
Protect your information

 

 

 

Data breaches involving personal information result in a broad range of risks to individuals and organizations. This includes identity theft, targeting of individuals with knowledge of sensitive government information and internal business processes, and other intelligence activities that use personal information of U.S. citizens to undermine national security.

 

It is in our collective interest that we take actions to limit the risk of our personal information being exploited, and that we are able to recognize any indicators that we may be the target of such activities.

 

Confirmation that your personal information has been accessed in a data breach is not a guarantee that your information will be misused or that you will be targeted for further exploitation. However, it is important to remain mindful of the risk of such misuse or exploitation.

 

The following information is provided to raise your awareness of this possibility and to help you understand how your personal information may be used by foreign intelligence services and other “bad actors” (extremists, criminals, hackers, and the like).

 

The information below is provided to raise awareness and provide guidance for mitigating risks; it is not intended to indicate that the government has observed particular adverse effects from data compromises.

 

 General Awareness & Protection Guidance

 

All individuals potentially affected by a breach should be wary of suspicious activities indicating their personal information has been or is being exploited, and follow these protective measures, including:

 

Social Engineering

 

Social Engineering is the term used to describe bad actors using information they have discovered either legally or illegally about you to gain your trust and extract further information or manipulate you to take actions you would not otherwise take.

 

Stolen personal information is highly valuable to cyber operators for social engineering, as it can be used to create a compelling illusion that you already know an individual or have a shared interest with them. It opens a means to contact you in either cyberspace or the physical world to foster that trust or do harm.

 

Examples of how bad actors may use your personal information for social engineering and other purposes include:

 

Phishing (or spear phishing) is a common method used to contact people through email. With phishing, bad actors use social engineering to target their victims and lure them into taking actions that could ultimately compromise their computer or network. Examples include getting a victim to open a malicious attachment or click on a bogus embedded link. Like other social engineering attacks, spear phishing takes advantage of a victim’s most basic human traits, such as a desire to be helpful, to respond positively to those in authority or to someone who shares similar tastes or views, or simple curiosity about contemporary news and events. Those who “take the bait” become unwitting participants in a computer network attack by allowing the attackers to bypass many of our technical defenses.

 

Phishing scams also trick you into providing your confidential information, which is then used to access your accounts. Typically this kind of fraud involves an email, text message, or pop-up window claiming to come from an official source.

 

Social Media Deception (including Facebook, Twitter, Google and LinkedIn) provides bad actors with an avenue to connect to their victims. Attackers may create a fake profile to befriend their victims while posing as a former acquaintance, job recruiter, or someone with a shared interest. Using a fake online persona, an attacker may try to get their victims to reveal more information about themselves or their employers, or they may simply collect more information about their victims from the victims' social media postings.

 

Human Targeting is often used by foreign governments to target individuals with access to information of interest to them. For instance, you may unexpectedly meet someone at a venue of interest, such as a conference or child’s school event, who shares your interests or views and establishes an ongoing relationship. Your new friend may test you by getting you to do seemingly small “favors” for them or getting you to talk about trivial work-related information. Over time, trivial information may lead them to information that is of interest.

 

Travel Vulnerabilities are greater than usual, especially if you are traveling outside of the U.S., as it is common for you to encounter unfamiliar people. Also, your guard may be down because you are traveling for vacation, training, or other relaxing purposes. Therefore, take extra precaution of:

 

Unsolicited Telephone and Text Messages can come from toll-free numbers, which can be set up quickly and sometimes exist solely for the purpose of capturing your confidential information, often simply by playing a prerecorded message about your accounts being in trouble. The message prompts you to enter your 16-digit account number. This is followed by a request for your PIN and other personal information. Or you may receive a text message or a phone call with a prerecorded message that describes an urgent situation that requires immediate action. The message may say, “Your account has been blocked. Please call 800-123-4567 to unlock it.” Before you realize you’re being scammed, you’ve given enough information to duplicate your card and access your accounts.

 

Identity Impersonation is acquiring key pieces of your confidential information, such as your name, address, birthdate, Social Security number, and mother's maiden name, in order to commit fraud. Identity Impersonation can be used as a tactic for corporate exploitation via the newly acquired identity. With this information, an identity thief can take over your financial accounts; open new bank accounts; purchase automobiles; apply for loans, credit cards, and Social Security benefits; rent apartments; and establish services with utility and phone companies, all in your name.

 

Reporting

 

To protect yourself and your family, we urge all affected individuals to exercise caution and remain vigilant to any events appearing out of the ordinary or suspicious.

 

If you believe you have observed activity related to a personal data compromise or suspect your personal information has been exploited, report your concern as soon as possible to your security office.

 

The appropriate Federal government sites may also be used to report specific incidents:

 

Videos

 

Know the Risk - Raise your Shield: Spear Phishing

 

Know the Risk - Raise your Shield: Social Media Deception

Know the Risk - Raise your Shield: Human Targeting

 

More Information

 

Additional information, as well as future resources, can be found at the ncsc.gov website, including: