Tue, Feb 14, 2017

What Are Identity Thieves Really After?

Prior to 2016, the majority of data breaches in the headlines involved the large-scale theft of credit card numbers from major retailers. As the theft of credit card data reaches an apex, however, data-focused thieves are targeting more than what is in your wallet they are looking to exploit your identity in much deeper and sophisticated ways. We witnessed this sea change in 2016, when billions of pieces of personal and private information were stolen from commercial enterprises and governments alike. Some of these data breaches involved the theft of email addresses and associated passwords. Others involved the theft of significant amounts of individual health information. Still others involved the theft of credit reports and other valuable personal financial information. This kind of information enables data thieves to pursue what they believe will deliver more lucrative payoffs, such as tax return refunds, medical insurance reimbursements, and retirement account looting.

When compared with the loss of credit card data, identity-focused data theft can be much more damaging to consumers because it is more difficult to detect.  In addition, the theft of such data can have a longer lifecycle that makes it harder to address early on, and remediating its impact can require a substantial time commitment and be more expensive. Similarly, businesses are also finding that the costs of investigating and responding to the loss of such highly personal information, as opposed to credit card data, often can be much higher.

Make no mistake, the theft of personal data is a lucrative criminal enterprise that is not going away. We anticipate that the targeting of individuals, businesses, and governments will become more pronounced in the coming years. This is not necessarily a product of the number of records potentially compromised, but rather that our lives have become so intertwined digitally that our personal and business “attack surfaces” continue to expand. Put simply, our personal data is increasingly scattered in a variety of ways, and this creates opportunities for motivated thieves to steal it.

Supporting this viewpoint are some key cyber security findings from Kroll’s recently released Global Fraud & Risk Report, which was based on a survey of executives and businesses worldwide.
85% of executives surveyed reported their company suffered at least one cyber incident over the past 12 months.

Email-based phishing attacks were reported among the top three types of cyber attacks, along with viruses and data deletion.

Cyber attacks most often targeted customer records (51%), followed by trade secrets (39%), and employee records (39%).

These developments demonstrate the changing digital environment in which we all live and the growing risks within it. Unfortunately, criminals see the situation clearly and have a bigger target for stealing and exploiting data for financial gain.

The Most Valuable Information for an Identity Thief

In this article, we describe why certain kinds of data as well as certain targets are increasingly attractive to identity thieves. We also provide practical steps that individuals and businesses can take to avoid or minimize the danger from these crimes.

Email and personal account information

The theft of email account login information can occur a number of ways. One of the most common ways involves the use of phishing emails. The content and structure of a phishing email is designed to trick or socially engineer the unsuspecting recipient of the email into providing his/her email address and password. In other cases, hackers are able to obtain a list of usernames and passwords by breaching a website.

The potential danger: Because email has become such an essential and trusted form of communication, when criminals gain access to an email account, there are several different ways that they can exploit the information. The same email addresses are often used across financial and banking accounts. Unfortunately, people often reuse passwords, so once hackers have accessed one email account and its password, they can exploit this generic information to gain access to other individual email or web accounts. From there, crimes can run the gamut from authorizing money transfers, to creating new online banking, brokerage, or retirement accounts, to ordering new credit and debit cards shipped to a new address. Depending on their tenacity and persistence, criminals with access to an email account particularly one associated with an online financial account, social media account, or online shopping site — can do a significant amount of damage, which can be difficult and time-consuming to overcome.

Exacerbating the problem is the fact that data obtained from breaches of personal information provides an attacker with a much broader view of the targeted victim. With a more complete profile of a victim, attackers can pivot to gain more information and create greater damage. For example, a credit report can contain names, addresses, email accounts, and family member information.

Oftentimes, these intimate details actually form the basis for account security questions that are used as part of many account password reset processes: What was your first car? The name of the street you grew up on? Your high school mascot? An attacker with access to an enriched view of personal and credit data can easily answer these questions through a few online searches or educated guesses.

Credit report information

Credit reports are an incredibly rich source of information. While most people are familiar with their “FICO” or credit score, a full credit report can include a tremendous amount of personal data about an individual consumer. Depending on the provider and the type of report, the report will contain varying types and degrees of information. These reports may include current as well as past addresses; bank accounts, including bank name and account balances; and information on outstanding loans and corresponding balances. Some providers also enrich these reports with data about relatives, email addresses, and even vehicles owned.

The potential danger: The first move a criminal is likely to take with this information is to perpetrate “new account” fraud, i.e., taking the information to create new credit accounts. Very often, these are small online accounts that the attacker will use to purchase goods and services and never pay the bill. This can affect the consumer months or years down the road when they have negative credit marks or even collection requests for accounts they never even established.

One of the trends that we have seen lately is the establishment of new credit accounts with individual retailers. Many retail outlets offer a credit account that can only be used to purchase merchandise from that particular store. These accounts are typically easier to open than a major credit card, so it is not uncommon to see a single stolen identity used to open over a dozen such accounts.

Personal health information

Health care providers and insurance companies compile personal health information records that are rich in credit-related data as well as confidential or sensitive health-related data on patients and insureds. Because many families are insured under one family member’s health care plan, stolen personal health information may include Social Security numbers, names, birth dates, addresses, and other data of all family members, including children. Data related to flexible spending or health savings accounts (FSAs or HSAs) may also be linked to this information.

