CIMIP - Center for Identity Management and Information Protection
Identity Crimes

Most Common Schemes


TYPES OF IDENTITY CRIMES
 
Identity theft begins when someone takes your personally identifiable information such as your name, Social Security Number, date of birth, your mother’s maiden name, and your address to use it, without your knowledge or permission, for their personal financial gain.

There are many different types of schemes identity criminals use, ranging from non-technological to technological. The following is a listing of just some of the most common methods identity criminals have been known to use to obtain your personally identifiable information. For each scheme, we provide recommendations on the methods you can use to thwart criminals from obtaining and using your information.

NON-TECHNOLOGICAL SCHEMES

Dumpster Diving

Dumpster diving occurs when someone goes through someone else’s garbage to obtain personally identifiable information from items found in the trash, such as credit card bills, utility bills, medical insurance, and bank statements.

To protect yourself, you should shred everything before disposing of it with a cross-cut paper shredder. Another method to use is to go paperless by receiving statements and making your payments online. Keep track of your credit report and report any discrepancies to your credit card company and credit bureaus. If you suspect you are a victim of identity theft, see the section What to Do If Your Identity Is Stolen.

Mail Theft

Mail theft occurs when someone targets your mailbox and removes mail that has pertinent information on it. As in dumpster diving, a thief can take your credit card bills, bank statements, or anything else that can be used to steal your identity. At times, identity theft criminals have been known to re-route your mail without your knowledge or permission by submitting a change of address to the post office.

To protect yourself, you should monitor your mail. If you suspect that someone has been taking mail out of your mailbox, contact the post office immediately. Other steps can be taken to protect yourself. For instance, do not leave your mail in the box for extended periods. Use a locking mailbox if possible, or rent a box at the post office.

Set up to receive your bills and make payments online. To read other recommendations see the section entitled Reduce Your Exposure to Mail Theft found on the Preventing Identity Theft web page.

Social Engineering

Social engineering is the practice of deceiving someone, whether in person, over the telephone, or by computer, into divulging sensitive information. Usually, social engineers know some information that leads the victim to believe they are legitimate and to give the information asked for. Social engineering is commonly known as a “con game” and is perpetrated by “con-men.” See also Pretexting.

To prevent this, stay diligent. Do not give out any personal information to anyone you do not know. If in doubt, do not be afraid to obtain the person’s contact number; let him/her know that you will call him/her back. Verify the person’s identification. Also verify with others or verify with the company the person is representing that such information is really needed.

Shoulder Surfing

This attack may occur anytime you use a password or a device that stores PIN numbers, such as at an ATM. The identity thief attempts to get close enough to you so that when you enter password information, such as a PIN number, the thief records the password. Although this typically occurs in a public setting, where the victim and their credentials are in plain sight, it may also occur through a video camera set up by the criminal.

To prevent this from happening, you should be aware of your surroundings when you are accessing any accounts that require you to enter a password or PIN in public. If someone stands too close to you, do not be afraid to ask the person to move back. If he/she is not willing to do so, let the person go first. Remember, it is better to be safe than sorry. If you do not feel safe, try using another machine.

Another method you can use is to try to use cash for your transactions, or use a pre-paid credit card. Do not write down your passwords where someone can find them, such as your wallet or purse. Also, take advantage of credit reports, which will help you analyze whether anyone has stolen your identity to access your bank accounts.

Stealing Personal Items

Identity thieves can also obtain your personal information by stealing your wallet or purse. When this occurs, we recommend that you immediately contact credit card companies, bank, and credit bureaus to let them know of your situation.

To secure wallets or purses, we recommend that women make sure their purses are closed and secure at all times. Carry the purse close to your body, with the bag in front so you can keep it within your sight. We also recommend that men button up the back pocket where their wallet is located, if it has a button. If not, place the wallet in a front pocket and stay vigilant and aware of your surroundings.

We also recommend that you limit the amount of personal information you carry with you. Do not carry your Social Security Number card and limit the number of credit cards you carry. Remove old deposit slips, blank checks, and any information that carries your login and password information. To read other recommendations see the section Protect Your Other Personal Information found on the Preventing Identity Theft web page. 

TECHNOLOGICAL SCHEMES

Credit/Debit Card Theft

Credit card fraud is an element of identity fraud. It can have far-reaching effects, since the information on the card can be used to perpetrate other types of identity theft crimes. Anything from the signature on the back of a stolen card to a credit card loaned to a friend or family member can give someone what they need to open other credit card accounts or bank accounts in the victim’s name.

Steps you can take to protect this information include writing CID on the back of your signature panel instead of your signature on the back of your card. CID stands for “SEE ID” and requires merchants to request to see other forms of identification to verify the user of the card.

Another step you can take is to keep your card in plain sight when making payments. For instance, there are places such as restaurants where the waiter takes the credit or debit card away from you to make the payment. However, there have been instances when identity criminals have been known to take the victim’s card away to swipe it through the card reader, not only to make the legitimate payment but also to make a copy of the information on the card (see “Skimming” below).

It is recommended that you question the merchant if multiple swipes are used to approve a charge. This may indicate the card reader is electronically copying the information from the magnetic strip for use later.

Do not use a credit card on an unverified site. Make sure that a lock appears in the right hand corner of the web status bar. If none is there, do not purchase anything on the website. It is not recommended to give out your credit card (or any personal information) over your cell phone. You never know who is listening to your conversation. Consider the use of a pre-paid credit card for purchases. The only liability will be the amount on the card, not your identity.

Skimming

This can happen anytime you use your credit or debit card. The theft occurs when the device that reads your credit card information from the magnetic strip on the back of the card records the card’s code numbers to another electronic storage device. This enables the criminal to make a copy of your card to make unauthorized purchases. Skimming can occur in a number of different ways, whether it is a recording device set up on an ATM machine or a salesman who secretly swipes your card onto his personal digital card reader.

To prevent skimming, make it a habit to periodically check your credit reports. This helps you discover if anyone made unauthorized purchases or has stolen your identity to access your bank accounts or open other lines of credit in your name.

To read more information on credit reports refer to Review Your Credit Reports found on the Preventing Identity Theft web page.

Try to minimize credit transactions and use cash. Consider using a pre-paid credit card so your liability and loss of identification is eliminated.

Pretexting

Pretexting occurs when a thief has done prior research on your personal information, and uses this information to bait you to release more sensitive information, such as a credit card number or Social Security Number. The schemer will call you on the telephone, and lead you to believe they are a business that requires this information. Most people tend to believe them, since they have their name, address, and telephone number.

To prevent this, verify who you are speaking to. Ask for a call back number, and question why they need this information. Look for the telephone number of the company the individual says he/she works for. Call the company. Ask for the legitimacy of the request.

If you learn you have become a victim of this type of scam or a victim of identity theft, file a complaint with the Federal Trade Commission at https://www.ftccomplaintassistant.gov/. Also read our section What to do if Your Identity is Stolen. To find other identity theft resources visit our Resources web page.

Man-in-the-Middle Attack

This type of theft involves criminally intercepting communication between two parties and recording the information without the two parties ever knowing about it. The criminal then uses this information to access accounts and possibly steal the user’s identity.

A common scenario consists of making an online search for the URL address of a company, such as a financial institution. Once found, you click on the link to access the website (for example, http://www.financialinstitution.com). However, when the website appeared on your screen, you did not notice that the URL web address changed to http://www.atacker.com/http://www.server.com. This is a website that is actually re-directing you to another website that mirrors your financial institution’s website. All the information you enter on this website is rerouted to your financial institution, and the information your financial institution sends you is re-routed to you. The schemer is recording all the transactions that are taking place between you and the institution. The objective is to obtain your personally identifiable information, your login and password numbers, or your credit and/or debit card number.

You should protect yourself by making the habit of periodically checking your credit reports, which will help you discover whether anyone has stolen your identity to access your bank accounts. To read more information on credit reports refer to Review Your Credit Reports found on the Preventing Identity Theft web page.
 
Become more diligent when you choose to open a website from a web search. Make sure that the website address is legitimate by verifying the URL address in the web address bar located at the top of the page. If something looks suspicious, close the browser.
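
The address-bar check described above can be written down as a small script. This is an added example, not part of the original CIMIP page; the function name checkAddress and the constant EXPECTED_HOST are hypothetical, and the sample addresses are the ones used in the scenario above.

```javascript
// Added example: function and constant names are hypothetical.

// The site the user meant to reach (the name used in the scenario above).
const EXPECTED_HOST = "www.financialinstitution.com";

// Returns { host, trusted, findings } for one address-bar URL.
function checkAddress(addressBarUrl, expectedHost) {
  let url;
  try {
    url = new URL(addressBarUrl);
  } catch {
    return { host: null, trusted: false, findings: ["address is not a parseable URL"] };
  }

  const findings = [];
  const host = url.hostname.toLowerCase();

  // 1. Only the host part decides which server receives what you type.
  //    A familiar name appearing later in the address proves nothing.
  if (host !== expectedHost.toLowerCase()) {
    findings.push(`host is "${host}", expected "${expectedHost}"`);
  }

  // 2. A second URL after the host is the relay pattern from the scenario:
  //    the first host sits in the middle and forwards to the second.
  const rest = url.pathname + url.search;
  let decoded = rest;
  try {
    decoded = decodeURIComponent(rest);
  } catch {
    // Malformed percent-encoding: fall back to the raw text.
  }
  if (/https?:\/\//i.test(decoded)) {
    findings.push("a second URL is embedded after the host");
  }

  // 3. Without HTTPS there is no padlock and no server certificate check.
  if (url.protocol !== "https:") {
    findings.push("connection is not HTTPS");
  }

  return { host, trusted: findings.length === 0, findings };
}

// Sample addresses: the first is constructed, the second is from the text above.
const SAMPLES = [
  "https://www.financialinstitution.com/login",
  "http://www.atacker.com/http://www.server.com",
];
for (const sample of SAMPLES) {
  const result = checkAddress(sample, EXPECTED_HOST);
  console.log(result.trusted ? "OK     " : "SUSPECT", sample, result.findings);
}
```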

Phishing Schemes

These are the most common types of computer identity theft schemes. In these types of frauds, the thief tricks you into giving your personal identifying information. These types of attacks occur through a number of different mediums including cell phone messages, Internet social networks, emails, text messages, and standard mail. The following sections explain several common schemes that are used.

Pharming

This can happen when a hacker tampers with a website host file or domain name system so that URL address requests are rerouted to a fake or spoofed website created by the hacker to capture personal identifying information from victims. The victim then thinks that they are on a trusted website, and is more willing to enter their personal information, such as credit card numbers, social security numbers, and addresses. The hacker then uses that information to commit identity theft.

Protect yourself from this type of theft by checking for the padlock symbol in the right-hand bottom of the website scroll bar if it is a merchant website. If it is an organization or an affiliation, contact the website administrator or the organization via phone or email to verify that such information is actually needed before entering in any information.

If you entered your credentials without questioning the request and later hear that there’s a phishing scheme going on, request that your account be terminated. Review your credit report to verify that there’s no unauthorized activity. For more information see Review Your Credit Reports found on the Preventing Identity Theft web page.

Vishing

This scheme is also known as “voice phishing.” It occurs when the thief contacts an individual over the telephone. In this instance, the schemer poses as an individual working for a legitimate organization such as a government agency, a financial institution, a payment services organization, or another well-known company. The goal is to get you to disclose your personal identifying information.

Another tactic used is to make robo-calls (pre-recorded messages) urging you to contact a certain phone number, stating that you either won a prize, or an emergency has occurred that requires you to disclose your personally identifiable information or credit card / debit card numbers.

Always be suspicious when receiving any unsolicited telephone call. Use your telephone service caller ID function. Look up the company information on the Internet using the call-back number on the caller ID through a reverse telephone search. You can do that through this URL: http://www.whitepages.com/reverse_phone. Call the organization back, but do not dial the number that appears on the caller ID function; instead, look for the number in a phone book or on the internet. This way you prevent the schemer or someone else working with the schemer from lying to you by telling you that the company is legitimate. When you call the legitimate company, question them to verify if the request is legitimate. If it is a legitimate company, tell them you have been solicited and verify the legitimacy of the call.

If the legitimate company tells you that the message is not legitimate, report the Vishing attack to the Internet Crime Complaint Center (IC3) at www.ic3.gov or file a complaint with the Federal Trade Commission at https://www.ftccomplaintassistant.gov/.

Register with the “National Do Not Call Registry.” If you receive calls from an unknown source and you suspect Vishing, then file a report on the website.

If you have received these calls and would like them to stop, most State Attorney’s Offices recommend that you first send a letter to the company telling them to stop calling you and to remove you from their list. The letter that you send to the company calling you must be certified so that you can send it as proof to your State Attorney’s Office. If you still get calls after the letter was sent, you can file a complaint with your State Attorney’s Office.

If you lose money from a Vishing scam, you should contact your State Attorney General’s Office immediately.

Search Engine Phishing

This type of phishing occurs when thieves create websites that contain “too good to be true” offers, services, and other incentives. The website is legitimately indexed into search engines such as Yahoo or Google so that during the normal course of searching for products or services individuals can find these offers. Once the individual accesses the website, the user is given incentives and persuaded in such a way that the individual becomes susceptible to giving up his or her personal identifying information to take advantage of the offer being given.

An example of this would be when you are purchasing a normally high priced item over the internet, such as a video game system, and you find a website that has a much lower price. You may be tempted to purchase this item at a lower price but you do not realize that you are accessing a fake website. The schemer is just trying to obtain personal and credit card/debit card information from individuals.

Another example is a job website that may offer a higher salary than the same job at other companies in that industry. The schemer’s website may require you to put in your Social Security number in addition to other personally identifiable information.

To protect yourself, before submitting any information or downloading any attachments, research the company. If you have never heard of the company or the offer, contact competitors and question the legitimacy of what is being offered. If you are purchasing something, make sure the padlock is visible in the right hand corner of the website scrollbar.

Another resource to verify if a website is legitimate is www.scambusters.org/. This website contains reviews of websites along with message boards covering current phishing and identification scams.

SMiShing

In this scheme, the identity thief sends spam text messages posing as a financial institution or other legitimate entity. The text message has a sense of urgency, and can scare you into thinking there is a serious emergency by leading you to believe you will suffer financial losses or fees if there is no response. This may lead you to disclose personal identifying information by clicking on the link that appears on the text message.

Do not dial back the unknown number; you would only be providing the spammer some of the information they need from you. Look through the phone book or the internet for a number to contact the organization that is supposedly contacting you. Verify that your information is actually needed because you have been solicited for information through text messaging. If you find that the request is not legitimate, contact your cell phone provider and alert them of the scheme.

If you provided your credentials without questioning the request and later find out there’s a phishing scheme going on, review your credit report to verify that there’s no unauthorized activity. For more information see Review Your Credit Reports found on the Preventing Identity Theft web page.

Whether you entered your personal identifying information or not, report the SMiShing attack to the Internet Crime Complaint Center (IC3) at www.ic3.gov or file a complaint with the Federal Trade Commission at https://www.ftccomplaintassistant.gov/. For more information on identity theft visit our Resources web page.

If you find you have become a victim of identity theft, read our What To Do If Your Identity Is Stolen web page for steps to follow that can help you restore your credit.

Malware Based Phishing

This scheme occurs when the thief attaches a harmful computer program made to look helpful onto emails, websites, and other electronic documents on the Internet. This type of computer program is called malware. The malware uses key loggers and screen loggers to record your keyboard strokes and sites that you visit on the Internet. The malware sends the information to the schemer who is located at another location using the Internet.

An example of this type of phishing is an email disguised as coming from Norton Anti-Virus. The message prompts you to install an updated web browser to increase your computer security. You click on the link and download the supposed updated browser, but in reality you have just downloaded malware.

To protect yourself from this type of scheme, use caution before downloading or installing any program on the web. Contact the organization that supposedly sent the email message through your “normal means” of communication, whether that is the internet or phone. Tell the legitimate company that you have received an email requesting that you download a specific file, and that you would like to know if there was any legitimacy to it.

Do not reply to the email message; the attacker could trick you into believing that the email is authentic. Moreover, by replying to the email message, you would be giving some of your information to the attacker.

If the company tells you that the email is not legitimate, report the phishing attack to the Internet Crime Complaint Center (IC3) at www.ic3.gov or file a complaint with the Federal Trade Commission at https://www.ftccomplaintassistant.gov/.
 
Phishing through Spam

In this scheme, the thief, also known as a spammer, sends repeated spam emails to you. These email messages offer you opportunities for scholarships, business partnerships, or free products. In some instances, the spammer pretends to be a financial institution or organization you might belong to. The spam is sent to prompt you to provide your personal identifying information.

Research the company and the opportunity or offer advertised. This can be done through a search on the internet or by contacting the company directly. Be extremely cautious of bogus offers. You can Google the offer given to see if others have received the same offer, or check www.scambusters.org/. Usually people post messages declaring the promotion a scam or verifying it as legitimate.

Check out the websites www.antiphishing.org or www.spamhaus.org, which contain an active list of phishing schemes or allow you to check whether a website is suspected of phishing.

If you find that the company is illegitimate, report the phishing attack to the Internet Crime Complaint Center (IC3) at www.ic3.gov or file a complaint with the Federal Trade Commission at https://www.ftccomplaintassistant.gov/, or you can forward all spam to spam@uce.gov.

Spear Phishing

This scheme is very similar to the email phishing scam, except it attacks businesses. Spear phishers send emails to almost every employee of an organization, and the emails can be written to look like they have been sent by a division within the organization such as the IT or the human resources department. For instance, the email might state that every employee must send their user name and password for verification purposes. This potentially gives the attacker access not only to your personally identifiable information but also to the company’s private information.

You should protect yourself by contacting the network administrator or the individual that supposedly sent the email to verify that such information is needed. Do not reply to the email. Notify the head of the division or individual that supposedly sent you the email that you and other colleagues have been solicited for information.

If you believe that you have fallen victim to identity theft as a result of any type of scheme, file a complaint with the Federal Trade Commission (FTC) at https://www.ftccomplaintassistant.gov/.

You can also find more information on what to do through the section on this website entitled Preventing Identity Theft or visit the U.S. Department of Justice website at www.usdoj.gov/criminal/fraud/websites/idtheft.html

Contact Information

Center for Identity Management and
Information Protection
Dr. Donald Rebovich,
Executive Director
315.792.3231
drebovich@utica.edu
Utica College
1600 Burrstone Road
Utica, NY 13502