Fraud and identity theft

Fraud and Identity Theft

As for anything related to cybersecurity at large, fraud types around personal data and identity theft are dizzyingly numerous and varied in types.

Here are the top 20 below. This list is non exhaustive, new are added every year, and each type of fraud itself also evolves in sophistication with time.

1. Phishing: We all know this one, an older historical type of personal data attack. Sending emails that mimic reputable sources to trick individuals into disclosing personal information. Typically, most users can see through those. See also:
   1. Smishing (SMS Phishing): Sending text messages that trick the recipient into providing personal information or downloading malware.
   2. Vishing (Voice Phishing): Using phone calls to trick individuals into revealing personal information or account details. This kind of attack has been at times popular but seems to be receding in prevalence as users become more aware of cyber risk and can typically detect the accent of the caller, or ask some validation questions back.
   
   
2. Spearphishing: The difficulty level rises! Spearphishing is mostly an evolution from basic phishing gone ineffective. Gone are the emails with typos, leading to funny URLs and visibly faked landing pages. Spearphishing may only target a specific job title in a company, with a very specific message, leading to a sophisticated landing page, virtually unrecognizable from whatever bank or application they are spoofing. Spearphishing also generally uses more, better personal information than phishing, all in order to make the attack more contextual, and in this way, more credible.
   
   
3. Session Hijacking: Extremely dangerous. Intercepting and exploiting a valid computer session to gain unauthorized access to information or services in a computer system, and/or take change credentials and completely kick out the valid user. If not identified early on by older cybersecurity protocols, a session hijacker will typically inflict severe damage to the valid account owner, and steal enough personal information to be able to easily log into other applications (keywords often repeat… addresses do not change… neither do emails…) Victims of session hijacking often do not realise what happened until an enormous damage has been done and they are already kicked out of multiple applications vital to their professional or personal life.
   
   
4. Man-in-the-Middle Attacks (MITM): Intercepting communications between two parties to steal or manipulate data.
   
   
5. Malware Attacks: Using software designed to harm or exploit any programmable device, service, or network to steal, encrypt, or delete data. This kind of attack is somewhat hybrid as it uses network exploits and general software issues to attack and inject malicious code, but the intent of the malicious code is not necessarily to destroy, rather, to gather, encrypt, steal, falsify and/or delete personal user data.
   
   
6. Web injections: A similar type of attack, here the attacker injects malicious code into the application (often through web forms) or legitimate website, which then allows them to intercept data entered by the user into webforms. This kind of attack is particularly dangerous to users and online banking / shopping platforms, as successful fraudsters can quickly gather hugely valuable data (bank details including security numbers… login credentials…)
   
   
7. Ransomware Attacks: A type of malware that encrypts the victim’s files, with the attacker then demanding a ransom to restore access. This is in essence, just a specific but common type of malware attack. By targeting known issues (unsafe plugins, network or software vulnerabilities) the cybercriminals disable access to the organization’s critical data and demand a ransom. Many of such attacks are from nation-states, and many are successful. These typically target organizations rather than individuals.
   
   Once they have these, they use specialist software that will try to log into any odd thousands of online applications simultaneously, until they find a match and go into your account, one account found at a time. Typically very dangerous as the fraudster immediately disables valid credentials and replaces them with their own leading occasionally to extensive identity theft across many digital platforms.
   
   
8. Credential Stuffing: Using stolen account credentials to gain unauthorized access to user accounts through large-scale automated login requests. The fraudster must begin here by stealing two core data sets typically your keyword, and your email address it is matched to.
   
   
9. Social Engineering: Manipulating people into performing actions or divulging confidential information.
   
   Social engineering exploits psychology rather than technological vulnerabilities.
   
   That great match on the dating site asking you your date of birth (for astrology) and your email only a few interactions in?... Might well be social engineering. That unrequested email inviting you to a glamorous conference all expenses paid, asking you to fill out the registration form? Maybe social engineering.
   
