Coping with Identity Theft & Reducing the Risk of Fraud
The crime of identity theft
It can happen to anyone. The phone rings and a collection agency demands that you pay past-due accounts for goods you never ordered. The supermarket refuses your checks because you have a history of bouncing them. But you have always paid bills on time. What has happened?
The crime of identity theft is on the rise. Recent surveys show there are currently 7-10 million victims per year, greatly exceeding our earlier estimates. Using a variety of methods, criminals steal Social Security numbers (SSN), driver's license numbers, credit card numbers, ATM cards, telephone calling cards, and other pieces of individuals' identities such as date of birth. They use this information to impersonate their victims, spending as much money as they can in as short a time as possible before moving on to someone else's name and identifying information.
There are two types of identity theft. "Account takeover" occurs when a thief acquires your existing credit account information and purchases products and services using either the actual credit card or simply the account number and expiration date. "Application fraud" is what some experts call "true name fraud." The thief uses your SSN and other identifying information to open new accounts in your name. Victims are not likely to learn of application fraud for some time, because the monthly account statements are mailed to an address used by the imposter. In contrast, victims learn of account takeover when they receive their monthly account statement. This guide discusses strategies for reducing the risk of both types of fraud.
Generally, victims of credit and banking fraud are liable for no more than the first $50 of the loss. (15 USC sec. 1643) In many cases, the victim will not be required to pay any part of the loss.
Even though victims are usually not saddled with paying their imposters' bills, they are often left with a bad credit report and must spend months and even years regaining their financial health. In the meantime, they have difficulty getting credit, obtaining loans, renting apartments, and even getting hired. Victims of identity theft find little help from the authorities as they attempt to untangle the web of deception that has allowed another person to impersonate them.
Stealing wallets used to be the best way identity thieves obtained SSNs, driver’s licenses, credit card numbers and other pieces of identification. While still employed, identity thieves now use more sophisticated means:
1. "Dumpster diving" in trash bins for unshredded credit card and loan applications and documents containing SSNs.
2. Stealing mail from unlocked mailboxes to obtain newly issued credit cards, bank and credit card statements, pre-approved credit offers, investment reports, insurance statements, benefits documents, or tax information. Unfortunately, even locked mailboxes may not stop the most determined thief.
3. Accessing your credit report fraudulently, for example, by posing as an employer, loan officer, or landlord.
4. Obtaining names and SSNs from personnel or customer files in the workplace.
5. "Shoulder surfing" at ATM machines and phone booths in order to capture PIN numbers.
Finding identifying information on Internet sources, via public records sites and fee-based information broker sites.
You cannot prevent identity theft. Criminals can commit identity theft relatively easily because of lax credit industry practices and the ease of obtaining SSNs. But you can reduce your risk of fraud by following the tips in this guide. The most important advice we can give you is to check your credit report at least once a year. If you are a victim of identity theft, you will catch it early by checking your credit report regularly.
Reducing access to your personal data:
1. To minimize the amount of information a thief can steal, do not carry extra credit cards, your Social Security card, birth certificate or passport in your wallet or purse, except when needed. At work, store your wallet in a safe place.
2. If possible, do not carry other cards in your wallet that contain the Social Security number (SSN), except on days when you need them.
3. To reduce the amount of personal information that is "out there," consider the following:
- Remove your name from the marketing lists of the three credit reporting bureaus -- Equifax, Experian (formerly TRW) and Trans Union. Call 888-5OPTOUT. This will limit the number of pre-approved offers of credit that you receive. These, when tossed into the garbage, are a potential target of identity thieves who use them to order credit cards in your name.
- Register for your state’s "do not call" list, if it has one.
- List of state "do not call" lists: www.ftc.gov/bcp/conline/pubs/alerts/dncalrt.htm.
- Have your name and address removed from the phone book and reverse directories.
- Opt-out of the sale or sharing of your financial information when given the opportunity by your bank, credit card companies, insurance companies, and investment firms.
- Install a locked mailbox at your residence to deter mail theft. Or use a post office box or a commercial mailbox service. When you are away from home for an extended time, have your mail held at the Post Office, or ask a trusted neighbor to pick it up.
- When ordering new checks, pick them up at the bank. Don’t have them mailed to your home. If you have a post office box, use that address on your checks rather than your home address so thieves will not know where you live.
- When you pay bills, do not leave the envelopes containing your checks at your mailbox for the postal carrier to pick up, or in open boxes at the receptionist’s desk in your workplace. If stolen, your checks can be altered and then cashed by the imposter. It is best to mail bills and other sensitive items at the drop boxes inside the post office rather than neighborhood drop boxes.
Credit cards and credit reports:
1. Reduce the number of credit cards you actively use to a minimum. Carry only one or two of them in your wallet. Consider canceling unused accounts. Even though you do not use them, their account numbers are recorded in your credit report, providing a tempting target for identity thieves. But be aware that reducing the number of credit card accounts might lower your credit score. Part of your score is determined by having credit cards and installment loans and making timely payments. (For more information on credit scoring, visit www.myfico.com.)
2. Keep a list or photocopy of all your credit cards, bank accounts, and investments -- the account numbers, expiration dates and telephone numbers of the customer service and fraud departments -- in a secure place (not your wallet or purse) so you can quickly contact these companies in case your credit cards have been stolen or accounts are being used fraudulently.
3. Never give out your SSN, credit card number or other personal information over the phone, by mail, or on the Internet unless you have a trusted business relationship with the company and you have initiated the call. Identity thieves have been known to call their victims with a fake story that goes something like this. "Today is your lucky day! You have been chosen by the Publishers Consolidated Sweepstakes to receive a free trip to the Bahamas. All we need is your Social Security number, credit card number and expiration date to verify you as the lucky winner."
4. Always take credit card receipts with you. Never toss them in a public trash container. When shopping, put receipts in your wallet rather than in the shopping bag.
5. Never permit your credit card number to be written onto your checks. It's a violation of California law (Civil Code sec. 1725) and laws in many other states, and puts you at risk for fraud.
6. Watch the mail when you expect a new or reissued credit card to arrive. Contact the issuer if the card does not arrive.
7. Order your credit report once a year, or better twice, from each of the three credit bureaus to check for errors and fraudulent use of your accounts. Credit reports cost $8-$9 in most states. If you are on a budget, order from one credit bureau now, from another in six months, and the third six months later. In one year you will have checked all three.
8. You do not have to be an identity theft victim to place a "fraud alert" on your three credit reports. With the alerts, you place a statement on your files requesting credit issuers to call you at your phone number before issuing credit. In theory, anyway, if an imposter attempts to open credit in your name, the credit grantor will contact you first. But they do not always pay attention to fraud alerts, so this strategy does not ensure that you’ll prevent identity theft. When you place fraud alerts by phone, the credit bureaus give you a temporary alert, good for only a few months. If you wish to extend the fraud alert, you must write the three credit bureaus and request a seven-year fraud alert.
9. Californians are now able to "freeze" their credit reports, a stronger alternative to fraud alerts. (California Civil Code 1785.11.2, implemented January 1, 2003) This law enables individuals to prevent others from accessing their credit files and thereby prevents thieves from opening up new credit card and loan accounts. Security freezes are available at no charge to identity theft victims and for an annual fee for non-victims. The California Office of Privacy Protection provides a guide on security freezes, www.privacy.ca.gov/financial/cfreeze.htm.
10. Several companies, including the three credit bureaus, offer credit monitoring services for an annual fee ranging from $50-$120 a year. They notify you when there is any activity on your credit report, thus alerting you to possible fraud. We do not endorse credit monitoring services because we believe that individuals should not have to pay a fee to track their credit. At the very least, consumers should be able to obtain one free credit report a year from each bureau, a provision which is law in six states: Colorado, Georgia, Massachusetts, Maryland, New Jersey, and Vermont.
Passwords and PINS:
1. When creating passwords and PINs (personal identification numbers), do not use the last four digits of your Social Security number, mother’s maiden name, your birthdate, middle name, pet's name, consecutive numbers or anything else that could easily be discovered by thieves. It’s best to create passwords that combine letters and numbers.
2. Ask your financial institutions to add extra security protection to your account. Most will allow you to use an additional code or password (a number or word) when accessing your account. Do not use your mother's maiden name, SSN, or date or birth, as these are easily obtained by identity thieves.
3. Memorize all your passwords. Don't record them on anything in your wallet.
4. Shield your hand when using a bank ATM machine or making long distance phone calls with your phone card. "Shoulder surfers" may be nearby with binoculars or video camera.
Social Security numbers:
1. Protect your Social Security number (SSN). Release it only when absolutely necessary (like tax forms, employment records, most banking, stock and property transactions). The SSN is the key to your credit and banking accounts and is the prime target of criminals.
If a business requests your SSN, ask if it has an alternative number that can be used instead. Speak to a manager or supervisor if your request is not honored. Ask to see the company's written policy on SSNs. If necessary, take your business elsewhere. If the SSN is requested by a government agency, look for the Privacy Act notice. This will tell you if your SSN is required, what will be done with it, and what happens if you refuse to provide it. If your state uses your SSN as your driver’s license number, ask to substitute another number.
If possible, do not provide the SSN on job applications. Offer to provide it when you are interviewed.
2. Do not have your SSN or driver’s license number printed on your checks. Don't let merchants hand-write the SSN onto your checks because of the risk of fraud. There is no law against this, so you may need to be assertive.
3. Examine your Social Security Personal Earnings and Benefits Estimate Statement each year to check for fraud. The Social Security Administration mails it to adult-age SSN holders about three months before the birthday. The SSA web site has additional information, www.ssa.gov/mystatement. Reach them by phone at (800) 772-1213.
4. Do not carry your SSN card in your wallet except for situations when it is required, the first day on the job, for example. If possible, do not carry wallet cards that display the SSN, such as insurance cards, except when needed to receive healthcare services. A California law places restrictions on the display and transmission of SSNs by companies. It is being phased in through 2005. For more information, read the California Office of Privacy Protection guide on SSN "recommended practices," at www.privacy.ca.gov/recommendations/ssnrecommendations.pdf.
5. If you live in a state that uses the SSN as the driver’s license number, we recommend that you contact your Department of Motor Vehicles and request a different number.
Internet and computer safeguards:
1. Install a firewall on your home computer to prevent hackers from obtaining personal identifying and financial data from your hard drive. This is especially important if you connect to the Internet by DSL or cable modem.
2. Install and update virus protection software to prevent a worm or virus from causing your computer to send out files or other stored information.
3. Password-protect files that contain sensitive personal data, such as financial account information. Create passwords that combine 6-8 numbers and letters, upper and lower case.
4. When shopping online, do business with companies that provide transaction security protection, and that have strong privacy and security policies. For more online shopping tips, read Safe Shopping Tips.
5. Before disposing of your computer, remove data by using a strong "wipe" utility program. Do not rely on the "delete" function to remove files containing sensitive information.
Responsible information handling:
1. Each month, carefully review your credit card, bank and phone statements, including cellular phone bills, for unauthorized use.
2. Do not toss pre-approved credit offers in your trash or recycling bin without first tearing them into small pieces or shredding them. They can be used by "dumpster divers" to order credit cards in your name and mail them to their address. Do the same with other sensitive information like credit card receipts, phone bills, bank account statements, investment account reports, and so on. Home shredders can be purchased in many office supply stores. We recommend cross-cut shredders.
3. Demand that financial institutions adequately safeguard your data. Discourage your bank from using the last four digits of the SSN as the PIN number they assign to customers. If you have been given the last four SSN digits as a default PIN, change it to something else. Insist they destroy paper and magnetic records before discarding them. By not adopting responsible information-handling practices, they put their customers at risk for fraud.
4. When you fill out loan or credit applications, find out how the company disposes of them. If you are not convinced that they store them in locked files and/or shred them, take your business elsewhere. Some auto dealerships, department stores, car rental agencies, and video stores have been known to be careless with customer applications. When you pay by credit card, ask the business how it stores and disposes of the forms. Avoid paying by credit card if you think the business is not careful. When paying with credit cards on the Internet, be sure the company uses secure transmission and storage methods.
5. Store canceled checks in a safe place. In the wrong hands, they could reveal a lot of information about you, including the account number, your phone number and driver's license number.
6. Store personal information securely in your home, especially if you have roommates, employ outside help, or have service work done in your home.
7. Any entity that handles personal information should train all its employees, from top to bottom, on responsible information-handling practices. Persuade the companies, government agencies, and nonprofit agencies with which you are associated to adopt privacy policies and conduct privacy training.
Remember, if you are a victim of identity theft, or if your wallet or SSN has been lost or stolen, place fraud alerts on your three credit reports right away.
For More Information
Credit Reporting Agencies (see also PRC Fact Sheet 6, www.privacyrights.org/fs/fs6-crdt.htm)
Order credit report Report fraud
Equifax (800) 685-1111 (800) 525-6285
Experian (888) EXPERIAN (888-397-3742) (888) EXPERIAN (888-397-3742)
TransUnion (800) 916-8800 (800) 680-7289
Federal Trade Commission Identity Theft Clearinghouse
Phone: (877) IDTHEFT (877-438-4338)
FTC’s free 34-page identity theft guide, "When Bad Things Happen to Your Good Name," available by phone and www.ftc.gov/bcp/conline/pubs/credit/idtheft.htm
California Office of Privacy Protection
Phone: (866) 785-9663 or (916) 323-0637
Guide to California identity theft and privacy laws, www.privacy.ca.gov/laws.htm. See also the state’s official web site on legislative bills and statutes, www.leginfo.ca.gov.
Identity Theft Resource Center
Phone: (858) 693-7935
Privacy Rights Clearinghouse
Phone: (619) 298-3396
Test your identity theft risk factor, www.privacyrights.org/itrc-quiz1.htm
Compilation of Identity Theft Surveys
Additional web sites:
U.S. Dept. Of Justice, identity theft info, www.usdoj.gov/criminal/fraud/idtheft.html
U.S. FBI, identity theft information, http://norfolk.fbi.gov/1999/ident.htm
Identity Theft Survival Kit. Phone: (800) 725-0807. Web: www.identitytheft.org
Fight Identity Theft, www.fightidentitytheft.com