Insider Identity Theft Poses Major Threats

Robert Siciliano Identity Theft Expert

A Boston woman has been indicted for allegedly stealing at least 34 identities, which she was able to access from her workplace, a medical cost-management firm.

“This was an extensive scheme in which the defendant used her access to the victims’ personal identifying information as a means to steal their identities, obtain credit cards in their names without their knowledge, and then use those credit cards to make purchases for her own personal gain,” said the local District Attorney. “The defendant had access to a large database of health care professionals that contained their personal information.”

State police learned of the fraud when a physician discovered that a credit card had been set up in her name and sent to a P.O. Box in Lowell, Massachusetts. Further investigation by postal inspectors revealed that other cards had also been sent to this P.O. Box. If convicted, she could face up to 75 years in state prison for 15 counts of grand larceny, 100 years for 20 counts of credit card fraud, 55 years for 22 counts of identity theft, and 20 years in for being a “common and notorious thief.”

As much as 70% of all identity theft is committed by someone with inside access to organizations such as corporations, banks or government agencies, or simply someone who has an existing relationship with the victim. People with access to sensitive personal data are most likely to commit identity theft. For many, it’s just too easy not to.

An identity thief begins by acquiring a target’s personal identifying information: name, Social Security number, birth date and address, in that order. If the thief has regular access to a database, he can simply copy and paste the information into an online credit application, or hand write the information on a paper credit card application.

Many credit applications request current and previous addresses. So the thief fills out the victim’s current address as “previous” and plugs in a new address, usually a P.O. Box or the thief’s own address, where the new credit card will be sent. I’m amazed that a lender or credit card company can be careless enough to send a new credit card to a relatively anonymous P.O. Box. The lender just checks the victim’s credit and, since everything matches, no red flags pop up. The card is issued and the fun begins.

Once the thief receives the new card, he or she activates it from a throwaway cell phone. The next step is to either use the card to withdraw as much cash as possible from an ATM, or max it out with charges and then resell the stolen goods through classified ads or online auctions. If the thief is suffering from a drug addiction, it can be impossible to stop this cycle, because stealing identities goes hand in hand with addictive behavior. It’s like gambling. Thieves get a high or a rush when they feel they’re beating the system.

In the case of the Boston woman mentioned above, most people’s first response would be a determination that her employer should have done more to protect the data. There are numerous technologies that monitor, manage, control and restrict who has access to sensitive information. Today, these technologies are being deployed more often than ever before, due to various regulatory issues. However, regardless of what technologies are deployed, all you need to open a file cabinet is a key, if the cabinet is even locked in the first place. So how do you protect yourself when someone has full access to all your information?

1. Get a credit freeze. Go online now and search “credit freeze” or “security freeze” and go to consumersunion.org and follow the steps for the state you live in. This is an absolutely necessary tool to secure your credit. In most cases it prevents new accounts from being opened in your name.
2. Invest in Intelius Identity Protect. While not all forms of identity theft can be prevented, you can effectively manage your personal identifying information by knowing what’s buzzing out there in regards to YOU.

Includes;
Personal Identity Profile – Find out if you’re at risk for identity theft with a detailed report of your identity information, including a current credit report, address history, aliases, and more.

24/7 Identity Monitoring and Alerts – Prevent identity theft with automatic monitoring that scans billions of public records daily and alerts you to suspicious activity.

Identity Recovery Assistance – Let professionals help you recover your identity if you ever become a victim of identity theft.

Robert Siciliano Identity Theft Speaker discussing identity theft

Identity Theft Scammers Targeting Online Classifieds

Robert Siciliano identity theft expert

Throughout the past week or so, scammers from Nigeria, Belgium and the UK have been coming after me in full force, via Craigslist. Unfortunately, the popular online classifieds website has become a launchpad for criminal activity. Everything from online affinity or advance fee scams to baby killers and the Craigslist killer have hampered the website’s reputation.

