Phishing Is the Tool, Ransomware Is the Payload: IBM 2022 Threat Intelligence Index

Phishing remains the top tool for criminals targeting businesses, while ransomware has become the most popular form of cyberattack, according to the IBM Security X-Force Threat Intelligence Index 2022. The report, which catalogs attacks recorded between January and December 2021, ahead of a rise in cyber attacks related to the war in Ukraine, offers some sobering statistics for business owners and cyber security professionals.

Phishing Is the Tool, Ransomware Is the PayloadPhishing accounted for 41% of intrusions in 2021

IBM found that phishing was the leading method of compromising security across all industries, and that it accounted for 46% of intrusions at financial institutions. Criminal organizations now offer Phishing as a Service (PhaaS) and have improved their techniques. IBM reported that phishing campaigns that included phone calls were 3 times more effective than non-call phishing campaigns, with a click rate of 53.2% of those targeted. Major technology brands, including Google, Apple and Microsoft were frequently used to create  phishing emails.

There are two concerning trends here. The first is the arrival of phishing as a service. When organized criminals start working on behalf of multiple clients, they can measure their success rates in the same way that legitimate businesses measure their marketing success. This will allow them to evolve strategies faster.

The second is the astounding 53.2% success rate for attacks that included phone calls.. A little persistence from a hacker should not cause your people to fall for the phish. Robust phishing awareness training becomes even more critical in the face of this threat.

Ransomware led all attacks

Ransomware accounted for 21% of attacks IBM observed and was the most common type of attack encountered in 2021. Those attacks escalated in 2022, as Microsoft noted in its Digital Defense Report. Hackers are not simply using ransomware to extort businesses anymore; increasingly, they use it to exfiltrate data and then wipe systems clean, removing all traces of their activity.

Facing a ransomware attack is bad enough, but the new trick for state-sponsored hackers is to simply erase all your business data without ever asking for a payment. In some cases, stolen data gets put up for sale on the Dark Web, while in other cases the damage to your cyber infrastructure is the intended result. The only remedy for this is to back up your data frequently, a process that benefits from the guidance of an experienced Virtual CISO. Even if you have in-house IT support, speaking with an expert on intrusions and recovery can help you develop protocols that will prevent permanent data loss.

Manufacturers were the top target

In a shift from 2020, manufacturing became the most-targeted industry for cyber criminals observed by IBM, moving ahead of financial services and accounting for 23.2% of all attacks. Ransomware was the most common attack unleashed on manufacturers.

There are two possible reasons for cyber criminals to shift their focus to manufacturers. Supply chain disruptions that magnified in the second half of 2021 put enormous pressure on manufacturers to increase production. Criminals are usually looking for a fast, hassle-free payout. Faced with the prospect of days, if not weeks, of downtime to restore systems, manufacturers found themselves in a place where payments were the quickest way to get operations back up to speed. Don’t give in to that temptation, as hackers can and will erase your data after you make that payment, costing both the time to restore operations and the ransom money.

Manufacturing is also a softer target than financial services. Nearly all banks and service providers have robust cyber security and regular anti-phishing training to thwart attacks. Manufacturers may not recognize the risks to their systems as readily and may not have all systems secured. Legacy software and legacy operating systems are a particular vulnerability for this sector. Remember that anything connected to the Internet is a possible path for a cyber attack.

 

The Signs to Look for When Looking at a Possible Phishing Attack

One of the common ways that hackers can trick their victims is through a phishing attack. They can do this by writing and sending an email that looks like it comes from a real source. This email might ask you for things like your username or password for a certain account, or it might have an attachment or link, which downloads malicious software to your network or computer. Some of these attacks even look like they are coming from a client, an employee, or your boss.

phishingHere are some signs that you might be the potential victim of a phishing attack.

You are Asked for Personal Info

 One of the signs that an email is a phishing email is if you are asked for personal info. Most of these emails look extremely real, and they seem like they are being sent from a trusted source, like your bank, a local hospital, or a site like PayPal. But they are scams. Think of it this way; your bank won’t ask for your bank account information. It already knows your account info, so if something seems weird, it’s probably a scam.

You are Asked for Money

 If you get an email asking for money, even if it looks legit, it is probably a scam. For instance, if a client emails you and asks for a wire transfer, call them up and ask if it’s real. What makes this such a good scam is that in most cases, the scammer has logged into the person’s account because they steal the credentials. So, you may actually be getting an email from the account of your company’s CEO…but it’s not the CEO who is writing the email.

