Cifas, the UK fraud prevention trade association, and Forensic Pathways, a data analysis and forensic software company, says that the dark web, and the surface web, are where personal information is sold by and for online criminals.
Their research suggests that personal data is being sold on the surface web via forums and through online shops, accessible via normal search engines. Those selling the data give some individuals’ data away for free by using it as an advert to display what information can be purchased.
In a sample of 30,000 victims of identity fraud, almost a third (8,646) were found on the surface web using name, date of birth, email and/or telephone number, with the majority of those identified on a social media platform. Over two-thirds (69 per cent) of those people were found on Facebook, with 38pc on both Facebook and LinkedIn. Those aged 61 years and over were found to have a smaller social media presence; they were, however, more likely to have had an account compromised through a data breach.
As highlighted by last year’s Who are the victims of identity fraud? report, launched with LexisNexis Risk Solutions, victims that are company directors are more likely to be identifiable from their social media presence and public director registers. This is particularly the case when the correspondence address is the same as a company director’s home address. Some three-quarters, 76pc of company directors had their home address as their correspondence address and in some cases this related to dissolved companies.
Cifas and Forensic Pathways offer recommendations, including:
Deactivate and delete old profiles on social media sites that you no longer use. Keep track of your digital footprints. If a profile was created ten years ago, there may be personal information currently available for a fraudster to use that you’re are not aware of or you have forgotten about.
Social media platforms should consider automatically setting a profile to the highest security settings available. It should be an ‘opt-in’ approach for individuals to share personal information, giving them the ability to select what information they choose to reveal.
Minimise the data you display publicly online. Take a second before adding information to your profile and question how necessary it is to make this information public. The more personal information you reveal, the more comprehensive a picture a fraudster can create to impersonate you.
Owners of forums should monitor and manage them more strictly. This report shows that forums are being used, not for their intended purpose, but for the selling of personal data. Creators of forums should monitor them regularly and there should be sufficient channels to report abuse.
Organisations should consider the transparency and proportionality of publicly available data. Further research should be conducted into the balance between transparency and proportionality of publicly available data.
Deborah Leary, CEO of Forensic Pathways, said: “The findings are eye-opening. This report not only demonstrates the vulnerabilities of personal data held on surface web platforms, but also highlights the pressing need to monitor these with more vigour. It also reminds us that although illegal activity occurs on the dark web, it is also prevalent on the surface web, where the selling of personal data through forums and online shops is clearly evident. We welcome further collaboration from all industries and sectors in the fight against identity fraud.”
And Sandra Peaston, Director of Insight, Cifas, said: “As individuals, we can take steps to protect our identities online, including deleting old profiles and minimising the data we publicly reveal online. For those who want to promote themselves, either professionally or personally, the real dilemma is whether this promotion outweighs the risks of revealing personal sensitive data. With identity fraud reaching record levels in recent years, more personal information available online, and increasing numbers of data breaches, the protection of personal data must be viewed as a collective responsibility. Everyone should play their part, from social media platforms taking more responsibility around security settings, to organisations prioritising the security of personal data.”
