Latest news with #DavidMaimon
NBC News
7 days ago
- NBC News
Social Security number leaked? Chances are, a criminal is already trying to use it
Data breaches that expose the personal information of millions of people can have very real consequences for individuals, most notably: identity theft. A new study found that the more of a person's personal information is easily accessible to criminals on the dark web, the likelier it is that that person will be a target for criminals. The odds skyrocket if the information includes the person's Social Security number, which is usually necessary for financial applications like opening a bank account, applying for a credit card or filing tax returns, all of which are common targets for fraudsters. The findings, published Monday by SentiLink, a company that monitors customer data for fraud on behalf of finance companies, are intuitive. But they are believed to be the first of their kind showing a clear correlation between the robust cybercriminal trade of people's identities and real-world attempts where criminals try to commit fraud against those victims. David Maimon, SentiLink's head of fraud insight, told NBC News he conducted the study by comparing three sets of data from people whose information is available online. For a baseline list of people whose names and addresses were available online, he used publicly available voter registration records. For a set of people whose names and addresses — but not Social Security numbers — were widely traded among criminals, he took names off stolen checks from a ring of check fraud thieves that operated on Telegram. For a list of people whose names, addresses and Social Security numbers were all widely traded among cybercriminals, he downloaded a database of around 100,000 victims, cobbled together from various hacks and repeatedly traded on the dark web since 2021. Maimon then compared more than 2,000 people from those datasets with SentiLink's internal records of attempted identity theft to see how often each of those people had been targeted. The results were dramatic. Only 2.1% of the people from voter registration forms had been targeted by identity thieves. Of those whose names were found in the stolen check ring, 12.1% had been targeted. But nearly all people in the 2021 database with Social Security numbers — 97% — had been victims of attempted identity theft, Maimon found. Data breaches have become increasingly common, to the point where most Americans' information has been repeatedly stolen. The U.S. Federal Trade Commission received 1.1 million claims of identity theft in 2024, though that is believed to be a severe undercount of the complete number of victims. Even children often have their Social Security number stolen, and credit monitoring services rarely help victims much. According to statistics provided to NBC News by the nonprofit Identity Theft Resource Center, there were 1,857 new data breaches in 2024 that included Americans' Social Security numbers. While Social Security numbers are routinely hacked, it's often impossible for a victim to know how widely their information has been shared — a key component of SentiLink's findings. Not all breaches are equal, and cybercriminals often sell hacked data only to the highest bidder to keep it more exclusive. When a person's information does become widely repackaged and repeatedly traded between criminals, they are targeted by thieves repeatedly for a longer period of time, Maimon found. The best course of action, Maimon said, is for people to freeze their credit ratings with the three major credit agencies and to monitor their ChexSystems Consumer Score to see if anyone has opened bank accounts in their name.
Forbes
16-07-2025
- Forbes
What To Do If You Become The Victim Of Identity Theft
Fraud case news headline in newspaper getty I study fraud and cybercrime for a living. Then I became a case study. I've spent years as part of the fraud-fighting community, publishing academic research, sharing insights almost daily on LinkedIn, and speaking at conferences around the country. While much of my work to educate and raise awareness has been embraced, not everyone is a fan. In 2022, after I publicly reported on the alarming rise of check fraud in the U.S. and spoke with several major media outlets, I became a target. The first text message arrived around 7 a.m. I initially dismissed it. But the second message was far more explicit and wasn't just a vague threat—it was personal. My full Social Security number, home address, and a direct warning: ' got your addy, know where all y'all live. stop looking into the check fraud or your credit going low. Screenshots of first (left) and second threatening text messages received on my personal cell David Maimon Concerned for my safety, my university immediately assigned a campus police officer to accompany me wherever I went. While this measure helped deflect any potential physical threats, something more insidious was already in motion. The same criminal actor who threatened me via text had posted my full identity—name, SSN, DOB, address, even my credit report—to one of the underground fraud forums my team had been monitoring. While this exposure was deeply unsettling, it also presented a rare and valuable opportunity: for the first time, I could observe, up close and in real time, how quickly leaked identity data gets exploited by fraudsters. Most leaked