Identity Theft: It Can Happen to You

Identity Theft: It Can Happen to You

By Amy Diller-Haas

Technology has revolutionized how we communicate and conduct business. Unfortunately, it has also created new opportunities for criminals. The need to protect personal identities has become just as important as protecting and preserving financial assets.

The Federal Trade Commission (FTC) received more than half a million identity-theft complaints in 2003, up from 404,000 in 2002. The actual number of incidents may be higher; not all cases are reported. In 2002, the FTC estimated that 9.9 million Americans were victims of identity theft, at a cost of $47 billion to the victims, businesses, and banks. Identity theft accounted for 42% of the complaints in a government database of fraud, and cost the average victim more than $1,000 in damages.

Identity theft could happen to anyone, as it recently happened to me. One evening, I received a call from Steve, who was calling about a $25,000 order for computer equipment that had been placed with his company in my name. The transaction had already been approved, but he was confirming the order because the shipping address differed from the billing address. The order was placed over the Internet using my credit card and included my home phone number and address.

I immediately called the credit card company and cancelled my card, even though it was still in my wallet. I explained the situation to MasterCard, but they were uninterested in pursuing it. Steve was not surprised with MasterCard’s reaction, but would not provide the shipping address without a police report. He suggested that I call the police and report the incident, which I was hesitant to do.

Within a few days, I received a suspicious phone call. A woman claimed to be from MasterCard, updating its records because the computer system was down. The connection was poor and there was a great deal of static. She repeated my name and read off my address. When she asked me to confirm the last four digits of my Social Security number, I hung up the phone. Although I thought the call suspicious, I again hesitated in taking action.

The next evening I received another call, this one from American Express wanting to confirm my application for a new credit card to be mailed to my new address in Brooklyn. American Express confirmed that the person who had applied for the account had my Social Security number and other personal data. At that point, I was certain that my personal information had been hijacked, and I took the three steps recommended by the FTC:

Contact the fraud departments of each of the three major credit bureaus—Equifax, Experian, and Trans Union—and report that your identity has been stolen. Ask that a fraud alert be placed on file and that no new credit be granted without your approval.
For any accounts that have been fraudulently accessed or opened, contact the security departments of the appropriate creditors or financial institutions. Close these accounts. Put passwords (not your mother’s maiden name) on any new accounts.
File a report with the local police. Get a copy of the report in case the bank, credit card company, or others need proof of the crime.

After taking immediate action to protect your personal identity, some follow-up actions are recommended: Call the FTC’s Identity Theft Hotline at (877) IDTHEFT or (877) FTC-HELP, or visit www.consumer.gov/idtheft/index.html for more information. The FTC puts information into a secure consumer fraud database where it can be used to help other law enforcement agencies and private entities in their investigations and victim assistance.

Review the credit report and request a fraud investigation of suspicious items in the report. Additionally, request another credit report in three to six months, to review further activity.

As a further precaution, add a fraud victim statement to your file, which can remain in a credit report for seven years. This statement asks lenders to contact you by phone before granting credit. This eliminates instant credit, because a verification call must be received. It also prevents accessing a personal credit report online. Victim statements are generally added when a consumer has confirmed that someone is using personal information in a fraudulent manner.

Steps for Preventing Identity Theft

Use a paper shredder to ensure that all documents containing personal data cannot be retrieved from the trash. To reduce the volume of mail containing personal information, opt out of prescreened credit card offers by calling (888) 5-OPTOUT.

Do not leave outgoing or incoming mail in an unlocked mailbox.
Be extremely careful about supplying a Social Security number when completing patient histories or other applications.
Place passwords on your credit card, bank, and phone accounts. Passwords should not be easy to guess or obtain, such as your birthdate or mother’s maiden name, even though many businesses still request it. Passwords should be changed on a regular basis.
Make sure that personal information is not easily available to people that come into your home (repairmen, roommates, neighbors).
Inquire about security procedures for personal data at your workplace. Ask about access to personal records and disposal of unneeded records.
Never reveal personal information to businesses that solicit by e-mail or phone, and carefully review all credit card, bank, brokerage, and utility statements for unauthorized transactions.

Additional Precautions When Using Computers

Use virus protection software, and update it often.
Don’t open e-mail from unknown parties or click on unknown hyperlinks.
Avoid “phishing” scams in which unsolicited e-mails request users to update their records by clicking on a hyperlink that directs them to a site that mimics the legitimate website of a company such as AOL, PayPal, or a credit card company. To update personal data, go to the desired company’s authorized website or call directly.
Make sure to use a secure browser with up-to-date encryption capabilities.
Use firewalls to protect against hackers.
When you dispose of a computer, make sure to use a method that totally clears out the hard drive, such as this one from the National Aeronautics and Space Administration (www.hq.nasa.gov/office/oig/hq/harddrive.pdf).
Be aware of the privacy policies of websites.
Avoid storing personal information or passwords on laptops, which could enable unauthorized access to personal accounts.

Federal Laws

In October 1998, Congress passed the Identity Theft and Assumption Deterrence Act, amending 18 USC section 1028 to make it a federal crime when anyone:

Knowingly transfers or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law.

Violations of the act are investigated by the U.S. Secret Service, the FBI, and the U.S. Postal Inspection Service and are prosecuted by the U.S. Department of Justice.

How Does Identity Theft Happen?

Identity theft is insidious. Eighty percent of the victims who report identity theft do not know how their personal information was obtained. There are countless ways that one’s identity can be stolen, including: stealing wallets, purses, or credit cards; stealing mail (both outgoing and incoming); diverting mail using change of address forms; or stealing personal data from the trash. Some thieves obtain credit reports by pretending to make a legitimate request, or steal personal information sent over the Internet. In 52% of the cases in which the victim discovered how information was stolen, the thief turned out to be a family member, neighbor, or coworker. Business record identity theft is often conducted by insiders that work for schools, hospitals, tax preparers, or municipalities and exploit or sell the stolen data. Many victims are not even aware of the theft until notified by their employers or vendors that customer or employee personal records have been stolen (see Exhibit 1).

How Is Personal Information Used?

Once personal information is obtained, it can be used in a variety of ways, including having credit card statements diverted to a new address, opening up checking or credit card accounts, and borrowing money. Some victims have discovered that thieves have obtained government benefits or documents in their name, such as driver’s licenses, tax reports, and Social Security cards. Although there may be limits to victims’ financial responsibility for debts, it often will take countless hours to erase the bad credit created by the theft. According to a May 2000 survey conducted by two nonprofit advocacy agencies (the California Public Interest Research Group and the Privacy Rights Clearing House), most victims spend an average of 175 hours and up to 23 months actively trying to resolve the problems created by identity theft (see Exhibit 2).

I was never able to figure out exactly how my identity was stolen. Two possibilities in my case were the trash in my office, where I had thrown out copies of medical insurance forms, and a theft about a year earlier of personal information files at the college where I teach. But it also could have been stolen online or in some other way; there are numerous opportunities for criminals to obtain this information. Shortly after my experience, my college adopted specific guidelines that included the shredding of documents that contain personal information.

Small businesses with few internal controls may be the entities most vulnerable to this type of crime. Business and personal records should be protected from unauthorized access, and internal controls should be put in place to protect sensitive data from dishonest employees or Internet thieves. A company’s financial health could be seriously undermined if personal or proprietary information is compromised.

Amy Diller-Haas, CPA, is an associate professor of business at Kingsborough Community College, Brooklyn, N.Y.