careful that you are on the actual website for the retailer you are trying to shop at — not a “domain squatting” site with an added hyphen, or misspelled or incorrect URL.
  • Phishing and vishing scams - pay attention to e-mails from financial institutions, the Internal Revenue Service and retail businesses asking for personal information. No credible company or government agency will ask for your personal information via e-mail and/or phone calls.
  • Fake shipping notifications - fraudsters send phishing emails with links that could allow unwanted access to your private information or download malware onto your device.
  • Holiday contests - are a great way for retailers to support branding and marketing. Fake contests are a great way for fraudsters to collect your personal information and install malware. 

To conclude, “if it is too good to be true, it probably is” and you can read more at this FBI Common Holiday Scams link.

Sincerely, 

Mark

Do Healthcare Data Breaches Contribute to Medical Identity Theft?


By Mark Pribish
Vice President and ID Theft Practice Leader

October 2021 

 #BeCyberSmart 

With Cybersecurity Awareness Month – now in its 18th year – helping raise awareness about the importance of cybersecurity and encouraging individuals and organizations to take proactive steps to be cyber secure and to safeguard information, I am proud to promote the National Cyber Security Alliance (NCSA) theme: “Do Your Part. #BeCyberSmart.” 

In writing this month’s column, I want to refer back to an article I wrote just over a year ago, Telehealth Creates New Cyber Medical ID Theft Risks, where I said “the COVID-19 pandemic has increased consumer risks through cyber scams and medical identity theft.”  

Fast forward one year to this August 4, 2021 article, Healthcare Data Breaches Most-Common Threats to Date in 2021, which reports that the “healthcare sector is once again in the top position as the most breached economic sector” and “healthcare has been at or near the top of the [data breach] chart since at least 2017.”  

A primary reason ID theft criminals and cyber thieves target healthcare providers is the Electronic Health Record (EHR) which is the collection of patient information into a digital record. EHRs significantly improve administrative efficiency and medical proficiency through shared networks and exchanges. 

A typical EHR includes medical history, medications, allergies, immunizations, laboratory test results, and radiology images. Your EHR also includes your billing information such as personal information (e.g. date of birth, home address, and Social Security Number), insurance information and financial information (e.g. credit card number). 

Unfortunately, the ID theft criminals and cyber thieves are mostly interested in your personal, insurance and billing information and that is why healthcare data breaches continue to be “in the top position as the most breached economic sector.” 

So here is something to think about: every health insurance plan you have ever had through current and prior employers has your Social Security Number (SSN) along with the Social Security Number(s) of your spouse/partner and children.

Almost every healthcare provider (such as a doctor of medicine or osteopathy, podiatrist, dentist, chiropractor, clinical psychologist, optometrist, nurse practitioner, nurse-midwife, or a clinical social worker), that you or a family member have been to, has your Social Security Number. 

So back to the title of this article – "Do Healthcare Data Breaches Contribute to Medical Identity Theft?" – the answer is a resounding, "Yes," based on the Personal Health Information (PHI) that is collected, stored and transferred through your Electronic Health Record. 

To make matters worse, a just-released October 26, 2021 article, Organization Wide PHI Access is Commonplace at Most Healthcare Orgs, reported that “nearly 20 percent of [PHI] files were open to every employee at a given healthcare organization starting on their first day of employment, pointing to troubling data security issues and poor PHI access controls.”

Based on the fact that the cyber thieves are stealing healthcare data and are finding new ways to monetize phishing (fraudulent emails), vishing (fraudulent phone calls and voice mail messages) and smishing (fraudulent text messages), consumers need to pay attention to data breach news in general and healthcare data breach news in particular. 

To conclude, consumers can also reduce their risk of medical identity theft by safeguarding their health insurance cards, regularly reviewing credit reports, medical benefit explanations, medical bills, and prescription bills.  

Sincerely, 

Mark

Seniors Lose $1 Billion to Identity Theft and Fraud in 2020


By Mark Pribish
Vice President and ID Theft Practice Leader

September 2021

On September 26, 2019 I authored an article on LinkedIn titled “2020 Prediction: Senior ID Theft to Get Significantly Worse.” In that article I said that “based on the first half of this year – where 11 of the largest 13 data breach events occurred at medical or healthcare organizations affecting nearly 24 million healthcare related records – I believe senior identity theft and fraud will get significantly worse in 2020.”

In February of this year, the Federal Trade Commission (FTC) released its Consumer Sentinel Network Data Book 2020, reporting on 2020 identity theft and fraud statistics as reported by actual victims of identity theft. This year’s report stated that 34.7 percent of all identity theft victims in the United States in 2020 were 50 years of age or older. 

On June 15, 2021, the FBI’s Internet Crime Complaint Center (IC3) released its 2020 IC3 Elder Fraud Report that stated “fraud victims over 60 years of age lost nearly $1 billion to scams, up nearly $300 million from the previous year.” This represented 28 percent of all losses reported to Internet Crime Complaint Center. 

The FBI Elder Fraud Report also said the “average victim over 60 lost nearly $9,200 and that nearly 2,000 senior victims lost more than $100,000 each.” 

In addition, “the largest jump came in tech-support scams, which rocketed past $116 million in 2020 from less than $38.5 million in 2019.”

The FBI report included the most common types of identity theft and fraud scams encountered by individuals 60 years of age and over including: 

  • Tech support scam: Criminals pose as technology support representatives and offer to fix computer issues. The scammers gain remote access to victims’ devices and sensitive information.
  • Romance scam: Criminals pose as interested romantic partners on social media or dating websites to capitalize on their elderly victims’ desire to find companions.
  • Investment fraud: Criminals create fake websites offering high-return and risk-free investments, or free meal seminars with high-pressure sales.
  • Grandparent scam: Criminals pose as a relative—usually a child or grandchild—claiming to be in immediate financial need.
  • Government impersonation scam: Criminals pose as government employees and threaten to arrest or prosecute victims unless they agree to provide funds or other payments.
  • Sweepstakes/charity/lottery scam: Criminals claim to work for legitimate charitable organizations to gain victims’ trust. Or they claim their targets have won a foreign lottery or sweepstake, which they can collect for a “fee.”
  • Home repair scam: Criminals appear in person and charge homeowners in advance for home improvement services that they never provide.
  • TV/radio scam: Criminals target potential victims using illegitimate advertisements about legitimate services, such as reverse mortgages or credit repair.
  • Family/caregiver scam: Relatives or acquaintances of the elderly victims take advantage of them or otherwise get their money. 

You can protect yourself by (1) recognizing scam attempts; (2) resisting the pressure to act quickly, as scammers create a sense of urgency to pressure victims into immediate action; (3) being cautious of unsolicited phone calls, mailings, and door-to-door service offers; (4) protecting your identity by never sharing your personally identifiable information (PII); and (5) making sure your computer anti-virus, security software and malware protections are up to date.

Lastly, and according to Phoenix, Arizona based security consultant John Iannarelli (FBI Special Agent, Retired), “if you believe you or someone you know may have been a victim of elder fraud, contact your local FBI field office or submit a tip online. You can also file a complaint with the FBI’s Internet Crime Complaint Center.” 

Sincerely, 

Mark

Consumer Behavior Can Help Reduce the Threat of Hackers


By Mark Pribish
Vice President and ID Theft Practice Leader

August 2021 

While the T-Mobile data breach event of more than 54 million accounts from two weeks ago (T-Mobile Hack: Everything You Need to Know) places millions of consumers at risk of identity theft, consumer behavior can help reduce the threat of hackers. 

To support my above comment, I am sharing a great article titled “6 Things You Need to Do to Prevent Getting Hacked | WIRED,” which was published on August 29, 2021.

The author (Matt Burgess) of Wired UK Magazine recommends six action items for consumers to help protect themselves: (1) use multi-factor authentication, (2) use a password manager, (3) learn how to spot a phishing attack, (4) update/backup everything, (5) encrypt everything, and (6) wipe your digital footprint.

Nearly three years ago I published a similar article on January 18, 2019 titled 4 Personal Privacy Resolutions to Protect Yourself From ID Theft to help consumers with their privacy concerns, by writing about four resolutions including: 

  • Social Media: you should reconsider the data you share on social media including Facebook, Twitter, Instagram, Snapchat, and even LinkedIn – as all five of these social media leaders have experienced one or more data breach events. Your resolution should be to stop using social media altogether, take a break from it, or to reduce how much time you spend on it. 
  • Password Management: using new and strong passwords is one of the best ways to protect yourself from identity theft. A major weakness in using passwords is that there are always one or two basic passwords that are weak – and might even be used for multiple accounts, putting you at risk. Your resolution should be to use a password manager that can help create new and strong passwords along with scanning existing passwords to flag reused and weak passwords.
  • Terms & Conditions: whenever I speak on the topics of cybersecurity, data breach, identity theft and personal privacy – I always ask the audience “how many of you” have read the terms and conditions of your social media accounts or apps on your smart phones? The response is always zero. Your resolution should be to read the terms and conditions of all new and current accounts (and yes, I said it – “current accounts”) to help you understand the type of personal information that is being collected, used and sold for marketing purposes. 
  • Virtual Private Network (VPN): VPN software scrambles your IP address, encrypts data sent between your computer and the websites you visit, and masks your true location and service provider. This is important if you use public Wi-Fi. Your resolution to use a VPN will prevent hackers from seeing your traffic and potentially scraping sensitive information such as financial details. 