personal data, whether stolen from breaches, checks, phishing attacks or malware, circulates through opaque and decentralized criminal networks. The data is often sold or shared in encrypted Telegram groups, invite-only forums, or dark web marketplaces with no clear timestamps. Because of this, researchers rarely know when an identity was first listed for sale or accessed by bad actors. On the other end, when that identity is eventually used to commit fraud—say, to open a bank account or apply for credit—it might not be detected for weeks or even months, if at all. Even if you know when an identity was leaked, matching it to a fraud attempt is nearly impossible. Institutions (financial firms, credit bureaus, government agencies, and public databases) operate in silos. There is no centralized system to link the moment of exposure to the moment of exploitation. Without visibility into the dark web and cross-platform monitoring, it's nearly impossible to draw a clear, causal line between when an identity is posted for sale and when it's exploited. To complicate matters further, linking a fraud attempt to a specific leak often requires access to sensitive internal records—such as KYC data or transaction logs—that are protected by privacy laws and corporate policies. The result is a murky, delayed, and ethically constrained landscape, where timelines are incomplete and attribution is uncertain. Unless the identity in question happens to be your own. A Front-Row Seat to Fraud: The First 96 Hours At exactly 9:56 a.m. on March 29, 2022 — minutes after receiving the second threatening message — my personal information was leaked to a Telegram fraud group: full name, address, SSN, date of birth, and even a PDF of my credit report. I began searching online fraud markets to see if my information had been posted. I found it almost immediately. I alerted my identity theft protection provider, then sat and waited. Within a couple of days alerts started arriving. These alerts suggested that by March 30 — less than 24 hours after the leak of my identity — fraudsters had used my identity to attempt to open accounts at multiple financial institutions, as well as pull my credit report. Working with a victim specialist, we carefully reviewed the suspicious activity and flagged each questionable inquiry. In total, 10 alerts arrived within that first day. I also requested my ChexSystems report to track any new bank accounts opened in my name (ChexSystems is a consumer reporting agency that tracks deposit accounts across U.S. financial institutions). When that report arrived, it showed six fraudulent accounts had been opened within four days of the leak. Screenshot of my personal identifiers as appeared on the First Telegram Group Which Shared it. David Maimon One account in particular stood out: as if to make a point, the fraudsters had gone so far as to mail a debit card linked to one of the fraudulent accounts directly to my home address. The card bore my name and came with a phone number I was supposed to call to activate it. ChecXsystem report of bank accounts created using my stolen identity David Maimon Debit Card received in my residence as a result of fraudsters using my identity to create a new bank ... More account David Maimon After the Storm: Analyzing the Long Tail of Identity Exploitation After that first month, things went quiet. The alerts stopped, and I assumed the worst was behind me. I was wrong. Just a few weeks ago, a letter arrived from the Lifeline Support Center in New York. For context, Lifeline is a federal program that provides monthly subsidies for phone or internet services to low-income individuals. According to the letter, someone had used my identity to apply for these benefits, and I was now being asked to upload supporting documents to complete the application. I had never applied for Lifeline. This was a clear signal: my stolen identity was still actively being used, this time to exploit a government assistance program. Realizing I'd grown complacent, I decided to dig deeper—this time using more sophisticated tools and data sources to see what was happening in the background. With access to internal databases from SentiLink , a major identity verification and fraud detection company I work with, I searched for any records of identity theft attempts tied to my name and Social Security number. What I found was eye-opening. In total, there were 5 incidents in March 2022, three in April, two in May, then one in August 2023, and another in April 2024. Zooming out, several patterns in the fraudsters' behavior began to emerge. First, most of the applications used freshly-created email addresses, likely spun up for the express purpose of the fraud, and cycled through different contact details. Across the board, there was a consistent rotation of emails, phone numbers, and physical addresses, likely designed to evade identity verification systems. Interestingly, while some fraudsters used burner phones or untraceable contact information, others left behind real, personally identifiable phone numbers — even as they were in the act of identity theft. Second, the fraud attempts showed how broad and adaptive the strategy had become. My identity had been used to apply for everything from consumer loans and property leases to telecom services, federal benefits, and even a tax-related service. Third, the volume of activity slowed over time. By mid-2022, the