Skip to main content

You’ve heard about the “dark web” and wondered how it affects businesses – including small businesses. That was one of the topics addressed at an FTC conference earlier this year on identity theft. Recent headlines about high-profile data breaches have added even more urgency to the discussion. So why should the dark web matter to your company? Unfortunately, when a business suffers a breach, the dark web is often the next stop that sensitive data makes after it’s been stolen.

What is the dark web?

It’s a term that describes places on the internet not indexed by traditional search engines. While not every site on the dark web engages in criminal activity, the dark web is where sites that illegally sell consumer data and other black market goods tend to congregate. For identity thieves, the dark web is a sophisticated marketplace providing one-stop shopping to get the tools to commit cybercrime – whether it’s malware kits, stolen account information, or “drop” or “cash-out” services to help monetize their crimes.

What’s the link between the dark web and the typical Main Street or online business that experiences a breach?

In many instances, data stolen from businesses ends up on the dark web where criminals buy and sell it to commit fraud, get fake identity documents, or fund their criminal organizations. At our recent identity theft conference, presenters described the big box-style shopping experience some sites offer to fraudsters and the steps dark web data purveyors take to keep their customers satisfied. For example, sites specializing in stolen credit cards may allow identity thieves to place custom orders for the data they want to buy – for example, the card type, the bank issuing the card, city and state, and even zip code. According to conference presenters, the cost of a stolen card ranges from $15 to $50, with platinum cards and newer cards fetching a premium. Some of these sites even engage in a perverse form of “customer service,” offering support functions and refund policies.

Dark web offerings aren’t limited to stolen credit cards. Identity thieves also can get compromised bank accounts, health records, credentials, and forged documents. They can even buy entire wallets, complete with credit cards, driver’s licenses, and documents like Social Security numbers and birth certificates – everything a criminal needs to create a new identity.

How do identity thieves use stolen information?

The injury that data criminals inflict is limited only by their malevolent ingenuity. “Classic” identity fraud often involves using stolen information to get credit from financial institutions, including mortgages and other loans, or to apply for tax refunds or other government benefits owed to someone else. Then there’s the three-way ecommerce scam. That’s where identity thieves advertise a high-end item for sale at half-price. When an unsuspecting consumer takes the bait, the crook uses a stolen credit card to buy the item from a retailer and have it drop-shipped to the consumer. The crook then pockets the purchase price from the consumer, turning a tidy profit.

With all of this information, identity thieves also can create synthetic identities. A synthetic identity is a combination of real and fictitious information – for example, a genuine social security number with a fake name – to create identities that are used to defraud financial institutions, government agencies, or individuals. These new identities often contain a portion of a real person’s information, making them harder for victims to discover and unravel. According to a conference presenter, children’s Social Security numbers are estimated to be used in 50% of synthetic identities.

How do identity thieves exploit stolen credentials?

Criminals have figured out how to make money not just from obviously valuable data like credit card or Social Security numbers, but also from stolen credentials like usernames and passwords. To profit from that data, crooks avail themselves of the services of another dark web dweller – the account checker. How does that work? Say a hacker is able to steal usernames and passwords from a site that doesn’t allow them to tap directly into consumers’ financial accounts. Using brute force tools, account checkers use those same usernames and passwords to try to gain access to other sites with more potential for financial gain. They’re banking on the fact that despite advice that we should mix it up when it comes to usernames and passwords, people have been known to repeat their favorites across the web. It’s estimated there are at least 20 sites that offer account checkers for more than 80 well-known businesses, both e-commerce and brick-and-mortar. What this proves is that identity thieves are after all consumers’ data – not just financial – because they’ve learned how to turn seemingly innocuous information into cold criminal cash.

How does the dark web impact small businesses?

With so much media focus on data breaches at companies that possess personal information about millions of consumers, some smaller businesses and organizations might think that cybercriminals wouldn’t target them. They would be wrong. First, the reality is that cybercriminals don’t always target a particular business. They often use automated tools to scope out vulnerabilities in any system, including small businesses. Second, as presenters noted at our conference, information available for sale on the dark web is up to 20 times more likely to come from an entity whose breach wasn’t reported in the media. Many of these are smaller retailers, restaurant chains, medical practices, school districts, etc. In fact, most of the breaches the U.S. Secret Service investigates involve small businesses.

There’s another way that data breaches injure us all. Identity theft and fraud have become go-to methods for funding criminal activity in the U.S. and around the world. Experts at our conference discussed how they’re used to finance criminal organizations, narcotics and human trafficking, illegal weapons sales, revenge porn, extortion, state-sponsored hacking, and even murder for hire.

And all of this data links back to a real person – your customer – whose life can be adversely affected. Turning their financial affairs into a Gordian Knot is just the start. Some people have had their licenses revoked, been pulled over and arrested, or had criminal warrants issued in their name because of identity theft. When their information is used to commit medical identity theft, even their health could be at risk. Criminals have been known to use stolen data to get medical care or prescription drugs in someone else’s name. When an identity theft victim’s medical records become commingled with a perpetrator’s health information, the consequences could be catastrophic.

What can your business do to reduce the risk that information you collect could find its way to the dark web?

It starts with security and continues with your commitment to stick with it. The FTCs data security page has resources for businesses of any size and sector. If you have customers, employees, or friends who are victims of identity theft, encourage them to report it and get a customized recovery plan at

It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system, and user names also are part of the FTC’s computer user records system. We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.

The purpose of this blog and its comments section is to inform readers about Federal Trade Commission activity, and share information to help them avoid, report, and recover from fraud, scams, and bad business practices. Your thoughts, ideas, and concerns are welcome, and we encourage comments. But keep in mind, this is a moderated blog. We review all comments before they are posted, and we won’t post comments that don’t comply with our commenting policy. We expect commenters to treat each other and the blog writers with respect.

  • We won’t post off-topic comments, repeated identical comments, or comments that include sales pitches or promotions.
  • We won’t post comments that include vulgar messages, personal attacks by name, or offensive terms that target specific people or groups.
  • We won’t post threats, defamatory statements, or suggestions or encouragement of illegal activity.
  • We won’t post comments that include personal information, like Social Security numbers, account numbers, home addresses, and email addresses. To file a detailed report about a scam, go to

We don't edit comments to remove objectionable content, so please ensure that your comment contains none of the above. The comments posted on this blog become part of the public domain. To protect your privacy and the privacy of other people, please do not include personal information. Opinions in comments that appear in this blog belong to the individuals who expressed them. They do not belong to or represent views of the Federal Trade Commission.

Get Business Blog updates