Our lives are increasingly digital. We shop, socialize, communicate, watch TV and play games — all from the comfort of our desktop, laptop, or mobile device. But to access most of these services we need to hand over some of our personal data. Whether it’s just our name and email address or more sensitive information like Social Security and credit card numbers, this sharing of what’s known as personally identifiable information (PII) exposes us to risk. Why? Because hackers are looking for ways to steal and monetize it.
The latest FBI Internet Crime Complaint Center (IC3) report, recently released, paints an accurate picture of the scale of these online threats. Personal data leaks were among the top reported cybercrimes in 2018, with 50,642 victims listed. They were linked to losses of over $148.8m. This is likely just the tip of the iceberg, as many incidents aren’t reported. Identity theft, which usually results from data theft, cost victims over $100m last year. And phishing attacks, which are commonly used to trick victims into handing over sensitive PII and passwords, accounted for over $48m in losses.
The message is clear: consumers need to take urgent steps to protect their most sensitive identity and financial data from online attackers. That’s why Trend Micro has produced this guide, to help you identify where your most sensitive data is stored, how attackers might try to steal it and how best to secure it.
What is at risk?
The bottom line is that hackers are out to make money. Although they can do this via online extortion and ransomware, it is most commonly done via data theft. Once they have your PII and financial details they sell it on dark web sites for fraudsters to use in follow-on identity fraud. They could use banking log-ins to hijack your bank account and drain it of funds. Or they could open new credit cards in your name and run up huge debts.
Identity fraud is a growing threat to US consumers. It affected 14.4m of us in 2018, leading to losses of $1.7bn — more than double the 2016 figure.
As we’ve mentioned, the hackers are after as much PII as they can get their hands on. The more they have, the easier it is for them to stitch together a convincing version of your identity to trick the organizations you interact with online. It could range from names, addresses and dates of birth at one end to more serious details like Social Security numbers, bank account details, card numbers, and health insurance details at the other.
Most of this information is stored in your online accounts, protected by a password, so they will often put a great deal of effort into guessing or stealing the all-important log-ins. Even accounts you might not think would be of interest to a hacker can be monetized. Access to your Uber account, for example, could be hijacked and sold online to offer free trips to the buyer. Or your Netflix account log-ins may be sold to provide free streaming services to whoever pays for them.
Now, hackers may go after the firms directly to steal your personal data. In the past we’ve seen mega leaks at the likes of Uber (affecting 57m global users) and Yahoo (affecting 3bn users). But they might also target you individually. Sometimes they may use information they already know about you to trick you via phishing into handing over more, as with tax fraud and sextortion blackmail attempts, and sometimes they might use already leaked passwords to try and hack into your accounts, hoping you reuse the same log-ins across multiple sites.
While you’re most likely to get reimbursed by your bank eventually for financial losses stemming from identity fraud, there’s a major impact beyond this. Online data theft and the fraud that follows could lead to:
- Out-of-pocket costs to recover your identity
- Emotional distress: 75% of victims report suffering severe distress
- Lower credit scores
- Time and effort disputing charges/recouping money: it’s estimated to take an average of six months and 200 hours of work to recover your identity following an attack.
How do they steal it?
There are plenty of techniques the bad guys have at their disposal to part you from your data and money. They’re supported in this by a vast underground cybercrime economy, facilitated by those dark web sites. This not only offers a readymade platform for them to sell their stolen data to fraudsters, but also provides them with hacking tools, advice and cybercrime services. This black market economy could be worth as much as $1.5tr per year.
The hackers may choose to:
- Target you with a phishing scam, spoofing an email to appear as if sent from an official company (the IRS, your bank, insurer, ISP etc.)
- Launch automated attacks, either using your log-ins from other sites that have been stolen, or else using online tools to try multiple combinations of easy-to-guess passwords like “passw0rd”
- Exploit vulnerabilities on the websites you visit to gain access to your account
- Infect legitimate-looking mobile apps with malware and wait until you unwittingly download them
- Intercept your private data sent over public Wi-Fi: for example, if you log in to your online banking account on public Wi-Fi, a hacker may be able to monitor everything you do.
How can I secure it?
The good news is that there are plenty of simple things you can do to keep your data safe and secure — most of them free of charge. Consider the following:
- Use a long, strong and unique password for each website and application. To help you do this, use an online password manager to store and recall these log-ins when needed.
- Change your passwords immediately if a provider tells you your account may have been leaked.
- Use two-factor or multi-factor authentication (2FA/MFA) if available for added log-in security.
- Only enter PII into sites which start with “HTTPS” in the address bar.
- Don’t click on links or open attachments in unsolicited emails or texts.
- Be careful about over-sharing personal and financial details on social media.
- Only download apps from official app stores like the Apple App Store or Google Play.
- Don’t access any sensitive accounts (banking, email etc) on public Wi-Fi without using a VPN.
- Invest in good AV from a trusted provider for all your PCs and mobile devices. It should include anti-phishing and anti-spam.
- Keep all operating systems and apps on the latest versions to minimize the number of vulnerabilities hackers could target.
- Keep tabs on your financial transactions so you can quickly spot if an identity fraudster has been impersonating you.
- In the event of a leak involving your credit (as with Equifax), check your credit report and security status from Equifax, TransUnion, Experian, and Innovis and put a security freeze on it if necessary.
How can Trend Micro help?
Trend Micro has been protecting customers from data theft for decades. We have a comprehensive range of powerful, easy-to-use solutions to protect your home PCs, devices and personal data from the major threats listed above.
Here’s a quick breakdown:
Trend Micro Maximum Security for PC and Mac:
- Web threat protection
- Anti-spam/phishing protection
- Pay Guard (secure banking)
- Trend Micro Vault (data encryption)
- Privacy Scanner for social networks
- Social Networking Protection (against bad URLs on social networks)
- Data theft prevention (against data exfiltration)
- Secure Erase (for secure data deletion)
- Email Defender (to protect your Gmail and Outlook webmail from scams)
Trend Micro Mobile Security for Android and iOS:
- App security (with pre-install scans on Android)
- Fake banking/financial app protection
- SafeSurfing
- Wi-Fi checker
- Pay Guard Mobile
- Social Network Privacy
- Lost Device Protection
- Device Access Status (Two-Factor Authentication checker, iOS)
Trend Micro Password Manager (also bundled with TMS Max) on all 4 platforms (WIN, Mac, Android and iOS):
- Strong, synced password management across all your devices
Trend Micro VPN on all 4 platforms (WIN, Mac, Android and iOS):
- VPN for public WiFi hotspots
- Data Encryption
- Web Threat Protection
Email Defender online (also now incorporated into Trend Micro Security’s Toolbar, for Gmail and Outlook webmail):
- Check emails or chat messages for phishing scams and identity fraud
To find out more, go to our 2019 Trend Micro Security for Home YouTube playlist for brief overviews and how-to videos of our end user solutions. Go to Security Products Overview on the Trend Micro Security Home page for more details on all our end user products.