Fraud schemes typically include three major elements; fraud objective, fraud method, and execution. Fraudsters will resort to various methods of identity theft in order to steal as many identity components as necessary to execute their plan and achieve the final and desired fraud objective. Sometimes, fraud schemes may require more than one identity component or piece of personal information in order to commit the specific and desired fraud. For example, if a fraud objective is to steal cash from a bank ATM, a debit card and its access code or PIN are needed to execute the fraud scheme. As such, the fraud scheme should include steps to steal a debit card (or reproduce the counterfeit) along with its ATM access code in order to take cash out of the ATM. In the past, when debit cards could only be used to withdraw cash from the bank machines, the risks were a lot lower than today since fraudsters can also go shopping with today’s debit cards which also display the Visa or MasterCard logos and then sell the items in the open market to the highest bidder.
Here are a few methods that fraud schemes can be executed to steal identities:
Physical theft - in this scenario, personal information may be stolen from home, office, car, luggage, purse, wallet, briefcase, pockets, and others with whom personal information is shared. Such personal items or identity components may include credit cards, debit cards, passport, birth certificate, ATM code, driver’s license, Social Security Number (SSN), account numbers, check books, and online account pass codes. The list of identity components which can be stolen to commit fraud is long and depending on the objectives of the fraud, only one or a few identity components may be needed to finalize the fraud schemes.
Spams – These are unwanted emails that we receive which are intended to accomplish certain goals. Spam emails might communicate certain information to the email recipient such as information about a product or service or include a link which will take the email recipient to a website or download a program on the user’s computer when clicked. Such emails must be deleted immediately and removed from the trash folder. They must never be opened and the link within must never be clicked as it might install a dangerous software on the computer for the purposes of stealing personal information.
Pretexting – This term which is also synonymous with spoofing, impersonating, masquerading or mimicking is used to pretend to be someone else in order to extract desired information for committing fraud. An example of a pretexting is a spam phishing email which appears to be sent by a legitimate company. Once a consumer trusts the source of the email (because it appears to be from a company the customer does business with such as a bank), desired information may be shared willingly as requested by the email instructions.
Spoofing – As mentioned, spoofing is also another term used for pretexting tom extract desired information from potential victims for the purposes of identity theft.
Phishing – Some emails may appear to come from someone or a company the recipient recognizes. Generally speaking, these emails are well drafted and include a company logo to appear coming from a legitimate company. Sometimes, they are very hard to detect and really appear to come from a friend or a company we do business with. Sometimes, these spam emails are designed to take us to a website which describe a product and other times, they ask for personal information or take us to an online form and ask us to complete the form and press send. These are called phishing spams which are designed to extract confidential and personal information from people. Some of them are actually very well done and use fear tactics to lure people into sharing their information immediately and without any hesitation. For example, the phishing email might appear to be coming from a bank which states that the bank account has been illegally accessed by hackers and therefore it has been frozen until the account holder provides additional information. It also states that all the scheduled payments and checks will be rejected pending the receipt of the additional information.
Some fraud schemes are used to put fear into people’s mind and make them believe that immediate sharing of whatever information the bank needs will resolve the issue. When someone receives such phishing email asking for personal information, it is recommended that the account holder logs into the account to make sure that the account is really frozen and not accessible. If the account can not be accessed, the bank must be contacted directly by calling the number listed on the monthly bank statement and not the number provided in the spam email. And if the account can be accessed, the email must be deleted and the account must be monitored for a few days.
Social Engineering - This is another fraud scheme designed to extract information directly from people. Most often, someone approaches a potential victim by phone, email or letter and pretends to be some authority figure that the victim recognizes such as a police officer, IRS agent, debt collector, or the security officer at the work place. These people again approach with a made up story and ask for certain information such as the Social Security Number or the account passcode. Such requests must be validated to ensure the individual and his requests are legitimate. To validate the legitimacy of such requests, an examination of a piece of identification and justifications for requested information must be completed. If the legitimacy of both the requestor and the request can not be fully and readily verified, the request must be rejected and no information must be shared.
Skimming – Card skimmers are devices which can read credit and debit card information in order to reproduce counterfeit cards. The skimming device can be placed on the ATMs where people inset their cards to withdraw cash, and while they do so, their card information is extracted and the entered PIN is either caught on an illegally installed camera or someone approaches the victim and uses the social engineering technique described above to offer help and extract the PIN from the victim. Also, the devices can be portable and used in public places such as restaurants. While the waiter carries the credit card away to charge the restaurant bill on the credit card, the device can be used to read all the card information in seconds which can then be used to produce counterfeit credit cards.
Shoulder Surfing - This is a casual fraud scheme used on unsuspecting people at the cash machines or on the computers. Fraudsters stand behind the victims while they enter their codes in the ATM machine or computer and observe the pass codes or other private information as they are entered or viewed on the screen. When entering or reading confidential information in public places such as at the airport, coffee shops, banks or on the airplanes, we must notice how closely a person is standing behind us and cover our hand as we enter the pass code. To protect the privacy of the information we read on a computer, we can use a computer privacy filter which will prevent someone from reading the information displayed on the computer screen from a side angle.
Piggybacking - This illegal act is used to follow a person into a restricted area without having the required and approved access to the area. When an authorized person enters a secure area, the unauthorized person attempts to follow them while the door is open. In such situations, the person’s business visit must be questioned and if the answers are unsatisfactory, the incident must be immediately reported to an appropriate person for follow up.
Spyware (key loggers) - Illegal and unauthorized software may be installed on computers in order to spy on the activities of people using the computer and steal information. Such software can capture passcodes as they are keyed onto the keyboard (also known as key logger) or screen shots of confidential online pages such as account information pages. There are many anti-spyware programs that can purchased and installed on computers to help prevent the installation of such software or detect previously installed software.
Learn about Identity Diet services and reduce your fraud schemes exposure and identity theft risk.