New target for thieves: Your good name

Con artists can cloak themselves in your identity. Here's how they operate, how new laws address the threat, and how to protect yourself.

By Susan Harrington Preston
Senior Editor

They hit our mailbox," says Kansas City, MO, ophthalmologist John C. Hagan of a 1999 fraud. "My wife had put a bill in it, and they stole the bill." The Hagans had literally raised a red flag—the one on the side of the mailbox that shows there's mail to be picked up.

"They copied the check somehow so it was blank," Hagan explains. "Then they used it to deposit $3,500 in an account they'd opened in our bank."

The thieves opened the account in the bank the Hagans used because that way, the check would clear immediately. "They were part of a huge statewide check-forging ring," says Hagan. "Usually they'd deposit three or four checks and walk out with a couple thousand in cash. We found out when the bank called us about the check." The Hagans had to fill out notarized forms about the fraud, close the old bank account and open a new one, and pacify creditors who phoned to say they hadn't gotten paid.

Believe it or not, the Hagans were relatively lucky. One recent survey of 66 identity-theft victims found that fewer than half considered their cases closed. In the resolved cases, straightening out the records had taken an average of 23 months. The victims with open cases had averaged 44 months of such work to date.

Overall, victims had spent up to $2,000 cleaning up their credit problems, not counting $800 to $40,000 in lawyers' fees. The San Diego-based Privacy Rights Clearinghouse and the Sacramento-based California Public Interest Research Group conducted the study.

In each of the 10 worst cases, the thief became the victim's long-term evil twin: Caught committing another crime, the impostor gave police the victim's personal information upon arrest. Police investigated eight victims for crimes or issued warrants for their arrest. In one case, a thief was checked into federal prison in Chicago under the victim's name.

Doctors, with their high incomes, are particularly vulnerable to identity theft. Can you assure that it won't happen to you? Probably not, the Federal Trade Commission warns in its booklet, "ID Theft: When Bad Things Happen to Your Good Name." Still, you can take steps to improve the odds that you won't become a victim (see box below).

Where thieves learn all about you

Identity theft often begins with a low-tech crime. Someone takes your wallet, or breaks into your home to rifle through your drawers. Maybe thieves go "Dumpster diving" in your trash, looking for credit card offers and statements you've tossed. Or they file a change of address with your post office, or with credit card companies, so they can have their purchases—and bills—sent to a new address. It may be a while before you realize that you didn't get a bill for something you yourself charged, and the thief can use your card that much longer.

Prompt action will minimize the impact of identity theft (see box below). But it's not always easy to tell you're a victim. For instance, if you don't pay a credit card bill you didn't receive, your credit rating may take a hit long before you notice.

Even if you spot a theft right away, you can still have troubles. After FP Donald Turner of Huber Heights, OH, left his wallet behind at a Utah ski shop in 1999, he canceled his credit card promptly. A few hours later, he phoned the credit card company back to double check and learned that the thief had reactivated the card and bought more than $300 worth of merchandise.

"Back then, the issuer required only the final digits of your Social Security number and your ZIP code to reactivate the card," says Turner. His Social Security number was on his driver's license also in his wallet.

Usually, thieves need little stolen information to get a lot more. The most common tactic, according to Alexandria, VA, privacy consultant Robert Douglas, is "pretext" theft. After learning a few facts about you, the thief dupes a financial firm by pretending to be you, or dupes you by pretending to be a financial firm.

Another common scam: The thief poses as a landlord or potential employer, say, and deceives a credit-reporting company. It's legal for these firms to sell data for business purposes spelled out in the Fair Credit Reporting Act, the decades-old federal law that also gives consumers the right to check and correct their own credit records.

Credit-reporting firms typically sell abbreviated reports that include such information as Social Security number, address history, and maiden name. Armed with this information, thieves use your credit and bank accounts for their own benefit, or, in five out of six cases, open new accounts in your name. Those may be bank accounts, new-car loans, lines of credit, apartment rentals, and property leases.

Privacy: An ideal, not a reality

Among the information thieves can get, according to Douglas, are your shopping preferences, long distance phone records, pager records, 800 number records, medical records, and even your pets' names. That's why you shouldn't use easy-to-guess passwords for your ATM or credit cards. If a thief knows the dates of your wedding and birthday, your child's birthday, your SAT score, and so forth, sometimes all it takes to get into your accounts is to try each in turn.

"The truth is, almost anything can be learned about anybody in the United States today," Douglas told FDIC officials last year. "Privacy in the United States is too often just a concept, not a reality."

If a thief's source of information is a hospital or health system, a scam can affect many doctors. That's what happened to several physicians in a network health system last year. (We won't name the system, because the crime is still under investigation.) A "mole" in a network hospital apparently sold doctors' Social Security numbers and other personal information to would-be con artists.

An FP found out about it when a Pier One Imports store sent him a letter refusing credit. "Whoever filled out the application wasn't exactly a Rhodes scholar," the FP says. "They had my name and address, but no phone number. Pier One refused credit because they couldn't verify the information."

Fraud rings can use your professional identity, too, as did six people arrested last year on charges that they'd used doctors' provider numbers to defraud California's Medicaid program of $1.39 million. During investigations, doctors themselves can come under suspicion.

Where to buy an identity? On the Web

The Internet punches new holes in your identity shield, not by providing new opportunities for theft—hackers account for very few cases—but by offering an easier place to sell what has already been stolen. Want to see how easy? "Use any of the Internet search engines for the phrase 'bank account search,' " Douglas suggests, noting that doing so reveals an array of sites with information for sale.

Thieves can get more than data via the Net. "Anyone with a computer and a credit card can obtain, almost instantly, a seemingly genuine Social Security card printed with the name and number of [his] choosing," said James G. Huse Jr., inspector general of the Social Security Administration, speaking before a Senate subcommittee last year. And although buying or selling a fake Social Security card is a felony, he noted, "the cards sold over the Internet often carry easily removable stickers identifying them as 'novelties.' "

Recent legislation makes for new safeguards

Laws are beginning to catch up with the problem. Until the federal Identity Theft and Assumption Deterrence Act took effect in 1998, it was illegal to collect personal information from private documents, but it wasn't a crime to use it. Now, it is.

The Gramm-Leach-Bliley Act of 1999 zeroed in on financial institutions, such as banks, credit unions, insurers, and investment companies. The law says they can't sell information about you to unaffiliated third parties without your okay. You can instruct them not to disclose the information, and financial institutions must notify you in writing about that option each year.

The law covers only financial institutions—not, say, marketing firms. And whether you opt out or not, it's still legal for a business to share its information about you internally, with its affiliated third parties. A bank, for instance, could share information with its mortgage, insurance, and brokerage subsidiaries. And the sprawling octopus arms of some financial institutions can encompass a lot of third parties.

For information on how Internet Web sites invade your privacy, see "Is your life an open e-book?" .

Don't lead an ID thief into temptation

• Don't carry more credit and ID cards than you need, and don't carry your Social Security card.

• Ask how information will be used before you give it out, and don't give information over the telephone unless you placed the call.

• Use a paper shredder at home and at work.

• Put a lock on your mailbox. The post office won't keep a key, but the carrier will put the mail through a slit in the front of the box. Alternatively, open a post office box.

• At home, put personal information in a private place. At institutions where you work, find out where records on you are kept, and request that they be safeguarded from theft.

• Make sure the ID number on your driver's license isn't your Social Security number. If it is, your state's motor vehicle department may let you use a different number.

• When you open a credit card or bank account, ask for a password that must be used before any inquiries or changes can be made to the account.

• Pick hard-to-guess passwords for your ATM and credit cards, and change them periodically.

• When making purchases or providing confidential information on the Web, be sure you're using a secure site and browser. A URL that begins with "https" rather than "http," once you indicate you're about to place an order, indicates a secure site; a locked padlock icon at the bottom of the screen signifies a secure Web browser.

• Opt not to receive unsolicited credit card offers by phoning 888-5-OPTOUT. All three major credit bureaus use this number.

• Read the Federal Trade Commission's "ID Theft: When Bad Things Happen to Your Good Name," and the Federal Deposit Insurance Corp.'s "When a Criminal's Cover Is Your Identity." The booklets are available at https://www.consumer.ftc.gov/topics/identity-theftand http://www.fdic.gov/consumers/privacy/criminalscover/ .

• When visiting Web sites, look for Good Housekeeping-style seals of approval from the Better Business Bureau's BBBOnline (www.bbbonline.org); the privacy program offered by TRUSTe (www.truste.org), an independent nonprofit organization; and the WebTrust program, run by VeriSign, a Mountain View, CA, private firm. Clicking on the seal should take you directly to the organization's site, where you can verify whether the Web site is listed.

• Check your credit records at least annually. The firms can charge you as much as $8.50 per report, though the reports are free in some states and under some circumstances. To order reports, contact Equifax, PO Box 105496, Atlanta, GA 30348, 800-685-1111, www.equifax.com; Experian, PO Box 9600, Allen, TX 75013, 888-397-3742, www.experian.com; Trans Union, PO Box 1000, Chester, PA 19022, 800-916-8800, www.tuc.com.

What to do if you're a victim

• Immediately contact credit card companies, banks, auto dealerships, brokerage firms, telephone carriers—any organizations through which fraud was committed—and close accounts in your name.

Visa and MasterCard limit cardholders' fraud charges to $50 in most circumstances, but no federal law limits your liability for fraud involving personal checks. The FDIC says that most states put the onus of liability on the bank, but usually you must notify your bank within certain time limits. Similarly, your losses from stolen ATM and debit cards are limited to $50 if you report the theft within two days. Wait three to 60 days to report the theft, and your liability may rise to $500. Report it after 60 days, and you could lose all the money the thief withdraws from your account.

• Follow up each phone call you've made to financial institutions with a letter that spells out the details of your case.

• Phone the major credit bureaus to report the fraud: Equifax (800-525-6285), Experian (888-397-3742), and Trans Union (800-680-7289). Ask that a fraud-alert hold be placed on your account so that creditor inquirers can't approve additional credit using your name and number without contacting you first. Ask how long the flag will be posted and what you must do to have it extended. Add a victim's statement to your credit report, including a description of the problem and a contact telephone number.

• For check fraud, ask your bank to contact its check verification service to warn retailers not to accept your checks, or, if you can, contact the services yourself. You can also directly contact some credit bureaus' verification services, such as Equifax's (800-437-5120).

• File a report with local police. Also notify the local postal inspector, if the fraud involved mail theft or a false change-of-address form; the department of motor vehicles, if the fraud involved your driver's license; and the SEC, if the fraud involved your investment accounts.

• Finally, phone the Federal Trade Commission's Identity Theft Hotline (877-IDTHEFT), or file a complaint via its Web site at www.consumer.gov/idtheft . Although the FTC doesn't pursue individual complaints, it serves as a law-enforcement clearinghouse for ID theft investigation. If the theft involved the Internet, you can also notify the Internet Fraud Complaint Center, a joint effort by the FBI and the National White Collar Crime Center, which is a network of local law-enforcement agencies. You'll make your complaint online at www.ifccfbi.gov.

 

Sue Preston. New target for thieves: Your good name. Medical Economics 2001;4:45.