Identity Theft Overview: Part I — Explanation of the Crime

November 2003

The nightmare of identity theft

"It could never happen to me," you tell yourself. Shortly thereafter, the phone rings. It's a collection agency, rudely demanding that you pay your past-due bill for the home theater system you recently purchased. There's only one catch: You don't own a home theater system.

 

The next day, a collection notice arrives in your mailbox for unpaid taxes on a home whose deed is in your name — although the home is in a state you've never even visited. The supermarket begins refusing your checks, citing your history of bouncing them — yet you know you've never bounced a check. Your credit report now shows a history of late payments, though you've always prided yourself on paying your bills on time. Panicked, you wonder if it has happened to you — and what you might have done to cause it.

Before you start blaming yourself, note these three simple facts:

• Identity theft can affect anyone, regardless of age, gender, economic status, or race.
• Identity theft is the fastest growing crime in America — an increase fueled, in part, by the involvement of organized crime.
• Almost 10 million Americans were victimized by identity theft last year — an increase of 41 percent over the year before — at a cost to the U.S. economy of nearly $53 billion.

Once thieves have stolen a Social Security number (SSN) or driver's license number, they strike quickly. The average theft is $17,000 and may be a done deal in less than two days. Often, the perpetrators have moved on to the next target before anyone even notices the crime has occurred.

In the end, victims usually aren't saddled with paying their imposters' bills. What they do get stuck with is the arduous task of clearing their credit reports, correcting their financial status, and regaining control of their identity. As they negotiate this maze, they may have problems obtaining new credit, procuring personal loans, renting an apartment, and even getting hired. Victims of identity theft often find that the authorities are overwhelmed and unable to render tangible assistance, as victims try to untangle the web of deception that has allowed another person to impersonate them.

 

What is identity theft?

There are two primary classes of economic crime related to identity theft:

• Account takeover occurs when a thief acquires a person's existing credit account information and uses the existing account to purchase products and services. Victims usually learn of account takeover when they receive their monthly account statement.
   
• In true identity theft or application fraud (often called true name fraud by experts), a thief uses another person's SSN and other identifying information to fraudulently open new accounts and obtain financial gain. Victims may be unaware of application fraud for an extended period of time — which can allow the thief to continue the ruse for months, even years.

 

What methods do identity thieves employ?

Stealing wallets and purses was once the most common way of obtaining SSNs, driver's licenses, credit card numbers, and other identifying information. Today, identity thieves attack virtually every area of an individual's life — wherever personal information is stored or sent. Among the currently favored methods:

• "Dumpster diving" in trash bins for credit card statements, loan applications, and other documents containing names, addresses, account information, and Social Security numbers
• Stealing mail from unlocked mailboxes to get pre-approved credit offers and newly issued credit cards, utility bills, bank and credit card statements, investment reports, insurance statements, benefits documents, or tax information
• Fraudulently accessing credit files by posing as a loan officer, employer, or landlord
• Getting names, addresses, birthdates, and SSNs from personnel or customer files in the workplace
• "Shoulder surfing" at ATM machines and phone booths to capture PIN numbers
• Culling personal data from online sources, such as public records and fee-based information sites

 

How can you reduce the risk of identity theft?

Unfortunately, established personal habits and lax credit industry practices make it relatively easy for criminals to commit identity theft. Nonetheless, you can reduce your risk considerably. The three most important things you can do are:

• Scrutinize your credit report at least twice a year.
• Sign up for a credit monitoring service.
• Periodically check other personal records, such as your DMV file.

That said, every potential target of identity theft — and that means anyone with a credit card, a bank account, a driver's license, or a Social Security number — should minimize his or her risk by following the five steps described below.
For anyone who doesn't know you personally, face to face, your personal information is the key to proving that you really are who you say you are. This makes it immensely valuable — and not just to you. Here are the pieces of personally identifying data that identity thieves covet most:

• Your Social Security number (SSN)
• Your driver's license
• Your credit card information
• Your bank account information
• Your mother's maiden name
• Your home address and phone numbers
• Any other information that helps an imposter pretend to be you

Your Social Security number, in particular, is the key to your credit card and bank accounts and, therefore, a prime target for criminals. Release your SSN only when absolutely necessary — for tax forms, employment records, bank statements, stock and property transactions, and so on. Do not carry your Social Security card in your wallet except in situations where it's truly required, such as your first day on a new job. Avoid carrying wallet cards that display your SSN — health insurance cards being the most notable example — except when necessary to receive care. Avoid providing your SSN on job applications if at all possible.

