Guilty but Not Responsible
“Every day of my life for seven years, I’m on the phone with my fraud specialist trying to figure this thing out.”
Those are the words of Andrea Parker. Or I should say, those are the words of an identity theft victim whose name was changed to Andrea Parker in the media, because she was dragged through such an unmitigated hell she was scared the woman who scammed her—or worse, a new and even crueler fraudster—would decide that she makes an irresistible target.
Andrea is noteworthy because really every imaginable kind of identity theft happened to her. She was the victim of criminal identity theft—crimes were committed by someone using her name—and financial theft. On the monetary side of things, the damage was more than $40,000 in medical bills alone, but in terms of the way it impacted her life, the damage is simply unfathomable.
“It’s been hell,” she told a reporter in 2011, when she was working her way out of the morass created for her by a criminal.
The thief got a driver’s license and a passport in Parker’s name (her actual name), and committed felonies that entered the jurisprudence system using her name, so that every time she applied for a job, she failed her background check. A store got in touch with her about some shoplifting, and a bank called about some accounts that she neither set up nor knew anything about.
“Basically, she’s been doing everything and anything she can do with my name. She’s living as me,” she told Herb Weisbaum when he covered her story in his ConsumerMan column at NBC News.
Parker had never been arrested, but there were warrants out for her arrest in California for crimes she didn’t commit, and no way to go and defend herself without getting arrested in the process, since as far as law enforcement was concerned, there was only one of her, and she was a criminal.
“I never had a parking ticket,” she told Keith Yaskin, a reporter with the local Fox affiliate in Phoenix, Arizona.
Meanwhile, a twenty-nine-year-old woman named Debbie Miller was arrested in Florida and accused of misusing more than $34,000 worth of Social Security benefits. Miller was Andrea Parker’s identity thief.
This was a clean sweep. Every time she left her home, Parker had to worry about something as banal as a traffic stop, because it opened the possibility that her driver’s license would be run through a law enforcement database, her “record” would be discovered, and a call for backup to arrest her made. My company IDT911 helped her obtain special credentials so that if she was pulled over, police on the scene would have sufficient information to prevent an arrest.
Sarah Carr, Almost IRS Scam Victim
A voice mail was waiting for Sarah Carr one not-so-fine Tuesday morning. She was very pregnant—at the tail end of her third trimester.
Expecting any day, the hormonal perfect storm raging inside her, the last thing she needed was that threatening message informing her not only that the IRS had placed a lien on her property, but that the federal government was filing tax fraud charges against her.
To say she was beside herself would be an understatement—a mom-to-be going to jail.
There was no reason to doubt the threats were real. She reasoned that there must have been an error in her tax forms, but the IRS must have decided it was an intentional act of deceit. When she called the number that the IRS agent left, she was confronted in a way that had to be real, since the agent had the type of sensitive personal information that couldn’t possibly have been gleaned from the Internet—or so she thought.
If you get a call from any institution about a financial matter or an issue regarding your information security, ask for a phone number and hang up.
Confirm that the number is correct. Many scams will turn up if you simply enter the phone number in the search box of your Internet browser. But the simplest solution is to look up the number on the organization’s website—whether it is for the IRS or any other organization.
Pro tip: The IRS will never call you or send you an email. Their initial communication is always by way of snail mail.
Or did she think anything?
For most of us, when we get such a call, the last thing on our minds is that we are being scammed. The most common reaction is to panic, and point the finger at yourself. Scam artists bank on that. You’re much more likely to think “What did I do wrong?” than “Is someone out to get me?”
But that latter response needs to become your default setting.
Sarah Carr was lucky.
She panicked while the man on the line regaled her with seemingly hard-to-know facts about her life, including serious details about the three companies that she owned. In reality, he was providing a real-life illustration of why your name, phone number, email address, and even your various identities on social media (in this case, probably her LinkedIn resume) need to be understood rightly as so many elements of your discoverable personally identifiable information. The scammer Carr was talking to was using that sort of information to scare her into sending him money.
“You hear about scams all the time, and you think that you’re smart enough and you would recognize [it],” Carr told KUSA in an interview. “It was all just so real.”
Then, as Carr’s would-be scammer explained what was going to happen next, she started crying. It’s not a tactic that will do you much good ordinarily, but Carr got lucky.
“I blurted out, ‘I’m nine months pregnant. I’m supposed to have a baby in three weeks. I don’t know what I’m going to do,’ ” Carr told KUSA, “And then he says, ‘Wait, wait, wait, wait, you’re pregnant?’ And I said, ‘Yes!’ And he goes ‘I’m sorry. I’m sorry. I’m sorry, this is a scam. You’re OK. We’re scamming you. We were just trying to get money out of you. Please stop crying.’ ”
And so Sarah Carr slipped the noose.
Tragically, the IRS scam is becoming more and more common, but like a good punch line, it’s all in the delivery. If the right swindler gets your number, you’re going to need some serious muscle memory (hang up, check the number, call back) to avoid getting got.
Nudegate
Remember when the Internet was nearly trampled to death in a digital stampede for nude celebrity photos, including pictures of Jennifer Lawrence, Ariana Grande, Mary Elizabeth Winstead, Kate Upton, Rihanna, and others? More than one hundred celebrities made that particular list of Hollywood Who’s Who.
The pictures found their way online—as in the public part of the Internet—because there was demand, and a cool problem set for a hacker to solve. Most likely, the hackers exploited one of the key elements of celebrity: that everyone knows everything about their favorite stars. With a little online searching, you can find loads of seemingly innocuous information about your favorite pop star, like a sister’s first name or the name of their elementary school. Identity thieves are all too happy to have it. The hackers who got ahold of the nude photos didn’t need fans to grab the adored one’s Social Security number. They just needed to know the name of their childhood friend, their first dog’s name, the first street they lived on, or their mother’s maiden name. From there, armed only with an email address, the hackers were able to penetrate each affected star’s Apple iCloud account by answering security questions. Sad but true. The pictures were reportedly floating around on the deep web for a week before they hit the broader information highway.
While the FBI began investigating how the pictures found their way to the public, millions of people were feverishly searching for ways to view the purloined photos. It became harder to find the most sought-after photographs—Jennifer Lawrence topped that list—when Perez Hilton’s eponymous site took them down and issued an apology—though not before a bunch of dough was made on page views.
You can probably spot a phishing email in your sleep, and you would no sooner respond to an email about suspicious activity on your credit card than you would leave your wallet in a crosswalk in Times Square.
However, best practices often fly out the window when it comes to salacious material about our favorite celebrities. Think about it this way: As you wander in the darker alleys and backstreets of the Internet, where the risks should outweigh all other considerations, are you willing to forego sensible web behavior, when the likely outcome will be catastrophic?
The first threat is malware. You can expect it to wind up on your computer if you decide to search the less safe parts of the Internet for material that was never meant for your eyes anyway. It may be something simple, like code that turns your computer into a spam distribution center, or a more serious app that will record your keystrokes (including when you log in to your bank account). There’s no way to know what you’re getting yourself into. The best course of action is to use your imagination—or possibly even your sense of what should be off-limits. Malware can often lead to identity theft.
If you tend to chase breaking news stories and like to download the ephemera related to them (eyewitness photographs, blog posts), you may want to do a malware scan of your computer. As a matter of fact, this kind of scanning should be a part of your habit of monitoring your various points of contact with the outside world—your attackable surface—regularly for signs of fraud. And of course, the very least you can do is make sure that your devices are protected with highly reviewed antivirus and antimalware software that is kept up to date.
Katie Smith, Credit Card Fraud Victim
According to a report released by the U.S. Justice Department in December 2013, 45 percent of identity theft victims found out when they were contacted by a financial institution. That’s how Katie Smith learned that her identity was stolen.
“They went to an outlet mall,” Smith recalled, “and you could look on a map and see that they went from store to store to store to store.” The miscreant who hijacked Smith’s identity had it down to a science; he or she spread $18,000 worth of fraudulent charges across fourteen stores at an outlet mall.
