
Fraud & Identity Theft

Identity theft and fraud can occur when criminals use personal information for their own gain, or when they cause loss to another.


Behaviours

SB011: Uses a search engine to see what personal information is accessible online


Personal information can be used during social engineering attacks. Search engines can show what personal data can ...

SB062: Locks SIM card to phone


SIM cards can be locked to prevent them being used in other phones. Doing so protects against occasions SIM cards ...

SB071: Regularly reviews privacy settings on social media accounts


Privacy settings on social media accounts should be reviewed regularly to make sure personal data is not exposed ...

SB073: Sets account passwords with network provider


Criminals with access to network providers can launch SIM swap or mobile phone number porting attacks. Agreeing a ...

SB075: Requests photos are removed if posted online without consent


Photos posted online without consent can increase digital exposure. Taking steps to remove sensitive photos posted ...

SB092: Returns allocated devices when no longer needed


Returns allocated office equipment when no longer needed. This prevents idle devices from going into the wrong ...

SB093: Deletes old personal online accounts if no longer used


Deletes online accounts and "zombie" apps that are no longer used. These accounts are a security risk as they often ...

SB150: Does not use a password that has been compromised in a data breach


Passwords that have been compromised in data breaches are often shared or sold amongst cyber criminals. Other ...

SB151: Does not use weak passwords


Using a weak password puts an account at risk of data breaches, takeovers, and various cyberattacks. Some sites ...

SB156: Discloses credentials to a phishing site


Disclosing credentials to a phishing site places the individual and their organisation at risk of account ...

Case study

Millie Clark

In early 2020, Millie Clark received a seemingly innocent email asking her to make a payment via a fake-but-convincing “O2” website. Millie made the payment then carried on with her day.

Two weeks later, Millie’s scammers called her, this time posing as the HSBC fraud prevention team. The scammers “spoofed” HSBC’s telephone number to make the call seem real. They asked Millie to give them the security codes to one of her financial accounts. Millie complied.

While Millie was still on the phone, the scammers used the codes to take out a loan and overdraft in Millie’s name. Together, the debt totalled more than £10,000.

The scammers informed Millie their own illicit transactions indicated she was being targeted. They instructed her to divert funds into an “HSBC account” for safe-keeping. Millie agreed, and transferred £12,000 of her own money directly to the criminals.

When the real HSBC fraud prevention team called her the next day, Millie realised what had happened.

In a Facebook video narrating her ordeal, Millie cautions viewers that simple mistakes can lead to large losses. She regrets not verifying the authenticity of the link sent to her in the phishing scam, and she regrets revealing confidential information without first confirming who she was talking to.

Emily Xu

In June 2018, Emily Xu received a phone call from her “bank” informing her that someone had attempted to update her address. Both Emily and her bank deemed the incident a system error.

Over the next few months, Emily received numerous calls related to transactions she’d never made. The calls included a warning of disciplinary action following “tax evasion”, and a call about the repayment of a loan Emily had never taken out. Emily later discovered her contact details were posted to a third-party website without her consent.

Though unsure about how her details reached criminals, Emily needed to act. She contacted the Canadian Anti-Fraud Centre. After a series of investigations and remedial actions, the phone calls stopped.

Emily warns other people about the ordeal she faces following her identity theft. She recommends that people destroy sensitive documents before disposing of them and that people check credit accounts regularly for signs of foul play.

Southern Oregon University, 2017

In 2017, staff at Southern Oregon University sent $1.9 million to what they thought was a construction company they’d been working with.

It soon transpired fraudsters had spoofed the construction company’s email address and contacted the University requesting payment. University staff had complied with the request, transferring money directly to criminals.

The University’s busy accounting team missed the signs of fraud in the email. The team also failed to verify the sender’s authenticity. Such errors led to the SoU joining various other educational institutions fraudsters have scammed through business email compromise. All requests for payment or changes to account details should be verified independently using known contact details.

Abraham Abdallah

In 2001, Abraham Abdallah made global headlines after committing a series of identity theft attacks against high-profile celebrities.

Working from a library in Brooklyn, USA, Abraham used web-enabled mobile phones and virtual voicemail services to trick credit companies into providing credit reports on his victims. He then used the confidential information to clone their identities and gain access to their accounts at brokerages such as Goldman Sachs and Merrill Lynch.

His crimes were discovered when the police were alerted to a payment request of £7m from an account belonging to Thomas Siebel, founder of the electronics firm Siebel Systems. This was traced to email addresses that either belonged to multiple people or did not exist at all. After investigation, the police tracked Abraham, who was later arrested for his crimes.

Several measures can be taken to prevent identity theft, including regularly checking accounts and securing email addresses with passphrases and multi-factor authentication.

SebDB is brought to you by CybSafe | © 2023 CybSafe Ltd