Feature: How to Avoid Identity Theft
A national expert on identity theft explains this new and growing crime and suggests steps you can take to avoid being victimized.
It was over five years ago now that I received a telephone call from a fraud investigator at a credit card company asking whether I had applied for a credit card at their financial institution. The information reported on the written application had raised an identity theft “red flag” with the credit card company: the “present” address on the application was a “new” address, one different than shown on the credit report the company had obtained to verify my credit worthiness.
I was alarmed and afraid to learn that an impostor had used my name and Social Security number to apply for the credit card. I knew nothing about identity theft. Who would do such a thing, and why me? I felt almost intimately violated, knowing that someone, somewhere was posing as me. And I felt helpless and frustrated: no one would help. The unsympathetic fraud investigator would give me only scant information—the “new,” current address listed on the application blank, and police officers at three different departments provided various explanations for why none would take my complaint: there was no evidence a crime had been committed; a complaint must be filed in the legal jurisdiction where the theft of the identity occurred; and, even one comment that “identity theft is not a crime.”
Thus began a nine-month long, personal investigation that discovered many other victims and uncovered an identity theft network that, for several years, had been operating across the United States. I learned that the perpetrators had used my name and Social Security number to fraudulently apply for and receive over 30 credit cards from banks across the nation, and they used my name and credit worthy record to purchase merchandise ranging from computers, cameras, DVD players and other expensive equipment and magazine subscriptions to lingerie ordered online from a nationally-known store.
Armed with binders filled with documented evidence obtained from Internet searches, telephone calls, and valuable information provided by the postal manager who worked at my “new” address (where I traveled to pick up “my” mail and merchandise), I met with an agent of the United States Secret Service, which handles credit card fraud. They would take it from here. My work was finally finished. Little did I then realize, however, that for the next several years I would become an advocate for victims, a trainer of police officers and business fraud investigators, and a researcher of identity theft issues.
THE MSU PARTNERSHIPS IN PREVENTION
For 14 years prior to my identity theft, my academic research focused on white-collar crime. Now, however, I became curious about identity theft criminals and their networks and the impact of their offenses on other victims. What began as an effort to help victims of identity theft evolved into what is now called the Michigan State University-Business Identity Theft Partnerships in Prevention. The Partnership’s four-fold mission is to provide advocacy for victims of identity theft, work with businesses, where the majority of identity thefts are committed, to help prevent the theft of employee and customer identifying information, provide training for police officers on how to successfully investigate identity theft cases, and conduct research on identity theft crimes, criminals, and victims.
Since the theft of my identity, many things have changed. At that time, few if any police officers knew about the Identity Theft Assumption and Deterrence Act of 1998, under which legislation identity theft is a federal offense. Also, in the past two-three years, many states have enacted legislation which enables victims to file complaints where the fraudulent credit card or merchandise is delivered or where the fraudulent bank or other transaction has occurred, or in the victim’s residential jurisdiction, or where the theft of the identity occurred (which rarely is known).
THE FIRST STEPS A VICTIM MUST TAKE
Further, although often lacking in human and other resources to investigate identity thefts, most police departments today will take a victim’s complaint, which is one of the first steps a victim must take to prevent further abuse. Technically speaking, without a formal police report, there is no crime; also, credit agencies and businesses require a copy of the police report for disputes of erroneous information on a credit report or for claims of payments due for merchandise the victim did not purchase.
However, the very first step is to close all financial accounts—bank, credit card, retail, and others, opening new accounts with new numbers. Victims often ask, “Should I change banks (or credit card companies)?” The answer is, “No.” No financial institution or other business is immune from the threats of identity theft, so long as there are identities to steal and criminals who will steal them. In fact, what most articles on identity theft fail to note is that, wherever there is an individual whose identity has been fraudulently used, there is at least one but usually more, businesses that also are victims—these are the credit card and other companies that shoulder the dollar costs of identity theft. Ultimately, and unless identity thefts are soon mitigated, consumers may be called on to share some of this burden.