While I agree that consumers should be concerned about the recent T-Mobile data breach event where current and former customers are at a high risk of identity theft, consumers should be equally concerned about their behavior relating to social media, the internet of things, human error, and bad habits.

Sincerely,

 

Mark

The Reality of Identity Theft: Emotional Loss, Psychological Pain, Helplessness, Anger, Isolation, and Betrayal


By Mark Pribish
Vice President and ID Theft Practice Leader

July 2021

The Aite Group (a financial services research firm) released a March 2021 report highlighting how Identity Theft Impacts Nearly Half of US Consumers.

The report uncovered acute “pervasiveness of identity fraud perpetrated against U.S. consumers” and found the following: 

  • 47 percent of U.S. consumers surveyed experienced identity theft
  • 37 percent experienced application fraud (i.e. the unauthorized use of one’s identity to apply for an account)
  • 38 percent of consumers experienced account takeover (i.e. unauthorized access to a consumer’s existing account). 

The Aite Group report found an estimated 42 percent increase in identity-related losses from 2019 to 2020, showing that identity theft is “rapidly growing in severity and will continue to flourish.” 

The report also found serious consumer dissatisfaction with the assistance provided to victims following an identity theft attack. Among those dissatisfied with assistance said they were unlikely to do business with the at-fault financial institution in the future

But it gets worse, as the May 2021 Identity Theft Resource Center (ITRC) 2021 Consumer Aftermath Report highlights the reality of identity theft beyond the known financial events of identity fraud crimes and explores the emotional and psychological impact of identity theft including “an all-time high number of victims who say that they have contemplated suicide.” 

While most consumers (and businesses) only view the financial impact of identity theft, very few consumers (and businesses) understand and have empathy for the emotional impact on an identity theft victim, such as emotional loss, psychological pain, helplessness, anger, isolation, and betrayal. 

Whether the perpetrator of an identity theft is a stranger, family member or friend (i.e. the insider threat), identity theft triggers deep emotions related to financial security, physical safety, the safety of family members, the ability to trust again, and the feeling of being violated – all of which can lead to extreme stress, sleepless nights and bouts of depression. 

The ITRC Consumer Aftermath Report covers three years from 2018-2020 – and highlights how many of the survey respondents who were identity theft victims had “definable emotional impacts, physical consequences and lost opportunities” and reported that “10 percent of victims said they considered suicide.” 

"The 2021 Consumer Aftermath Report shows that the effects of identity theft, particularly during COVID-19, are far-reaching and accelerating," said Eva Velasquez, president and CEO of the Identity Theft Resource Center. 

Velasquez noted “in the report, you see the range of emotions – anger, frustration, fear, hopelessness – in their own words. It is crucial we share these findings so others can better understand the ramifications of identity crimes, as well as help force change to better support these victims." 

And while the ITRC survey responses are somewhat of a surprise to me – I was really surprised by the comment from Dr. Brandn Green, a PhD Research Scientist at Bethesda, Maryland based Development Services Group.  

Dr. Green, a Sociologist investigating the social and environmental determinants of behavioral health, stated "the risk of having one's identity stolen and used to perpetuate fraud may be the least studied, most common, criminal experience that individuals can encounter.” 

Dr. Green also said that "the work done by the ITRC in their report to quantify and demonstrate the experiences of victims is invaluable." 

For the sake of transparency, I serve on the Board of Directors of the Identity Theft Resource Center, which was founded in 1999 and is a nonprofit organization established to empower and guide consumers, victims, business, and government to minimize risk and mitigate the impact of identity compromise and crime. 

Through public and private support, the ITRC provides no-cost victim assistance and consumer education through its website live-chat idtheftcenter.org, toll-free phone number 888.400.5530 and ID Theft Help app. The ITRC also equips consumers and businesses with information about recent data breaches through its data breach tracking tool, notified.

Whether you are a consumer or a business and now have more understanding and empathy for victims of identity theft, I want to say thanks in advance for your consideration to Donate to the Identity Theft Resource Center. 

Sincerely,

 

Mark

The Reality of Data Breaches: No One Company Can Ever Prevent Itself From Experiencing a Data Breach Event


By Mark Pribish
Vice President and ID Theft Practice Leader

June 2021

Earlier this month I was a guest speaker at the 2021 Nebraska Credit Union League Annual Meeting & Convention.

One of my talking points was about the reality of data breaches and how the final story for most data breach events rarely reflects the initial news report. The initial reports commonly speak of what is known at the moment, but never cover the long-term impact on affected individuals and small businesses. 

In case you missed it, some of the notable data breaches so far in 2021 include CNA, Experian, Facebook, GEICO, Instagram, LinkedIn, Tesla, and Microsoft.

The irony to these data breaches is that these businesses pride themselves on safeguarding PII (Personally Identifiable Information). Additional irony is that these businesses have more financial and information technology resources than most other businesses, and yet they still cannot prevent a data breach event from happening. 

The reality of data breaches is that they occur almost every day – whether it is an accidental release (which is a polite phrase for carelessness, incompetence or simply stupidity) or malicious intent (with the insider threat a common focal point, although the media heavily focuses on hacking events). 

To help add clarity to the above, the recently released 2021 Verizon Data Breach Investigations Report (Verizon 2021 Data Breach Investigations Report Released) provides the latest data breach related trends and statistics that can help both consumers and employees be proactive in mitigating their exposure to identity theft and data breaches. 

This year’s Data Breach Investigations Report (DBIR) helps define words such as “incident” and “breach” in an accurate and complete manner and highlights the reality of data breaches that can support a cyber-risk management strategy for all businesses in general but small businesses in particular:

  • Social engineering is the most successful attack
  • The top hacking vector in breaches is web application servers
  • Denial of service is the most frequent way incidents occur
  • 85 percent of breaches involved a human element
  • Financially-motivated attacks are the most common
  • Organized crime continues to be the number one attacker
  • External cloud assets were compromised more than on-premises assets
  • Older vulnerabilities that haven’t been patched are being exploited by attackers
  • Credentials remain one of the most sought-after data types, followed by personal information
  • Employees continue to make mistakes that cause incidents and breaches
  • Devices continue to be lost or stolen
  • Privileges are misused
  • Business Email Compromises were the second most common form of social engineering
  • The majority of social engineering incidents were discovered externally 

The DBIR also states that “phishing continues to be one of the top causes of data breaches, followed by the use of stolen credentials and ransomware, with the notable change in the past year of how threat actors ‘will first exfiltrate the data they encrypt’ so that they can threaten to reveal it publicly if the victim does not pay the ransom.” 

To conclude, while this year’s Verizon report highlights “the importance of building a culture of cybersecurity vigilance,” I believe that having a response and recovery program in place is just as important as having an information security and governance program in place. 

Why? Because I believe the reality of data breaches is that “no one company can ever prevent itself from experiencing a data breach event” – and this is something I have been writing and speaking about for the last 15 years. 

Sincerely, 

Mark

The Danger of Complacency Makes Hackers Successful at Phishing and Ransomware


By Mark Pribish
Vice President and ID Theft Practice Leader

May 2021 

With the recent Colonial Pipeline cyberattack in the news – which forced Colonial to shut down and created widespread fuel shortages in 11 states and Washington, D.C. – I believe it’s important to highlight how complacency and phishing emails spreading malware are the main reasons for the success of cybercriminals and their ransomware attacks. 

According to a December 2020 Digital Guardian blog titled A History of Ransomware Attacks, “ransomware has been a prominent threat to enterprises, SMBs, and individuals alike since the mid-2000s.” 

Separately, according to the National Cyber Investigative Joint Task Force (NCIJTF), crimes such as financial fraud and identity theft are being exploited via the internet and technology through “the global cyber domain” every day. 

To address this “evolving cyber challenge,” the NCIJTF released this FBI-IC3 Ransomware PDF Fact Sheet to educate the public on the ransomware threat. 

The FBI’s Internet Crime Complaint Center (IC3) defines ransomware as “a form of malware targeting both human and technical weaknesses in an effort to make critical data and/or systems inaccessible.” 

The irony to this evolving cyber challenge is that ransomware was originally intended to target individual consumers – and while consumers are still ransomware targets – consumers are now considered low-stakes opportunities. 

Instead, cybercriminals have taken ransomware to a more lucrative level by targeting higher-stakes opportunities such as healthcare (hospitals, medical groups and dental groups), professional services (law firms, accounting firms and consulting firms), education (high schools, community colleges, and colleges), and government agencies (law enforcement, city and federal agencies). 

In addition, digital money or cryptocurrencies such as Bitcoin and Ethereum – which are difficult to trace and can be transferred electronically without financial institutions that are regulated by governments – have made ransomware more profitable than stealing data and selling it on the Dark Web. 

So what can be done?  Consumers and employees – especially small business employees – should receive security training on a regular basis to learn about the latest security threats via online education and phishing simulation tests. 

The reality is that cybercriminals depend on “breach fatigue” and on consumers and employees being complacent and careless about cybersecurity. 

