How the Grinch Stole Your Identity

Reprinted with the permission of Identity Theft 911

For most of us, the start of the holiday shopping season is the cue to pull out our credit cards (or even apply for new ones) and hit the stores, malls, and e-commerce sites to find the perfect gifts for our loved ones. But there are others — identity thieves, con artists, and grinches of other sorts — for whom the holiday season is a chance to defraud the rest of us by stealing and exploiting our credit card information. And with online commerce due to boom this year (an estimated 86 million online shoppers are expected this holiday season) and billions of dollars more in bricks-and-mortar retail sales, the stage is set for credit card fraud to reach record levels.

Of course, the risk is more serious where the incidence of identity theft is highest. For instance, residents of the three metropolitan areas hit hardest by identity theft in 2003 — Phoenix-Mesa, Los Angeles-Long Beach, and Riverside-San Bernardino — should be especially careful. But the fact is that the holiday season revs up risk factors across the board, for reasons that range from increased transactions to family distractions. So whether you hang your hat in Hoboken or in Whoville, you'll want to be even more vigilant than usual.

The good news is that there's a lot you can do to keep scammers from nabbing your credit card information and other identity data — especially if you understand what they do and how they do it.

Receipts as a risk factor

Credit card receipts and bills — dropped on the sidewalk, left in empty shopping bags, or simply tossed in the trash — are an extremely common way for identity thieves to obtain your information and put a damper on your holiday cheer. Some states require that receipts truncate the card number so the whole number won't be available to prying eyes. Unfortunately, this practice isn't universal, so your safest move is to keep receipts in your wallet or purse and shred them before throwing them away. Bills and statements have most of your valuable information printed on them; they, too, should either be kept in a safe place or shredded.

Katrina Schmidt, a resident of Scottsdale, Arizona, can testify to the dangers of throwing away unshredded receipts, bills, and other sensitive documents. In October 2004, a dumpster-diving criminal found “convenience” checks, sent to Schmidt by her credit card company, in the trash outside her apartment. “All of a sudden I was getting calls from my credit card company, asking if I had authorized transactions for thousands of dollars.” says Schmidt. “I was being robbed blind, and I felt very helpless.”

Although Schmidt admits she should have been more careful, she also believes banks and credit card companies that issue such checks must take stronger measures on their end as well. “When these types of checks are cashed, these companies need to step up to the plate and check carefully for signatures and proper identification, as well as contacting the account owner directly about large-scale purchases.”

Location, location, location

In addition to lax industry practices — and her casual treatment of a sensitive piece of mail — there's another important risk factor on Schmidt's list: She lives in Arizona, a hotbed of identity theft and related fraud. According to FTC reports for 2003, Arizona suffered the highest rate of identity theft per capita of any state: 122.4 incidents for every 100,000 people. (South Dakota, with 19.6 per 100,000, had the lowest rate; the nationwide mean was 56 per 100,000.) Statistical projections from the FTC numbers and other data give an estimated 315,048 identity theft incidents in Arizona for 2003 — 5.6 percent of the state's population, or more than one in twenty. In fact, in 2003, the Phoenix-Mesa area had the highest per capita rate of identity theft reported of any major metropolitan area in the U.S.

The message here: If your location puts you at higher risk, you need to know it — and take appropriate precautions. "High-risk location" might mean a city or state with a high rate of identity theft. It might also mean a crowded, chaotic shopping mall, department store, or restaurant, where it's easy to make a mistake. Either way, higher risk demands greater care.

Another Scottsdale resident, Jayson Eagley, had his own brush with identity theft after a visit to a popular fast food outlet. “I left a credit card receipt in the parking lot of Taco Bell. Not even 48 hours later, three automobiles had been purchased with my information,” claims Eagley. “The scary part,” he adds, “is that two of the cars were purchased from the same dealer, who obviously allowed someone who didn’t have proper identification matching the credit card to make thousands of dollars worth of purchases.”

Holiday phone fraud

Eagley, who works for one of the Big Five mobile phone service providers, says that doing credit checks on a daily basis has opened his eyes to the world of identity fraud. “Because of many fraudulent attempts, we now take photocopies of driver’s licenses when customers open new accounts. We also truncate the beginning digits of Social Security numbers on bills and letters. There have been people in the past that have opened up cell phone accounts under someone else’s name and bank account, and have had a contract and service provided for years, undetected. That's how smart the criminals are nowadays.”

