by Detective Robert E. Harris
This past year millions of Americans were put at risk of identity crimes. There are things you can do to protect yourself and things you can do if you become a victim.
With problems as insidious as the fraud phenomenon of identity theft, and the speed with which it is becoming the number one fraud crime in the world, consumers need to take the responsibility to check their credit history and credit reports so they can exercise some measures of protection. Consumers have never been so empowered to check on their credit reported information to insure it is correct and to make corrections if it is not.
Now that the federal government has passed The Fair and Accurate Credit Transactions Act, everyone can get their credit history report for free at least once every year from each of the top three reporting agencies, Equifax, Trans Union, and Experian (more on those agencies later). Everyone should obtain their credit history report and review that information for accuracy. You can also obtain your credit rating scores for a nominal fee. As title executives, you know a credit rating score is a figure based on a fairly complex mathematical model that helps creditors and lenders evaluate the myriad of information in a credit file. But many consumers do not understand their credit history and score and how it can affect them.
The Federal Trade Commission (FTC), the nation’s consumer protection agency, recently released a survey showing that 27.3 million Americans have been victims of identity theft in the last five years, including 9.9 million people in the last year alone. According to the survey, last year’s identity theft losses to businesses and financial institutions totaled nearly $48 billion and consumer victims reported $5 billion in out-of-pocket expenses.
Where the thieves opened new accounts, the per-victim dollar loss to both businesses and victims was higher and the time spent resolving the problems was greater. The survey found in the past 12 months that 3.23 million consumers discovered that new accounts had been opened, and other frauds, such as renting an apartment or home, obtaining medical care or employment, had been committed in their name. In those cases, the loss to businesses and financial institutions was $10,200 per victim. Individual victims lost an average of $1,180. Where the thieves solely used a victim’s established accounts, the loss to businesses was $2,100 per victim. For all forms of identity theft, the loss to business was $4,800 and the loss to consumers was $500, on average.
ID Theft vs. ID Crime
I realize that the more popular reference to this crime is identity theft; however it has become evident to most law enforcement agencies that ID theft itself is an element of the more broad-based identity crime. ID theft itself occurs when someone obtains personal information with intention to use it for criminal gain. They usurp personal identifiers like full name, birth date, Social Security numbers. Once a person knows those details, he or she can essentially impersonate you to acquire credit cards, pay for utilities, even make large purchases, such as cars and houses. Once they have control of accounts they can drain them, stealing thousands of dollars right before your eyes. The phenomenon is now being referred to as identity crime because the theft of those personal identifiers is not done for the fun of it. More often than not, those identifiers are used to perpetrate criminal activity. Therefore the term ID crime fits more aptly than ID theft.
ID crime gives law enforcement agencies a wider range of options in seeking criminal prosecution than ID theft alone presented just a few years ago. There has been a paradigm shift in focus as the federal government is passing legislation to assist law enforcement agencies.
Just like there are ways to protect yourself from a mugging, I believe there are some proactive measures you can take to be less likely victimized by ID crime.
Some Ways to Protect Yourself
Buy a shredder - they are relatively cheap (especially compared to the cost of having your identity stolen) and are very effective.
Do not throw bank statements, checkbooks, utility bills or old credit cards in the trash. Always shred them or cut them with scissors …but NEVER throw this sensitive information away. There are people who sort through trash to retrieve this information to sell or use it for identity crimes.
When paying for goods at a store or withdrawing money from a cash machine, always protect your passwords, codes, and PIN numbers from shoulder surfers and prying eyes. Question anyone requesting personal information and demand to know how that information is going to be used.
Protect your personal information at home. You may be careful about locking your doors and windows and keeping your personal papers in a secure place, but an identity thief does not need to set foot in your house to steal your personal information. Financial records, tax returns, birth date, and bank account numbers stored on your computer can be stolen. (See sidebar for ways to safeguard this information.)
Obtain and review your credit history as often as you can manage (at least three to four times a year). I’ll repeat this several times; it really is up to you to protect your personal information, and one of the easiest ways is to monitor your history and credit files.
There might be some telltale signs on your credit report that only you would recognize as an indication that there has been some identity theft/identity crime activity. Quite often, consumers are not even aware that they have been victimized until long after the crime has been committed. Some signs to be wary of:
These are just a few signs or symptoms. Remember, identity crimes cannot definitively be prevented; however we can take certain steps that may reduce our chances of being victimized, and getting the credit information is an important part. But it’s not enough just to obtain the information. You must learn to interpret the reports as well.