THE SECOND STEP: CONTACT THE CREDIT AGENCIES
Victims should next place a “fraud alert” on their files with each of the four credit reporting agencies: Experian, Equifax, TransUnion, and Innovis. The Federal Trade Commission recognizes only the first three; however, Innovis also provides businesses with consumer’s credit information, and Innovis will place an alert on the record and also send the victim a free credit report. To place a fraud alert on the files of the other three credit agencies, or for anyone who wishes to obtain a free credit report so as to verify the accuracy of one’s credit history and other personal information, visit www.annualcreditreport.com. This is the legitimate Web site recommended by Federal Trade Commission. Be aware: numerous other Web sites now advertise free credit reports, but these offers are usually promotional incentives for purchasing identity theft insurance or other, usually unnecessary, services.
THE NEXT STEPS: VISIT THE MSU WEB SITE
To prevent further victimization, victims must take a number of other steps. Depending on the type of crime that was committed using the stolen identity, contacts must be made with the Social Security Administration, Department of Motor Vehicles, Internal Revenue Service, or other federal agencies. Detailed information and step-by-step instructions are provided for victims at the MSU Identity Theft Web site at www.cj.msu.edu/~outreach/identity. Click on the “Victim’s” button to find names, addresses, toll-free telephone numbers and all other information that victims need to protect themselves. Victims learn how to analyze credit reports, clean up credit, and take control of the future flow of personal information. Templates are provided for letters of dispute or correction of information; victims need only insert their own names and addresses. The instructions even underscore the importance of and reasons for using certified mail when dealing with identity theft issues.
AN OUNCE OF PREVENTION
Although the majority of identity thefts are now known to be committed in businesses by the relatively few dishonest employees or people impersonating employees, or by vendors, suppliers or others who gain access to insider passwords or key codes, many identities also are stolen from dumpsters and recycling containers (bar codes on labels often contain mounds of identifying information), from thefts of autos and homes, and by dishonest clerks or waiters who use card readers to steal credit card numbers, or by pocket pickers or purse snatchers. Individuals, therefore, can protect themselves in several ways.
THE SSN
- Memorize your Social Security number and store the card in a safe place.
- Provide your SSN for financial and medical transactions only.
MOTHER’S MAIDEN NAME
- A mother’s maiden name is not necessary to conduct any financial transaction; use instead another password. The mother’s maiden name is usually required to obtain an original birth certificate, which perpetrators use to engage in complete identity takeovers.
THE TELEPHONE
- Unless you initiate a call, decline to give your personal information over the phone.
- Do not give personal information over a cell or portable phone as these transmissions are easily monitored
- Examine telephone statements for unauthorized calls.
- Even if an email source seems legitimate, do not answer unsolicited email requests.
- Unless you know the sender, do not open email attachments (opening an attachment can trigger the release of a computer virus)
THE CREDIT REPORT
- Conduct an annual review of your credit bureau reports, obtained free from each of the three credit-reporting agencies--Experian, Equifax, and TransUnion. Look for “red flags,” such as the listing of addresses where you’ve never lived, accounts not opened by you, or aliases you’ve never used. All are indications of identity theft.
FINANCIAL ACCOUNTS
- Place passwords on all financial accounts, including credit cards, telephone, cell phone, banking and investment accounts.
- Be aware of the mailing date of bank and credit card statements. A missing statement could indicate a thief has changed your address to divert your mail. Contact the bank or credit card company immediately.
- Review bank and credit card statements immediately upon receipt for unauthorized transactions.
ABOUT BANK CHECKS
- Print only first and middle initials and last name, use a post office address where possible.
- Pick up newly ordered checks at the bank or have them sent to a post office box.
ABOUT MAIL
- Take outgoing mail to the post office. Do not leave mail unattended in an outside, open, or unsecured mailbox.
- If using an outside box, use an official U.S. postal boxed with a lock (can be ordered for the U.S. Post Master).
- Shred mail with personal identifying information including magazine labels and pre-approved credit card offers.
- Remove your name from marketing lists by calling 1-888-5OPTOUT.
E-SHOPPING
- Shop safely online by shopping with known merchants.
