As new research on identity theft continues to roll in, it paints an unsettling picture of how good crooks are getting at their craft. Although the number of U.S. breaches fell in 2018, the number of records exposed containing sensitive, personally identifiable information (such as Social Security and financial-account numbers) spiked by 126% from the year before, according to a report from the Identity Theft Resource Center. "That tells us thieves aren't committing less crime—they're just getting better at it," says Eva Velasquez, president and CEO of the ITRC.
One of the largest breaches disclosed last year was at Marriott International, which admitted in November that its Starwood guest reservation database had been hacked starting in 2014. That exposed up to 383 million guest records (though the number of guests affected is likely smaller because of multiple records). Many records contained data such as passport numbers, addresses, dates of birth and, in some cases, customers' payment-card information. Quora, an online question-and-answer platform, also discovered a breach of account information including names, e-mail addresses and passwords of up to 100 million users. Hackers may try to enter stolen usernames and passwords into other sites—say, those of banks or retailers—in hopes that some customers reuse their log-in details across several accounts. "The chances that some of those credentials will work on one or more other websites are exceptionally high," says Velasquez.
Email fraud red flags
Fortunately, none of those 2018 breaches involved Social Security numbers—a key piece of information a thief can use to run away with someone else's identity. But the 2017 Equifax data breach exposed the names, Social Security numbers, birth dates and other sensitive data of more than 145 million Americans. Those bits of info are permanent pieces of your identity, and they may sit idle for years before a criminal puts them to work.
The overall number of fraud victims fell significantly last year from 2017, thanks largely to a decline in fraud against existing credit and debit cards, according to a Javelin Strategy & Research report. But in both 2017 and 2018, the number of victims who faced some liability for fraud more than doubled from 2016, and so did the victims' out-of-pocket costs. Incidents of fraud in which criminals open new financial accounts in a victim's name or take over existing non-card accounts, such as brokerage or retirement accounts, were well above historical levels in 2017 and 2018 and "are much more difficult, and frequently expensive, for victims to resolve," says Javelin.
Sophisticated schemes. Imposter scams, in which crooks claim to be representatives of the IRS, Social Security Administration or other entities in attempts to glean personal information or money from their targets, topped the list of consumer complaints submitted to the Federal Trade Commission in 2018—the first time such scams have reached the number-one spot. Scammers are taking aim at both consumers and businesses with increasingly realistic "phishing" e-mails, persuading individuals to click on links or attachments that could infect their computers with malware or prompt them to send sensitive information.
In early 2017, Pooja Raval found out that a staff member of the community health center where she worked as a physician had been tricked into e-mailing the employees' W-2 tax forms—which contain a treasure trove of personal info, including Social Security numbers, addresses and income information—to a crook. Thieves can use such valuable pieces of data to impersonate victims in several ways—and since the breach, Raval, of Cambridge, Mass., has encountered a few of them. A criminal attempted to file a tax return and collect a refund in her name; the IRS noticed that something was amiss and sent Raval a letter before issuing the refund. She was instructed to bring the letter and various identifying documents to an IRS center so that she could get an Identity Protection PIN to file with her tax return. (Before she could make it to the center, the IRS sent her the PIN.)
Someone has repeatedly tried to use Raval's information to get health insurance. And a credit card was fraudulently opened in her name—despite freezes she placed on her credit reports, says Raval. Rather than being able to take steps to prevent identity theft, she says she has had to "wait and fix it retroactively." Raval says she lacked support from her employer in repairing the damage, and she left the company early last year.
Stronger protections. If there's a bright spot among the bad news, it's that policymakers are paying attention. The Equifax data breach "has created a lot of interest in legislation both at the state and federal level to provide consumers with greater protection from identity theft," says Paul Stephens, director of policy and advocacy for the Privacy Rights Clearinghouse.
Last September, a federal law that made credit freezes free for everyone went into effect. The same law also requires the Social Security Administration to offer financial institutions a more streamlined system to ensure that the Social Security number a customer provides matches up with the name and birth date associated with that SSN. The measure is designed to cut down on synthetic identity fraud, in which criminals piece together real SSNs—often of children—with fake names and other bits of personal info to create new identities. More federal data-privacy laws may be on the way, too. The Senate Banking Committee recently sought input on the collection, use and protection of sensitive personal information by financial regulators and companies.
