Identity theft on the internet has reached alarming levels, catching even financial institutions unaware of this criminal activity. Security experts continuously emphasize the importance of vigilance in both online and offline activities to prevent financial losses and protect one’s reputation.

Migs, an employee at a creative tech company, reported his own encounter with identity theft when he realized scammers had used his identity to defraud him. His story began when he sought concert tickets for a performance by Korean idols in the Philippines. In search of tickets, he encountered individual resellers on social media, a common practice due to high demand. Unfortunately, Migs ended up paying for a non-existent concert ticket.

“I was scammed via Coins.ph,” Migs said. “But later, I discovered that others had fallen victim through CIMB (as a payment gateway) as well.”

AI in cybersecurity: Friend or foe?
New age of data privacy regulation: How businesses can prepare

(Back End News reached out to CIMB for comment. The email was acknowledged but has not received a response regarding Migs’ complaint.)

Migs contacted the digital bank, which confirmed that the account number he provided was correct but under a different name. However, they could not take action unless a monitored transaction occurred. Migs discovered that the scammers had created fake Facebook profiles using his identity to deceive more victims.

“Each time I reported a fraudulent Facebook profile and it was taken down, another would quickly emerge,” Migs said.

Though Migs has not yet filed a formal complaint with the Department of Justice’s cybercrime division, he has alerted them to the ongoing scams.

The prevalence of identity theft

According to Adrian Hia, managing director for Asia Pacific at Kaspersky, identity theft should not be taken lightly due to its severe consequences. Beyond financial loss, it can cause reputational damage.

“Identity theft is like opening Pandora’s box,” Hia warned. “It can lead to financial loss as cybercriminals gain access to victims’ bank accounts, take out loans in their name, or request money while impersonating the victim.”

In addition to monetary theft, identity theft is also used for deceptive purposes, such as catfishing people on dating apps, causing emotional distress.

“Identity theft can occur in situations such as phishing attacks, in which cybercriminals construct persuasive messages to deceive victims into divulging more sensitive details or granting unauthorized access to their accounts,” Sherif El Nabawi, VP of Systems Engineering at CrowdStrike, said in an email interview with Back End News. “Such scenarios can result in financial losses, harm to personal reputation, and emotional distress.” 

CrowdStrike’s 2023 Threat Hunting Report revealed a staggering 583% year-over-year increase in Keberoasting attacks, a form of identity-based threat, and a 147% rise in access broker advertisements on the dark web. El Nabawi said that 80% of breaches are identity-driven, where attackers gain access using valid credentials, making detection challenging.

“These types of attacks have impacted organizations and government entities in the Philippines and are difficult to detect because they do not follow the usual cyber kill chains, but instead use compromised identities to launch even more destructive attacks,” he said.

El Nabawi also noted that senior citizens are particularly vulnerable to phishing attacks due to their unfamiliarity with the digital world. In 2021, scam losses for this demographic in the Philippines ranged from P1 million to P17 million, as per data from the National Bureau of Investigation cited by CrowdStrike.

“Identity theft also extends to broader societal consequences, contributing to a decline in digital trust and hindering the advancement of the digital economy,” El Nabawi said. “A resulting attack can also lead to a decline in trust for breached organizations.” 

Social Media: A breeding ground for identity theft

Social media platforms have become prime sources of information for identity theft. Individuals often underestimate the dangers of oversharing personal information, neglecting the risks associated with providing excessive details.

“The human factor stands out as a significant cybersecurity threat, and yet it remains to be one of the most overlooked points,” El Nabawi said. “Attackers often create strategies based on OSINT (open-source intelligence), which refers to publicly accessible information or data about individuals or organizations.”

Hia urged people to be cautious about sharing any personal information online, including their address, birthdate, current location, likes, and even tags. Cybercriminals can use this information to build profiles of potential victims and scam people.

“Remember that the more information you have online, the greater your risk is,” he said.

Reporting identity theft

El Nabawi highlighted that under the Philippine Anti-Cybercrime Law (Republic Act No. 10175), victims of identity theft can seek compensation for damages. To initiate this process, victims must file a civil lawsuit against the perpetrator. The court will then review the evidence presented to determine the awarded damages. The law also empowers law enforcement agencies to freeze the assets of cybercrime offenders, including those involved in identity theft.

“At CrowdStrike, the rule-of-thumb approach we provide to victim organizations is to minimize the attack surface, detect and respond quickly, and mitigate an incident so it doesn’t turn into a breach,” he said.

Hia advised individuals who discover they have fallen victim to identity theft to report it immediately to authorities or relevant platforms. Identifying the source is crucial for further action. He also stressed the importance of changing all passwords for online accounts promptly.

If all else fails…

Hia emphasized the importance of caution and mindfulness when engaging in online activities, especially when sharing personal information and financial credentials on websites or social media.

“When using social media, it is essential to familiarize yourself with security settings and adjust them to your comfort level,” Hia advised. “Control who can see your posts, and limit the visibility of your profile in public searches, among other precautions.”

CrowdStrike recommended multi-factor authentication (MFA) as a robust defense against identity theft, as it requires multiple forms of verification. However, it’s not foolproof, as threat actors can sometimes bypass MFA, especially when self-enrollment or exceptions are involved.

“For organizations, implementing a Zero Trust strategy can provide effective defense, safeguarding both assets and employees,” El Nabawi said. This framework requires continuous authentication and validation of all users before granting access to applications and data, regardless of their location. Also, a comprehensive cybersecurity strategy should encompass endpoint security, IT security, cloud workload protection, and container security.”

Avoid becoming a victim

Kaspersky and CrowdStrike provided a list of reminders for individuals and organizations to prevent identity theft:

For individuals:

• Install reputable security solutions on devices to detect threats and protect against identity theft and malware.
• Exercise caution when downloading files or attachments, as they may contain hidden malware.
• Avoid saving credit card information on devices.
• Refrain from using public Wi-Fi, as hackers can intercept your data.

For organizations:

• Prioritize identity protection, recognizing that adversaries often exploit identity vulnerabilities.
• Stay vigilant with patching and updates to address vulnerabilities promptly.
• Continuously hunt for suspicious behaviors, as they can indicate potential threats.
• Implement multifactor authentication (MFA) wherever possible to enhance security.
• Stay informed about adversarial tactics through up-to-date threat intelligence.
• Promote user awareness to mitigate social engineering tactics.

Migs advises individuals to exercise extreme caution when making online purchases. While buying from unofficial sources may be inevitable, it’s crucial to double-check the legitimacy of transactions, conduct thorough research on sellers, and avoid making large down payments impulsively.

“Don’t rush into buying things,” he said. “Don’t let your emotions get in the way and do your research on your seller and don’t ever do a 50% down payment.”

By staying informed and practicing these precautions, individuals and organizations can reduce the risk of falling victim to identity theft in the digital age.