Fraud has been part of our history for centuries, from the most rudimentary scams, such as the well-known Pigeon drop or Spanish handkerchief, where fraudsters take advantage of people’s good faith to exchange counterfeit banknotes for valuables, to the most elaborate scams. What these crimes have in common is the criminals’ ability to manipulate their victims and take advantage of their trust.

Today, these methods have evolved, adapting to the digital environment. Just as in the past, fraudsters were able to deceive with a simple banknote, today’s cybercriminals use technology to steal their victims’ identities and commit crimes in their name. This leap from physical fraud to the digital world has made digital identity fraud a growing concern in an environment where our lives are increasingly interconnected.

What is digital identity fraud?

Digital identity fraud is the usurpation of a person’s identity in order to use it to carry out criminal acts in the victim’s name (theft, obtaining private data, cyberbullying, etc.).

It is currently one of the biggest concerns of technology users, who are increasingly aware of privacy and the protection of their data when interacting on social networks or shopping online. And they have good reason to do so, as more and more users are reporting identity theft.

This type of fraud is particularly dangerous because, in many cases, victims are not aware of the theft until it is too late when their data has already been used to commit a sensitive crime or has caused financial or reputational damage that is difficult to repair.

How does digital identity fraud occur?

Identity theft in the digital environment can happen in various ways, all taking advantage of vulnerabilities in systems or in users themselves. One of the most common ways is through the use of social engineering techniques, where fraudsters persuade victims to disclose sensitive information, often by sending fraudulent emails or creating websites that mimic legitimate entities.

Furthermore, fraud can occur through direct data theft on platforms that store personal information, such as social networks, banks or e-commerce as discussed above. In these cases, cybercriminals can use methods such as phishing or spoofing to access private accounts and impersonate their owners.

It is essential to be informed. Here are 6 things you need to know about digital identity fraud.

1. What are the most common types of identity fraud?

There are various forms of digital identity fraud that seek to exploit users’ trust or lack of knowledge. It can be very easy for a criminal to get hold of your details online. These are the most common types of identity theft:

Spoofing

Spoofing is an identity theft technique that we can call hacking. It exploits various technological vulnerabilities to impersonate another person with the aim of stealing private information or gaining access to protected platforms. Although there are different forms of spoofing, they all have in common the creation of a false identity convincing enough to fool victims.

Any digital channel can be susceptible to identity theft through spoofing. The most common spoofs are:

Email spoofing

Email spoofing is one of the most common forms of email spoofing. It involves manipulating the email header to make it appear to come from a legitimate source when, in fact, it has been sent by an attacker. This method is particularly dangerous when used to distribute malware or trick the victim into handing over sensitive information.

A recent example is the rise of emails purporting to be from popular services such as PayPal or Amazon. These emails warn the user about a problem with their account and invite them to click on a malicious link. The user, believing they are interacting with the legitimate platform, enters their credentials, which are immediately captured by the criminal.

Web spoofing (fake sites that look real)

Web spoofing involves creating an almost exact copy of a website to trick users into stealing their passwords. The process usually starts with an email or message that includes a link that redirects the user to the fake page. These pages are often so convincing that they even include SSL certificates, giving the appearance of being secure.

A recent case involved a fake Netflix website, which asked users for their login and payment details, claiming there was a problem with billing. Users who entered their details sent them directly to cybercriminals, who then used this information to access their legitimate accounts or perform fraudulent transactions.

DNS spoofing

DNS (Domain Name System) is the system that translates domain names into IP addresses so that browsers can load the correct websites. In DNS spoofing, attackers manipulate DNS entries to redirect the user to fraudulent sites without the user realising it. Often, these sites mimic critical pages or platforms to obtain login details or financial information.

For example, in 2022, users of several European banks were redirected to fake websites that captured their banking details. This type of attack is particularly insidious because it does not rely on the user making a mistake; the whole process occurs in the background of the system.

ARP and IP spoofing

Address Resolution Protocol (ARP) spoofing is a technique that allows attackers to intercept network traffic between two devices. This type of attack is common on public Wi-Fi networks, where cybercriminals can impersonate the router to which the user is connected and thus capture all data traffic, including passwords and credit card details.

In a case reported in 2021, cybercriminals were found to be using IP spoofing at airports to capture the data of passengers connecting to the public network. Once they gained access to the data traffic, they were able to steal sensitive information or even install malware on victims’ devices.

Pishing

A method of identity theft that involves tricking users into sharing sensitive information (such as credit card numbers, national insurance numbers, passwords or codes) by impersonating a trusted person, entity or company that provides security to users. It is named after fishing, where the bait is set for the prey to bite in order to obtain the booty so desired by the cybercriminal. The term ‘phishing’ is derived from the word ‘fishing’, which refers to the practice of casting a hook to catch prey. In this case, the prey is the victim who ends up sharing valuable information.

Nowadays, various methods are used to execute phishing.

• Phishing via mass emails: In this type of attack, criminals send messages to a large list of recipients with the aim of deceiving as many people as possible.
• Spear phishing is characterised by the personalisation of the message. Instead of sending generic emails, the attacker creates messages specific to a person or a company, thus increasing the likelihood of success.
• Cloning phishing involves replicating legitimate emails that may include malicious attachments designed to infect the user’s computer.

