Selfie hunting: Think twice before confirming your identity

August 12, 2019

During registration, some online services ask you to confirm your identity by uploading a selfie showing you and your ID. It’s a convenient way to prove that you are you. You don’t need to go to some distant office and stand in line. Just take a photo, upload it, and wait a short while for your account to be approved by an administrator.

Unfortunately, it’s not just legitimate websites with a good reputation that are interested in your selfies; phishers want them too. Here’s how the scam works, why criminals are after your photos with ID cards, and how not to swallow the bait.

Verifying your identity

A common scenario these days begins with an e-mail from a bank, payment system, or social network saying that for “extra security” (or some other reason), you need to confirm your identity.

The link leads to a page with a form prompting you to enter account credentials, payment card details, address, telephone number, or other information, and to upload a selfie with a clearly visible ID card or other document. At this point, you should stop and think — is it really a good idea to upload your selfie with ID? Whoever is asking may well be a scammer.

Scammers pretending to be payment system and bank, asking for a selfie upload with document

Why fraudsters want selfies with ID cards

As we already mentioned, some online services require a photo with ID for registration. If you send a selfie to scammers, they will be able to create accounts in your name — for example, on cryptocurrency exchanges — with a view to using them to launder money. As a result, you may run into problems with the law. Not great.

On the black market your selfie with ID will fetch a far heftier sum than just an ID scan. Having got hold of the coveted photo, the scammers can sell it profitably, and the buyers can use your name as they please.

Typical signs of online fraud

Fortunately for us all, online fraud is rarely the realm of meticulous types who perfect every tiny detail. A close inspection of the phishing e-mail and the website that the link leads to almost always reveals many suspicious elements.

1. Errors and typos

Most likely, the e-mail and data entry form will not be written in the finest prose. Do official websites and e-mails from large organizations often bristle with grammatical errors and typos?

2. Suspicious sender address

Such messages often come from addresses registered on free e-mail services, or belonging to companies with no affiliation whatsoever to the one named in the e-mail.

3. Domain name doesn’t match

Even if the sender’s address looks legit, the site hosting the phishing form is likely to be located on a rogue or unrelated domain. In some cases, the address can be very similar (but still different); in others the difference is striking. For example, a message supposedly from LinkedIn for some reason invites users to upload a photo to Dropbox.

Why would LinkedIn ask for a photo upload to Dropbox? That's scammers

4. Excessively tight deadline

Often, the authors of such e-mails do their best to hurry the recipient, for example by claiming that the link will expire in 24 hours. Scammers frequently resort to this technique, since the false sense of urgency causes many to act without thinking. But reputable organizations are unlikely to rush you for no reason.

5. Request for information you already provided

Be triply cautious if at least part of the information requested (for example, e-mail address or phone number) is something you already supplied during registration. And in the case of a bank, you and your identity were confirmed when opening the account. Why verify it again for the sake of some nebulous “extra security”?

6. Demands instead of offers

Many resources offer advanced features, including security-related ones, in exchange for information about you — but in your personal account on the website, not by e-mail. And usually it is an offer you can refuse. But in the form that opens from the link in some scam e-mails, there is only one button, as if to suggest that there is no option but to upload a selfie.

7. No information about it on the official website

You may actually have had to confirm your identity on a resource that you had used for a long time. However, it’s the exception, not the rule, and details of what’s going on should be available on the official website of the service and easy to google.

Don’t hand out ID card selfies

To prevent fraudsters from stealing your identity, be wary of any requests for data, especially when documents are in play.

  • Be suspicious of requests to verify your identity in services that you have been using for a while. If you’re of two minds about whether to ignore a particular message, look for information on the company’s official website.
  • Pay attention to the quality of the text. Remember that grammatical errors, missing words, and typos in real corporate communications are extremely rare.
  • Check where the message came from, and where the link points. Companies send mailings from official domains, and any exceptions would be explained on their websites. Surveys, login forms, and other official pages are also usually cited on official resources.
  • Any restrictions, such as a pushy time frame for providing information, should ring an alarm bell. It is better to miss the deadline than send your data to cybercriminals.
  • If in doubt, call customer service. But do not use the number provided in the message — find it instead on the official website or in the registration confirmation e-mail.
  • Use a reliable antivirus program with protection against phishing and online fraud.
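
The sender, link and deadline checks described above (signs 2, 3 and 4) can be automated for mail triage. The following is an added example, not code from the original article; the brand-to-domain map, the free-mail list, the urgency patterns and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Illustrative assumptions: this brand map, free-mail list and urgency
# pattern are constructed for the example, not an authoritative feed.
OFFICIAL = {"linkedin": {"linkedin.com"}}
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com"}
URGENCY = re.compile(r"\b(within|in)\s+\d+\s+hours?\b|\bexpires?\b|\bimmediately\b", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)

def on_domain(host, domains):
    """True only if host is an official domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(raw, brand):
    """Return the warning signs found in a raw single-part text e-mail."""
    msg = message_from_string(raw)
    findings = []
    sender_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if sender_host in FREE_MAIL:
        findings.append("sender-free-mail")        # sign 2: free e-mail service
    elif not on_domain(sender_host, OFFICIAL[brand]):
        findings.append("sender-unaffiliated")     # sign 2: unrelated company
    body = msg.get_payload()  # a str for single-part messages (assumed here)
    for url in URL.findall(body):
        host = urlsplit(url).hostname or ""
        if not on_domain(host, OFFICIAL[brand]):   # sign 3: domain mismatch
            findings.append("link-off-domain:" + host)
    if URGENCY.search(body):                       # sign 4: tight deadline
        findings.append("tight-deadline")
    return findings

# Constructed sample modelled on the LinkedIn/Dropbox case described above.
SAMPLE = """\
From: LinkedIn Security <verify@linkedin-support.example>
Subject: Confirm your identity

Upload a selfie with your ID at https://www.dropbox.com/request/CONSTRUCTED
within 24 hours or your account will be restricted.
"""

if __name__ == "__main__":
    print(triage(SAMPLE, "linkedin"))
```

Matching on the domain suffix rather than on a substring is what catches look-alike hosts that merely contain the brand name, such as linkedin.com.verify-id.example.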