Identity-Theft Toolkit
Information and Resources for Protection and Prevention

By Vinita M. Ramaswamy

E-mail Story Print Story

Identity theft has proliferated, but it has not received the attention it needs. Ambiguous delineation of responsibilities among law-enforcement agencies, lack of interest in prosecution, uninformed consumers, and easy availability of confidential information make identity theft relatively effortless. Controlling the problem requires a concerted effort on the part of the federal government, law-enforcement officials, businesses, and consumers to educate the public, take precautionary measures that reduce the possibility of theft, follow the money trail to identify and prosecute thieves, and encourage early reporting of theft so that losses are minimized.

What Is Identity Theft?

According to the FTC, identity theft occurs when personal information is used, without an individual’s permission, to commit fraud. According to the FTC’s report “National and State Trends in Fraud and Identity Theft, January–December 2004,” credit card fraud was the most common complaint, followed by phone or utilities fraud, bank fraud, and employment fraud. Other annual identity theft statistics from the FTC survey include:

• Victims: 9.3 million
• Loss to businesses: $52.6 billion
• Loss to individual victims: $5 billion
• Hours victims spent resolving their problems: 297 million.

The successful identity thief needs personal and confidential information such as credit card numbers and CW2 security numbers (on the back of credit cards), driver’s license numbers, ATM cards, telephone calling cards, mortgage details, birthdates, and PINs. The thief can then use this information to conduct a wide range of criminal activities, ranging from applying for false loans and mortgages to using phone cards and charging on credit cards.

According to the Identity Theft Resource Center (idtheftcenter.org), there are four types of identity theft:

• Financial identity theft. The victim’s name and Social Security number (SSN) are used to apply for telephone service, credit cards, or loans, and to buy merchandise or lease cars or apartments.
• Criminal identity theft. The victim’s name, address, and other personal details are given to law-enforcement officials during the commission of a crime. The victim is then mistakenly arrested.
• Identity cloning. The victim’s private information is used by an imposter to establish a new life, complete with the necessary cards, permits, and papers.
• Business-identity theft. Credit cards and bank accounts are opened in the name of a business and are then used to order merchandise or acquire loans.

Obtaining confidential information can be a simple matter:

• Dumpster diving. Looking through a person’s garbage for “pre-approved” credit card offers, copies of old bills, loan applications, and documents with the resident’s SSN.
• Shoulder surfing. Overhearing a person give out personal information over a public telephone or cellphone, or looking over a person’s shoulder as they use an ATM or fill out forms.
• Skimming. Attaching a data storage device to an ATM machine or a retail checkout terminal and reading the credit card or PIN numbers that pass through the device.
• Social engineering. Telephoning someone and pretending to be a landlord, bank officer, or employer in order to get confidential information.
• Mail theft. Stealing pre-approved credit card applications, insurance statements, tax information, or investment reports from mailboxes.
• Retail theft. Stealing files or getting information from accomplices at retailers or service providers’ offices.
• Publicly available information. A search of public and government databases can yield information about driver’s licenses, real estate and other business transactions, vehicle records, certain types of professional certifications, and licensing records. Newspaper classifieds and other private databases also provide a wealth of information.

Other Cybertheft

As technology proliferates and more people use the Internet to conduct business, identity thieves have adapted, with cyber-theft now a common occurrence. An article in BusinessWeek (May 30, 2005) discussed how thieves steal information:

• Phishing. E-mails are sent to unsuspecting victims, asking for information and providing links to false websites. The Anti-Phishing Working Group (APWG; www.antiphishing.org), an international industrial and law-enforcement counter–electronic crime association, noted that phishing scams increased by 1,200% in 2004, with nearly 1,100 unique phishing scams.
• Pharming. E-mails and their related websites have viruses attached. These viruses contain programs that record keystrokes and obtain crucial information.
• Robot networks (botnets). A hacker can control a PC or a network of PCs from a remote location after inserting a control program into an unsuspecting user’s computer.
• Wi-phishing. Consumers sometimes unwittingly use wireless networks set up by fraudsters. This makes it easy for cybercriminals to steal passwords and other information.
• Typosquatting. These are websites with names similar to legitimate websites. When people make typing errors, they land on these false websites. This gives cybercriminals the opportunity to infect computers or to insert “bots” into them.

