A Fraud with Your Name on It: The Use and Abuse of OSINT in Identity Fraud
Identity fraud is on the rise. The digital shift of the pandemic has affected virtually every activity and sector: including financial crime, and the malicious theft of personal information. This is a problem not just for individuals but for businesses too. Employees’ “personal” information often includes data used to access internal systems, company cards, documents, and accounts. And with bigger account balances, higher credit limits, the ability to make large payments without arousing suspicion, and vast amounts of identifying information openly available on the internet, corporations make an attractive target for identity predators.
For better and for worse, Open Source Intelligence (OSINT) is intrinsic to the modern “identity” framework. Fraudsters will use it offensively to identify, profile, and become their victims. Proactive individuals and organizations can use it defensively to identify their vulnerabilities and minimize exposure. Blind spots, on the other hand, give fraudsters the ability to act in your name for months, or even years, without your knowledge. The ability to employ protective OSINT is a survival skill for the Information Age.
What’s in a Name? More than you might think
There are many types of financial identity theft, but two, in particular, are worth a closer look: “application fraud” and “account takeover fraud.” Account takeover fraud is when someone takes over your existing bank account or credit card account. The consequences are quick and painful but finite: the Fair Credit Billing and Electronic Fund Transfer acts limit your liability, while banks and credit card companies typically have zero-liability policies that protect you from losing funds to fraud.
Application fraud, however, has long-term implications that can take a serious toll on your financial standing and reputation. This is when someone uses your identity to apply for a new account or lending facility, such as a credit card account or mortgage. They’ll typically use it as a vehicle for bad behavior: to launder money, for example, or rack up charges with no intention of paying them. By the time you become aware of the fraud, you’re likely to find damning credit ratings, charges, and even fraud markers against your name.
The longer the fraudster can operate without your knowledge or consent, the more complex and invasive the fraud can become: in some cases requiring months or even many years worth of time and money to repair the damage. Both businesses and individuals can fall prey to this kind of fraud.
Becoming You: A Beginner’s Guide
Identity fraud can and does happen to anyone. You may think that good password hygiene, cyber-security programs to guard against data breaches, and the odd check on your bank account transactions is enough to keep you safe from this kind of crime. You would be wrong. While data breaches are always a vulnerability to be wary of and protect against, there are far easier ways for fraudsters to get hold of your information and identity and act in your name entirely without your knowledge.
In an ever-increasingly digitized world, pieces of information about you, your personal data, and your lifestyle are everywhere. Not so long ago, people used to rip their addresses out of envelopes or shred them before recycling them: some still do, even though those addresses can now be found all over the internet, on company documents, electoral rolls, or telephone directories. And these online records can reveal not only addresses but ages, email addresses, mobile numbers, telecoms providers, employment history, family members, the names of the people you live with, and even exact dates of birth.
This type of basic data is an easy access route for a fraudster to get hold of more - and more dangerous - data. Many people use their date of birth, or a family member’s date of birth, as a passcode to unlock phones, laptops, applications, or accounts. Very basic data is used to substantiate credit applications: date of birth, address history, and current employer for example. The fraudster will sprinkle accurate details about you in with fabricated information for their own use: false bank accounts to receive funds or fake addresses that they can use to field communications and verifications. The more consistently these incorrect details are linked with your own, the more tightly their doppelgänger gets tangled up with your own identity.
The Personal Touch: Tailor-Made Fraud
Then, of course, there is social media. This means not just the usual suspects - Facebook, Twitter, Instagram, LinkedIn, TikTok, etc. - but any old accounts you may have forgotten about, or any comments on blogs, forums, or news sites. Social media is a rich source of information, for example, about your personal interests and activities; your close relationships, family and friends; your current and previous jobs, corporate affiliations, and plans for the future; your whereabouts now and your travel itineraries, past and future; your assets, such as houses or vehicles; preferred suppliers, vendors, or other third parties.
That’s all very well, but how - you might ask - would a fraudster use information about your mum, your passion for Deliveroo, the pet guinea pig you had when you were eight, or your college football team photo to do any serious damage? Consider just how easy it is to link this information to common “security” questions and passwords. Many people will use their mother’s maiden name, their first pet’s name, the name of their college, or the street they grew up on, for example, to access sensitive personal information.
What’s more, if someone is going to pick up the phone and pretend to be you, even the most trivial personal details can help them create the facade and pass basic security checks. They might then persuade a third party to send them more information or even send a new credit card to an address they can access. They can also use these details to get more information from you directly through tailor-made phishing scams. For example, if they note that you are currently seeking new employment, they might set up a fake interview: or if they work out which online retailers you have accounts with, they might tailor a phishing email to your account to get hold of your credit card data.
All of these risks to individuals are risks to the companies they work for. Once a thief gains control of an employee’s identity, they can begin to access business accounts and target co-workers, partners, clients, and customers through specified phishing scams.
Check Your Blind Spots: Protective Intelligence
Many companies, and indeed individuals, spend vast amounts of money on complex cybersecurity systems to prevent data breaches. While these are important, they often completely ignore the threat to security that comes from human exposure: that’s to say, their own, or their employees’, information exposure across the open source environment.
Protective OSINT in this context means a thorough and efficient audit of information exposure and vulnerability and the ability to consistently monitor the open source environment for new points of access or opportunity. Effective OSINT technologies should be able to rapidly scan the surface, deep, and dark web for data breaches - including credit card details, usernames, and passwords - but also for potential exposure of personal information through unwitting means such as social media or public directories. They should alert you, in real-time, to any potential vulnerabilities or suspicious activity, allowing you to take reparative or preventative action in a timely manner. Where data cannot be removed from the open source, it is important to be aware of its visibility and ensure that it does not form a part of your information security protocols.