October is known for cinnamon roll day (Oct. 4), changing foliage, Major League Baseball’s World Series, corn mazes, pumpkins and, of course, Halloween. If the holiday isn’t scary enough, consider that identity-related crimes rose dramatically over the last two years.
“There were 4.8 million identity theft and fraud reports received by the FTC in 2020, up 45 percent from 3.3 million in 2019, mostly due to the 113 percent increase in identity theft complaints,” according to The Consumer Sentinel Network, maintained by the Federal Trade Commission (FTC). “In 2020, 1.4 million complaints were for identity theft, up from 651,000 in 2019. Identity theft complaints accounted for 29 percent of all complaints received by the FTC, up from 20 percent in 2019. About 2.2 million reports were fraud complaints and 1.2 million involved other complaints.”
With more businesses operating virtually, the increase in online shopping and the number of data breaches on track to break a record, ramping up online security is more important than ever.
The Identity Theft Resource Center® (ITRC) reported in early 2021 “that cyber criminals continue to be less interested in stealing large amounts of personal information directly from consumers but instead are taking advantage of bad consumer behaviors to commit identity-related crimes against businesses using stolen credentials like logins and passwords. Criminals use these credentials to make ransomware and phishing attacks against businesses.”
To combat this rising trend, October is also known as National Cybersecurity Awareness Month.
In the 2021 campaign, Do Your Part #BeCyberSmart, the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cyber Security Alliance (NCSA) join together to share information on how to keep online activity safe:
• Double your login protection. Enable multi-factor authentication (MFA) for all accounts and devices to ensure that the only person who has access to your account is you. Use it for email, banking, social media, and any other service that requires logging in. If MFA is an option, enable it by using a trusted mobile device, such as your smartphone, an authenticator app, or a secure token—a small physical device that can hook onto your key ring.
• Shake up your password protocol. According to National Institute of Standards and Technology (NIST) guidance, you should consider using the longest password or passphrase permissible. Get creative and customize your standard password for different sites, which can prevent cyber criminals from gaining access to these accounts and protect you in the event of a breach. Use password managers to generate and remember different, complex passwords for each of your accounts.
• If you connect, you must protect. Whether it’s your computer, smartphone, game device, or other network devices, the best defense against viruses and malware is to update to the latest security software, web browser, and operating systems. Sign up for automatic updates, if you can, and protect your devices with anti-virus software.
• Play hard to get with strangers. Cyber criminals use phishing tactics, hoping to fool their victims. If you’re unsure who an email is from—even if the details appear accurate—or if the email looks “phishy,” do not respond and do not click on any links or attachments found in that email. When available, use the “report phish” or “report” option to help your organization or email provider block other suspicious emails before they arrive in your inbox.
• Never click and tell. Limit what information you post on social media—from personal addresses to where you like to grab coffee. What many people don’t realize is that these seemingly random details are all criminals need to know to target you, your loved ones, and your physical belongings—online and in the real world. Keep Social Security numbers, account numbers, and passwords private, as well as specific information about yourself, such as your full name, address, birthday, and even vacation plans. Disable location services that allow anyone to see where you are—and where you aren’t—at any given time.
• Keep tabs on your apps. Most connected appliances, toys and devices are supported by a mobile application. Your mobile device could be filled with suspicious apps running in the background or using default permissions you never realized you approved—gathering your personal information without your knowledge while also putting your identity and privacy at risk. Check your app permissions and use the “rule of least privilege” to delete what you don’t need or no longer use. Learn to just say “no” to privilege requests that don’t make sense. Only download apps from trusted vendors and sources.
• Stay protected while connected. Before you connect to any public wireless hotspot—like at an airport, hotel, or café—be sure to confirm the name of the network and exact login procedures with appropriate staff to ensure that the network is legitimate. If you do use an unsecured public access point, practice good internet hygiene by avoiding sensitive activities (e.g., banking) that require passwords or credit cards. Your personal hotspot is often a safer alternative to free Wi-Fi. Only use sites that begin with “https://” when online shopping or banking.
The work of cyber criminals negatively impacts everyone. The Insurance Information Institute reported that last year’s “high-profile data breaches continue to threaten business with losses and consumers with exposure of their personal data. In 2021 more than 280 million Microsoft customer records were left unprotected on the web in January. By March, the U.S. Cybersecurity and Infrastructure Security Agency, a standalone United States federal agency in the Department of Homeland Security, advised all organizations across all sectors follow its guidance to address Microsoft’s email server vulnerabilities. According to the Triple-I, the number of U.S.-based organizations affected is estimated to be at least 30,000, while worldwide that number is close to 100,000. Other notable breaches in 2021 involved Colonial Pipeline Co., an East Coast gas utility that suffered a ransomware attack that shut down the company for six days, along with Facebook and Volkswagen of America breaches. A breach at Marriott Hotels in March 2020 reached a data system containing the personal information of about 5.2 million customers and MGM Resorts was hit by a February 2020 data breach that exposed the personal information of more than 10.6 million guests. Also of note, in late 2020 criminals believed to originate outside the United States breached as many as 18,000 government agencies through software from SolarWinds, a software service company. The breach went undetected for months and was caused by changes made to a software program update. The information targeted appears to be corporate and government intellectual property rather than consumer information. In 2019 the worst data breaches were the Capital One Financial Corp. breach in July that exposed 100 million records and the October Adobe Creative Cloud breach that exposed 7-million users. In 2017 the largest U.S. credit bureau, Equifax Inc., suffered a breach that exposed the personal data, including Social Security numbers, of 145 million people. It was among the worst breaches on record because of the amount of sensitive information stolen. In 2019 ransomware attacks—a type of malware that denies access to an organization’s system—more than doubled from 2018. In 2019 an organization fell victim to ransomware every 14 seconds on average. Also troubling is that while more organizations purchase insurance to protect against the risk, ransom demands grow larger as attackers realize that companies can meet these demands.”
The U.S. Department of Homeland Security “Be Cyber Smart” campaign teaches cybersecurity basics, common scams, and how to report cybersecurity incidents. Find out how to prevent cyber attacks at www.dhs.gov/be-cyber-smart/campaign.