Private companies and the government have a big responsibility in taking better care of your personal data. But you can take steps to safeguard your identity, too.
Tax ID theft
More than your refund is at risk.
The problem: Your tax return could be attractive to an identity thief even if you are not owed a refund. Filing for a refund using a stolen identity is still the most prevalent form of tax ID theft, although new security protocols have made it more difficult. In the past, a criminal needed only your name, date of birth and Social Security Number (SSN) to file a tax return in your name, because he or she could make up the other details, including W-2 information, to claim an outsize refund. Now a thief may need more information to beat the system.
Although stolen identity refund fraud remains a threat, employment-related identity theft—in which a crook earns wages under your SSN—is on the rise, says Lisa Weintraub Schifferle, the Federal Trade Commission's identity theft program manager. Another type of tax fraud involves someone claiming your children as his or her dependents.
You probably won't know that you are a victim of tax fraud until the Internal Revenue Service tells you, or your electronic filing is rejected because a return has already been submitted using your SSN.
How to avoid it: Filing your return as early as you can—even if you owe money—is the only way to beat a thief to the punch. If you are filing electronically, stick with a secure internet connection. Don't use unfamiliar tax software or a new tax preparer without screening for complaints and checking for scams.
Victims of tax fraud will be assigned an Identity Protection (IP) PIN. Residents of California, Delaware, Florida, Georgia, Illinois, Maryland, Michigan, Nevada, Rhode Island and the District of Columbia may request a PIN on their own for federal filing. However, if you're approved, you must use the PIN for all future filings.
The IRS will never call or e-mail you and threaten to arrest or deport you if you don't pay up. Normally, the IRS initiates contact by mail. But more recently, the agency started contracting with private debt collectors who may contact you on its behalf.
"We used to be able to say that the IRS will never call you to collect a debt, but now you may be called if you owe back taxes," says Schifferle. However, you will be notified by letter first, and legitimate debt collectors will not argue if you want to call the IRS to verify their identity.
What to do if you're a victim: The IRS is getting better at catching suspicious returns and verifying with the real people behind those SSNs, says Velasquez. And although the agency will help you sort out the fraud and return the refund you're entitled to, the process could take months. You will need to file all future taxes with an IP PIN, and you may experience other hiccups, such as an inability to use the tool that automatically transfers your tax return data into a FAFSA (the Free Application for Federal Student Aid form) for tax transcripts affected by fraud.
If you receive a letter from the IRS noting suspicious activity, call the phone number provided in your letter to learn your next steps. Keep meticulous records of your conversations. Or, if your e-filing was rejected, report the incident to the IRS by filling out and sending in an IRS Identity Theft Affidavit, or Form 14039, by mail; if you report your identity theft at IdentityTheft.gov, you can submit the affidavit electronically. You will still need to file your taxes by the April 15 deadline (or request an extension), even if it means paper filing.
The IRS estimates that it will take 120 days to get your refund if one is due, or more than 180 days for complex cases. But Velasquez says that callers to the Identity Theft Resource Center have reported resolutions anywhere from around a month to a year later. You will receive a new IP PIN each year to include on your tax return.
Call your state department of revenue (find the link at taxadmin.org/state-tax-agencies) to put it on notice that your federal tax return was compromised, even if you're not sure whether someone is trying to defraud you at the state level, says Velasquez. "A thief can only use your data to file one fraudulent federal return," she says, "but can file across multiple states."
They've got your (mobile) number
The Social Security number has been the most important unique identifier for decades, but a new kind of ID has emerged in the last decade or so as an alternative: your mobile phone number. When a company wants to verify your identity when you log in to an account from a new device, for example, it'll often ask you to verify a code it texts to the mobile number they have on file. "But that's not a piece of information that's designed to be kept secret," says Jake Williams, security principal of Rendition Infosec and a former NSA hacker. "We give it out, put it in our e-mail signatures."
