State of the Union: Fraud Prevention


Fraud prevention: Why it is necessary

In the era of big data, data breaches are a part of everyday business. Whether your business provides e-commerce or you simply do business online, assume your information is at risk. Some of the biggest names in business experienced the largest data breaches over the last decade, affecting billions worldwide, including eBay, LinkedIn, Myspace, Sony, Target, Yahoo, and more. Yahoo was the largest breach, compromising a total of approximately 1.5 billion between two breaches in 2016, only months apart.

Equifax, one of the largest credit-reporting agencies in the United States, announced a significant breach in the company's database in September 2017, which exposed sensitive personal and account information of an estimated 143 million Americans. Approximately one-third of the U.S. population had their identity compromised from this incident alone, making it one of the largest data breaches to date in America.

According to Equifax, cyber criminals exploited a U.S. website application vulnerability to gain access to their database. As a result of the data breach, personal and account information, including names, social security numbers, birth dates, addresses and driver’s license numbers, was accessed. In addition, Equifax reported that credit card information and certain dispute documents with personal identifying information for approximately 200,000 U.S. consumers, as well as some UK and Canadian citizens, were compromised.

All major credit reporting bureaus have been breached

While Equifax reported being breached in September of 2017, the credit reporting company stated that it discovered "unauthorized access" to its systems on July 29, which means the incident wasn't announced until months after the hack took place.

Similar to the 2016 Yahoo hack, Equifax had a data breach months prior to the big one. According to CBS News, Equifax told Bloomberg that a March 2017 breach of a business-services unit, months prior to the July incident, was not related to the hack in July. "The incident was reported to customers, affected individuals and regulators," Equifax told CBS News in a follow-up report.

Equifax is not the only major credit reporting bureau that has been breached. As a matter of fact, all major credit reporting bureaus have been hacked at some point over the last decade. In 2015, T-Mobile was hacked through Experian. According to T-Mobile’s CEO, John Legere, a "hacker acquired the records of approximately 15 million people, including new applicants requiring a credit check for service or device financing from Sept. 1, 2013 through Sept. 16, 2015." While Experian was encrypting stored Social Security numbers and identification numbers, T-Mobile claimed they believe the hacker cracked the encryption, leaving all the data it was storing at risk.

In 2013, Equifax, Experian and TransUnion all acknowledged a system breach after information pertaining to celebrities and high-profile figures was posted on a website called Exposed. Former First Lady and Secretary of State Hillary Clinton, former First Lady Michelle Obama, Paris Hilton and former FBI Director Robert Mueller ended up on the site after the attacker gained "fraudulent and unauthorized access" to their credit reports.

How were the individual credit reports hacked? The attackers didn’t use malware or software vulnerabilities. It was more of a life hack. The criminals leveraged public information to bypass all three credit bureaus' authentication measures by answering all the necessary security questions.

How to identify fraudulent inquiries: Scam definitions

Phishing

Phishers send out fraudulent emails containing personal information relating to the victim in order to create the illusion of legitimate business activity and gain trust. The hope is that the victim will answer questions or open a link or attachment in the email. The link or attachment may contain malware or spyware used to steal account and personal information.

Pharming

Pharming is a form of phishing where scammers create a fake, malicious website that mimics the site of a legitimate institution. These hackers then use Domain Name System (DNS) "poisoning" to redirect their targets to the fake site, which appears legitimate. Believing they are visiting a safe website, the victims enter their personal account information such as a PIN or password.

Smishing

SMS phishing uses cell phone text messages, or Short Message Service (SMS), to deliver a message "phishing" for your personal information. Delete any text message that asks you for your personal or account information. Do not respond to unsolicited text messages that urge you to call a provided number about account discrepancies and that solicit account information and PINs.

Vishing

Vishing is a form of phishing that exploits voice technology to reach voicemail, cellphone and landline telephone services. Messages generally indicate that suspicious activity has occurred in an account, and will direct the victim to call a specific telephone number and provide information to "verify" their identity. If the attack is carried out over the telephone, Voice over Internet Protocol (VoIP) allows caller ID spoofing, providing anonymity for the fraudulent call. Often the ID spoofing will mimic a legitimate source such as a bank or government agency.

Take-home message

Hacking is inevitable; assume you will get hacked, and assume the businesses and financial institutions you do business with will get hacked. Be prepared, because once you find out you have been compromised, it is already too late.

Legitimate banks and financial institutions will not ask you to provide personal account and financial information. They already have your account information in an encrypted database if you are doing business with them. Criminals need this information in order to decrypt it. It is important to report these incidents. Criminals that go out of their way to carry out these cyber crimes will do so on a large scale. You will not be the only one targeted. The more information an institution can collect on an identity scam, the quicker it can be stopped, and the easier it will be for you to recover your losses or protect your identity.

As a business, the sooner a data breach is reported, the less damage is done to customers’ identities and ultimately to the business itself.  

For data breaches or identity theft, contact the Federal Trade Commission (FTC) at 1-877-ID-THEFT (1-877-438-4338).