The potential danger: Armed with this information, a criminal can try to exploit accounts that have already been created, such as an FSA or HSA, or the information could be used to create new accounts in the victim’s name. Children can be particularly impacted, because they typically do not have a credit file that is being monitored and one established using a child’s information can go undetected.

Personal health information may also include confidential data on illnesses, diseases, mental health, and various treatments. This information is very private and sensitive and is protected by law to prevent discrimination. As we have seen in cases involving several prominent celebrities, perpetrators can try to use the information for extortion or to embarrass the victim.

Business information

Businesses, particularly small and medium-sized (SME) ones, are ripe for targeting by sophisticated identity thieves. By taking over email accounts of executives or finance team members, or by creating fake email accounts intended to impersonate these people, criminals can socially engineer either the financial team or the company’s bank into sending out a bank transfer. Established businesses often have a routine for initiating these types of bank transfers, and those can be very basic. For example, a single person may be authorized to initiate transfers from an online account or via an email or phone call to the bank. While banks should verify the transfer, sometimes they do not in an effort to provide more personal customer service and to foster a relationship of trust. New businesses on the other hand, especially those that are growing quickly, can run into trouble when their sales outpace the back-end support. Defense regimes such as information security measures and financial controls are often not fully funded or fully developed to prevent fraud.

The potential danger: These attacks have been successful with both well-established businesses as well as with new and fast-growing enterprises. The financial loss is immediate, often reaching into the millions of dollars, and such funds can be impossible to recover.

The Future of Big Data and Information in the World of Identity Theft

For years now, the mantra for everyone from the smallest company to the world’s largest enterprises has been:  “More data is better.” Companies are sweeping up enormous amounts of user behavior data in order to figure out how to best target advertising dollars – but criminals are more than aware of the troves of data being collected and stored.

Nation-states are also aware of this trend, and when breaches have been attributed to nation-state actors, the situation gets more complicated. The generally accepted assumption is that the nation-states are looking to build vast databases on entire populations, which may later be used to target specific individuals. They may not use the information today, but they may decide to exploit it in the future. Compounding the problem is the tolerance for criminal cyber activity that has been demonstrated in some foreign countries. A criminal hacker today may be a nation-state’s hacker for a project next month, and then be back to criminal hacking next year.

Today, there is no single place or central online marketplace where a criminal can sell or buy all of the information on an individual from breaches. This data is sold off in different segments to various groups, where some of it eventually ends up for sale to individual fraudsters and some of it does not.

The ultimate concern is that large portions of hacked databases will be pieced together by criminal hackers, or released by nation-state actors, enabling the creation of a single marketplace where a very detailed individual profile can be pulled on an individual or a company. Combining all of this information into a single “super” profile could result in the launch of not just one of the risk scenarios mentioned above, but rather multiple ones at the same time.

Practical Steps to Help Avoid and Mitigate Harm from Personal Information Identity Theft

While the specter of super profiles can be daunting, the news is not all dire. In fact, armed with the knowledge of how and why identity thieves are targeting personal data beyond credit card numbers, individual consumers and businesses can take numerous steps to protect themselves.


If you use the same password for multiple accounts, you know from this article how that can be leaving you and your family open to serious harm. Using different passwords for different accounts creates an extra barrier for identity thieves. So, over the coming weeks, every time you log into an online account, take a few minutes to change your password. Here are additional tips to help protect yourself and your family:

  • Invest in ID theft protection. The number one thing that you can do to protect yourself is have ID theft protection. If you suffer an ID theft-related breach, the number of hours you may have to dedicate to clearing your name and your credit can be incredible. A good ID theft protection service can guide you through this process and do a lot of the restoration work on your behalf.
  • Check your children’s credit. When you obtain a credit report for yourself annually, check to see if a credit file exists for your child. This is a good indication that fraud has occurred and that your identity may have been compromised as well.
  • Link a second email account to your primary account. This second account will receive alerts if someone tries to change the password to your primary email account.
  • Set up security alerts for your online bank accounts. These include for password changes, large dollar transactions, and others, depending on what your bank offers.


While many of these best practices may go against the idea of creating frictionless transactions and seamless customer service, a little bit of friction can often create enough time to catch criminal activity early.

  • Never send a wire transfer based on an email. If a wire needs to be sent, always employ out-of-band authorization to verify the transfer. For example, call the person on the phone who asked you to send it, verifying that he or she actually made the request. Additionally, set up dual controls for business wires: one employee can initiate the wire, but a second employee needs to confirm that transfer. Employee training is critical for reinforcing the need to follow established protocols and to recognize that requests that deviate from these protocols should raise red flags.
  • Implement two-factor authentication. Whenever anyone needs to access sensitive company resources, set up a second level of authentication before permitting account log-in.
  • Set up trip wires. Make sure that you have alerts set for any time someone changes your business online banking profile.
  • Do not let your business outgrow your security. Businesses of all sizes need to carefully weigh their exposure. Particularly with quick-growing enterprises, the team can overdrive technology, leaving some gaping security holes. If your business is growing rapidly, invest in deploying technical resources and dedicate in-house staff or contract with outside resources to help keep your business safe. These resources can be expensive, but the reputational damage in the event of a breach can be catastrophic.

Cyber Risk

Incident response, digital forensics, breach notification, managed detection services, penetration testing, cyber assessments and advisory.

Forensic Investigations and Intelligence

The Kroll Investigations, Diligence and Compliance team consists of experts in forensic investigations and intelligence, delivering actionable data and insights that help clients worldwide make critical decisions and mitigate risk.