Information and Resources
for Protection and Prevention
Vinita M. Ramaswamy
2006 - Identity theft is the fastest-growing crime in the
United States. It affects 13.3 persons per minute, 799 per
hour, or 19,178 per day. It is financially and emotionally
devastating for the victims, who face a long, hard struggle
to regain their credit history even as they deal with a frightening
sense of vulnerability and invasion. Less than 5% of complaints
are prosecuted, however, despite the fact that identity theft
is number one on the Federal Trade Commission’s (FTC)
list of fraud-related crimes (43% of all reported crimes).
Unfortunately, victims are not the only ones who pay the price.
Society as a whole incurs additional costs in the form of
higher interest rates and fees, higher prices, and increased
theft has proliferated, but it has not received the attention
it needs. Ambiguous delineation of responsibilities among
law-enforcement agencies, lack of interest in prosecution,
uninformed consumers, and easy availability of confidential
information make identity theft relatively effortless. Controlling
the problem requires a concerted effort on the part of the
federal government, law-enforcement officials, businesses,
and consumers to educate the public, take precautionary
measures that reduce the possibility of theft, follow the
money trail to identify and prosecute thieves, and encourage
early reporting of theft so that losses are minimized.
Is Identity Theft?
to the FTC, identity theft occurs when personal information
is used, without an individual’s permission, to commit
fraud. According to the FTC’s report “National
and State Trends in Fraud and Identity Theft, January–December
2004,” credit card fraud was the most common complaint,
followed by phone or utilities fraud, bank fraud, and employment
fraud. Other annual identity theft statistics from the FTC
Victims: 9.3 million
Loss to businesses: $52.6 billion
to individual victims: $5 billion
victims spent resolving their problems: 297 million.
successful identity thief needs personal and confidential
information such as credit card numbers and CW2 security
numbers (on the back of credit cards), driver’s license
numbers, ATM cards, telephone calling cards, mortgage details,
birthdates, and PINs. The thief can then use this information
to conduct a wide range of criminal activities, ranging
from applying for false loans and mortgages to using phone
cards and charging on credit cards.
to the Identity Theft Resource Center (idtheftcenter.org),
there are four types of identity theft:
Financial identity theft. The
victim’s name and Social Security number (SSN) are
used to apply for telephone service, credit cards, or
loans, and to buy merchandise or lease cars or apartments.
Criminal identity theft. The
victim’s name, address, and other personal details
are given to law-enforcement officials during the commission
of a crime. The victim is then mistakenly arrested.
Identity cloning. The victim’s
private information is used by an imposter to establish
a new life, complete with the necessary cards, permits,
Business-identity theft. Credit
cards and bank accounts are opened in the name of a business
and are then used to order merchandise or acquire loans.
confidential information can be a simple matter:
Dumpster diving. Looking through
a person’s garbage for “pre-approved”
credit card offers, copies of old bills, loan applications,
and documents with the resident’s SSN.
Shoulder surfing. Overhearing
a person give out personal information over a public telephone
or cellphone, or looking over a person’s shoulder
as they use an ATM or fill out forms.
Skimming. Attaching a data storage
device to an ATM machine or a retail checkout terminal
and reading the credit card or PIN numbers that pass through
Social engineering. Telephoning
someone and pretending to be a landlord, bank officer,
or employer in order to get confidential information.
Mail theft. Stealing pre-approved
credit card applications, insurance statements, tax information,
or investment reports from mailboxes.
Retail theft. Stealing files
or getting information from accomplices at retailers or
service providers’ offices.
Publicly available information.
A search of public and government databases can yield
information about driver’s licenses, real estate
and other business transactions, vehicle records, certain
types of professional certifications, and licensing records.
Newspaper classifieds and other private databases also
provide a wealth of information.
technology proliferates and more people use the Internet
to conduct business, identity thieves have adapted, with
cyber-theft now a common occurrence. An article in BusinessWeek
(May 30, 2005) discussed how thieves steal information:
Phishing. E-mails are sent to
unsuspecting victims, asking for information and providing
links to false websites. The Anti-Phishing Working Group
(APWG; www.antiphishing.org), an international industrial
and law-enforcement counter–electronic crime association,
noted that phishing scams increased by 1,200% in 2004,
with nearly 1,100 unique phishing scams.
Pharming. E-mails and their
related websites have viruses attached. These viruses
contain programs that record keystrokes and obtain crucial
Robot networks (botnets). A
hacker can control a PC or a network of PCs from a remote
location after inserting a control program into an unsuspecting
Wi-phishing. Consumers sometimes
unwittingly use wireless networks set up by fraudsters.
This makes it easy for cybercriminals to steal passwords
and other information.
