Hacker typing on keyboard showing personal data theft, identity theft

Identity Theft Report: Social Media Account Takeovers up 1,000% As 40% Of Personal Data Theft Victims Saw Their Information Misused

The Identity Theft Resource Center (ITRC), a San Diego-based nonprofit that has been providing assistance to victims of identity theft since 1999, is sounding a warning of major increases in certain types of personal data theft along with more complex attacks and scams.

The most eye-popping item from the group’s annual 2022 Consumer Impact Report is a 1,000% increase in social media account takeover attacks in 2021. Criminals coming back for more money is also an increasing problem in the wake of a compromise, as they appear to be focusing in on identities from which they were initially able to steal a significant amount. And there is an overall increased probability of personal information being misused if it is lost in a data breach.

Personal data theft issues taking longer to resolve

The ITRC surveyed a total of about 1,600 victims of personal data theft. 40% of these victims say that their personal data was stolen, compromised or misused during the period of April 2021 to March 2022.

There are some small pieces of good news from the survey: the number of repeat personal data theft victims appears to be down somewhat, as is the average amount of money lost in incidents for most victims (under $500). However, about 50% of the survey respondents say they were victimized more than once. And criminals appear to be focusing on the most lucrative targets, as the amount of people that lost at least $10,000 to personal data theft jumped from 9% of respondents in 2020 to 30% in 2021.

Victims are also reporting more complex attacks that take longer to resolve. The majority (55%) say that their personal data theft incident went unresolved in the previous year, a substantial increase from the 37% that reported this in 2020. This complexity and the drawn-out remediation process appears to be accompanied by an increase in stress, with 24% more reporting some sort of physical health impact due to the incident. A little over two-thirds of victims now say they experience a physical or mental health issue as a result of the theft.

The overall reduction in the average financial impact may be attributed to an increase in victim awareness of defensive measures and swift response to notification of personal data theft; there has been an increase in those that both freeze their credit after hearing of a breach and obtain an identity protection PIN number from the Internal Revenue Service (IRS) for tax purposes.

Major increase in criminal activity on social media

The ITRC report adds more evidence to a growing body indicating that cyber criminals are running wild on social media platforms, with a 1,000% increase in account takeovers in just a year’s time.

Surprisingly, the victims in this survey overwhelmingly said that they were being targeted on Instagram. 85% said that they had their Insta account compromised during the survey period. This is interesting as there have not been any recent major breaches of Instagram that involved leaked credentials, indicating that scammers are very active individually targeting people on the platform. Facebook and Twitter have also seen documented upticks in this sort of activity recently, and 25% of respondents said that they had a Facebook account compromised during the period.

48% of the social media victims said that they followed an attack link that appeared to come from a friend on the platform. 22% said that they were taken in by a crypto scam, another area of cyber crime that really ramped up during the pandemic period as home-bound people began to dabble in the markets for the first time. And while social media account takeovers are often thought of more as a nuisance or an attempt to perpetuate scams than a means of theft, 51% of the respondents said they lost either personal money or sales revenue when the account was hijacked.

Social media platforms (and general cloud-based “free” services) have also developed a general reputation for being unresponsive to customer issues, something echoed by the survey participants. 70% say they remain locked out of a lost social media account, and 67% say the attacker has continued to post as them since taking it over.

The social media activity is contrasted with only a relatively slight uptick in personal data theft of government credentials and accounts; this category saw a huge jump of 154% going into 2021, but only a 7% increase in the prior year. Criminals may be increasingly viewing social media as a low-hanging fruit that can be used for profit in a variety of creative ways, ranging from passing malware to trusted friends to posting cryptocurrency and confidence schemes to account followers.

The study did not delve into personal security measures or specific reasons for the data theft, but Melissa Bischoping, Director at Tanium, adds some general advice for protection from common attempts on personal and social media accounts: “Often times, theft of personal information and identity theft comes as a result of a breach for a site or service that a consumer does business with and not as a direct result of targeting the information. This may be additionally distressing when the consumer has done all the “right things” to protect themselves with secure password management, multi-factor authentication, and awareness to avoid falling victims to scams. As if the theft of data wasn’t violation enough, consumers may find themselves victims of financial fraud that has long-term consequences including the loss of their homes or jobs. Theft of personal data will continue to occur as long as it is profitable and successful for criminals.  I recommend consumers treat personal data like they would other valuables — prevent access to it when you can, and monitor for access when those preventions fail. Locking your credit report, setting up an IRS PIN, and freezing credit cards you do not actively use is a great, free first step.”