Over the past few years, some hackers have taken advantage of this vulnerability by executing a "SIM swap" hack, typically by calling a telecom company, saying they've lost their phone and need their number—your number—to be swapped to a new SIM card they bought from the store. If they can convince a customer support agent they're you with a few bits of personal information, they'll have access to any account you've secured with your phone number by resetting your password.
Most people aren't prominent enough to be subject to this kind of attack, Williams says. People in the public eye or in high-risk positions are more likely to be targeted. For protection, it's possible to port your phone number to a VOIP—an internet-based calling service—which is much more difficult to SIM swap.
Medical ID theft
Avoid health care hijackers.
The problem: Medical identity theft—when a criminal uses your health information to receive medical care or prescription drugs or file insurance claims in your name—is rare, but it's hard to shake and likely on the rise.
In the fall of 2017, Tyler P. of Austin, Texas, received a call from the billing department of a local hospital for an emergency-room visit the month before, saying that he owed $7,000 for back surgery. Tyler had been on a plane to Memphis the day the hospital said he had checked in for the procedure. After losing his wallet a few months earlier, Tyler had frozen his credit and was scrutinizing all his bills for any sign of fraud. But with just his driver's license and an insurance card, a thief had all he needed to ask for a back operation and a week-long stay in recovery. "It was nuts," Tyler says.
Tyler made a flurry of phone calls, first to his insurance company, then to the police, then to the hospital to begin disputing the charges. But the real challenge was untangling the criminal's medical records from Tyler's. "There were a lot of people [at the hospital] who didn't know what to do with me," he says. Eventually, Tyler connected with an administrator in the billing department who agreed to work with him.
Beyond the bill, having incorrect information in a medical record can have deadly consequences years after the crime; for example, you could be denied a certain treatment due to an allergy or condition on records left behind by an identity thief.
How to avoid it: Your health providers are likely to ask for your Social Security number, but your health insurance information is usually enough to receive and manage care, especially if you've used the provider in the past. Thankfully, the Social Security Administration stopped printing Medicare cards with SSNs on them in 2018.
Review statements you receive from your medical or insurance providers. If you recently received treatment but the explanation of benefits seems to differ even a little, don't write it off as a mistake. And if you receive mail from providers you haven't used, don't toss it; thieves may have used your identity to get care.
What to do if you're a victim: File a police report, then contact your medical providers and ask to see a copy of your records. Some institutions may balk at handing them over if you say they've been compromised with someone else's medical data, but the right to request your records overrules an identity thief's right to privacy, says the Federal Trade Commission.
Ask your provider for an "accounting of disclosures" to have a paper trail of every institution to which they've sent a copy of your medical records. As you contact providers, send time-stamped letters explaining your situation along with a copy of your police report. If you catch the fraud early, you may be able to contact the billing department of your provider and ask to cancel the debt. But if the debt is passed on to an outside collector, you'll need to use the protections offered by the Fair Credit Reporting Act and Fair Debt Collection Practices Act—such as the right to an investigation—to clear things up, according to Pam Dixon, founder of the World Privacy Forum.
Credit and debit card fraud
Safeguard your plastic and your account information.
The problem: The U.S. transition to credit and debit cards equipped with microchips—and payment terminals that accept chip transactions—is reducing fraud on existing card accounts. If ID thieves try to intercept chip transactions, they can't get enough usable data to create counterfeit cards. Losses from fraud on existing card accounts fell from $8.1 billion in 2017 to $6.5 billion in 2018, according to a recent report from Javelin Strategy & Research.
But payment terminals at gas pumps, in particular, are vulnerable to "skimming" of customer card data by crooks because gas stations don't yet face liability for counterfeit-card transactions at the pump. Starting in October 2020, gas stations that haven't upgraded to chip terminals at the pump may incur liability for such transactions.
Fraudsters are also going online to steal payment credentials. Through a method called formjacking, they embed malicious code on retail websites to grab customers' payment information. Such fraud affected more than 4,800 websites per month last year, on average, according to a recent report from Symantec. Small and midsize retailers are often targets, although well-known companies such as British Airways and Ticketmaster have been hit, too.
How to avoid it: Don't store your card information on retail sites or apps. "I never save my payment information. It takes 10 seconds to type it in," says Carl Carpenter, CEO of security firm Arrakis Consulting. Certain issuers—including Bank of America, Capital One and Citi—offer virtual numbers for most of their credit cards. Rather than enter your card's real number when shopping online, you use a different number that's linked to your card account.
Gas-pump skimmers are hard to spot because they're typically installed inside the machine. Steer clear of pumps at the edges of the station. Crooks are more likely to place skimmers there, where they can insert the devices unnoticed. At the ATM, shield your hand as you enter your PIN in case a thief has put a camera on the machine to capture your PIN (along with a skimmer to record your card data).
It's not a bad idea to get notifications from your financial institutions—whether by e-mail, text message or through a mobile app—each time a transaction goes through on your credit or debit card. Sometimes thieves make small purchases to test a card, which you may not notice if you receive alerts only for large transactions. "Some people say they don't want to be bothered. The truth is, you do want to be bothered," says Adam Levin, founder of identity-protection service CyberScout.
Consider paring the number of payment accounts you use so that you have fewer to track, suggests Velasquez. If possible, use a credit card for most purchases. Legally, your liability for fraudulent purchases with a credit card is capped at $50—and you'll owe nothing if your card number (but not the card itself) is used fraudulently. Plus, the major card networks have zero-liability policies for fraudulent account use, and credit cards come with stronger liability protections than debit cards. And with debit and prepaid cards, you may owe late penalties and overdraft fees.
What to do if you're a victim: Immediately call your bank or credit card issuer if you see unauthorized transactions. Or your bank may notice first that something is amiss. You'll receive a card with a new number. If a criminal used your financial account's online log-in information to steal funds, change your username and your password.
Liability for funds taken with a stolen debit card varies depending on how quickly you report the issue; you're off the hook if your card number (but not the physical card) is stolen and you tell the bank within 60 days of it sending your statement. If you promptly notify your financial institution, you'll likely get the money back—but you may have to wait until the bank processes your claim.
Protect your kids' data
The federal law that mandates free credit freezes includes provisions for freezing the credit records of children younger than 16. If you're a guardian or conservator or have a power of attorney for someone—say, an elderly parent—you can freeze his or her files, too.
If your child doesn't have a credit report, the agency must create one and freeze it upon a parent or guardian's request. You'll have to send the request by snail mail with copies of supporting documents, such as your child's birth certificate and your driver's license. (Freezing a child's Equifax file, however, has been difficult and confusing for some customers, so you may want to wait until the agency works out the kinks.)
Children are attractive targets for ID thieves because it may be years before anyone notices that a child's identity has been snatched. Take care to keep track of a child's PINs because several years may pass before the child needs to lift the freeze, says Velasquez. She advises telling a trusted family member or friend where to find your children's PINs as backup.
Unusual mail in a child's name—such as preapproved credit card offers or debt-collection notices—is an indication that his or her identity may have been stolen. Tell your children not to hand over their personal information online (or anywhere else) without your permission.
The power of putting your credit on ice
The case for placing a security freeze on your credit reports is stronger than ever, even if you haven't yet suffered identity theft. Thanks to a federal law that went into effect last year, both placing and lifting a freeze is free for everyone. And when you ask to remove a freeze online or by phone, the credit agencies—Equifax, Experian and TransUnion—must lift it within an hour of receiving your request.
A freeze is designed to stop a criminal in his tracks if he attempts to open a credit line in your name. (It does not, however, block criminals from accessing accounts you already have.) A lender cannot view your credit report—a collection of data about your credit activity—in response to a new credit application when a freeze is in place. You must contact each credit agency separately to place and remove freezes. For good measure, you could also freeze your report with Innovis, a fourth credit agency, at innovis.com or by calling 800-540-2505.