I use Craigslist to find renters for an apartment that I own. Last year, scammers copied my advertisement verbatim, except for the contact information, which they replaced with their own, and the price, which they reduced by half. The scammer, who claimed to be the property owner, informed potential renters that he was in Austria, and instructed them to drive by the apartment, and to send him a deposit check if they liked the look of the place. Fortunately, I happened to be present when a couple came by, per the scammer’s instructions. We discovered the ruse and contacted Craigslist. The fake ads continued popping up, but after numerous emails to Craigslist, they were all removed.

Last week I posted a new ad, and within minutes, I received the following email:

Subject: RENTAL INQUIRY!!hope to hear from you soon

Hello Robert,

Let me know if the room/apt you advertise on craigslist.com is still available and let me know if you can accept certified cashier check as mode of payment..And the last price for the space.

I’m presently in Belgium.I will be coming immediately the place is vacant for me to move in.But the issue is that because of the distance i wont be able to come to see the place.Meanwhile let me tell you a ill about myself..I don’t smoke and I don’t have boyfriend.Am Sarah Smith and my nick name is SERA and am 26years old i lost my dad some years back when i was young so my mom had to remarry so she married to Mr Scott Michael who is my step dad now..He has been the one who has been taking care of me all this while i believe he is a God sent to me cux i have never regretted moment with him..Things i like are as follows reading,swimming and chatting with people around me and also make them happy..I have always been thinking of how i will affect peoples life positively by making donations to the less privileges cus when i looked at my pass when i lost my dad from the story my mom told me..I noticed it is not easy for people that as no parent.Well i hope when we meet in person you will know more about me..Meanwhile my step dad will need the followings to make payment to you ASAP..

1.Your name and surname.
2.Address in full with the zip code..
3.I will need your phone number

I wait to have this information from you so that my step dad can make payment for the rental fee and security deposit in advance … I Await to hear from you….

Hope to hear from you pretty soon.

Thanks, SARAH

It’s easy to dissect this scam. The person who sent this email has two goals. First, the scammer wants to build a relationship with his or her mark. He or she provides a (horribly written) story in an attempt to establish trust. The victim is then more likely to fall for the scam, following the scammer’s instructions and conducting the necessary financial transactions. Many victims are foolish enough to provide account numbers or other personal identitifying information. Second, the scammer is setting up an affinity, or advance fee scam. In such a con, the scammer mails you a check. You deposit this check in your bank account, and it temporarily clears. In that limited window of time, the scammer will request that you return some or all of the money. He may claim to have changed his mind about renting or buying from you, or that he accidently made the original check out for more than the agreed upon sum. So you wire the money back. Within a day or two, the bank calls to let you know that the original check was counterfeit. So you’ve lost the money you wired to the scammer.

How can you protect yourself from scams like this, or other scams that take advantage of online classified ads? Use common sense, be smart, and pay attention. If you do that, you won’t fall for these types of cons.

When we were young, our parents told us not to talk to strangers. Strangers are not yet part of our trusted circle. So don’t trust them! There’s no benefit to paranoia, but being a little guarded can prevent you from stumbling into a vulnerable situation.  Since predators use online classifieds to lure unsuspecting victims, you should find out as much as possible about strangers who contact you. Use Google or iSearch.com to investigate names and email addresses.

Whenever possible, deal locally. People who cannot meet you in your town are more likely to be scammers. And even when you do meet in person, you should be wary.

Never engage in online transactions involving credit cards, cashier’s checks, money orders, personal checks, Western Union, MoneyGram or cash, that require you to send money to a stranger in response to money they have sent you. This is an advance fee scam.

Be smart. Don’t disclose your financial information, including account or Social Security numbers, for any reason. Scammers will say anything in order to get this information.

Prevent check fraud. When sending checks in the mail, you want to prevent “check washing,” which occurs when they recipient alters the name of the payee and increases the dollar amount, draining your checking account. Something as simple and inexpensive as a select uni-ball pen can help. These pens contain specially formulated gel ink (trademarked Uni-Super Ink™) that is absorbed into the paper’s fibers and can never be washed out.

Secure your PC. Make sure your PC is protected with McAfee anti-virus software and all your critical security patches in your operating system are up to date.

Protect your identity. You can’t prevent all forms of identity theft. However you can significantly reduce your risk by making a small investment in your personal security by investing in Intelius Identity Protect or considering the options described in this blog post.

Robert Siciliano identity theft speaker discussing advanced fee scams

Check Fraud Identity Theft is Rising

Robert Siciliano Identity Theft Expert

As opening new lines of credit becomes more difficult, identity thieves are gravitating toward check fraud.

Check fraud is a billion dollar problem. As predicted by the Identity Theft Resource Center, check fraud, which accounted for 12% of financial crimes in 2007, increased to 17% in 2008. According to the American Bankers Association Deposit Account Fraud Survey Report, $969 million were stolen via check fraud in 2006, up from a reported $677 million in 2003. Of the $969 million dollars lost to check fraud, 38% was stolen through return deposit scams, 27% was stolen using cloned checks, 28% was stolen using counterfeit checks,  and 7% was stolen by altering or washing checks.

In an article in The New York Post, a brazen ring of thieves enlisted crooked bank tellers to run a check fraud scheme that was brought down when the crooks made the mistake of forging checks from a NYPD account. Two criminal hacker ringleaders organized the counterfeit scam, using 950 “soldiers,” or “mules,” to deposit and cash counterfeit checks, netting them millions of dollars. Three bank tellers were involved, stealing and selling customer profiles which included names, Social Security numbers, and account numbers. Insider identity theft of this kind accounts for up to 70% of all instances of identity theft.

Check fraud victims include banks, businesses and consumers themselves. Our current system for cashing checks is somewhat flawed. Checks can be cashed and merchandise can be purchased even when there is no money in the checking account.

I presented a program on motivation and self-improvement at a women’s prison in Massachusetts a few years back. I requested a little background on the women I was speaking to, just because I watch too many movies and I wanted to know if there was any possibility I’d get shanked. The case worker informed me that about 80% of the women were incarcerated for check fraud and shoplifting. It seems that when some people get a checkbook, they consider it an opportunity to print money.

There are numerous forms of check fraud:

Forged signatures are the easiest form of check fraud. These are legitimate checks with a forged signature. This can occur when a checkbook is lost or stolen, or when a home or business is burglarized. An individual who is invited into your home or business can rip a single check from your checkbook and pay themselves as much as they like. Banks don’t often verify signatures until a problem arises that requires them to assign liability.

Forged endorsements generally occur when someone steals a check and cashes or deposits it. There’s really nothing anyone can do to protect themselves from this, aside from guarding their checks and going over their bank statements carefully.

Counterfeit checks can be created by anyone with a desktop scanner and printer. They simply create a check and make it out to themselves. In order to prevent your checks from being counterfeited, make sure you shred all canceled checks before throwing them away, and be sure to lock up any checks in your home or office. Consider a locked mailbox so nobody can access your bank statements. You should also seriously consider using online banking exclusively, and discontinuing paper statements.

Check kiting or check floating usually involves two bank accounts, where money is transferred back and forth, so that they appear to contain a balance which can then be withdrawn. A check is deposited in one account, then cash is withdrawn despite the lack of sufficient funds to cover the check. In this case, it’s generally the bank or whoever cashed the check that gets burnt, unless they are able to go after the person who used their own account.

Check washing involves altering a legitimate check, changing the name of the payee and often increasing the amount. This is the sneakiest form of check fraud. When checks or tax-related documents are stolen, either from the mail or by other means, the ink can be erased using common household chemicals such as nail polish remover. This allows the thieves to endorse checks to themselves. In this case, something as simple and inexpensive as a select uni-ball pen can help. Select uni-ball pens contain specially formulated gel ink (trademarked Uni-Super Ink™) that is absorbed into the paper’s fibers and can never be washed out. The pen costs two bucks and is available at any office supply store.

If you write a check to pay a bill and then put it in your mailbox for the postal carrier to deliver, you put yourself at a higher risk for check fraud. Thieves see that red flag up and go phishing for checks. I suggest using a uni-ball pen and taking checks directly to the post office, or dropping them in a big blue mailbox.

If you plan to do any online banking, which millions do, make sure your PC is protected with McAfee anti-virus software and all your critical security patches in your operating system are up to date.

