Imagine getting a text message from your bank informing you that your credit card has been compromised and that you need to call the number provided.
Panicked at the thought of a stranger racking up huge purchases, you call the number which brings you to a voicemail from what sounds like a bank security department. You get another number to call along with a confirmation number on the recording.
You call the second number and speak to an operator who asks you for the confirmation number. After providing it you are asked to verify your Social Security number, birth date, address and the security code on your credit card… wait a minute. Shouldn't they have that information? Yes, they should—and you have just been "smished."
"Smishing" is just one new way identity thieves are getting their hands on ever-valuable personal identifiable information, according to Adam Levin, founder of IDT911, an identity and data risk management company. This scam is also occurring through voicemails, or "vishing," and started on the West Coast earlier this year and has spread across the country.
"They cajole you into giving them your information," Levin says. "If you get a call and they ask you to volunteer information and you don't know who they really are, never give it to them. Instead call the bank number on the back of your [credit or debit] card."
Despite identity fraud falling 28% in 2010 to 8.1 million from an estimated 11 million in 2009, according to Javelin Strategy &Research, thieves are becoming more creative in their methods of obtaining personal information. What's worse is that those who suffer from identity theft are facing higher consequences, with the average out-of-pocket costs nearly doubling in the same time period to $631from $387 per incident.
Dan Mohan, president and COO of ID Watchdog, based in Denver, admits there is no fool-proof way to completely protect yourself from identity theft, but having a strong offense is the best defense.
"You probably don't even think about the information you turn over to third parties, and have no idea how they secure it," Mohan says. "It's in places you don't think of as being vulnerable like hospitals, dentists' offices and schools—they may not have the latest IT protection or the budgets to dedicate to the best kind of data security."
For identity thieves, the name of the game is collecting the most information as possible in one fluid motion.
"It's a risk-versus-return game for them," Mohan says. "If you are a hacker out of Romania, [hacking someone in the U.S.], your chances of getting caught are slim, and if you do get the information, it has a long shelf life. That Social Security number can be used again and again."
Tax fraud is increasingly becoming a popular method for identity thieves to glean personal information. According to ID Watchdog, the tax fraud rate has increased by 500% since 2008.
"Basically someone is filing a tax return on your behalf before you do, and claiming a refund that is supposed to be yours. It is very difficult to prove you aren't filing it,” say Mohan.
This is not only putting personal information at risk, but is also costing the IRS a lot of money.
"The undertone is that I don't think they are finding a way to recover the money, so they are paying it out twice," he says.
Fraudsters can turn the tables and have the IRS come after you by using your Social Security number to get a job, but fail to file a tax return. You can then be accused of tax fraud until you can prove otherwise.
Another common tactic among thieves is stealing information from the elderly who do not use online banking, according to Levin. Scammers target individuals still receiving paper bank statements and use their account information to go online and create online accounts.
"They will switch [to their] phone number for a period of hours, and switch the address, and the consumer never knows the money has been stolen, until their statement comes in 30 days," Levin says.
Fraudsters are also infiltrating corporations through email attachments and communicating with others in the company under the guise of being another employee, Levin says. Scammers disguise a malicious code in an email that looks to be normal with terms like “compensation plan for 2011” in the email. From there, the malicious code is injected into the company's database and starts communication with people deep into the company's chain to access the codes used to create security clouds. According to Levin, an incident involving this type of scam occurred at RSA this past March.
Levin says the best thing consumers can do is treat their personal information like cash.
"People have to really think about the fact that if someone said, 'Open your wallet and give me all your money,' they'd throw them out of their house or worse, because your money is your asset. But people don’t seem to get the connection that their identity is an asset."