Theft: It Can Happen to You
has revolutionized how we communicate and conduct business.
Unfortunately, it has also created new opportunities for criminals.
The need to protect personal identities has become just as
important as protecting and preserving financial assets.
Trade Commission (FTC) received more than half a million
identity-theft complaints in 2003, up from 404,000 in 2002.
The actual number of incidents may be higher; not all cases
are reported. In 2002, the FTC estimated that 9.9 million
Americans were victims of identity theft, at a cost of $47
billion to the victims, businesses, and banks. Identity
theft accounted for 42% of the complaints in a government
database of fraud, and cost the average victim more than
$1,000 in damages.
could happen to anyone, as it recently happened to me. One
evening, I received a call from Steve, who was calling about
a $25,000 order for computer equipment that had been placed
with his company in my name. The transaction had already
been approved, but he was confirming the order because the
shipping address differed from the billing address. The
order was placed over the Internet using my credit card
and included my home phone number and address.
called the credit card company and cancelled my card, even
though it was still in my wallet. I explained the situation
to MasterCard, but they were uninterested in pursuing it.
Steve was not surprised with MasterCard’s reaction,
but would not provide the shipping address without a police
report. He suggested that I call the police and report the
incident, which I was hesitant to do.
Within a few
days, I received a suspicious phone call. A woman claimed
to be from MasterCard, updating its records because the
computer system was down. The connection was poor and there
was a great deal of static. She repeated my name and read
off my address. When she asked me to confirm the last four
digits of my Social Security number, I hung up the phone.
Although I thought the call suspicious, I again hesitated
in taking action.
The next evening
I received another call, this one from American Express
wanting to confirm my application for a new credit card
to be mailed to my new address in Brooklyn. American Express
confirmed that the person who had applied for the account
had my Social Security number and other personal data. At
that point, I was certain that my personal information had
been hijacked, and I took the three steps recommended by
Contact the fraud departments of each of the three major
credit bureaus—Equifax, Experian, and Trans Union—and
report that your identity has been stolen. Ask that a
fraud alert be placed on file and that no new credit be
granted without your approval.
For any accounts that have been fraudulently accessed
or opened, contact the security departments of the appropriate
creditors or financial institutions. Close these accounts.
Put passwords (not your mother’s maiden name) on
any new accounts.
File a report with the local police. Get a copy of the
report in case the bank, credit card company, or others
need proof of the crime.
immediate action to protect your personal identity, some
follow-up actions are recommended: Call the FTC’s
Identity Theft Hotline at (877) IDTHEFT or (877) FTC-HELP,
or visit www.consumer.gov/idtheft/index.html
for more information. The FTC puts information into a secure
consumer fraud database where it can be used to help other
law enforcement agencies and private entities in their investigations
and victim assistance.
Review the credit
report and request a fraud investigation of suspicious items
in the report. Additionally, request another credit report
in three to six months, to review further activity.
As a further
precaution, add a fraud victim statement to your file, which
can remain in a credit report for seven years. This statement
asks lenders to contact you by phone before granting credit.
This eliminates instant credit, because a verification call
must be received. It also prevents accessing a personal
credit report online. Victim statements are generally added
when a consumer has confirmed that someone is using personal
information in a fraudulent manner.
for Preventing Identity Theft
Use a paper
shredder to ensure that all documents containing personal
data cannot be retrieved from the trash. To reduce the volume
of mail containing personal information, opt out of prescreened
credit card offers by calling (888) 5-OPTOUT.
Do not leave outgoing or incoming mail in an unlocked
Be extremely careful about supplying a Social Security
number when completing patient histories or other applications.
passwords on your credit card, bank, and phone accounts.
Passwords should not be easy to guess or obtain, such
as your birthdate or mother’s maiden name, even
though many businesses still request it. Passwords should
be changed on a regular basis.
Make sure that personal information is not easily available
to people that come into your home (repairmen, roommates,
Inquire about security procedures for personal data at
your workplace. Ask about access to personal records and
disposal of unneeded records.
