Innovation, Cybersecurity, and Technology (H) Committee
Thursday, August 15, 2024
11:00 AM CDT
McCormick Place Convention Center—Grand Ballroom—Level 1
Back to Insurance Topics
Identity Theft
Background
Last Updated: 9/25/2024
Identity theft occurs when someone uses your personal or financial information fraudulently, oftentimes for their financial gain. This information can include:
-
Names and addresses
-
Credit card or Social Security Numbers
-
Bank account numbers
-
Medical insurance account numbers
Identity theft remains on the rise, according to the Consumer Sentinel Network, approximately 5.3 million consumer reports were filed in 2023, 48% were for fraud and 19% for identity theft. 40% of identity theft reported was the result of credit card fraud, followed by miscellaneous identity theft at 25%, which includes e-commerce, payment account, email and social media fraud.
The most common types of identify theft in 2023 included credit card fraud (new accounts); miscellaneous identity theft; bank fraud (new accounts); Govt benefits and business/personal loan fraud. Identity Theft Methods: Criminals can access your personal or financial information using a variety of technological or non-technological methods. Technological methods use tools, such as the internet, email, text messaging, phone calls, etc. Some common types of technological methods are
Phishing: This is one of the most common methods criminals use to trick you into plugging in your personal information on a different platform where the attacker then obtains information. These attacks can happen through emails, text messages, etc. The most common form of phishing is called pharming. Pharming is an attack where the criminal tampers with a website host file, and then provides you with a link to a fake website. The trick is that the fake website is made to look as if it were a real and trustworthy website, making the victim more apt to provide their personal information.
Man-in-the-Middle Attack: This method involves the interception of communication between two parties. This can happen when making an online search for the URL address of a company. When clicking on this type of link, the website of this "company" will then direct you to a different URL address. For example, when logging into your online bank account, you will be directed to a fake website mirroring the real site. Once your bank account and any other personal data are successfully entered in the website, this information is then re-directed to the criminal.
Skimming: Skimming is a criminal act where information can be obtained, with just the swipe of a debit/credit card. The first way this is possible is swiping your card in an altered electronic card reader, allowing all the information on the card to be sent to another electronic storage device in which only the criminal can see. The main objective of this act is to obtain the victim's debit/credit card information to further copy their card and use it for their own purchases. Other ways skimming happens can be through a recording device at an ATM machine, or even a salesman that swipe your card on his or her personal digital card reader.
Deepfake: Deepfake identity fraud is a rising concern with the increase in AI-enabled fraud. Deepfakes utilize a generative adversarial network, or GAN, a facial recognition software, to mimic/replace one's face with another, granting them the ability to imitate someone else. According to AuthenticID’s 2024 fraud surveys, deepfakes can be so convincing that 90% of people couldn’t identify a real face in a lineup of deepfake portraits. Deepfakes are most commonly used to spread misinformation, corrupt reputations, or gain access to financial assets.
Non-technological methods include:
Dumpster Diving: Dumpster diving is an act where the criminal obtains personal information by simply sifting through another person's garbage which often contains utility bills, bank statements, medical insurance and other correspondence with confidential information.
Mail Theft: This is simply an act where the criminal goes through different people's mailboxes to try and snatch anything they can use to steal your identity. An identity theft criminal sometimes goes the extra step to even re-route your mail without you ever knowing.
Shoulder Surfing: Shoulder surfing can occur at any time when plugging in a pin number, or secret code. The criminal will proceed to get closer to you, as he tries to read your secret code over your shoulder without you knowing. This can also happen through the lens of a secret camera set up by the identity thief.
Actions
The NAIC and state insurance regulators are increasing efforts to tackle identify theft issues. In 2015 the Cybersecurity (EX) Working Group, Property and Casualty Insurance (C) Committee and the Financial Condition (E) Committee collaborated to develop the Cybersecurity and Identity Theft Insurance Coverage Supplement for insurer financial statements to gather financial performance information about insurers writing cyber-liability coverage nationwide.
In 2017 the NAIC adopted the Insurance Data Security Model Law (#668). A key provision of the model requires licensees to notify consumers when their data was involved in a cybersecurity incident. Consumers may then take steps to protect themselves from identity theft. To date, over half of states have adopted the model.
The Cybersecurity (H) Working Group is charged with monitoring cybersecurity trends related to the insurance industry and supporting state insurance departments in responding to insurance industry cybersecurity events.
If you are a victim of identity theft, please visit https://www.identitytheft.gov/and follow the steps provided.
If you get a phishing email forward it to the Anti-Phishing Working Group at reportphishing@apwg.org
If you get a phishing text, forward it to SPAM (7726)
Meetings
View upcoming meetings or use the completed tab to view the last 150 days.
Committees Active on This Topic
Working Groups
Contacts
Media queries should be directed to the NAIC Communications Division at 816-783-8909 or news@naic.org.