Typosquatting. These are websites
with names similar to legitimate websites. When people
make typing errors, they land on these false websites.
This gives cybercriminals the opportunity to infect computers
or to insert “bots” into them.
conventional wisdom would indicate that high-tech users
are the main culprits of identity theft, statistics show
otherwise. Obtaining personal information is relatively
simple. Many people tend to be neglectful, carelessly throwing
away credit card receipts or paycheck stubs—seemingly
harmless pieces of paper that have a wealth of information,
including names, addresses, signatures (credit card receipts),
and SSNs. A study by the California-based consulting firm
Javelin Strategy and Research found that 26% of the fraud
victims knew the identity thief, while 29% of the victims
had had their wallets or credit cards stolen.
the method used, the victim still faces big losses and hours
of painstaking work to bring life back to normal. Knowing
that a few simple precautions can ensure the safety of personal
information is very important.
the Risk of Identity Theft
identity is usually made up of pieces of information such
as name, address, SSN, mother’s maiden name, PIN,
date of birth, bank account number, and credit card number.
An identity thief looks for these pieces of information,
then links them together to commit a crime. While
safeguards from identity theft and punishments for the crime
continue to increase, all consumers are responsible for
protecting themselves. Because research shows that most
identity thieves take advantage of negligence and easily
available information, a few simple steps can minimize these
Credit reports should be obtained and reviewed regularly.
Precautions must be taken to prevent personal information
from being shared by creditors and clearinghouses. Websites
such as www.privacyrights.org and www.junkbusters.com
provide information on how to stop information sharing.
Use credit-reporting agencies’ “opt-out”
option to stop them from sharing confidential information,
such as SSNs, with credit card companies or other businesses.
Never provide personal information by telephone or e-mail
unless initiating the communication.
Do not have personal information, such as driver’s
license numbers and SSNs, printed on checks or other visible
Do not write down PINs and passwords in a readily accessible
list. If a list is necessary, it should be well secured.
Do not use debit cards for online transactions.
Do not leave wallets and purses unattended in a car or
shopping cart or on a counter while shopping.
Carefully monitor credit card, telephone, and other bills,
as well as bank statements. A late bill requires immediate
Maintain careful records of credit and debit cards, bank
accounts, loans, and property owned.
Place incoming and outgoing mail in secured mailboxes.
Protect computers with firewalls, spam-killers, and other
programs to reduce cyber attacks.
Carry the minimum number of credit cards and other forms
of identification at all times.
Use a shredder to destroy unneeded documents that might
include confidential information.
the Identity Thief
a bank, the police or other authorities, or an identity-theft
victim may hire a fraud examiner/forensic accountant to
help find the cybercriminal and to provide evidence for
conviction. When a forensic accountant is retained for such
a job, an important first step is to obtain a fraud/forgery
affidavit from the victim. According to Peter Donnelly (“ID
Theft: Hunting Down and Nabbing the Thieves,” cfenet.com,
Fraud Articles July/August 2004), this affidavit should
state that the victim had no knowledge of the crime and
did not give permission to use his credit card or to open
case of fraudulent bank accounts or credit cards, the originals
or best copies of checks, sales drafts, account applications,
and delivery receipts can be used as evidence. If wire transfers
were involved, copies of the sending and receiving reports,
as well as a current transactions report, and a suspicious
activity report (SAR) are also helpful. Many of these transactions
are confidential, but if a bank reports the crime or is
itself the victim of a crime, the federal Right to Financial
Privacy Act does not apply.
case of credit card applications, discrepancies in the information
provided, such as employment history, salaries, addresses,
area codes, zip codes, driver’s license numbers, and
SSNs, can be used to demonstrate fraud. The places and times
that charges were made to the credit card are significant,
as are the items purchased. Some stores, especially gas
stations, may have video surveillance tapes.
the suspects are receiving fraudulent checks, credit cards,
or merchandise by mail, postal authorities may be helpful
in identifying the imposter. Careful analysis of the mail
cover may reveal the real name and address of the suspect.
If a P.O. box is being used, the postal inspector or the
owner of the private mailbox can provide the name of the
renter. Additionally, the forensic accountant can go Dumpster
diving to see if any valid evidence has been thrown away.
tax records, rental agreements, and other evidence of occupation
or ownership can link the suspect to the activities of receiving
fraudulent checks or stolen property. Publicly available
databases, as well as government databases, can be used
to check the driver’s license numbers and the SSNs.
Finally, other investigative techniques, such as surveillance,
fingerprints, and DNA evidence, can also be used to build
a solid case against the suspect.
agencies at the federal, state, and local levels work hard
to find identity thieves and to prosecute them to the fullest
extent of the law. The U.S. Department of Justice uses federal
statutes covering computer, mail, wire, financial institution,
and credit card fraud to prosecute cases of identity theft.