Don't have your SSN (or your driver's license number, for that matter) printed on your checks, and don't allow merchants to add your SSN to your checks by hand. (There's no law against this, so you may need to be assertive.) If a business requests your SSN, ask if there's an alternative number that can be used instead. Speak to a manager or supervisor if your request is not honored, and ask to see the company's written policy on SSNs. If necessary, take your business elsewhere.

If a government agency requests your SSN, look for a Privacy Act notice. This will tell you if your SSN is required, what will be done with it, and what happens if you refuse to provide it.

In the wrong hands, your home address can create two specific vulnerabilities: mail theft and burglaries that target your personal information. As for your mother's maiden name, people still accept it as proof of identity, so do your best to protect it. Never use it as a password yourself.

Here's a checklist of specific areas where you can make your personal information less vulnerable:

Your wallet or purse. Don't carry your Social Security card, birth certificate, passport, or extra credit cards in your wallet or purse, except when it's truly necessary. At work, store your wallet or purse in a safe place. Whenever possible, avoid carrying other cards that include your SSN, birthdate, home address, or other personal information.

Credit cards. Minimize the number of credit cards you actively use, and carry only one or two in your wallet. Consider canceling unused accounts — even though you don't use them, their account numbers are recorded in your credit report, providing a tempting target for identity thieves. (Be aware, however, that reducing the number of credit card accounts you have might lower your credit score — since that score is based, in part, on having credit cards and installment loans and making timely payments.)

Keep a list or photocopies of all your credit cards, as well as bank accounts and investments, in a secure place (not in your wallet or purse). Include account numbers, expiration dates, and telephone numbers for customer service and fraud departments, so you can contact them quickly if your credit cards are stolen or your accounts are being used fraudulently.

Never permit your credit card number to be handwritten on your checks. It's a violation of the law in many states to do so — and, legal or not, it puts you at risk for fraud. Watch the mail when you expect a new or reissued credit card to arrive, and contact the issuer if the card doesn't show up within two weeks.

Checks. When ordering new checks, pick them up at the bank instead of having them mailed to your home. If you have a post office box, put that address on your checks rather than your home address, so thieves won't know where you live. When you pay bills, don't leave the envelopes containing your checks where they might be stolen; in particular, don't leave them at your mailbox for the postal carrier to pick up or in open boxes at the receptionist's desk in your workplace. If stolen, your checks can be altered and cashed by an imposter. It's also best to mail bills and other sensitive items at the drop boxes inside the post office rather than using neighborhood drop boxes. Store canceled checks in a safe place. In the wrong hands, they can reveal a lot — frequently including your account number, your phone number, and your driver's license number.

Passwords and PINs. When creating passwords and PINs (personal identification numbers), do not use the last four digits of your Social Security number, your mother's maiden name, your birth date, your middle name, your pet's name, consecutive numbers, or anything else that could easily be discovered or guessed by thieves. It's best to create passwords that combine letters and numbers, and to change passwords on a regular schedule.

Demand that your financial institutions adequately safeguard your data. Discourage your bank from using the last four digits of the SSN as the default PIN they assign to customers. If you've been given the last four SSN digits as a default PIN, change it immediately. You should also ask your financial institutions to add extra security protection to your account. Most will allow you to use an additional code or password (a number or word) when accessing your account. Memorize all your passwords, and don't record them on anything you carry in your wallet or purse. And shield your hand when using a bank ATM machine or making long distance phone calls with your phone card. "Shoulder surfers" may be nearby with binoculars or video camera.

Password-protect files on your computer that contain sensitive personal data, such as financial account information. Create passwords that combine six to eight numbers and letters, upper and lower case.