Two good examples of email security threats that consumers and employees need to be aware of are (1) spoofing and phishing and (2) Business Email Compromise.

To conclude, the potential for cybercriminals to shut down your home computer, the company you work for or critical infrastructure such as gas pipelines, electric grids, and water supplies; along with mass transportation, railways, bridges, tunnels, and even airlines – should be enough motivation for consumers and employees to NOT be complacent.

 Sincerely,

 

Mark

Synthetic Identity Theft And Fraud To Get Worse in 2021


By Mark Pribish
Vice President and ID Theft Practice Leader

April 2021 

In August 2014, I wrote an article for the Arizona Republic titled Synthetic Identity Fraud Emerges As Growing Threat where I stated that “synthetic identity theft and fraud often include a combination of fake and real credentials using names, Social Security numbers, driver's licenses and employee identification numbers to create new ‘synthetic’ or fake identities.” 

Fast forward to 2021 – nearly seven years later – to this April 26, 2021 Forbes article titled Identity Frauds That Might Pose A Threat To Your Company In 2021.

This Forbes article includes a brief summary of synthetic identity theft and fraud and made me think of how both small businesses and consumers need to increase their knowledge and awareness of their digital risk.

Think about it, both consumers and small businesses have entered the digital world where we are all at risk.  Examples of digital risk include a phishing attack; a hacking attack; or when your personal privacy or data privacy is exposed; or when your cloud computing or cloud storage vendor is hacked. 

And to be clear – digital services such as the internet, website marketing, Apple and Google apps, and more, make it possible for small businesses to deliver more new products and services.  These same digital services also create more satisfying customer experiences. 

However, with these great new digital services comes risk – or should I say "digital risk". As I mentioned above, digital risk means unwanted and often unexpected outcomes that stem from digital business processes and digital consumer services.  

So what does all this mean?  First, there was a significant increase in the number of identity theft cases in 2020 due to the Covid-19 pandemic with employees working from home and students studying remotely. 

Second, as businesses and consumers try to mitigate their exposure to data breaches and identity theft, cybersecurity experts anticipate another significant increase in identity theft and fraud in 2021. 

One of those expected trends and contributing factors in cybercrime in 2021 will be the use of synthetic identity theft and fraud. 

With synthetic identity theft and fraud helping in the authentication of an unauthorized individual by combining real and fake information, ID theft criminals are creating a completely new identity that looks so real that neither businesses nor consumers can tell the difference. 

So what can be done?  Cybersecurity experts are working on new technologies so that banks and credit card companies can know that their customers are really who they say they are. 

In addition, small businesses and consumers can help manage their digital risk by (1) using stronger passwords and passphrases and (2) implementing two-factor authentication to minimize the risk of identity theft and unauthorized login.

Sincerely,

Mark

The Cyber Threat Landscape Will Get Worse Before It Gets Better: Part 2


By Mark Pribish
Vice President and ID Theft Practice Leader

March 2021

Last November I wrote an article titled The Cyber Threat Landscape Will Get Worse Before It Gets Better.

I wrote that article based on how information security and governance experts were alarmed at a “broken cyber market” and how cybersecurity professionals believed they were “outnumbered by cybercriminals” as attacks surged during the Covid-19 pandemic.

Well, just four months later, I am writing the second part to my November article, titled The Cyber Threat Landscape Will Get Worse Before It Gets Better: Part 2.

I am writing this month’s article based on the following news headlines from just the last two weeks:

Just when you think the cyber threat landscape cannot get any worse – CNA, the seventh largest commercial insurance company in the world – and one of the leading cyber liability insurance underwriters, experienced a ransomware attack that forced the company to disconnect its systems, shut down its website, and adversely affected its corporate email.

How does this happen to one of the largest insurance companies in the world with more financial and information technology resources than most companies?

Unfortunately, this cyber-attack may have allowed cybercriminals to gain access to the cyber insurance policyholders’ confidential and detailed information. 

This type of information could help a cybercriminal be more successful in determining a ransomware price that reflects the cyber coverage.  This type of information could also help cybercriminals with targeted phishing emails.

As most of my readers know, targeted phishing threats are an elevated form of phishing virus attacks that use social engineering to get a specific person – in this case a CNA policyholder – to reveal sensitive and confidential information.

But it gets worse, as Javelin Strategy & Research released its annual identity fraud study and reported that “while total combined fraud losses climbed to $56 billion in 2020, identity fraud scams accounted for $43 billion of that cost” compared to the average annual fraud loss of $13 billion to $16 billion.

And it gets worse again with the unemployment benefits fraud debacle costing nearly $300 billion because states were unprepared for the wave of applications resulting from the Covid-19 pandemic.

Lastly, and yes, it continues to get worse, as the FBI released its annual report on cybercrime affecting victims in the U.S., reporting on a record number of complaints and financial losses totaling over $4.2 billion to cybercrime in 2020.

To conclude, and this is a hunch, I believe the cyber threat landscape will get worse before it gets better.

Sincerely,

Mark

Tax Fraud and Unemployment Insurance Fraud at Epidemic Levels


By Mark Pribish
Vice President and ID Theft Practice Leader

February 2021 

The Criminal Investigation Division of the Internal Revenue Service (IRS) announced in its annual report last November that the IRS “uncovered $2.3 billion in tax fraud during the 2020 fiscal year” (IRS Releases Annual Report Identifying $2.3 Billion in Tax Fraud).  

The IRS said that its focus included Covid-19-related fraud, cybercrimes and other identity theft-related tax crimes. 

The IRS said they expanded their investigation into the Dark Web including “terrorist financing cyber-enabled campaigns” where U.S. authorities seized millions of dollars, over 300 cryptocurrency accounts, four websites, and four Facebook pages all related to the criminal activity. 

Then in January of this year, the Federal Trade Commission (FTC) released its annual identity theft and fraud report known as the “FTC Consumer Sentinel Network Data Book” (2020 FTC Consumer Sentinel Network Data Book). 

The 2021 FTC report states that identity theft was once again the number one consumer complaint in the United States, with nearly twice as many identity theft victims in 2020 as there were in 2019. 

The big story from this year’s FTC report is a 2,000 percent increase in government document or benefit fraud – such as unemployment insurance fraud – as the Covid-19 pandemic created a windfall for individual scam artists and international cybercrime rings. 

And just when I thought the news of identity theft and fraud could not be any worse, a February report was published on how “billions of dollars of unemployment aid ended up in the wrong hands as fraudsters exploited overwhelmed state agencies” (How Fraudsters and Cyber Criminals Stole Billions of Dollars in Unemployment Aid). 

While the Labor Department Inspector General is in the process of completing an investigation, there are estimates of at least $63 billion of unemployment aid, and possibly $100 billion of stolen taxpayer funds due to identity theft and fraud. 

My work colleague at Merchants Information Solutions (MIS), Jeremy Villanueva, Manager of Customer Support Operations, said that the MIS ID Theft Restoration Center “experienced a massive increase in government documents and benefits fraud cases since the pandemic started last year.” 

Villanueva stated “the significant increase in unemployment insurance fraud is a direct result of ID theft criminals and fraudsters taking advantage of individual states’ willingness to quickly pay unemployment benefits without proper vetting of these claims.” 

In the case of MIS, Villanueva said that “since March of 2020 when the country shut down for Covid-19 precautions, our restoration center realized a 1,600% increase over the previous year specific to unemployment insurance fraud cases.”   

Villanueva said if you receive a 1099-G form in the mail showing benefits disbursed that you did not apply for or receive – your employer or you should take steps to make sure your personal information is secure by completing the following action items: 

  • If you receive a 1099-G form, contact your state unemployment benefits agency as this form does not come from the IRS.
  • File an ID theft affidavit with the FTC and a local police report.
  • Review your credit reports at annualcreditreport.com.
  • Contact one of the reporting agencies and put a fraud alert on your account. 

Lastly, if you are a member of a sponsoring organization that outsources their identity theft protection services with Merchants Information Solutions, call MIS to open a case with your professionally trained Recovery Advocate.

 

Sincerely,

Mark

Total Number of Breached Records Skyrocketed in 2020


By Mark Pribish
Vice President and ID Theft Practice Leader

January 2021

According to a recently released report by Risk Based Security (2020 Sees Huge Increase in Records Exposed in Data Breaches), “the volume of publicly disclosed data breaches fell by 48% in 2020 compared with the previous year, leading to 3,932 in total.”  That’s the good news. 

“However, the volume of records that were compromised by these breaches jumped by 141% to a whopping 37 billion records, the largest number seen by Risk Based Security since 2005.” That’s the bad news. 

Part of the reason for the staggering increase in breached records of our personally identifiable information (PII) can be attributed to the COVID-19 pandemic as numerous organizations relaxed their security policies for employees to work from home and students to study remotely and unwittingly exposed their networks to compromise. 