The Identity Theft and Assumption Deterrence Act of 1998
made identity theft a federal offense and increased the
role of the FTC to develop the nation’s central database
of identity theft complaints. The President signed the Identity
Theft Penalty Enhancement Act in 2004 to increase the penalties
for serious identity theft and increase the deterrence for
Identity-Theft Victims Can Do
theft happens fast and silently, but the damage inflicted
can be enormous. Many victims are unaware that criminal
activities are being carried out using their personal information.
Awareness of an imposter usually comes in the form of an
unpleasant surprise when a collection agency or a bank calls
about an unknown bill or loan. In some cases, a victim becomes
the focus of a police investigation after his name is used
to commit crimes. Warning signs that private information
might be compromised include the following:
Bills from an unknown credit account
Unauthorized charges on credit, long-distance telephone,
or bank accounts
Calls from collection agencies regarding unfamiliar debts
Checks disappearing from checkbooks
Bank and credit card statements don’t arrive on
Credit reports shows unauthorized accounts
Being turned down for a credit card, mortgage or other
loan, or other form of credit due to unauthorized debts
on a credit report.
it becomes obvious that identity theft has taken place,
the FTC advises victims to act quickly and assertively.
law-enforcement agencies. The fraud should
be reported to the local police or sheriff’s department,
which will then fill out an identity-theft report. The victim
must obtain a copy of this report because it may be required
by credit rating agencies, credit card companies, and banks.
a fraud alert. Report the fraud immediately
to the fraud department of the three main credit-reporting
bureaus. (See the Sidebar.)
The bureaus must be requested to place a fraud alert on
the victim’s credit report. Initially, a fraud alert
may be placed for 90 days. The alert may be extended for
seven years (this requires a copy of the police report).
credit reports. Once the fraud alert has been
placed, the credit bureau will mail a copy of the credit
report to the victim. These credit reports must be carefully
checked, and unauthorized transactions should be noted.
Continuous monitoring of the credit report is necessary
to ensure that no new transactions have taken place without
proper authorization. In some states, a “security
freeze” may be requested; this prevents anyone from
accessing credit files without express permission from the
or existing accounts. If a credit report shows
that new accounts have been opened without the knowledge
of the lawful owner, or that fraudulent activities have
been conducted using existing accounts, creditors must be
contacted by phone and in writing. The Fair Credit Reporting
Act has been amended to allow a victim to prevent businesses
from reporting fraudulent accounts to credit bureaus.
collectors. The name of the collection company,
account representative, phone number, and address should
be recorded. Verbal and written communications are necessary
to report the fraud to collection agencies. A written statement
must be requested from the collection agency stating that
the victim is no longer responsible for the debt.
The bank must be informed of any fraudulent accounts or
fraudulent activities in an existing account. A security
alert must be placed on the account, outstanding checks
must have a “stop payment” order placed on them,
and existing accounts must be canceled and new ones opened
with new passwords and security codes. The bank must file
a report with ChexSystems, a consumer-reporting agency that
compiles reports on checking accounts. If an ATM card or
debit card was stolen, it must be reported immediately.
New cards with new passwords must be acquired and monitored
carefully. The victim may still be responsible for a fraud
if the report is not filed immediately.
Identity thieves can open new wireless, local, and long-distance
service accounts in a victim’s name. The local telephone
company must be contacted, in writing and by phone, for
its fraud policy.
loans. If an identity thief has obtained a
student loan in a victim’s name, it must be reported,
in writing, to the school that opened the loan, along with
a request that the account be closed. This information should
also be reported to the U.S. Department of Education.
to the FTC. The identity theft must be reported
to the FTC as soon as possible, along with the police report
number. The FTC makes this information widely available
issues. The Social Security Administration
must be notified in case a victim’s SSN was illegally
used. (Sometimes a new SSN may be necessary.) In addition,
U.S. Passport Services and the local department of motor
vehicles, if a driver’s license was involved, should
be notified. The U.S. Secret Service may become involved
if the dollar amount is high, or if a fraud ring is involved.
cases. If an imposter engages in criminal
activities that result in a court indictment, the services
of a lawyer may be required. The court with jurisdiction
over the case must be informed, as well as the district
attorney handling the case. A copy of the police report
would be useful in this case.
all, the FTC advises victims to maintain good records of
all transactions and complaints, including phone logs and
copies of communications. The FTC also recommends that victims
do not pay any bills that are a result of the fraud. If
the business or the debt collector aggressively pursues
the case, a willingness to cooperate should be reiterated,
and government regulators informed immediately.
websites providing information on consumer and victims rights
M. Ramaswamy, PhD, is an associate professor at the
University of St. Thomas, Houston, Texas.