A new collaborative report, released by Cifas, the UK’s leading fraud prevention service, and Forensic Pathways, highlights that alongside the dark web, the surface web plays an integral role in the selling of personal information.

The new research reveals that personal data is being sold on the surface web via forums and is available through online shops, which are accessible via normal search engines. Furthermore, the findings also show that those selling the data give some individuals’ data away for free by using it as an advert to display what information can be purchased.

In a sample of 30,000 victims of identity fraud, almost a third (8,646) were found on the surface web using name, date of birth, email and/or telephone number, with the majority of those identified on a social media platform. Over two-thirds (69%) of individuals were found on Facebook, with 38% on both Facebook and LinkedIn. Individuals aged 61 years and over were found to have a smaller social media presence; they were, however, more likely to have had an account compromised through a data breach.

Once again, as highlighted by last year’sWho are the victims of identity fraud? report, launched jointly with LexisNexis® Risk Solutions, victims that are company directors are more likely to be identifiable from their social media presence and public director registers. This is particularly the case when the correspondence address is the same as a company director’s home address. 76% of company directors had their home address as their correspondence address and in some cases this related to dissolved companies.

Based on the findings in this report, Cifas and Forensic Pathways have put forward a number of recommendations, including:

  • Deactivate and delete old profiles on social media sites that you no longer use. Keep track of your digital footprints. If a profile was created ten years ago, there may be personal information currently available for a fraudster to use that you’re are not aware of or you have forgotten about.
  • Social media platforms should consider automatically setting a profile to the highest security settings available. It should be an ‘opt-in’ approach for individuals to share personal information, giving them the ability to select what information they choose to reveal.
  • Minimise the data you display publicly online. Take a second before adding information to your profile and question how necessary it is to make this information public. The more personal information you reveal, the more comprehensive a picture a fraudster can create to impersonate you.
  • Owners of forums should monitor and manage them more strictly.This report shows that forums are being used, not for their intended purpose, but for the selling of personal data. Creators of forums should monitor them regularly and there should be sufficient channels to report abuse.
  • Organisations should consider the transparency and proportionality of publicly available data. Further research should be conducted into the balance between transparency and proportionality of publicly available data.

Deborah Leary, CEO Forensic Pathways, said “The findings are eye-opening. This report not only demonstrates the vulnerabilities of personal data held on surface web platforms, but also highlights the pressing need to monitor these with more vigour. It also reminds us that although illegal activity occurs on the dark web, it is also prevalent on the surface web, where the selling of personal data through forums and online shops is clearly evident. We welcome further collaboration from all industries and sectors in the fight against identity fraud.”

Sandra Peaston, Director of Insight, Cifas, said “As individuals, we can take steps to protect our identities online, including deleting old profiles and minimising the data we publicly reveal online. For those who want to promote themselves, either professionally or personally, the real dilemma is whether this promotion outweighs the risks of revealing personal sensitive data.”

“With identity fraud reaching record levels in recent years, more personal information available online, and increasing numbers of data breaches, the protection of personal data must be viewed as a collective responsibility. Everyone should play their part, from social media platforms taking more responsibility around security settings, to organisations prioritising the security of personal data.”

The full report can be viewed by clicking here.