If you run into roadblocks while dealing with the credit agencies, you can enlist a pro to help. Representatives of the Identity Theft Resource Center's free services (call 888-400-5530) will walk you through the steps. Or, if you subscribe to an identity-theft monitoring service, its reps may assist you. If you're getting nowhere after repeated attempts to work with a credit agency, try submitting a complaint to the Consumer Financial Protection Bureau. It will forward your complaint to the agency and aim to get you a response within 15 days.
Managing your freeze. When you place a freeze, each agency will give you a PIN, which you may later need to provide to unfreeze the reports. Equifax and TransUnion now allow customers to thaw their reports through password-protected online accounts (no PIN required), but you'll still need the PIN to lift a freeze over the phone. Keep your PINs and passwords in a safe place.
Be aware that new creditors aren't the only entities that may want access to your credit report. Some banks, for example, ping a potential new customer's credit report for identity verification when he or she applies to open a checking or savings account. If you want to use a third-party service that offers free credit scores, access to your credit reports or monitoring of your reports for significant changes, you may have to lift the freeze when you enroll—or, in some cases, the service won't work at all. Ask a service which credit agency's report it accesses—you may have to lift the freeze at only one agency. To create a My Social Security account online, for example, you'll have to remove a freeze temporarily only on your Equifax report; you can re-freeze the report after you've enrolled (you won't have to lift the freeze if you go to a Social Security office to open the account). Whether or not retirement is near, it's smart to create an account now to prevent a thief from opening one in your name and using it to collect benefits.
Stay vigilant. Even if you've frozen your credit reports, keep tabs on them. Every 12 months, you can get a free copy of your report from each agency at annualcreditreport.com. Make sure that you recognize each account listed.
A credit-monitoring service, which regularly scans your credit report and sends you alerts of significant changes, may be useful even if your reports are frozen. For example, a change in address may indicate that someone has taken over one of your existing accounts and redirected your mail.
You can get free monitoring of all three reports through CreditKarma.com (for Equifax and TransUnion monitoring) and FreeCreditScore.com (Experian). Some paid identity-theft monitoring services cover all three credit reports and offer other features, such as scanning of the dark web for your personal information and remediation services if you do become an identity-theft victim.
If a suspicious account shows up on your credit report, contact the lender's fraud department. If someone has stolen your identity, file a police report and fill out an Identity Theft Report at the Federal Trade Commission's IdentityTheft.gov website, then send those documents to the lender and the credit agencies. The agencies must remove fraudulent information from your reports if you send them the FTC form.
Don't get hooked by fake messages.
The problem: Phishing can come in the form of e-mails, texts, social media messages or phone calls that try to extract personal information from you or infect your device with malware. These devious messages may address you by name, appear to come from a person or company you recognize, and mimic the look and tone of communications from your bank, social media accounts or employer.
If you fall for a phisher's e-mail or other message and click on a nefarious link, or open a malicious attachment, "your computer or phone gets owned by the bad guys," says Stu Sjouwerman, CEO of KnowBe4, a company that provides security-awareness training. Criminals can monitor your activity, steal your log-in credentials to sensitive websites, spy on you by turning on your camera or microphone remotely, hold your data for ransom, and more.
How to avoid it: KnowBe4's top-clicked phishing subject lines in the last three months of 2018 included "Password Check Required Immediately," as well as the timely "Your Order with Amazon.com," and "Happy holidays! Have a drink on us." Kelvin Coleman, executive director of the National Cyber Security Alliance, says phishing campaigns often materialize in relation to big health scares, natural disasters, tax season and elections.
Scan e-mails for visual cues that something is off, such as grammatical errors, misspelled words or distorted company logos, says Brian Lapidus, head of identity theft and breach notification at security firm Kroll.
Examine the "from" e-mail address to see if the user name and domain are recognizable, or if they contain subtle typos, such as "@amazom.com." Hover over hyperlinks with your cursor to see if the link that pops up matches the web address in the message. Instead of clicking on links from e-mails sent by, say, your bank or brokerage, type the web address into a separate tab. A fishy link may lead to a realistic mockup of the institution's website, complete with the padlock symbol and "https"—widely seen as signs of authenticity—in the URL, says Stacy Shelley, vice president of marketing at PhishLabs, a cybersecurity firm.