Marketing lists. Remove your name from the marketing lists of the three credit reporting bureaus — Equifax, Experian and Trans Union — by calling (888) 5-OPTOUT. This will limit the number of pre-approved credit offers you receive. When tossed into the garbage, such offers are a gold mine for identity thieves, who can use them to order credit cards in your name. Add your name to the National Do Not Call Registry. Sign up for the Direct Marketing Association's Mail Preference and Telephone Preference services, which will add your name to name deletion lists used by nationwide marketers. Register for your state's "do not call" list, if it has one. And say no to the sharing of your financial information when given the opportunity by your bank, credit card companies, insurance companies, and investment firms.

Postal mail. To deter mail theft, install a locked mailbox at your residence, or use a post office box or a commercial mailbox service. During extended absences, have mail held at the post office or ask a trusted neighbor to pick it up.

Email and web sites. When shopping online, do business with companies that provide transaction security protection, and that have strong privacy and security policies. When paying with credit cards on the Internet, be sure the company uses secure transmission and storage methods. Avoid opening spam and other email from unknown sources — it may contain viruses or other programs that will make your computer vulnerable to intrusion by hackers.

Telephone calls. Never give out your SSN, credit card number, or other personal information over the phone, by mail, or on the Internet unless you have a trusted business relationship with the company and you have initiated the call. Identity thieves have been known to call victims with a scam that goes something like this: "Today is your lucky day! You've been chosen by the Publishers Consolidated Sweepstakes to receive a free trip to the Bahamas. All we need is your Social Security number, credit card number, and expiration date to verify you as the lucky winner." In reality, the only "winner" in this contest is the criminal perpetrating the scam.

Document storage. Store personal information securely in your home — especially if you have roommates, employ outside help, or have service work done in your home. Install a firewall on your home computer to keep hackers from stealing personal and financial data from your hard drive. This is especially important if you connect to the Internet by DSL or cable modem. Install virus protection software — and keep it updated — to prevent a worm or a virus from causing your computer to send out files or other stored information.

Data encryption. Whenever possible, data that you send or store in digital form should be encrypted.

Document destruction. Trash is a prime target for identity thieves. For instance, you should never toss pre-approved credit offers in your trash or recycling bin without first tearing them into small pieces or shredding them; they can be used by "dumpster divers" to order credit cards in your name and have the cards mailed to their own address. Do the same with other sensitive information: credit card receipts, phone bills, bank statements, investment account reports, and so on. If at all possible, purchase a shredder for home use.

When shopping, always take credit card receipts with you; never toss them in a public trash container. Carry the receipts in your wallet, not in the shopping bag. When you pay by credit card, ask how the business stores and disposes of the forms. Avoid paying by credit card if you think the business will treat your data carelessly. Similarly, insist that your financial institutions destroy paper and magnetic records before discarding them.

When you fill out loan or credit applications, find out how the company disposes of them. If you aren't convinced that they store them in locked files and/or shred them, take your business elsewhere. Some auto dealerships, department stores, car rental agencies, and video stores have been known to treat customer applications carelessly.

Finally, before disposing of a computer, remove data by using a strong "wipe" utility program. Do not rely on the "delete" function to remove files containing sensitive information.

Order your credit reports twice a year from each of the three credit bureaus to check for errors and fraudulent use of your accounts, or get a three-in-one merged credit report from one bureau. If cost is an issue, order from one credit bureau now, from another in six months, and from the third six months later — within one year, you will have checked all three.

Use credit monitoring to alert you to suspicious credit activity and possible fraud. Each month, carefully review your credit card, bank statements, and phone bills (including mobile phones) for unauthorized use. Examine your Social Security Personal Earnings and Benefits Estimate Statement each year to check for fraud. The Social Security Administration mails this statement to adult SSN holders about three months before their birthdays.

If you are hit by identity theft, time is of the essence. Assess the situation — but do it quickly, preferably with the guidance of someone who knows this complex terrain and is committed to seeing you through the whole process. Then determine what needs to be done and begin reclaiming your identity.