You Sense Urgency

 If you get an email that has a sense of urgency, like an urgent transfer, it is probably a scam. As soon as you see that something is “urgent,” bells and whistles should go off in your head. Hackers like to cause panic because they know people are more likely to rush to do as asked. Let’s look at this example: you might get an email from your back saying that your bank account has been compromised, and it’s urgent that you go to a certain site, enter your account details, and confirm your account number. Well, guess what? If you do this, the scammer now has access to your bank account information.

The Website or Email Address Look Weird

 You might also get an email that has a weird looking address or website. In general, hackers try to put the name of a company you might recognize in the email address. But that doesn’t mean it’s real. For example, you might bank with Chase Bank. You get an email from @chasebank1.com but guess what? That’s not really Chase. All Chase emails will simply be from @chase.com.

Think About Your Relationship with the Company

 You also should think about the relationship you have with the company you are getting an email from. For example, any email you get from your bank or your health insurance company should come from the company’s system, not from a weird looking email address. Also, if you don’t even have an account with a company you are getting emails from, it’s certainly a scam.

You Get an Email from Yourself

Look at the email closely. Is it coming from…you? Technically, of course, it isn’t, but scammers do this trick a lot.

There are Many Emails in the “To:” Area of the Email

You also want to look at who the email is going to. If there are a lot of email addresses in the “To:” section, it is likely a scam.

Keep an Eye Out for Links

One of the ways that people fall for scams is because they click on the links that are found in emails. Some of these links will download malicious software to your computer and others might take you to a page where someone will try to trick you into giving personal information. Before clicking on a link, hover over it and take a look. If the address is weird, don’t click it.

Spelling or Grammar Errors

Most of these emails that are trying to scam you come from overseas, so it’s very common to see spelling or grammar errors in the email. If you see this, it’s very likely a scam.

Look for Attachments

Finally, if the email has an odd-looking attachment like a Zip file, a PDF, or Word doc, don’t ever open it. It is very likely that there is malware, or a virus, attached. If you believe the attachment could be real, scan it with your antivirus software to be safe.

Written by Robert Siciliano, CEO of Credit Parent, Head of Training & Security Awareness Expert at Protect Now, #1 Best Selling Amazon author, Media Personality & Architect of CSI Protection Certification.

Phishing is Getting Fishier

If you are like most people, you have undoubtedly received an email that has asked you to click on a link. Did you click it?

If you did, no worries, you are just like 99% of internet users – everyone has clicked a link before, it is pretty normal. But, in some situations, you may have found that the link took you to a new or maybe spoofed website where you might be asked to do “something”, i.e. enter some information or even login to an account. Once you entered your username and password, they have it…

If you have ever done so, you were likely a victim of what is known as a phishing attack, and these attacks are getting fishier all of the time.

A What? Phish? Fish?

It’s called a phishing attack, and yes, it’s a play on words. When you fish, you throw a hook and worm into the water and hope you catch something. Hackers do the same when they phish.

Except, their hook and worm, in this case, is an carefully crafted email – designed to look like something you should get – which hackers hope you are going open…its then, that they can reel you in.

There are a few different types of phishing:

  • Spoofed websites – Hackers phish by using social engineering. Basically, they will send a scam email that leads to a website that looks very familiar. However, it’s actually a spoof, or imitation, that is designed to collect credit card data, usernames and passwords.
  • Phishing “in the middle” – With this type of phishing, a cybercriminal will create a place on the internet that will essentially collect, or capture, the information you are sending to a legitimate website.
  • Phishing by Pharming – With phishing by pharming, the bad guys set up a spoof website, and redirect traffic from other legitimate sites to the spoof site.
  • Phishing leading to a virus – This is probably the worst phish as it can give a criminal full control over your device. The socially engineered phish is designed to get you to click a link to infect your device.

Can You Protect Yourself from Phishing?

Yes, the standard rule is “don’t click links in the body of emails”. That being said, there are emails you can click the link and others you shouldn’t. For example, if I’ve just just signed up for a new website and a confirmation email is then sent to me, I’ll click that link. Or if I’m in ongoing dialog with a trusted colleague who needs me to click a link, I will. Otherwise, I don’t click links in email promotions, ads or even e-statements. I’ll go directly to the website via my password manager or a Google search.

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video

Are Your Employees Putting Your Company at Risk? Here’s How to Find Out!

Even if you have the best security on your computer network, you might have noticed that you still seem to get hacked…or worse. Ask Equifax. Why is this happening? It’s probably because a member of your staff has made it easy for cyber criminals to get inside. It’s really important that you find out who this person is, and keep in mind…it might be more than just one. And it may not even involve security technology.

Part of the problem here, is that employees who “open the door” for these criminals probably don’t even realize they are doing it. These criminals are smart, and they make themselves look really authentic. Sometimes, these crooks even disguise themselves as people your staff know. So, how do you find out who’s letting the bad guys in? Here are some things to try:

Phishing simulation:

  • Set up a fake website, and then create a fake email campaign. Send these out to your staff members from a fake address, or better, a real looking address similar to your corporate domain, and see how many people take the bait. You might have to work with someone on your IT staff to spoof the sender’s email address. Make sure it looks legitimate or they will see right through it.
  • Though this might take some time and effort to do, it is a good way to find out where your worries might lie in regards to the cyber security knowledge of your staff.
  • You can also hire a security expert to do this for you. They will create, run, and track your campaign. However, these experts are not cheap, and the campaign isn’t just a one-time thing. Instead, it’s ongoing.
  • There are also many phishing simulation security awareness vendors offering free trials just to see how vulnerable you may be.
  • It only takes a single click to cause a data breach. So, your main goal with this experiment is to find out who that clicker is. Or, who ALL those clickers are.
  • You should send out several fake emails, which ask your staff to click a link. Make sure, however, that they are very random. They shouldn’t be on any type of schedule.
  • Remember, you want to make it look like these are coming from a trusted source. Like a charity, existing vendor, coworker, company officer etc.
  • When you find out who is prone to clicking, you should take them aside and fill them in on the campaign. Don’t lecture them or discipline them. Instead, show them what they did wrong and fill them in on the consequences.
  • Some phishing simulation security awareness vendors offer ongoing computer based training specializing in bringing these clickers up to speed and changing their behavior.
  • Now that you know who the clickers are, send them other staged emails a couple of times a month. See if they click again.
  • You may choose to make sure they know that the random fake emails are coming. This helps to keep them alert to this issue. Or, not and see how that affects their behavior.
  • By using this approach, you can help your staff slow down a bit, and really think about what they are doing when they get an email with a link.
  • You can also create a company policy: Do NOT click on any links in emails on company computers. This helps to stop the need for that employee analysis and will make your staff question each email that comes through.
  • Even with this policy in place, continue to send fake emails to see if someone is disregarding the new rules.

Criminals use fundamental principles of influence and the basics in the psychology of persuasion. There is a science to their process no different than how advertisers, sales and marketers get us to buy stuff. Getting snared isn’t difficult. Being smart and cautious isn’t difficult either. It just requires a little training and reprogramming.

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video.

Is Your Small Business Staff Trained in Security Awareness?

The Ponemon Institute released a shocking statistic: about 80% of all corporate data leaks is due to human error. In other words, it only takes a single staff member to cause a huge issue. Here’s a scenario: Let’s say that you have an employee, Betty. Betty is lovely. We love Betty. But when Betty is checking her personal email during her lunch break and sees she has an offer that promises a 10-pound weight loss in only a week, she clicks the link. She wants to learn more about it, so she clicks the link in the email. What she doesn’t realize is that by clicking that link, she just installed a virus onto the computer. In addition, the virus now has access to your company’s network.

This was a very simple act, one that most of us do every day. However, this is why it is so important that your staff is up to date on security awareness. How can you do this? Here are some tips:

