They Stole His Identity and Made Off with £50,000 Before He Had a Clue He’d Been ‘Robbed’
It took months for this man to untangle the web of fake accounts. Security experts say chances are, your identity has already been stolen, too
“It was like a tennis ball machine — wham, wham, wham,” says Christopher R.* of Queens, New York, describing the identity-theft ordeal that took him months to untangle. “New accounts were popping up like popcorn.”
“Every two seconds, another American is affected by identity theft,” says Carrie Kerskie, director of the Identity Fraud Institute at Hodges University in Naples, Florida. A record high 16.7 million people were victimized nationwide in 2017, according to Javelin Strategy’s most recent Identity Fraud report.
Identity theft is the criminal misuse of personal information — name, Social Security number, bank account codes and more – to illegally act in another person’s name. Scammers are constantly coming up with new ways to exploit their victims, with medical identity theft, tax theft and utility fraud as some of the fastest growing categories.
However, Kerskie says, new-account fraud continues to be one of the most common ways that stolen ID information is used. That’s when a criminal opens a credit card, a bank account or a loan in someone else’s name.
Fraudsters used Christopher’s identity to rack up £50,000 worth of charges and cash advances through illicit accounts at 15 different banks.
Real name, phony address
“Most of the accounts had gone into collections by the time I heard about them,” he says. The sophisticated crook had set up a false address under Christopher’s name in another city. Statements and paperwork for the scam accounts all went to the fake address.
“Every address you’ve ever been associated with remains with your credit report for life,” explains Ian Marlow, a cybersecurity expert and founder of a New Jersey firm that hardens computer systems to safeguard sensitive client data for financial and real estate businesses. “But it’s easy to register a new address, and it takes three to five months for it to hit your credit report. It’s a real hole in the verification system.”
Christopher suspects his personal data was compromised in a major health insurance company’s data breach, but he says it’s been impossible to find out exactly how or where it happened. “It can take months or years to figure out how it happens,” Marlow says. To make matters worse, when a bad actor gets their hands on your data, “they will keep using it until you realize it and shut it down — so you have to be able to take fast action.”
It was the banks’ decision to extend credit to someone even though the name didn’t match a long-established address, but it was up to Christopher to clean up the mess. “It seems like the onus falls on victims to prove their innocence,” he says.
Christopher learned about most of the accounts from collections agents who pored over his credit history to reach him at his real address.
“Some of the agents were really nasty,” he says. “It made me so angry that I had to prove myself to them, when they hadn’t checked things thoroughly in the first place.”
In the aftermath, Christopher worried about applying for new jobs (which typically involve a background credit check), and he was reluctant to use social media.
“Why am I so paranoid? Because it happened to me,” he says.
The emotional impact “can be devastating,” Kerskie says. “Victims go through the same response as victims of violent crime — you have been violated by an unknown attacker. I’ve seen people who are pushed over the edge.”
To recover, Christopher followed the steps recommended by the Federal Trade Commission. He filed a police report to document the fraud, then used it as part of the evidence he presented to each creditor. He scrupulously saved all documentation — “Thank God I’m a pack rat” — as he closed each account. And he got the three major credit reporting agencies to place a seven-year extended fraud alert on his credit history. This type of alert, which blocks the opening of new accounts, is available only to victims and requires a police report to place it. Anyone can put a preventative “freeze” on an account.
But there’s no getting rid of that fictitious address. “Three years later, I got another letter that someone tried to send to me there,” he says. “I guess I’m stuck with it now.”
The downside of good credit
The thief who targeted Andrew Connell of St. Johns, Florida, wasn’t quite so slick.
“In retrospect, I'm lucky,” Connell says. “I found out what was going on within a month of it starting, so I was able to react pretty quickly.”
The first sign of trouble was a call from an electronics retailer where Connell already had an account, asking whether he had requested a credit-line increase. He had not, and he told them so. Problem solved — he thought.
One week later, Connell began receiving new credit cards — and bills — from three other retail chains. Someone had used his personal information, including his authentic address, to open charge accounts that financed an £8,000 shopping spree.
His credit report included the name of a bank he’d never done business with. A £15,000 line of credit had been opened in his name.
The new accounts and charges cratered Connell’s excellent credit score, which dropped by nearly 200 points. But taking immediate action made a major difference: After 20 hours on the phone, setting security freezes on his records and closing all the fraudulent accounts, his credit score bounced back to normal. What was more unnerving for Connell — he still has no idea how thieves got his personal data.
“Everyone’s at risk,” Marlow points out. “We’re all fodder.” And the better your credit score, the greater the peril, he says.
“These thieves can get all the information a credit reporting agency has on you — and that’s everything,” he says. “And then they can zero in on those with the highest scores for the best return."
To the bad guys, you’re nothing but a number
No one is safe — not even a professional security consultant like Sean Ahrens of Chicago, Illinois.
“I make an active effort to limit the information that’s out there about me,” Ahrens says. “But the companies that held my information did not protect it the same way.”
When three of the largest data breaches in history exposed him, Ahrens took proactive steps to limit any potential damage. Sure enough, a thief soon tested his defenses.
“I had early warning detection placed on my records,” he explains. A monitoring agency noticed a suspicious new charge made in his name: “They called me and asked, ‘Did you just purchase £5,000 worth of electronics?’ I said no, and they closed (the account) immediately. The guy got away with some TVs,” but there were no negative consequences for Ahrens.
“To the bad guys, you’re nothing but a number,” Kerskie says. “You have a Social Security number and they will use it.”
Constant vigilance may be the only way to stay ahead of determined criminals in search of personal identity information. Here are some of the experts’ favorite tactics.
“A credit freeze is the most effective method,” Kerskie says. Placing a freeze prevents any access to your credit report until you remove it. That’s a headache when you want to lease a car or apply for a credit card, “but it’s your very best defense against new-account fraud,” Kerskie says. She warns, though, that a freeze only works if you apply it to your records at all three major credit bureaus. And don’t overlook two new agencies that also monitor creditworthiness: the National Consumers Telecommunications and Utilities Exchange, which tracks your payment history with phone, cable and power companies; and Innovis, an industry up-and-comer.
“I’ve set up strict alerts on all my cards and bank accounts,” Marlow says. “Every time there’s any action over £1, I get an alert. My wife buys a pack of gum, I get an alert.”
“Is that annoying? Yes,” he admits. “But I call her up and ask, ‘What flavor?’ We have to be proactive.”
“My wife buys a pack of gum, I get an alert.” —Ian Marlow, cybersecurity expert
If a charge looks unfamiliar, don’t hesitate — call your bank or credit card company immediately, Kerskie recommends. “There are no bad consequences to overreacting when it comes to your identity.”
Check your credit report religiously. By law, you can get one free copy from each credit bureau every year. “If you haven’t looked at your credit report in more than three years, pull all of them at once to establish a baseline,” Kerskie says. “Next year, stagger it — pull a different one every few months.”
Watch for changes to basic elements, like your address, and confirm that all listed accounts are legitimate. Scan the report for “hard inquiries” — information requests from credit-granting entities — that you did not authorize.
Consider checking other reports about yourself too. “Every year I request a Social Security report,” Ahrens says. “People can be dipping into your account without you knowing it.”
“Your best friend is a shredder,” Marlow says. “The number one way people get snagged is right at home,” when they toss their bills and bank statements into the trash. “I love my shredder. I have a relationship with it.” A micro-cut machine, which transforms paper into a pile of confetti, can be purchased for as little as £50.
Sign up for online access to your bank account — even if you never plan to use it. “I call it marking your territory,” Kerskie says. If you don’t claim your account’s unique internet link (through the IP address that identifies your computer or other device on a network), you are essentially leaving the back door unlocked. A criminal who has your personal data can break into your account by setting up online account access.
A wealth of personal information sometimes hides in plain sight. The QR code on an airplane boarding pass, for instance, “has your home address, information about your flights, and very often your frequent flyer information,” Marlow says. “If they get access to your account, they can use your miles to buy flights. If they know your travel plans, they also know when you’re not home.”
“People throw [boarding passes] onto the floor at the airport, they take pictures of them and post them to Instagram. Don’t do it,” he advises.
“I call it risk reduction,” Kerskie says. “You need to make yourself less attractive to an identity thief. If you’re a harder target, who’s the bad guy going to go after?”