Fraud and cyberattacks that target children are alarmingly on the rise. According to data from an upcoming report to be published by Javelin Strategy & Research, nearly $1 billion was lost to child ID fraud in 2021. Furthermore, 1 in 50 children were affected by child identity fraud during the past year and 1 in 45 minors’ personal information was exposed via data breaches in the past year.
These attacks are increasing because children are online more than ever. It isn’t just social media; children are playing video games online, engaging in discussion on forums such as Reddit and Discord, and much more. In order to protect these young consumers, parents need to be educated about how their children are being targeted by fraudsters online. But financial institutions can play a key role in stopping child identity fraud as well.
To find out more, PaymentsJournal sat down with Javelin’s Director of Fraud & Security, Tracy Kitten, and Ben Halpert, founder of savvycyberkids.org, an online resource teaching children and their parents about cyber safety.
Cyber Safety: How to Protect Children in an Increasingly Dangerous Online Environment
Getting Ahead of the Child Identity Fraud Problem
The easiest way to stop the scourge of child identity fraud is to get ahead of the problem by educating children and their parents on the various ways fraudsters target children. Criminals obtain personally identifiable information (PII) from children in various ways, such as by interacting with them online or by finding information on the dark web from previously exposed data breaches. After cybercriminals have enough PII, they can use that child’s identity or create a synthetic identity with PII gleaned from multiple victims, and open new accounts, take out loans, or commit many other types of fraud.
Children need to know what types of information they should not give out online and learn to identify the tactics used by those trying to scam them, Kitten said. Financial institutions, though not directly involved in these attacks, can engender consumer trust and loyalty by offering information and education to their customers on how to stop child identity fraud, she added.
“Financial institutions need to let parents know that they are a resource when it comes to preventing child identity fraud,” she said. “Financial institutions have an opportunity to really play the role of a leader in this space and act as an educator to their customers.”
Parents may not even be aware how often their children are online and to what extent their children interact with others. FIs can be a crucial education resource in this area.
“We need to educate parents as to why child identity fraud is such a critical issue and why we have to take action now,” Halpert said.
Controls Easily Bypassed
Social media channels are probably the top environment where fraudsters target children to extract their PII. Though most social media sites have some sort of parental controls, these are “easily bypassed,” noted Kitten.
“Unless as a parent you are looking over their [child’s] shoulder 24/7, it’s really difficult to control what they’re doing and who they are interacting with,” she added. “That’s why they need to learn safe online behaviors early.”
Halpert agreed, noting that children need to be taught what information is okay to share and what isn’t. For example, Savvy Cyber Kids has created a digital guide for parents, grandparents, and guardians about what information children should divulge in an online gaming environment. Many online games ask for a user’s birthday, but Halpert asks, “Do they actually need my birthday?”
If that online gaming site later gets hacked, the data are exposed, so parents should explain to their children “when it’s okay to tell a little white lie” and perhaps not input their real birthday. Or when speaking to someone else in a chat during an online game, “parents need to talk to their kids about specific topics that are okay and not okay to share with strangers.”
It’s not just children that need to learn this lesson either, said Kitten.
“Parents oftentimes share too much information about their children online,” Kitten observed. “Where they go to school, where they are on vacation. Some of the information we share online is information we should think twice about before putting out there.”
Starting Education Early
Vigilant cyber safety should be taught to children early, preferably between the ages of three and five, said Kitten. This may seem early, but information learned during that time will be ingrained and carried into adulthood.
“The earlier we start educating children about safe online behaviors, the dividends will pay throughout their lifetime,” she said. “This should be part of the early childhood curriculum.”
Halpert concurred, adding that this is why children are typically taught to say “please” and “thank you” at this age.
“So when they get older, they don’t have to think about whether they should say ‘thank you’; it’s just intuitive,” he added. “It’s the same with cyber safety; it should be ingrained.”
Halpert said that many parents may not realize how much of their and their children’s personal data are exposed; years of corporate data breaches mean any fraudster can easily find millions of password and email combinations on the dark web. That’s why it’s important for parents and children to not reuse passwords across sites. Instead, they should use password managers that create and store unique passwords for each site they log in to.
“There’s been so many breaches over the decades that virtually all our prior passwords are known,” Halpert said. “At this point, all our previous passwords should be thought about as public information.”