   
10. Reverse Social Engineering: A perverse evolution of the Social Engineering class of frauds. In this case the fraudster follows a slightly different but much more effective approach: He creates a scenario where the victim contacts them for assistance, lowering effectively most of their natural defiance and distrust with sharing important personal data online or strangers.
    1. E.g. The fraudster will somehow engineer a technical issue on the computer of the user and communicate/position themselves as the official/solution to fix it. This is a fraud commonly used by fraudsters with older people who are not up to date with online technology.
    
    
11. Identity Cloning: Extremely dangerous and traumatizing for the victims. Identity cloning is assuredly one of the most vicious types of cyber frauds. Here the fraudster does not only takeover accounts, he/she also now tries to assume entirely the identity of the victim in every day life. Using another person's information to assume his or her identity in daily life.
    
    Legislation has caught up dramatically with identity theft in the last few years, but it remains a substantial issue, leading to truly catastrophic cost to the user.
    
    How it works:
    • 1) Gathering/stealing personal data: Fraudsters involved in identity cloning start by gathering as much data as they can on their victim. This is not done online or digitally only, cybercriminals will often target mail boxes, dumpster dive or directly purchase some of the personal details on the dark web.
    • 2) Establishing a new identity: Using the information they already have, the fraudster now uses it to apply for new documents in the victim's name (driver’s license, social security card..) pretending to have lost them typically, voiding the previous identity in as many places as possible.
    • 3) Long term impersonation: Unlike most frauds which tend to be short-term, identity cloning can be a long game, with the fraudster living under the assumed identity for months or years.
    
    Identity cloning is a particularly terrifying type of fraud, leaving victims exposed to enormous financial, existential and psychological damage.
    
    Victims also often have to defend lawsuits when falsely implicated in crimes committed under their names by the fraudster.
    
    
12. Synthetic Identity Fraud: Combining real and fake information to create a new identity, often used to open fraudulent accounts.
    
    
13. Account Takeover: Unauthorized access and control of an online account belonging to someone else.
    
    
14. SIM Swapping: Convincing a mobile provider to switch a phone number to a new SIM card, gaining control of the victim’s mobile communications.
    
    SIM swapping is a highly deceptive type of fraud where the cybercriminal attempts to trick a mobile service provide into switching a victim’s phone number over to a SIM card he controls. The attacker poses as the victim and provides stolen personal information to pass identity checks.
    
    If the cybercriminal is successful he can immediately take control of the victim’s phone number (calls, SMS) which he uses to bypass 2FA/MFA type solutions.
    
    Since most users only use a few keyword variations and always the same email match, damage from SIM swapping can be extensive, as the fraudster will then try to hack other platforms and accounts of that user, takeover each, etc.
    
    
15. Keylogging: Using malware to record a user’s keystrokes to capture their login credentials and other sensitive information.
    
    
16. Wi-Fi Eavesdropping: Intercepting information sent over unprotected Wi-Fi networks.
    
    
17. Pretexting: Creating a false scenario to persuade a victim to release information or perform an action. This is in effect a sophisticated form of social engineering in most cases.
    
    The attacker may pose as a co-worker, police officer or bank official, do their best to mimic (by sharing some personal data they know, or context, to lower the suspicion level of the victim) the valid user.
    
    They invoke an urgent need or a pressing scenario, to get more information.
    
    “I’m locked out of our Cloud during the presentation to the CEO! Can you remind me the keyword just this one time so I can get back in?”
    
    A lot around the pretexting frauds hinges on the “chat” and charisma of the fraudster, and it is a technique used for many other separate but related frauds.
    
    
18. Dumpster Diving: Searching through trash to find bills or other paper containing personal information. This is not so much a fraud as such, as much a fraudulent way to acquire personal information for a variety of fraudulent goals.
    
    
19. Shoulder Surfing: A very simple one, but also underrated in its effectiveness: The direct observation, such as looking over someone's shoulder, to get information like ATM PINs.
    
    
20. USB Baiting: Dropping infected USB sticks in accessible areas, hoping individuals will use them on their computers, unwittingly installing malware.