Identity theft, phishing and proxy services

Identity theft, one of the fastest-growing crimes against consumers, victimizes more than ten million people each year.  Aside from attacking systems directly, information harvesters often attempt to glean information that can be used for identity theft purposes through phishing and Internet-based proxy services.

The threat of identity theft

In order to steal someone's identity, an identity thief needs to have some information about the prospective victim. Such information could include the victim's:

  • Social Security Number,
  • passwords,
  • date of birth,
  • place of birth,
  • mother's maiden name,
  • driver's license number,
  • credit card numbers,
  • bank account numbers.

Armed with this information, an identity thief can open credit card accounts, obtain loans, make purchases, etc., all in the victim's name.

The U.S. Department of Education has created a website to help college students avoid credit card fraud and other forms of identity theft. The site describes:

  • the identity theft threat,
  • steps to reduce your risk,
  • what you can do if you become a victim,
  • the school's responsibility in protecting identities, and
  • scholarship scams.

Visit the site by clicking the following link:

http://www.ed.gov/about/offices/list/oig/misused/index.html

What is phishing?

"Phishing" is a serious privacy threat that is quite simple in concept. The person doing the phishing (the "phisher") contacts an individual by phone or e-mail and asks for personal information, such as a Social Security number, date of birth, or passwords. If a targeted individual provides such information, it could be used for identity theft or to compromise system security.

It is important to keep in mind that reputable organizations do not normally contact their customers asking for personal information.

Phishers are quite adept at gaining their victims' confidence. The person making contact over the phone sounds official. The phishing e-mail message has a corporate look and feel, including company logos. The communication includes a credible explanation of why the information is needed. For example, phishers may claim that they are verifying the organization's records; that they need to reconstruct their database after a computer system failure or upgrade; that they will close your account unless you respond with your personal information for verification; or that they are offering a new service and want you to verify your identity to obtain it. There are many other such pretexts.

Most of today's attacks arrive via e-mail, which gives the phisher broad coverage and a number of additional options for fooling intended victims. Typically, the phisher sends an e-mail message to a large group of individuals whose addresses he or she has captured from address books and websites across the Internet. The message, usually well-crafted and official-looking, may claim to be from a financial institution, a service provider, or any other organization known to the recipient. The message asks the recipient to confirm or provide some personal information, often by clicking a website link in the e-mail. But while the link may look legitimate, e.g., www.princeton.edu, the address that is displayed is not necessarily the site you actually visit when you click on it.

Thus, a phisher can send you a link that appears to lead to your bank's homepage (e.g., www.mybank.com) but actually points to a different site (e.g., www.nastyIDthieves.xyz) that he or she designed to look exactly like the official "mybank" website. That site has spaces for you to enter whatever pieces of personal information the phisher is hoping to obtain, e.g., your password, credit card number, PIN, social security number, date of birth, or other personal information. When you click the "submit" button, all the personal information that you entered is exposed to individuals who can use it to make purchases, open new credit accounts, take out loans, etc. - all in your name.

There have been other attacks using similar methods. A while ago, a malicious individual sent an e-mail message that looked like it came from a major software vendor. The e-mail asked the recipient to execute an attached file to apply an emergency patch to his or her system. When the recipient did, a virus was unleashed.

How to protect yourself against phishing

As a rule of thumb, if you ever receive an e-mail message or phone call from any organization asking you to provide them with personal information, such as your social security number, password, account numbers, etc., you should view any such contact as a potential fraud attempt - do not respond.

Phone contacts of this type should never occur and, while it is common for companies to send e-mail messages with links to their web sites, it is extremely rare and a bad practice for them to send you an e-mail message requesting that you enter, re-enter or confirm your personal information.

If you believe that the contact may be legitimate, or you need to update your personal information for any organization at any time, do not navigate to their website by clicking a link received in an e-mail. It is much safer to access the organization's website by typing its published web address directly into your browser.

Reminder about e-mail links and attachments

Always be a bit suspicious of the e-mail messages that you receive, especially those that include attachments and/or links. The sender's name can be forged, so it's not good enough to just know who the sender is. You should also determine if the content of the e-mail message is written in a manner that is consistent with what you would expect from that source. And even if the source looks legitimate, avoid clicking any attachment or link contained within the e-mail message unless you know what it is and why you received it.

Be wary of proxy services

Proxy services are Internet-based facilities that claim to improve their subscribers' Internet experience by directing all of a subscriber's Internet traffic, in both directions, through the service provider's computers. Since the service provider's systems have been efficiently configured to manage and distribute large amounts of Internet content, one such improvement is the speeding up of the subscriber's web browsing.

Unfortunately, because these services can view the data held within your Internet transactions, proxy service providers have occasionally taken on a secondary, sometimes intentionally obscured, purpose - to collect and sell information about you - even information that you thought was encrypted!

One of the early proxy service offerings was a product called MarketScore, but many such products now exist, and new products of this type are introduced regularly.