Playing on Doubts and Fears
While the scale of the data loss by the UK’s Revenue and Customs is indeed stunning, there is still no indication that the missing disks containing information from 25 million UK residents have actually fallen into unfriendly hands. However, this is now almost irrelevant as we in the security industry sit and wait for the first scam or phishing attack that plays on people’s doubts and fears.
For those unaware of this issue, on November 20th Her Majesty’s Revenue & Customs (HMRC - the UK's tax and excise agency) acknowledged that it had lost two computer disks containing large amounts of confidential information, including names, addresses, dates of birth, and in some cases bank account information. The missing disks, apparently lost while being transported, may include information on as many as 25 million individuals, including recipients of child benefits.
HMRC believe the disks are still within one of their sites, but after an exhaustive search, they have failed to materialize. So, imagine if you or your family receive an email purporting to be from the Child Benefit Helpline, asking you to visit a certain Web site to input your name, address, national insurance number, and even bank account details so that they can be checked against records to see if your details have been compromised. Or, just think if you receive an email asking you to call a helpline number for advice and guidance on how to protect your details – and this turns out to be a premium line which will rack up huge call charges.
Unfortunately, these are just two of many scams and attacks we can expect to see in the coming days and months – just as happens every time there is a major breach of customer data security. Fraudsters and Internet criminals regularly employ social engineering methods to extort money while playing on people’s genuine doubts and fears.
If you receive an email from your bank, HMRC, or similar, do not be tempted to click on the link or call the number. No genuine communication would ever come to you this way; the message is in all probability spam sent out through botnets controlled by criminal gangs.
Our top-line advice to anyone concerned about identity fraud is:
1. Monitor your bank and credit card statements and alert your bank immediately if you see a transaction in your account that you did not authorize.
2. Reset your passwords if you chose a child’s name or date of birth. Select complex passwords containing numbers, letters and symbols.
3. On the Internet, don’t give away personal details or credit card details to unsecured sites. Always look for the padlock symbol in the bottom of your Internet browser screen and for https:// in the URL address of the Web site you are visiting.
4. Be careful how much personal information you disclose on Web sites, especially social networking sites. Avoid giving out your email address, mobile phone number, or other sensitive information that cyber criminals could use to clone your identity online.
5. Do not click on URL links in emails or instant messages (IMs) from unknown or suspicious sources, especially not those requesting you to verify personal information to a bank or retailer. These are phishing attempts.
6. Install a solid Internet security software suite to protect you from hackers, viruses, and spyware. Always select a product that includes identity protection features to verify the Web sites you visit.
7. Watch out for unexpected emails, particularly those purporting to be from HMRC or government agencies requesting that you verify personal details. These are phishing attempts.