Summer is in full swing! Many people are taking advantage of nice weather and open roads to enjoy time with friends and family that they perhaps have not seen in a long time. Vacation travel, time off from work and school, and the reopening of attractions and events make the season an exciting time after last year’s pandemic-induced hiatus. This excitement extends beyond good vibes and wide smiles as cybercriminals stay active in their pursuit of preying on and exploiting any workable angle for their crimes.
Here’s a look at some scams for you to keep in mind as you enjoy the summer. While these threats may be alarming, highlighting them here is intended to keep you aware of the risks they present while not trying to discourage you from making the most of the summer season. As with many common cyber threats, an awareness of the risks is critical to reducing exposure and to having a restoration plan in place for when you do become a victim.
Ride-Share and Delivery Company Scam
A widespread scam that has been in heavy operation for the last year or more involves some of the largest companies in the ride-share and delivery services sectors. The basis of the scam consists of the theft of customer identities of people who had used the services of Uber (and Uber Eats), Lyft, Grubhub, DoorDash, Amazon, and Instacart. Armed with pilfered PII, the threat actors created, sold, or rented fake driver and delivery accounts to then be used for the same companies they were stolen from.
Once created, the fake accounts were sold to and used by individuals who were not technically able to work for the services. Convicted criminals, individuals without a driver’s license, and undocumented immigrants purchased these accounts so that they could work for a ride-share or delivery services company without being flagged. Another incentive was the referral system that many of these companies have, which delivers cash bonuses for getting other drivers to sign up.
This scam came to light recently thanks to a Justice Department report charging 19 Brazilian nationals involved with a scheme that used over 2,000 stolen identities. The report indicates that the threat actors began the scam in January 2019 or at some point before then and continued relatively undetected until April 2021. During that timeframe, many thousands of people rode in the vehicles of the criminals or received deliveries from them. While the scam’s intent seems to be directed more at the companies providing the services than at the customers themselves, the thought of having a fake driver is unsettling at best.
Another aspect of this scam that is worth noting is its relative simplicity. This wasn’t a massive cyberattack on big businesses using skilled hackers and cutting-edge tactics. Instead, the criminals used older methods of identity theft to commit fraud. Many fake accounts were created using phony ID cards with images stolen from customers who provided identification upon delivery.
With some basic-level editing skills, the thieves were able to create documents that easily slipped past the ride-share and delivery companies’ verification processes. Once the documents and fake accounts were created, the conspirators exploited these services as much as possible. In addition to simply earning money as a driver, they used bots and GPS spoofing to earn extra income and avoid detection. The criminals appear to have worked together for several years to put the scheme into action.
Uber appears to have been the first company to discover the fraud, and it informed the Justice Department. A spokesperson for the company indicated that Uber has a special investigation team that helps track and flag this type of fraud. Still, the simple scheme went undetected for some time. Lyft also made a statement that it was in talks with the Justice Department to prevent this type of fraud in the future. Most of the other companies involved have yet to make any official statement on the matter.
Ten of the defendants have already been arrested and charged for this scam, while another nine remain at large. If you think you might be a victim of this fraud, the DOJ offers some direction for potential victims.
Autofill Auto Insurance Fraud
Another simple but effective scam to be on the lookout for involves auto insurance companies and stolen PII. A glaring security issue has been exposed with automatic-fill functions on the websites of several major car insurance providers. The intent of the autofill convenience feature on a website was to make it easier to submit information to obtain a policy. Unfortunately, it also made for an easy opportunity to commit fraud.
The scam plays out like this: threat actors gain access to basic PII, such as your name and address. They visit an auto insurance company’s website with the autofill features and plug this information in. Next, the fraudsters are essentially gifted more valuable data, such as Social Security and driver’s license numbers, due to the security loophole in the websites. From there, the PII can be used to commit many types of fraud, with unemployment fraud being a common focus for this particular scam.
New York state first alerted the public to this scam earlier in 2021. In a letter directed at the auto insurance industry, the NY Cybersecurity Division and Department of Financial Services emphasized the need for these companies to fix the security issues that sit at the heart of the fraud. It’s difficult to assess how widespread of a problem this is for consumers. Progressive claims that less than 1% of their customers in New York are at risk, while GEICO sent out a data breach notice to around 140,000 California customers.
This autofill auto insurance scam seems to be more complex than the ride-share and delivery services fraud mentioned above. International criminal rings employ more high-level tactics to access valuable PII based on the information gained from autofill features. An ongoing concern is that these same tactics can be used to glean data from other consumer services, including credit bureaus and mortgage lenders.
While the scams described here should remain on your radar for the summer, you should also have an identity restoration plan in place to limit potential risks for the future. Staying informed and well prepared is an essential practice to combat the many evolving threats affecting consumers.
LibertyID provides expert, full service, fully managed identity theft restoration to individuals, couples, extended families* and businesses. LibertyID has a 100% success rate in resolving all forms of identity fraud on behalf of our subscribers.
*LibertyID defines an extended family as: you, your spouse/partner, your parents and parents-in-law, and your children under the age of 25.