As the pandemic and the threat to your personal information continues in 2021, here are some personal privacy tips to consider: 

  • Cut your cyber and identity theft risks by learning about the Internet of Faking and Extortion occurring through social media, as it has become a new profit center for ID theft criminals.
  • The Internet of Things or “IoT” adds tremendous benefits through devices and apps, but these “things” also create opportunities for hackers and ID theft criminals to steal and use your information. 
  • While IT and hacking are the sizzle that continues to create data-breach headlines, most data-breach events are caused by lost devices, human error and malicious intent. Only 50 percent of breaches are caused by IT and hacking.
  • As the use of Telehealth and health-related services and information via electronic information and telecommunication technologies increases, medical ID theft will continue to increase. Be more vigilant in securing and monitoring your medical information.
  • Apps and social media are priority targets for cybercriminals, and you need to limit the information you share.
  • No password is "unbreakable," but do not make it easy for ID theft criminals to get a pass into your personal information with weak or overused passwords. 

Lastly, the Federal Bureau of Investigation (FBI) has issued a notification warning of ongoing vishing attacks attempting to steal corporate accounts and credentials for network access and privilege escalation (FBI Warns of Vishing Attacks Stealing Corporate Accounts). 

Vishing (also known as voice phishing) is a social engineering attack where attackers impersonate a trusted entity such as your bank or health care provider during a voice call to persuade their targets into revealing sensitive information such as banking or login credentials. 

Based on the above, Happy New Year!

Is Your Digital Identity Safe?


By Mark Pribish
Vice President and ID Theft Practice Leader

December 2020 

I was recently asked the question “Is Your Digital Identity Safe?”  The short answer is “no.” 

When you take a look at today’s threat landscape for businesses – there is a huge discrepancy between the marketing of information technology security and the reality of data breaches. 

When you take a look at today’s threat landscape for consumers – there is a huge discrepancy between the marketing of identity theft protection services and the reality of ID theft victims. 

Unfortunately, cyber criminals are evolving to the point where hacking and data breaches can happen to anyone based on the headline news in just the last week: 

Think about it: a worldwide hacking campaign with ties to Russia has cybersecurity experts trying to figure out how much of the United States government may have been affected and how badly it may have been compromised. 

The affected government agencies include the US Treasury Department, the US Department of Commerce’s National Telecommunications and Information Administration (NTIA), the Department of Health’s National Institutes of Health (NIH), the Cybersecurity and Infrastructure Agency (CISA), the Department of Homeland Security (DHS), and the US Department of State. 

But there is more as Austin, Texas-based SolarWinds (an IT management company) reported that a compromise of its software update servers earlier this year (between March - June 2020) may have resulted in malicious code affecting nearly 18,000 business clients including Fortune 500 companies, healthcare providers along with multiple industry verticals. 

The above is proof that cyber-attacks and data breach events can hit any organization and affect any individual anytime and anywhere. 

What does this mean for individual consumers?  It means that hospitals and telehealth companies that are on the front lines of the COVID-19 crisis could be compromised relating to the personal privacy of patients.  

It means that the personal privacy of employees working from home and students studying remotely, could be at a higher risk of identity theft. 

It means that the IT managers of any one of the 300,000 enterprise clients of SolarWinds are scrambling to understand the impact of the trojan hacking campaign from March through June of this year. 

As we are about to enter the New Year, both consumers and businesses need to know that data breach events are inevitable. 

I believe the number one lesson learned from 2020 is that cyber thieves and ID theft criminals are focused on leveraging social engineering tactics to steal personal and business credentials to gain access to personal and corporate networks (and data). 

My 2021 recommendation is for both consumers and businesses to be more vigilant than ever as cyber thieves and ID theft criminals are taking advantage of fear and uncertainty during the COVID-19 crisis. 

Sincerely,

Mark

The Cyber Threat Landscape Will Get Worse Before (and if) it Gets Better


By Mark Pribish
Vice President and ID Theft Practice Leader

November 2020 

Based on the three “headline news” articles below, I believe no one organization can prevent itself from a data breach event: 

To prove this point, while the total number of data breaches was down in the first six months of 2020, over 27 billion records have been exposed so far this year, which is more than four times higher than any previously reported equivalent time period. 

This leads me to believe two things:  

  • With all the financial and IT resources of the U.S. government and private industry – no one organization can ever prevent itself from experiencing a data breach event.
  • Cyber threats and attacks are no longer just a technology risk – but a business and consumer risk. 

So what can be done?  We need to create a new security culture with a new sense of urgency for both business and consumers. 

If you are a business and you are not proactively monitoring the ongoing risk associated with cyber threats and attacks across your entire enterprise, including the Board/C-Suite level, you're putting the viability of your business in serious jeopardy and creating liability by not adequately protecting your business assets along with your customer information. 

And if you are a consumer – especially with employees working from home and students studying remotely – and you are not proactively monitoring your and your family members’ Personally Identifiable Information (PII), then you are increasing your risk to hackers and online scammers especially during the COVID crisis. 

As the world responds to the new COVID working environment and employers and consumers become more reliant on technology, having a plan to respond to and recover from a data breach and/or identity theft event is more important than ever. 

When life is perfect and there are no data breach and identity theft events, we can take a deep breath and relax. 

Unfortunately, life is not perfect based on recent FBI cybersecurity warnings, a broken cybersecurity market and a shortage of cybersecurity workers. 

So an important question to ask the organization you work for is what is the formal response and recovery plan that is in place in the event of a data breach or hacking event? 

And as an individual consumer, the question to ask yourself is are you doing everything you can to protect you and your family members against hackers and online scammers? 

Sincerely,

Mark

Cybercriminals are not Stable and Cybersecurity is Unpredictable


By Mark Pribish
Vice President and ID Theft Practice Leader

October 2020 

With October Cybersecurity Awareness Month at the halfway point, it is important to note that cyber-thieves and ID theft criminals never rest and continue to stay ahead of law enforcement, businesses and consumers. 

Cybersecurity Awareness Month was launched by the National Cyber Security Alliance & the U.S. Department of Homeland Security in October 2004 – with a mission to educate consumers, small and medium-sized businesses, corporations, and colleges. 

Based on the above, now is a great time for consumers and businesses to evaluate their cybersecurity posture – especially during the COVID-19 environment – with a focus on response and recovery. 

Why response and recovery? Because consumers and employees continue to click on phishing emails and organizations continue to experience data breach events such as ransomware. 

Two recent examples include Blackbaud (Blackbaud Ransomware Attack Gets Worse) and Twitter (Twitter Hackers Posed as Company IT Officials Making a Support Call).

Blackbaud – a cloud technology company – confirmed in early October that “stolen data also included bank account data and Social Security numbers, far more personally identifiable information than the company first thought.”  

Specific to Twitter, the New York State Department of Financial Services released its findings and concluded "the hack was relatively unsophisticated, caused by scammers who posed as members of Twitter's IT help desk and directed employees to a phishing website designed to look like a company site." 

Blackbaud is your typical data breach example where their first statement on July 16, 2020 said while they were hacked, “that credit card information, bank account information, or Social Security numbers were not stolen.” 

Fast forward 60 days and Blackbaud now admits that their data breach “had access to more unencrypted data than previously disclosed, including bank account information, Social Security numbers, usernames and/or passwords.” 

Unfortunately, the initial news reports on most data breaches rarely reflect the final story: they speak of what's known at the moment, but never discuss the long term – which is exactly what happened with Blackbaud and Twitter. 

The fact is that the threat of a data breach or an ID Theft event can be a lifelong problem that may affect you (and me) long into the future and in ways you (and I) likely haven't even thought about. 

In Blackbaud’s case, their data breach event has affected 6 million people so far, including my alma mater, The University of Dayton. 

With all the education and resources – including October Cybersecurity Awareness Month – consumers and businesses continue to fail phishing tests (after cyber-awareness trainings) and still click on actual phishing emails. 

My advice to consumers and small businesses is a heightened awareness of phishing emails, unfamiliar links and attachments, and to reconsider the information that is being shared on social media. 

After all, cybercriminals are not stable and cybersecurity is unpredictable – especially during Cybersecurity Awareness Month. 

Sincerely,

Mark

Protecting Yourself from the Internet of Things (IoT)


By Mark Pribish
Vice President and ID Theft Practice Leader
September 2020

After hearing the phrase “uncertain times” for the last six months, I am beginning to believe that it may be overused – as most consumers tune out the meaning of overused words and phrases relating to risk and danger.

Unfortunately, words and phrases such as cybersecurity, data breach, identity theft, personal privacy, and stolen credentials are still not understood by consumers. 

At the same time, as consumers continue to read about weak passwords and phishing emails relating to common access points for hackers, I believe the new access point is the Internet of Things (IoT) as hackers are taking advantage of unsecure access to smart technology. 

Two recent examples include Why the Garmin Data Breach Should Be a Wakeup Call for Every CEO (please see here) and Amazon Ring Leaks Thousands of Customer Data (please see here).   

According to Chief Executive Magazine, “Garmin confirmed it had been the victim of a cyberattack that caused a days-long outage in late July, during which users worldwide were unable to upload their fitness data from the company’s sports devices. Garmin reportedly paid a sizable ransom to get its data back.” 

And according to Threatpost – which is a leading source for IT and business security – “2019 saw an explosion of privacy issues and scandals for Amazon-owned Ring.  Researchers found several flaws in the IoT device, including one that allowed attackers to spy on families, or one that exposed Wi-Fi network passwords.” 