  • Present your staff with information about being aware of security, and then come up with a set up where you send them a link they want to click on. This is a process known as “phishing simulation.” If your staff members click on the links, and they probably will, it will take them to a safe page. However, on the page is a message telling them that they fell for a scam, and though they are safe this time, there could be great repercussions.
  • The staff members who click the link should be tested again. This way, you will know if the message got through.
  • Make sure when you give these tests that it isn’t predictable. Send the emails at different times of day and make sure they look different and have a different message. For instance, don’t send the “lose 10 pounds” email twice.
  • Think about hiring someone, a stranger, who will try to get your staff to give them sensitive information about your company over the phone, through email, or even in person. This is a valuable test, as it helps you to determine who the “weak links” are in your company.
  • Give your staff quizzes throughout the year to see who is paying attention to security.
  • You should focus on education, not discipline, when you are doing this. Don’t make them feel bad or punish them. Instead, make sure they know what they did wrong and work on not doing it again.
  • Ensure that your team knows that a data breach can also result in financial, legal, and criminal problems.
  • Schedule checks of workstations to see if any employee is doing something that might compromise your company’s sensitive data. This includes leaving information on a screen and walking away.
  • Explain the importance of security to your staff, and encourage them to report any activity that seems suspicious.
  • After training and testing your staff, make a list of all concepts that you want them to understand. Look at this list often, and then evaluate it time and time again to see if anything needs changed.
  • Don’t forget company officers. When company officers are omitted from this kind of training it poorly reflects on the organization. Some security personnel are afraid to put their Executives on the spot. That is a huge mistake. Security starts from the top.

Remember, there is nothing wrong with sharing tips with your staff. Post them around the office and keep reminding them to stay vigilant. This helps the information to remain fresh in their minds, and helps you to recognize those who are taking security, seriously.

Robert Siciliano personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

10 Surefire Staff Security Awareness Techniques

Think about how great this would be: Imagine that all of your company data is safe from hackers. Your hardware is totally safe and secure. You have IT specialists at your disposal at all times and have a constant flow of cash to pay them.

Unfortunately, this is a fantasy for most of us. No matter how secure we think our network is or how much we pay our IT people, there is always a chance for a data breach. Does this mean we should stop the fight, though? No way.

Instead of throwing in the towel, it’s very important that you start focusing on security awareness, and this starts with teaching your staff how to handle sensitive company data and keep it safe from the bad guys. Here are some strategies that might work to get the message across:

  • Make sure that every employee on your staff understands how important security is, especially at their own workstation. Each employee you bring on in the future should also be instructed in this before being allowed to access the company’s network.
  • Safety, security and privacy policies must be in place and must address all the necessary concerns required to keep all data in check. Review these policies with new and current employees.
  • Set up some fake “phishing” emails to see if any of your staff take the bait. This fake set up will get the point across to your staff without putting your network at risk.
  • Set up a policy that terminates any employee that is involved in a data breach. This is a great incentive to keep company information safe.
  • Install software onto your network that can detect when your staff is doing something that they shouldn’t be doing. This software isn’t meant to discipline staff. Instead, it’s meant to alert them when they are doing something dangerous that could put sensitive information at risk
  • Make sure your staff understands all of the cyber-attack warning signs. This way, they can easily spot anything suspicious.

Maximize Security Awareness in the Workplace

Here are eight ways to further maximize security awareness in the workplace:

  1. Create a Baseline – Before you can get any type of awareness training going, it’s important to know where you stand. So, do something like a fake phishing email and see how many employees fall for it. This way, you know how much work you have ahead of you.
  2. Remain Realistic with Social – Thinking that you can totally ban any activity that puts your network at risk, such as social media, isn’t very realistic. Instead, teach your employees to be careful when using these websites. Show them example after example of how social posting has gone south ending up in firings.
  3. Use the Right Tools – Stock your arsenal with the right tools. There are programs out there that can help with security awareness in the workplace. “Phishing simulation training” is a quick search.
  4. Use your Creativity – Even if you don’t have a lot of cash to use, you can still make this a fun learning process for your staff. For instance, if its Christmas time, hand out candy canes to your staff, but around each candy, put a small paper with the company’s security policy printed on it.
  5. Get the Help of High-Ranking Execs – If you can get the execs to help you out, employees are likely to listen. How can you do this? Mention the term “return on investment” and relate it to your company’s security. You can be sure that this will get them moving. And remind them that company officer are being fired left and right when there is a data breach.
  6. Bring in Other Departments – It also is a good idea to bring in other departments to help with security awareness. Even people that might not be connected to your network, such as cafeteria or housekeeping staff, can be helpful. You should also make sure to involve your HR department, because they can usually encourage staff to follow policies. Accounting needs to have a say too.
  7. Evaluate Your Plan Often – Every 90 days, take a look at how your program is doing. This is quite effective. To avoid any type of information overload, you should take it slow, too. Perhaps only introduce security topics every three months or so, and then evaluate employee performance 90 days after.
  8. Provide Security “Appreciation” training – This goes beyond security awareness training into the realm of getting into cultural and societal misconceptions, myths and inaccuracies that perpetuate a lack of accountability. Example: “It can’t happen to Me” is total BS and is a form a denial preventing people from being proactive.
  9. Personalize the Experience – Some employees won’t get serious about things until they are affected. So, make sure that your staff understands that security awareness is about them, too, not only the executives of the company. Make sure they also know that they can use the same practices at home to keep their personal information safe.

