Identity Theft: How attackers get hold of your details

Ever wondered how someone got hold of your details? As per recent headlines, it turns out it’s easier than you think…


If you haven’t seen the film Identity Thief, spoiler alert! It’s a perfect rainy day movie and stars the ever hilarious Melissa McCarthy in the brilliant but ridiculous story of a guy who gets his identity stolen by a con artist and goes to considerable lengths to get it back.

But while the likelihood of having to fight off armed criminals, escape from a bounty hunter, battle venomous snakes and hitchhike through the Midwest before forging new credit cards to get back the original ‘you’ may be low, the film got me thinking about just how many simple ways there are for criminals to steal identities today.

Here are some of the most common forms of everyday identity theft that pose a risk to all of us, as well as some of the ways we can protect ourselves from the harm and damage caused by stolen or compromised data.

The unsolicited phone call

No matter how charming they might be, don’t trust a stranger at the end of the phone!

The mis-sold PPI call is a classic, but unsolicited calls from people claiming to be from legitimate companies, agencies or government institutions are increasingly common. They’re usually asking you to renew your contract, confirm your details or update them because of an attempted hack (oh the irony). If you’re not expecting a call, hang up immediately and call the organisation’s customer service number that’s published on their website to check whether the call was legitimate.

The text message

Smishing (a clever portmanteau of SMS and phishing) involves a text that appears to come from a reputable organization like your bank, mobile provider, PayPal, or HMRC, asking you to click a link, call a number or reply to verify or update your information. Don’t reply or click on anything you’re not expecting and, if in doubt, always contact the organization directly to check. Most legitimate organizations’ websites will already have information about the ways in which they will and will not contact you.

The mobile phone app

CandyCrush, Angry Birds, that quiz that shows you what kind of cheese you are — social media games and apps help pass the time on long commutes, but a lot of them ask for access to your Facebook information. On occasion, scammers (or a certain “analytics” firm) may be waiting behind the app to harvest your personal data and exploit it for nefarious purposes. Thankfully, the Apple and Android teams are getting increasingly stringent about who they let onto their app stores, so hopefully this kind of data leak will soon be a thing of the past.

The social media post

Sorry Kim but some things are best left un-Instagrammed…

Yes, getting the perfect filter on your latest Instagram snap is important, but take care if you’re showing off your jazzy new Curve card, latest gig tickets, or an embarrassing passport photo. Even if these objects are barely in view, there’s a range of techniques scammers can use to zoom in enough to extract your personal information from objects in pictures posted online.

The nosey “shoulder surfer”

Casting a glance as you fill in a form, lurking nearby when you’re at an ATM, or making a mental note as you type into your phone on the bus, the shoulder surfer is often difficult to detect but is surreptitiously stealing your personal or financial information for their own gains. We know to cover our PIN numbers, but we might not think as carefully when we’re filling things in or typing. Think twice, and check who’s around, when you’re dealing with personal information in public.

The phishing email

A phishing email appears to come from someone you know, or at least from a sender that seems legitimate, such as a trusted organization. Phishing emails ask you to share or update personal information, which is then used to gain access to personal or financial accounts, or to click a link that points to malicious data-harvesting software.

If you’re reading this blog in your jim-jams on the sofa at home, the best thing you can do to stop yourself falling victim to a phishing attack is to scrutinise the sender’s email address, look for any language in the email that doesn’t seem quite right, and think twice before clicking an enclosed link or divulging personal info in a reply.

If you’re reading it in a professional capacity — for instance, you’re in charge of your company’s email systems — then stopping impersonation of your organization should be a priority. Measures such as setting up DMARC (a security protocol that protects your company emails from spoofing), and ensuring any websites using your logo illegitimately are taken down, can help protect your customers and your brand’s reputation.
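For anyone setting up DMARC, the published record itself can be checked mechanically. The following is an added example, not Red Sift's tool or code from the original post: it evaluates DMARC TXT record strings offline against the tag rules in RFC 7489. The function names, the sample records and the `example.com` addresses are constructed for illustration.

```python
# Added example: offline checks on DMARC TXT record strings.
# Sample records are constructed; example.com is a placeholder domain.
POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC1 record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    tags = {}
    for part in parts:
        name, sep, value = part.partition("=")
        if sep:
            tags.setdefault(name.strip().lower(), value.strip())
    # The version tag must be the first tag in the record (RFC 7489).
    first = parts[0].replace(" ", "") if parts else ""
    return tags if first == "v=DMARC1" else None

def assess(txt):
    """Return (verdict, findings); verdict is missing, invalid, weak or enforced."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "missing", ["no valid v=DMARC1 record"]
    policy = tags.get("p", "").lower()
    pct = tags.get("pct", "100")
    if policy not in POLICIES:
        return "invalid", ["p= tag missing or unrecognised"]
    if not pct.isdecimal() or int(pct) > 100:
        return "invalid", ["pct= must be an integer from 0 to 100"]
    findings = []
    if policy == "none":
        findings.append("p=none requests no action on mail that fails DMARC")
    elif int(pct) < 100:
        findings.append(f"policy applies to only {pct}% of failing mail")
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        findings.append("sp=none leaves subdomains without enforcement")
    weak = bool(findings)  # a missing rua= is reported but does not weaken policy
    if "rua" not in tags:
        findings.append("no rua= address, so no aggregate reports are requested")
    return ("weak" if weak else "enforced"), findings

SAMPLES = {  # constructed records for illustration
    "enforcing": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "monitor-only": "v=DMARC1; p=none",
    "partial": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com",
    "not-dmarc": "v=spf1 include:_spf.example.com ~all",
}

if __name__ == "__main__":
    for label, record in SAMPLES.items():
        print(label, *assess(record))
```

In practice the input would be the TXT record published at `_dmarc.<your domain>`, fetched with whatever DNS lookup tool you already use.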

Not sure if your organization has DMARC configured correctly? You can check your current email setup with our free investigate tool.


PUBLISHED BY

Clare Holmes

27 Mar. 2018
