Identity Theft vs. Identity Fraud - Cyber Criminals Now Focus on the Latter

Identity theft and identity fraud may sound similar, but they aren’t the same thing at all. The difference matters, especially since criminals have shifted their emphasis to identity fraud-based crime. Now, threat actors focus more on businesses and organizations rather than individuals. Let’s look at the difference between identity theft vs. identity fraud, the trends for these cyberattacks, and how your can reduce your organization’s risks.

Evidence for this shift appears in a recent report from the Identity Theft Resource Center (ITRC). As per the ITRC, in 2021 there were more data compromises reported in the US than in any year since the first state data breach notice law became effective in 2003. The report also concludes that individuals were not the primary target for most identity crimes committed in 2021. Instead, consumer information was often the means to the end of attacking businesses through stolen credentials or social engineering campaigns.

So why the shift to identity fraud, and how does it impact your organization? It’s because the payouts are much higher—criminals are looking for larger paydays from organizations. Let’s take a closer look at how this change can impact your cybersecurity strategy.

Identity Theft Vs. Identity Fraud – What’s the Difference?

What’s the difference between identity theft vs. identity fraud? Let’s say a criminal steals your credit card or credentials to access your bank account. The thief then steals funds or makes charges against your existing account. That’s identity theft. In comparison, identity fraud could be when someone fraudulently opens a new credit card account in your name. We can also think of identity fraud as a crime of impersonation.

Typically, the objective of identity theft is to hack the existing assets of an individual. Meanwhile, identity fraud can target an individual or an organization. For example, someone might submit a fraudulent loan application in the victim’s name. In this case, identity fraud affects a single person as well as the loan provider.

Now imagine someone creates a fraudulent social media account that mimics the CEO of a company. From there, they could attempt to contact employees to trick them into giving up sensitive data, initiate financial transactions, download malware, or provide network access. This example highlights one of the key differences between identity theft vs. identity fraud. In the latter, the company and its assets are typically the final target.

How Impersonation Scams Work 

Impersonation attacks can imitate a brand or an individual. For example, cyber gangs might set up a fake Facebook account that looks exactly like a legitimate company account. Everything including the logo looks genuine. The imposters will even publish posts to generate interest and interaction to improve credibility. From there they convince victims to visit fake websites or enter personal information.

C-level executives can be impersonated as well, however, the tactics vary somewhat. Initially, the fake account will have the same name as the executive but not the same face. The criminals gradually populate the account with posts and other data to make it look like a run-of-the-mill social media profile.

Upon weaponization, the false profile is quickly modified (add the executive’s photo, change ‘about’ data, etc.) to mimic the target of impersonation. The criminals then reach out to employees, partners, and colleagues to gain access to critical information and systems or to fool them into executing false transactions.

Even email, messaging app, or text message phishing can be considered a form of identity fraud, as the sender attempts to impersonate a trusted brand or person. Phishers love to pose as corporate executives and ask team members to ask them to purchase gift cards as a surprise for the team (and reminds them not to tell anyone since it’s a surprise), send them a list of overdue accounts for review (including the amount owed and contact information for easy follow-up), and more! Make sure your team knows how to spot these attacks. You can download our tip sheet that shows common ways to identify phishing emails and share it with your team.

How Common is Identity Fraud?

How often are executives imitated? In one report, 55% of cybersecurity pros said that executives at their company have been spoofed or impersonated between Q1 2020 and Q1 2021.

CEOs aren’t the only victims of identity fraud attacks. Any employee could be targeted. The success of the attack is built on trust. If what appears to be a fellow co-worker reaches out to you on social media, you might be tempted to respond. How common are fake social media accounts? In the fourth quarter of 2021 alone, Facebook took down 1.7 billion fake accounts.

Bad Customer Service

Customer service imitation is another form of identity fraud. Here, imposter webpages, forums, chatbots, social media, email, contact pages, and phone calls fool consumers into thinking they are in contact with an actual customer service representative.

Even the NFT universe has been a victim of these types of attacks. In one case, the largest NFT marketplace, OpenSea, had its Discord server infiltrated by rogue actors posing as customer service staff. The hackers then lured targets into a process that ended up emptying the victims’ crypto wallets.

Impersonation Attack Objectives

What do criminals want when they imitate an individual or company? Some common motivations are:

• Illegitimate fund transfer: The criminals try to trick customers, employees, or business partners into transferring funds, paying fake invoices, or exposing their bank or crypto accounts.
• Personal information access: Criminals try to steal user credentials, credit card numbers, social security numbers, phone numbers, addresses, or other personally identifiable information (PII) to sell on the dark web.
• Network access: Threat actors posing as executives or staff gain access to company networks to install malware, expand privileges, and exfiltrate valuable data.
• Fraudulent sales: Imposters can sell fake or unauthorized goods and services. Phony websites, stores, and marketplaces can sell imitation goods or sell legitimate goods from unauthorized distributors.

How To Prevent Identity Fraud

These tactics can help reduce the risk of identity fraud:

• Email threat detection: Use automated email scanning programs to check messages for viruses, malware, and spam. More advanced solutions can evaluate links and attachments for possible malware, prevent confidential information from leaving the network, detect suspicious addresses, identify false domains, and spot other signs of email spoofing.
• Be vigilant and take action: When a fraudulent social media, website, or other platform is detected, it must be reported immediately, and you should request its removal. Both legal and technical teams with takedown expertise should be involved in this effort.
• Team training: Regularly educate and remind your teams about identity fraud threats. For example, only approved company channels of communication should be allowed. Train your employees on how to spot phishing emails and fake social media accounts.
• AI based threat mapping: This involves tracking social media profiles, websites, forums, and other online environments to identify suspicious activity. Given the massive amount of data to process, AI-driven solutions are the most effective threat mapping methods.

Identity Theft Vs. Identity Fraud – Both Are Harmful 

When it comes to identity theft vs. identity fraud, both are harmful and disruptive. With a keen eye, employee training and the right security tools, you can significantly reduce the risk. Get started by contacting us for monthly cybersecurity awareness training for your entire team or a risk assessment to help you find and close your security gaps.