Teach Them Actual Self Defense – Might sound crazy, but understanding how to save their own lives or the life of a loved one in the event of a physical attack provides an enormous amount of perspective. This is one simple way to open one’s mind on the value of security.

Robert Siciliano personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

The Best Gmail Phishing Scam Ever!

If you use Gmail, pay attention! Security experts have announced that there is a very effective phishing scam out there, and you are a target. This scam, which has only been growing over the past couple of months, is also hitting other email providers, too. However, it’s quite difficult to detect.

According to researchers at WordFence, who make a security tool for WordPress, this is a pretty serious attack and can have quite an impact, even for those who are up on security.

Here’s how it works:

You get an email from someone you trust…like a friend or family member or Google. The email, however, is actually not from them. It just looks like it is. Attached to the email is an attachment, which, when opened, links to a fake Google sign-in page. Everything about this Google sign-in page looks legit…but the address in the address bar is not…and here’s where it gets tricky. The address bar actually has a URL that looks real: https://accounts.google.com. However, before that address is whats called a “data URI”. Google it. This is NOT a URL. Instead, it allows the hackers to get your username and password as soon as you enter them into the fake login screen. To make things even worse, once they sign into your actual inbox, they use your information, including attachments and emails, to target your contacts.

Protecting Yourself From This Scam

If you are a Google Chrome user, you can protect yourself by taking a look at the address bar before clicking anything. A green lock symbol is your indicator that it is safe to browse. However, there are some scammers out there who have created their own site that are HTTPS-protected…which also means they will have a green lock. So, also take a look at the address.

Another thing that you can do is add in two-step authentication, which is an extra layer of security. Ultimately, it will help to lower the odds that your account will be compromised. You also might want to consider a security token, as well. If you don’t use two-step authentication with every account that offers it (Facebook, Twitter, iCloud etc), you’re a bit foolish my friend.

Google is aware of the issue, and they are working on improving security for their users. In the meantime, remain vigilant as you browse.

Robert Siciliano personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Look out for Shipping E-mail Phishing Scams

Stop clicking on e-mails about your package delivery! Scam, scam, scam! Look, it’s simple:13D

  • Scammers are also pretending to be from the DHL and FedEx shipping companies, not just UPS.
  • Crooks know that at any given time, thousands and thousands of U.S. people are waiting for a package delivery.
  • So these cyber thieves send out mass e-mails by the millions, knowing that they will reach a lot of people who are expecting a package.
  • The subject line of these e-mails says something about “your delivery” or “your shipment” that lures the recipient into opening the e-mail. Usually, the message is that the delivery has failed, and the recipient is tricked into clicking on an attachment or a link.
  • And that’s when malware gets downloaded to their computer.

This technique is called social engineering: tricking people into doing things they shouldn’t. People are too quick to click. I wonder how many of these clicker-happy people ever even gave their e-mail address to UPS. The last time I sent something via UPS, I don’t even recall being asked for my e-mail address.

But people so freely give out their e-mail address, that when they receive one of these phishing e-mails by crooks, they think it’s legitimate. They believe that the attachment is a new shipping label to print out. They even believe the threat that if they don’t use this new label right away, they’ll be charged a fee. It’s all about hurry, hurry, hurry! People don’t stop and T-H-I-N-K first.

What can be done about this? First off, don’t freely give out your e-mail. That way, if you get an e-mail from a company that you just, by chance, happen to be doing business with, you’ll know it’s a fraud—because you never gave your e-mail to that company in the first place.

Next, share this information with your family and friends. They’ll probably all deny that they’re capable of falling for this scam, but I’m sure that when the unwise ones are alone, they’ll give it some hard thought.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Protect Yourself from Phishing

Everyone has received very obvious “phishing” e-mails: Messages in your in-box that have outrageous subject lines like “Your Account Will Be Suspended,” or, “You Won!”