The IoT allows smart technology products such as gaming devices, home appliances, medical wearables, sports equipment, cars, and toys to send and receive data over the internet and to be controlled remotely. 

The good news is that smart technology has the potential to improve our lives, from home security and energy conservation to physical fitness. The bad news is that smart technology can also increase our exposure to risk through poor security features and by placing the responsibility for security on the consumer. 

The fact is smart technology devices collect, store, process, and use personal information such as names, addresses, phone numbers, email addresses, payment account information, GPS-based location, and activity patterns. 

A new security report from Palo Alto Networks states that “57% of IoT devices are vulnerable to cyberattacks of medium to high severity.” 

The Palo Alto report offered best practices to protect IoT devices from cyberattacks including: 

Based on the above, and the increase in IoT-related data breaches due to unsecured IoT devices, enjoy your smart technology devices – and stay safe and smart by changing your default passwords and staying up to date on the latest IoT updates. 

Sincerely,

Mark

Online Students are New ID Theft and Fraud Targets


By Mark Pribish
Vice President and ID Theft Practice Leader

August 2020  

With colleges and universities beginning the new school year, it reminded me of when I attended the University of Dayton for four great years and graduated in 1981. 

I had the time of my life and made many lifetime friends. Student life was simple, no laptops, no smartphones, no social media, socializing at the library, and the music was fantastic. 

However, with today’s laptops, smartphones, and social media – the risk of ID theft and fraud for students is higher than ever. 

Now, to make matters worse, most students studying online and remotely are at a higher risk based on the COVID-19 pandemic – and this May 27, 2020 Federal Trade Commission (FTC) article titled COVID-19 scams targeting college students helps confirm it. 

With a significant increase in phony LinkedIn, Facebook and other social media friend requests placing many students at risk – as this August 12, 2020 article titled COVID-19 is shattering cyberattack records highlights – the daily inundation of misinformation has given cybercriminals an endless resource of cyber-based ammo to implement their attacks. 

But college students are not the only targets as colleges, universities and K-12 districts across the U.S. have become cyber targets for personal information and intellectual capital based on this July 1, 2020 article titled US schools leaked 24.5 million records in 1,327 data breaches since 2005.

California had the most educational data breaches, accounting for 157 of the 1,328 breaches (11.8 percent). The list of worst-hit states includes New York with 89, Texas with 79, Illinois and Ohio each with 60, and Florida with 58. Colleges account for 74% of education data breaches. 

And not to sound like a broken record, please see this July 14, 2020 article titled FBI warning-cybercrimes are up and school districts could be the target.

So what can parents and students do to mitigate their exposure to cyber scams and identity theft? 

  1. The COVID-19 pandemic has new email phishing attacks that try to trick parents working from home and students studying remotely into giving away credentials for access to their employers' and college/university networks. You need to stay vigilant and be careful with every email.
  2. A new voice phishing scam uses a combination of one-on-one phone calls and custom phishing sites to steal VPN credentials from – again – both parents and students.
  3. Limit what you share online, use and regularly change strong passwords on smartphones, tablets and laptops, and use a crosscut shredder.
  4. Parents and students need to know “student rights” under FERPA. The Federal Educational Rights and Privacy Act (FERPA) protects the privacy of student records.

As ID theft criminals continue to use the Social Security Numbers of students to obtain employment, rent an apartment, open a utility, cell phone, or bank account, or to access government benefits, be ever vigilant of new and emerging scams.

Sincerely,

Mark

Telehealth Creates New Cyber and Medical ID Theft Risks


By Mark Pribish
Vice President and ID Theft Practice Leader

July 2020 

I am following up on my June 2020 article titled “Medical ID Theft Risks Increase During the COVID-19 Crisis” where I said “we need to be more vigilant about cyber scams, phishing scams, hackers, and insider threats that are targeting our online presence – including Telehealth services.” 

Based on reader response and this July 27, 2020 HealthITSecurity article titled Telehealth Is the New Normal, But So Is Online Fraud (please see here), I will continue the discussion on how the current COVID-19 pandemic has increased consumer risks through cyber scams and medical identity theft.  

To place Telehealth services in perspective, HealthITSecurity states that “before COVID-19, the United States telehealth market was estimated at about $3 billion with 11% of consumers using telehealth in 2019. Fast forward to pandemic-plagued 2020, the telehealth market is poised to grow to $250 billion with 46% of consumers now using telehealth, according to McKinsey & Company.” 

“Unfortunately,” and according to HealthITSecurity, “these benefits are being offset by a variety of fraud schemes where healthcare fraud in the US is approaching $300 billion annually and while the Department of Health & Human Services and the Centers for Medicare & Medicaid Services eased their telehealth requirements to serve more patients during the pandemic, there could be an inadvertent wave of billing fraud and risk patient safety.” 

The fact is, the COVID-19 pandemic has cyber scammers, phishing scammers, hackers and even the insider threat targeting healthcare professionals and consumers. 

Examples of fraud scams, phishing scams, hacking, and insider threats include: 

  • Fraud scams including fake or fraudulent COVID-19 cures through fraudulent phone calls, fake social media content, and door-to-door sales. 
  • Phishing and Vishing Scams including fake emails, texts and phone calls to get you to share personal information like account numbers, Social Security numbers, or your login IDs and passwords.
  • Hacking / Malware where hackers use malicious software such as viruses, worms, Trojan viruses, spyware, adware, and ransomware. 
  • Insider Threats including current and former employees like the careless worker, the disgruntled employee, the malicious insider, and the outside contractor or vendor. 

While Telehealth is an emerging opportunity with great potential, it also has great potential to contribute to medical identity theft. 

According to this April 13, 2020 Association of Certified Fraud Examiners (ACFE) blog, “as Telehealth services proliferate, telehealth fraud schemes will continue to evolve” (please see here). 

Consumers need to be aware that the insider threat, hacker, phishing or vishing scammer, or fraudster stealing or using your personal information (e.g., name, Social Security number, Medicare number, etc.) can also originate with Telehealth services. 

Consumers can also reduce their risk of medical identity theft by safeguarding their health insurance cards, regularly reviewing credit reports, medical benefit explanations, medical bills, and prescription bills.

Sincerely,

Mark

Medical ID Theft Risks Increase During the COVID-19 Crisis


By Mark Pribish
Vice President and ID Theft Practice Leader

June 2020

Since people started working from home due to the COVID-19 crisis, the risk of financial and non-financial identity theft, fraud and scams has significantly increased.

Keyword phrases such as cybercrime, cyber thieves, data breach, digital spying, identity theft, personal privacy, phishing, and reputational risk have been reported and written about relating to both individuals and businesses more than ever.

As if it was not enough to constantly fight hackers and scammers at the office, most American workers are now fighting the same hackers, scammers and ID theft criminals remotely, from our “private” homes.

Understanding that many people live their lives online through social media, dating websites, reading the news, and the use of smartphones – the COVID-19 crisis has increased access points to the American consumer and worker more than ever.

One example of a new access point for many consumers is Telehealth.

According to the Centers for Disease Control (CDC) June 10, 2020 update titled Using Telehealth to Expand Access to Essential Health Services during the COVID-19 Pandemic (please see here), “Telehealth services help provide necessary care to patients while minimizing the transmission risk of the COVID-19 virus to healthcare personnel (HCP) and patients” and “while telehealth technology and its use are not new, widespread adoption among Healthcare Providers and patients beyond simple telephone calls has been relatively slow.”

The CDC stated that recent policy changes during the COVID-19 pandemic have reduced barriers to telehealth access and have promoted the use of telehealth as a way to deliver acute, chronic, primary and specialty care that can help improve patient health outcomes.

However, while Telehealth is a timely, valuable and useful tool, this June 22, 2020 article titled Security Experts Warn Of Elevated Threat Of Medical ID Theft During Coronavirus Pandemic (please see here) reported that “the coronavirus pandemic presents a greater threat for medical identity theft as patients interact with the health care system.”

One security expert, Randy Pargman, a former senior computer scientist with the Federal Bureau of Investigation (FBI) said that “companies across the board are more susceptible to theft of personal information during this pandemic because the attackers know they can take advantage of this situation.”

Pargman also said “patient files are rife with personal data ranging from social security numbers to insurance information.”

Whether it is a cybercriminal hacking medical files or the insider threat stealing medical files, I am certain that Telehealth services have just as many vulnerabilities as the many healthcare systems, hospitals and medical groups that have already experienced data breach events.

As we continue to work from home, we need to be more vigilant than ever about the cyber scams, phishing scams, hackers, and insider threats that are targeting our online presence – including Telehealth services.

Sincerely,

Mark

Credit Freezes Versus Credit Locks; What You Should Know


May 2020

By Mark Pribish
Vice President and ID Theft Practice Leader

According to a May 22, 2020 ComputerWeekly.com article titled Covid-19 will leave organizations exposed to higher cyber risks (please see here https://www.computerweekly.com/news/252483503/Covid-19-will-leave-organisations-exposed-to-higher-cyber-risks), “hacking attacks and phishing emails could become the new norm.”

The fact is the risk of a data breach event is now higher than ever based on the “increase in phishing email attacks, malicious keylogger attacks and the distribution of password-stealing software.”

