The United States Department of Justice (DOJ) does not spell out any distinction between identity theft and identity fraud, saying only that they:
“…are terms used to refer to all types of crime in which someone wrongfully obtains and uses another person’s personal data in some way that involves fraud or deception, typically for economic gain.”
There is a meaningful distinction between the two, however, and from a security professional’s standpoint it’s important to understand it. But the precise definition of each is not universally agreed upon.
For example, IdentityHawk distinguishes the two by saying that theft is when an actual person’s information is stolen and used for criminal purposes, while fraud is when a crook invents a non-existent person and uses that identity criminally.
Another minority view is that identity fraud consists of fraudulently accessing a victim’s existing accounts, while identity theft involves using the same stolen information to open new accounts that are charged to the victim.
However, most sources define identity theft as the act of stealing or obtaining sensitive or protected personal information, and identity fraud as any fraudulent act committed with the use of that information. And when it comes to understanding how to secure against both, this is the most useful way to think about it.
A new era of fraud
According to reports gathered by Fortunly, identity fraud cost Americans $3.3 billion in 2020, nearly double the $1.8 billion cost in 2019, and incidents keep rising. One in three U.S. citizens is thought to have experienced identity theft. The majority of incidents involve credit-card fraud, and in 2020 most stolen identities were used to apply for government documents and benefits.
Most of the personal and financial information used in identity fraud consisted of consumer information stolen from businesses. Indeed, there have been so many large-scale data breaches in the past few years that we find it useful to think of this as the “post-breach” era of security: The data is out there, and now the challenge is to prevent its misuse.
As the nonprofit Identity Theft Resource Center (ITRC) puts it in their 2021 Data Breach Report:
“We may very well look back at 2021 as the milestone year when we officially moved from the era of identity theft to an era of identity fraud. That is to say, the time when cybercriminals shifted from mass data accumulation (identity theft) to mass data misuse (identity fraud).”
Identity theft prevention
Even in the post-breach era, it’s critical to protect against the types of cyberattacks that result in data breaches. Since most such attacks originate with a phishing or other email-borne attack, a comprehensive email protection solution is the highest priority. Critical features include:
- AI-powered phishing detection to spot evasive threats based on analysis of normal internal and external communication patterns
- Advanced data-loss prevention that ensures outbound traffic doesn’t include any sensitive or protected data
- Effective security-awareness training to reduce the risk of users falling for phishing scams that do end up in their inboxes
Barracuda Email Protection provides these capabilities and much more.
Of course, modern cyber-threats that can lead to identity theft leverage multiple vulnerabilities across network, cloud, and application/API deployments. So it’s also important to ensure comprehensive and effective application security (such as that provided by Barracuda Cloud Application Protection) and modern network security (might I recommend Barracuda CloudGen Firewall?).
Identity fraud protection
When stolen information is used to perpetrate identity fraud crimes against organizations, it often involves the misuse of stolen network access credentials and identifying info to gain access to sensitive or protected data, deploy ransomware, or conduct fraud by moving funds directly or requesting wire transfers under false pretenses.
Your first and most important line of defense should be a modern access-control system that employs Zero-Trust capabilities. Traditional multifactor authentication (MFA) is no longer sufficient in the post-breach era.
Zero Trust Network Access (ZTNA) solutions like Barracuda CloudGen Access constantly monitor a wide range of factors, such as device name, IP address, geo-location, and time and date, to enforce highly granular access controls at all times — not just at the moment of connection.
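The difference between checking those factors once at connection and re-evaluating them on every request can be shown in a short added example. It is not Barracuda CloudGen Access code or its API; the field names, the policy, the rule that a failed check revokes the session permanently, and the sample session are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
@dataclass(frozen=True)
class Context:            # signals seen on one request (field names are assumptions)
    device_name: str
    ip: str
    country: str
    when: datetime

@dataclass(frozen=True)
class Policy:             # hypothetical per-user access policy
    devices: frozenset
    networks: tuple
    countries: frozenset
    hours: tuple          # (start, end) of permitted working hours

def violations(policy, ctx):
    """Return the names of the factors that fail the policy for this request."""
    failed = []
    if ctx.device_name not in policy.devices:
        failed.append("device_name")
    if not any(ip_address(ctx.ip) in ip_network(n) for n in policy.networks):
        failed.append("ip_address")
    if ctx.country not in policy.countries:
        failed.append("geo_location")
    if not policy.hours[0] <= ctx.when.time() <= policy.hours[1]:
        failed.append("time_and_date")
    return failed

def connect_time_only(policy, requests):  # check the first request, then trust the session
    return [not violations(policy, requests[0])] * len(requests)

def continuous(policy, requests):  # re-check every request; revocation is sticky
    decisions, revoked = [], False
    for ctx in requests:
        revoked = revoked or bool(violations(policy, ctx))
        decisions.append(not revoked)
    return decisions

# Constructed sample data: documentation IP ranges, invented device name.
POLICY = Policy(frozenset({"LT-FIN-042"}), ("198.51.100.0/24",),
                frozenset({"US"}), (time(7, 0), time(19, 0)))
SESSION = [
    Context("LT-FIN-042", "198.51.100.17", "US", datetime(2022, 3, 1, 9, 5)),
    Context("LT-FIN-042", "198.51.100.17", "US", datetime(2022, 3, 1, 9, 40)),
    Context("LT-FIN-042", "203.0.113.8", "NL", datetime(2022, 3, 1, 9, 41)),  # context shift
    Context("LT-FIN-042", "198.51.100.17", "US", datetime(2022, 3, 1, 9, 50)),
]
```

With this session, `connect_time_only` allows all four requests, while `continuous` denies the third request and everything after it, and `violations` names the factors that changed.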
ZTNA capabilities are a key component of a Secure Access Service Edge (SASE) network security architecture. Combined with a full-featured SD-WAN solution like Barracuda CloudGen WAN, you get comprehensive security and control over data, performance optimization, simple and secure remote access, and more. SASE provides high security against the identity fraud that is becoming increasingly common now that so much personal data has been stolen.
Guard your identity
Apart from attacks on organizations, identity theft and fraud frequently have terrible impacts on individual victims: Bank accounts wiped out, credit ratings ruined, massive debt accumulation.
The Houston Police Department has published a useful list of 10 ways to protect yourself. The main thing is to be aware of all the ways in which your data may be exposed. Do what you can to minimize exposure, and monitor your credit-card statements and credit reports closely.