Q&A with Blake Hall: The Latest Social Engineering Scams & How ID.me is Defending Against Them
If 2021 has put one thing into perspective in the digital identity market, it is the importance of protecting consumer identity. With data breaches plaguing networks all over the world and identity fraud at an all time high, it is more important than ever to empower all people to protect and control their own identity.
ID.me’s CEO and founder, Blake Hall, walks us through the scams ID.me is seeing today on the front lines of fraud, how to stop these scammers, and protect digital identity.
In your experience, what are you seeing in terms of social engineering?
Social engineering is best understood through the attacker’s point of view as a mathematical probability. In the same way that a marketer thinks about a funnel, criminals identify potential victims as prospects, convert some percentage of those prospects to leads, and then successfully some percentage of those individuals into actual victims of identity theft. They generally harvest people to target from job boards and social media sites. Once they initiate a conversation, they try to build rapport over social media to get the victim to trust them. They’ll often pose as an employer offering a great job, a lottery winner who is distributing free money to ten deserving people, or even as a romantic interest to lure in lonely people. Once the victim trusts them, the identity thief convinces them to send over their personal information, including SSN, as well as images of their photo government ID and other sensitive documents like social security cards. Without any anti-social engineering controls, attackers succeed roughly one out of every five times. The anti-social engineering controls ID.me employs to let people know they are being scammed lowers the efficacy of social engineering attacks by more than five times i.e. from one in five to one in 25. At those levels, criminals have more lucrative targets where their conversion rates are higher, so they go away and become someone else’s problem. Criminal enterprises essentially allocate resources like marketers to the highest performing channels.
Social engineering is a national problem. The FTC reported a 2,920% increase in identity theft tied to government benefits year over year with imposter scams the second most common type of attack. The IRS has a website dedicated to educating the public on multiple forms of social engineering targeted at tax programs each year. Leading banks are also targeted every day and publish materials to help their customers understand how to avoid getting tricked.
How has ID.me stopped these scammers?
Certain people were being directed and guided by these con artists to verify against government agencies and specifically state workforce agencies. Once we engage with a victim, we reverse engineer the attack to understand how the victim was contacted — invariably on social media sites or on a job board — and the specific type of scam the attacker used to trick the victim. We developed counter scripts early on to help these people who were coming in under false pretenses to our self-serve flow and video chat. We make it explicitly clear how their identity is actually being used. For example, we will ask users to confirm they are applying for unemployment assistance for Florida DEO, and not to get a job, prize money or anything else.
How would someone who has been scammed be alerted by ID.me?
We communicate to let people know that their identity was just used at a government agency and confirm that it was an authorized use. For example, your ID.me account and identity was just used to login at a federal agency or at a state workforce agency. If the owner of the identity did not authorize this use or perform that action, they can report the fraud.
Think of it in the same way that a bank will notify you of suspicious activity with your credit card. You get an alert of a possible fraudulent activity on your account, and you can respond, “yes, I recognize the transaction “or “no, that is not my action.” That’s exactly what we’re doing. Every time your credentials are used, we text not the login phone number, but the phone number tied to the identity that we verified. We’ll say, “your identity was used at the IRS, it was just used at Social Security. It was just used at Veterans Affairs.” For each one of those transactions, if you respond “no,” we immediately revoke the credential. We also notify the government agency or partner organization involved so they can suspend any actions taken on the account.
This automated feedback loop enables more people to understand if they’ve been tricked earlier, and it can head off the attack before funds are disbursed. This feedback loop also helps us engage faster to understand how criminals are attacking organizations so we can tailor our controls to stop them.
How are these scammers tricking people into giving away their private information?
One way we’ve seen is that they will create job ads on social media and run it like a marketing campaign. They’ll pretend to be an employer and they’ll create job ads and circulate them through job sites and other social media platforms. Or, they’ll contact job seekers who have uploaded their resumes to job boards. That’s how they harvest victims at scale. If someone clicks a job ad from a social media platform, or if they’re contacted after uploading their resume, then the interaction feels legitimate. Another form of attack involves criminals offering prizes through text messages with links that are sent to a mobile device or email. If the prize is big enough, they can convince enough vulnerable people out there to part with their information.
When this happens, the actual owner of the identity is unwittingly aiding in the attack.
It’s no different than someone convincing you to give you their password and a six-digit code from their phone. Once you do, they’re going to be able to log into your account. There’s not anything that you can do to stop that once it has occurred. Technically once you have the actual owner of the identity fooled and aiding and abetting the criminal’s actions, it’s equivalent to giving the keys to your house to someone you don’t know. If the bad guy is able to walk through the front door, it’s not because the locks didn’t work, it’s because the owner gave them the keys.
Are you seeing these attackers use the same identity at different government agencies?
Yes. Criminals will try to reuse a stolen identity as many places as they can. For example, once a criminal harvests a victim’s photo government ID and personal information — often via social media messaging platforms — they can then go and apply for unemployment, apply for a bank loan, apply for aid from federal programs, access that person’s medical information, and so on.
ID.me defeats these attacks in two ways. First, we notify individuals every time their identity is used on our network so they can report unauthorized use. Second, we are an identity network, like Visa, so if we see an identity trying to apply at three or four different agencies on the same day, then we know that we’re either looking at first party eligibility fraud or a third party attack.
What is ID.me doing to stop people from falling for these scams?
To use a soccer analogy, ID.me is like an elite goalkeeper stopping shots. We’re really good at our position, but we need help from the forwards to press to win the ball back, we need midfielders to deny space, and we need defenders to close down bad guys before they shoot.
These attacks are starting on job boards and social media platforms. There must be better identity verification on those platforms so individuals aren’t able to impersonate employers and key executives at companies through fake accounts. There should also be strong identity verification before users are able to view uploaded resumes. Like a normal organization, the advertising for victims is happening on social media, so stopping fraud there is key.
We need help from the media and industry partners to educate consumers. People should never give away images of government IDs and sensitive personal information over social media or messaging sites. Consumers should always ensure they are interacting with the company they think they are talking to on the company’s official website. Run a Google search for that company and make sure you’re not interacting with a fake domain.
Finally, data breaches tied to critical infrastructure like DMVs really enable attackers. Once criminals have sensitive data about the victim, they are able to perpetrate their scams more effectively. For example, they might pose as an official from a government agency, and, since they already know a lot about their target, the victim might be more willing to trust them.
When a victim reaches ID.me, they’ve already been fully manipulated by the attacker, they’ve given that criminal all their sensitive data, and they’re invested in getting whatever the attacker promised them. ID.me then engages at the very bottom of the funnel and surfaces key context and data points to pierce the scam. By understanding the most common types of scams, we are able to tell victims our service is explicitly not meant to do whatever the attacker promised them.
This enables victims to understand they’ve been tricked and to report the fraud. While the majority of attacks are stopped during verification through these controls, we have found that for some victims it takes two or three targeted notifications before they finally report being fooled.
We’ve heard a lot about data brokers. What is their role in perpetuating these scams?
Data brokers are unable to detect this type of attack because they don’t have feedback loops to surface context for victims and because they have far fewer signals relative to ID.me. ID.me can leverage data points and signals from the login, from the identity verification steps, and from the notification messages we send to individuals to detect, stop, and investigate social engineering attacks. Data brokers only see the identity verification step, and they’re typically using insecure authentication methods like Knowledge Based Authentication. Because the actual owner of the identity is performing these steps — albeit under the direction of the attacker — data brokers will pass the user forward on this step. Since they aren’t able to control the copy on the screens or to notify the user of activity involving their identity in a networked fashion, they are completely blind to these attacks. In other words, ID.me is surfacing social engineering attacks at scale and in real-time in a way that hasn’t been done before in the public sector.
As digital identity verification goes mainstream, how can we better protect people?
Better identity verification on job boards and on social media platforms is a must. We also need to educate people. People need to be educated to always contact companies at their official business number or to sign-up or login through their product directly if they need to share personal data. With that said, at the end of the day, there will always be a segment of vulnerable people in this country that can be manipulated. Back to the soccer team analogy, we need a team effort to stop these criminal rings from harming people.
Do you have any lessons from your military background that could apply to thwarting these attackers?
In Iraq, General McCrystal taught us that “It takes a network to defeat a network.” These bad guys are a network and they’re sharing information, they’re moving and juking in real time. They pick off these government agencies, one by one. We’re also a network and we’re creating a horizontal layer across the government agencies. But there’s a whole host of good guys upstream from us where we need to work together as a team to be able to defeat this in the same way that the bad guys are attacking us. Or we’ll just continue to get picked off one by one.
Why is it important for people to claim their identity?
As more people are registered onto ID.me’s network and have claimed their ID, social engineering gets harder and harder. We don’t allow two accounts to tie to the same unique identity, so registering an ID locks out bad guys. Our goal is for people to have portable, digital credentials that work like a Visa credit card — one secure digital login accepted everywhere you want to be.
Once you have a digital version of a Visa card and you’ve registered your digital identity, you are at far lower risk of social engineering for the rest of your life. If you protect your login with a FIDO security key, someone would need to physically take that key from you to commit identity theft. Even if they had your personal data and your photo ID, they still couldn’t harm you.
We are putting people into a proactive stance where once they’ve claimed their identity, they’re the only one who can authorize activity. Imagine somebody files a tax return in your name to commit tax fraud with the IRS. And instead of the IRS processing it, if you’ve claimed your identity, you can say “I did not take this action, this is not me.” Instead of reacting to fraud, we are empowering people to prevent unauthorized use of their identity before harm is done.
We have 62 million users and we add 145,000 new users per day. No system is perfect, but relative to all the other systems that are available in this country, we have much higher levels of access and security. We are motivated to keep making our platform more accessible to all users. For example, we added support for Chinese speakers — in addition to English and Spanish — in our self-serve flows and video chat. We are adding support for more languages.
If we can make our network a little more accessible every day, then we’ll make America a more equitable society over time. And that is really the story of our country. We’re motivated to make the reality of America live up to our shared ideals.