pace had noticeably dropped — perhaps due to increased monitoring, the flagging of my data in fraud databases, or simply the reuse value of the leaked information. But in August 2023, a new and unusual application surfaced — one that included a traceable phone number. For the first time, I was able to link the fraud back to a specific individual. The applicant, who appears to live in New Jersey, has a lengthy criminal record, including charges for breaking and entering, assault, and battery. Then, in April 2024, my identity was used yet again, this time in connection with a tax-related service. Specifically, an account was created under my name with a tax preparation service, followed by an attempt to fraudulently file my taxes. Unlike the earlier flurry of activity, this attempt was targeted and seasonal, aligned with tax season, and likely designed to take advantage of high-volume government processing windows. One final and important note from my analysis: it does not appear that any organized fraud ring was behind the continued misuse of my identity. Instead, the pattern suggests individual actors — likely monitoring Telegram fraud channels — picked up my information and incorporated it into their own schemes. My data had become part of a wider fraud supply chain, passed from one bad actor to the next, each adapting it to their own criminal playbook. Most Recent Use of My Stolen Identity with the LifeLine Support Center in NY David Maimon What This Means for You My experience underscores a sobering reality: once your identity is exposed, you're not a one-time victim. You're probably a long-term asset in a criminal system where your personal data can be recycled, traded, and exploited for years. The fraud may come in waves, or return over time in stealthier, more targeted forms. If this happens to you, here's what I learned the hard way: Move quickly. File police reports, freeze your credit, and start monitoring, not just the three main credit bureaus (Equifax, Experian and TransUnion) but also the ones like ChexSystems that track checking and savings accounts. Stay Vigilant. Just because the alerts stop doesn't mean the fraud is over. It tends to linger, waiting for the next opportunity to surface. Use the right tools. Visibility matters. Strong identity monitoring tools can help you spot issues before they escalate. Track everything. I have the advantage of working in the fraud space, but anyone can watch for suspicious patterns — look at emails, phone numbers, account applications. Free tools and a little online sleuthing can go a long way. The initial incident is rarely the end. It's usually just the opening move. In this harsh reality, the most powerful protection isn't just a freeze or a lock — it's awareness and proactivity. Once your information is out there, you're not just guarding against fraud — you're managing an active threat that learns how to adapt. Staying on top of how your identity is being used isn't paranoia, it's a necessity.
WIRED
04-06-2025
- Business
- WIRED
Deepfake Scams Are Distorting Reality Itself
Jun 4, 2025 6:00 AM The easy access that scammers have to sophisticated AI tools means everything from emails to video calls can't be trusted. Imagine you meet someone new. Be it on a dating app or social media, you chance across each other online and get to talking. They're genuine and relatable, so you quickly take it out of the DMs to a platform like Telegram or WhatsApp. You exchange photos and even video call each over. You start to get comfortable. Then, suddenly, they bring up money. They need you to cover the cost of their Wi-Fi access, maybe. Or they're trying out this new cryptocurrency. You should really get in on it early! And then, only after it's too late, you realize that the person you were talking to was in fact not real at all. They were a real-time AI-generated deepfake hiding the face of someone running a scam. This scenario might sound too dystopian or science-fictional to be true, but it has happened to countless people already. With the spike in the capabilities of generative AI over the past few years, scammers can now create realistic fake faces and voices to mask their own in real time. And experts warn that those deepfakes can supercharge a dizzying variety of online scams, from romance to employment to tax fraud. David Maimon, the head of fraud insights at identity verification firm SentiLink and a professor of criminology at Georgia State University, has been tracking the evolution of AI romance scams and other kinds of AI fraud for the past six years. 'We're seeing a dramatic increase in the volume of deepfakes, especially in comparison to 2023 and 2024,' Maimon says. 'It wasn't a whole lot. We're talking about maybe four or five a month,' he says. 