It may start with a few stolen details online, but it could result in thousands of dollars missing or worse, a reputation down the drain.
Netsafe data shows incidents of identity fraud in New Zealand increased by 86% over the financial year of 2020 and 2021, while incidents of investment fraud have risen by 37% over the same period.
The 2022 Norton Cyber Safety Insights Report also found that more than a fifth of New Zealand adults surveyed experienced identity theft, compared with 16% in 2020.
The report found that the majority of identity theft victims (95%) experienced some impact, such as freezing their credit cards (47%), time spent resolving the issues created (33%), or having money stolen (29%).
Rizwan Asghar is a senior lecturer of computer science at the University of Auckland, specialising in cybersecurity.
He believes the pandemic has increased the amount of identity fraud.
"When we were going into the office, it was easy to check if the IT admin or my manager or someone from the organisation was asking you to do something. It was much easier to double-check because we're there in person," he says.
"But with online, you never know. If you don't pay attention to where this information is being sent when you reply, this may result in identity theft as well."
"It is much easier to commit identity theft online or in cyberspace compared to the traditional settings," he says.
Ian Welch is an associate professor in Victoria University's school of engineering and computer science. He's also the lead of Owhiti, the university's cybersecurity group, and he agrees that COVID-19 has led to increased phishing attacks and, ultimately, identity theft.
"The big thing that was observed overseas, I'm not sure if we saw it so much here, but for instance in the US where they got some monetary support, there were lots of people sending our fake, 'you're entitled to this, simply send us all these details' emails," he says.
"There's definitely a change, they're making use of that fear and uncertainty that we all face around these times."
Welch believes the current figures might not reflect the actual scale of the problem.
"I can well believe this is underreported because people don't always realise and there can be a bit of stigma associated with it. Also, I think that anecdotally that some people discount it, I've had this weird charge to my card but the effort of chasing it up outweighs the risk," he says.
So, as more of our lives move online, what can be done about identity theft?
Obtaining someone's personal information isn't a crime - using it is
CERT NZ explains identity theft becomes a crime when someone uses the information they've taken to get something they're not entitled to, like a credit card, passport or driver's license.
It says even "basic information like your name, date of birth, and address can be enough for someone to impersonate you."
In most cases, identity theft is committed for financial gain, and the victim might not realise it until, as CERT NZ explains:
- they see that someone else has logged into, and is using, their social media accounts.
- they get bills or invoices for things they didn't order.
- they see charges on their bank statements or credit card for things they didn't buy.
- they get turned down for a loan because their credit rating shows they haven't been paying their bills.
- a debt collector contacts them.
Welch points to a recent example where Christchurch man Philip Nicholson had his credit score wrecked, dropping from 900 to 300 after his Flight Centre Mastercard was stolen by identity thieves, who then went on a spending spree.
"They had managed to somehow get access to his account then changed his security questions - those questions like, where we were born, who are parents are, where did we grow up, all that kind of stuff, which can be quite easy to guess in some cases where people reveal too much information about themselves," says Welch.
"They (the thieves) changed his contact address and his email and his phone number so this meant that he wasn't receiving his statements, and he didn't see any transactions on it any kind."
How to protect yourself from online identity theft
Welch says there are several things people can do to prevent their identities or personal information from being stolen, such as checking bank statements.
He says if someone suddenly isn't receiving their bank statements, credit card statements, or other accounts regularly, that could be a worrying sign. But Welch acknowledges that's harder because it's checking absence rather than existence.
The associate professor says he found out about online theft after checking his bank statements.
"Me and my partner, we had somebody buying some auto car parts on our credit card somehow, which is kind of ironic since we didn't at that point actually own a car," he says.
Norton's report also found that of those who experienced identity theft, 43% discovered the theft themselves, most commonly by monitoring their financial accounts online (18%). In addition, more than one in three were notified about their identity theft by an external source (36%), with more than one in five (21%) saying they were told by their bank or credit card company.
Welch says another thing people can do is to run a regular credit check on themselves, and in New Zealand, some websites do free credit checks.
"That sounds like a really worthwhile thing because if someone's stolen your driver's license and some other information, and they get a loan in your name, you're not going to be receiving the statements for those because it's set up under another email and another identity," he says.
There are also mechanisms in place in banks and credit card companies to catch identity thieves. Two-step authentication helps, but Welch says recognising behaviour is a big one, and often AI is used to detect different patterns. For example, he explains that they might look for a burst of transactions in a short time at places the customer doesn't usually shop at.
Welch says sometimes the thieves also buy small purchases to test the card.
"People can buy stolen credit cards on the dark web nowadays, probably on Discord, because you can set up a Discord server and there are there groups for this kind of thing, even in New Zealand," he says.
"They'll sell these credit card numbers and they'll say, 'Oh, well, we've tested them with these small amounts'".
Another tell is purchases in global locations, although Welch says this identifier might not be as effective now with more and more people travelling internationally.
"It used to be that suddenly they ring you because your credit cards are being used in a different country. But nowadays, that happens all the time," he says.
That's where checking behaviour is still the best mechanism. Asghar says generally, most organisations have that kind of system in place.
"The real problem is very small organisations. They may not have the resources to have these sophisticated systems in which case they have to think about the extent of data they are storing," he says.
Welch says simply talking about it with friends and family can also be important. He says about three years ago, the university conducted a study where they ran some phishing attacks on an organisation as an experiment.
"We found that some of the phishing was detected because people actually got together and had a coffee together. They were like, 'did you get this really weird email from our local coffee provider?'," says Welch.
"This social aspect actually helped. And I do wonder whether we lost that to some extent. You can have that recreated online, of course, through social networks of various sorts, but maybe people are more willing to share these things in person."
The future of identity theft
Welch says synthetic identities are the next level of theft, where people generate deep fake identities, using things like AI to scam victims. He says algorithms are being used to create synthetic faces so that they look believable and they don't match anybody in the world, defeating reverse image searches.
"They create these synthetic identities with information that you can't just check easily. It sounds like a really long con where you set up fake Facebook profiles and things like that," he says.
"It's quite troubling - these sorts of cons always went on in the past, but now we're starting to automate them. It's a step up from the old Nigerian prince scam."