Never reveal personal information to businesses that solicit
by e-mail or phone, and carefully review all credit card,
bank, brokerage, and utility statements for unauthorized
Precautions When Using Computers
Use virus protection software, and update it often.
Don’t open e-mail from unknown parties or click
on unknown hyperlinks.
Avoid “phishing” scams in which unsolicited
e-mails request users to update their records by clicking
on a hyperlink that directs them to a site that mimics
the legitimate website of a company such as AOL, PayPal,
or a credit card company. To update personal data, go
to the desired company’s authorized website or call
Make sure to use a secure browser with up-to-date encryption
firewalls to protect against hackers.
When you dispose of a computer, make sure to use a method
that totally clears out the hard drive, such as this one
from the National Aeronautics and Space Administration
Be aware of the privacy policies of websites.
Avoid storing personal information or passwords on laptops,
which could enable unauthorized access to personal accounts.
In October 1998,
Congress passed the Identity Theft and Assumption Deterrence
Act, amending 18 USC section 1028 to make it a federal crime
transfers or uses, without lawful authority, a means of
identification of another person with the intent to commit,
or to aid or abet, any unlawful activity that constitutes
a violation of Federal law, or that constitutes a felony
under any applicable State or local law.
the act are investigated by the U.S. Secret Service, the
FBI, and the U.S. Postal Inspection Service and are prosecuted
by the U.S. Department of Justice.
Does Identity Theft Happen?
is insidious. Eighty percent of the victims who report identity
theft do not know how their personal information was obtained.
There are countless ways that one’s identity can be
stolen, including: stealing wallets, purses, or credit cards;
stealing mail (both outgoing and incoming); diverting mail
using change of address forms; or stealing personal data
from the trash. Some thieves obtain credit reports by pretending
to make a legitimate request, or steal personal information
sent over the Internet. In 52% of the cases in which the
victim discovered how information was stolen, the thief
turned out to be a family member, neighbor, or coworker.
Business record identity theft is often conducted by insiders
that work for schools, hospitals, tax preparers, or municipalities
and exploit or sell the stolen data. Many victims are not
even aware of the theft until notified by their employers
or vendors that customer or employee personal records have
been stolen (see Exhibit
Is Personal Information Used?
information is obtained, it can be used in a variety of
ways, including having credit card statements diverted to
a new address, opening up checking or credit card accounts,
and borrowing money. Some victims have discovered that thieves
have obtained government benefits or documents in their
name, such as driver’s licenses, tax reports, and
Social Security cards. Although there may be limits to victims’
financial responsibility for debts, it often will take countless
hours to erase the bad credit created by the theft. According
to a May 2000 survey conducted by two nonprofit advocacy
agencies (the California Public Interest Research Group
and the Privacy Rights Clearing House), most victims spend
an average of 175 hours and up to 23 months actively trying
to resolve the problems created by identity theft (see Exhibit
I was never
able to figure out exactly how my identity was stolen. Two
possibilities in my case were the trash in my office, where
I had thrown out copies of medical insurance forms, and
a theft about a year earlier of personal information files
at the college where I teach. But it also could have been
stolen online or in some other way; there are numerous opportunities
for criminals to obtain this information. Shortly after
my experience, my college adopted specific guidelines that
included the shredding of documents that contain personal
with few internal controls may be the entities most vulnerable
to this type of crime. Business and personal records should
be protected from unauthorized access, and internal controls
should be put in place to protect sensitive data from dishonest
employees or Internet thieves. A company’s financial
health could be seriously undermined if personal or proprietary
information is compromised.
Diller-Haas, CPA, is an associate professor of business
at Kingsborough Community College, Brooklyn, N.Y.
CPA Journal is broadly recognized as an outstanding, technical-refereed
publication aimed at public practitioners, management, educators,
and other accounting professionals. It is edited by CPAs for CPAs.
Our goal is to provide CPAs and other accounting professionals
with the information and news to enable them to be successful
accountants, managers, and executives in today's practice environments.
The New York State Society of CPAs. Legal