A Real Example
As the president of the North American Consumer Protection Investigators, I’ve spoken with executives from companies seeking partnerships for protection against consumer crimes. One company account representative told me she had actually heard one of my ID theft presentations at an ALTA® event in San Diego. She confessed that a few days afterwards, her wallet was stolen. Unfortunately, she did not hear my presentation sooner in order to take some steps to help in this type of situation.
One of the best proactive things you can do is to take an inventory of what is in your wallet. I suggest you do this now, before a crisis. Photocopy what is in your wallet so that you have a real copy representation of account numbers and phone contacts for your credit cards and you can quickly react. The woman I mentioned confessed it was several days before she could get the information together for her credit card companies, DMV, bank cards, etc. Still fearful that some of the information may not have been accounted for, she found that she was forced to change accounts and monitor others, which is often extremely time consuming. While no particular action can prevent all instances of ID crime, by taking proactive measures, we can lessen the opportunity of being victimized and increase our opportunity to address this situation if it does happens.
What’s Your Theft Quotient?
One of the fun things I do in my live seminars is to have the audience take the ID theft quotient test - a series of questions with point values that lets me know where the audience stands on how to prevent themselves against ID theft. I will not give you the test here (sorry, you’ll have to attend a seminar sometime soon). However, I will very briefly mention some of the things to consider.
Social Security Numbers. Where do you see your Social Security number? Is it on your driver’s license, printed on your personal checks, etched into the side of your electronics in your living room? Have you used it to enter a contest? Do you think you have to carry your Social Security card in your wallet? Your Social Security number should be a well-guarded secret. Do not carry the card with you. If your wallet is stolen, your number can be used to open other accounts, obtain loans, etc. Do not put it on your checks or other identification. If it appears on your driver’s license, ask the DMV to assign you another number.
Bills in Your Mailbox. How many of you put your outgoing bills in the mailbox attached to your house or at the end of your driveway? A crook can easily take that bill, do a little check washing and have access to your account and other checks. The crook can change that account and move it to another bank or apply for a credit card change of address on those credit cards. He/she can max out the card, and you won’t even get the bill. A number of laws limit consumers’ liability if you are a victim of identity theft. Not all costs are covered however.
Credit Card Offers. Do you get any preapproved credit cards in the mail? Shred, shred, shred. Never just toss them in the trash. Likewise, you probably get offers for credit cards via banner ads on the Internet. Ignore them.
Corporate America and ID Theft
This past year alone millions of Americans were put at risk of identity crimes because of a series of data-security breaches like the fiasco at Ameritrade, Bank of America, CardSystems, CitiGroup/UPS, DSW, even Experian/Topeka Credit Bureau, and GM MasterCard, just to name a few. Data brokers such as these need to be held more accountable to develop, implement, and maintain an effective information security program to protect sensitive consumer information. Their safeguards might include better encryption, truncation, and other security measures currently available or under development. So, again, right now it is largely an individual’s efforts that will lessen the likelihood of victimization.
In another example, ChoicePoint is a Georgia-based company that sells information in three markets—insurance, business and government, and marketing. According to a recent quarterly statement filed at the Securities and Exchange Commission, ChoicePoint sells “claims history data, motor vehicle records, police records, credit information and modeling services...employment background screenings and drug testing administration services, public record searches, vital record services, credential verification, due diligence information, Uniform Commercial Code searches and filings, DNA identification services, authentication services, and people and shareholder locator information searches...print fulfillment, database and campaign management services.” ChoicePoint has managed to attain a large share of the commercial data broker market with strategic purchases of other businesses since its spin-off from Equifax in 1997. In February 2005, ChoicePoint announced that the company sold personal information on at least 145,000 Americans to a criminal ring engaged in identity theft. California police have reported that the criminals used the data to make unauthorized address changes on at least 750 people, and investigators believe the personal information of up to 400,000 people nationwide may have been compromised.
Another major security breach at a private data broker was from the company LexisNexis as they admitted that personal information on 310,000 U.S. citizens might have been stolen. At the time, LexisNexis said the breach only affected 32,000 people; however, they now say its databases had been fraudulently breached 59 times using stolen passwords, allowing access to addresses, Social Security Numbers, and other sensitive information at about ten times the original estimates.
