ICS Module 4

The document provides an overview of phishing and identity theft, detailing various phishing methods and techniques used by attackers to deceive individuals into revealing personal information. It highlights the role of the Anti-Phishing Working Group (APWG) in combating these threats and outlines the differences between phishing, spam, and hoax emails. Additionally, it discusses specific phishing tactics such as spear phishing, social phishing, and phone phishing, emphasizing the importance of awareness and countermeasures against these cyber threats.

Uploaded by

jerusha091206

Introduction to Cyber Security

Module 4: Phishing and Identity Theft

Phishing and Identity Theft

• Introduction
• Methods of phishing
• Phishing
• Phishing techniques
• Spear phishing
• Types of phishing scams
• Phishing toolkits and spy phishing
• Countermeasures
• Identity Theft

Dayananda Sagar Academy of Technology & Management 2


Introduction
• “Phishing” is the use of social engineering tactics to trick
users into revealing confidential information.
• Phishing is equal parts technology and psychology, used in a
systematic way to exploit netizens, not only by individual
attackers but also by organized criminal groups.
• Phishing is a dangerous enemy among all the
methods/techniques discussed, because the prime objective
behind these attacks is ID theft.
• ID theft involves unauthorized access to personal data.

Introduction

3. Phishing attacks are monitored on a daily basis and displayed on
www.phishtank.com. It is important to note that more than five million
E-Mails are identified as “verified and valid” phished E-Mails almost
every day.
4. According to the May 2009 Phishing Monthly Report compiled by the
Symantec Security Response Anti-Fraud Team:
– A total of 3,650 non-English Phishing websites were recorded in the
month of May 2009; of these, French-language Phishing sites were the
most frequently recorded, followed by websites in Italian and Chinese.
– Phishing URLs are categorized based on the top-level domains (TLDs).
The most used TLDs in Phishing websites during the month of May
2009 were “.com,” “.net” and “.org”, comprising
50%, 9% and 5%, respectively.

APWG (Anti-Phishing Working Group)
• The Anti-Phishing Working Group (APWG) - www.antiphishing.org - is an
international consortium, founded in 2003 by David Jevans, to bring
together security products and services companies, law enforcement
agencies, government agencies, trade associations, regional
international treaty organizations and communications companies that
are affected by Phishing attacks.
• APWG has more than 3,200 members from more than 1,700
organizations and agencies across the globe. To name a few,
member organizations include leading security companies such as
Bitdefender, Symantec, McAfee, VeriSign and IronKey. ING
Group, VISA, Mastercard and the American Bankers
Association are members from the financial industry.

APWG (Anti-Phishing Working Group)
• APWG is focused on eliminating identity theft that results from
the growing attacks/scams of Phishing and E-Mail Spoofing.
• APWG provides a platform to discuss Phishing issues, define
the scope of the Phishing problem in terms of costs and share
information about best practices to eliminate these
attacks/scams.

Phishing

• It is important to understand the types of E-Mails with which we deal
every day.
• We will discuss two such E-Mails:
(A) Spam E-Mails
(B) Hoax E-Mails.

Definitions of the term “Phishing.”
• Wikipedia: It is the criminally fraudulent process of attempting
to acquire sensitive information such as usernames, passwords
and credit card details by masquerading as a trustworthy entity
in an electronic communication.

Phishing is different from spam
• Spam attempts to sell a product or service whereas a phished
E-Mail seems to be sent by a legitimate organization/institute.
• Techniques that are applied to Spam messages cannot be
applied to Phishing messages.
• The purpose of a phished E-Mail is to obtain sensitive personal
information about a user.
• As a form of deception, a Phishing E-Mail contains no useful
information for the intended recipient and thus falls under
the category of Spam.

Hoax E-Mails
• These are deliberate attempts to deceive or trick a user into
believing or accepting that something is real, when the hoaxer
(the person or group creating the hoax) knows it is false. Hoax
E-Mails may or may not be Spam E-Mails.
• It is sometimes difficult to recognize whether an E-Mail is a
“Spam” or a “hoax.”
• The websites mentioned below can be used to check the
validity of such “hoax” E-Mails — for example, chain E-Mails.
1. www.breakthechain.org
2. www.hoaxbusters.org
3. http://www.westpac.com.au/security/fraud-and-scams/latest-hoax-email-examples

• Spam E-Mails: The primary intent of spam E-Mails
is to advertise, promote, or sell products or
services to a large audience, and also to
damage the system.
• Hoax E-Mails are intended to deceive or mislead
the recipient into believing false information.

Methods of Phishing

• The most frequent methods used by phishers to entice (attract)
netizens to reveal their personal information on the Internet are:
1. Dragnet
2. Rod-and-reel
3. Lobsterpot
4. Gillnet

Methods of Phishing
• Dragnet:
• This method involves the use of spammed E-Mails, bearing
falsified corporate identification (e.g., corporate names, logos
and trademarks), which are addressed to a large group of
people and lead to websites or pop-up windows with similarly
falsified identification.
• Dragnet phishers do not identify specific prospective victims in
advance.
• Instead, they rely on false information included in an E-Mail to
trigger an immediate response by victims — typically, clicking
on links in the body of the E-Mail to take the victims to the
websites or pop-up windows where they are requested to
enter bank or credit card account data or other personal data.

Methods of Phishing
• Rod-and-reel:
• In this method, phishers identify specific prospective victims in
advance, and convey false information to them to prompt their
disclosure of personal and financial data.
• For example, a phony webpage displays an item the victims may be
searching for at a better (i.e., cheaper) price; upon visiting the
webpage, victims are asked for personal information such as name,
bank account numbers and passwords before the “sale” is confirmed,
and this information is then easily available to the phisher.

Methods of Phishing
• Lobsterpot:
• This method focuses upon use of spoofed websites.
• It consists of creating bogus/phony websites, similar to legitimate
corporate ones, that a narrowly defined class of victims is likely
to seek out. These attacks are also known as “content injection Phishing.”
• The phisher places a weblink into an E-Mail message to make it look more
legitimate; the link actually takes the victim to a phony scam site, which
appears to be a legitimate website, or possibly to a pop-up window that
looks exactly like the official site.
• These fake sites are also called “spoofed” websites.
• Once the netizen is on one of these spoofed sites, he/she might
unwittingly send personal information to the con artists (individuals who
deceive or manipulate others to gain something, typically money, by
exploiting trust). They then often use your information to purchase goods,
apply for a new credit card or otherwise steal your identity.

Methods of Phishing
• Gillnet:
• This technique relies far less on social engineering techniques;
phishers introduce Malicious Code into E-Mails and websites.
• A gillnet in cybersecurity could be used as a metaphor (a
metaphor is a figure of speech in which one thing is directly
compared to another) for a security measure or tool
that passively catches intrusions, attacks, or malicious
activities without directly blocking them.

SPAMBOT
• SPAMBOT is an automated computer program and/or a script, developed
mostly in the "C" programming language, to send Spam mails.

• SPAMBOTS gather E-Mail addresses from the Internet to build mailing
lists for sending unsolicited E-Mail. SPAMBOTS are also known as web
crawlers, as they gather E-Mail addresses from numerous websites, chat
room conversations, newsgroups and special-interest group (SIG) postings.

• A SPAMBOT begins its scan on a webpage and searches for two things:
(a) Hyperlinks and
(b) E-Mail addresses.
• It gathers and stores E-Mail addresses and crawls (i.e., follows) through
each hyperlink to a new page to gather more E-Mail addresses.

SPAMBOT
• The term SPAMBOT is also sometimes used with reference to
a program designed to prevent Spam to reach the subscribers
of an Internet service provider (ISP).
• Such programs are called E-Mail blockers or filters.
• Such an E-Mail blocker and/or filter may occasionally block a
legitimate E-Mail message, which then cannot be delivered to the
intended recipient.
• This can be avoided by allowing each subscriber to generate a
whitelist of specific E-Mail addresses the blocker should pass.

Homograph Attack
• The meaning of homograph is that two words are spelled the same way
but differ in meaning (e.g., fair).
• Phishers use the homograph attack on the Internationalized Domain Name
(IDN) to deceive netizens by redirecting them to a phony website
which looks like the original website.
• ASCII has several characters which look alike, for example, "0" (zero) and
"O" (letter o in uppercase), "l" (letter L in lowercase) and "I" (letter i
in uppercase). For example, www.microsoft.com could be
juggled as www.rnicrosoft.con. This phenomenon opens a rich vein of
opportunities for Phishing attacks.
• The phisher could create and register a domain name which appears
almost identical to an existing domain and takes the netizen to the phony
website.

Homograph Attack
• Phisher could send E-Mail messages displaying the URL of a
phony website, purporting to come from the original site, but
directing netizens to the phony website.
• The phisher could easily record information such as passwords
or account details through this spoofed website, while passing
traffic through the original website.
• The netizens will never be able to notice the difference, until
some suspicious or unusual activity occurs with their accounts.

Phishing Techniques

1. URL (weblink) manipulation
2. Filter evasion
3. Website forgery
4. Flash Phishing
5. Social Phishing
6. Phone Phishing

Phishing Techniques

1. URL (weblink) manipulation: URLs are the weblinks (i.e., Internet
addresses) that direct the netizens/users to a specific website. In a
Phishing attack, these URLs are usually supplied misspelled;
for example, instead of www.abcbank.com, the URL is provided as
www.abcbankl.com. Phishers use the Lobsterpot method of Phishing and
make a difference of one or two letters in the URLs, which
is ignored by netizens. This makes a big difference and it directs users to a
fake/bogus website or a webpage.
2. Filter evasion: This technique uses graphics instead of text to prevent
anti-Phishing filters from netting such E-Mails. Normally, these filters
are built into the web browsers.
• Internet Explorer version 7 has an inbuilt “Microsoft phishing filter.” One can
enable it during the installation or post-installation.
• Firefox 2.0 and above has an inbuilt “Google Phishing filter.”
• The Opera Phishing filter is dubbed Opera Fraud Protection and is included in version 9.5+.
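
A defensive check for the lookalike names described under Homograph Attack and URL manipulation above, as an added example that is not part of the original slides: it folds visually confusable ASCII sequences into one canonical form and then measures edit distance against a list of protected domains. The protected list, the confusable table and all function names are assumptions made for illustration.

```python
"""Flag host names that imitate a protected domain (added example)."""

# Constructed watch list: domains an organization wants to protect (assumption).
PROTECTED = ["microsoft.com", "abcbank.com"]

# Visually confusable ASCII sequences folded to one canonical form.
# Multi-character entries are applied before single characters.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("i", "l")]


def registrable(host: str) -> str:
    """Lower-case a host name and drop a leading 'www.' label.

    Simplification: a production check would extract the registrable
    domain with a public-suffix list instead of comparing the whole host.
    """
    host = host.strip().lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def skeleton(name: str) -> str:
    """Fold look-alike sequences so imitations collapse onto the original."""
    name = name.lower()
    for seq, canon in CONFUSABLES:
        name = name.replace(seq, canon)
    return name


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify(host: str, protected=PROTECTED, max_distance: int = 2):
    """Return (verdict, matched_domain).

    verdict: 'legitimate' (exact match), 'homograph' (identical after
    folding), 'typosquat' (within max_distance edits after folding),
    or 'unrelated'.
    """
    name = registrable(host)
    if name in protected:
        return "legitimate", name
    folded = skeleton(name)
    best = None
    for target in protected:
        d = edit_distance(folded, skeleton(target))
        if best is None or d < best[0]:
            best = (d, target)
    if best[0] == 0:
        return "homograph", best[1]
    if best[0] <= max_distance:
        return "typosquat", best[1]
    return "unrelated", None


if __name__ == "__main__":
    # Host names taken from the slides plus constructed variants.
    for h in ["www.microsoft.com", "www.rnicrosoft.con",
              "www.abcbankl.com", "MICR0S0FT.COM", "example.org"]:
        print(h, "->", classify(h))
```

The threshold of two edits matches the "one or two letters" difference mentioned above; short protected names need a lower threshold to avoid false positives.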

Phishing Techniques

3. Website forgery: In this technique the phisher directs the
netizens to a website designed and developed by him, to log in to the
website, by altering the browser address bar through JavaScript
commands. As the netizen logs into the fake/bogus website, the phisher gets
the confidential information very easily. Another technique used is known
as the “cloaked” URL - domain forwarding and/or inserting control characters
into the URL while concealing the weblink address of the real website.

4. Flash Phishing: Anti-Phishing toolbars are installed/enabled to
help check the webpage content for signs of Phishing, but have the
limitation that they do not analyze flash objects at all. Phishers use
flash objects to emulate the legitimate website. Netizens believe that the
website is “clean” and is a real website because the anti-Phishing toolbar
is unable to detect it.

Phishing Techniques

5. Social Phishing: Phishers entice the netizens to reveal sensitive
data by other means, and it works in a systematic manner.
A. The phisher sends a mail as if it is sent by a bank, asking the victim
to call back because there was a security breach. The victim calls the
bank on the phone numbers displayed in the mail.
B. The phone number provided in the mail is a false number and
the victim gets redirected to the phisher.
C. The phisher speaks with the victim in a similar fashion/style to a
bank employee, asking to verify that the victim is a customer
of the bank. For example, “Sir, we need to make sure that you
are indeed our customer. Could you please supply your credit
card information so that I can verify your identity?”
D. The phisher gets the required details swimmingly.

Phishing Techniques

6. Phone Phishing: We have explained “Mishing” - mobile
Phishing attacks. Besides such attacks, a phisher can use fake
caller ID data to make it appear that the call is received from a
trusted organization to entice the users to reveal their personal
information such as account numbers and passwords.

Spear Phishing
• “Spear Phishing” is a method of sending a Phishing message to
a particular organization to gain organizational information for
more targeted social engineering.
• Spear Phishing describes any highly targeted Phishing attack.
Spear phishers send E-Mail that appears genuine to all the
employees or members within a certain company,
government agency, organization or group.
• The message might look as if it has come from your
employer, or from a colleague who might send an E-Mail
message to everyone in the company.
• It could include requests for usernames or passwords.
Unfortunately, through the modus operandi of the Spear
phishers, the E-Mail sender information has been faked or
“spoofed.”

Spear Phishing
• While traditional Phishing scams are designed to steal information from
individuals, Spear Phishing scams work to gain access to a company’s
entire computer system.
• If you respond with a username or password, or if you click on the links or
open the attachments in a Spear Phishing E-Mail, pop-up window or
website, then you might become a victim of ID theft and you might put
your employer or group at risk.
• Spear Phishing also describes scams that target people who use a certain
product or website.
• Scam artists use any information they can to personalize a Phishing scam
to as specific a group as possible.
• Thus, “Spear Phishing” is a targeted E-Mail attack that a scammer sends
only to people within a small group, such as a company.
• The E-Mail message might appear to be genuine, but if you respond to it,
you might put yourself and your employer at risk.

Whaling
• A specific form of “Phishing” and/or “Spear Phishing” – targeting executives
from the top management in the organizations, usually from private
companies.
• The objective is to swindle the executives into revealing confidential
information.
• Whaling targets C-level executives sometimes with the help of information
gleaned through Spear Phishing, aimed at installing malware for keylogging
or other backdoor access mechanisms.
• E-Mails sent in the whaling scams are designed to masquerade as a critical
business E-Mail sent from a legitimate business body and/or business
authority.
• Whaling phishers have also forged official looking FBI subpoena E-Mails and
claimed that the manager needs to click a link and install special software to
view the subpoena.

Avoiding Spear Phishing Scams
• There are a few precautions you can take to avoid making yourself a victim
of a Phishing scam:
1. Never reveal personal or financial information in a response to an E-Mail
request, no matter who appears to have sent it.
2. If you receive an E-Mail message that appears suspicious, call the person or
organization listed in the From line before you respond or open any
attached files.
3. Never click links in an E-Mail message that requests personal or financial
information. Enter the web address into your browser window instead.
4. Report any E-Mail that you suspect might be a Spear Phishing campaign
within your company.
5. You can use the Phishing filter - it scans and helps identify suspicious
websites, and provides up-to-the-hour updates and reports about known
Phishing sites.

Types of Phishing Scams
1. Deceptive Phishing
2. Malware-based Phishing
3. Keyloggers
4. Session hijacking
5. In-session Phishing
6. Web Trojans
7. Pharming
8. System reconfiguration attacks
9. Data theft
10. Content-injection Phishing
11. Man-in-the-middle Phishing
12. Search engine Phishing
13. SSL certificate Phishing

Types of Phishing Scams

1. Deceptive Phishing: Phishing scams started by broadcasting deceptive
E-Mail messages with the objective of ID theft. E-Mails are broadcast to
a wide group of netizens, citing the need to verify banking account
information, a system failure requiring users to re-enter their personal
information, fictitious account charges and/or undesirable account
changes, or new free services requiring quick action.

2. Malware-based Phishing: It refers to scams that involve running
Malicious Code on the netizen's system. Malware can be launched as an
E-Mail attachment or as a downloadable file from a website or by exploiting
known security vulnerabilities. For example, businesses are always found
to be negligent in keeping their operating systems (OS) and antivirus
software up to date with the latest patch updates released by vendors.

Types of Phishing Scams

3. Keyloggers

4. Session hijacking: It is an attack in which netizens’ activities are
monitored until they establish their credentials by signing into their
account or begin the transaction; at that point the Malicious Code
takes over and performs unauthorized actions, such as transferring funds,
without the netizen's knowledge.

5. In-session Phishing: It is a Phishing attack based upon one web
browsing session being able to detect the presence of another session
(such as a visit to an online banking website) on the same web browser;
a pop-up window is then launched that pretends to be opened from the
targeted session. The advantage of an in-session Phishing attack is that
the phisher does not need the targeted website to be compromised but
relies on modern web browsers supporting more than one session.

Types of Phishing Scams

6. Web Trojans: They pop up to collect netizens’ credentials and transmit them to
the phisher while netizens are attempting to log in. Such pop-ups are usually
invisible.
7. Pharming: It is an attack aiming to redirect a website's traffic to another
bogus website. In Pharming, an attacker exploits a vulnerability in an Internet
service provider's (ISP) DNS server and hijacks the domain name of a
commercial site. Therefore, anyone going to the legitimate site is then
redirected to an identical but bogus site.

Types of Phishing Scams
8. System reconfiguration attacks: A phisher can intrude into the netizen's
system to modify the settings for malicious purposes. For example, the URL of a
bank website saved under favorites in the browser might be modified so that it
redirects to a fake/bogus website.

9. Data theft: Critical and confidential data getting stolen is one of the biggest
concerns. As more and more information resides on corporate servers and
the Web, attackers have a boom time because taking away/copying information
in electronic form is so easy! Unsecured systems are often found to be
inappropriately maintained from a cyber security perspective. When such
systems are connected, the web servers can launch an attack with numerous
methods and techniques. Data theft is a widely used approach to business
espionage. Phishers can easily make a profit from selling stolen confidential
communications, design documents, legal opinions and employee-related
records to those who may want to embarrass or cause economic damage to
competitors.

Types of Phishing Scams
10. Content-injection Phishing: In this type of scam, the phisher replaces part of the
content of a legitimate website with false content to mislead the netizen into revealing
confidential personal information. For example, the phisher may insert Malicious
Code that secretly captures the netizen’s credentials and sends them to the
phisher.
11. Man-in-the-middle Phishing: In this type of attack, the phisher positions himself
between the netizen and the legitimate website or system. The phisher records the
input being provided by the netizens but continues to pass it on to the web server
so that netizens’ transactions are not affected. Later on the phisher can either sell or
use the information or credentials collected when the user is not active on the
system. This attack is very difficult to detect.

Types of Phishing Scams
12. Search engine Phishing: It occurs when phishers create websites with
attractive sounding offers and have them indexed legitimately with search
engines. Netizens find websites during their normal course of search for
products or services and are trapped to reveal their personal information. For
example, phishers set up fake/bogus banking websites displaying an offer of
lower credit costs or better interest rates than other banks. Netizens who use
these websites to save or make more from interest charges are encouraged to
transfer existing accounts and enticed into giving up their details.

Phoraging
• It is defined as a process of collecting data from many different online
sources to build up the identity of someone with the ultimate aim of
committing identity theft.
• Phoraging is information diving, i.e., searching for information with the
aim of identity theft, whereby a phisher collects data from various
sources such as social networking sites, viruses and Spyware to build
up the identity of a person.
• The phishers always work in a smarter way; hence nowadays they are
focusing on “matrimonial sites” as well as “social networking sites for
professionals” (e.g., www.linkedin.com) to obtain personal
information such as date of birth, personal E-Mail address, contact
details and so on, as the members cannot post false information on
these websites.

DNS Hijacking

• DNS hijackers use malware in the form of a Trojan to
replace the legitimate DNS server assignment made by the
ISP with a manual DNS server assignment pointing to a
bogus DNS server.
• When netizens visit reputable websites with
legitimate domain names, they are automatically
hijacked to a malicious website that is disguised as the
legitimate one.
• This allows the malicious website to perform any
criminal act that the phisher wishes, because the
netizen thinks that he/she is on the real website.

Distributed Phishing Attack (DPA)
1. A Distributed Phishing attack is an advanced form of Phishing attack that works
through per-victim personalization of the location of sites collecting credentials
and a covert transmission of credentials to a hidden coordination center run by the
phisher.
2. In this attack a large number of fraudulent web hosts (i.e., servers controlled by
the phisher) are used for each set of lured E-Mails.
3. Each server collects only a tiny percentage of the victim's personal information.
This minimizes the possibility that the phisher shuts down the fraudulent web host
within hours of the initial mailing, due to the risk of detection of the origin of the
fraudulent E-Mail.
4. Each victim is referred to a unique webpage and, in the extreme case, the benefits
of detection are kept to a minimum.
5. Even if the victim recognizes the fraudulent E-Mail as a component of a Phishing
attack, disabling the web server and/or the weblink to the fraudulent web server
will not prevent any other potential victims from being cheated of their personal
information.
6. Phishers launch attacks through thousands of servers using collections of
compromised systems such as Botnets and/or zombies.

Phishing Countermeasures
Security measures to avoid being a victim of Phishing Attack
1. Keep antivirus up to date
2. Do not click on hyperlinks in E-Mails
3. Take advantage of anti-Spam software
4. Verify https
5. Use anti-spyware solutions
6. Get educated
7. Use Microsoft Baseline Security Analyzer
8. Firewall
9. Use backup system images
10. Do not enter sensitive information into pop-up windows
11. Secure the hosts file
12. Protect against DNS Pharming attacks

SPS Algorithm to Thwart Phishing Attacks
• The key idea behind SPS is that a web Phishing attack can be immunized by
removing the part of the content that entices the netizens into entering their
personal information. SPS sanitizes all HTTP responses from suspicious URLs with
warning messages, so that netizens will realize that they are browsing
Phishing sites.
• The Phishing attack comprises two phases:
(a) attraction and (b) acquisition.
• E-Mail Spoofing attracts netizens; to acquire personal information, the spoofed
E-Mail entices the netizens to execute the attached crimeware or to access a
“spoofed” website.

SPS Algorithm to Thwart Phishing Attacks
The characteristics of SPS are:
1. Two-level filtering: SPS employs two-level filtering composed of strict URL
filtering and HTTP response sanitizing.
2. Flexibility of the rule set: By filtering HTTP responses, the algorithm
distinguishes between legitimate websites and other suspicious websites based
on a rule set written by the operator of SPS.
3. Simplicity of the filtering algorithm: A simple two-level filtering algorithm can
be described in 20 steps and can easily apply the SPS functions.
4. Accountability of HTTP response sanitizing: SPS prevents netizens from
disclosing their personal information to Phishing sites by removing malicious HTTP
headers or HTML tags from HTTP responses. SPS can also alert netizens about
a requested webpage that contains suspicious parts that are under threat at the time
of Phishing attacks.
5. Robustness against both misbehavior of novice users and evasion techniques:
An SPS built-in proxy server can protect netizens from almost all deceit cases of
web Spoofing, regardless of the netizen’s misbehavior and the evasion techniques used
by the phisher.
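
A much-reduced sketch of the two-level idea described above (strict URL filtering, then HTTP response sanitizing), as an added example that is not the SPS algorithm itself or its authors' code: responses from hosts outside an operator-written allowlist lose their data-entry tags and selected headers, and a warning is placed in front of the page. The allowlist, the tag and header rule sets, the sample page and all names are assumptions made for illustration.

```python
"""Two-level filter: URL allowlist, then response sanitizing (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Operator rule set (assumed for this sketch).
TRUSTED_HOSTS = {"www.abcbank.com"}          # level 1: strict URL filter
STRIP_TAGS = {"form", "input", "textarea", "select", "option", "button", "script"}
STRIP_HEADERS = {"refresh", "set-cookie"}    # header names, lower-case
WARNING = ("<p><strong>Warning: data-entry content was removed from "
           "this unverified site.</strong></p>")

# Constructed sample of a login page served by a look-alike host.
SAMPLE_PAGE = ('<html><body><h1>ABC Bank</h1>'
               '<form action="/login" method="post">User: <input name="u"> '
               'Pass: <input type="password" name="p"><button>Sign in</button></form>'
               '<script>document.title="x<y"</script>'
               '<p>Help &amp; contact</p></body></html>')


class Sanitizer(HTMLParser):
    """Re-emit HTML without STRIP_TAGS; script bodies are dropped as well.

    Comments and the doctype are not re-emitted; event-handler attributes
    on remaining tags are outside the scope of this sketch.
    """

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.removed, self._in_script = [], 0, 0

    def handle_starttag(self, tag, attrs):
        if tag in STRIP_TAGS:
            self.removed += 1
            if tag == "script":
                self._in_script += 1
        elif not self._in_script:
            self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        if tag in STRIP_TAGS:
            self.removed += 1
        elif not self._in_script:
            self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script -= 1
        elif tag not in STRIP_TAGS and not self._in_script:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._in_script:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self._in_script:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self._in_script:
            self.out.append(f"&#{name};")


def sanitize_response(url, headers, body):
    """Return (headers, body, sanitized) after applying both filter levels."""
    host = (urlsplit(url).hostname or "").lower()
    if host in TRUSTED_HOSTS:                # level 1 passes: leave untouched
        return dict(headers), body, False
    parser = Sanitizer()                     # level 2: sanitize the response
    parser.feed(body)
    parser.close()
    kept = {k: v for k, v in headers.items() if k.lower() not in STRIP_HEADERS}
    changed = bool(parser.removed or len(kept) != len(headers))
    clean = "".join(parser.out)
    return kept, (WARNING + clean if changed else clean), changed


if __name__ == "__main__":
    hdrs = {"Content-Type": "text/html", "Refresh": "0; url=/next"}
    print(sanitize_response("http://www.abcbankl.com/login", hdrs, SAMPLE_PAGE))
```

The page text still renders for an untrusted host, but there is no field left to type credentials into and the warning explains why.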

Identity Theft (ID Theft)

• This term is used to refer to fraud that involves someone
pretending to be someone else to steal money or get
other benefits.
• ID theft is a punishable offense under the Indian IT Act
(Section 66C and Section 66D).

Identity Theft (ID Theft)

• The Federal Trade Commission (FTC) has provided statistics on each
type of identity fraud; the prime frauds are presented below:
1. Credit card fraud (26%): The highest rated fraud that can occur is
when someone acquires the victim’s credit card number and uses it
to make a purchase.
2. Bank fraud (17%): Besides credit card fraud, cheque theft and
Automatic Teller Machine (ATM) pass code theft have been reported
that are possible with ID theft.
3. Employment fraud (12%): In this fraud, the attacker borrows the
victim's valid SSN to obtain a job.
4. Government fraud (9%): This type of fraud includes SSN, driver's
license and income tax fraud.
5. Loan fraud (5%): It occurs when the attacker applies for a loan in the
victim's name, and this can occur even if the SSN does not match the
name exactly.

Identity Theft (ID Theft)

• The various uses of ID theft information:
1. 66% of victims’ personal information is used to open a
new credit account in their name.
2. 28% of victims’ personal information is used to purchase
cell phone service.
3. 12% of victims end up having warrants issued in their
name for financial crimes committed by the identity thief.

Personally Identifiable Information (PII)

• The fraudster always has an eye on the information which
can be used to uniquely identify, contact or locate a single
person or can be used with other sources to uniquely
identify a single individual.
• PII has four common variants based on personal,
personally, identifiable and identifying.


• Fraudsters attempt to steal the elements listed below, which serve to distinguish an individual's identity:
1. Full name;
2. National identification number (e.g., SSN);
3. Telephone number and mobile phone number;
4. Driver's license number;
5. Credit card numbers;
6. Digital identity (e.g., E-Mail address, online account ID);
7. Birth date/birth day;
8. Birthplace;
9. Face and fingerprints.
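
These PII elements are what a defender looks for when checking logs or data exports for accidental exposure. The following is an added example, not part of the original slides, that redacts four of them from text. The US-style SSN and phone formats and the names `PATTERNS`, `luhn_ok` and `redact_pii` are assumptions of this example.

```python
import re

# Patterns for some of the PII elements listed above. US-style formats are an
# assumption of this example; adapt them to local identifier formats.
PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "PHONE": re.compile(r"(?<!\d)\(?\d{3}\)?[ -]\d{3}-\d{4}(?!\d)"),
    "CARD": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
}


def luhn_ok(number):
    """Luhn checksum: separates plausible card numbers from other digit runs."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def redact_pii(text):
    """Return (redacted_text, findings); findings is a list of (kind, value)."""
    findings = []

    def make_sub(kind):
        def sub(match):
            value = match.group(0)
            if kind == "CARD" and not luhn_ok(value):
                return value  # digit run that fails Luhn: leave untouched
            findings.append((kind, value))
            return f"[{kind} REDACTED]"
        return sub

    for kind, pattern in PATTERNS.items():
        text = pattern.sub(make_sub(kind), text)
    return text, findings


# Constructed sample log lines; every value here is fake test data.
SAMPLE = (
    "user=jdoe@example.com ssn=123-45-6789 card=4111 1111 1111 1111\n"
    "callback (555) 010-9999 order=1234567890123456\n"
)

if __name__ == "__main__":
    print(*redact_pii(SAMPLE), sep="\n")
```

The 16-digit order number stays in the output because it fails the Luhn check, which is what keeps the card pattern from redacting ordinary identifiers.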


• The information can be further classified as
(a) non-classified and
(b) classified.


• Non-classified information
1. Public information
2. Personal information
3. Routine Business information
4. Private information
5. Confidential Business information

• Classified information
1. Confidential: Information that requires protection and whose unauthorized disclosure could damage national security (e.g., information about strength of armed forces and technical information about weapons).
2. Secret: Information that requires substantial protection and whose unauthorized disclosure could seriously damage national security (e.g., national security policy, military plans or intelligence operations).
3. Top secret: Information that requires the highest degree of protection and whose unauthorized disclosure could severely damage national security (e.g., vital defense plans and cryptology intelligence systems).

Types of Identity Theft

• Financial identity theft
• Criminal identity theft
• Identity cloning
• Business identity theft
• Medical identity theft
• Synthetic identity theft
• Child identity theft

1. Financial Identity Theft:
• Financial ID theft includes bank fraud, credit card fraud, tax refund fraud, mail fraud and several more.
• Financial identity theft occurs when a fraudster makes use of someone else's identifying details, such as name, SSN and bank account details, to commit fraud that is detrimental to a victim's finances.
• For example, the fraudster can fraudulently open a new credit card account in the victim's name, run up charges on the card and neglect payment, leaving the victim with a bad credit history (i.e., a horrible credit score) and a world of debt.
• The process of recovering from the crime is often expensive, time-consuming and psychologically painful.
• Many times, before a crime is detected, the fraudster is capable of running up hundreds to thousands of dollars' worth of debt in the victim's name.
• This type of fraud often destroys a victim's credit and it may take weeks, months or even years to repair. As technology moves along and fraudsters become more advanced, financial ID theft will continue to pose a great threat to many individuals.

2. Criminal Identity Theft:
• It involves taking over someone else's identity to commit a crime, such as entering a country, getting special permits, hiding one's own identity or committing acts of terrorism. These criminal activities can include:
1. Computer and cybercrimes;
2. Organized crime;
3. Drug trafficking;
4. Alien smuggling;
5. Money laundering.


3. Identity Cloning:
• Instead of stealing the personal information for financial
gain or committing crimes in the victim's name, identity
clones compromise the victim's life by actually living and
working as the victim.
• ID clones may even pay bills regularly, get engaged and
married, and start a family.
• An identity clone will obtain as much information about
the victim as possible.
• This enables them to answer questions in an informative
manner when they are on the move or asked about the
victim's life.


4. Business Identity Theft:
• "Bust-out" is one of the schemes fraudsters use to steal business identity; business ID theft is given less importance than individual ID theft.
• It is extremely important to protect business sensitive information (BSI) to avoid any further scams.
• BSI is information about the business/organization, privileged in nature or proprietary, which, if compromised through alteration, corruption, loss, misuse or unauthorized disclosure, could cause serious damage to the organization.
• Such information is like a "sensitive asset" for the organization.


• Business Identity Theft: Countermeasures
• Secure your business premises with locks and alarms.
• Put your business records under lock and key.
• Shred, shred and shred.
• Be cautious on the phone.
• Limit access to your IT systems.
• Protect the IT system from hackers.
• Create the awareness that the Internet is a dangerous place.
• Avoid broadcasting information.
• Create and enforce an organization-wide information security policy.
• Disconnect the access of ex-employees immediately.


5. Medical Identity Theft:
• There are greater opportunities for protected health information (PHI) changing hands when multiple agencies are connected over computer networks and the Internet, for example, medical representatives, health officers, doctors, medical insurance organizations, hospitals, etc.


• Reasons why medical ID theft is particularly damaging to victims include:
1. Approximately one-third of victims of medical ID theft surveyed had someone else's medical information or medical history on their medical record, increasing the possibility of patients being treated incorrectly because of incorrect medical records.
2. More than 10% of victims of medical ID theft surveyed were denied health or life insurance for unexplained reasons.
3. More than two-thirds of victims surveyed received a bill for medical services that were provided to an imposter.


6. Synthetic Identity Theft:
• This is an advanced form of ID theft in the ID theft world.
• The fraudster will take parts of personal information from many victims and combine them.
• The new identity is not any specific person, but all the victims can be affected when it is used.


7. Child Identity Theft:
• Parents might sometimes steal their children's identity to open credit card accounts, utility accounts, bank accounts and even to take out loans or secure leases because their own credit history is insufficient or too damaged to open such accounts.

Techniques of ID Theft

1. Human-based methods:
• Direct access to information
• Dumpster diving
• Theft of a purse or wallet
• Mail theft and rerouting
• Shoulder surfing
• False or disguised ATMs (“skimming”)
• Dishonest or mistreated employees
• Telemarketing and fake telephone calls

2. Computer-based techniques:
• Backup theft
• Hacking, unauthorized access to systems and database theft
• Phishing
• Pharming
• Redirectors
• Hardware

Identity Theft: Countermeasures
• One should always be vigilant and take the utmost care to protect one's own identity.
1. Monitor your credit closely.
2. Keep records of your financial data and transactions.
3. Install security software.
4. Use an updated Web browser.
5. Be wary of E-Mail attachments and links in both E-Mail and instant messages.
6. Store sensitive data securely.
7. Shred documents.
8. Protect your PII.
9. Stay alert to the latest scams.

References

1. Cyber Security: Understanding cybercrime, computer Forensics and Legal Perspective, by Nina Godbole and Sunit Belapure.