Although conventional wisdom would indicate that high-tech users are the main culprits of identity theft, statistics show otherwise. Obtaining personal information is relatively simple. Many people tend to be neglectful, carelessly throwing away credit card receipts or paycheck stubs—seemingly harmless pieces of paper that have a wealth of information, including names, addresses, signatures (credit card receipts), and SSNs. A study by the California-based consulting firm Javelin Strategy and Research found that 26% of the fraud victims knew the identity thief, while 29% of the victims had had their wallets or credit cards stolen.

Whatever the method used, the victim still faces big losses and hours of painstaking work to bring life back to normal. Knowing that a few simple precautions can ensure the safety of personal information is very important.

Minimizing the Risk of Identity Theft

A person’s identity is usually made up of pieces of information such as name, address, SSN, mother’s maiden name, PIN, date of birth, bank account number, and credit card number. An identity thief looks for these pieces of information, then links them together to commit a crime. While safeguards from identity theft and punishments for the crime continue to increase, all consumers are responsible for protecting themselves. Because research shows that most identity thieves take advantage of negligence and easily available information, a few simple steps can minimize these risks:

• Credit reports should be obtained and reviewed regularly.
• Precautions must be taken to prevent personal information from being shared by creditors and clearinghouses. Websites such as www.privacyrights.org and www.junkbusters.com provide information on how to stop information sharing.
• Use credit-reporting agencies’ “opt-out” option to stop them from sharing confidential information, such as SSNs, with credit card companies or other businesses.
• Never provide personal information by telephone or e-mail unless initiating the communication.
• Do not have personal information, such as driver’s license numbers and SSNs, printed on checks or other visible paper.
• Do not write down PINs and passwords in a readily accessible list. If a list is necessary, it should be well secured.
• Do not use debit cards for online transactions.
• Do not leave wallets and purses unattended in a car or shopping cart or on a counter while shopping.
• Carefully monitor credit card, telephone, and other bills, as well as bank statements. A late bill requires immediate action.
• Maintain careful records of credit and debit cards, bank accounts, loans, and property owned.
• Place incoming and outgoing mail in secured mailboxes.
• Protect computers with firewalls, spam-killers, and other programs to reduce cyber attacks.
• Carry the minimum number of credit cards and other forms of identification at all times.
• Use a shredder to destroy unneeded documents that might include confidential information.

Finding the Identity Thief

Often a bank, the police or other authorities, or an identity-theft victim may hire a fraud examiner/forensic accountant to help find the cybercriminal and to provide evidence for conviction. When a forensic accountant is retained for such a job, an important first step is to obtain a fraud/forgery affidavit from the victim. According to Peter Donnelly (“ID Theft: Hunting Down and Nabbing the Thieves,” cfenet.com, Fraud Articles July/August 2004), this affidavit should state that the victim had no knowledge of the crime and did not give permission to use his credit card or to open bank accounts.

In case of fraudulent bank accounts or credit cards, the originals or best copies of checks, sales drafts, account applications, and delivery receipts can be used as evidence. If wire transfers were involved, copies of the sending and receiving reports, as well as a current transactions report, and a suspicious activity report (SAR) are also helpful. Many of these transactions are confidential, but if a bank reports the crime or is itself the victim of a crime, the federal Right to Financial Privacy Act does not apply.

In case of credit card applications, discrepancies in the information provided, such as employment history, salaries, addresses, area codes, zip codes, driver’s license numbers, and SSNs, can be used to demonstrate fraud. The places and times that charges were made to the credit card are significant, as are the items purchased. Some stores, especially gas stations, may have video surveillance tapes.

If the suspects are receiving fraudulent checks, credit cards, or merchandise by mail, postal authorities may be helpful in identifying the imposter. Careful analysis of the mail cover may reveal the real name and address of the suspect. If a P.O. box is being used, the postal inspector or the owner of the private mailbox can provide the name of the renter. Additionally, the forensic accountant can go Dumpster diving to see if any valid evidence has been thrown away.

Property tax records, rental agreements, and other evidence of occupation or ownership can link the suspect to the activities of receiving fraudulent checks or stolen property. Publicly available databases, as well as government databases, can be used to check the driver’s license numbers and the SSNs. Finally, other investigative techniques, such as surveillance, fingerprints, and DNA evidence, can also be used to build a solid case against the suspect.

Law-enforcement agencies at the federal, state, and local levels work hard to find identity thieves and to prosecute them to the fullest extent of the law. The U.S. Department of Justice uses federal statutes covering computer, mail, wire, financial institution, and credit card fraud to prosecute cases of identity theft. The Identity Theft and Assumption Deterrence Act of 1998 made identity theft a federal offense and increased the role of the FTC to develop the nation’s central database of identity theft complaints. The President signed the Identity Theft Penalty Enhancement Act in 2004 to increase the penalties for serious identity theft and increase the deterrence for future crimes.