Pharming

Pharming is a digital fraud technique that shares similarities with phishing but differs in its method of execution. Pharming relies on the spoofing of emails or web pages to obtain sensitive information from the user. Attackers redirect web traffic to their fake sites, often by installing viruses or Trojans on victims’ devices or by using fake DNS servers. This type of attack is usually more difficult to detect, as users may not realise that they are visiting a fake website instead of a legitimate site.

2. How to avoid the risk of identity fraud?

It is hard to say, but while surfing the net, you are never 100% sure. Therefore, the best advice is to be cautious and always be on the lookout for suspicious emails or websites.

Even so, there are tips that will certainly help mitigate the risk of being phished for illegal purposes:

• Check that the URL being used is reliable and comes from the provider with whom you are communicating.
• Use an antivirus that can detect malware in order to minimise the effects of an attack.
• Secure your connection and try to avoid using public Wi-Fi.
• Before taking any action or executing any downloadable or attached file, verify that the sender of an email is someone you can trust.
• Check the web page you are accessing is where you want to go, especially if credentials or confidential data will be used.
• Do not open links that look strange, and hover over them to see the actual URL.
• Look for the website’s digital certificate. It is usually found to the left of the search bar.
• Be especially careful when surfing websites that contain our financial or personal information, which is the most vulnerable.
• Regularly monitor the movements of your bank accounts and credit cards.
• If you are a company, it is always advisable to use secure hosting and payment gateway services and install complementary security tools for your website or digital shop.
• There are procedures for stealing personal information in person in our daily lives, such as manipulating ATMs or cloning credit cards, so you should always be cautious.
• If you have lost your ID card or been the victim of theft, you should report the incident as soon as possible.
• Use strong passwords containing lowercase and uppercase letters, digits, and characters. Similarly, avoid using passwords that can be guessed because they are related to your life (your pet’s name or a special date).
• Periodically renew the access credentials to your platforms.
• Do not use the same password for all platforms. If one platform is breached, all of them will be breached.

3. What are the legal consequences of impersonating someone?

Impersonation is a serious crime with significant legal consequences. Depending on the seriousness of the fraud, penalties can vary:

• Prison: The prison sentence for identity fraud can range from 6 months to 6 years in Spain, depending on the seriousness of the case. This sentence depends on several factors, including breach of privacy, theft of personal information and actions carried out in the name of another person.

• Determining factors in sentencing:
  • Type of offence: whether the fraud is related to other crimes such as identity theft or financial fraud.
  • Benefit obtained: Whether the offender derived any financial or personal benefit from the offence.
  • Damage to the victim: Material, psychological or legal damage caused to the victim is considered in sentencing.
  • Recidivism: If the offender has committed this offence before, the penalty may be more severe.
  • Compensation: Victims of identity theft are entitled to compensation for the damage caused. It includes material damage, psychological damage, and legal problems that have arisen, such as being included on lists of defaulters.

4. How do you know if your identity has been impersonated?

It is difficult to detect whether you have been a victim of identity theft until negative consequences occur. However, there are some signs that may indicate that your identity has been stolen:

• Suspicious bank movements: Charges or withdrawals on your accounts that you don’t recognise.
• Unauthorised purchases: Charges on your credit cards that you have not made.
• Security notifications: Alerts of data breaches or suspicious access to services you use.
• Denial of credit services: Credit or loan applications are rejected because of a compromised financial history, even if you are not in default.
• Suspicious activity on social media: Photos of you or unknown information on profiles you did not create or access to your account.
• Undue collections: You receive emails, calls or letters demanding payment of debts that are not yours.

5. What to do if your identity has been impersonated?

If you have been a victim of identity theft, it is crucial to act quickly. The first thing you should do is gather all relevant information to support your report, such as unrecognised charges, purchases you did not make, suspicious emails or screenshots of any irregular activity. With this information in hand, the next step is to file a report with the authorities as soon as possible. Speed is key to limiting damage and starting a formal investigation.

In cases of bank spoofing, the priority is to immediately cancel the affected cards and block the accounts involved. Contacting your bank to handle complaints and obtain further details is essential to prevent future financial inconvenience. If the impersonation has occurred on social media, report the incident directly to the affected platform. Although the networks have specialised teams for this type of problem, the process can be slow and unclear in terms of resolution.

If you have an insurance policy that covers damages resulting from phishing, notify the insurer of the incident as soon as possible, providing them with all the evidence collected to speed up the compensation process.

6. How can you prevent identity fraud in your company?

Digital identity fraud in business often occurs when a customer uses a third party’s data to take advantage of a service or register. To prevent this type of fraud, it is essential to implement a comprehensive data verification system. Be sure to check the information provided by new customers in detail: name, date of birth, signature, and above all, verify the authenticity of the documents presented. It is vital to confirm that the person submitting the documents corresponds to the identity reflected in them.

At Mobbeel, our goal is to ensure secure and reliable digital transactions, allowing companies to effectively and effectively verify the identity of their customers in a few seconds with a good user experience. With our MobbScan solution, you can scan identity documents to validate their legitimacy and confirm, if necessary, that the person presenting them is who they claim to be.

If you want to know more about MobbScan, our KYC solution to avoid digital identity fraud, do not hesitate to contact us.

PRODUCT BROCHURE

Discover our identity verification solution

Verify your customers’ identities in seconds through ID document scanning and validation, and facial biometric matching with liveness detection.