This means that individual consumers might not know for months or even years that their Personally Identifiable Information (PII) was stolen by cyber thieves and ID theft criminals.

Since the COVID-19 crisis began, state and federal law enforcement has reported on numerous cybersecurity attacks and phishing scams including:

  • Sophisticated COVID-19 related phishing attacks that use PDF attachments to bypass software security defenses
  • Fake shipping emails pretending to be from FedEx and UPS to trick customers into downloading malware
  • Phony LinkedIn “connect” and Facebook “friend” requests to trick users into downloading malware
  • Fraudulent small business lending emails targeting small business owners including small law firms
  • New and innovative “vishing” phone scams impersonating government organizations and charities to solicit donations

With an increase in cyber scams, data breach events and ID theft victims during the current COVID-19 crisis, consumers might consider placing a credit freeze on their credit report.

However, be careful as Consumer Reports Magazine states (please see here https://www.consumerreports.org/credit-protection-monitoring/why-a-free-credit-freeze-is-better-than-a-credit-lock/) that “even though credit freezes are now free, credit bureaus are pushing consumers to lock their credit instead.”

According to Consumer Reports, “credit locks and freezes are similar. They both prevent others from accessing your credit information, eliminating the possibility that a fraudster could open a new credit account in your name. To entice consumers to use credit locks, the credit bureaus cite convenience and may offer special deals.”

To conclude, a credit freeze – also known as a security freeze – is a free tool that lets consumers restrict access to their credit report, which in turn makes it more difficult for ID theft criminals to open new accounts in an individual consumer’s name. The reason is that most creditors need to see a consumer’s credit report before they approve a new account. If they cannot see an individual consumer credit report, they will not extend the credit.

Based on the COVID-19 Crisis, a credit or security freeze is another option you should consider to protect yourself and your family members.

Sincerely,

Mark

FBI, Secret Service and Homeland Security Continue to Issue COVID-19 Scam and Fraud Alerts


April 2020

By Mark Pribish
Vice President and ID Theft Practice Leader

After working the last six weeks from home, along with most Americans in the United States, there has been no slowing down of COVID-19 alerts from the FBI, Secret Service and Homeland Security regarding the personal privacy and identity theft risks to every consumer in America. 

The news headlines below are just a small example of the daily and weekly alerts released by law enforcement to help protect individuals from the numerous identity theft, phishing and cyber related fraud events: 

Based on the above, consumers need to be aware of sophisticated COVID-19 related phishing attacks that use PDF attachments to bypass software security defenses. 

Consumers also need to know about fake shipping emails pretending to be from FedEx and UPS along with new and innovative phone scams. 

There has also been a significant increase in phony LinkedIn, Facebook and other social media friend requests that are putting many consumers at risk. 

Lastly and according to my colleague Jeremy Villanueva, the Manager of Customer Support Operations for the Merchants Information Solutions Recovery Advocate Center – a new and emerging consumer risk is the “stimulus check scam and fraud.”

According to Jeremy, Forbes Magazine published an April 28 article titled Scammers have registered 150,000 fake stimulus check websites. Here’s how to protect yourself (please see here), where fraudsters create a copy of the IRS's official "Get My Payment" site and when a user goes to Google to search for the real stimulus check tracker, they might instead be lured to a fake site.

If a consumer submits their information, “scammers can then use the newly acquired credentials to try to beat the victim to their stimulus check. Then they can input another bank account to receive the money, or just use your personal information for identity theft.”

In just the month of April, Jeremy’s team of highly-trained Recovery Advocates has helped numerous victims of stimulus check fraud along with other consumers who have become victims of COVID-19 related scams return to pre-identity theft status. 

To conclude, consumers need to stay up to date on the latest COVID-19 related scams and fraud events to protect themselves and family members. 

Sincerely,

Mark

Coronavirus Fear and Anxiety drives Phishing Scams


March 2020

By Mark Pribish
Vice President and ID Theft Practice Leader 

I read a great article last week by Risk Based Security – a leader in vulnerability intelligence – about modern phishing attempts (please see here) and “how malicious attackers are targeting unsuspecting people on the web.” 

This article said there was a “tendency to associate phishing with crude boilerplate emails, dubious attachments, and poor attention spans” but instead, sophisticated “attackers were spoofing system update prompts or redirecting users to pages with all sorts of dubious code.” 

But it gets worse as cyber thieves and ID theft criminals did not take long to take advantage of fear and anxiety surrounding the global COVID-19 pandemic. 

Risk Based Security then released another article titled Coronavirus Isn’t the Only Virus Going Around (please see here) reporting that “malicious attackers will always find new ways to target individuals and organizations. This time, hackers are installing malware on computers and harvesting user credentials by preying on people’s curiosity and fear of the coronavirus (COVID-19).” 

One new phishing example is where “scammers pose as the Centers for Disease Control (CDC) advising that there are new COVID-19 cases reported in the user’s city and requesting that they follow a link to learn more. From there, clicking the provided URL covertly redirects the user to a spoofed login page. If the user completes the process by providing their credentials, they are now compromised.” 

For years I have written and spoken on how IT and hacking are the sizzle that makes the news headlines; however, the vast majority of data breach events are the result of phishing emails and not high technology hacking tools. 

According to the FBI’s Internet Crime Complaint Center (IC3) 2019 Internet Crime Report (please see here), phishing scams were the most common type of internet crime last year where 114,000 U.S. consumers lost more than $57.8 million in 2019 as the result of phishing. 

Consumers need to be reminded that cyber thieves and ID theft criminals pretend to be a trustworthy party to trick people into handing over personal details or account information and that COVID-19 related scams and frauds are showing up in multiple locations including the internet, your work email and your personal email. 

Based on the severity of our national emergency concerning the Novel Coronavirus Disease (COVID-19) Outbreak – we need to be diligent and aware of the numerous phishing emails and scams in the foreseeable future.  

Sincerely,

Mark

Business ID Theft Refund Fraud is a Growing Threat


February 2020

By Mark Pribish
Vice President and ID Theft Practice Leader

Most people are aware of taxpayer identity theft refund fraud when the victim's Social Security Number is used to file a fraudulent return to claim a refund or credit.

However, most people are not familiar with business identity theft refund fraud.

According to a new January 2020 General Accounting Office (GAO) Identity Theft Report, identity theft criminals can claim a business’s tax refund by fraudulently using the business’s tax ID number and other identifying information. 

The GAO report stated that between January 2017 and August 2019, the Internal Revenue Service (IRS) helped prevent $384 million in fraudulent business identity theft refunds.

The fact is identity theft criminals are constantly looking for ways to steal the identities of individuals, tax professionals and businesses in order to file fraudulent tax returns for refunds as consumers and businesses – especially small businesses – can be unsuspecting victims of tax fraud schemes. 

The IRS states that business identity theft occurs when identity theft criminals “create, use, or try to use a business’s identifying information – such as an Employer Identification Number (EIN) – in an attempt to claim a tax refund.” 

The IRS has recognized business identity theft is a growing threat and that identity thieves show a sophisticated knowledge of the tax code and filing practices as they attempt to file fraudulent returns with potentially large refunds. 

Nearly one year ago (in April 2019), the IRS reported a 10 percent increase in the number of businesses notifying the IRS that they were victims of business identity theft (2,233 notifications in 2017 to 2,450 in 2018). 

Business identity theft impacts both the government (e.g. loss of revenue) and small businesses, which can experience reputational risk, financial and credit risk along with other types of financial fraud. 

To help both consumers and businesses, the IRS launched Identity Theft Central to improve online access to information on identity theft and data security protection for taxpayers, tax professionals and businesses.  

I believe Identity Theft Central will be a great new resource on how to report identity theft and for providing taxpayers information to protect themselves including: 

  • Taxpayer Guide to Identity Theft, including what to do if someone becomes a victim of identity theft
  • Identity Theft Information for Tax Professionals, including knowing responsibilities under the law
  • Identity Theft Information for Businesses, including how to recognize the signs of identity theft

For years, law enforcement in general and the FBI in particular have always stated that education, awareness and community outreach are critical in responding to identity theft criminals and cybersecurity thieves. 

Stay vigilant this tax season and use the new Identity Theft Central FTC resource, especially if you have a small business. 

Sincerely,

Mark

Make a Stronger Cybersecurity Commitment in 2020


December 2019

By Mark Pribish
Vice President and ID Theft Practice Leader

Every consumer and small business owner needs to make a commitment to do more to safeguard personal and business information in 2020. 

To help with your cybersecurity commitment, I am highlighting three topics including identity theft terms, consumer need-to-knows and small business best practices. 

First, Consumer Affairs has an identity theft glossary that serves as a great reminder of the current threat environment including: 

  • Keylogger: A keylogger is a computer program that records a person’s keystrokes to obtain confidential data.
  • Phishing: Phishing is a popular type of internet scam in which fraudsters send emails claiming to be from a reputable company to trick individuals into revealing personal information.
  • Smishing: Similar to phishing, smishing (or SMS phishing) is when someone attempts to mine sensitive information under a fake identity through text messages.
  • Vishing: Like phishing or smishing, vishing is when an identity thief attempts to gain sensitive information over the phone. 

