Scammers can do a great deal with just one or two pieces of personal information. A talented scammer in possession of a name, date of birth, and SSN can do a lot of damage. Data such as SSNs and other identification documents can easily be used for identity theft and fraud, and it is very likely that customers of any company that suffers a data breach will be affected by phishing attacks for years to come. Scammers trade and sell stolen personal details and information on various forums and the dark net, and these details are not even very expensive to obtain.
Additionally, once someone falls for a scam, they become even more desirable to other scammers, as it shows that the person may be susceptible to scams. It also shows a tendency towards general compliance, which scammers count on.
Guidelines for customers after a data breach
After a breach, it is not uncommon for companies to issue guidelines for customers. This is a wise thing to do, as scammers using that stolen data will most definitely target customers. Some of this data will be used to persuade the potential victim that a fraudulent call or email is credible.
For example, a scammer might call, pretending to be a company representative, and tell the victim that they need to set up their payment details again, as that information was erased as a result of the breach. The data they hold on this customer, e.g. date of birth or SSN, may be used to ‘prove’ that the call is legitimate. This type of attack is very successful because it is difficult to separate it from a genuine situation in which something may have gone wrong with someone's payment details. Similar scams affected Talk Talk customers, who are still plagued by a deluge of scam calls that began after a data breach. This is why it is vital to warn customers immediately if your organization suffers a breach. Any delay in awareness will ensure that more customers are affected by ensuing scams, heightening their susceptibility to being victimized.
Yet we see time and time again that companies affected by cyberattacks stay silent, electing to refute or minimize the scale of the attack instead. Frequently, customers affected by such breaches are also left with little information about how to protect themselves or even what to watch for, and they are rarely warned about the heightened emotional state that comes from the realization that their sensitive information is being traded by criminals. Often, details on how to implement fraud alerts and a security freeze are provided, which is great advice, but general recommendations about how to defend against phishing attacks are often lacking.
There are several ways people may be affected after the data breach:
- They may become victims of identity theft or fraud.
- Their details may be sold on to other criminals, which will result in an abundance of phishing attacks perpetrated via texts, phone, or email.
- Scammers may orchestrate more detailed and targeted attacks in which they call the victims and pretend to be a legitimate company that's trying to set up a new payment account or protect the victim’s account after the fraud. They may even have lengthy or multiple conversations with victims to enhance credibility and encourage trust, all while harvesting information that will then be used to access bank accounts or open new accounts in the victim’s name.
In the ocean, when a whale dies, its carcass will be attacked not only by big predators but many little fish and other ocean dwellers. Everyone benefits from it in some way. It is a frenzy of activity until there is nothing left.
Similarly, when a large data breach happens, there will be many players that will benefit from it, including opportunistic scammers that may not even have the funds to purchase these details. (Sometimes, customers’ details can be obtained for very little money, however.) Even they can benefit from a large data breach. Here is how and what you can do about it:
1. Receiving a supportive call from someone impersonating a company representative
Every time there is a large news story, scammers get a new opportunity to contact people and put a new spin on old scams. For example, receiving an unexpected call from a scammer pretending to be someone from your bank should arouse suspicion, as should any unsolicited form of contact from a bank or other organization seeking to offer assistance. However, when a large data breach has been publicized in the news and people start to fear that their details have been stolen, this causes great stress and uncertainty. Under such circumstances, they are more likely to act emotionally. This emotional state will likely have an impact on rational thinking and decision making, resulting in impulsive decisions and dismissal of any red flags.
Scammers may even pretend to be someone from a fraud department, ostensibly trying to make things better and safer for the intended victim. This could result in the victim extending immediate trust to the scammer, as the potential victim experiences relief that someone is dealing with the problem. This may lead to more cooperation, especially when it comes to sensitive data. Prior to contacting the victim, the scammers may have some data about the victim culled from the breach, and they may use it as proof that the call is coming from a credible and legitimate source. The true purpose of the call is for the scammer to phish for the missing pieces of information that they need to further their criminal activity, such as accessing bank funds.
What to do to protect yourself
Take a moment to be aware of how you are feeling. Anger, fear, panic, desperation, or any heightened emotional response is always problematic. It drives us to make quick and often wrong decisions. Make a point of delaying any decisions, and check the official corporate site for updates about the breach. You can also refer to trusted sites such as the Federal Trade Commission to learn more about how to protect yourself.
If someone calls, ask to call them back the next day. Take the time to double-check the number they provided and make sure it matches the one given by the company in question. Even if you recognize the number as a legitimate number, it may not be safe, as scammers can spoof caller ID easily and appear as if they are calling from a reputable company. Instead, call the company on a number you obtained independently and double-check that the call really did come from them and not from someone else. Remember – scammers want you to be in a state where you are acting emotionally rather than rationally, and any distressing or emotional current events will give them a perfect opportunity to be more successful.
2. Receiving phishing emails and texts from a source purporting to be the company affected by the breach
As with phone calls following a breach, there is likely going to be a flurry of emails and texts purporting to be from the company that suffered the breach. These may include visuals that you recognize, e.g., familiar logos, which can be highly influential, and even links that lead to legitimate online sources. The email may ask you to click a link to see if you have been affected while asking you to provide further sensitive information. Even if they don’t ask for payment information, you can be further compromised, as any piece of information can be useful, and it often helps them with the next scam. Even something like the last four digits of your SSN can be enough to confirm the identity of your other accounts. The emails may also ask you to confirm whether you have been affected by fraud following the breach or to register for extra protection, and they may mimic what has been published by the company itself in order to appear credible.
What to do to protect yourself
As with the advice for protecting yourself from telephone scams, delaying decisions, double-checking the information given in the email against the company's official site, and avoiding any links given in emails will help you maintain a good protective posture.
3. Beware of social media campaigns and websites pretending to be fraud recovery services
Following a big data breach that is affecting a large number of people, opportunistic scammers who don’t actually have your data will try to think of ways to get it. The breach gives them a perfect opportunity to cast a wide net and wait until you come to them, an opportunity they may not have otherwise. This often includes creating websites that offer fraud recovery services or websites where people can check if their details have been stolen (usually by providing some personal information first). These websites may be publicized on social media and social platforms, especially in posts and threads where the recent data breach is being discussed. Scammers will also maintain a presence on these forums, recommending the fraudulent websites to others and using social proof as a way of enhancing credibility.
What to do to protect yourself
Trust, but verify. Social platforms are a good source of first-hand information and recommendations, but it’s good to be vigilant and double-check the information. Legitimate pages that offer such services have been around for a while and are widely known and recommended. Always use legitimate sources to double-check information. One simple way is to manually enter the site into a Google search bar, which will warn you if the site is risky.
Remember, every data breach is a rich ground for scammers, and many will try to target the affected customers as well as the general population. There are criminals whose only purpose is to harvest data on potential targets such as people who may be more likely to comply or who may be particularly good targets. This data makes them money, as it is sold time and time again to other scammers. After a data breach, many such criminals target affected customers to obtain missing information, so watch out for any emails, phone calls, or texts that are connected to the data breach.
Additional Resources for Staying Safe
This advice is not exhaustive, but it’s a good start for learning what to be aware of. Learning how to protect yourself is vital. Along with reading security blogs such as Tripwire’s State of Security, sites such as USA.GOV, the Federal Trade Commission, the FBI, and the Consumer Financial Protection Bureau all offer good advice. Stay safe.