“I think my personal information has been compromised…”
The starting point
- Ask yourself how you think your personal information was first put at risk
- Was it from something you did or something in your control? For example, a virus on your computer, a response to a telephone scam.
- Was it something someone else did? For example, an organisation responsible for your personal information, break-and-enter event.
- Knowing a bit about how it happened can influence the response recommended. For example, if it was online, we would recommend a series of online-focused strategies. Please see IDCARE First Aid
Developing an Inventory
- Ask yourself what type of personal information has been put at risk. If it’s a physical theft or loss, working that out will be pretty easy. If it’s an online compromise, it can get a bit tricky. We recommend developing an inventory of “at risk” personal information and credentials.
- Once you have built your list, the journey commences to find out what each organisation requires you to do. What can be done is completely up to the individual organisation. iDcare knows this – we test individual organisation response measures.
- If you know that your personal information has been stolen and then misused to fraudulently obtain a product or service, you need to act quickly. This means that your personal information may be used to commit crimes. We recommend you engage quickly with the organisation responsible for the specific credential (for example, your bank if your credit card is being used or your State or Territory driver licence issuing authority if your driver licence is being used). This organisation may be different to the organisation that has accepted your stolen personal information.
Engaging with Organisations
- When you engage with the relevant organisation you can expect to have them go through their own due diligence – they can’t accept things on face value as unfortunately others will falsely represent they have been a victim of identity theft and misuse when they haven’t.
- It pays for you to ask these organisations how the person that has fraudulently used your personal information accessed, or applied for access, to the product or service. In other words – when accessing a product or service, what forms of personal information is required? Having this information will give you a sense of what personal information they have about you, and therefore, what other steps you need to take.
Reporting to Police
- If you are satisfied that an identity theft and misuse event has occurred, we recommend that you report it to police. Unless the identity theft and misuse event involves a Commonwealth Government service or credential, events are typically best reported to your local State/Territory police. New Zealanders just need to concern themselves with New Zealand police (when in New Zealand).
- It’s important in this process that you obtain a police incident or police report number. This is useful to have when engaging with other organisations because it legitimises you as a victim of identity theft .
The risk came from the online environment
- If your compromise involves products or services that you access from online, change your passwords immediately.
- Finally, consult our IDCARE First Aid and consider the medium to longer term response options.
A phishing email has been set up in my business name
- If you or your customers are noticing emails being sent that are purporting to be from your business, you may have a phishing scam running in your name.
- Phishing scams are used by criminals as a means to obtain personal information either through the response to such emails by people or through the execution of malware or other viruses.
Here’s what we recommend:
Step 1 – the domain name owner, in this case the real organisation, must identify the registrar of the fraudulent/fake/phishing domain. To do this, you can use an online tool that acts as an address finder. Common tools include:
The results will require you to click on “whois lookup”. You are then looking for the “Sponsoring Registrar”.
Step 2 – You then need to contact the Sponsoring Registrar with the following details:
(i) Who the real organisation is and your real domain (i.e. you)
(ii) Precise details on the phishing/fraudulent/fake URL (make sure the whole extension is provided) – take a screen shot of the site and of the domain lookup details. Be careful not to launch / click on any of the links. If you do, apply our IDCARE First Aid.
(iii) A description of the nature of the fraud – e.g. This is an unauthorised phishing email etc
(iv) The action requested to be taken – for example, domain takedown / removal
This may take 48 hours. Ensure that you request an acknowledgement to be emailed once this is done.
Step 3 – email your clients and raise awareness about the fraudulent site. Consider posting something on your Internet site, and acknowledge that you have taken steps to address the issue. Provide them with iDcare’s contact details.
- If you have any residual concerns, please contact us and we’ll work with you every step of the way.