Not all security incidents are created equal, but about 58% of data breaches compromise personal data. Every week brings reports of a new data breach. So, unless a significant amount of personally identifiable information (PII) is revealed — Social Security number, medical records, or bank account numbers — most people read the story and move on. What they don’t realize is that seemingly harmless personal data can be used as leverage in future highly targeted attacks, like phishing, to steal more valuable information.
The amount of consumer data compromised in data leaks and data breaches is staggering. In 2021 alone, there have been multiple breaches — from Facebook to T-Mobile to CVS — impacting millions, and many people aren’t even aware they happened.
You can’t change the data compromises that have happened already. However, you can protect against future fraud by understanding what information has been stolen and how scammers might use it. It’s well known that scammers frequently use stolen personal information to access even more data through phishing.
THREAT ACTORS PLAY A CRITICAL ROLE IN PHISHING ATTACKS
In a phishing attack, a scammer sends an email designed to trick a human victim into believing it’s coming from a reputable organization or someone they know. The criminal’s goal is to convince individuals to click on a malicious link, download malware, and/or reveal personal information. This compromise and sensitive data could include anything from passwords to Social Security numbers (SSNs) and/ or bank account and credit card numbers. Any type of leaked data can and will be used to infiltrate and compromise sensitive information — for example, the general settings you select when creating a new account online, the security questions you choose to protect those accounts, and so much more.
In the first three months of 2021, the number of malicious phishing sites increased 47% year-over-year from 2020, reaching upwards of 350,000 fake sites designed to steal PII. Twenty-two percent of data breaches stem from phishing, and a full 74% of phishing attacks involve credential phishing — or using stolen usernames and passwords.
THE LATEST REAL-WORLD BREACH PHISHING THREATS
If you’re a business professional, chances are you are on LinkedIn. The popular business networking site has also been a victim of impersonated emails. After 500 million LinkedIn records were exposed in April and most recently, 700 million records from the social network were offered for sale on the Dark Web, phishing emails claiming users were locked out of their account were delivered to inboxes worldwide.
Scammers love impersonating government agencies because the fear factor drives victim responses and thus success in their fraud campaigns. Phishing schemes designed to steal government credentials increased 67% in 2020. In July 2021, the Ontario Securities Commission (OSC) issued an alert to industry firms, warning them of a recent phishing attack impersonating OSC’s chair and CEO. Individuals who clicked on the email or opened attachments in these messages were advised to change their email passwords immediately.
The CVS Health data breach in June 2021 affected millions — even billions — of consumers, yet it didn’t receive strong coverage due to a low level of compromised PII. In this incident, a third-party vendor accidentally posted an unsecured database containing more than a billion search records of CVS Health customers. The 204GB leaked database was not password protected and included visitor and session IDs, device information, configuration data, as well as multiple records for medications, including COVID-19 vaccines and CVS products. In most cases, the search data could not be linked to a specific person. However, the data also contained email addresses linked to CVS accounts.
POTENTIAL RISK TO CONSUMERS FROM THE CVS DATA EXPOSURE
What risk does a breach like CVS pose to people whose information was exposed? We asked Al Pascual, Sontiq’s Senior Vice President of Data Breach Solutions, to put it into perspective. “The CVS breach received a 1 rating by the BreachIQ algorithm, but that is not to say this security incident is insignificant. One of the top risks related to the CVS data leak is targeted scams, which can include phishing attempts to commit fraud or simply solicit additional PII. A combination of two factors makes this data especially effective in phishing schemes: It is specifically tied to consumers’ past behaviors, and it is all seemingly benign. Affected consumers should be on the lookout for emails from CVS and/or brands they may have been searching for at CVS.com.”
Pascual continued, “Why? Well, it is not hard to imagine a consumer letting their guard down when they receive an email about the exact product they were just searching for — say, baby diapers. That’s especially true if that email only asks for the consumer’s phone number, address, baby’s name, and birthdate to send future discounts. Of course, criminals would be using the email as a cover for collecting personal information on the consumer and their family. Alternatively, the criminal could take a bolder tact and set up a checkout page for discounted bundles of baby diapers to collect card data. These are only a couple of examples, but at the end of the day, it is all about abusing the trust that consumers have in CVS to further acts of fraud.”
STEPS TO PROTECT AGAINST PHISHING SCHEMES
When sending phishing scams, hackers are after more sensitive information, such as logins and payment information, or can easily penetrate your devices by embedding malware in the email. Follow these four steps from the Federal Trade Commission (FTC) to safeguard your information from phishing:
- Use security software to protect your devices and set up automatic updates.
- Protect your mobile devices and tablets with mobile threat protection to defend against security threats.
- Set up two-factor authentication (2FA) on all online accounts, so an extra layer of validation with a one-time code is needed to gain access.
- Back up all data by copying your computer files and mobile device data to an external hard drive or cloud storage.
Consider these additional tips to protect against phishing scams:
- Set up criminal marketplace scanning to identify where your other sensitive data are already available — which could be combined with your breach records to conduct fraud in your name. These types of services may be included in an identity theft protection service.
- Keep a close eye on all emails you receive and never click on the link or call the phone numbers provided in the email. Instead, navigate directly to the organization’s website and call the customer service number listed there.
- Set up your email inbox to filter out spam and phishing mail.
- Hover your mouse over a link to verify that it is going where you expect it to before you click.