People today have not only an analog identity but also a digital one: you meet up with friends on social networks, work has become much more digital in times of pandemics, and in the evening you can join a watch party from the sofa at home, connected with friends over the World Wide Web. Each of these steps leaves traces, and all of them allow digital profiles to be created. That is precisely what cybercriminals want: stolen personal data benefits the cybercriminals at the expense of the victims.
Almost anything is conceivable: that criminals order goods with stolen data should be common knowledge, but the possession of personal data even allows the manipulation of share prices. So the effects are gigantic. Often, data is collected first so that it can be used for criminal “business models” later. Identity theft on the Internet is therefore becoming more and more relevant.
With today’s post, we’re starting a small series of articles that will tell you more about the ways cybercriminals can get hold of valuable data. While the future articles will go into depth on these paths, today we provide a general overview of identity theft on the Internet and show you how you can protect yourself.
Internet Identity Theft: How Does Data Get Into Criminals’ Hands?
There are different ways that cybercriminals can get your digital data. We will present these paths to you in more detail in the coming blog posts. Today they are only briefly touched on:
Hackers can gain direct access to online accounts and databases in which personal user data is stored. In both cases, unfortunately, weak passwords are often the gateway through which cybercriminals enter. In 2019, security researchers Sebastian Neef and Tim Philipp Schäfers showed how they could even hack operators of critical infrastructures (KRITIS) using weak passwords.
It becomes especially dangerous if you use the same (weak) password for different services. This is how cybercriminals get from the social media profile to the online shop, where bank details are often stored. However, the cause is not always a user’s weak password: even the most security-conscious user cannot do anything when companies or online services have gaping security gaps.
Ideally, both sides pay attention to optimal protection: service providers keep their services as secure as possible, and users log in only with unique access data that differs from the data they use for other services. This makes it difficult for hackers to steal data.
There are several types of phishing: email phishing, website phishing, vishing, smishing, and social media phishing. Regardless of the route, this type of data theft means that cybercriminals publish fraudulent content and lure users into entering personal information such as login details. For example, in the case of email phishing, the victim receives an email claiming that they have to fix something in their email account to restore functionality. The unsuspecting user believes this and enters their access information. The cybercriminals can then process this information further.
In the vishing variant, phishing is verbal: victims are verbally induced to take actions they believe are in their interests. In the background, the cybercriminals are working to extract the victim’s data. Phishing via SMS is called “smishing”; you can read more about this variant in our article “The danger of smishing: This is how phishing via SMS works.” Social media phishing, the variant that takes place via social networks, is also being used more and more frequently by criminals.
Users download software such as apps or freeware, as well as information, to their computers and mobile devices. If little attention is paid to the download source, downloaded files may be infected with Trojans. The Trojans get onto the devices through the download and are then often used to intercept sensitive data, which is sold to third parties. Files attached to emails can also contain malware such as Trojans.
Social engineering uses personal information to trick victims into trusting the attacker. For example, cybercriminals can use a fake social media profile to pretend to be a friend or a missing relative. Through this personal contact, they then try to elicit login data or other private information from the victim, which they can turn into cash.
This Is How You Can Protect Yourself Against Identity Theft On The Internet
As shown at the beginning, a comprehensive security strategy includes at least two parties: the provider of the services you use and you as the user. While you can’t protect your providers from security breaches, there is a lot you can do to keep yourself safe:
- Passwords: Choose secure passwords. Use a different password for each service. How to create secure passwords and what constitutes password security, in general, can be found in our article “Secure passwords: Strong passwords increase security.”
- 2FA: Two factors offer more protection than one – so far, so logical. Nevertheless, many users forego a second factor when logging in – unfortunately, often for the sake of convenience. Many service providers now allow login via two-factor authentication (2FA), so: Use this and always choose a second factor for your logins. This has become quite convenient: For example, you can receive one-off codes on your mobile phone that serve as an additional safety barrier to your profile.
- Updates: We never tire of stressing this: if providers make updates available, they must be installed as soon as possible. Updates contain functional innovations and also close security gaps that are either already being exploited or are known and will be exploited at the latest when the update is published. Ideally, you configure automatic updates on your devices. In this way, you never miss an update, and there are no security gaps on your devices for longer than necessary.
- Public devices & networks: Please use publicly available devices and networks with caution. It is unnecessary to check your account balance on a public WLAN. Use public networks and public devices, such as the computer in your local library, only for general research and information. Do not log in, and surf the Web carefully: your data is no secret!
