Secure Computing

Identity Theft and Phishing

Identity Protection

The Federal Trade Commission estimates that as many as 9.9 million Americans become victims of identity theft each year through hacking, phishing, physical theft, and other techniques.

Learn how to protect yourself, identify threats, and take action if you believe your login credentials or personal information have been stolen.

What is identity theft?

Identity theft is unauthorized access to personally identifying information (PII), including:

  • Name and address
  • Social Security number
  • Credit card numbers
  • Email or other passwords

Many people associate such crimes with online scams such as phishing emails. However, most identities are stolen using low-tech methods. There are many ways thieves obtain your personal information:

  1. Phishing/spam: They send an email or pop-up message that looks like it came from a real bank or credit card company asking for identifying information. (This is called phishing.)
  2. Social engineering/pretexting: They pose as legitimate businesses or government officials to obtain your personal information from financial institutions, telephone companies, and other sources.
  3. Shoulder surfing: They watch you from a nearby location as you type in your password or credit card number, or listen in on your telephone conversation.
  4. Hacking: They gain unauthorized access into computer networks where information is stored.
  5. Old-fashioned stealing: They steal wallets and purses, mail, computers not protected with passwords, mailed bank and credit card statements, pre-approved credit offers, and new checks or tax information sent through the U.S. Mail.
  6. Dumpster diving or trash rips: They rummage through communal or business trash to obtain copies of your checks, credit card or bank statements, or other records that typically bear your name, address, or telephone number.

What do thieves do with your personal information?

Thieves can use illegally obtained personal identity information in various ways:

  • Credit card or other financial/bank fraud
  • Phone or utilities fraud
  • Government documents fraud (obtain a driver's license, try to get government benefits, etc.)
  • They may get a job using your Social Security number.
  • They may rent a house or get medical services using your name.
  • They may give your personal information to police during an arrest. If they don't show up for their court date, a warrant for arrest is issued in your name.

 

Guarding yourself against identity theft

Prevention is the best defense. Try following the suggested precautions below:

Securing data and electronic information

  • Don't give out personal information on the phone, through websites, or in email unless you are sure you know whom you are dealing with.
  • Never click on links sent in unsolicited emails.
  • Use one credit card for Internet purchases with a low maximum limit amount.
  • Do not give out your real name or other personal information in Internet chat rooms. Use a screen name.
  • Use strong passwords, and change your important passwords annually.

Securing physical documents

  • Don't carry your Social Security card or write your Social Security number on a check. Provide your Social Security number only if absolutely necessary; you can always ask to use another identifier like a Connecticut driver's license number.
  • Minimize the ID information and number of credit cards you carry.
  • Keep your personal information in a secure place at home.
  • Do not authorize others to use your credit cards.
  • Protect areas where your mail can be stolen. Secure mail receptacles and promptly remove your mail. Deposit outgoing mail in post office mail boxes.
  • Never leave receipts at bank machines, bank windows, trash receptacles, or gasoline pumps.
  • Sign all new credit cards with "Photo Identification Required."
  • Shred documents like pre-approved credit applications, receipts, bills, and other financial information.

 

"Phishing" schemes and protecting your identity

Phishing is a cyber crime in which well-designed, legitimate-looking emails and pop-up messages lure victims into revealing their username, password, credit card number, Social Security number, or other sensitive information. Even though the problem is not new, there never seems to be a shortage of victims. Phishing messages look like the kind of communication you would expect to get from institutions you trust. Messages used in phishing scams are often identical to those used by the banks, schools, and merchants you deal with.

However, you should never trust email or pop-up messages that ask you to confirm, validate, or update your information by responding to the email or by following a link. The Yale University community is not immune to phishing attempts.
 

What to do about phishing or other suspicious email messages:

  • Never reply to any message or email that asks for your NetID, password, account information, or anything else that would be considered sensitive information.
  • Immediately report any suspicious email to abuse@yale.edu with full header information.
  • Never click on a link in a message or pop-up. Never call phone numbers that are provided in messages that ask for personal information.
  • Keep your anti-virus software and your firewall up to date.
  • Even though anti-virus software cannot stop you from simply telling someone your personal information, it may protect you from malicious software installations.
  • Delete suspicious messages.
 
Yale University ITS will NEVER send a message to you asking you to validate, confirm, or update your personal information and passwords.
 
Always be suspicious of requests for personal information that come via email, particularly requests for passwords, banking information, or wire transfers of money, even if the request seems to come from a good friend.

 

 

Official Yale University Messages

You can navigate to the official Yale University Message page to locate and verify the authenticity of official messages.

You can certify that the webpage to which you are directed is authentic by clicking on the "VeriSign Secured" logo on the top right corner of the screen.

Resources if you think your identity may be compromised

If you think your Yale University NetID password may be compromised, you can change your NetID password at any time. Contact Yale's Information Security Office if you have questions about a possible identity compromise or theft involving your personal or business information.

