
KEY WORDS: IDENTITY THEFT/FRAUD

What is cybercrime?

Cybercrime is a crime that involves a computer and a network. The computer may have been used in the
commission of a crime, or it may be the target. Cybercrime may harm someone's security and financial
health.

What is identity theft in cyber world?

Identity theft happens when someone steals your personal information to commit fraud. It is
committed in many ways, for example by gathering another person's personal information, such as
transactional information, and using it to make transactions.

Is identity theft a cyber crime?

Under RA 10175, Computer-related Identity Theft is the intentional acquisition, use, misuse, transfer,
possession, alteration or deletion of identifying information belonging to another, whether natural or
juridical, without right.

What is identity theft explain?

Identity theft occurs when someone steals your personal information—such as your Social Security
Number, bank account number, and credit card information. Identity theft can be committed in many
different ways. Some identity thieves sift through trash bins looking for bank account and credit card
statements.

What is an example of identity theft?

Once identity thieves have your personal information, they may go on spending sprees, using your
credit and debit account numbers to buy “big ticket” items like computers or televisions that they can
easily re-sell.

What are the 3 types of identity theft?

The three most common types of identity theft are financial, medical and online. Learn how you can
prevent them and what to do if they happen to you.

COMMON QUESTIONS FOR IDENTITY THEFT

What is ID theft?

Texas Penal Code 32.51 is the section that provides for identity theft as a crime in Texas: “A person
commits an offense if the person, with the intent to harm or defraud another, obtains, possesses,
transfers, or uses an item of identifying information of another person without the other person's
consent …”

My identity has been stolen. What do I do now?

Remain calm. This will be a lengthy and stressful process, but as long as you know you are following a
plan, you can increase your chances of solving most, if not all, of the problems you face, and increase
your chances of recovering as much of the money you have lost as possible.

Your first step will probably not involve notifying authorities, although that is one of the steps you will
likely take. Your very first step will be to pull your credit report from all 3 major credit reporting
agencies.

This is free if you have not received a copy of your report in the previous 12 months. In most cases, you
can do this online.

Preparation and organization will help you immensely as you navigate through this process. Keep track
of your time and expenses with as much documentation and journaling as possible. Start a file, if not
several files, so that you can keep your information organized.

Check the Office of the Attorney General's Consumer Protection Division's guide to identity theft.

How was my identity stolen?

There are a number of ways a person’s identity can be stolen:

Credit Card Skimming. This involves the use of technology that can sometimes be spotted at gas stations
or ATMs. The “skimmer” is placed on top of the actual scanner, so it is sometimes hard to spot.

Dumpster Diving. Searching through trash to find personal information to steal.

Hacking. Electronically breaking into personal computers, databases at financial institutions, and online
retailers to steal personal information.

Stealing personal effects (purse, wallet). Using someone’s driver’s license, personal checks, or credit or
debit cards directly.

Phishing. Using spam email or the phone to pose as a legitimate organization to lure victims into
revealing bank or brokerage account information, passwords, PINs, Social Security numbers, and other
types of confidential information.

Can I get my money back?

Victims can lose:

• Time and money spent clearing up financial and credit records

• Lifetime or retirement savings, benefits, or personal property

• Home or home equity

• Retirement income

• Ability to live independently; and

• Employment

The chance of recovering all of the money you have lost is slim.  However, the Identity Theft Guide and
other resources can help ensure that you receive as much money as possible.

How can I prevent having my identity stolen?

1. Secure your social security number (SSN). Don’t carry your social security card in your wallet or
write your number on your checks. Only give out your SSN when absolutely necessary.

2. Don’t respond to unsolicited requests for personal information (your name, birthdate, social
security number, or bank account number) by phone, mail, or online. 

3. Watch out for “shoulder surfers.” Shield the keypad when typing your passwords on computers
and at ATMs. 

4. Collect mail promptly. Ask the post office to put your mail on hold when you are away from
home for several days. 

5. Pay attention to your billing cycles. If bills or financial statements are late, contact the sender.

6. Review your receipts. Promptly compare receipts with account statements. Watch for
unauthorized transactions.

7. Shred receipts, credit offers, account statements, and expired cards, to prevent “dumpster
divers” from getting your personal information.

8. Store personal information in a safe place at home and at work.

9. Install firewalls and virus-detection software on your home computer.

10. Create complex passwords that identity thieves cannot guess easily. Change your passwords if a
company that you do business with has a breach of its databases.

11. Order your credit report once a year and review it to be certain that it doesn't include accounts
that you have not opened. Check it more frequently if you suspect someone has gained access
to your account information. 

What type of victim do thieves usually target?

These are characteristics of financial fraud victims in general:

• Senior adults, especially those who have mental or physical impairments

• Individuals who are physically impaired

• Those who have cognitive issues or age-related mental incapacity (e.g., dementia or Alzheimer’s
patients)

• Those who are grieving the loss of a loved one or in another way emotionally vulnerable

• Victims of domestic violence

• Near-retirees

• Previous victims of financial fraud

What resources are available for me if my identity is stolen?

The resources available to you are plentiful and growing!

• www.idtheft.gov

• www.bbb.org

• www.victimsofcrime.org

• www.victimbar.org

• www.annualcreditreport.com

• www.consumerfinance.gov

• https://www.fbi.gov/investigate/white-collar-crime/identity-theft

• http://www.utica.edu/academic/institutes/cimip/idcrimes/resources.cfm

• www.idtheftcenter.org

• https://postalinspectors.uspis.gov/investigations/mailfraud/fraudschemes/mailtheft/IdentityTheft.aspx

• https://www.usa.gov/identity-theft

Resources specific to Texas

• http://www.idtheftcenter.org/States/texas.html

• http://texasattorneygeneral.gov/identitytheft

• www.dps.texas.gov/driverlicense/idtheft/idtheft2.htm

I have reported my ID theft to several agencies. Why haven’t they called me back?

Reporting is important. It allows you to assert certain rights; it allows research agencies to account
more accurately for how much identity theft is occurring, and where, when, and to whom it is occurring;
and it allows information to be shared with other reporting agencies that protect consumers by
working on prevention and detecting fraud.

That said, sometimes those are the only purposes for reporting.  In other words, in many cases, the act
of reporting does not cause a case to be opened or an investigation to begin.  Therefore, the agency will
not have a need to return your call or to follow up on your report. Managing expectations regarding
your claims will help you as you work to clear up all the problems resulting from this criminal act.

What if no one finds out who stole my identity?

This is often the case.  However, this does not necessarily prevent the victim from being able to recover
their money.  In some cases, organizations, institutions, and even the credit reporting agencies may be
liable for some of the damages you have incurred.

You may want to contact the National Crime Victim Bar Association for a referral to an attorney who
can litigate on your behalf. You might find private attorneys who will offer their initial consultations at no
cost or obligation.

Cybersecurity questions about your information security program or the threats you face

1. Why do I need to worry about information security?

The threats are real – and it’s not some shady character with a gray hooded sweatshirt
looking at scrolling lines of green code. From a volume standpoint, it’s largely automated and
in general broadcast to large swaths of the Internet (although the most significant threats are
targeted).  Cisco Talos has hard statistics on the fact that roughly 85% of all email traversing
the Internet is spam – either marketing or malware.  The spam filters do a good job at
catching and stopping that 85% but some are bound to go unnoticed and pass through to
your users.

Any system or service exposed to the public Internet is threatened: according to the University of
Maryland, an attack hits an Internet-connected system or web server every 39 seconds on average.
Again, many of these are unsuccessful, but it only takes one hitting an unpatched or particularly
vulnerable computer system to cause trouble.

2. What are the biggest cybersecurity threats right now?

Without question, wire transfer fraud and ransomware headline the most critical threats
facing organizations.

Wire transfer fraud targets the manual bank transfers used to move funds between
entities. Attackers compromise an organization’s email system and use their unauthorized
access to start looking for finance and payment-related employees. Our Incident Response
team sees attackers lurk in the email for months waiting for a payment to compromise. When
the two entities exchange emails with payment information, the attackers insert a second email making it
seem like there was a transcription error and asking the recipient to please use the new account number (or take
the exchanged credentials and attack the bank account directly). They then move the
transferred money out of the fake destination before anyone notices. There are other
flavors of this type of attack, but this example demonstrates the need for authenticated
verification of wire transfers that uses multiple mechanisms to prevent this type of theft.

Ransomware is a flavor of malicious software (malware) that encrypts data and critical
system files, rendering computers and data unusable without decryption. Decryption is only
possible with a key that is provided only if a ransom is paid to the attacker. These ransoms
are paid using cryptocurrencies like Bitcoin and range from hundreds to millions of dollars in
value. The attacks have become quite sophisticated in how they gain unauthorized access to
and infect organizations (while attacks against home users are down, targeted attacks
against companies and municipalities are sharply increasing), and they have evolved to use
sophisticated, difficult-to-discern emails (phishing) or other malware to spread their
ransomware payloads (the Emotet malware is currently the most common).

These ransomware operators have developed into sophisticated operations with help desks, 24×7
technical support, and trained negotiators. They make every attempt to encrypt during off-hours
and target backup mechanisms to make recovery without paying the ransom very
difficult – as a result, many organizations pay the ransom to recover their computer systems
and critical sensitive data in days rather than weeks or months (or not at all). Ransomware-infected
companies have even had to go out of business because of the cost of recovery.
3. What are our compliance obligations regarding sensitive data?

While one can argue that maintaining the confidentiality, integrity, and availability of data
and services for employees, partners, consumers, and customers is reason enough to have a
robust information security program, many organizations are not aware that they are legally
required to have a robust program to prevent and respond to data breaches. Whether or not
you must comply with a particular compliance regime can be a subtle question. Getting
expert help from a trusted advisor is recommended if there is any question as to whether
you have compliance obligations regarding sensitive information or confidential data.

For example – an organization provides a portal for consumers to find a healthcare provider
and also allows the consumer/potential patient to upload insurance and health-related
information to aid the search and communicate with the potential provider. They assumed
that because they were handling healthcare-related confidential data they were required to
comply with HIPAA. It turns out that as a result of the American Recovery and Reinvestment
Act of 2009 (ARRA 2009) there is a distinction for health records collected and handled by
non-HIPAA-covered entities. In this case the data they were collecting was considered a
“Personal Health Record” and not “Protected Health Information” and thus was covered by
the Federal Trade Commission – which does not have the same compliance requirements for
the use of this sensitive data but does have very strict breach notification rules.

To make it even more confusing, if this organization was a HIPAA-Covered Entity, this
sensitive information would be considered to be PHI. This confusing narrative was provided
to underscore the need to get good advice from a knowledgeable source to determine if you
have compliance obligations regarding sensitive information.

Cybersecurity questions related to staffing

4. Do I have a designated and trained information security expert on staff or a third-party
trusted information security and risk advisor?

A 2011 Symantec Threat Management Survey found that “most enterprises are not
confident in their security posture and that staffing is a major issue limiting IT security’s
effectiveness.” Specifically, 46 percent of those who lack confidence cited insufficient
security staff, while 45 percent pointed to a lack of time to respond to new security threats.

Worldwide, 43 percent reported understaffing as a major issue; in North America, that
number is 53 percent. This is significant. There is a lack of trained and experienced
information security and risk management candidates. Some estimates say that unfilled
cybersecurity jobs worldwide will reach 3.5 million by 2021.

As an employer of information security-related personnel, we have hired a core team of
experts and have taken active steps to identify candidates and develop expertise from
within. We also work with local technical schools and higher education institutions to foster
new talent in the community.

Many organizations have a need for information security and risk management in their
business but do not have enough work to justify the salary of a dedicated resource. In this
case, they turn to a trusted cyber security advisor to help them develop a reasonable and
appropriate information security program.

5. Does anyone on the board have Information Security and Risk Management expertise?

Many information sources have begun talking about the importance of information security
and risk management oversight by the board of directors.  Computer systems and data
systems were once a business enhancement – they have transitioned to business-critical
tools (our ransomware experience has made this obvious).  As a result, boards must be aware
of the confidentiality, integrity, and availability of their sensitive data and computing services
and systems. At a minimum, there should be a formal mechanism (usually a formal
committee of cyber security professionals) that includes experts in information technology,
security, risk management, and business to digest the current threat and risk landscape and
make recommendations to the board on addressing these risks.

6. Is our information technology department staffed appropriately? 

This seemingly simple question is very difficult to answer succinctly.  It very much depends
on the answer to all the other questions presented in this list of questions…  The size,
complexity, geography, business type, customer characteristics, specific technologies in use,
compliance obligations, etc… all directly affect the answer.  To effectively answer the
question requires a good understanding of the threat and risk landscapes that the
organization operates within.  This is the true value of a robust risk-based cybersecurity
program – it allows an organization to make staffing and business decisions that are
reasonable and appropriate to address their needs and obligations.
Cybersecurity questions related to your existing information security program

7. Am I spending enough / appropriately on information security-related tools and
controls? (Is there a network security or information security tool I should buy?)

Similar to the staffing question, the answer here is nuanced.  It depends.  In our experience
with helping organizations get their arms around their threats and risks and developing a
reasonable and appropriately-scaled information security program, they have most (if not all)
the licenses and tools they need to address their risks.  The difficulty is in their configuration
and the ability of the information technology organization to get meaningful information
from them.  Often the roadblock to an effective program is one of time and availability of IT
staff.  It is not uncommon for IT staffing to be less than what is required given the size and
complexity of the organization. In addition, automating tasks that cause IT staff to be
diverted from projects due to an endless break/fix cycle can improve the chances of
information security-related projects being successful.

8. Do I need cybersecurity insurance? Is our cybersecurity insurance policy appropriate to
our risks?

The answer to both of these questions is easy: Yes. Your organization should have cyber
insurance (for a variety of reasons). According to CyberInsureOne, 27% of US firms have no
plans to purchase cybersecurity insurance, only 8% of manufacturing companies have it, and
only 50% of healthcare-related organizations are cyber-insured. This is despite the fact that
the two greatest threats detailed above target these two verticals – wire fraud at
manufacturing and ransomware in healthcare.

Currently, because the insurance companies want to sell the insurance to these threatened
companies, the cost of cybersecurity insurance is very low.  Making sure that you have the
RIGHT insurance with an appropriate level of coverage is a challenge. As a result, we work
with several insurance brokers to identify the best practices for good cybersecurity
insurance coverage.  Like many of the questions presented here, determining the correct
level of coverage depends upon an awareness of the threats and risks facing an organization.
Ultimately, there are three things an organization can do with risk – they can address it
directly by making a change or implementing a tool, they can insure themselves to address
the risk (in the insurance industry they refer to this as “transferring” the risk), or they can just
decide to “assume” the risk and hope it doesn’t happen.

9. Are our information security and business priorities aligned?

The holy grail of information security is strong alignment with the business.  Everyone has
access to the security system tools and data they need to do their work (but no more), the
data and services are available when needed, and the data and the analysis of that data are
trustworthy and accurate.  Striking the balance between protection and convenience (and
monetary cost, frankly) is the difficult part.

10. Is our written information security program (WISP) based upon an appropriate
information security framework?

There is a wide variety of information security and information technology frameworks that
provide guidance on appropriate controls to protect the confidentiality, integrity, and
availability of data and services (some you might have heard of include NIST SP800-53, NIST
Cyber Security Framework, ISO 27001, HITRUST, COBIT, ITIL, CIS Controls, and AICPA Trust
Services Criteria). Choosing the correct one depends on your compliance obligations,
geography, business vertical, and organizational complexity. It is possible to map one
framework to another – and some of them have been designed for just that purpose.
HITRUST and the CIS Controls are built with this in mind. HITRUST certification is an
expensive but effective way to demonstrate compliance – and anyone can download the
actual controls for free. The CIS Controls are a framework created by industry experts; they map
well to other frameworks and are intended to be free for anyone to download and implement.

11. Do our documented policies match what is actually happening in practice?

Often an organization’s written policies and standards are very well written and line up with
their compliance obligations.  An auditor comes in, reviews the documents, and gives the
documents a passing grade…  Unfortunately, the things written in these documents do not
line up with what is actually happening in the organization.  Our approach is to have lean,
well-organized documentation that addresses the threats and risks facing an organization in
clear and concise language.  The end result is that instead of having compliance without real
information security, an organization is secure by design and compliant by default.

12. Do we know where our data is and how it is protected (data lifecycle management)?

Ultimately, an information security program is concerned with the confidentiality, integrity,
and availability of the data and services that utilize, store, transmit, and process that data.
Knowing the nature of that data, how sensitive it is in terms of compliance obligations,
where it lives, where it is transmitted, where it is used, who has access to it, and how long it
should be kept is vital. For many organizations that data is core to their business. Just like
an auto repair shop must keep track of and care for their tools, an organization must keep
track of and care for their data and services. Very often this starts with classifying the data
and establishing rules for the various classifications.

13. Are our employees being appropriately trained on cybersecurity?

Information security awareness training is vital for organizations. The two primary threats
detailed earlier primarily rely on mistakes by employees to be successful. Wire transfer fraud
tricks employees into sharing or relying upon restricted or incorrect account information. 
Ransomware most often is distributed by email-based attacks and requires employees to
open infected attachments or click on malicious links.  Even well-configured systems with
robust monitoring mechanisms can let these emails and cyber attacks slip by.  The final and
most important line of defense against these attack vectors is the person sitting at their desk
making a determination if what they are looking at is real communication and not an
attempted cyber attack.  All organizations should be providing mandatory and engaging
cybersecurity awareness training at the time of hire and at least every year to refresh the
employees and keep security at the top of their minds.

14. Can we detect an attempted or successful cybersecurity incident, brute force attack, or
data breach?

A mature information security program not only puts mechanisms and controls in place to
prevent an incident or data leakage/data breach but also includes mechanisms to monitor
the operation of its web server presence, network traffic, systems, services, and users to
notice when something bad or unintended is happening, such as unauthorized access,
suspicious network traffic, a brute force attack, or some other type of cyber attack. The use
of automated mechanisms (such as an intrusion detection system or an intrusion prevention
system for network security) to aid the perpetually overworked and understaffed IT team is
essential. Because any Internet-connected environment is under constant attack,
appropriately tuned alerting is one of the primary goals of the information security program:
alerting only on those attacks that have a chance of being successful is essential.
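Question 14 asks for tuned alerting that flags only attacks with a chance of succeeding. The following Python script is an added example, not part of the original FAQ or any product: it runs a small brute-force detector over constructed auth log lines (the log format, thresholds, and IP addresses are assumptions), raising a low-severity alert for a burst of failed logins from one source and a high-severity alert only when that same source then logs in successfully, while an isolated typo-then-success produces nothing.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format, loosely modelled on sshd (an assumption for this example):
#   <ISO timestamp> Failed password for <user> from <ip>
#   <ISO timestamp> Accepted password for <user> from <ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>[\d.]+)$"
)
FAIL_THRESHOLD = 5             # this many failures from one source ...
WINDOW = timedelta(minutes=2)  # ... within this window counts as a burst


def parse(line):
    """Return a dict for a recognised auth line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "ok": m["result"] == "Accepted",
            "user": m["user"], "ip": m["ip"]}


def detect(lines):
    """Return (severity, ip, detail) alerts: 'low' once per burst, 'high' on success after it."""
    alerts = []
    fails = defaultdict(deque)  # ip -> timestamps of failures still inside WINDOW
    bursting = set()            # ips whose current burst has already raised a low alert
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue            # unrelated lines (disconnects, etc.) are ignored
        ip, q = ev["ip"], fails[ev["ip"]]
        while q and ev["ts"] - q[0] > WINDOW:   # slide the window forward
            q.popleft()
        if not q:
            bursting.discard(ip)  # burst has expired; a later success is not escalated
        if not ev["ok"]:
            q.append(ev["ts"])
            if len(q) >= FAIL_THRESHOLD and ip not in bursting:
                bursting.add(ip)
                alerts.append(("low", ip, f"{len(q)} failed logins within {WINDOW}"))
        elif ip in bursting:    # the burst got in: this is the one worth waking someone for
            alerts.append(("high", ip, f"successful login as {ev['user']} after failure burst"))
            bursting.discard(ip)
            q.clear()
    return alerts


# Constructed sample log lines (not real data; the IPs are documentation ranges).
SAMPLE_LOG = """\
2024-03-01T10:00:01 Failed password for root from 203.0.113.7
2024-03-01T10:00:02 Connection closed by 203.0.113.7
2024-03-01T10:00:03 Failed password for admin from 203.0.113.7
2024-03-01T10:00:04 Failed password for admin from 203.0.113.7
2024-03-01T10:00:06 Failed password for oracle from 203.0.113.7
2024-03-01T10:00:08 Failed password for admin from 203.0.113.7
2024-03-01T10:00:09 Failed password for admin from 203.0.113.7
2024-03-01T10:00:15 Accepted password for admin from 203.0.113.7
2024-03-01T10:05:00 Failed password for alice from 198.51.100.4
2024-03-01T10:05:30 Accepted password for alice from 198.51.100.4
2024-03-01T10:10:00 Failed password for bob from 192.0.2.9
2024-03-01T10:10:02 Failed password for bob from 192.0.2.9
2024-03-01T10:10:05 Failed password for bob from 192.0.2.9
2024-03-01T10:10:06 Failed password for bob from 192.0.2.9
2024-03-01T10:10:09 Failed password for bob from 192.0.2.9
"""

if __name__ == "__main__":
    for severity, ip, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"{severity.upper():4} {ip:15} {detail}")
```

Run against the sample, the script raises three alerts: a low and then a high for 203.0.113.7, a low for 192.0.2.9, and nothing for alice's single mistyped password.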

15. Do we know how to respond in a cyber security emergency?

Having a documented plan (that is updated as personnel and the environment change) for
how to respond to an incident or its big brother, a disaster, is only the first step.  Educating
the people who must respond when an emergency occurs (and their backups in the event
they are unavailable) is the next task.  Finally, and perhaps most important, is testing that
plan regularly (and learning from and addressing the results of those tests).  Again – having
something lean and useful is more important than reams of paper sitting on a shelf.
