Amid all the news that hackers gave gotten their grubby little hands on millions of credit card numbers and contact information from at least 5 retailers – including Target and Neiman Marcus – many of you might be wondering what those thieves could really net from just an email address and a cancelled credit card. The answer depends on you, and what kind of “ish” you could get sucked in by.
On the one hand, you’re technically right – once a credit card is cancelled and without your Social Security number, there’s not much left for an identity thief to directly profit off of. But with a little extra work and some programming ingenuity, identity thieves can use this information to engage in what I like to call the pantheon of “ishing” – phishing, spear-phishing, vishing and smishing – and still turn a tidy profit off of their crimes with your inadvertent help.
So what are these four big Ishes? If you have an email account, you’re probably already familiar with phishing, which is when you (and thousands of other people) get an email claiming to be “your” financial company, email provider or best friend (among other identities) in an effort to get you to give them sensitive financial information or personal information (like your Social Security number), or even to click on a link that will collect that information or install a virus or malware onto your computer.
What you might not know is that phishermen’s trawling tactics are increasingly sophisticated and their emails look more and more like they’ve come from reputable sources, which is why you have to retrain yourself not to click, no matter how initially important or worrisome the email might appear to be. If you think you do need to be in touch with your financial institution, email provider or best buddy, type that email address directly in a new window, or web address in a new browser.
Spear-phishing is, as it sounds, just a more targeted form of phishing: hackers will go through lists of contact data looking for people that seem either more vulnerable to phishing tactics or more important – like people who work at financial services companies – and send them tailored emails that appear to come from specific, important people they know. They’re often asked to click on links or download seemingly innocuous files and – bam! – the hackers are in.
Vishing is how hackers take advantage of phone number databases – like the ones accessed in the SnapChat hack. They’ll call you and claim to be from your bank (they just need your account number and routing information), the IRS (just confirm your Social Security number) or even Microsoft (just let them log into your PC remotely) to try to gain access to your personal or financial information or even install malware on your devices.
Perhaps the newest identity theft technique is smishing – and, no, this isn’t what Snooki and the gang were talking about on “Jersey Shore.” Actually, hackers use cell phone numbers they obtained – through everything from the SnapChat hack to the second part of the Target hack – to text people. They can disguise their numbers, pretend to be companies with which you are affiliated or simply encourage you to open a link which can install malware or viruses on your smartphone.
But all these techniques require one thing: that consumers fall for it! They require you to let your guard down, assume your spam filter will catch it, be distracted when so-and-so from “your bank” calls worried about your account security, or wondering who would text you a link to something and what it could all mean. They require you to think that Target’s offer of free credit monitoring is all you need to protect yourself, that a hacker having your email address isn’t a big deal, and that once your credit card is replaced, you need not closely monitor your accounts after that.
They want you to let your own issues overcome your healthy skepticism when it’s time for their “ish.” Don’t grant their wish.