There is yet another dark side to the online world: cyber criminals who seek to scam you, spam you, load nasty things onto your computer, steal your identity, and then steal you blind. They can wreak havoc with your bank account, your credit cards, your computer, your credit rating, your sanity—and never even touch you physically, although the financial and emotional damage is very real. We want to emphasize this point. Just because identity theft is not a physical crime against someone, do not underestimate the amount of fear and stress it puts victims under. It is not a victimless crime by any means.
In February of 2008, the U.S. Federal Trade Commission released a report of the top consumer fraud complaints. For the seventh year in a row, identity theft was the number-one consumer complaint category. Of 813,899 total complaints received in 2007, 32% were related to identity theft.
The most common form of identity theft was credit card fraud, a trend we’re seeing in the police department where we work.
A bulk of these fraud cases (64%) happened as a result of an exchange on the Internet. Forty-nine percent of fraudsters used email to contact their eventual prey, and 15% used the web.
What do all these numbers mean to American consumers? Estimates are that losses range from $55.7 billion in 2006 to $49.3 billion in 2007 (Javelin Strategy and Research, January 2007).
Let’s crunch some more numbers. In that same report by Javelin Strategy and Research, it is estimated that there were 8.4 million victims of identity fraud in 2006. That’s equivalent to 23,000 victims each day. Identity theft and fraud continue to be the most prolific and most profitable crimes committed.
When the Federal Trade Commission issued its “2006 Identity Theft Survey Report,” it estimated that over 8 million Americans reported being victims of identity theft in 2005. That would equate to someone’s identity being stolen every 3.5 seconds!
The fact that these numbers are so close, yet from completely different sources, suggests that they are fairly accurate. That means in the time it took you to read this section, someone’s identity was stolen.
Here are some of the realities of financial cyber crime: A credit card number with security code (the validation digits on the back) and expiration date can be purchased online for $7 to $25. Birth certificates can be purchased online for around $150, and a credit card number with its associated PIN can be bought for about $300.
What many people don’t realize is that an entire “underworld” of the Internet exists solely for the purpose of propagating many different types of crimes, from trading sexually explicit images and video of children to trading credit card numbers. Access to such sites is very restricted, often requiring “sponsorship” by an existing member. Members use secret chat rooms where credit card numbers fly back and forth faster than a Ferrari.
Identity fraud usually involves the unauthorized use of credit and debit cards, where there’s no or only limited liability, so long as the unauthorized use is reported.
Identity theft occurs when a person’s information—date of birth, social security number, driver’s license—is stolen and used specifically for the purpose of establishing a new identity and new credit using the victim’s name.
To complicate matters, the FBI collects statistics on crime using “umbrella” categories. Therefore, when police agencies report crime statistics to the FBI’s repository for crime data, the offense of identity theft is reported as “Impersonation,” whereas identity fraud can be reported as either “Fraud” or “Credit Card Offense”. You can see why it’s so difficult to get a real number on these types of crimes.
What we do know is that when it happens, it can set off a chain of events that leave you exhausted and feeling just as violated and vulnerable as if someone had entered your premises.
Until you’ve worked with or become a victim of identity theft, you cannot appreciate the amount of time it takes to recover from this type of crime. Victims must notify just about everyone they interact with—credit card companies, banks, doctor’s offices, schools, and employers—and advise them their identity has been stolen. The paperwork trail is enormous, and every entity has its own version of forms that must be filled out. Police reports must be filed. Credit reporting agencies must be notified, the Social Security Administration must be notified, and so on.
What’s more, new credit cards and social security numbers must be applied for. Copies of reports must be sent. All this takes an arduous effort and a large amount of time. Often victims have to take time off from work, resulting in a loss of wages. Any future attempts at obtaining credit means the whole story has to be dredged up again, and all the paperwork has to be dug back up and re-sent. Many victims still deal with the ramifications of identity theft years after the crime was committed.
Besides the physical labor of having to stay organized and on top of all your accounts, there is often a fear that someone is out there with all your information. He or she knows your name and where you live. The feeling of being violated is very real.
On a plus side, we can say based on our personal experience and research that identity theft rarely leads to actual physical harm. If there’s any comfort to being a victim of a crime, let that be it. Still, this does not remove the sting of emotions—shame, fear, anger—that identity theft victims often feel.
The NCIC (National Crime Information Center) Identity Theft File protects victims of identity theft by confirming that they are, in fact, the victims and not someone who has assumed their identity. Think about it: If someone has stolen your identity, what’s to prevent him from using it if he gets pulled over for speeding or is arrested? Hence the creation of the NCIC Identity Theft File.
Information needed for the file includes a victim’s name, date of birth, social security number, and type of identity theft. A password that is easily remembered is chosen by the victim and entered into the file. If the victim has any interaction with the police in the future, the police have access to the NCIC ID Theft File to confirm the password. This also serves as a red flag that someone might be using an assumed name so that identity can be confirmed.
One of the most frustrating aspects of identity theft is that it can be extremely hard for victims to prove they are innocent. Numerous cases, some of which we will highlight, demonstrate how difficult it is to untangle yourself from identity theft once you become a victim.
Identity theft victims face the added burden of having to prove that they really did not order that new laptop online or run up thousands of dollars in cell phone fees. That’s what makes this crime so frustrating for both victim and law enforcement—it’s like trying to follow two very clear sets of footprints going off from the scene of a crime in totally different directions. Add to that the fact that credit card companies receive so many reports of identity theft a year that they don’t necessarily believe you were, in fact, a victim. Even if you can prove that you are a victim, they still want to get paid, but trying to sort through authorized and unauthorized purchases isn’t always as easy as it seems, and you are still obligated to pay for any authorized purchases even if you dispute 90% of the balance on the account.
It takes a great deal of time to try and point out that right path. It’s as if the victims become revictimized in the process of trying to clear their name. So why let it happen in the first place if you can prevent it?
The most common form of identity theft is credit card fraud. According to the nonprofit Identity Theft Resource Center, identity theft is subdivided into four categories:
• Financial identity theft—Using another’s identity to obtain goods and services
• Criminal identity theft—Posing as another person when apprehended for a crime
• Identity cloning—Using another’s information to assume his or her identity in daily life
• Business/commercial identity theft—Using another’s business name to obtain credit
Another point of frustration for victims is that they often don’t know their information has even been compromised for weeks, sometimes months, due to the significant financial and customer-confidence stigmas for companies to come forward and admit their data has been compromised. However, it is the right thing to do.
In May of 2008, the Staten Island University Hospital in New York became one of the latest organizations to admit that tens of thousands of patients had their data compromised when a hospital desktop computer was stolen from one of its billing offices.
What makes this situation troublesome is that the hospital waited 4 months to notify patients of the breach. The reasoning? Here’s what one hospital spokesperson told the media:
In taking a look at this, could it have been done sooner? I believe perhaps it could have been done sooner.
The spokesperson, Anthony Ferreri, SIUH president and CEO, went on to say that the hospital went through an 8-to-9-week process to identify a credit-monitoring program for all 88,000 patients with the national credit-reporting agency Equifax before it made notification to patients.
“We wanted to make certain we had the best possible vendor with the experience in the particular area who could protect the credit and the information of those who were affected,” Ferreri said.
These kinds of delays substantially increase the chances that victims will have their identities stolen and compromised. We understand the public relations debacle this kind of breach incurs, but the victims deserve to be notified in a timely manner above the rights of the companies to save face.
Incidentally, this is not the only time data has been stolen from an organization. Laptop thefts are on the rise. Thumb drives can contain volumes of data. iPods and MP3 devices can store thousands of documents. Data is very portable these days, and we understand that despite best efforts, things can get lost. However, companies need to consider the ramifications of losing data and they must establish policies accordingly.
Why is this so difficult to do? That’s easy—we are a mobile society that wants to be able to work anywhere, anytime.
The two most important things you can do to prevent identity theft and the loss of your credit are fairly easy and simple: Monitor your bank and credit card accounts and monitor your credit reports.
In this day and age, almost every bank and credit card company allows you to monitor your account information online. Do it! You should be checking your accounts on a monthly, if not weekly, basis to make sure there are no transactions you do not recognize. If there are, contact the bank immediately. Compare your monthly statements to your receipts and make sure they match. Visiting your bank online is safe as long as you know exactly where you’re going, which is why we recommend that instead of clicking a hyperlink, type in the bank’s URL (Internet address) in the Location tab. Do not ever go to your bank or credit card website from a link in an email because you may be going to a fake site. Start another Internet session and type in www.nameofbank.com yourself to make absolutely sure you are really at the bank’s site. (See more on this in Chapter 11, “Phishing, Pharming, Spam, and Scams.”) Check your accounts often so you see any discrepancies immediately.
Get Your Free Annual Credit Report (annualcreditreport.com)
Memorize this web address: www.annualcreditreport.com. Better yet, bookmark it. Most states participate with this site to allow consumers free access to the three major credit-reporting agencies: Equifax, Experian, and TransUnion.
Prior to joining law enforcement, Felicia spent many years in the consumer credit industry. She remembers the days when credit reports were run on punch cards, then ticker tape. Many times when viewing credit reports of consumers, she was the first one to inform them of a delinquency or discrepancy. The reports were not as readily available to consumers as they are now. They are an important weapon in your online safety arsenal. Make use of them.
If you qualify (based on which state you live in), you are entitled to a free copy of your credit report each year. By staggering your requests and getting only one report from a single credit bureau at a time, you can actually see your credit report once every 4 months (once from each credit bureau per year). This is an extremely important technique in preventing identity theft.
Note that a variety of “free” credit report websites are out there. However, this is the only “official” site set up by the three major credit-reporting companies. Many others will claim to be free but dupe you into purchasing other services. Stick with www.annualcreditreport.com, but make sure you download the report and read it!
Read your credit report thoroughly. Familiarize yourself with all the accounts listed so you can easily recognize any future discrepancies.
Notify the credit-reporting agencies immediately if you see any discrepancies in your credit report. These companies are a central repository for all the financial institutions that report to them, and their reputations rely on their information being accurate. Notify them immediately if you see an account (open or closed) on your credit report that you do not recognize. Someone may be attempting to commit identity theft in your name. The credit agencies are obligated to investigate any discrepancies you report to them.
Verify that your address information is correct. Identity thieves will often take out different addresses or use a P.O. box to have credit cards sent to them.
If you suspect identity theft, you have the right to ask that a “fraud alert” be placed in your file to let potential creditors and others know that you may be a victim. A fraud alert can make it more difficult for someone to get credit in your name because it tells creditors to follow certain procedures to protect you. It also may delay your ability to obtain credit, but this is a fair tradeoff to make sure someone else does not seek credit in your name.
You only need to request a fraud alert from one credit reporting agency. That company is then obligated to notify the others. (The contact information for these credit agencies is listed under “Resources” at the end of this chapter.)
There are different kinds of fraud alerts. An initial fraud alert stays in your file for at least 90 days. You must call to extend it if you need it beyond the 90-day period. An extended alert stays in your file for 7 years and requires a police report for documentation.
Be aware that although some identity thieves will sell stolen information immediately, many will warehouse it because they are well aware of this 90-day window. Newly stolen data is considered risky in the underworld of identity thieves, but thieves are still willing to chance getting caught by attempting to sell it.
We want our readers to understand that we come at this topic from all angles—as professionals, as law enforcement, as women, and, unfortunately, even as “victims”.
When we make recommendations, it’s because of all the cases we’ve seen that either could have prevented or could have been worse, or the recommendations come from our own personal experiences. In this case, Felicia became the victim of identity theft and there was little she could have done to prevent it.
Felicia was rather surprised to arrive home to find a collection call on her answering machine. Knowing that she had no outstanding bills, she immediately went online and pulled up her credit report. By staggering the reports, as recommended earlier in this chapter, she was able to see one right away. It was during this review of her credit report that she noticed an account for a cell phone taken out just a few months prior.
Felicia knew the account was bogus and immediately contacted the credit-reporting agency and assured them this was not her account. She followed this up with a letter in writing.
By stating in writing that an account is not yours, the credit reporting agency is obligated to investigate your claim. In this case, someone had taken out a cell phone account in New York under Felicia’s name. The cell phone company was contacted, the account was immediately closed, and the negative information was removed from Felicia’s credit report.
Felicia continues to carefully monitor her credit report knowing that she was, in this instance, very lucky. Millions of people have been through the nightmare of identity theft, with thousands of dollars being sucked out of their personal bank accounts and their credit being ruined—not to mention the exhaustive and lengthy effort it takes to correct everything.
The Federal Trade Commission estimated that in 2006, 5% of identity theft complaints came from people younger than 18. That’s over 500,000 child victims a year. Identity thieves are notorious for grabbing the social security numbers of children and opening up accounts because they are often overlooked and easy to hijack. If you have children, also request a copy of their credit records through www.annualcreditreport.com, and check your children’s history using their social security numbers. Identity thieves love to open accounts under children’s names because the crime can go undetected for years.
One interesting note on this topic is that it is estimated that more than half the cases of identity theft of a minor are perpetrated by a relative (see Identity Theft Resource Center at www.idtheftcenter.org).
Most schools require your child’s social security number (SSN). It would be hard to not provide this information, particularly because many programs, such as Special Education, require a child’s SSN in order to receive service. However, this does not mean the school’s football team has to have it. The point here is to always challenge why an SSN is being required and to ask where that information is being shared. We are not aware of any students who were refused a public education, which is required by law, for not providing an SSN.
Even if schools have strict privacy policies, which most do, your child’s information is being entered into some sort of database, which can be further compromised. Databases containing any personal information are a treasure trove to identity thieves, who can often acquire millions of pieces of data at a time.
Have a conversation with your children about the importance of not giving out personal information, including their social security number. Explain to your teenagers that they are likely to be required to provide their SSN on an employment application because of standard pre-employment credit screenings and the need to report their income to the IRS, if hired, but that they should safeguard their personal information, including their driver’s license and debit cards, always.
The following tips don’t take a lot of time, but they can save a tremendous amount of time in the long run by reducing your risk of becoming an Identity Theft victim:
• Make at least two copies of all your credit cards, your driver’s license, your social security card, your insurance card, and any other cards you carry in your wallet. Make copies of both the front and back of each card. Store one copy at home and one copy somewhere safe outside the home. This will give you quick access to all your account numbers as well as the 800-numbers you may have to call should your purse be lost or stolen. This 5-minute task can save you hours of agony in trying to recall everything you had in your wallet.
• Don’t forget other “minor” forms of ID, such as library cards and supermarket discount cards. Make front and back copies of everything and notify everyone because something as innocuous as a library card could be presented as a form of ID to request another form of ID.
• Going on vacation? Take the copies you made of the fronts and backs of your credit cards and other IDs and stick them somewhere in your luggage away from your wallet. Better yet, record all the info and put it in a file on a USB stick and hide it in your luggage. Remember that you are more vulnerable when traveling, so have the info, including the 800-numbers, readily available so you can get your cards quickly replaced. On that note, if you’re traveling internationally, there’s often a separate 800-number. Keep all this information in a safe place, but not in your wallet.
• Even if you think you may have just misplaced a card, notify the card holder immediately. Thieves will use stolen cards within minutes. Credit card companies have the ability to freeze your account to prevent fraudulent transactions almost immediately. We cannot tell you how many times police departments are notified of fraudulent activity by stores at the same time the victim is still looking around for their misplaced card. Don’t take a chance. It is a lot easier to get a new credit card mailed out than it is to try and correct your credit because of credit card theft or identity theft. Notify the credit card company first, immediately, and then the police if the credit card company advises you of recent activity.
• Tear up or, better yet, shred those preapproved credit card offers that come in the mail. Someone could easily take them and apply for credit in your name. Some towns are even sponsoring “Shred Days,” where citizens can bring sensitive documents to locations with certified commercial shredding trucks.
• Don’t put mail in your mailbox to be picked up if you can avoid it. Those raised flags indicating that there’s outgoing mail are a treasure trove for identity thieves who want to grab bills with account information and copies of your personal checks. Better to drop off the mail in the blue U.S. Mail collection boxes or take it to a post office.
• Make sure if you are moving that you stop your mail several days prior to the move. Do not chance mail being sent to a vacant house.
• One more reason to not put up that mailbox flag—mail theft is rampant these days. Identity thieves have a technique for “washing” checks you wrote out to pay your utility bills using acetone (nail polish remover) to remove the ink. They then use the blank check for wherever they want! Thieves know that a gel-based pen such as a Uni-ball is not washable, so they will first trace over your signature first with a gel-based pen, then wash the check in acetone. This keeps the signature intact, but blanks out the amount of the check. It is highly recommended that you fill out the entire check, including who it is to and the amount, using a gel-based pen rather than a ball-point pen.
• Opt out of the preapproved credit card solicitations. Call 888-5-OPTOUT or go to www.optoutprescreen.com.
• Be alert to bills you normally expect that are not coming. A frequent trick of identity thieves is to issue a change of address on an account.
• Have you ever been checking out at the register when the clerk asks for your phone number? Politely decline! All legitimate businesses expect customers to opt out of this request and have a means of bypassing it. All you’re doing by providing your home phone number is allowing a marketing company to aggregate that much more information about your personal buying habits—thereby making it easier for you to become a target of unwanted solicitations and even scams.
• No matter what the circumstance, if you are asked for your SSN, challenge it! Ask why the information is needed and what the ramifications will be if you don’t provide it.
Although identity theft is a cyber crime, it often begins the old-fashioned way—with someone picking through your trash or stealing from your mailbox. To that end, you should always try to shred any documents that contain any personal account information, receipts that have your credit card number, offers for new credit cards, and so on. Remember that thieves are clever and will use any “shred” (pardon the pun) of your identity to build a new one. That includes your address, your phone number, your date of birth—all of which can be gleaned from many ordinary documents you might not even think need to be shredded, such as a medical bill or a drug receipt. Think like a thief and don’t give them any ammunition! Shred everything.
And remember, if you’re an avid gardener, you can always use that shredded paper as mulch for your plants.
Many different models of shredders are available on the market, but the two most commonly purchased and widely available are the “strip-cut” shredder, which cuts the paper one way into strips, and the “cross-cut” or “confetti” shredder, which uses two contra-rotating drums to cut rectangular, parallelogram, or diamond-shaped shreds. The cross-cut shredder is usually more expensive, but worth the extra investment. The items shredded in a strip-cut shredder are much too easy to stitch back together.
We have seen the output of a strip-cut shredder that basically cuts right in between the space between the text, meaning the text was still completely readable. Make sure that if you opt for a strip-cut shredder that it cuts close enough to render the text unreadable. For added safety, make sure your shredder can shred plastic, including credit cards and CDs that may contain personal information. In other words, the purchase of a shredder is not the place to “cut corners”.
Also, commercial shredding services are available for high-volume operations. Many municipalities and medical facilities use commercial shredding services due to the confidential nature of the paperwork.
When a thief gets hold of a credit card number, the stakes are pretty high that the card could have already been reported stolen. How can the thief test whether or not the account number is good without risking getting arrested? By using the credit card number to make a donation to an online nonprofit agency. Think about it—they don’t get any merchandise delivered, so there’s no trail of delivery; they don’t have to appear anywhere in person and risk arrest, and they can test how much they can charge without sending up a red flag. Unfortunately, it’s the nonprofit organization that gets whacked, not only with a fraudulent donation but then any associated costs with having to try to sort out the dummy donation.