Second, consumers need to know how to protect themselves from becoming a victim of ID theft during the holiday season such as: 

Third, small businesses need to implement cybersecurity best practices to help mitigate their exposure from identity theft and data breach events: 

  • Annual employee education should be the No. 1 priority. Talk to your employees about identity theft and data breach risks because the threat level is rising and you don't want it to sink your business.
  • Your small business needs to create, test and update a written information security and governance policy annually, including penetration testing and a simulated data-breach event.
  • Consider adding cyber liability insurance to help respond to evolving state and federal breach notification laws since most small businesses lack the financial and human resources to respond to a data breach. 

Based on the above, ring in 2020 with a stronger cybersecurity commitment to help reduce your cybersecurity risks. 

Sincerely,

Mark

Another Data Breach Letter: Another 12 Months of Credit Bureau Monitoring


November 2019

By Mark Pribish
Vice President and ID Theft Practice Leader 

I just received a November 8, 2019 Notice of Data Privacy Incident letter from Delta Dental notifying me that “a data privacy incident may affect the security of my personal health information.” 

Delta stated in my notification letter that “we take this incident very seriously and are providing you with information and access to resources so that you can protect your personal information, should you feel it is appropriate to do so.” 

The notification letter went on to say that on July 8, 2019, Delta Dental of Arizona became aware of suspicious activity and learned that a Delta Dental employee fell victim to an “email phishing scheme” that allowed an unauthorized individual to gain access to said employee’s email account. 

Delta Dental’s third party forensic investigation revealed that “the email account contained my first and last name and Social Security number, Member ID, or Subscriber ID, and date of birth.”

For those of you unaware, this is the type of information hackers and ID theft criminals use to open fraudulent credit card accounts and other lines of credit in your and my name.  

The same hackers and ID theft criminals can also use this information to commit non-financial ID theft by fraudulently creating a driver’s license, passport, or health insurance card, or to commit taxpayer ID theft and refund fraud. 

The letter went on to say “in an abundance of caution, we are offering you access to 12 months of credit monitoring and identity theft restoration services at no cost to you” and “we sincerely regret any concern or inconvenience that incident has caused.”

Well, here is my concern: my Social Security number, thanks to Delta Dental (along with Equifax and Capital One), is out there forever.

Consumers need to be aware that a data breach or an ID Theft event can be a lifelong problem that may affect you (and me) long into the future and in ways you (and I) likely haven't even thought about. 

Consumers also need to know that “free credit monitoring services” will not help much after 12 months or at all with non-financial ID theft, such as taxpayer ID theft and refund fraud, medical ID theft and credential (e.g. driver's license, passport, employee and student IDs) ID theft. 

The initial news reports on most data breaches rarely reflect the final story: they speak of what's known at the moment, but rarely discuss the long-term threat that endures. 

Instead of minimizing the potential impact of a data breach by telling affected individuals that there has been no evidence that your information is being misused – companies need to be more open in telling you about the long-term risks associated with a data breach such as non-financial ID theft, the limitations of credit monitoring, and most importantly how you will be taken care of if you become an ID theft victim.

Sincerely,

Mark

Personal Privacy and the Internet of Things (IoT)


October 2019

By Mark Pribish
Vice President & ID Theft Practice Leader

Keywords: #Personal Privacy, #Internet of Things, #Smart Devices, #Identity Theft

Have you ever thought about how installing smart or connected devices such as a residential doorbell or security camera using a Wi-Fi connection can put your personal or business data at risk of being hacked or sold to third parties like advertisers? 

An October 1, 2019 article titled Smart Home Devices and Privacy Risk (please see here) states “while ‘smart home’ or internet of things (IoT) devices have become more prevalent and may make every day or business tasks more convenient, they also diminish consumers’ privacy and introduce serious risks, for both users and device developers and manufacturers.” 

According to Statista, a leading provider of market and consumer data, there will be 75 billion connected devices worldwide by 2025 (please see here). 

When I think of connected devices I think of business sectors such as Utilities (programmable thermostats), Residential Security (residential doorbells with surveillance cameras and microphones), Smart and Self-Driving Automobiles (onboard computers, infotainment/entertainment systems and apps) and Healthcare (medical devices such as a pacemaker and mobile apps) to name a few. 

In each instance, these connected business sectors and devices help save money, increase efficiencies and improve our quality of life. 

The same business sectors and devices can also give hackers and insider threats the opportunity to steal personally identifiable information (PII) leading to any consumer becoming a victim of identity theft. 

Think about it: if you can unlock the front door of your house remotely – so can a hacker. If you can start your car or unlock the door locks of your car remotely – so can a hacker. 

And if any of your devices or service providers are connected to the cloud to collect, store and/or transfer information – hackers and insider threats can collect, store and/or transfer the same information. 

While consumers are excited to have a more connected lifestyle, consumers should also be concerned about the increased risk of identity theft and data breach events. 

So what can you do about it?  Consumers can protect themselves in a number of ways including:

  1. Changing default usernames and passwords
  2. Setting strong passwords
  3. Updating security software regularly
  4. Checking the device's default privacy and security settings
  5. Disabling remote access to IoT devices (where applicable)

Every IoT device comes with a built-in web interface to configure the settings mentioned above. In addition to securing any new smart devices you may purchase, be sure to configure any existing IoT devices you already have.

 Sincerely,

Mark

 

2020 Prediction: Senior ID Theft to Get Significantly Worse


September 2019

By Mark Pribish
Vice President & ID Theft Practice Leader

KEYWORDS: senior identity theft/ senior fraud / cybercrime / personal privacy

Whenever I speak publicly about cybersecurity and identity theft, I always share the latest research reports or identity theft trends to look for recent patterns that can help consumers and businesses mitigate their risks against identity theft. 

Based on the first half of this year – where 11 of the largest 13 data breach events occurred at medical or healthcare organizations (please see here) affecting nearly 24 million healthcare related records, I believe senior identity theft and fraud will get significantly worse in 2020. 

According to Protenus, a healthcare compliance analytics company, (please see here) this healthcare industry data breach pattern includes 503 incidents affecting nearly 15.1 million patient records in 2018 and 477 data breaches affecting 5.6 million patient records in 2017. 

When you think about lost or stolen Personally Identifiable Information (PII), most people think about credit card information, bank account information, taxpayer identity theft and refund fraud, utilities identity theft and fraud, and credential identity theft such as driver’s license or passport fraud. 

Very few people think about medical identity theft in general and senior identity theft in particular. 

However, when the collections firm American Medical Collections Agency (AMCA) – which services laboratories, hospitals, physician groups, billing services and medical providers throughout the United States – experienced a data breach, including Labcorp (affecting 7.7 million patients) and Quest Diagnostics (affecting 11.9 million patients), I wondered how safe and secure all American consumer billing records really are. 

Another interesting statistic comes from the 2019 Federal Trade Commission (FTC) Consumer Sentinel Network Data Book where 39% of fraud complaints and 15.9% of identity theft complaints impacted seniors (60 years or older) in 2018 (please see here).       

At first glance, however, if you add the mature market (50 – 59 years of age), the “Identity Theft Reports by Age” from the FTC Consumer Sentinel Network show that, on a three-year average, 36% of identity theft victims were 50 years and older. 

  • 50 years of age and older – 31.3% in 2018
  • 50 years of age and older – 36.6% in 2017
  • 50 years of age and older – 40% in 2016

While there were “only” 14.4 million identity theft victims in 2018, which represented a drop from the record-breaking 16.7 million victims in 2017, it is estimated that out-of-pocket fraud costs for victims more than doubled in two years to $1.7 billion.

The FTC report also showed that younger people reported losing money to fraud more often than older people – but older people lost nearly twice the amount to fraud.

To conclude, nearly 50 million health related records have been reported stolen from over 1,000 data breaches over the last 30 months. 

With National Cybersecurity Awareness Month taking place in October, I believe senior identity theft and fraud will rise in 2020!

Who’s the Insider Threat at Your Company?


August 2019

By Mark Pribish
Vice President & ID Theft Practice Leader

KEYWORDS cybersecurity / cybercrime / insider threat / personal privacy 

I just attended the Black Hat 2019 Conference – which is the largest information security event in the world – on August 7-8 and listened to a very informative presentation by John Grim, Managing Principal – Americas, Verizon Threat Research Advisory Center (VTRAC), on Verizon’s recently released Insider Threat Report.

Grim began the presentation by highlighting Verizon’s five insider threat categories including the following:

  • The Careless Worker
  • The Inside Agent
  • The Disgruntled Employee
  • The Malicious Insider
  • The Feckless Third Party

As a side note, I had to look up the word “feckless” which has a number of meanings including irresponsible, incompetent, inept, and lacking character.

Grim defined insiders as “full- and part-time employees, independent contractors, interns, and other staff, as well as business partners and third parties with some level of privileged access.”  He also said that “human resource controls, security access principles, training and third-party management controls can mitigate risks.”

According to Verizon’s Insider Threat Report, “twenty percent of cybersecurity incidents and 15 percent of the data breaches investigated within the Verizon 2018 DBIR originated from people within the organization, with financial gain (47.8 percent) and pure fun (23.4 percent) being the top motivators.”

In addition, these attacks, which exploit internal data and system access privileges, are often only found months or years after they take place, making their potential impact on a business significant.

