Identity Theft Prevention
Spot identity theft tactics targeting employees.
What You'll Learn
- Distinguish between legitimate HR, payroll, and benefits communications and social engineering attempts designed to harvest personal data
- Apply verification procedures before providing PII in response to any request received by email, phone, or in-person
- Secure personally identifiable information encountered in your role, including personnel files, customer records, and vendor data
- Report suspected identity theft attempts through proper organizational channels with enough detail for the security team to investigate
- Reduce personal exposure to identity theft by managing digital footprints, monitoring for compromised credentials, and securing physical documents at work
Training Steps
- A Routine Wednesday
  Welcome to Horizon Financial Services! You are Alice, a client relationship manager who handles investment portfolios for high-net-worth clients. It's Wednesday afternoon and you've just finished a productive client call. As you update your notes, your phone buzzes with a voicemail notification.
- A Moment of Panic
  Alice's stomach drops. A delayed paycheck would be a serious problem - rent is due next week, and she has client dinner expenses pending on her personal card. The urgency in Jennifer's voice sounded genuine. She grabs her phone to call the number from the voicemail: 1-888-927-3847.
- The Verification Portal
  'Jennifer' sounds professional and helpful. She explains that Alice needs to verify her banking information through their secure HR portal to prevent payment delays.
- Providing Banking Details
  The portal looks professional - it has the Horizon Financial Services logo and mentions the quarterly payroll audit. Jennifer guides Alice through the form, asking her to enter her routing number and account number.
- All Taken Care Of
  Jennifer thanks Alice for her cooperation and confirms the information will be processed within 24 to 48 hours.
- Reflection
  Alice hangs up feeling relieved. But before we move on, consider what just happened.
- A Creeping Doubt
  As the afternoon wears on, Alice can't shake a nagging feeling. Why did HR call her personal phone instead of sending an email? Why was the callback number different from the company directory? And when has HR ever asked employees to verify banking details through a website during a phone call? A cold feeling settles in. Alice decides to call the real HR department to check whether Jennifer Walsh actually left that voicemail.
- The Fallout
  Marcus confirmed Alice's worst fear: Jennifer Walsh is a real HR employee, but she never left that voicemail. Someone impersonated her. The company never requests banking information through phone calls or external portals. Alice's banking details are now in the hands of an attacker. Marcus sends an email with immediate next steps and a link to the Security Portal for filing an incident report.
- Accessing the Security Portal
  Alice clicks the link to access the Security Portal and file her incident report.
- Filing the Incident Report
  Alice documents every detail of the attack - the voicemail, the callback number, the fake portal, and the information she provided. The more detail in the report, the better the security team can respond.