What Identity-Theft Victims Can Do

Identity theft happens fast and silently, but the damage inflicted can be enormous. Many victims are unaware that criminal activities are being carried out using their personal information. Awareness of an imposter usually comes in the form of an unpleasant surprise when a collection agency or a bank calls about an unknown bill or loan. In some cases, a victim becomes the focus of a police investigation after his name is used to commit crimes. Warning signs that private information might be compromised include the following:

• Bills from an unknown credit account
• Unauthorized charges on credit, long-distance telephone, or bank accounts
• Calls from collection agencies regarding unfamiliar debts
• Checks disappearing from checkbooks
• Bank and credit card statements don’t arrive on time
• Credit reports shows unauthorized accounts
• Being turned down for a credit card, mortgage or other loan, or other form of credit due to unauthorized debts on a credit report.

Once it becomes obvious that identity theft has taken place, the FTC advises victims to act quickly and assertively.

Contact law-enforcement agencies. The fraud should be reported to the local police or sheriff’s department, which will then fill out an identity-theft report. The victim must obtain a copy of this report because it may be required by credit rating agencies, credit card companies, and banks.

Place a fraud alert. Report the fraud immediately to the fraud department of the three main credit-reporting bureaus. (See the Sidebar.) The bureaus must be requested to place a fraud alert on the victim’s credit report. Initially, a fraud alert may be placed for 90 days. The alert may be extended for seven years (this requires a copy of the police report).

Monitor credit reports. Once the fraud alert has been placed, the credit bureau will mail a copy of the credit report to the victim. These credit reports must be carefully checked, and unauthorized transactions should be noted. Continuous monitoring of the credit report is necessary to ensure that no new transactions have taken place without proper authorization. In some states, a “security freeze” may be requested; this prevents anyone from accessing credit files without express permission from the owner.

New or existing accounts. If a credit report shows that new accounts have been opened without the knowledge of the lawful owner, or that fraudulent activities have been conducted using existing accounts, creditors must be contacted by phone and in writing. The Fair Credit Reporting Act has been amended to allow a victim to prevent businesses from reporting fraudulent accounts to credit bureaus.

Debt collectors. The name of the collection company, account representative, phone number, and address should be recorded. Verbal and written communications are necessary to report the fraud to collection agencies. A written statement must be requested from the collection agency stating that the victim is no longer responsible for the debt.

Banks. The bank must be informed of any fraudulent accounts or fraudulent activities in an existing account. A security alert must be placed on the account, outstanding checks must have a “stop payment” order placed on them, and existing accounts must be canceled and new ones opened with new passwords and security codes. The bank must file a report with ChexSystems, a consumer-reporting agency that compiles reports on checking accounts. If an ATM card or debit card was stolen, it must be reported immediately. New cards with new passwords must be acquired and monitored carefully. The victim may still be responsible for a fraud if the report is not filed immediately.

Telephone. Identity thieves can open new wireless, local, and long-distance service accounts in a victim’s name. The local telephone company must be contacted, in writing and by phone, for its fraud policy.

Student loans. If an identity thief has obtained a student loan in a victim’s name, it must be reported, in writing, to the school that opened the loan, along with a request that the account be closed. This information should also be reported to the U.S. Department of Education.

Report to the FTC. The identity theft must be reported to the FTC as soon as possible, along with the police report number. The FTC makes this information widely available to investigators.

Other issues. The Social Security Administration must be notified in case a victim’s SSN was illegally used. (Sometimes a new SSN may be necessary.) In addition, U.S. Passport Services and the local department of motor vehicles, if a driver’s license was involved, should be notified. The U.S. Secret Service may become involved if the dollar amount is high, or if a fraud ring is involved.

Court cases. If an imposter engages in criminal activities that result in a court indictment, the services of a lawyer may be required. The court with jurisdiction over the case must be informed, as well as the district attorney handling the case. A copy of the police report would be useful in this case.

Above all, the FTC advises victims to maintain good records of all transactions and complaints, including phone logs and copies of communications. The FTC also recommends that victims do not pay any bills that are a result of the fraud. If the business or the debt collector aggressively pursues the case, a willingness to cooperate should be reiterated, and government regulators informed immediately.

Useful websites providing information on consumer and victims rights include www.ftc.gov/bcp/conline/pubs/credit/idtheft.htm and www.consumer.gov/idtheft/.