Data Leaks Generate Lures for Phishing Attacks
Not all security incidents are created equal, but about 58% of data breaches compromise personal data. Every week brings reports of a new data breach. So, unless a significant amount of personally identifiable information (PII) is uncovered – Social Security number, medical records, or bank account numbers — most people read the story and move on. What they don’t realize is that seemingly harmless personal data can be used as leverage in future highly targeted attacks, like phishing, to steal more valuable information.
The amount of consumer data compromised in data leaks and data breaches is staggering. Just this year, there have been multiple breaches — from Facebook to T-Mobile to CVS – impacting millions, and many people aren’t even aware they happened.
You can’t change the data compromises that have happened already. However, you can protect against future fraud by understanding what information has been stolen and how scammers might use it. It’s pretty well known that scammers frequently use stolen personal information to access even more data through phishing.
Threat Actors Play a Critical Role in Phishing Attacks
In a phishing attack, a scammer sends an email designed to trick a human victim into believing it’s coming from a reputable organization or someone they know. The criminal’s goal is to convince individuals to click on a malicious link, download malware, and/or reveal personal information. This compromised and sensitive data could include anything from a password to Social Security numbers (SSN) and/ or bank account and credit card numbers. Any type of leaked data can and will be used to infiltrate and compromise sensitive information. For example, the general settings you select when creating a new account online, the security questions you choose to protect those accounts, and so much more.
In the first three months of 2021, the number of malicious phishing sites increased 47% Year-over-Year from 2020, reaching upwards of 350,000 fake sites designed to steal PII. Twenty-two percent of data breaches stem from phishing, and a full 74% of phishing attacks involve credential phishing — or using stolen usernames and passwords.
The Latest Real-World Breach Phishing Threats
If you’re a business professional, chances are you are on LinkedIn. The popular business networking site has also been a victim of impersonated emails. After 500 million LinkedIn records were exposed in April and most recently, 700 million records from the social network were offered for sale on the Dark Web, phishing emails claiming users were locked out of their account were delivered to inboxes worldwide.
Scammers love impersonating government agencies because the fear factor drives victim responses and thus success in their fraud campaigns. Phishing schemes designed to steal government credentials increased sixty-seven percent in 2020. In July 2021, the Ontario Securities Commission (OSC) issued an alert to industry firms, warning them of a recent phishing attack impersonating OSC’s chair and CEO. Individuals who clicked on the email or opened attachments in these messages were advised to change their email passwords immediately.
The CVS Health data breach in June 2021 affected millions – even billions – of consumers, yet it didn’t receive strong coverage due to a low level of compromised PII. In this incident, a third-party vendor accidentally posted an unsecured database containing more than a billion search records of CVS Health customers. The 204 GB leaked database was not password protected and included visitor and session IDs, device information, configuration data, as well as multiple records for medications, including COVID-19 vaccines and CVS products. In most cases, the search data could not be linked to a specific person. However, the data also contained email addresses linked to CVS accounts.
Potential Risk to Consumers from the CVS Data Exposure
What risk does a breach like CVS pose to people whose information was exposed? We asked Al Pascual, Sontiq’s Senior Vice President of Data Breach Solutions, to put it into perspective. “The CVS breach received a 1 rating by the BreachIQ algorithm, but that is not to say this security incident is insignificant. One of the top risks related to the CVS data leak is targeted scams – which can include phishing attempts to commit fraud or simply solicit additional PII. A combination of two factors makes this data especially effective in phishing schemes: it is specifically tied to consumers’ past behaviors, and it is all seemingly benign. Affected consumers should be on the lookout for emails from CVS and/ or brands they may have been searching for at CVS.com.”
Pascual continued, “Why? Well, it is not hard to imagine a consumer letting their guard down when they receive an email about the exact product they were just searching for – say, baby diapers. That’s especially true if that email only asks for the consumer’s phone number, address, baby’s name, and birthdate to send future discounts. Of course, criminals would be using the email as a cover for collecting personal information on the consumer and their family. Alternatively, the criminal could take a bolder tact and set up a checkout page for discounted bundles of baby diapers to collect card data. These are only a couple of examples, but at the end of the day, it is all about abusing the trust that consumers have in CVS to further acts of fraud.”
5 Steps to Protect Against Phishing Schemes
When sending phishing scams, hackers are after more sensitive information, such as logins and payment information, or can easily penetrate your devices by embedding malware in the email. Follow these five easy tips to protect against phishing scams:
- Set up two-factor authentication (2FA) on all online accounts, so an extra layer of validation with a one-time code is needed to gain access.
- Set up criminal marketplace scanning to identify where your other sensitive data are already available–which could be combined with your breach records to conduct fraud in your name. These types of services may be included in an identity theft protection service.
- Keep a close eye on all emails you receive and never click on the link or call the phone numbers provided in the email. Instead, navigate directly to the organization’s website and call the customer service number listed there.
- Set up your email inbox to filter out spam and phishing mail.
- Hover your mouse over a link to verify that it is going where you expect it to before you click.
Sontiq’s Intelligent Identity Security (IIS) cloud-based platform, newly launched in 2021, serves as the foundation of our identity theft and cyber threat solutions. Gain total identity control through an array of credit, privacy, and fraud protection tools along with state-of-the-art Dark Web and continuous credit monitoring. Every time a breach hits the news, Sontiq’s BreachIQ offers personalized breach risk assessments through artificial Intelligence algorithms that identify a user’s unique data breach risks. And if you become a victim of identity fraud, you are one click away from a dedicated Resolution Specialist who provides Sontiq’s best-in-class, white-glove resolution services.