Understanding Identity Theft

What is identity theft? 

Many people associate cyber crimes with online scams such as phishing emails. However, most identities are stolen using low-tech methods. There are many ways thieves obtain your personal information:

  1. Phishing/spam: They send an email or pop-up message that looks like it came from a real bank or credit card company asking for identifying information. (This is called phishing.)
  2. Social engineering/pretexting: They pose as legitimate business or government officials to obtain your personal information from financial institutions, telephone companies, and other sources.
  3. Shoulder surfing: They watch you from a nearby location as you type in your password or credit card number, or listen in on your telephone conversation.
  4. Hacking: They gain unauthorized access into computer networks where information is stored.
  5. Old-fashioned stealing: They steal wallets and purses, mail, computers not protected with passwords, mailed bank and credit card statements, pre-approved credit offers, and new checks or tax information sent through the U.S. Mail.
  6. Dumpster diving or trash rips: They rummage through communal or business trash to obtain copies of your checks, credit card or bank statements, or other records that typically bear your name, address, or telephone number.

Guarding yourself against identity theft

Prevention is the best defense. Try following the suggested precautions below:

  • Don’t give out personal information on the phone, through websites, or in email unless you are sure you know whom you are dealing with. Yale ITS will NEVER ask you to send information about your account such as passwords or other sensitive personal information via email.
  • Never click on links sent in unsolicited emails.
  • Use strong passwords, and change your important passwords annually. Don’t use your Yale password for non-Yale activities (social media sites and other email accounts like Gmail). Use a unique password on each site you log in to (your bank password should be different from your email password, which should be different from your investments password). Store passwords in a password keeper utility like KeePass, and back up that password keeper. Use multi-factor authentication on every sensitive site you log in to.

Securing physical documents 

  • Don’t carry your Social Security card or write your Social Security number on a check. Provide your Social Security number only if absolutely necessary; you can always ask to use another identifier like a Connecticut driver’s license number.
  • Minimize the ID information and number of credit cards you carry.
  • Keep your personal information in a secure place at home.
  • Do not authorize others to use your credit cards.
  • Protect areas where your mail can be stolen. Secure mail receptacles and promptly remove your mail. Deposit outgoing mail in post office mail boxes.
  • Never leave receipts at bank machines, bank windows, trash receptacles, or gasoline pumps.
  • Sign all new credit cards with “Photo Identification Required.”
  • Shred documents like pre-approved credit applications, receipts, bills, and other financial information.

Protecting your identity from “Phishing” Schemes 

Phishing is a social engineering attempt in which well-designed, legitimate-looking emails and pop-up messages lure victims into revealing their username, password, credit card number, Social Security number, or other sensitive information. Phishing messages look like the kind of communication you would expect to get from institutions you trust. Messages used in phishing scams are often identical to those used by the banks, schools, and merchants you deal with.

However, you should never trust unsolicited email or pop-up messages that ask you to confirm, validate, or update your information by responding to the email or by following a link.

What to do about phishing or other suspicious email messages:

  • Never reply to any message or email that asks for your NETID, password, account information, or anything else that would be considered sensitive information.
  • If you believe a message is a phish, please forward the message, along with the full headers, to helpdesk@yale.edu. If you aren’t sure, the most efficient way to get help is to call the help desk when you are at the computer.
  • Never click on a link in a message. Never call phone numbers that are provided in messages that ask for personal information.
  • Delete suspicious messages.
  • Don’t open or click on attachments.

Yale University ITS will NEVER send a message to you asking you to validate, confirm, or update your personal information and passwords.

Always be suspicious of requests for personal information that come via email, particularly requests for passwords, banking information, or wire transfers of money, even if the request seems to come from a good friend.

Example of a FAKE login screen: Why is this CAS login fake? Can you tell?

Secure.its.yale.edu looks right, but the site name doesn’t end there: the full name of the site is secure.its.yale.edu.ezproxy.in. This site does not end in yale.edu and is therefore not a Yale website.

How to tell if a webpage is secure 

“Secure pages” are special web pages through which data can be sent in a coded or encrypted format. Secure pages are often used for transmitting passwords, credit card numbers, or other personal or financial information. Whenever a web page asks you to supply your password, credit card information, or other personal information, always check to be sure that the page is secure.

There are two quick ways to tell if a web page is secure:

1. Look for the “https” in the URL address line at the top of the browser window.

2. Verify that the site you are going to is legitimate. Carefully review the website address (URL). If it doesn’t look legit, don’t open it.
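
The two checks above, and the rule from the fake CAS login example (the site is named by where the host name ends), can be expressed as a short script. This is an added example, not Yale ITS code; the function name checkLink, the /cas/login paths, and the example.com and notyale.edu links are constructed for illustration.

```javascript
// Added example: apply the page's two checks to a link before trusting it.
// TRUSTED_DOMAIN and every sample link below are constructed for illustration.
const TRUSTED_DOMAIN = "yale.edu";

function checkLink(link, trustedDomain = TRUSTED_DOMAIN) {
  let url;
  try {
    url = new URL(link);
  } catch {
    return { ok: false, host: null, reason: "not a valid absolute URL" };
  }
  // URL.hostname is lower-cased and excludes any "user@" prefix and port,
  // so it is the name the browser will actually connect to.
  const host = url.hostname.replace(/\.$/, ""); // drop a trailing root dot
  // Check 1: the address must start with https.
  if (url.protocol !== "https:") {
    return { ok: false, host, reason: "not https" };
  }
  // Check 2: the host must END in the trusted domain, on a dot boundary.
  // A plain "contains yale.edu" or "ends with yale.edu" test is not enough.
  const trusted = host === trustedDomain || host.endsWith("." + trustedDomain);
  if (!trusted) {
    return { ok: false, host, reason: `host does not end in ${trustedDomain}` };
  }
  return { ok: true, host, reason: "https and host ends in trusted domain" };
}

const samples = [
  "https://secure.its.yale.edu/cas/login",            // genuine form
  "https://secure.its.yale.edu.ezproxy.in/cas/login", // the fake from the page
  "http://secure.its.yale.edu/cas/login",             // right host, no https
  "https://secure.its.yale.edu@example.com/cas/login", // real host is example.com
  "https://notyale.edu/login",                        // ends in the letters only
];
for (const s of samples) {
  const r = checkLink(s);
  console.log(`${r.ok ? "OK  " : "FAIL"} ${s} -> ${r.host} (${r.reason})`);
}
```

Only the first sample passes; for each of the others the printed host and reason show which check failed.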