Congress is exploring legislative remedies because of these and many other data security breaches. The Senate Judiciary Committee has begun consideration of S. 1408, the Identity Theft Protection Act. The measure would require data brokers and others covered by the law to develop, implement, and maintain an effective information security program to protect sensitive information. The law would also require data brokers to immediately report security breaches compromising 1,000 or more consumers to federal officials and consumer agencies. Currently there is no federal requirement in that regard, and state laws vary. California requires notification, but most other states do not. While the proposed law fills several glaring gaps in data security, some consumer groups claim it doesn’t go far enough and have expressed concern about intense lobbying by banking and other affected industry groups….Ah, democracy!
New Scams Every Day
In recent months we’ve seen attempts at ID crimes made through the Internet, such as the Nigerian scam e-mails asking for money because a relative has been killed in a government takeover. We’ve also seen the new phenomenon that has grown exponentially known as “phishing.” Phishing with a ‘ph’ is much like the other fishing. You cast out a net and see what you can reel in. Scammers will send out 100,000 e-mails, and if they get just two good hits, that’s a good day.
You could receive an e-mail that looks legitimate, but it is not. Pretending to be from a legitimate retailer, bank, or government agency, the sender asks you to confirm your personal information for some made-up reason: your account is about to be closed, or an order for something has been placed in your name, or your information has been lost because of a computer problem. Another tactic phishers use is to say they’re from the fraud departments of well-known companies and ask to verify your information because they suspect you may be a victim of identity theft! In one case, a phisher claimed to be from a state lottery commission and requested people’s banking information to deposit their winnings in their accounts. Don’t take the bait.
Here are some of other phishing schemes to be aware of:
Don’t click on the link in an e-mail that asks for your personal information. It will take you to a phony Web site that looks just like the Web site of the real company or agency. Check whether the message is really from the company by calling them.
Phishing can also happen by phone. You may get a call from someone pretending to be from a company or government agency making the same kinds of false claims and asking for your personal information. Don’t give it. If someone contacts you and says you’ve been a victim of fraud, verify the person’s identity before you provide any personal information.
Legitimate credit card issuers and other companies may contact you if there is an unusual pattern indicating that someone else might be using one of your accounts. But usually they only ask if you made particular transactions; they don’t request your account number or other personal information. Law enforcement agencies might also contact you if you’ve been the victim of fraud. To be on the safe side, ask for the person’s name, the name of the agency or company, the telephone number, and the address. Then get the main number and call to find out if the caller is legitimate.
Job seekers should be careful. Some phishers target people who list themselves on job search sites. Pretending to be potential employers, they ask for your Social Security number and other personal information. Verify the person’s identity before providing any personal information. Act immediately if you’ve been hooked by a phisher. If you have provided account numbers, PINs, or passwords to a phisher, notify the companies with whom you have the accounts right away. For information about how to put a “fraud alert” on your files at the credit reporting bureaus and other advice for ID theft victims, contact the FTC’s ID Theft Clearinghouse, www.consumer.gov/idtheft or toll-free, 877-438-4338. The TDD number is 202-326-2502.
Even if you didn’t get hooked, report phishing. Tell the company or agency that the phisher was impersonating them. You can also report the problem to law enforcement agencies through the National Fraud Information Center/Internet Fraud Watch, www.fraud.org or 800-876-7060, TDD 202-835-0778. The information you provide helps to stop identity theft.
Credit Cards and the Web
Credit card schemes are big on the Web so be extra careful and actually read the fine print. Privacy policies should be available on the Web site you are doing business with. Always check before you give the information and, more importantly, know whom you are doing business with. Do your due diligence. Some policies clearly state that they will take every thing you give them and sell it to others (and you wondered why your e-mails tripled last month and the phone just will not stop ringing). But you won’t know that unless you read the policy statement.
Understand the return policies. Even in “brick and mortar” stores, you can’t always get your money back. To be in compliance with state law (at least in most states), a brick and mortar store must have its return policy posted in the store. On the Internet the store might have a link to their policy. Read it before you buy. Always print the policy and your order so you have a record. Paying by credit card is actually better than paying by check. Not only do you have certain protections by doing so, but you also have protection over an extended period of time. You can contact the credit card company if you’ve been defrauded.
