27 July 2018

Identity Fraud – A Golden Business

Maria Genova is a research journalist and the author of a book on identity theft. She is a frequently invited speaker on privacy, identity fraud and information security. In September 2017 she was a guest at FRAUDtalks.

To commit identity fraud, criminals hack the computers of individuals, collect their data and use it to defraud all kinds of companies, including insurance companies. In other words, the fraud is carried out with the data of other people, of honest citizens.

Identity fraud a golden business

When I started my book, I was one of these numerous law-abiding citizens. I thought: “I am not of interest to hackers, I have nothing to hide”. But to them every one of us is interesting. Why? Usually they start off by hacking a computer and then they look at what data they can find. To be honest, we all save interesting data on our computers: insurance policies with a huge amount of personal details, a copy of our passport, tax returns. Combined, this is enough to steal a complete identity. There are also many companies that leak our personal data, because they have been hacked.

Data is the new gold

How do these hackers get access to our computers? In the past a lot of technical know-how was required, but nowadays almost everyone can do it. All those petty criminals are turning to the internet. They use the many free tools and step-by-step instructions that can be found there in abundance. Most hackers are lazy so-and-sos who would rather stay at home sitting at their computer and use automatic programs to do the hacking. Distance is not an issue; take, for example, the Russians. They are interested in our data, because it is worth a huge amount of money. Data is the new gold.

Easy access to personal data

Hackers often gain access because people click on a link in an email. The phishing mails are getting better and better; there are more and more versions without any spelling mistakes and they use the identity of familiar companies and organizations. If you click on a link, the hacker gains access. Recently someone in the audience said he had received such an email and as he did not quite trust it, he opened the email at his work the next day. Bingo. This is how entire organizations are hacked, including insurance companies. And in this way the hackers often also gain access to the data of the clients. Therefore it has become vitally important to tell your employees in an awareness session about the growing digital risks and all the things they need to look out for. This not only prevents reputational damage, but also a lot of distress for clients. It can also save money, as nowadays files are often encrypted by hackers and companies pay them hundreds of thousands of euros to buy back their own files. All because an employee clicked on a single link.

Track and trace

These days nearly all of us shop online, which immediately makes us potential victims. After placing an order, you often get an email with a track and trace number of a delivery service. You click on the link and you get hacked. These hackers have no idea whether you have ordered anything, but they send huge numbers of emails at the same time and there is a great chance that some of the recipients have just placed an order somewhere and are expecting this kind of email.

This also applies to the email you receive from your telephone provider when you have just returned from a holiday saying that your bill is unusually high. You are annoyed, you want to find out more, you click and they have gained access.

Victims of Identity Fraud

What does it mean in practice if you have been hacked and your data has been used for identity fraud? For my book ‘Komt een vrouw bij de h@cker’ I spoke with many victims and I was surprised at the misery these people had to go through and how difficult it turned out to be to actually undo identity fraud. Often a copy of a passport suffices to steal an entire identity; the actual document is not required. The hackers steal such a copy from your computer or from a car rental company in Spain. This is when the misery starts. For example, Boudewijn got a call from the police to say that he had to go to the police station. Someone had rented houses in his name and the police had discovered cannabis plantations on these premises. The police showed him the rental agreements with his forged signature and a copy of his passport. The police did not believe Boudewijn when he claimed that, yes, these were his details, but that he had nothing to do with it. He lost his job and even after the case had been dismissed after 2.5 years due to lack of evidence, Boudewijn was still left with a problem. One wrong tick in the police system meant he could not get a certificate of conduct (VOG), so he could no longer apply for jobs in his field.

Another example of identity theft

A man’s driving license was stolen and the thieves managed to register 1700 cars in his name. The council stopped his social benefits, because he did not need them if he owned so many cars. Because of this, he could not pay his rent and became homeless. He had to go to court, taking his case all the way to the European Court of Human Rights. Eventually, after 17 years, he won his appeal and was awarded €9000 compensation.


Social hacking

Hacking can also be done in another way – via social media. It is easy to, for example, set up a LinkedIn account based on a name and public data. Then you invite colleagues to link to you. Who does not trust a colleague? A few weeks later the hacker sends all the ‘colleagues’ an attachment with a virus. Currently, many social media accounts are straightforward to hack, because the passwords are too simple. A password such as Now18! is easy to hack.

We also share a huge amount of information via social media, as you can clearly see in this video.

Identity verification easy to mislead

Organizations in the Netherlands often use the date of birth, as well as name and address, to verify the identity of the person they are speaking to. Name, address and date of birth (Facebook!) are easy to find online. With them I can obtain all kinds of information: financial data or medical records. I can even change the email address by phone: “Since last week I have a new email address.” “Thank you for letting us know, we will immediately change it in our database.” On request, a week later they will send your rental agreement or insurance policy to the wrong email address that they have in their system. An ideal set of data for identity fraud.

By using information from social media, it is also very easy to put together custom-made phishing emails. If I know where you play tennis, I can send you an email on behalf of your tennis club inviting you to a clinic with a celebrity: please click here to register. I find out where you followed your education on LinkedIn and, piece of cake, here is the invitation for a reunion. The attachment contains a virus which will not be recognized in time by most antivirus scanners. They are nearly always a step behind.

Passwords – two tips and a bonus tip

What can you as a law-abiding citizen do to make things more difficult for hackers? Take care with phishing emails: first click on the email address of the sender and then you will see an entirely different email address appear. When in doubt, hold your mouse over the link in the email – obviously without clicking on it – to see which site you would be redirected to. Most of us come up with one strong password and use that for more than one or even every website. That is not a good idea: if one site is hacked and they get hold of your password, they can use it to, for example, sell goods on an auction site in your name. Naturally, they will not deliver the goods and it is you who is the swindler, because it is your account.
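The two phishing checks described above (the sender's real address, and where a link really leads) can also be automated. The following is an added example, not part of the original article; the function names and the sample message are constructed for illustration and use reserved `.example` / `.invalid` domains.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit
DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)

def host_matches(host, claimed):
    """True when host is the claimed domain or a subdomain of it."""
    host, claimed = host.lower(), claimed.lower()
    return host == claimed or host.endswith("." + claimed)

def sender_mismatch(from_header):
    """Domains shown in the display name that the real address does not use."""
    display, addr = parseaddr(from_header)
    real = addr.rpartition("@")[2]
    return [d for d in DOMAIN_RE.findall(display) if not host_matches(real, d)]

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def link_mismatches(html_body):
    """Links whose visible text names a domain the href does not lead to."""
    parser = LinkCollector()
    parser.feed(html_body)
    found = []
    for href, text in parser.links:
        host = urlsplit(href).hostname or ""
        shown = DOMAIN_RE.findall(text)  # text like "click here" names no domain
        if shown and not any(host_matches(host, d) for d in shown):
            found.append((text, host))
    return found

# Constructed sample message parts (reserved .example/.invalid names, not real traffic).
SAMPLE_FROM = '"Parcel Service tracking@parcel.example" <bulk@mailer.invalid>'
SAMPLE_HTML = ('<a href="http://parcel.example.login.invalid/t">https://parcel.example/track</a>'
               '<a href="https://parcel.example/help">parcel.example/help</a>')
```

A link whose visible text names no domain at all cannot be compared this way, so an empty result does not mean a message is safe.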

But there are so many sites – how can you come up with a different password and remember it as well? Here are two tips:

  1. Use a password manager – a software program that generates a very strong password for every site. In future you will only have to remember one strong, long password. All the passwords are stored encrypted and thus are useless if they are hacked.
  2. For those who prefer to remember the passwords themselves: come up with one strong password and adapt it for each site by changing one letter. For example, your password is ‘aprettylocation1!’ and you replace one fixed letter with a letter from the website. For example, the first (or second or last) letter of LinkedIn becomes the fourth letter of your password: ‘aprlttylocation1!’

And finally, a bonus tip: if you visit websites with banners, your computer can become infected even without clicking. This can be largely prevented, because hackers exploit security holes in the software and updates are released to close them.

So always install updates as soon as possible and do not continue clicking on ‘Ignore’, that is the best way to protect yourself against hackers.
