2008 Javelin Strategy & Research Report

Identity theft happens when your personal information is accessed by someone else without your explicit permission. Identity fraud occurs when a criminal takes the illegally-obtained personal information to use it for financial gain. Personal data such as your Social Security number, bank or credit card account numbers, passwords, telephone calling card number, birth date, name, address and so on can be used by criminals to profit at your expense.

With even the most basic information, a criminal can either take over your existing financial accounts or use your identity to create new ones. Common fraudster activities include withdrawing funds from your accounts, charging purchases to your credit cards, opening up new telephone accounts or taking out loans in your name, all of which can have a damaging effect on your credit rating. In fact you may not even know that a fraud has been committed until you see an account that you did not open on your credit report, or until a debt collector contacts you for payment.

How Does Identity Theft Happen?

Although many people believe that most identity theft only occurs over the Internet and that hackers are responsible for all identity theft and fraud, Javelin’s research has found that many thefts occur in the physical world. In fact, among the 35% of victims who knew how their data was taken, lost or stolen wallets, checkbooks or credit cards accounted for more than twice as many instances of theft than all online channels put together.

Your personal or financial information can be stolen in a number of different ways:

• Through a lost or stolen wallet, checkbook or credit card
• Through information stolen in your own home, including by friends, relatives, and in-home employees
• Through mail theft from an unlocked mailbox
• Through eavesdropping by a criminal while you conduct a public transaction (“shoulder surfing”)
• By someone who e-mails, calls, or text messages you, pretending to be a bank or other trusted source to trick you into divulging private information
• By hacking, viruses, and spyware on a computer
• By a data breach at any agency that maintains access to your private information
• By retrieving your unshredded information from a trash can, a method known as “dumpster diving”
• Through new and different methods that criminals are continually developing Because theft can be committed through so many methods, consumers are advised to put into practice a variety of the most effective measures to protect themselves.

How Do Identity Thieves Steal Information?

Contrary to popular belief, in cases where victims knew how their data was stolen, online identity theft methods (phishing, hacking and spyware) only constituted 12% of fraud cases. The vast majority of known cases occur through traditional methods (79%), when a criminal can make direct contact with the consumer’s personal identification. These instances include stolen and lost wallets, checkbooks, or credit cards, “shoulder surfing” (when someone looks over your shoulder at the ATM or cash register), and stolen mail from unlocked mailboxes. “Friendly theft,” reported by 17% of victims, occurs when friends, family or in-home employees take your private data for their personal gain.

Although some fraud can occur despite your best efforts, practicing safe habits even in your own home, for example, can drastically reduce your individual risk. Using a secured mailbox, shielding your PIN number at the ATM or register, or reporting lost credit cards immediately are all considered basic precautionary measures.

This year Javelin is seeing increased attempts at identity theft over the telephone (“vishing”), whereby identity thieves are tricking victims into providing their personal or financial information over the phone. In a way, vishing is really just a phone based take on a scam with which you may already be familiar—phishing, which involves a fraudulent email asking you to resolve an account problem by redirecting you to a bogus Web site.

Vishing schemes are slightly different, and there are two main ways in which criminals use this technique. In one version, you get an e-mail that appears to be from your bank, like a traditional phishing scam. Instead of being directed to a fake Web site, you are prompted for your information over the phone and given a number to call. In the second variation, you are contacted over the phone instead of by e-mail. The call could either be a real person or a recorded message requesting that you solve a problem with your account.

A favorite ploy of vishers is to utilize VoIP1 to autodial credit card or bank customers with a security warning about possible fraudulent activity on your accounts. Customers are asked to call “the bank” back, and when you do, are told to input your account numbers and other private information.

It is crucial for consumers never to provide personal information over the phone, unless you have initiated the contact to a verified phone number. Do not click on a link to a Web site when responding to e-mails or text messages. Do not respond automatically to automated phone messages prompting you call a number to resolve a bank account issue, or to e-mails that ask you to contact a number. Instead, use contact addresses, sites or phone numbers that you have verified are legitimate.

 Source: Javelin Strategy & Research, 2008