Personal firewalls definitely help. Remember on your secure browser you’ll see icons such as a lock letting you know that you are in a secure area and that you are communicating directly with that Web site.
|Keeping Your Computer Information Safe|
If You Are a Victim
If you think (or vividly discover) you have been victimized, the FTC recommends that you take three actions immediately:
First, contact the fraud departments of each of the three major credit bureaus. Tell them to flag your file with a fraud alert including a statement that creditors should get your permission before opening any new accounts in your name.
At the same time, ask the credit bureaus for copies of your credit reports. Credit bureaus must give you a free copy of your report if it is inaccurate because of fraud. Review your reports carefully to make sure no additional fraudulent accounts have been opened in your name or unauthorized changes made to your existing accounts. In a few months, order new copies of your reports to verify your corrections and changes, and to make sure no new fraudulent activity has occurred.
The agencies are:
Second, contact the creditors for any accounts that have been tampered with or opened fraudulently. Ask to speak with someone in the security or fraud department, and follow up in writing. Following up with a letter is one of the procedures spelled out in the Fair Credit Billing Act for resolving errors on credit billing statements, including charges that you have not made.
Third, file a report with your local police or the police in the community where the identity theft took place. Keep a copy of the file in case your creditors need proof of the crime.
Since 1998 the FTC has had an Identity Theft Program to assist identity theft victims and provide guidance on how to resolve the problems. They also help consumers refer complaints to appropriate criminal law enforcement agencies and provide business and consumer education across the board. The FTC maintains the nation’s primary identity theft Web site, which provides critical resources for consumers, businesses, and law enforcement at www.consumer.gov/idtheft. If you’ve been victimized, you can also file a complaint with the FTC by contacting the FTC’s Identity Theft Hotline by telephone: 877-IDTHEFT or TDD: 202-326-2502; by mail: Identity Theft Clearinghouse, Federal Trade Commission, 600 Pennsylvania Avenue, NW, Washington, DC 20580; or www.consumer.gov/idtheft. Ask for a copy of ID Theft: When Bad Things Happen to Your Good Name, a free comprehensive consumer’s guide to help you guard against and recover from identity theft.
It is also a good idea to complete an ID Theft Affidavit (also available from the FTC). It is a true statement, certified, but doesn’t have to be. Fill it out as soon as possible while the details are fresh in your mind. It may not mean anything today or tomorrow, but it may in three years when you try to prove your innocence to creditors.
Other Things You Can Do
If an identity thief has stolen your mail for access to new credit cards, bank and credit card statements, preapproved credit offers and tax information or falsified change-of-address forms, report it to your local postal inspector. If you discover that an identity thief has changed the billing address on an existing credit card account or has accessed your bank account or ATM card, close the account. When you open a new account, ask that a password be used before any inquiries or changes can be made on the account. Avoid using easily available information like your mother’s maiden name, your birth date, the last four digits of your SSN or your phone number, or a series of consecutive numbers. Avoid the same information and numbers when you create a PIN number.
If an identity thief has established new phone or wireless service in your name and is making unauthorized calls that appear to come from — and are billed to — your cellular phone or is using your calling card and PIN, contact your service provider immediately to cancel the account and calling card. Get new accounts and new PINs.
If it appears that someone is using your SSN when applying for a job, get in touch with the Social Security Administration (SSA) to verify the accuracy of your reported earnings and that your name is reported correctly. Call (800) 772-1213 to check your Social Security statement.
In addition, the SSA may issue you a new SSN at your request if, after trying to resolve the problems brought on by identity theft, you continue to experience problems. Consider this option carefully. A new SSN may not resolve your identity theft problems, and may actually create new problems. For example, a new SSN does not necessarily ensure a new credit record because credit bureaus may combine the credit records from your old SSN with those from your new SSN. Even when the old credit information is not associated with your new SSN, the absence of any credit history under your new SSN may make it more difficult for you to get credit. And finally, there’s no guarantee that an identity thief wouldn’t also misuse a new SSN.
If you suspect that a thief is using your name or SSN to get a driver’s license, report it to your Department of Motor Vehicles.
We must be ever more vigilant to protect our personal information. By taking the steps outlined in this article you can reduce your risk of being a victim of identity crime.
Detective Robert E. Harris is manager of the General Investigations Unit in the Office of Consumer Affairs for Virginia. This article is an excerpt from a presentation he made during the ALTA® Tech Forum this past April. The session was so popular, he was asked to make another presentation during ALTA®’s Annual Convention in New York.