Many people spend time at home with family and friends during the holiday season — which creates the perfect opportunity for another type of telephone scam. Soon after purchasing a workout program over the telephone with her credit card, Phoenix resident Janet Finn started receiving bills for purchases she hadn't made. The source of all of the purchases was Southeast Asia — which didn’t surprise her one bit. “I should have known better than to give my credit card information over the telephone," she explains. "I lived in Manila for 16 years, and this type of fraud was extremely popular there, even way back then. It finally happened to me — and it cost me valuable time and money getting the situation rectified.”

Bobbi Tirman, a resident of Mesa, Arizona, also gave her credit card information while purchasing a product over the telephone — only to find later that her card limit had been exceeded on multiple Internet e-commerce sites. “You don’t know who to trust these days," Tirman notes. "But it’s almost good that this happened to me on a smaller scale. Now I am very cautious and willing to learn about ways I can protect myself. It could have been much worse. In my opinion, knowledge on the subject is the key to prevention.”

The best way to protect yourself from this type of criminal activity is to be cautious in giving out any personal information over the telephone. Know who you're talking to. And, if at all possible, only give information to people that you have initially contacted or researched — never to companies that have called you first.

Skimming

Even cautious credit card users won't think twice about handing their card to a waiter, a cashier, a bartender, or a hotel clerk — then having it vanish for what seems like an eternity. This, besides being consummately annoying, turns out to be dangerous as well. Using a pager-size electronic device called a skimmer, a service worker with even the briefest access to your credit card can scan and store your account information, then download it later to a counterfeit card.

The illegally manufactured counterfeit card is nearly identical to the original; in addition to the magnetic stripe that holds your stolen account information, many bear holograms and logos that that will easily fool the untrained eye. A typical skimmer can hold data from up to 200 credit cards — which can make an evening's tips look pretty paltry by comparison.

“A Far East factory will do as many as 5,000 cards a night. The next day, those cards are in a suitcase on the way to Europe,” says George Wallner, chairman and chief strategist at Hypercom Inc., a leading provider of point-of-sale card payment terminals.

While most of the waiters, clerks, and other service workers you'll encounter are undoubtedly hardworking, honest people, there are plenty of scammers out there too. Skimming, according to one source, costs credit card issuers more than $350,000 per day. It’s estimated that 10 to 15 U.S. restaurants per week are identified as harboring skimmers. There's no telling how many remain undiscovered.

The key to protecting yourself against skimming is to keep a close eye on the clerk and the card, so that they are both in your sight at all times. Also, although it may seem old-fashioned, paying with cash is an alternative that can prevent skimmers from walking away with your identity. Reviewing monthly statements and bills for unwarranted charges is also an important way to nip credit card fraud in the bud.

Credit card companies are trying to protect themselves as well by incorporating software that tracks unusual spending patterns. However, this method is far from being foolproof, and fraud experts insist that there's no substitute for vigilance on the part of individual consumers.

Shoulder surfing

At this time of year, the chaotic crowds and endless lines in malls and stores make shoulder surfing even easier and more lucrative than usual. The victim might be at a retail counter, at a public computer or kiosk, standing in line, using a mobile phone, or having an ordinary conversation. The perpetrator simply sees or overhears the sensitive information that's being communicated, then uses it to his or her own advantage. Mobile phone cameras and web cams give this fraud method a further twist.

A good way (and, quite possibly, the only way) to defend against shoulder surfing is to write down sensitive information rather than saying it out loud — and to avoid repeating such information on the phone or in conversation if there's a chance you'll be overheard. Of course, any time you enter a PIN or a password related to a credit card, debit card, or bank account, be sure that no one can see what you're entering. you should also be wary of anyone who seems to be paying unusually close attention — they may be hoping to capture your PIN, then steal your card.

Phishing

The identity theft scam du jour is phishing, a technique that combines spam with brand forgery to trick recipients into giving up personal, financial, and account information. The con uses a combination of spam emails and fake corporate web sites to impersonate legitimate businesses to unwitting customers — using bogus return addresses, stolen logos, and lookalike destination sites to lend an air of legitimacy. The phony emails often tell potential victims that they must "update" or "validate" their billing information to keep their accounts from being suspended or terminated. The recipient is then directed to a web site with a convincing address and a look-and-feel that seems real — often right down to the typeface and the corporate logo. All too often, recipients end up giving the criminals valuable information — including credit card numbers, PINs, and even Social Security numbers.