Rather than opening attachments you don't recognize, use the "preview" function if your e-mail has one to view them safely. Better yet, contact the sender in a separate e-mail or text to ask if he or she e-mailed you an attachment. Be extra careful when viewing e-mail on a mobile device, where you can't hover over a link or easily see a full URL after clicking on a link.
Equip your devices with anti-malware software and regularly install security patches and updates. (For more tips, see lockdownyourlogin.org.) Set up two-factor authentication where possible, and back up files once a month to the cloud, an external hard drive or memory stick in case your device needs to be wiped clean or a criminal holds your data for ransom.
What to do if you're a victim: Change the passwords to your financial accounts and other important websites as soon as possible, preferably from another computer in case a keylogger is recording these new passwords on your compromised device. Run a malware detection tool, such as Malwarebytes, to see if your computer was infected. If your device has been locked with ransomware, try searching the internet for unique words in your ransomware note to see if you can find a free decoder.
Or find a pro to help. Best Buy's Geek Squad charges $100 for remote virus and spyware removal, or $150 for in-store or at-home help. Staples charges $100 for remote service, $160 for an in-store fix, and $300 for a technician to visit your home. McAfee Virus Removal Service ($90) and Norton Spyware & Virus Removal ($100) will help you remotely as well.
How to secure your devices
Ask any security expert how consumers most often shoot themselves in the foot, and the response will almost certainly be passwords. The most common password in the world is "123456," followed by "password." We are bad at passwords.
The best solution is a password manager. LastPass offers a free version of its software that will generate, store and save randomized passwords across all your devices, all locked behind a single master password. Many browsers function like password managers, offering to save your log-in information. Some, including Google Chrome, will even generate a random password for you. But the password requirements for your Google account aren't very strict, with no uppercase letter, number or symbols needed. If your master password is easy to crack, all the accounts saved inside could be at risk.
Another crucial practice for securing your devices is two-factor authentication, or 2FA. You've experienced 2FA if a service has sent you an e-mail or text to confirm your identity before signing in. If an account gives you the option to require 2FA whenever you log in, it's generally a good idea to use it. The extra step prevents a thief with your bank password from accessing funds remotely.
Not all 2FA systems are equal, however. If an account only offers authentication via basic text messaging, you may be vulnerable to a "SIM swap". For now, this is still rare, and "having 2FA is better than not having it, no question," says Jake Williams, principal of Rendition InfoSec and former NSA hacker. The website turnon2fa.com offers step-by-step instructions for activating the feature across dozens of websites, from Facebook to Fidelity.
Where to get help
Tap these resources to protect yourself from ID theft, to get assistance if you do become a victim and to receive alerts about new scams.
- The nonprofit Identity Theft Resource Center helps victims resolve identity theft. Call the ITRC at 888-400-5530, or start a live chat online at idtheftcenter.org.
- The AARP Fraud Watch Network hotline (877-908-3360) offers victim assistance, and you don't have to be an AARP member to use it.
- The Federal Trade Commission's IdentityTheft.gov walks victims through the steps to recovery depending on the type of fraud they experienced and offers sample letters to send to credit agencies, lenders and other involved parties. FraudSupport.org also guides victims to resources.
- For detailed instructions on how to place a credit freeze, including web links and phone numbers for the credit agencies, see Freeze Your Credit in Three Steps.
- To stay up-to-date on the latest scams, you can sign up for alerts at fraud.org, consumer.ftc.gov/features/scam-alerts and aarp.org/money/scams-fraud.
- To see if any of your e-mail addresses or accounts have turned up in a data breach, go to HaveIBeenPwned.com. If you turn up a positive result, it's time to update your passwords.
- If a suspicious e-mail shows up in your inbox, use Google's Safe Browsing URL checker to see if a website has been reported as dangerous to visit. This can include malware-laden cesspools as well as legit sites that have been compromised. See more at transparencyreport.google.com.
|For more news you can use to help guide your financial life, visit our Insights page.|