I think it is truly starting to get out of control. Everyone has jumped on the $1 Million Dollar guarantee as a standard offering for identity theft services.
The value of what you really would get out of that is somewhat questionable. But now I recently noticed that one of the service companies has stepped up the guarantee to $2 Million Dollars.
Well count me in then! I was on the fence for the $1 million, but if they are offering $2 million, that is the ticket. How can I resist?
Are people out there really that foolish? Is upping the artificial "air in a bottle" service guarantee going to suck people in or away from the competition?
I wonder who will be the first to hit the $10 million guarantee mark.
At that point why not just up it to $100 million?
Are you worth a million dollars, how about $2 million? If you are, you most likely have that kind of coin in a brokerage account. Most of them now after E-trade started the trend, cover any fraud losses to your account.
The average loss or theft is in the low thousands with much of that being covered. Our company research has shown that many end up with minimal actual out of pocket expenses.
Their biggest loss is time, effort, anxiety, frustration, in cleaning up the mess left behind. We suggest people start placing a dollar value on that and collect from those companies.
If you receive a fraud alert no matter what is says, this is what it means:
" SOMEONE HAS YOUR PERSONAL INFORMATION......we stopped them from opening up a credit account....... since a thief already has stolen your info, we really can't tell you what else they may do with it"
Friday, April 4, 2008
Tuesday, April 1, 2008
Public becoming more Savvy to Identity Theft Services
A recent story on ABC 7 in San Francisco pointed out the value or lack thereof for services by an identity theft service that charges over $100 a year and pointed out to their viewers how to perform the same services yourself easily and free.
But what we found to be the best comment was followed by a person who pointed out that any alert to fraudulent activity is NOT PREVENTION. If you are alerted to anything by any service you have already been compromised .
Finally, people are seeing the light and recognizing that being alerted does not equal being protected . The damage has been done. You will need to scramble to figure out what the thieves who already have your information are going to do with it next.
This is why defending your identity first and foremost is much more beneficial and easier than finding out you've been alerted.
But what we found to be the best comment was followed by a person who pointed out that any alert to fraudulent activity is NOT PREVENTION. If you are alerted to anything by any service you have already been compromised .
Finally, people are seeing the light and recognizing that being alerted does not equal being protected . The damage has been done. You will need to scramble to figure out what the thieves who already have your information are going to do with it next.
This is why defending your identity first and foremost is much more beneficial and easier than finding out you've been alerted.
Friday, March 28, 2008
The value of one Social Security Number in ID theft
People need to understand how valuable that simple 9 digit social security number really is to an identity thief.
A Chicago area man racked up just under under $300,000 in debt with one womans Social Security number. His purchases included a Range Rover and a home.
Apparently this has been going on since June 2005.
An unfortunate event like this points out how far one person can go with one very crucial piece of information. While most studies point out that losses are generally much smaller, those numbers are averages and will be meaningless to this victim.
She is left picking up the pieces of this man's crime spree. Will she be out the $300,000? Definitely not, but she will be required to file numerous complaints and documents to prove she was not involved or had nothing to do with this crime. She has to exonerate herself first before any financial institution will release her from these debts.
She will spend many hours with various agencies clearing the debris from this. In the end it will cost her time, energy, anxiety, and frustration. She will likely need to take time off from work to handle certain situations.
Will she be out any money? To a large extent no, but what about time from work especially if she is self employed, gas money to travel to a police station to file an affidavit, a trip to a attorneys office, possibly a bank visit, cost of parking an so on. It can add up. Every step of the way will be filled with anger and frustration that she has to go through all this for something that she had nothing to do with.
What she should realize somewhere along this journey, is that people can do things to either avoid this, or prevent it from getting out of control.
This thief obtained her number from somewhere. The fact that he used this one for so long indicates it was likely the only one he had and found it somewhere, either in the mail, trash, on an old document, maybe in a wallet he found or stole.
Where she went wrong was allowing this to go on for 30 months. If she had been actively checking her credit reports, or had a credit freeze placed on her accounts, or fraud alerts put in place, much of this would have been avoided. She should also reflect back on where she may have provided her SSN or lost any personal information.
A little bit of prevention or mitigation would have gone a long way. It is up to you to defend your identity. This unfortunate circumstance with one person and one SSN is why.
A Chicago area man racked up just under under $300,000 in debt with one womans Social Security number. His purchases included a Range Rover and a home.
Apparently this has been going on since June 2005.
An unfortunate event like this points out how far one person can go with one very crucial piece of information. While most studies point out that losses are generally much smaller, those numbers are averages and will be meaningless to this victim.
She is left picking up the pieces of this man's crime spree. Will she be out the $300,000? Definitely not, but she will be required to file numerous complaints and documents to prove she was not involved or had nothing to do with this crime. She has to exonerate herself first before any financial institution will release her from these debts.
She will spend many hours with various agencies clearing the debris from this. In the end it will cost her time, energy, anxiety, and frustration. She will likely need to take time off from work to handle certain situations.
Will she be out any money? To a large extent no, but what about time from work especially if she is self employed, gas money to travel to a police station to file an affidavit, a trip to a attorneys office, possibly a bank visit, cost of parking an so on. It can add up. Every step of the way will be filled with anger and frustration that she has to go through all this for something that she had nothing to do with.
What she should realize somewhere along this journey, is that people can do things to either avoid this, or prevent it from getting out of control.
This thief obtained her number from somewhere. The fact that he used this one for so long indicates it was likely the only one he had and found it somewhere, either in the mail, trash, on an old document, maybe in a wallet he found or stole.
Where she went wrong was allowing this to go on for 30 months. If she had been actively checking her credit reports, or had a credit freeze placed on her accounts, or fraud alerts put in place, much of this would have been avoided. She should also reflect back on where she may have provided her SSN or lost any personal information.
A little bit of prevention or mitigation would have gone a long way. It is up to you to defend your identity. This unfortunate circumstance with one person and one SSN is why.
Thursday, March 20, 2008
HealthNow New York Shows How to Mishandle a Data Loss
Healthow a healthcare claims provider in upstate New York has earned a spot on our office identity theft "Wall of Shame" this month for totally blowing how to handle a data loss then offering a service they will do next to nothing and the high cost will ultimately be passed on to their employers or members directly.
Last week the Buffalo, New York claims provider sent letters to 40,000 members alerting them to a possible loss of personal information. An employee downloaded patient information and then apparently lost the laptop. Apparently this happened many months ago and they first “spent an exorbitant amount of time” to try and locate the laptop, which they still believe is in the company’s building.
This company is responsible for keeping track of medical and health records of thousands and they want people to believe that they are just sitting on a laptop they cannot find. Maybe when they clean their room it will turn up. What are they, a 10 year old? It does not give me much confidence and points to pure lack of control on their part.
Then they make a second attempt at pacification by stating they are not even sure what information it contained. Teenagers deploy keyloggers, governors get their text messages exposed, malware can track every click of a mouse, and parents can track and view everything a child does on a computer for $39, but a healthcare organization of this magnitude has not a clue what their employee downloads from their database.
The employee is now a former employee but apparently they are still in contact with him. Another vote of confidence.
And the final nail in the coffin is this statement: “With all of the factors and orchestrating credit monitoring, we do believe our response time has been reasonable. Reasonable? For who? Around 4 months has passed and any chance of giving the people a heads up to potential fraud is all but vanished.
If you read between the lines....the laptop has sensitive information on it, they know it, that is why they looked for it for months. Better to not have to be exposed. The former employee who left for another job, fired within a week of the loss or theft. That laptop with sensitive information is long gone, they know it. Now, backed into a corner and options have run out, time to air the dirty laundry.
And to throw out a useless bone, free credit monitoring for a year. When you get alerted by the agency that someone tried to open an account in your name, you'll sleep better knowing a stranger definitely has your personal information and is trying to use it. Credit monitoring will alert you right away that a thief has opened up and used $10,000 of credit in your name. That way you can start the mop up and recovery process.
But wait, the thief may not be done with your information. They will use it for draining existing bank accounts, or for a criminal arrest and then the patient or victim get s warrants issued against them for not appearing in court. It will be useful when medical services are provided to the thief, or prescriptions are obtained then sold illegally on the street. It is handy for a disability claim , or sell to an illegal immigrant to get a job. So much for the monitoring bone, won't help with any of this.
There are pro-active ways to defend yourself against many of these pitfalls, but knowing about them in a timely manner is key.
Last week the Buffalo, New York claims provider sent letters to 40,000 members alerting them to a possible loss of personal information. An employee downloaded patient information and then apparently lost the laptop. Apparently this happened many months ago and they first “spent an exorbitant amount of time” to try and locate the laptop, which they still believe is in the company’s building.
This company is responsible for keeping track of medical and health records of thousands and they want people to believe that they are just sitting on a laptop they cannot find. Maybe when they clean their room it will turn up. What are they, a 10 year old? It does not give me much confidence and points to pure lack of control on their part.
Then they make a second attempt at pacification by stating they are not even sure what information it contained. Teenagers deploy keyloggers, governors get their text messages exposed, malware can track every click of a mouse, and parents can track and view everything a child does on a computer for $39, but a healthcare organization of this magnitude has not a clue what their employee downloads from their database.
The employee is now a former employee but apparently they are still in contact with him. Another vote of confidence.
And the final nail in the coffin is this statement: “With all of the factors and orchestrating credit monitoring, we do believe our response time has been reasonable. Reasonable? For who? Around 4 months has passed and any chance of giving the people a heads up to potential fraud is all but vanished.
If you read between the lines....the laptop has sensitive information on it, they know it, that is why they looked for it for months. Better to not have to be exposed. The former employee who left for another job, fired within a week of the loss or theft. That laptop with sensitive information is long gone, they know it. Now, backed into a corner and options have run out, time to air the dirty laundry.
And to throw out a useless bone, free credit monitoring for a year. When you get alerted by the agency that someone tried to open an account in your name, you'll sleep better knowing a stranger definitely has your personal information and is trying to use it. Credit monitoring will alert you right away that a thief has opened up and used $10,000 of credit in your name. That way you can start the mop up and recovery process.
But wait, the thief may not be done with your information. They will use it for draining existing bank accounts, or for a criminal arrest and then the patient or victim get s warrants issued against them for not appearing in court. It will be useful when medical services are provided to the thief, or prescriptions are obtained then sold illegally on the street. It is handy for a disability claim , or sell to an illegal immigrant to get a job. So much for the monitoring bone, won't help with any of this.
There are pro-active ways to defend yourself against many of these pitfalls, but knowing about them in a timely manner is key.
Saturday, February 23, 2008
FTC Identity Theft Data Causes Skewed Views
The FTC has issued the latest report for 2007 on Consumer Fraud and Identity Theft Complaint Data. With no great shock or surprise identity theft is still the number one complaint by a long shot being 32% of the reported 813,899 total complaints reported. The next closest category was Shop at Home/ Catalog Sales with a mere 8%. There were 20 categories in all and the bottom 13 categories were each 2% or less.
This is a good report as it paints many pictures but at the same time skews the reality due to how the information is collected.
Certain areas of the
Because the reporting is entirely voluntary lends more of an explanation as to why some states have more incidences than others. The reality of identity theft crime statistics goes much deeper than the simplistic overview of the charts of this report.
A Skewed View
I have read a number of articles from various states that have had a decrease in the number of incidences reported to the FTC are feeling incredibly good about it. They are utilizing this information to pat themselves on the back. In
But kudos goes to the Wisconsin Bankers Association who says the FTC information does not reflect what they are seeing.
Take a state such as
No signs of abatement
One thing can be said with certainty is that identity theft is not showing any significant signs of abatement.
With all of the services available to stop this, and alert you of that, and the thousands that are paying monthly fees, one would expect this number would be dropping dramatically, or at least see a slight dent in the numbers.
But then again if you rely on some reporting agency with a subscription service you pay monthly to tell you someone has your information and tried to open some type of account in your name, the theft has already happened and is likely eligible to be reported to the FTC anyway. Paying money each month to have someone tell you a theft has occurred will not change the fact that a thief already has your information.
Reporting to the Police
What is still shocking in this report is the number of people who did not report the crime to a police agency which was 65% or 158,535. Why they chose not to is a mystery that we are looking into, but even more disturbing was the revelation that of the 35% that did take the time to report the crime 8% of those did not get a report taken from the police.
The reality of what was going on at the time is the police are looking around the precinct when a victim calls or shows up. They see they have 2 muggers, a car thief, and an arsonist all waiting to be booked and processed. An identity theft victim comes in declaring a theft that by appearances likely occurred across state lines or out of the country. The probability of an arrest is remote, but the headache of the extra paperwork 100% guaranteed.
The message sent is this is a crime to be treated lightly by consumers and the some (not all) police agencies are not be doing enough to encourage or educate people in how to protect themselves. If thousands are turned away and led to believe the police can do nothing, then a feeling of helplessness will likely prevail.
The best defense is self defense. A majority of identity theft starts with people leaving the gates to their identity open and allowing the fraud to occur.
Wednesday, February 6, 2008
Is your W-2 missing from your mailbox this week?
This really is about the golden ticket for an ID thief, your W-2. It has everything they need to get started being you. That form is your link between your employer, you, and the federal government. It is the one item in your mailbox this time of year that the thieves know is coming and has your vital social security number on it.
The beauty of that golden ticket is they are sitting in millions of mailboxes this week waiting for you to save it from the grasp of an identity thief. Didn’t get yours yet? Did your employer mail it out already to an unlocked curbside ID thief treasure chest, also known as a mailbox? You might want to start inquiring now.
What makes this so easy for the thieves is you have been receiving it in this manner forever and it has never been a problem. You know it is coming; you wait for it almost, especially if you are anticipating a refund. Many also know that their employer is required to issue them no latter that the last day of January. For those who choose not to hand it directly to the employees, they use the always reliable, United States Postal Service.
The safety net ends there. Once it is placed in that old trusted receptacle on your house, by the curb, at the end of a long driveway, or in a communal type apartment system, it is fair game to anyone who happens by.
That’s what makes you so vulnerable. An old system that seemed stable and reliable is now being exploited on a grand scale by identity thieves who rely on you to think that it will not happen. Ask 1 out of every 30 Americans last year who thought the same way. They will beg to differ.
Thursday, January 31, 2008
Federal government rebate scams continue to grow and flourish
Two days ago I wrote about the issue of all the talk of the federal rebates and how fraudsters, scammers and ID thieves would come out of the woodwork to capitalize on it from unsuspecting and eager individuals. I had listed the common tactics that thieves will be using as reminders for what to be cautious about but it is already going well beyond those and getting people engaged from every possible angle.
Here is a list of the latest scams brought to the attention of the IRS:
Rebate Phone Call
At least one scheme using the word "rebate" as part of the lure has been identified. In that scam, consumers receive a phone call from someone identifying himself as an IRS employee. The caller tells the targeted victim that he is eligible for a sizable rebate for filing his taxes early. The caller then states that he needs the target´s bank account information for the direct deposit of the rebate. If the target refuses, he is told that he cannot receive the rebate.
This phone call is a scam. No legislation has yet been enacted that would allow the IRS to provide advance payments to taxpayers or that determines the details of those payments. Moreover, the IRS does not force taxpayers to use direct deposit. Those who opt for direct deposit do so by completing the appropriate section of their tax return, with bank routing and account information, when they file; the IRS does not gather the information by telephone.
Refund e-Mail
The IRS has seen several variations of a refund-related bogus e-mail which falsely claims to come from the IRS, tells the recipient that he or she is eligible for a tax refund for a specific amount, and instructs the recipient to click on a link in the e-mail to access a refund claim form. The form asks the recipient to enter personal information that the scamsters can then use to access the e-mail recipient´s bank or credit card account.
In a new wrinkle, the current version of the refund scam includes two paragraphs that appear to be directed toward tax-exempt organizations that distribute funds to other organizations or individuals. The e-mail contains the name and supposed signature of the Director of the IRS´s Exempt Organizations business division.
This e-mail is a phony. The IRS does not send unsolicited e-mail about tax account matters to individual, business, tax-exempt or other taxpayers.
Filing a tax return is the only way to apply for a tax refund; there is no separate application form. Taxpayers who wish to find out if they are due a refund from their last annual tax return filing may use the "Where´s My Refund?" interactive application on this Web site, IRS.gov. The only official IRS Web site is located here at www.irs.gov.
Audit e-Mail
Another new scam brought to IRS attention contains features not seen before by the IRS. Using a technique calculated to get almost anyone´s attention, the e-mail notifies the recipient that his or her tax return will be audited. This is the first scam of which the IRS is aware that uses this to get the victim to respond.
Unusual for a scam e-mail, it may contain a salutation in the body addressed to the specific recipient by name. Most scam e-mails seen by the IRS are sent using the same technique used by spammers, in which hundreds of thousands of messages are sent to potential victims based on Internet address. Because of the volume, the typical scam e-mail is not personalized.
This e-mail instructs the recipient to click on links to complete forms with personal and account information, which the scammers will use to commit identity theft.
This e-mail is a phony. The IRS does not send unsolicited, tax-account related e-mails to taxpayers.
Changes to Tax Law e-Mail
This bogus e-mail is addressed to businesses, accountants and "Treasury" managers. It instructs them to download information on tax law changes by clicking on a series of links to publications on businesses, estate taxes, excise taxes, exempt organizations and IRAs and other retirement plans. The IRS believes that clicking on a link downloads malware onto the recipient´s computer. Malware is malicious code that can take over the victim´s computer hard drive, giving someone remote access to the computer, or it could look for passwords and other information and send them to the scamster. There are other types of malware, as well.
The urls contained in the link are not legitimate IRS Web addresses. All IRS.gov Web page addresses begin with http://www.irs.gov/.
Paper Check Phone Call
In a current telephone scam, a caller claims to be an IRS employee who is calling because the IRS sent a check to the individual being called. The caller states that because the check has not been cashed, the IRS wants to verify the individual´s bank account number. The caller may have a foreign accent.
In reality, the IRS leaves it entirely up to the individual to choose to cash or not cash a paper check. The IRS has no business need to know, and does not ask for, bank account or similar information, except when taxpayers indicate on their tax return that they are opting for the direct electronic deposit of their refund. In that case, however, it is the individual´s responsibility to provide the IRS with the correct bank routing and account numbers on the tax return; the IRS does not contact taxpayers to verify the information.
What to Do
Anyone wishing to access the IRS Web site should initiate contact by typing the IRS.gov address into their Internet address window, rather than clicking on a link in an e-mail or opening an attachment.
Those who have received a questionable e-mail claiming to come from the IRS may forward it to a mailbox the IRS has established to receive such e-mails, phishing@irs.gov, using instructions contained in an article titled "How to Protect Yourself from Suspicious E-Mails or Phishing Schemes." Following the instructions will help the IRS track the suspicious e-mail to its origins and shut down the scam. Find the article by visiting IRS.gov and entering the words "suspicious e-mails" into the search box in the upper right corner of the front page.
Those who have received a questionable telephone call that claims to come from the IRS may also use the phishing@irs.gov mailbox to notify the IRS of the scam.
Here is a list of the latest scams brought to the attention of the IRS:
Rebate Phone Call
At least one scheme using the word "rebate" as part of the lure has been identified. In that scam, consumers receive a phone call from someone identifying himself as an IRS employee. The caller tells the targeted victim that he is eligible for a sizable rebate for filing his taxes early. The caller then states that he needs the target´s bank account information for the direct deposit of the rebate. If the target refuses, he is told that he cannot receive the rebate.
This phone call is a scam. No legislation has yet been enacted that would allow the IRS to provide advance payments to taxpayers or that determines the details of those payments. Moreover, the IRS does not force taxpayers to use direct deposit. Those who opt for direct deposit do so by completing the appropriate section of their tax return, with bank routing and account information, when they file; the IRS does not gather the information by telephone.
Refund e-Mail
The IRS has seen several variations of a refund-related bogus e-mail which falsely claims to come from the IRS, tells the recipient that he or she is eligible for a tax refund for a specific amount, and instructs the recipient to click on a link in the e-mail to access a refund claim form. The form asks the recipient to enter personal information that the scamsters can then use to access the e-mail recipient´s bank or credit card account.
In a new wrinkle, the current version of the refund scam includes two paragraphs that appear to be directed toward tax-exempt organizations that distribute funds to other organizations or individuals. The e-mail contains the name and supposed signature of the Director of the IRS´s Exempt Organizations business division.
This e-mail is a phony. The IRS does not send unsolicited e-mail about tax account matters to individual, business, tax-exempt or other taxpayers.
Filing a tax return is the only way to apply for a tax refund; there is no separate application form. Taxpayers who wish to find out if they are due a refund from their last annual tax return filing may use the "Where´s My Refund?" interactive application on this Web site, IRS.gov. The only official IRS Web site is located here at www.irs.gov.
Audit e-Mail
Another new scam brought to IRS attention contains features not seen before by the IRS. Using a technique calculated to get almost anyone´s attention, the e-mail notifies the recipient that his or her tax return will be audited. This is the first scam of which the IRS is aware that uses this to get the victim to respond.
Unusual for a scam e-mail, it may contain a salutation in the body addressed to the specific recipient by name. Most scam e-mails seen by the IRS are sent using the same technique used by spammers, in which hundreds of thousands of messages are sent to potential victims based on Internet address. Because of the volume, the typical scam e-mail is not personalized.
This e-mail instructs the recipient to click on links to complete forms with personal and account information, which the scammers will use to commit identity theft.
This e-mail is a phony. The IRS does not send unsolicited, tax-account related e-mails to taxpayers.
Changes to Tax Law e-Mail
This bogus e-mail is addressed to businesses, accountants and "Treasury" managers. It instructs them to download information on tax law changes by clicking on a series of links to publications on businesses, estate taxes, excise taxes, exempt organizations and IRAs and other retirement plans. The IRS believes that clicking on a link downloads malware onto the recipient´s computer. Malware is malicious code that can take over the victim´s computer hard drive, giving someone remote access to the computer, or it could look for passwords and other information and send them to the scamster. There are other types of malware, as well.
The urls contained in the link are not legitimate IRS Web addresses. All IRS.gov Web page addresses begin with http://www.irs.gov/.
Paper Check Phone Call
In a current telephone scam, a caller claims to be an IRS employee who is calling because the IRS sent a check to the individual being called. The caller states that because the check has not been cashed, the IRS wants to verify the individual´s bank account number. The caller may have a foreign accent.
In reality, the IRS leaves it entirely up to the individual to choose to cash or not cash a paper check. The IRS has no business need to know, and does not ask for, bank account or similar information, except when taxpayers indicate on their tax return that they are opting for the direct electronic deposit of their refund. In that case, however, it is the individual´s responsibility to provide the IRS with the correct bank routing and account numbers on the tax return; the IRS does not contact taxpayers to verify the information.
What to Do
Anyone wishing to access the IRS Web site should initiate contact by typing the IRS.gov address into their Internet address window, rather than clicking on a link in an e-mail or opening an attachment.
Those who have received a questionable e-mail claiming to come from the IRS may forward it to a mailbox the IRS has established to receive such e-mails, phishing@irs.gov, using instructions contained in an article titled "How to Protect Yourself from Suspicious E-Mails or Phishing Schemes." Following the instructions will help the IRS track the suspicious e-mail to its origins and shut down the scam. Find the article by visiting IRS.gov and entering the words "suspicious e-mails" into the search box in the upper right corner of the front page.
Those who have received a questionable telephone call that claims to come from the IRS may also use the phishing@irs.gov mailbox to notify the IRS of the scam.
Identity Theft “Prevention” Defined Accurately
Everybody that talks about prevention uses the word in a different way. It is about perspective. Here is an example:
Think about how you would feel if this scenario happened: Your bank called and said “someone infiltrated your savings account and they have been making withdrawals regularly for the last three months. Your account has been drained of $25,000 but due to our diligence we stopped it and you still have $15,000 left. We have effectively prevented the thief from draining your account. We thought you’d like to know we mitigated your loss.”
Was there any prevention here? Absolutely! Are you going to be happy about it? I doubt it. People are paying big money for a false sense of the word “prevention”. They are really paying for and getting “mitigation”.
Now let’s compare the words “prevention” and “mitigation”:
pre·ven·tion [ pri vénshən ] (plural pre·ven·tions)
action that stops something from happening: an action or actions taken to stop somebody from doing something or to stop something from happening
- the prevention of crime
mit·i·gate [ mítti gàyt ] (past and past participle mit·i·gat·ed, present participle mit·i·gat·ing, 3rd person present singular mit·i·gates)
lessen something: to make something less harsh, severe
When put in the context of identity theft: Everyone uses the word prevention when they are referring to credit freeze, fraud monitoring and credit reports, and credit monitoring, data scouring etc.
Now let’s look at it from the context of the consumer: Prevention would be keeping my information completely secure and preventing it from being stolen in the first place.
Real prevention is thwarting the theft of your personal information. Securing your name so nobody uses it for anything. That is what ID theft “prevention” truly is.
If I rely on a credit report, a fraud alert or a credit freeze to stop something from happening, that means that SOMEONE ALREADY HAS OBTAINED MY PERSONAL INFORMATION ! A CRIME HAS ALREADY OCURRED! Now that does not sound like identity theft prevention at all, it most definitely is mitigation. Sure it may have plugged a small hole but in the grand scheme of the information that thief still has, it is like putting a bandage on a bullet wound.
So how can credit freeze, fraud monitoring and credit reports, and credit monitoring qualify as prevention? Well, they stopped something from happening, and that has some limited value, but now who has this information and where are they going with it next? Keep in mind if they have gone to the effort to steal your info, they are going to use it. A car thief does not steal a car and drive around in it until it runs out of gas. They are going to use the stolen device until it no longer meets their needs. The same with your identity, it could be used next for medical services, prescriptions, getting arrested, forging a check, and so on.
An ID theft recovery company stated under the guise of “prevention” that they look for changes in your existing accounts and they look for new accounts and transactions in your name. By doing this, they can detect someone's attempt to steal your identity before it gets too far and before any damage has been done. Sorry people, but if any of this is detected, the damage has been done. SOMEONE HAS ALREADY STOLEN YOUR IDENTITY! THEY HAVE YOUR PERSONAL INFORMAION AND ARE PUTTING IT TO USE! This should not be sugar coated as identity theft “prevention”. The prevention ship has sailed, it is now time to mitigate.
You will still have to wonder when or where they may use it next. And you still may have work to do, to get everything closed down, changed, modified etc. and you may never be completely sure you’ve plugged the gaps because how do you know your personal information has not been passed around or sold on the black market?
So how much is “mitigation” really worth? It is up to you, but most will pay much more for “prevention”.
True identity theft “PREVENTION” is about stopping the crime from occurring, and that starts with preventing and keeping your information out of the hands of the thieves to start with. True prevention is up to you! True prevention starts with you doing the right things with your personal information.
Don’t confuse paying for mitigation services and expect prevention. You may not end up being happy with the results.
Tuesday, January 29, 2008
Talk of federal government rebates gives identity thieves a fresh angle
It is on the news almost nightly, in the newspaper daily, and on the internet. We are hearing about it just about every day. To stimulate the economy, President Bush is working very hard to seal the deal for many Americans to get rebate checks from the federal government.
For many Americans all the talk of a bonus $600-$1200 check from the federal government is exciting news. Many would like to get it today if that were possible. Everyone wants to be sure the government has their correct name, address, and all the other pertinent information so there will not be a delay. Unfortunately, many will end up with their identity stolen instead.
The thieves will play on that anticipation of you wanting the extra cash as soon as possible and will deploy all the traditional and still effective tactics.
The more common and widespread tactics that will be used:
1)Phishing: Hundreds of millions of emails will go out across the country claiming to be from the IRS or the federal government and will direct you to a special website to verify your personal information. If you click on the link you will end up at an official looking site with all the federal seals making it look authentic. Some phishing sites will even have warning about identity theft on them to give them a more secure look to any visitor.
Red Flag: People have many different email accounts, the government does not use email to contact anyone. You do not supply an email on you tax return!
2)Vishing: This is like the email hunt for information, but you will get a phone call instead. It may be a live person, it may be a recording, it may be a recording asking you to call an 800 number back and verify your information. They may ask for your social security number, bank account number where you would like your check deposited, even a pin number for a debit account.
Red Flag: The federal government will not call you for anything like this, ever. What makes this method even more dangerous, thieves can purchase any name they want to appear on your caller ID, such as IRS Rebate, Federal Rebate Office, US Gov’t Rebate, or any combination of words to get you to believe the call is authentic.
3)Websites: There will be scores of websites popping up using search terms to get you to visit them. Such terms will be “IRS rebate” ,“Federal Rebate”, “ Government Rebate” to name a few. They will bank on people using searches in Google and MSN and Yahoo, to find out more information. The sites may bait people in by claiming if you enter your information now, you will get a check in 2 or 3 weeks. That expediency will be extremely enticing to many so they will get drawn in and become victims.
Red Flag: The only sites that may have any information about this program will be an existing one with quite a bit of other information as well. It will end with a .GOV suffix. Examples are IRS.Gov, SSA.Gov, WhiteHouse.Gov. Any site with an official sounding name but a different suffix is not a federal site. Example is IRS.com which is owned by banks.com and is a play to get you to use their services for tax filing.
4)US Postal Service Mail: You may get a letter or a post card in the mail asking you to verify your bank account or social security number or other sensitive information. It may ask you to call a specified number or go to a website and enter in information.
Red Flag: The government will be using tax returns from previous years records to determine eligibility and addresses. They are not going to mount a new campaign to update records and personal information. If you do get something in the mail from the IRS or other federal agency, take the time to verify the validity prior to acting on it.
None of these tactics are new, but the event that will trigger their upsurge is. Basically this is an extra bonus for identity thieves to prey on victims who will not see this coming because they are blinded by the thought of the dollar sign.
The only real way to combat this offensive is to think about the details before you act. Ask yourself a few common sense questions, and practice fire prevention vs. firefighting.
The best defense for your identity is self defense.
Monday, January 28, 2008
Attention grabbing survey sites could set the stage for ID theft
There are a number of sites that quiz you about yourself and then tell you something about yourself in return. Our site does that as well. We ask you information about your personal daily habits and use proprietary algorithms backed by research to gage your risk for ID theft with an output that is in an easy to understand ID Risk Level. No ads, no personal information requested, not even email.
Someone emailed me recently asking about other sites that have quizzes and pointed out a few in particular and asked me how safe they are even if just for fun.
Some sites, by piquing your interest in certain, even silly subjects, are looking for something. There are a number of sites that purport being able to tell you when you are going to die! Wonderful, that information will certainly come in handy. It makes my retirement investment planning so much easier.
Well, you’re not gullible, but you went there for fun, as a joke, just to see, etc. All in good fun as long as you are not giving them any personal information.
So what could a site like this really be after? Mainly ad revenue. By getting thousands of people to go through the site and take the “date of your death survey”, they land you in a seemingly never ending, page after page of offers for everything from free laptops to a cruise around the world to magazines and so on. The catch is you have to get past saying no to these or fill out a few with your personal information like name, address, phone number, email etc. and what seems to be fairly harmless information. Only, once you go past the myriad of ads asking you to fill in information will you get your “calculated” date with the grim reaper.
So I tried it at a site this person asked me about. I answered the few simple questions and then waited for my results, it had to be calculated, apparently they have a long connection to go through and the grim reaper’s WiFi was down. In the meantime, they graciously had me take review some of their fine offers and click “no” if not interested. I counted 97 (yes, I counted because I assumed it was going to be big) offers that I said “no” to and still was not given my much awaited date with death. I even filled in a few with some random misinformation thinking if they got me on one maybe they would cough up that date! Nothing. I literally gave up as it was appearing to be more and more of a perpetual scam. I guess I’ll need to keep my retirement plans in place for now.
Seriously though, what was really happening was a massive operation to get you to provide just the basics of personal information. Now the company that runs the site may only be a conduit and collecting ad dollars from the marketing agency who is the real culprit in this operation. Fill one out correctly with real information and you have just asked to receive a minimum of 100,000 emails with other exciting offers include. Hey, you asked!
That information may possibly be used by them directly for ID theft, Spamming, phishing, etc. They may sell it to others who will use it unscrupulously. Worse yet, you will be put on a sucker list. This is a list created about people who willingly provide information thinking they are going to win a prize. AKA in their business “a sucker”. ID thieves love suckers. They know they are the easiest of easy targets. The people who think they will really get something for nothing, the same people who ultimately will give the thieves the keys to their identity in much the same way. The thieves already know you are an optimists, and play that hand against you to the fullest.
So the next time you go to a site and think you are providing information that is harmless, looking for that humorous “date of your death” you may find out a new date, when your identity was stolen.
Friday, January 25, 2008
Prudential’s rock crumbles when it comes to securing personal information
Prudential Financial gets a spot on our office’s Identity Defense Wall of Shame this month. They had a temp worker collect personal information from a customer then the temp worker stole the customer’s identity to go on a three month, $70,000 spending spree!
According to the article about this event, Prudential takes customer information and security very seriously. We see that clearly from the end result of this encounter between a Prudential temp employee and a Prudential customer.
Stop and think about what happened here. A financial conglomerate worth $36 billion does not have the sense of how to secure personal information that it receives. Collecting customer information is the most volatile point in a transaction because it is up to the person who collects it as to how the information is treated. This is where Prudential’s security falls apart. The people collecting information should be trusted, longer term, well paid employees, who hopefully, will want to keep their job and have little or at least minimal incentive to steal. Instead they gave that crucial task to a 23 year old temp worker, who obviously did not care about his temp job and felt he needed to supplement his income.
I’m sure they spend millions on data security, and backup systems and passwords and encryption etc. As a financial institution they are required to have secure systems on all fronts. But no matter how big your walls are, or how many lines of defense you have, if you can’t complete step 1 and put the information into secure areas, it is useless. Picture your bank having the tellers leave all the money on the counters at night and still go lock the safe.
If Prudential has procedures in place, the management team is not reading the company manual. To be fair, this could easily happen with just about any employee and it is where a significant portion of all ID theft occurs. But when you assign tasks to someone who is not even an employee, then any incentive to do the right thing is minimized because there is no long term bond.
For the sake of all of their existing customers let’s hope they have a better system in place for securing their personal information.
Subscribe to:
Posts (Atom)