'Now, we're seeing hundreds of these on a monthly basis across the board, which is mind-boggling.' Deepfakes are already being used in a variety of online scams. One finance worker in Hong Kong, for example, paid $25 million to a scammer posing as the company's chief financial officer in a deepfaked video call. Some deepfake scammers have even posted instructional videos on YouTube, which have a disclaimer as being for 'pranks and educational purposes only.' Those videos usually open with a romance scam call, where an AI-generated handsome young man is talking to an older woman. More traditional deepfakes—such as a pre-rendered video of a celebrity or politician, rather than a live fake—have also become more prevalent. Last year, a retiree in New Zealand lost around $133,000 to a cryptocurrency investment scam after seeing a Facebook advertisement featuring a deepfake of the country's prime minister encouraging people to buy in. Maimon says SentiLink has started to see deepfakes used to create bank accounts in order to lease an apartment or engage in tax refund fraud. He says an increasing number of companies have also seen deepfakes in video job interviews. ' Anything that requires folks to be online and which supports the opportunity of swapping faces with someone—that will be available and open for fraud to take advantage of,' Maimon says. Part of the reason for this increase is that the barriers for creating deepfakes are getting lower. There are a lot of easily accessible AI tools that can generate realistic faces and a lot of tools that can animate those faces or create full-length videos out of them. Scammers often use images and videos of real people, deepfaked to slightly change their faces or alter what they're saying, to target their loved ones or hijack their public influence. Matt Groh, a professor of management at Northwestern University who researches people's ability to detect deepfakes, says that point-and-click generative AI tools make it much easier to make small, believable changes to already-existing media. 'If there's an image of you on the internet, that would be enough to manipulate a face to look like it's saying something that you haven't said before or doing something you haven't done before,' Groh says. It's not just fake video that you need to be worried about. With a few clips of audio, it's also possible to make a believable copy of somebody's voice. One study in 2023 found that humans failed to detect deepfake audio over a quarter of the time. ' Just a single image and five seconds of audio online mean that it's definitely possible for a scammer to make some kind of realistic deepfake of you,' Groh says. Deepfakes are becoming more pervasive in contexts other than outright scams. Social media has been flooded over the past year with AI-generated 'influencers' stealing content from adult creators by deepfaking new faces onto their bodies and monetizing the resulting videos. Deepfakes have even bled over into geopolitics, like when the mayors of multiple European capital cities held video calls with a fake version of the mayor of Kyiv, Ukraine. People have started using deepfakes for personal reasons, like bringing back a dead relative or creating an avatar of a victim to testify in court. So, if deepfakes are everywhere, how do you spot one? The answer is not technology. A number of technology companies, including OpenAI, have launched deepfake detection tools. Researchers have also proposed mechanisms to detect deepfakes based on things like light reflected in a person's eyes or inconsistent facial movements, and have started investigating how to implement them in real time. But those models often cannot reliably detect different kinds of AI fakes. OpenAI's model, for example, is specifically designed only to report content generated with the company's own Dall-E 3 tool but not other image generation models. There's also the risk that scammers can abuse AI detectors by repeatedly tweaking their content until it fools the software. ' The major thing we have to understand is that the technology we have right now is not good enough to detect those deepfakes,' Maimon says. ' We're still very much behind.' For now, as video deepfakes get more popular, the best way to detect one relies on humans. Studies on deepfake detection show that people are best at distinguishing whether videos are real or fake, as opposed to just audio or text content, and are in some cases even better than leading detection models. Groh's team conducted one study which found that taking more time to determine whether an image was real or fake led to a significant increase in accuracy, by up to eight percentage points for just 10 seconds of viewing time. ' This sounds almost so simple,' Groh says. 'But if you spend just a couple extra seconds, that leads to way higher rates of being able to distinguish an image as real or fake. One of the ways for any regular person to just be a little bit less susceptible to a scam is to ask, 'Does this look actually real?' And if you just do that for a few extra seconds, we're all going to be a little bit better off.' Deepfakes' popularity could be a double-edged sword for scammers, Groh says. The more widespread they are, the more people will be familiar with them and know what to look for. That familiarity has paid off in some cases. Last summer, a Ferrari executive received a call from someone claiming to be the CEO of the company. The person convincingly emulated the CEO's voice but abruptly hung up the call when the executive tried to verify their identity by asking what book the CEO had recommended just days earlier. The CEO of WPP, the world's biggest advertising agency, was also unsuccessfully targeted by a similar deepfake scam. 'I think there's a balancing act going on,' Groh says. ' We definitely have technology today that is generally hard for people to identify. But at the same time, once you know that there's a point-and-click tool that allows you to transform one element into something else, everyone becomes a lot more skeptical.'
