Our digital identity is linked to our accounts with various online services. Email, banking, social media, merchant and airline accounts are among the most coveted by cybercriminals, who can use them to commit fraud. Making money is typically the main purpose, which can be achieved directly or indirectly.
Any online account contains personal and sensitive data that can be used for fraud. Passwords and usernames are obviously the keys to the kingdom, but other information is important too, including your social security, phone, credit or debit card numbers or your name, email and postal addresses, or date of birth in official documents.
Account takeover (ATO)
Account takeover (ATO) attacks let fraudsters with login credentials for your online services manage them for their profit. The advantages of ATO fraud vary according to the type of account but are significant for the perpetrator, either in the short or long run.
They can use an account at an online store, for instance, to buy goods in your name and have them delivered to a pick up point. Illegal access to your airline account can strip you of your frequent flyer miles, which have a market of their own on underground forums.
Obviously, a compromised bank account is the most valuable of the online services for fraudsters as it is a direct source of cash. They know your exact balance and can send money to accounts they control or pay for services they need for illegal activities.
Cybercriminals can use illicit access to your accounts to apply for bank credit and loans, initiate transactions, make purchases, get payment or gift cards, withdraw from bank accounts, get services or privileges and more, all while you foot the bill.
In addition to these rewards, they can use your personal information for other types of fraud, some of it related to identity theft, such as names, addresses, phone numbers or medical data.
New Account fraud
The moment they have enough personal information, cybercriminals can engage in financial identity theft by creating new accounts under your name. This is commonly referred to as ‘new account fraud’ and financial losses are a direct consequence.
Setting up new accounts in your name requires valid information, which is mostly collected from data breaches. Personal details like names, addresses (physical and digital), phone numbers, bank account numbers and social security numbers (SSNs) number in the billions on the dark market and are often used for identity theft.
With enough data, fraudsters can create fake companies, contract utility services, or get phone subscriptions. They can also take advantage of your good credit score and apply for bank loans or credit cards. Although this will not last, everything looks legitimate long enough for the crook to turn a profit.
In new account fraud, the victim most often learns their identity has been stolen and used to purchase services when they receive calls or letters about the money they owe.
Synthetic identity fraud
Synthetic identity fraud is another risk of getting your personal information stolen. Unlike new account fraud, this does not require all the details about you to be correct as crooks can create a new identity with bits and pieces of valid personal data. The end goal is to fool financial companies into approving credit.
Synthetic identities combine real social security numbers with false names, addresses and dates of birth. There is no strict formula dictating how much data can be fake, as this typically depends on the details demanded by the victim and how much of it they can verify.
Because of the mix of fake and valid data, this type of fraud can go unnoticed for longer periods. All the more if fraudsters decide to hold on to the synthetic identity and use it responsibly to build a higher credit score and create some history that will eventually permit them to cash in big.
It is worth highlighting the importance of protecting your SSN, name, date of birth and postal addresses as this mix can be used for tax return fraud. This long-standing scam cheats taxpayers of the refunds they are owed by the IRS.