To put all this in perspective, Capital One’s recent data breach involved this very insider threat, the “feckless third party”: an irresponsible former Amazon employee, lacking character and integrity, is now being charged with computer fraud.

Just as I wrote in a recent LinkedIn post about Capital One’s data breach event that the question should be “who’s in your wallet?” – I believe every business and organization, based on Verizon’s Insider Report, should be asking “who’s the insider threat at your company?”

To conclude, Verizon offers organizations an opportunity to “identify pockets of risk within the employee base, real-life case scenarios, and countermeasure strategies to consider when developing a comprehensive Insider Threat Program.”

You can go to this link to read Verizon’s Insider Threat Report.

Sincerely,

Mark

Apps Are a Bigger Personal Privacy Threat than Facebook


July 2019

KEYWORDS cybersecurity / cybercrime / social media / apps / personal privacy

Four years ago I wrote an article titled “Are apps and social media putting your privacy at risk?” (please see here) where I asked readers when was the last time they read the terms and conditions or adjusted the privacy settings of their smartphone apps or social-media accounts?

On Wednesday (July 24, 2019) the Federal Trade Commission (FTC) announced that Facebook “will pay a record-breaking $5 billion fine to resolve a government probe into its privacy practices and the social media giant will restructure its approach to privacy” (please see here).

The FTC also said that Facebook’s “data policy was deceptive to ‘tens of millions’ of people who used Facebook’s facial recognition tool and also violated its rules against deceptive practices when it did not disclose phone numbers collected to enable a security feature would be used for advertising.”  I will get back to facial recognition in a moment.

So when you think about why consumers use apps and social media, you think about convenience, entertainment and networking opportunities.  Common app examples include requesting transportation, adjusting our home thermostat, accepting a LinkedIn invite, posting on social media or playing a game.  This is the reality of our evolving lifestyle and is the world that we live in today.

Another reality is that our everyday app use and access to social media increases our personal privacy risks.  For example, while you are thinking about convenience, entertainment and networking opportunities – so are the cyber thieves and ID theft criminals who are leveraging your social networks and apps to do their dirty work. Common social media examples include fake LinkedIn invites, fake Facebook accounts, fake Twitter accounts, fake reviews, and even fake news.

Over the last few years, cybersecurity research has shown that most social media scams were manually shared, where the scam spread rapidly. These scams are lucrative for cybercriminals because people are more likely to click something “posted by a friend.”  The mobile threat, including mobile apps, has also been ripe for attacks, as many consumers associate cyber threats with their PCs and neglect even basic security precautions on their smartphones.

Consumers need to be reminded that apps and social media can track your search engine history, purchasing habits, geographical location, and even look into your files and contact list – all without your knowledge and sometimes without your permission.  The types of personal information being collected and sold to third-party marketers and data brokers include your smartphone's unique device ID, phone's location, phone number, your age, gender, likes, dislikes, search-engine habits, e-mails, usernames and more.

So, returning to facial recognition and the extremely popular facial recognition app called FaceApp, you may want to read this article titled All your friends are posting aging selfies with FaceApp – a Russian app that's raising privacy concerns (please see here).

Essentially, FaceApp is a photo editing app where you can see what you would look like with a beard, gray hair, and even wrinkles.  Unfortunately, to use FaceApp you have to give it permission to access all your photos along with access to Siri and Search.  In addition, FaceApp has permission to refresh in the background – “even when you are not using it, it is using you,” according to Rob La Gesse, former vice president at Rackspace, who shared his FaceApp thoughts on Facebook on Wednesday, July 17, 2019.

Based on the above, here are my five tips to help you minimize your privacy risks:

  • Limit and/or eliminate sharing your personal information online.
  • Increase your privacy awareness by reviewing and adjusting your privacy settings.
  • Be aware that some apps reset your privacy settings during major upgrades.
  • Learn more on how the apps you have installed use your personal information and for what purposes.
  • Consider using "privacy assistant software" to help keep your privacy preferences current.

I will conclude by asking the same question again:  when was the last time you read the terms and conditions or adjusted the privacy settings of your smartphone apps or social-media accounts?

Sincerely,

Mark

4 Data Breach Best Practice Tips for Small Businesses


June 2019

According to a June 4, 2019 Security Magazine article titled Data Breaches Cost $654 Billion in 2018 (please see here https://www.securitymagazine.com/articles/90320-data-breaches-cost-654-billion-in-2018), “cybercriminals exposed 2.8 billion consumer data records in 2018, costing more than $654 billion to U.S. organizations.”

Personally identifiable information (PII) was the most targeted data, with 54 percent of stolen PII being date of birth and/or Social Security Numbers.

In addition, “name and physical address (49 percent) and personal health information (46 percent) were the second and third most commonly compromised type of PII in 2018.”

Based on the above, and the just released 2019 Verizon Data Breach Investigations Report (DBIR) where Verizon found that 43% of data breaches happened to small businesses, I have listed below my four data breach best practice tips to help small businesses prepare for and mitigate their exposure to a data breach event.

Best Practice #1 - every small business needs to understand the cybersecurity threat landscape.

Staying on top of all the security news and knowing the latest security trends is a time consuming and challenging task.  I recommend regularly reading Brian Krebs (please see here https://krebsonsecurity.com/) who is the author of a daily blog covering cybersecurity, data breach and cybercrime trends.

Best Practice #2 - have a written information security and governance policy and update this policy each year.  Once complete, have every employee – even in small businesses with two to five employees – sign this information security policy document acknowledging that they have read, understand and agree to the policy.

Best Practice #3 – have a data breach risk management plan in place. The lack of cybersecurity preparedness, the lack of data breach planning and the lack of employee privacy training have made small businesses a target for cyber criminals. Your data breach risk management plan should include pre-breach planning with a focus on an information security risk assessment and employee education and awareness.  It should also include post-breach planning with a focus on state and federal breach notification laws and a list of incident response vendors such as your insurance broker, legal services, forensic services, and public relations.

Best Practice #4 - every small business owner should consider having a cyber liability insurance policy, which can help protect your business from cybercrime and a data breach event.  The CEOs and CIOs of Equifax and Target were not fired because they were hacked or breached; they were fired for their failed management response to their breach events.  Cyber insurance can help your business be resilient and compromise ready.

With the threat environment changing so quickly, chances are your security policies and procedures (if your business has security policies and procedures) are not keeping up; just as state and federal laws are not keeping up with the newest technologies.

These four best practices will help your small business respond to new threats along with the changing regulatory environment.  

Sincerely,

Mark Pribish | Vice President and ID Theft Practice Leader

To learn more about these threats and how to protect yourself and your family from Identity Theft, you can read my past newsletters below.

Your Cell Phone Number is a Threat to Your Personal Privacy


April 2019

I read with great interest an article titled Phone numbers are the new Social Security numbers (please see here) that highlights how "cellphone numbers have become a primary way for tech companies like Facebook to uniquely identify users and secure accounts, in some ways becoming a proxy for a national ID."

The article goes on to say that cellphone numbers are becoming Americans' latest national identification number as Congress mandated that consumers could take their phone number from one provider to another.

This means that consumers can have a de facto "cellphone number for life" system.

Think about how your cell phone number / smartphone is used as a personal computer to do your banking, watch movies, and more including the following:

 - Texting
 - Email
 - Social Media
 - Camera
 - Banking
 - Reading news
 - Online shopping
 - Checking the weather
 - WhatsApp
 - Watching videos on YouTube

Now think about how your smartphone is also a potential threat to your personal privacy. While you can install some privacy related apps, you still give up most of your privacy.

Here are some examples of how your personal privacy can be at risk through your smartphone:

 - Geotracking — a smartphone is able to locate itself via the integrated GPS chip. While disclosing location data may seem harmless, it is still an invasion of privacy. This data can be used to build a profile on you or a family member, which can subsequently be used for a phishing attack.

 - Wi-Fi tracking — as cellular connections often falter indoors, retailers have offered free Wi-Fi to their shoppers. While consumers click to accept the terms of service, an invasion of privacy is taking place as retailers can determine which departments the shoppers have visited and how long they spent there.

 - Microphone eavesdropping — every smartphone has a microphone, and it's another security risk. While the main concern for many of us may be someone eavesdropping on private conversations, microphones also can be used for data collection.

So let's conclude with your personal privacy risks related to your cell phone number.

The next time someone asks you for your cellphone number, remember that it is increasingly used to connect to private information maintained by all types of companies including financial institutions, retailers and social networks.

Your cell phone number can also be used to monitor and predict what you view and purchase online or even what you watch on television.

It is important to know that your cell phone number is not regulated and no companies are mandated to keep it private. Studies indicate that half the U.S. population no longer has a landline. Many consumers in the 20-30 year age bracket have never had a landline. Many young consumers have no credit history and therefore no link to their Social Security number.

On the other hand, most teenagers are equipped with a cell phone number at the average age of thirteen years old. That cell phone number often remains with them for decades providing a detailed digital identification system of information.

This detailed digital identification system of information applies to all of us, so be smart with your cell phone number and who you share it with.

Sincerely,

Mark Pribish | Vice President and ID Theft Practice Leader