Yahoo
12-05-2025
- Business
- Yahoo
People's identities for sale; prices start at just $1
People's identities are up for sale. In some cases, prices start at just $1. [DOWNLOAD: Free WHIO-TV News app for alerts as news breaks] We look at how this is happening and what you can do to protect yourself today on News Center 7 Daybreak from 4:25 a.m. until 7 a.m. TRENDING STORIES: Superload weighing almost 370K pounds could cause problems for Greene County drivers Dog dies after being found in basement of Ohio home Officer injured after police hit by vehicle, police say The prices start at $1 on online marketplaces to buy a Social Security number and more. Justin Gray, from our sister station WSB TV in Atlanta, reports he has even seen a spreadsheet of identities offered for free to a company for not paying a ransom in a data breach. 'You don't have to be very skilled. You just need to know where to look,' said Professor David Maimon. We will update this story. [SIGN UP: WHIO-TV Daily Headlines Newsletter]
Yahoo
24-03-2025
- Business
- Yahoo
Social Security retirement accounts are being sold online – What you need to know
An identity theft researcher at Georgia State University has found Social Security retirement accounts for sale online. 'They take over the SSA accounts. Then they change the account details on the Social Security Administration website, and then they funnel the payments,' said GSU Professor David Maimon. Maimon showed Channel 2 consumer investigator Justin Gray a video an identity thief posted bragging about his access to a retiree's account. 'You can see the name, date and the balance,' Maimon said. 'The whole point of the scam is to try to take over there those individuals Social Security payments.' The Trump Administration said new changes they are making this month to require more in-person identity verification are designed to prevent just this type of fraud. 'Americans deserve to have their Social Security records protected with the utmost integrity and vigilance,' said Lee Dudek, Acting Commissioner of Social Security. 'For far too long, the agency has used antiquated methods for proving identity. Social Security can better protect Americans while expediting service.' RELATED STORIES: New Social Security requirements pose barriers to rural communities without internet, transportation Social Security in-person identity checks opposed by advocates and retirees alike A list of the Social Security offices across the US expected to close this year Under the new SSA policy being rolled out over the next 2 weeks, SSA beneficiaries will no longer be able to verify their identity by telephone. People looking to claim benefits or change direct deposit who cannot use their personal 'My Social Security' account, which requires online identity proofing, will then need to visit a local Social Security office to prove their identity in person. Former Social Security Commissioner Martin O'Malley counters that cuts in staff by the new SSA leadership will hurt not help protect from fraud. SSA plans to cut 7,000 jobs even though its current staffing is already at a 50-year low. 'In one day, on one Friday, the entire leadership of the Cyber Security office left. What the public will see is longer and longer and longer and longer waiting times for everything,' O'Malley said. Maimon told Gray that his team started seeing an increase in the SSA accounts for sale before the change in administration, and it has continued after. 'Usually, we see things rising and falling and because of the absence of control, criminals and fraudsters, thrive in times of crisis and times of change,' Maimon said. Another step SSA says they are in the process of taking to limit fraud is using the Treasury Department's Account Verification Service for any direct deposit changes. The Treasury system is designed to verify the existence, status, and ownership of bank accounts before making payments, reducing the risk of improper or fraudulent payments.