13DWhile some phishing attacks are obvious, others look harmless, such as those in a person’s workplace in-box, seemingly from their company’s higher-ups.

Researchers point out that an e-mail may appear to come from the company’s HR department, for example. E-mails with an “urgent email password change request” had a 28% click rate, Wombat security reported.

Phishing victims act too quickly.

In the workplace, instead of phoning or texting the HR department about this password reset, or walking over to the HR department (a little exercise never hurts), they quickly click.

So one way, then, to protect yourself from phishing attacks is to stop acting so fast! Take a few breaths. Think. Walk your duff over to the alleged sender of the e-mail for verification it’s legit.

Wombat’s survey reveals that 42% of respondents reported malware infections, thanks to hasty clicking. However, employees were more careful when the e-mail concerned gift card offers and social media.

The report also reveals:

  • 67% were spear phished last year (spear phishing is a targeted phishing attack).
  • E-mails with an employee’s first name had a 19% higher click rate.
  • The industry most duped was telecommunications, with a 24% click rate.
  • Other frequently duped industries were law, consulting and accounting (23%).
  • Government was at 17%.

So as you see, employees continue to be easy game for crooks goin’ phishin.’

And attacks are increased when employees use outdated plug-ins: Adobe PDF, Adobe Flash, Microsoft Silverlight and Java.

The survey also reveals how people guard themselves from phishing attacks:

  • 99% use e-mail spam filters.
  • 56% use outbound proxy protection.
  • 50% rely on advanced malware analysis.
  • 24% use URL wrapping.

These above approaches will not prevent all phishing e-mails from getting into your in-box. Companies must still rigorously train employees in how to spot phishing attacks, and this training should include staged attacks.

Protect Yourself

  • Assume that phishing e-mails will sometimes use your company’s template to make it look like it came from corporate.
  • Assume that the hacker somehow figured out your first, even last name, and that being addressed by your full name doesn’t rule out a phishing attack.
  • Get rid of the outdated plug-ins.

Phishing attacks are also prevalent outside the workplace, and users must be just as vigilant when on their personal devices.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

How to recycle Old Devices

When it comes to tossing into the rubbish your old computer device, out of sight means out of mind, right? Well yeah, maybe to the user. But let’s tack something onto that well-known mantra: Out of site, out of mind, into criminal’s hands.

7WYour discarded smartphone, laptop or what-have-you contains a goldmine for thieves—because the device’s memory card and hard drive contain valuable information about you.

Maybe your Social Security number is in there somewhere, along with credit card information, checking account numbers, passwords…the whole kit and caboodle. And thieves know how to extract this sensitive data.

Even if you sell your device, don’t assume that the information stored on it will get wiped. The buyer may use it for fraudulent purposes, or, he may resell to a fraudster.

Only 25 states have e-waste recycling laws. And only some e-waste recyclers protect customer data. And this gets cut down further when you consider that the device goes to a recycling plant at all vs. a trash can. Thieves pan for gold in dumpsters, seeking out that discarded device.

Few people, including those who are very aware of phishing scams and other online tricks by hackers, actually realize the gravity of discarding or reselling devices without wiping them of their data. The delete key and in some cases the “factory reset” setting is worthless.

To verify this widespread lack of insight, I collected 30 used devices like smartphones, laptops and desktops, getting them off of Craigslist and eBay. They came with assurance they were cleared of the previous user’s data.

I then gave them to a friend who’s skilled in data forensics, and he uncovered a boatload of personal data from the previous users of 17 of these devices. It was enough data to create identity theft. I’m talking Social Security numbers, passwords, usernames, home addresses, the works. People don’t know what “clear data” really means.

The delete button makes a file disappear and go into the recycle bin, where you can delete it again. Out of sight, out of mind…but not out of existence.

What to Do

  • If you want to resell, then wipe the data off the hard drive—and make sure you know how to do this right. There are a few ways of accomplishing this:

Search the name of your device and terms such as “factory reset”, “completely wipe data”, reinstall operating system” etc and look for various device specific tutorials and in some cases 3rd party software to accomplish this.

  • If you want to junk it, then you must physically destroy it. Remove the drive, thate are numerous online tutorials here too. Get some safety glasses, put a hammer to it or find an industrial shredder.
  • Or send it to a reputable recycling service for purging.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention