5. Identity Theft
“Sometimes you need to get hit in the head to realize that you’re in a fight.”
—MICHAEL JORDAN
Imagine that one day you wake up and find that someone has opened a credit card in your name and charged $10,000 to it. Or used your health insurance. Or maybe drained your bank account, hacked into your email and sent spam to everyone in your address book, and removed all your files in iCloud. Identity theft is a waking nightmare—and it becomes a real horror movie when you realize that some dude, somewhere, knows where you live.
Identity theft occurs when someone steals your personal information and uses it without your permission. They do this by collecting pieces of information about you from different sources and putting it together, like a dossier. Identity theft is a serious crime that can wreak havoc on your finances, credit history, and reputation, and it can take time, money, and patience to resolve. Once identity thieves have your personal information, they can drain your bank account, run up charges on your credit cards, open new utility accounts, get medical treatment on your health insurance . . . Basically, they can do anything you could do.
In this chapter, I’ll show you how to deal with identity theft if it happens—specifically, how to quickly limit the damage and recover your life—and how to prevent it from happening in the first place.
Identity thieves are thinking about how to steal identities all the time, and they typically automate the technical parts, like sending out phishing emails. American and Eastern European crime syndicates are behind a lot of the world’s identity theft, but there are a lot of small-time identity thieves, too. These small-timers use illicit software programs, but they also go through your garbage at home, survey your workplace, and haunt the town dump. They may work—or pretend to work—for legitimate companies, medical clinics, pharmacies, or government agencies and use that cover to convince you to reveal personal information. Some thieves contact you by email or phone, pretending to represent an institution you trust, and try to trick you into revealing personal information.
The good news is that more and more companies are aware of the problem of identity theft. Unlike the women who had to deal with this issue 10 years ago, at least you won’t need to teach everyone you meet what the hell identity theft even is.
SIGNS OF IDENTITY THEFT
If you are a victim of identity theft, you will likely find out about it the hard way: you might get a letter from the IRS saying you have a tax problem, your credit card might max out when you haven’t been using it much, or you may find that your bank account is empty the next time you write a check or try to use your debit card. Here are some things to look out for:
• Your credit card suddenly stops working or has weird charges.
• You can’t withdraw your money from an ATM.
• Your bank statement shows withdrawals that aren’t yours.
• You stop getting your bills or other important mail.
• A company or store tells you that your information has been compromised in a data breach.
• You receive emails about financial, medical, or shopping accounts you didn’t set up.
• Your bank, credit card, or other financial service notifies you of a password reset that you didn’t initiate.
• Your checks bounce, or a store suddenly won’t take them.
• Debt collectors call you about debts that aren’t yours.
• You find unfamiliar accounts or charges on your credit report.
• Doctors bill you for services you didn’t use.
• Your health insurance tells you that you’ve reached your benefits limit, but you know you haven’t.
• A health plan won’t cover you because your medical records show a condition you don’t have.
• The IRS tells you that multiple tax returns were filed in your name or that you owe taxes on income from a job you don’t have.
Even if none of these signs is apparent, you should always be on alert. Keep an eye on your bank and other account statements for unusual activity. If you suspect that your wallet, Social Security card, or other personal or financial information has been lost or stolen, act immediately.
RUN, DON’T WALK
If you suspect identity theft, take action immediately. Here’s what you need to do:
• Freeze all compromised accounts.
• Place a fraud alert on your credit.
• Order your credit reports and note anything that is incorrect.
• Create an Identity Theft Report with the FTC (you’ll need this to fix your credit reports and to dispute charges).
• Use your credit reports and your Identity Theft Report to fix your credit reports and get information about the thief.
• Call the appropriate authorities (like the IRS if your Social Security number has been compromised).
• Alert businesses involved in fraudulent charges.
Place a Fraud Alert
Placing a fraud alert is free, and it means that if the identity thief tries to open accounts in your name, the credit companies will call you. To place a fraud alert, call one of the three credit bureaus: Equifax, 1.800.525.6285; Experian, 1.888.397.3742; or TransUnion, 1.800.680.7289. (You only need to call one, because each is required to contact the others for you, but be sure to confirm that they will do so.) Tell the person on the phone that you are the victim of identity theft.
Mark your calendar for 90 days after the day you place a fraud alert. The alert lasts for 90 days, and you should renew it at least once.
Order Free Credit Reports
Once you’ve placed a fraud alert, you should be able to order free credit reports from the credit bureaus. Ask each company to show only the last four digits of your Social Security number on your report. When the reports come and you review them, check everything. You may well find unauthorized charges or accounts you didn’t create.
File an Identity Theft Report
You’ll find instructions for filing an Identity Theft Report on the FTC’s website http://consumer.ftc.gov/, but you’ll probably have to file the report at http://ftccomplaintassistant.gov/. Click Identity Theft, and then click the link that applies to you, such as Identity Theft: I am a victim of identity theft. Someone has used my personal information.
If you need help filing an Identity Theft Report, call the FTC at 1.877.IDTHEFT (1.877.438.4338). They should be able to answer your questions and connect you with the right law enforcement agencies. If the person who handles your call can’t help you, hang up and try again. Maybe the next person can help. (This is a government agency after all.)
Contact the IRS
If you think someone has used your Social Security number to get a tax refund or land a job, or if you receive a notice from the IRS indicating a problem, contact the IRS Identity Protection Specialized Unit (1.800.908.4490). You should also submit IRS Form 14039, ID Theft Affidavit (http://irs.gov/pub/irs-pdf/f14039.pdf). Finally, alert the Social Security Administration fraud hotline at 1.800.269.0271.
Alert Businesses
If you know which accounts the thief has used, contact each affected business and jot down whom you contacted, when you contacted them, and the outcome of each contact. Speak with someone in the fraud department, and then follow up in writing, making sure to send correspondence by certified mail with a return receipt. And as you contact these businesses, request copies of any documents the identity thief used to open a new account or make charges in your name. According to the FTC website, “The business must send you free copies of the records within 30 days of getting your request. For example, if you dispute a debt on a credit card account you did not open, ask for a copy of the application and applicant’s signature.”
DON’T LET IT HAPPEN TO YOU
Identity theft can wreak havoc in your life, and not knowing who has your personal information or what they’re doing with it can be really scary.
Sometimes when your identity is used without your consent, it will feel like your life has been violated. It has. If you’re feeling scared, angry, confused, and overwhelmed, Chapter 4 offers tips on how to cope. But here are some tips to prevent identity theft from happening in the first place.
Prevent Identity Theft
These are some simple measures you can take to reduce the risk of your identity being stolen:
• Prevention tip #1: The minute you find out that a site or company you use has been hacked, change all passwords and information associated with your account, even if the hacked company tells you you’re safe. Companies often don’t inform the public of a security breach for a long time, and they often don’t fully understand how badly they were hacked. And they lie.
• Prevention tip #2: Remove as much information as possible from people-finder websites: they’re a gold mine for identity thieves and stalkers. Chapter 7 will tell you how.
• Prevention tip #3: Be stingy with personal information like your phone number, address, and everything in the red and yellow lists in Chapter 2.
• Prevention tip #4: Make sure that people aren’t looking over your shoulder, or shoulder surfing, when you’re on your phone or computer.
• Prevention tip #5: Don’t let information used for security questions get out in the open. This includes things such as your pet’s name, your mother’s maiden name, your first car’s model, the city you were born in, and so on.
Identity thieves don’t like to work too hard, and it’s often said that online criminals typically go after the low-hanging fruit (meaning the easiest things they can grab). Following these prevention tips will keep you safely out of reach.
Avoid Phishing Attacks
Phishing is a technique that criminals often use to attempt to steal your identity by tricking you into thinking that an email, SMS, or even a phone call is from an organization or company that you trust. Their goal is to dupe you into disclosing your personal information or login credentials when you connect to what appears to be a legitimate website or data collection form. Sometimes these sites or forms look surprisingly legitimate—like Facebook or Twitter; other times they’re laughably bad. Some fake sites even display official-looking federal law enforcement symbols claiming to be, for example, the Federal Internet Enforcement Administration, and make bizarre threats designed to scare you into clicking their links or entering information!
To reduce your chances of becoming a phishing statistic, don’t open files, click links, or download programs sent to you by strangers. For that matter, since a friend’s email account may have been compromised, be wary when opening any attachment or clicking any link that you’re not expecting or that just doesn’t seem right. With malware attacks becoming increasingly sophisticated, almost any file you open—even an image file—could contaminate your computer with malicious software. Therefore, it’s a good idea to make sure your email is set up to only display images from email addresses you have approved.
