Bursting the Bubbles: Harvesting and Sales of PII By Cybercriminals

Personally Identifiable Information

Personally Identifiable Information (PII)?

Data is the new oil! It powers business decisions, shapes digital user experiences, and enables problem-solving. With its importance to businesses and individuals, data, especially Personally Identifiable Information, has captured the eye of malicious actors such as organized crime groups, cybercriminals, and internet fraudsters. Most malicious actors will sell data collected to advertisers, researchers, or competitors in underground digital marketplaces. Further, the breached data can be used to perpetrate more targeted cyber-attacks such as business email compromise, identity theft, etc. Therefore, it is important to understand what constitutes PII and proactive techniques to protect it.ย 

Personally Identifiable Information (PII) is any information that can be used for identifying a person. This includes categories of data such as full name, national identification number, driverโ€™s license, financial information, and medical records. There has been a recent spike in the collection and subsequent sales of people’s personal information attributed to the increasing use of technology and digital services. For example, during the COVID-19 pandemic, virtual meeting platforms were widely used for harvesting peopleโ€™s PII data across the African terrain.ย 

Standard techniques used by malicious actors include: 

  • Online registration for events: Participants are required to supply personal information when registering for webinars, conferences, online classes, scholarships, financial aids, and grants.
  • Call for submission of documents: Attackers may pose as recruiters, angel investors, and funders to collect data through resumes, CVs, certificates, proposals.
  • Malware attacks: Malicious software such as info stealer and trojans can be used to collect data covertly.

Common Red flags:

While the techniques used by attackers to collect data may seem trivial, it can be challenging to identify such scams; hence many fall prey on a day-to-day basis. However, being cognizant of some obvious and common indicators can help targeted audiences avert attacks and protect their PII. 

Common red flags include:

  • Requests for sensitive identification details e.g National Identification Number (NIN), International Passport number, voter ID, etc.
  • Request for financial records or documents such as credit card information, banking details, etc.ย 
  • Unrelatable invitation ads
  • Unverifiable or unreputable meeting organizers and companies

With the increasing number of cyberattacks, it is paramount to consider data protection and privacy techniques. 

Individuals, organizations, and other stakeholders need to implement the recommendations outlined below. 

  1. Take ownership of your security and privacy.
  2. Register your data only on trusted platforms, and supply only the information that you are comfortable disclosing to the public.
  3. Use secure channels (those that employ encryption) when transmitting sensitive information.
  4. Enforce and be compliant with data protection laws, e.g. NDPR, GDPR, HIPAA, etc.
  5. Prosecution of offenders as outlined in the existing laws.
  6. Understand the provisions detailed in data protection laws.

Despite implementing protective measures, you can still become a victim of a cyber incident that exposes your data. What should you do then? It would be helpful if you consider reporting to relevant authorities as well as seeking cyber professionals who can analyze the incident and offer solutions. CcHUB provides intelligence and cyber incident handling services to vulnerable groups and individuals. 

Report using the details provided below.


Chats: +2349030124390 (signal & Whatsapp only)

Email: help@cchubnigeria.com

Twitter: @safeonline_NG, @Cc_HUB