Terrifying video on identity theft: dramatic or accurate?

Identity theft video from lobbyists

Febelfin is a banking lobby in Belgium, representing the interests of small to large banks in the nation, and recently has set out to tackle the problem of identity theft. “Would you panic while internet crooks took over your life?” the company asks. “We put one real victim through the test. We scared the hell out of him by gradually taking over his life. His freaked out reactions, should urge people to be very vigilant and never to share personal and banking information by mail or by telephone.”

The video ends with directions to go learn more tips for safe internet banking at SafeInternetBanking.be.

So is it overly dramatic or accurate?

We all know that identity theft is serious, particularly as the world shifts to internet banking and alternative banking options like PayPal, but we wondered if this video which is said to be real is just entertaining and overly dramatic, or is this an accurate dramatization of identity theft.

For the answers, we asked PwnedList Co-Founder, Steve Thomas to asses the video. He explains that in the video the hacker first engaged in “catfishing” on Facebook and sending a successful phishing email for banking credentials to pull off the identity theft.

Thomas said, “The only questionable piece of information was the bank he used, which I guess someone might post that on Facebook, something like “I hate Bank of America!”, but people rarely talk about banks on facebook. The hacker could have guessed and tried a few different banks, though.”

It makes sense given that they are in Belgium, so perhaps their banking options are more limited than here in North America.

But how did they get someone to give bank credentials?

Thomas explains, “the phishing e-mail basically read (pardon my complete lack of knowledge of the German language) ‘Click here,’ which I’m guessing redirected to a website that looked identical to his bank, where he logged in, allowing his credentials to be stolen. Phishing e-mails do work, but they have been around for a long time, and some e-mail providers (Gmail) identify phishing e-mails to varying degrees of success. Banks also are well aware of what phishing campaigns are going on and can shut down campaigns to varying degrees.”

That sounds hopeful, right? Thomas told AGBeat that “It’s actually easier to get information about a person than the video makes it appear (at least in the US).” Additionally, Thomas notes, “The hacker stole someone’s identity and made a fraudulent purchase. This happens every day, with even less effort. Some banks try to prevent this with smart authentication (geolocation, identifying a new device and requiring two factor authentication, etc) but those are easy enough to get around.”

Uh oh.

“I routinely find out where someone lives, who they are friends with, where they have worked, where they work now, and what job they have without ever needing to friend them on Facebook,” Thomas stated. “The catfishing added some comedy, but was unnecessary.”

Privacy controls are not enough

What can someone do to protect themselves from catfishing damaging them? Thomas recommends the following steps be taken:

1. Remove information about you that you don’t want to be public from Facebook. Assume anything you have ever put into Facebook is public. Privacy controls are not enough.
2. Probably a bad idea to announce what bank you use on any social website. Same goes for when you leave for vacation or ‘check-in’ away from home (see pleaserobme.com for examples on how ‘check-ins’ make you vulnerable).
3. Google yourself. Identify the websites that have information on you. Contact them to remove the information (they might if you ask nicely).

And what can someone do to protect themselves from phishing? Thomas suggests:

1. Use an e-mail provider that identifies phishing attempts. Most major providers do, I know Gmail does.
2. Don’t click links in e-mails that are not trusted. If someone is directing you to a website, type it in manually, so you know where you are going.
3. Make sure you use HTTPS and check the SSL certifications (though this can be broken too, so don’t just rely on this).
4. If you ever attempt to login to your bank account, but the website won’t let you in (and you know you are using the right password), then congratulations! You are most likely a victim of phishing. You need to know how to contact your bank properly to change your password and lock down your account.
5. In general, make a plan right now for when a hacker steals your credentials. It is no longer an ‘if’, it’s a ‘when’.

How common is this?

Just in the AG offices alone, 75 percent of us have had our identities stolen in one way or another and had money drained from accounts. That’s a pretty substantial number, especially in light of our team being comprised of mostly tech savvy people that are fully aware of catfishing and phishing – it happens to the best of us.

Take Thomas’ advice seriously, because according to him, the video isn’t a dramatization and it is actually easier to get your information than they lay out in the video.