Security researcher Georgia Weidman writes:
If you didn’t order it and aren’t expecting it, then you can be 99.9% sure it is a phishing attack. You can always contest any charges to your credit card if and when they show up. Ignore it. If you aren’t the type of person who can ignore it, go to the company’s website not by clicking a link but by typing in the web address you know and trust for that company.*
And let’s not forget text messages sent to your phone. But it’s just text, right? How can a text message compromise your phone? Clicking a link sent in a text can open a link in your mobile browser, which in turn can install password-stealing malware on your phone just as it might on your computer. Mobile browsers are no more immune to phishing attacks than your desktop browser is.
So if you get a text message that says you’ve won a $100 gift card to some store and you need to click a handy link to log in to claim your prize, don’t do it. Once it’s on your phone, the app can get access to any sensitive data stored on your phone, or it might run malicious code to get additional access. Bottom line: always question the source of incoming messages that invite you to respond.
If Your Phone or Computer Is Stolen
The theft of a phone, tablet, or computer—or even just misplacing a device—puts your private information at risk, even if the device is protected by a password. When this happens, the first thing to do is change your passwords for the accounts that are connected to that piece of hardware. Use a friend’s phone or computer if necessary, and get to work ASAP.
You don’t necessarily have to change all of your key passwords, though. Think back to when you last used the device, and try to remember if you might have been logged in to your email, Facebook, Twitter app, or a shopping website (like Amazon). Make a list, change the passwords for these accounts immediately, and alert any credit card companies or other payment options (like PayPal) that might be connected to those accounts.
Install an Antitheft Tracking App
Unless your device is password protected or encrypted, or has an antitheft tracking app installed that lets you wipe or lock your device remotely, a thief may have access to everything you left open.
Tracking and antitheft apps allow you to track your devices remotely through an account on the app’s website, and they give you a range of settings to activate when the device is lost or stolen. There are plenty of apps available to download, so choose the one that best suits you. Apple and Google both have their own antitheft apps, but others are available, too—check out Lookout, Kaspersky, McAfee, AVG, Where’s My Droid, and Prey.
Prey is a great example of a tracking and antitheft app. It’s free to download and super easy to set up. All good antitheft apps should allow you to activate them remotely and send you your device’s location when it’s not with you. The app should also offer a way to camouflage itself so a thief won’t know it’s an antitheft app. Prey disguises itself as a game, for example. You should have the option to remotely lock and wipe your device and have it ring, vibrate, or sound a siren on command, and you should be able to control these features easily by sending a text or by messaging the device through a web interface.
Your app should also be able to take photos from the device’s camera and upload them to your online account so you’ll not only be able to see where your laptop or phone is but who has it. Then you can give this information to the police.
Permanently Delete Information from Your Device
Computers, tablets, and phablets can all hold your personal and financial information, including your passwords, account numbers, addresses and phone numbers, contacts’ addresses and phone numbers, medical information, tax returns, receipts, files left behind by browsers and operating systems, and much more. While all of that stuff is easy to save, it’s tricky to make disappear, and sometimes that’s exactly what you need to do. For instance, you might be selling your old laptop, upgrading your phone, or loaning a device out, and you want to make sure everything sensitive, like financial files, is wiped.
Unfortunately, even when you think you’ve deleted a file, it’s not necessarily gone—bits and pieces of it remain on your computer, and they can often be retrieved with a data-recovery program. To remove data from a hard drive or your internal device memory permanently, you have to wipe it.
You’ll find software tools to wipe hard drives online and wherever computers are sold. These programs are generally inexpensive, and some are even free. Some will erase the entire disk or drive, while others will allow you to select which files or folders to erase. Some overwrite or wipe the hard drive many times (the more wipes, the better), while others overwrite it only once.
Before you clean a drive, phablet, or phone memory, save any files you want to keep either online (to a service like Dropbox) or to an external hard drive or flash drive. Then use a program like Blancco (http://dban.org/) to wipe or overwrite the drive or the memory on your phone. If you’re cleaning a phone, the phone should offer its own way to wipe or reset it, but don’t forget to wipe the SD card too (or remove it entirely). And if you’re wiping a phone, thoroughly check to make sure that your email, texts, photos, and personal files are really gone.
Finally, remove the SIM card, which might store your contacts, and the SD card, which contains files like your photos. Now your device is really wiped clean.