Given how prolific identity theft is, chances are that you or someone you know may become a victim. When that happens, there are steps you can take immediately that will limit your liability. Here are some suggestions you may not have considered:
• Notify your credit card companies immediately. They can issue a stop on an account within minutes to prevent any further fraudulent charges.
• Gather all the documentation you have showing the charges and print everything out.
• Save the screens showing the fraudulent charges if you can. You can save a web page in Internet Explorer by using the File, Save As menu command and giving the page a filename just like you would a document. You can then call that file back up if you need it later on.
• Notify the police. Identity theft is a crime, and although the police may or may not be able to solve the crime, you may need the documentation to prove you were a victim if someone commits more crimes with your identity. File the report for your own future safety.
• Don’t forget to notify the Social Security Administration (www.ssa.gov) and your local Department of Motor Vehicles. You might also want to notify your local postal service because often identity theft involves mail—either bills are sent for accounts you didn’t open or your outgoing bills are stolen to obtain your account information.
• Report the incident to the Internet Crime Complaint Center (www.ic3.gov). This helps in identifying trends and gives law enforcement much needed information. This site has a wealth of resources to help you recover from the crime (see Figure 5.1).
Figure 5.1 The Internet Crime Complaint Center (IC3) is a partnership between the FBI and the National White Collar Crime Center (NW3C). Online reports of cyber crime are accepted at www.ic3.gov.
One of the most interesting features of IC3 is somewhat buried on the site, but well worth the look. IC3 collects statistics for each state, including how it ranks compared to other states. To access this, at the top of the screen, select Press Room and then select Annual Reports along the right side of the resulting page. Alternatively, you could Google “IC3” and “annual reports”. There are no major surprises in the top three complainant states: California, followed by Florida and New York.
Every day more and more companies offer commercial identity theft protection for consumers—often for a price around $10 to $15 a month. The following list of companies is for research purposes only. We are not endorsing any product.
Do your own research before handing over your money. Some “identity theft protection programs” have recently come under scrutiny as a possible source of identity theft, so be careful and Google any company and research it prior to signing up.
• Identity Guard (www.identityguard.com)
• Trusted ID (www.trustedid.com)
• LoudSiren (www.loudsiren.com)
• NameSafe (www.namesafe.com)
More information about these different services can be found at Next Advisor (www.nextadvisor.com).
One such company, LifeLock, out of Tempe, Arizona, made its claim to fame when its CEO, Todd Davis, advertised his own social security number on the company’s website, claiming that his firm could “protect my good name and personal information—just like it will yours”. Unfortunately, it didn’t. Davis’s social security number was used successfully to apply for a loan, and over a hundred LifeLock members (of the supposed one million subscribers) have had their identities stolen while they were enrolled in the program.
Just recently, Experian, the credit-reporting company, sued LifeLock contending that LifeLock’s advertising is misleading and that LifeLock’s primary method of prevention—placing continuous fraud alerts on consumers’ credit files—is illegal. To be fair, and we always try to be fair, there are a million of satisfied LifeLock customers who are quite willing to pay the $10-a-month fee for the protection it affords.
Our point is that your best bet is to be educated in ways to prevent identity theft before it happens—and that’s free!
In May of 2008, Kentucky Attorney General Jack Conway announced the formation of a specialized cyber crime unit to combat, among many things, identity theft.
In June of 2008, Attorney General Conway revealed that when he went to buy music on iTunes, the company refused his credit card and informed him it did not match the ZIP Code on record.
Not only had thieves stolen his credit card information, they charged thousands of dollars on it for computers, phone services, and postage. The thieves changed the Attorney General’s mailing address. That hurts. Felicia won’t ever complain about being duped for a phony cell phone account again.