In January, hackers launched a cyberattack on what might seem an unlikely target: PowerSchool, a provider of student systems for the educational industry. While the young individuals tracked by PowerSchool may not have much money of their own, their identities are worth a great deal to cybercriminals.
A report from Javelin Strategy & Research, 2024 Child & Family Cybersecurity Study, highlights the online threats that children face, and what parents can do to mitigate these risks. For many criminals, a child’s identity can be just as valuable as an adult’s.
“Once that information is out there because a kid gave it up through a social engineering attack, cybercriminals have enough data to start opening up new accounts,” said Tracy Goldberg, Director of Fraud and Security at Javelin and the author of the report.
Targeting the Affluent
Children from more affluent households are at greater risk of being targeted and compromised by cybercriminals. Among children victimized by identity theft, more than half come from households with an annual income exceeding $100,000.
These children often have greater access to social media and other online accounts across multiple devices. They are also more likely to use payment cards, mobile accounts, online gaming, and other e-commerce platforms that cybercriminals target. Criminals have also become increasingly sophisticated in identifying and exploiting children from wealthy families.
“It doesn’t take long for cybercriminals to connect the dots if they know where a child goes to school,” said Goldberg. “They can also determine things like where they’re going on vacation. If the parents are connected to the child, they can figure out LinkedIn connections and where their parents work. They can connect the dots pretty easily.”
Among child ID fraud victims, social media ownership is a common thread. Nearly all child identity fraud victims in the past six years were active social media users when their identities were compromised. This highlights the importance of parents preparing their children for the threats posed by social media.
“A lot of these kids are socially engineered into giving up information about themselves,” said Goldberg. “If they meet someone on an online gaming platform, they oftentimes reveal pieces about themselves that make it pretty easy for cyber criminals to figure out whether they come with family or not.”
A Crime That’s Hard to Detect
Once a child’s identity is stolen, criminals often take over their payment accounts. credit and debit cards being the most commonly compromised instruments. More than half of such victims found that their mobile numbers and login credentials were misused soon after their identities were stolen. Had those accounts been more closely monitored and secured with stronger identity verification, victims might have been alerted that their identity had been stolen or that personally identifiable information (PII) had been compromised long before any fraud occurred.
Using a child’s identity allows criminals to conduct traceable transactions with ease, making these activities appear trusted and worry-free. Neither parents nor children are likely to monitor such breaches. However, the stolen information can still be exploited, even though children themselves would be unlikely to get a loan on their own.
“If the hackers have all of those bits of data, they can open up a credit card, they could open up a peer-to-peer account like a Venmo, they could do all types of things,” said Goldberg. “What makes the children so attractive is that new account fraud on a child’s credit report isn’t going to raise flags because kids aren’t getting credit reports.”
“It’s not typically until a child buys a car for the first time or goes away to college to get an apartment or tries to get a student loan that then they find out that their credit has been compromised,” she said. “There have been all these things on the credit report that the child didn’t open. But at that point it could be several months to years after the initial compromise.”
The Threat of Synthetic Identities
When criminals compromise children’s identities, as in the PowerSchool breach, they reuse bits of their PII in new ways. Traditional credentials, such as email usernames and passwords, can lead to full account takeovers or new account fraud through synthetic identity creation.
Cybercriminals exploit these stolen fragments of personal information by assembling them from multiple sources to create synthetic identities—essentially fabricating a new identity.
“They take maybe the Social Security number of someone who’s recently deceased, the date of birth of someone who lives down the street, and the address from a child that they’ve compromised,” Goldberg said. “It’s all legit pieces of information, but they’re putting it together to create a fake identity. Unless the algorithms on the back end are detecting that this date of birth does not go with this Social Security number, it’s not going to raise a flag.”
To protect children from these types of attacks, an identity protection service (IDPS) is key. Only 5% of parents and guardians report that they covered their children by an IDPS before they became victims of identity fraud. But 95% said they enrolled their child in IDPS only after the victimization. Some parents and guardians never make the investment, even if their children experience identity theft.
“Our Social Security numbers are out there,” said Goldberg. “But because we have credit reports that we’re tapping into on a regular basis, we’re getting alerted. Every financial institution, for the most part, will let you know what your credit report looks like. Anytime I log into my Bank of America account, I’m getting an overview of what my profile looks like. Kids don’t do that.”
Parents need to take the lead in teaching their children about the dangers that are out there.
“The main thing is educating kids to not share information about themselves,” said Goldberg. “Just like stranger danger. You wouldn’t go out and tell somebody at the supermarket who you are, where you live, what your phone number is. Don’t do that online either.”
