dinero_admin Corporate data breaches are one of the main avenues for identity theft, but they are not the only way. ESET explains that there are several ways personal information can fall into the wrong hands and be used to commit fraud.
Data breaches are a growing threat to businesses and a nightmare for their customers. According to the latest figures, there were 3,158 publicly reported incidents in the United States in 2024, just shy of the all-time high.
As a result, more than 1.3 billion data breach notification letters had to be sent to victims, more than 1 billion of which were affected by five mega-breaches involving more than 100 million records each.
ESET, a leading proactive threat detection company, comments that there are many other ways for personally identifiable information (PII) to fall into the wrong hands, but once it circulates in the cybercrime underground, it is only a matter of time before it is used in identity fraud attempts.
“Once your personal data has been stolen, whether in a massive breach or through one of the various methods available, this data is likely to be sold or transferred to others for use in various fraud schemes”.
This could range from illegal purchases to account takeovers (ATOs), new account fraud, or phishing schemes designed to obtain even more sensitive information. In some cases, real data is mixed with machine-generated data to create synthetic identities that are harder for anti-fraud filters to block”, says Camilo Gutiérrez Amaya, head of the ESET Latin America Computer Security Research Laboratory.
What data is at stake?
• Names and addresses
• Credit/payment card numbers
• Government-issued ID numbers
• Bank account numbers
• Healthcare credential data
• Passport or driver’s license
• Login information for personal and business online accounts
Identity fraud comes down to data, so it is important to understand how cybercriminals acquire information. If they are not stealing large amounts of data from third-party organizations, the main attack vectors targeting individuals are:
• PHISHING/SMISHING/VISHING: Classic social engineering attacks can occur through various channels, from traditional email phishing to text messages (smishing) and even phone calls (vishing).
The threat actor often uses well-known and proven techniques to deceive and get people to comply with their commands, which typically involve clicking on a malicious link, filling in personal information, or opening a malicious attachment.
These include using official branding to impersonate a well-known company or institution, and tricks such as caller ID or domain spoofing.
•DIGITAL THEFT: To obtain your card details, threat actors can insert malicious skimming code into the web pages of a popular e-commerce site or similar. The entire process is completely invisible to the victim.
•PUBLIC WI-FI: Unsecured public Wi-Fi networks can facilitate man-in-the-middle attacks that intercept personal information. Hackers can also set up rogue access points to collect data and redirect victims to malicious sites.
•MALWARE: Infostealer malware is a growing problem for both corporate and consumer users. It can be installed unintentionally through various mechanisms, such as phishing emails, drive-by downloads from infected websites, pirated games, Google ads, or even legitimate-looking applications, such as fake meeting programs. Most infostealers harvest files, data streams, card details, cryptoassets, passwords, and keystrokes.
•MALICIOUS ADVERTISING: Malicious ads can be programmed to steal information, sometimes without even requiring user interaction.
• MALICIOUS WEBSITES: Phishing sites can be spoofed to appear authentic, right down to the domain. In the case of drive-by downloads, a user simply visits a malicious page to initiate the stealth installation of the malware. Malicious websites often rise to the top of search rankings to gain greater exposure, thanks to nefarious SEO techniques.
• MALICIOUS APPS: Malicious programs, including banking Trojans and data stealers, can disguise themselves as legitimate apps, with a particularly high risk outside of official app stores like Google Play.
• LOST OR STOLEN DEVICES: If you lose your device and don’t have adequate protection, hackers could target it in search of personal and financial data.
ESET shares some good practices to implement together to prevent criminals from accessing personal and financial information:
• Strong and unique passwords: Choose a different password for each site, application, or account, and save them in a password manager. Enable two-factor authentication (2FA) on your accounts so that even if someone obtains your password, they will not be able to use it. The best option is an authenticator app or a security key.
• Install security software: This will scan and block malicious applications and downloads, detect and block phishing websites, and alert you to suspicious activity, among other things.
• Be skeptical: Pay attention to phishing warning signs: an unsolicited message urging quick action that contains links or attachments. Some excuses used to deceive include supposed prize draws with a time limit or warnings of fines if you do not respond quickly.
• Only use apps from legitimate sites: Apple’s App Store and Google Play, for example, to reduce the likelihood of downloading malicious apps. Check reviews and permissions before downloading.
• Be wary of public Wi-Fi networks: Stay away from public Wi-Fi networks or, if you must use one, avoid logging into sensitive accounts while connected. In all cases, use a VPN.
In the event of a data breach, there are some important measures to take quickly. The first step is to notify the bank to block the cards (this can be done through most banking apps), report the fraud, and request replacement cards.
Also, file a report with the authorities, primarily the police, and other relevant entities: for example, if your driver’s license was stolen, the report should be filed with the agency that issued it. Additionally, change your passwords and, if you have not done so before, activate two-factor authentication (2FA).
“Identity fraud remains a threat because it’s relatively easy to profit in the cybercriminal world. By reducing the avenues, they can use to extract personal information, we can inconvenience our adversaries and keep our own digital lives safe and secure”, concludes Gutiérrez Amaya of ESET.