 
Compromised credit cards
 
If your credit card information is compromised you should cancel any affected credit card number. The credit card provider can then take appropriate action, which will be to cancel the card and issue a new account number.
 
Compromised Social Security number
 
If your Social Security number has been compromised, call one of the national credit reporting agencies and ask them to place an alert on your account:
  • TransUnion – 800-680-7289
  • Experian (formerly TRW) – 888-397-3742
  • Equifax – 800-525-6285

The agency you call will automatically share the alert with the other national credit reporting agencies. This alert typically lasts 90 days, after which time you can review your credit report to determine if any other fraud has occurred.

You can also request a security freeze to block anyone from accessing your credit history. You must use a PIN to unblock the freeze prior to any application for credit.

When you send a complaint to the Federal Trade Commission (FTC), it enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure online database available to hundreds of civil and criminal law enforcement agencies worldwide. The FTC maintains a site you can use as a starting point for identity theft information.

Useful links & resources on identity theft issues:

Nonprofit organizations committed to promoting prevention of and recovery from identity theft

Social Security Administration

OptOutPrescreen service to avoid financial offers through junk mail

  • If you would like to reduce the number of pre-screened credit and insurance offers you are receiving, visit www.optoutprescreen.com or call 1-888-5OptOut (1-888-567-8688) to opt-out of these offers.

How to tell if a web page is secure

"Secure pages" are special web pages through which data can be sent in a coded or encrypted format (Secure Sockets Layer, or SSL). Secure pages are often used for transmitting passwords, credit card numbers, or other personal or financial information. Whenever a web page asks you to supply your password, credit card information, or other personal information, always check to be sure that the page is secure.

Secure pages are hosted by organizations and companies that have gone through a careful screening process by a third-party "certificate authority" like VeriSign to establish that the companies are legitimate, and receive an electronic certification that essentially verifies that the organization is who it says it is on their secure web pages.

There are two quick ways to tell if a web page is secure:

1. Look for the "https" in the URL address line at the top of the browser window.


Security on social network sites like Facebook or MySpace

Social networking sites like Facebook, MySpace, Flickr, and Twitter that are rich with personal information are becoming targets for identity thieves and other cyber-criminal scams, according to the FBI and other cybersecurity experts. These accounts are often compromised as a result of phishing schemes.

If you use social networking sites, carefully review your "Profile" information with security in mind, particularly for information that might be useful for someone seeking to impersonate you. Home addresses, phone numbers, birth dates, pictures of yourself that might be used to fake an ID card, and other seemingly innocuous information could be very useful to an identity thief.

Even family information or pictures could be useful to a thief, as family-related questions like "What is your mother's maiden name?" are often used to verify your identity in banking and e-commerce sites. Sharing travel photos while you are on vacation is great, but consider: you are advertising that your house may be unoccupied while you are away.

Steps you can take to preserve your privacy in social networking:

  • Review your profile information, blog posts, Facebook "wall" comments, and even your family photos to see where you might have provided useful identity information to a potential thief.
  • Don't believe everything you read on Facebook or other social sites: Scammers who have broken the security of one of your friends' accounts will quickly contact all other "friends" with phishing or other scam emails that seem to come from someone you know and trust. Be especially suspicious of requests for money or personal information, or links to web sites within the body of an email message.
  • Review your privacy settings to be sure that only people you choose to share information with have access to your detailed profile and pictures. But don't rely on privacy settings to protect highly sensitive information; they can't guarantee that embarrassing pictures you post of yourself won't be distributed or viewed outside your carefully selected group of friends.
  • Never put anything truly sensitive on a social media site: Social Security numbers, your exact home address, phone numbers, credit card or banking information of any kind, or detailed information on close family members could all help a thief compromise your identity.

Instant messaging (IM) allows users to send each other text, voice messages, and files. Examples of IM are AOL Messenger (AIM), MSN Messenger, ICQ, and Yahoo! Messenger. Most IM clients do not provide strong authentication, making it hard to know if you're really talking to someone you know. Also, IM clients are vulnerable to electronic eavesdropping. Many IM clients now also have file sharing capabilities, which can be used to send malicious files.

Reducing IM security threats:

  • Make sure you have a strong password, and don't allow the program to automatically sign in to your IM account upon computer startup.
  • Don't allow auto-accept file transfers. This is the fastest way for viruses or malware to transfer among IM communities.
  • Free Internet IM programs generally do NOT encrypt your session or data, and at no time should you consider your IM conversations to be completely secure. Never discuss confidential information.
  • Do not accept incoming messages from sign-in names that are not on your contact list. If someone wants to begin to communicate with you via IM, they should email you or phone you to exchange IM sign-in names.
  • Most IM companies will contact you when a new upgrade or security patch is available. Install the upgrade or patch ASAP since often the company is addressing a security flaw.