Recently, we helped a company recover from a cybersecurity incident. They were the target of a sophisticated and targeted attack that combined business email compromise (BEC) with a wire transfer fraud scheme that cost them nearly $100,000. This is a large amount by any measure, but as a small business with fewer than 10 employees, it was particularly significant for our client. They were able to recover thanks to a quick response from their bank and involvement from the FBI and US Secret Service. We came in after the incident to help them preserve digital forensic evidence, clean up their system, and implement safeguards to protect against future attacks. The lessons learned from this incident were nothing new; we see them in corporate environments all the time. But because of the frequency of this type of attack, they are worth repeating here.
Here are 6 steps any company can take to secure itself against cybersecurity attacks:
- Have an incident response plan that includes contact information of executives, technical personnel, your bank, major suppliers/customers, and law enforcement to alert involved parties as soon as possible to minimize damage in the event of a breach.
- Implement spam/phishing filters for your corporate email (Office 365, Google Apps, etc.) and monitor for suspicious activity.
- Implement strong password policies, single sign-on (SSO), multi-factor authentication (MFA), and a password manager.
- Implement endpoint protection tools against viruses, malware, and advanced attacks.
- Implement regular scanning and patching for your systems and applications.
- Implement a security monitoring, alerting, and incident response process.
With these controls in place, we are confident that our client’s corporate systems will be protected, and we can monitor and respond to any future attack attempts. But beyond the steps taken to protect corporate security infrastructure, our client raised a different question: the CEO had his own and his family members’ sensitive data, such as names, emails, SSNs, and addresses, on his laptop; this information was in the hands of bad actors and potentially already sold on dark web marketplaces. So, what should you do to protect yourself and your family members in this situation? The bad actors have one goal: to make money. They don’t care if they accomplish this by taking over your corporate servers or using your SSN to create a fraudulent credit card to buy goods online.
Although the tactics and results may vary, the basics of Identity Theft are well understood. The Federal Trade Commission (FTC) has a handy site that can guide you through the process of what to do if you are a victim of Identity Theft and related fraud. However, we want to focus on the cases where you had a data breach, but you are not aware of any fraudulent activity with your personal information. Here is a short guide that will help you if you ever find yourself in this situation, with links to resources and further reading:
- Start with the FTC Identity Theft site, which provides a checklist of personal data items that might have been compromised, with steps to take for each if you suspect theft.
- Sign up with an Identity Theft protection service. Although you can do almost all of the tasks to protect yourself from Identity Theft on your own, some services do it for you for a fee. If you do not have time to monitor it yourself, consider using one of these services. Besides saving you time and hassle, some of these services also provide monetary guarantees and legal assistance in case you fall victim to Identity Theft fraud. Again, the FTC provides a great resource to understand these services. You can also check out comparison sites like NerdWallet and SafeHome to learn more about different providers and pick one that fits your needs.
- If you want to be extra safe, you can place a credit freeze with one of the three major credit card monitoring bureaus. Be aware that this will make it harder for fraudsters to open accounts with your information, but it will also be harder for you to open a new credit card next time you are shopping at the mall. It can be worth the extra effort though, especially if you suspect your data is already exposed. A credit freeze will last for one year. If you experience Identity Theft, you are eligible to request an extended alert or freeze which will last for seven years. Consult this FTC page for instructions on placing a credit freeze.
The Internal Revenue Service launched Identity Theft Central, designed to improve online access to information on identity theft and data security protection for taxpayers, tax professionals, and businesses. The site is full of useful resources, especially on how to contact the IRS and what steps to take if you are a victim.
In addition to the traditional Identity Theft schemes, in recent years we have seen some specific types of fraud schemes. If your information has been exposed, these are three ways malicious actors may try to monetize that information.
- Tax Return Fraud
- Medical Identity Fraud
- Child Identity Theft
Tax return fraud occurs when someone uses your or your family members’ personal data like name, SSN, and address to file a tax return in your name in order to claim a refund. Often victims of this type of fraud only learn that their identity has been stolen when they file their tax return and it is rejected because someone has already filed a return using the same SSN. As tax season approaches, there is no doubt that the fraudsters are getting ready to exploit this vulnerability. Although there is no magic button to protect yourself from tax return fraud, we recommend you file your tax returns as early as possible.
If you want to learn more about tax return fraud and what to do if you are a victim, check the links:
- Tax-Related Identity Theft by Federal Trade Commission Consumer Information
- Identity Theft: What to Do If Someone Has Already Filed Taxes Using Your Social Security Number by Intuit TurboTax
- Identity Theft Central by IRS
In medical identity fraud, your personal information can be used to seek treatment in the emergency room, get prescription drugs, and file insurance claims. Individuals whose health data (insurance ID, Medicare enrollment ID, etc.) have been exposed along with their personal information are particularly at risk. If the thief’s health information is mixed with your own, your treatment, insurance and payment records, and credit report may be affected.
If you receive bills, medical collection notices, or debt collector calls about medical services you did not receive, or if your health insurance provider notifies you that you have reached your benefits limit, you may have fallen victim to medical identity fraud. Even if there are no warning signs, you should regularly review your medical bills and records to check for accuracy, particularly if your personal data has recently been exposed in a breach.
The following sources provide additional practical steps to protect yourself from medical identity fraud:
- Medical Identity Theft by Federal Trade Commission Consumer Information
- Medical ID theft by Fraud.org
- What Is Medical Identity Theft? by LifeLock
Child identity theft occurs when someone uses a child’s SSN to open bank or credit card accounts, apply for loans, apply for government benefits, etc. The crime can go undetected for years because most people do not monitor their children’s credit. In fact, most younger children should not have a credit report unless there has been an incident of fraud, so it is harder to request a minor’s credit report from credit bureaus. Because of this, victims of child identity theft often do not know about the theft until years later when they are denied benefits and loans due to bad credit.
In general, you should protect your child’s personal data the way you would protect your own. Do not share your child’s SSN unless absolutely necessary. Ask how your child’s school is using and storing their personal data. If there is a data breach reported at your child’s school, much the same as if your employer suffers a breach, take action to ensure your child is not a victim of Identity Theft with this further reading on the topic:
- Child Identity Theft by Federal Trade Commission Consumer Information
- What Is Child Identity Theft? by LifeLock
It is normal to keep records of family members on your work computer. Perhaps you needed the SSNs of all your family members to enroll them in the company-sponsored healthcare plan. Maybe it was easier to manage your family finances all in one place. Whatever the reason, the reality is that most employees have some personal data from their family members on their work computers. If this data has been exposed, you need to consider taking preventative steps for every family member whose data might have been compromised. For adult family members, this process is the same as your own, while special steps must be taken for minors.
Hopefully, the resources provided here will help you be better informed about the risks of Identity Theft and related fraud schemes and leave you with your own arsenal of practical steps to take if your data is exposed.