- Before ordering, check the security of the Web site. The URL, or web site address, should begin with “https.” A graphic, such as a lock, should appear in the bottom right corner of your browser bar. If in doubt about a company, contact the Better Business Bureau in that city or state.
- Before ordering merchandise online, read the company’s privacy policy. Be aware if there is no such policy. You need to know how they intend to use your personal information.
- Use only credit cards for online shopping: never give an online merchant a bank account numbers or Social Security number.
COMPUTER SECURITY
- Secure computers against viruses, key logger programs (that record key strokes), and attacks by other intruders. Several chapters in “Identity Theft Investigations” (address below) are devoted to computer security and written in lay language.
EDUCATE TEENS
- Teens are especially at risk because most have untarnished credit; they have not yet applied for or become delinquent on payments for loans or accounts. The incredibleinternet.com is a valuable source of detailed information about the prevalence of identity theft, the susceptibility of teens, and methods for protection. Contained on the Web site are numerous documents, written by this article’s author, for teens and their parents and teachers.
A LAST WORD, ABOUT PIN NUMBERS AND PASSWORDS
All financial and phone accounts should have an access password or PIN number. Be cautious when choosing these numbers. Strong passwords and PIN numbers—those that provide the best security--are a combination of random and unique letters and digits.
Do not use the following types of information as passwords or PIN numbers:
- Mother's maiden name
- Date of birth
- The last four digits of the Social Security number
- Consecutive numbers or letters (example: 1234, abcd)
- Pet's name
- Spouse's date of birth
- Spouse, son or daughter's name
- Wedding anniversary
- Nickname
- Telephone number
Protect the following types of accounts with passwords or PIN numbers:
- Telephone
- Cell phone
- Checking
- Savings
- Investments
- ATM and debit cards
- Credit cards
- Change passwords about every six-nine months. Do not carry a list of your pin numbers or passwords on your person.
IN SUMMARY:
If you become a victim, close financial accounts, open new accounts with new numbers.
- File a police complaint
- Place fraud alerts on reports of four credit agencies
- Obtain and analyze credit reports for fraudulent activity
- Contact the necessary federal, state and other agencies
- Clean up credit
- Protect the future flow of personal information
For step-by-step instructions, telephone numbers, addresses and all specific information and complete details on the above and other steps that victims must take, visit www.cj.msu.edu/~outreach/identityor email us at idtheft@msu.eduor
Call us at the MSU Identity Theft Crime and Research Lab, 517-432-4236.
WHAT IS AN “IDENTITY”?
Identity theft is defined as either “personal” or “business.” “Personal identity theft’ is the unauthorized use of another person’s “personal identifying information” to obtain: credit, goods, services, money, or property, or to commit a felony or misdemeanor. “Personal identifying information” means an individual’s: name, address, telephone number, driver’s license number, Social Security number, place of employment, employee identification number, mother’s maiden name, demand deposit account number, savings or checking account number, or credit card number.
The mother’s maiden name is the key piece of information needed by a criminal to obtain a birth certificate, called a breeder document, in the victim’s name. The perpetrator uses the birth certificate to obtain a complete set of documents such as a Social Security card, passport, and driver’s license.
“Business identity theft” is the unauthorized use of a business’s “business identifying information to obtain: credit, goods, services, money, or property, or to commit a felony or misdemeanor. “Business identifying information” means a business name, address, telephone number, corporate credit card numbers, banking account numbers, federal employer identification number (FEIN), Michigan Treasury Number (TR), electronic filing identification number (EFIN; Internal Revenue Service), electronic transmitter identification number (ETIN; Internal Revenue Service), e-business websites, URL addresses, and e-mail addresses.
Judith Collins is associate professor of Information Security Management, School of Criminal Justice, MSU and the developer and director of the MSU-Business Identity Theft Partnerships in Prevention and the MSU Identity Theft Crime and Research Lab, established in 1999. Dr. Collins has written four books on identity theft, the most recent ones being, Identity Theft Investigations: For Businesses, Law Enforcement, and Victims (John Wiley & Sons, Inc. 2006) and Preventing Identity Theft in Your Business: How to Protect Your Business, Customers, and Employees (John Wiley & Sons, Inc., 2005).