Washington Mutual customers — along with thousands of perplexed non-customers — recently received a phishing email with the following ominous message:

We recently have determined that different computers have logged onto your Online Banking account, and multiple password failures were present before the logons. We now need you to re-confirm your account information to us. If this is not completed by December 5, 2004, we will be forced to suspend your account indefinitely, as it may have been used for fraudulent purposes.

Recipients are asked to provide their username and password to the criminals, after which they are redirected to the bank’s actual web page. By then, though, the damage has been done. By the time the fraud is discovered, the consumer may already have lost thousands of dollars.

Dave Siebler, an Arizona native, recently signed up for an eBay account in order to start a home-based business. Within three days, he received an email that purported to be from eBay — but thanks to an article he had recently read online, he was able to determine that it was a phishing attempt. “The site looked completely legit, but I wondered why they were updating my information when I’d only created an account a few days before. I was very close to responding with my personal information, because the message seemed very urgent, telling me that my account might be suspended. This happening to me has shown me exactly how large-scale this problem is. I’m sure that thousands of other people are getting the exact same email.”

According to the Anti-Phishing Working Group, there were 1,142 active phishing sites reported in October 2004 alone. In addition, there has been a 25 percent average growth rate in phishing sites per month between July and October 2004. Some of the largest companies in the world — including Best Buy, Amazon.com, US Bank, and eBay — have been targeted by phishing fraud. The financial services sector continues to be the number one victim, accounting for 73 percent of all phishing crimes in October 2004, and the United States continues to host the majority of these fraudulent activities. TowerGroup, a leading information provider for financial and technological firms, states that phishing attacks will account for more than $137 million in losses worldwide in 2004.

Anti-phishing measures

There are several significant steps you can take to protect against phishing. The most important is also the simplest: Don't give out any personal or financial information in response to an emailed request — especially if the reason given is a supposed "update" of your records or a threat to suspend your account. Legitimate companies will never ask you to provide this type of information via email. Furthermore, it's very unlikely that a nationwide retailer, Wall Street brokerage firm, or Fortune 500 bank is relying on you to back up its database.

It is also very important to be cautious about opening emailed attachments or downloading files from emailed web addresses. When in doubt, don't. Some phishing emails can exploit security holes in Microsoft's Windows, Outlook, and Internet Explorer (IE) software to secretly install a "Trojan horse" program on your computer or connect it to a network in, say, Russia or Thailand. Others use IE flaws to disguise web addresses to mimic trusted web sites. Finally, it is highly recommended that you use a firewall and keep antivirus software up-to-date. These low-cost measures could save you thousands of dollars, many hours of effort, and months or years of heartache and frustration.

Other holiday scams

Some identity-related crimes, such as breaking-and-entering, can be difficult to prevent — but, here again, there are ways to reduce your risk. For instance, you definitely don't want your Social Security number on your driver’s license. Just ask Arizona resident Cynthia Anderson. “My car was broken into,” Cynthia explains, “and the only thing in my wallet was my driver’s license. Unfortunately, my Social Security number was printed on it, and that gave the criminals full access to my information. Within two days, two different credit card accounts were opened under my name, and charges were made on another credit card that I had. They were able to find out my credit limits and everything!”

Here are some other precautions you can take to minimize risk and detect fraud early, no matter what scam method a criminal might use:

• Closely review bills and statements upon arrival for signs of unwarranted purchases or opened accounts.
• Either shred bills and statements or store them securely.
• Monitor your credit reports frequently to reduce the damage from any fraud that may occur.
• Recent changes in the Fair Credit Reporting Act entitle you to free annual credit reports. Obtain yours, and review them carefully.
• Paying with cash is a great way to leave credit cards and other sensitive information at home while doing your holiday shopping.
• If you must use credit or debit cards, keep a close eye on them at all times — especially in the hands of a waiter or a cashier.
• Never respond to an unsolicited email by giving out personal information.

In an ideal world, we could enjoy the holiday season untroubled by thoughts of identity theft. The truth is, though, that we can never be too safe when it comes to our personal information. By understanding the risks and taking appropriate precautions, you can give yourself the best holiday gift of all: peace of mind.