Risk managers often spend so long looking at macro risks, but what about your own personal worth? KPMG associate director, cyber security, Sarah Roberts delves into the murky depths of the dark web to find your personal worth.

Have you ever stopped to think about the value of your personal identity if it was stolen?  You may be surprised at the answer.

I was recently asked about identity phishing scams targeting the elderly. Whilst anyone can fall victim, the elderly are one of the more vulnerable groups in the community, as scams become increasingly sophisticated.

How can it happen?

There are a myriad of ways personal identity information can be stolen, including:

Hacking – when the perpetrator is able to penetrate the defences of your personal device (computer, mobile, tablet, etc.) via means such as spyware, malware, flaws in security settings, or connections to open or compromised WiFi networks.

Phishing – two of the more common ways are as follows.

  1. Call or text where the perpetrator impersonates a legitimate third party and requests personal information, such as credit card details, bank account numbers or a PIN, or asks you to make a payment.
  2. Also called “remote access scams”, where the perpetrator claims, via a call, email or some other ‘notification’, that there is a virus or some other software issue that could lead to you being hacked. The perpetrator will ask you to enable remote access to your computer so the problem can be ‘fixed’ (typically by installing some remote access software). This gives them access to your computer while they ‘fix’ it, and the perpetrator may also try to convince you that a payment needs to be made for the service or for some software to remedy the problem.

Inappropriate security on social media – perpetrators look for social media accounts with a lack of protection and a high amount of shared content, from which they can ‘rebuild’ the individual’s personal profile.

Lonely hearts scams – where the perpetrator attempts to use emotional deception to influence people looking for romantic partners into providing personal details (or money or gifts).

How much is it worth?

When personal identification information is stolen, it’s usually either sold on via the Dark Web (or other means) or used in more sophisticated scams. Recent research shows that the value of personal identification information can vary significantly, depending on the nature of the information stolen. For example:

  • a driver’s license – $20
  • credit or debit cards – $5 to $110[1]
  • medical records – $1 to $1,000[2]

Interestingly, other research has shown that the average price of stolen passports ranges significantly depending on what is available.

  • a digital passport scan is $14.71[3]
  • if proof of address or secondary ID is added the price jumps to $61.27
  • a counterfeit, physical passport is $1,478
  • a real, physical passport is $13,567.

Perhaps unsurprisingly, like any other legitimate online marketplace, there are also volume or package ‘deals’ available.

The variance in prices reflects the relative value of how different types of information may be used. For example, the impact of a compromised credit card may be limited to unauthorised purchases.

However, with enough personal information, malicious activities can quickly escalate to setting up new credit cards, obtaining personal finance, or undertaking other unauthorised transactions. This can often go undetected by the victim for an extended period, potentially months or even years. Sometimes the person is only alerted when they receive a letter in the post advising them that a credit agency is chasing them for the outstanding monies.

What can be done about it?

As the old adage says, “prevention is better than cure”. One of the most effective ways to combat this risk is by simply having a conversation, especially with those people in your family or friendship groups who may be less tech savvy or unfamiliar with how these scams are perpetrated.

It’s important to highlight that scams are becoming more prevalent and that anyone can fall victim. All it takes is a moment of weakness or a highly sophisticated and motivated attacker. People should be encouraged to talk about it and not feel shamed, as the earlier the alarm is raised the sooner action can be taken to help reduce negative impacts.

If you or someone close to you falls victim to a scam, there are some immediate steps that can and should be taken. These include contacting your relevant financial institutions, law enforcement and/or changing credit cards or account password details. Further, for key accounts, two-factor authentication (2FA), where a generated PIN is accessed via text or a separate authentication app, should be used to reduce the ability of perpetrators to access or seize control of accounts.

For more information, both the ACCC’s Scamwatch website and ASIC’s MoneySmart website have some good information about how your identity may be stolen and what to do if it happens.

[1] Depends on value of the card and extent of information available (bank info, CVV, “fullz info”).

[2] Depends on the completeness of the records as well as if it’s a single record or part or all of a database.

[3] Australian passport scans were the most common but also more expensive on average at $32.00.