Robert Siciliano identity theft speaker discussing identity fraud and security

Requests For Social Security Numbers Leads to Identity Theft

Robert Siciliano Identity Theft Expert

A patient at a Washington state medical clinic was asked for his Social Security number numerous times. Many of us have endured this familiar process. Considering the recent buzz about identity theft, this patient became concerned about releasing his own sensitive personal data, and requested that the facility remove his Social Security number from their records. The clinic refused, the patient put up a stink, and was ultimately ejected from the facility. The clinic considered his request unreasonable, and a violation of their rules and regulations. So, who’s right and who’s wrong in this scenario?

One Saturday afternoon, years ago, my spouse and I went to a major chain that rents videos. Without naming them, let’s just say they rent some block buster movies. The account was under my wife’s name, but she didn’t have her card with her that day. Upon checkout, the pimply faced 17-year-old clerk said, “No problem,” and asked for her Social Security number, which appeared on the screen in front of him. I freaked out and was ejected from the store. So, who’s right and who’s wrong?

In both cases, the customer is wrong. That may not be the answer you were expecting. I was wrong and the patient was wrong.

In general, routine information is collected for all hospital patients, including the patient’s name, address, date of birth, Social Security number, gender and other specific information that helps them verify the individual’s identity, as well as insurance enrollment and coverage data. And due to federally mandated laws like HIPAA, they are careful to maintain confidentiality of all patient information in their systems.

Corporations such as banks, credit card companies, automobile dealers, retailers and even video rental stores who grant credit in any form are going to ask for your name, address, date of birth, Social Security number and other specific information that helps them verify your identity and do a quick credit check to determine their risk level in granting you credit.

The Social Security Administration says, “Show your card to your employer when you start a job so your records are correct. Provide your Social Security number to your financial institution(s) for tax reporting purposes. Keep your card and any other document that shows your Social Security number on it in a safe place. DO NOT routinely carry your card or other documents that display your number.” But beyond that they have no advice and frankly, no authority.

Over the past fifty years, the Social Security number has become our de facto national ID. While originally developed and required for Social Security benefits, “functionality creep” occurred. Functionality creep occurs when an item, process, or procedure designed for a specific purpose ends up serving another purpose, which it was never intended to perform.

Here we are decades later, and the Social Security number is the key to the kingdom. Anyone who accesses your number can impersonate you in a hospital or bank. So what do you do when asked for your Social Security number? Many people are refusing to give it out and quickly discovering that this creates a number of hurdles they have to overcome in order to obtain services. Most are often denied that service, and from what I gather, there is nothing illegal about any entity refusing service. Most organizations stipulate access to this data in their “Terms of Service” that you must sign in order to do business with them. They acquire this data in order to protect themselves. By making a concerted effort to verify the identities of their customers, they establish a degree of accountability. Otherwise, anyone could pose as anyone else without consequence.

So where does this leave us? I have previously discussed “Identity Proofing,” and how flawed our identification systems are, and how we might be able to tighten up the system. But we have a long way to go before we are all securely and effectively identified. So, in the meantime, we have to play with the cards we are dealt in order to participate in society and partake in the various services it offers. So, for the time being, you’re going to have to continue giving up your Social Security number.

I give up mine often. I don’t like it, but I do things to protect myself, or at least reduce my vulnerability:

How to protect yourself;

  • You can refuse to give your Social Security number out. This may lead to a denial of service or a request that you, the customer, jump through a series of inconvenient hoops in order to be granted services. When faced with either option, most people throw their arms in the air and give out their Social Security number.
  • You can invest in identity theft protection.
  • You can attempt to protect your own identity, by getting yourself a credit freeze, or setting up your own fraud alerts. You can use Google news alerts to sweep the net and take precautions to prevent social media identity theft.
  • Protect your PC. Regardless of what others do with your Social Security number, you still have to protect the data you have immediate control over. Make sure to invest in Internet security software.

Robert Siciliano, identity theft speaker, discusses the ubiquitous use of Social Security numbers.

What have you done in the past when asked for your SSN? Did you refuse? What happened?