Ahileos - Fotolia
Businesses are being urged to take action after a record 89,000 identity fraud cases were reported in the first six months of this year, up 5% on 2016, according to the latest report by fraud prevention service Cifas.
In fact, identify fraud accounted for more than half of all fraud recorded in the first half of 2017, with 83% of offences committed online.
The Cifas data shows a sharp rise in identity fraudsters applying for loans, online retail, telecoms and insurance products. Although the number of identity fraud attempts against bank accounts and plastic cards has fallen, these still account for more than half of all identity fraud cases.
The vast majority of identity fraud happens when a fraudster pretends to be an innocent individual to buy a product or take out a loan in their name. Often victims do not even realise that they have been targeted until a bill arrives for something they did not buy or their credit rating falls, said Cifas.
To carry out this kind of fraud, criminals need access to victims’ personal information, such as name, date of birth, address, their bank and who they hold accounts with. This is obtained in a variety of ways, including stealing mail, hacking accounts, obtaining data on the “dark web”, exploiting personal information on social media, and though social engineering aimed at tricking people into providing personal information to someone pretending to be from their bank, the police or a trusted retailer.
Cifas chief executive Simon Dukes said identity fraud has now reached “epidemic levels”, with identities being stolen at a rate of almost 500 a day.
“These frauds are taking place almost exclusively online,” he said. “The vast amount of personal data that is available either online or through data breaches is only making it easier for the fraudster.
“Criminals are relentlessly targeting consumers and businesses and we must all be alert to this threat and do more to protect personal information.
“Smaller and medium-sized businesses in particular must focus on educating staff on good cyber security behaviours and raise awareness of the social engineering techniques employed by fraudsters. Relying solely on new fraud prevention technology is not enough.”
Glenn Maleary, head of the City of London Police economic crime directorate, said identify fraud continues to be a significant issue in law enforcement.
“The new figures that Cifas has released come as no surprise,” he said. “The more our lives move online, the easier it becomes for fraudsters to steal our identity. It has become normal for people to publish personal details about themselves on social media and on other online platforms, which makes it easier than ever for a fraudster to steal someone’s identity.
“The figures show that both businesses and consumers are targeted and it is therefore important that people commit to protecting themselves in all aspects of their lives. Be careful who you give your information to, and always consider whether it is necessary to part with those details. Cyber security is becoming increasingly important and we urge everyone, both at home and at work, to ensure that they have the right security settings on all their devices.
“We urge consumers and businesses to be conscious of identify fraudsters and to use our protection advice to help stop them in their tracks. We continue to work with banks, retailers and other members of industry to disrupt fraudsters’ activity. However, we also realise it is our responsibility to help advise consumers and businesses around these types of issues.”
Phil Beckett, managing director of global disputes and investigations at business consultancy Alvarez and Marsal, said organisations store vast amounts of personal data that can be used in identity crimes and act as a “rich” target as one attack can yield thousands, if not millions, of individuals’ data, as opposed to an attack on a single person, which yields only their data. “To combat this growing risk, organisations should ensure they have appropriate cyber safeguards and processes in place,” he said.
These measures include:
- Using application whitelisting on their systems;
- Ensuring that systems are patched efficiently;
- Disabling Microsoft Office macros by default;
- Restricting administration privileges to only those who truly need them;
- Using multi-factor authentication;
- Backing up data regularly; and
- Actively managing applications installed on user systems.
The most important thing is not to be complacent or ignorant about the threat, said Beckett. “A good starting point on this is to perform a holistic vulnerability assessment based on one of the well-defined frameworks that provides an organisation with a benchmarked assessment of its controls and readiness, as well as a path to improvement,” he said.
“These risks are not going away and with regulatory oversight increasing, for example with the upcoming GDPR [General Data Protection Regulation], they are going to become more and more important.”
The ID theft epidemic needs to be addressed from multiple angles, said Beckett. A lot can be done by individuals, but there is also a lot that organisations can do, and should do, to protected personal information, he said.
Read more about fraud
- The UK fraud prevention service is calling for better education about fraud and financial crime as identity fraud, which is often cyber-enabled, hits the highest levels ever recorded.
- Banking malware, DDoS, ransomware and CEO fraud top UK cyber threats.
- Tesco Bank halts online banking after weekend hacker fraud.
- UK fraud prevention service Cifas is calling on the government to make tackling cyber and other financial crime a priority.
Paco Garcia, CTO of digital identity company Yoti, said that although people’s desire for convenience often trumps security concerns, it is clear that individuals need greater support to operate both conveniently and securely in an increasingly digital world.
“Websites need to protect customers by giving them a better, safer way to create and access online accounts,” he said. “Once websites overcome this secure login challenge, we will be on the way to overcoming the threat of ID fraud.
“In future, far more websites will use biometric authentication – a selfie, fingerprint or heartbeat – to verify the identity of users. Biometrics introduce better fraud detection, better identity management, better audit trails, better internal controls and, as a result of all that, more trust from consumers.”
According to Nuance Communications, one top UK bank saw a 59% decrease in account takeover within 30 days of introducing intelligent biometric authentication.
“More businesses need to put customers’ security first and improve authentication methods to combat fraud,” said Brett Beranek, director of product strategy, biometrics and security at Nuance.