{"id":27926,"date":"2019-08-12T07:51:00","date_gmt":"2019-08-12T11:51:00","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=27926"},"modified":"2019-11-15T06:23:46","modified_gmt":"2019-11-15T11:23:46","slug":"selfie-with-id-card-scam","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/selfie-with-id-card-scam\/27926\/","title":{"rendered":"Selfie hunting: Think twice before confirming your identity"},"content":{"rendered":"

During registration, some online services ask you to confirm your identity by uploading a selfie showing you and your ID. It\u2019s a convenient way to prove that you are you. You don\u2019t need to go to some distant office and stand in line. Just take a photo, upload it, and wait a short while for your account to be approved by an administrator.<\/p>\n

Unfortunately, it\u2019s not just legitimate websites with a good reputation interested in your selfies; they\u2019re also of interest to phishers<\/a>. Here\u2019s how the scam works, why criminals are after your photos with ID cards, and how not to swallow the bait.<\/p>\n

Verifying your identity<\/h2>\n

A common business scenario these days begins with an e-mail from a bank, payment system, or social network saying that for \u201cextra security\u201d (or some other reason), you need to confirm your identity.<\/p>\n

The link leads to a page with a form<\/a> prompting you to enter account credentials, payment card details, address, telephone number, or other information, and to upload a selfie with a clearly visible ID card or other document. At this point, you should stop and think \u2014 is it really a good idea to upload your selfie with ID? They may well be scammers.<\/p>\n

\"Scammers<\/a>

Scammers pretending to be payment system and bank, asking for a selfie upload with document<\/p><\/div>\n

Why fraudsters want selfies with ID cards<\/h3>\n

As we already mentioned, some online services require a photo with ID for registration. If you send a selfie to scammers, they will be able to create accounts in your name \u2014 for example, on cryptocurrency exchanges \u2014 with a view to using them to launder money. As a result, you may run into problems with the law. Not great.<\/p>\n

On the black market your selfie with ID will fetch a far heftier sum<\/a> than just an ID scan. Having got hold of the coveted photo, the scammers can sell it profitably, and the buyers can use your name as they please.<\/p>\n

Typical signs of online fraud<\/h3>\n

Fortunately for us all, online fraud is rarely the realm of meticulous types who perfect every tiny detail. A close inspection of the phishing e-mail and the website that the link leads to almost always reveals many suspicious elements.<\/p>\n

1. Errors and typos<\/h4>\n

Most likely, the e-mail and data entry form will not be written in the finest prose. Do official websites and e-mails from large organizations often bristle with grammatical errors and typos?<\/p>\n

2. Suspicious sender address<\/h4>\n

Such messages often come from addresses registered on free e-mail services, or belonging to companies with no affiliation whatsoever to the one named in the e-mail.<\/p>\n

3. Domain name doesn\u2019t match<\/h4>\n

Even if the sender\u2019s address looks legit, the site hosting the phishing form is likely to be located on a rogue or unrelated domain. In some cases, the address can be very similar (but still different); in others the difference is striking. For example, a message supposedly from LinkedIn for some reason invites users to upload a photo to Dropbox.<\/p>\n

\"Why<\/a>

Why would LinkedIn ask for a photo upload to Dropbox? That\u2019s scammers<\/p><\/div>\n

4. Excessively tight deadline<\/h4>\n

Often, the authors of such e-mails do their best to hurry the recipient, for example by claiming that the link will expire in 24 hours. Scammers frequently resort to this technique, since the false sense of urgency causes many to act without thinking. But reputable organizations are unlikely to rush you for no reason.<\/p>\n

5. Request for information you already provided<\/h4>\n

Be triple cautious if at least part of the information requested (for example, email address or phone number) is something you already supplied during registration. And in the case of a bank, you and your identity were confirmed when opening the account. Why verify it again for the sake of some nebulous \u201cextra security\u201d?<\/p>\n

6. Demands instead of offers<\/h4>\n

Many resources offer advanced features, including security-related ones, in exchange for information about you\u00a0\u2014 but in your personal account on the website, not by e-mail. And usually it is an offer you can<\/em> refuse. But in the form that opens from the link in some scam e-mails, there is only one button, as if to suggest that there is no option but to upload a selfie.<\/p>\n

7. No information about it on the official website<\/h4>\n

You may actually have had to confirm your identity on a resource that you had used for a long time. However it\u2019s the exception, not the rule, and details of what\u2019s going on should be available on the official website of the service and easy to google.<\/p>\n

Don\u2019t hand out ID card selfies<\/h3>\n

To prevent fraudsters from stealing your identity, be wary of any requests for data, especially when documents are in play.<\/p>\n