- Security software & VPN: Security software and VPN are essential to protect your devices from dangers such as malware and to surf safely without leaving many personal traces. And that applies not only to stationary computers but also to mobile devices – across all operating systems.
- Emails & Links: Messengers and emails are, besides the spoken word, the communication media of our time. Of course, cybercriminals have discovered this too, and it’s easy for them to impersonate someone you could trust. Therefore, please always open emails carefully, even if the email seems to come from a known sender. The same applies to links you reach via email or messenger: do not click on them without checking! First, check that the sender is who they claim to be, and also preview links before clicking.
The Consequences Of Identity Theft On The Internet Are Diverse
As a rule, the consequences of identity theft on the Internet are financial: Cybercriminals gain access to online banking and can empty the account directly. Or they have access to the online shop, where they can place masses of orders in the name of the victim. However, there are also consequences outside of this financial damage:
- Spam: The criminals are not always after your payment information; sometimes, they are content with access to email accounts or other communication channels. In the background, the criminals set up so-called botnets. Usually unnoticed by the user, massive amounts of spam are sent via such bots. You can find out more about how botnets work in our article “Freely available botnet encyclopedia.”
- Cyberbullying & image damage: It is also possible that the data of others is used for cyberbullying. In the event of identity theft on social networks, for example, falsified facts could be disseminated via a hijacked account. That would damage your reputation: questionable views or fake news are published relatively quickly via the profile. Since hate postings are now being prosecuted, this can have dire consequences: the actual victim becomes the perpetrator, and this supposed perpetrator must first prove that he is a victim of criminal machinations. Such damage to reputation can ultimately have professional consequences.
- Fake shops: A very recent scam that has surfaced repeatedly in recent months is that of fake shops: criminals set up such online shops in the names of those from whom they have previously stolen personal data. In the phony shop, for example, counterfeit branded items can then be sold. In such a case, serious legal consequences can arise: the unsuspecting user in whose name the online shop is running can be overwhelmed with lawsuits from manufacturers of the counterfeit items and from those who may have already ordered in the shop but never received goods. Therefore, in such a severe case, victims must immediately file a criminal complaint and clarify that they have nothing to do with the fake shop. Unfortunately, the clearance rate is very low in all of the cases mentioned.
Act Quickly At The First Signs Of Identity Theft On The Internet
If you suspect that you have been the victim of identity theft on the Internet, you must act quickly. Particularly in the case of any financial transactions that the cybercriminals have carried out without authorization, the respective deadlines of the financial institutions must be observed; your bank will inform you about this. Please also file a criminal complaint. Even if the clearance rate for such crimes is still low, there will be no investigations if nobody files a criminal complaint. The following steps are also necessary:
- Reset all passwords – preventively, including those from unaffected providers.
- Inform the respective provider about the abuse of your account. As a rule, there are corresponding reporting forms.
- Have the individual accesses and accounts blocked. If your current account is affected, you can have your EC and credit cards blocked by calling the emergency number 116 116. Of course, your bank will also support you, and the police also have a blocking system.
- Educate friends and acquaintances and warn them. It could be that the cybercriminals stumbled upon your friends on their forays into your online profiles and are already choosing their next victims with them. If identity theft also has professional consequences, a discussion with the employer and with the staff is, of course, essential.
- Check your devices for malware such as viruses or Trojans. This includes not just your PC but all of your devices: your smartphone, your tablet, your TV stick, your IoT devices – everything you use. Good security software can usually do this for you, but you should investigate carefully if you suspect identity theft.
- Keep an eye on your bank accounts, including the payment service providers you use. If you mainly pay with PayPal, you can check the account movements there as you would on your current account.
- Sometimes it can make sense to request SCHUFA information. Here you can see whether there were merchant credit inquiries that did not come from you. According to Art. 15 GDPR, you are entitled to a free copy of your data so that you do not have to pay anything for the SCHUFA information.
Identity Theft On The Internet: Don’t Worry, But Be Careful
We already indicated at the beginning: there is no such thing as 100 percent protection. Even if you have a strong focus on security, there is still the manufacturer side, which may not always do everything to protect your data. This is to be kept in mind. When you do that, a healthy sense of caution emerges, which is also more appropriate than fear and panic. With this healthy caution, you will no longer unsuspectingly click on every link, and you will only enter data into the digital world with care. And that’s how it should be, because a certain amount of mindfulness and skepticism, which we also display in the analog world, makes sense in the digital world too.