I was all set to write a piece about something entirely different, but an attempt at identity fraud this weekend and the fact that I have had to do a lot of online research to find out if I am at risk, has brought up the question
When it is your job to be found online, are the search and social fraternity at more of a risk when it comes to ID fraud?
Let’s start with the fraud
It all began while I was looking for a seasonal rental online as I do every year. I went to my dealer of choice Craigslist to look for potential accommodation. I always rent from there, and have never had any issues.
As with all Craigslist enquiries, you are required to send emails to owners, so out of (bad) habit I sent replies to anything I received from owners from my normal email address. I requested photos of the apartment and a phone call over the weekend, checked the address for any scams and the location of the address here and abroad. I was even sent the official Government approved application form.
Finally the photos arrived so I thought I would check them out using the Google search by image feature and this is what I found.
The same apartment photograph features in various locations with 24 results! I then checked the IP of the emails I had receieved using whois.domaintools.com which confirmed that the mails were being sent via yahoo and blackberry via Nigeria.
I didn’t send bank details, or ID, but it was very easy to just ask for my name, telephone number, and location in the UK (thankfully I lied about my age so my birth year will be harder to figure out). I did some digging, but instead of feeling better, I discovered that even with just a name, fraudsters can find out an awful lot about you. My weekend was spent finding out what steps to take and how easy it might be to take me (and anyone else that has information all over the internet) to the cleaners.
“I’m not at risk because I don’t give out my details”
Are you sure about that?
We all smile when we hear about victims being scammed by online Russian Brides, or anyone that sends their bank details to the Nigerian Lottery Authority, but it takes a surprisingly small amount of information for a thief to commit identity fraud. In some cases, all it takes is a name, your name – the one you post all over the internet without even thinking about it – next to your photo.
With the advent of over sharing, geo location, and the Facebook ‘timeline-of-everything’, it is going to be even easier to tie up historical data. ID Theft is on the up and according to the ‘National Fraud Prevention Week’ website (who knew?!), 88% of us share detailed personal information online, but only 18% of us are worried about that. With the average cost of ID theft being just over £1000, and the high season of Christmas Fraud, alcohol, photo sharing and lapse personal security around the corner, it’s at least worth a credit check.
Sometimes you are not given a choice before your information is distributed around the internet. Sites such as 192.com, 123people.co.uk scan electoral rolls then expect you to pay to be taken off. We voluntarily put legitimate information on Linked In, business directories and even if you haven’t been specific with your date of birth, you could have just enough information available for scammers to make an educated guess (Happy 40th birthday Dave Smith of 999 Letsbe Avenue!).
As an online professional or business, you are at risk by default given that your information is potentially more visible than most. Emails are often sent with website details and contact data in the footer as default, (and in some cases with corporate information). Linked In, Facebook, Twitter and G+ are used 24/7 while we actively give out as much information as we can. We also regularly make it public about where we are – I’ve even known colleagues to check in and become the mayor of their own home address.
It doesn’t matter how smart you think you are, anyone can be targeted – not that long ago a number of us were scammed and locked out of our Twitter accounts by clicking on links such as ‘those photos are hilarious’ from a Twitter DM after ThinkVis (you know who you are!). The fact is that you only have to hand out your business card to the wrong person and they can track you down and find out everything they need to know about you and your business.
Let’s do a little experiment.
Pick a Name, any name…
Use that name to complete an image search. Take that image and do a reverse search using the Google Search by image feature. The chances are you get something like this:
These listings give access to:
- A Person’s Name (practically everywhere if they work online, x 1000+ if they are an SEO)
- Photo (potentially good enough for fake ID)
- Address (192, 123people, electoral roll, birthday party invites on Facebook)
- Telephone Numbers / Mobiles (social networking, business cards, websites)
- Past & Present Employment details (LinkedIn, Facebook Timeline, online CV)
- Birthday Year (Facebook Comments, LinkedIn, anywhere that has an age option)
- Past History and all life Events for the rest of time (Facebook Timeline)
It gets better – if you are the Director of a Company, you have a legal obligation to keep your details at Companies House, stored online, where people can pay £1 to download it. Iin some cases, your signature may even be on some of the stored data and your VAT and Company Numbers are definitely on your website and paperwork. This leaves you at risk of company hijacking thanks to a loophole at Companies House allowing changes to be made simply by filling in a form without secondary checks being carried out (this is now changing). With corporate ID fraud costing over a billion every year, it is surprising that only 36% of businesses are covered by their insurance for losses that may be incurred by ID Theft.
ID Fraudsters work in teams and are skilled at getting past the gatekeepers at banks, the Post Office, and with the information above, they can divert your mail in order to try and get credit cards, bank statements and utility bills. They can come to your home and rummage through your bin for sensitive info that you have discarded. Once your credentials have been obtained, it is relatively easy to set up mobile phone contracts, bank accounts and apply for loans by post. Worst case scenario could be crimes being committed in your name, your business name, forged documentation and huge bills being run up while you are unaware of fraudulent activity at the very least your credit record could take a beating.
How to protect yourself
You can’t completely protect yourself, and it may also never happen to you, but there are steps you can take to monitor activity so that if you are a victim of ID fraud you can act quickly and limit any damage. Some of these may seem obvious but you would be surprised how easy it is to get lazy with shredding and leaving personal items around the workplace and not logging out of things.
Steps to take to avoid Identity Theft
- Shred information with signatures, names and addresses
- Check your credit online regularly to look for suspicious activity or credit checks against your address, or join Equifax, Experian, Callcredit or Privacy Guard. Most providers offer a free 30 Day trial
- Make sure you check the box on the electoral roll requesting that your data remain private. You have to do this every year.
- If you haven’t taken the above step, you may need to request for your data to be taken off 192 and 123people.
- Join CIFAS Protective Registration – for business and individuals to place protective warnings on credit files
- Avoid links in emails you don’t recognise (Phishy Phishing)
- Forward your mail for at least 6 months if you move or change premises – contact www.royalmail.com if mail starts disappearing
- Check everything on your credit card and bank statements
- Make sure you are ex-directory with your telephone provider
- Visit the UK Identity Theft website
- Sign up to the Companies House Webfiling, PROOF, and Monitor services for alerts regarding changes of details
- If you are away on business hold the mail, or consider a ‘scan my post’ service
- Stay indoors, lock the door, talk to no one, and never go online EVER AGAIN
If you are still not convinced it could happen to you, I have some factsheets and examples I could send out to you free of charge, simply forward me your full name, email, address, age, date of birth, contact number and a scan of your passport or driving license for verification purposes.