“You feel very vulnerable. You feel out of control and someone else has stolen something from you. And it’s not like they stole your car. They stole who you are. They’re out there misrepresenting you, and there’s definitely an emotional component to it that I didn’t realize until weeks into it.”
Smith had access to a dedicated fraud resolution expert who ushered her from panic to peace of mind. After about six months, all of the credit and reputational issues caused by the $18,000 shopping spree were resolved. The process would have taken far longer had she tried to resolve each of the fourteen fraudulent accounts on her own, since it requires a significant amount of time and effort to report the crime to law enforcement, communicate with the fraud departments of the credit reporting agencies, develop the requisite documentation, and then sort everything out with the various retailers where she got got.
Kathryn Birmingham, Two Cases of Identity Theft
In 2001, Kathryn Birmingham learned that someone had been using the address of a property that she and her husband owned. They weren’t living there at the time. There wasn’t even a house.
Whoever did it used the address to set up a number of credit accounts in the United States. Changing a physical address is the most common way fraudsters take over an account.
Kathryn discovered the situation when a number of bills were delivered to her actual residence because there was no deliverable address on the vacant property. She then began the arduous process of investigating what had happened.
“Over the next year,” Birmingham said, “many bills and different connections for this one individual were established for this one property. So, I started trying to unwind it and try to do that on my own and I found that the institutions would not speak to me because I didn’t have that individual’s Social Security number. He had mine.”
Birmingham hired a lawyer, and spent the better part of three years trying to sort out the situation, clear the property, and repossess her own address.
“It was very frustrating,” she said.
“I found out that our IRS account had been hacked and I found out that it had occurred several years before and the government was just informing us of what had occurred.”
The first time around, she had to sue corporations to get them to stop allowing a criminal to use her address. The second time around was easier, because she had access to a fraud resolution service through her insurance company. It’s also worth noting that some time had passed—as the various crimes associated with identity theft increase, so has the ability to fight those crimes.
The most important take-away is that it’s necessary to follow the Three Ms if you want to catch fraudulent activity associated with your name, Social Security number, or other personally identifiable information.
Ebony Walton, Married to a Stranger for Eighteen Years
“I now pronounce you husband and lies.”
That was the first line of the New York Post article about Ebony Walton’s shocking discovery. The thirty-five-year-old New Yorker had applied for a marriage license, having decided it was time to finally tie the knot with her high-school sweetheart and boyfriend of eighteen years. But it wasn’t to be—or at least, not right away.
There was some shocking news. A clerk told Walton that she was already married, according to public records. In fact the nuptials in question had occurred eighteen years earlier, on December 10, 1997. It was an impossibility, but when she tried to tell that to the powers that be, she got nowhere.
At the time of the surprise wedding that she knew nothing about, Walton was eighteen years old and living with her boyfriend, her mother, and two cousins in a Harlem apartment. She had never heard of the person authorities said she had married, a man who hailed from Gujranwala, Pakistan. But as she came to terms with the fact that something happened, she started piecing together how it could have come to be.
A big chunk of identity-related scams are crimes of opportunity. The people who have the best shot at acquiring the kinds of information needed to pull off a caper like the one perpetrated against Ebony Walton are often those closest to us, like family and friends. That was the case here.
It was a decidedly low-tech scam. One of Walton’s cousins looked enough like Walton to use her identification. There was nothing more to the matter. The unwitting wife of eighteen years readily admitted that she left her identification unprotected in the home she shared with her cousins. The cousin in question had a drug problem, and had stolen Walton’s identification to register for a marriage license in a green-card marriage scam. She got the money, and Walton got the problem.
In this instance, it wasn’t too difficult to unravel. Judge John Spooner of the Office of Administrative Trials and Hearings in New York found that Ebony had been a victim of identity theft and green-lighted her marriage.
Yehuda Katz, NYPD Auxiliary Cop Scam Artist Supreme
This is not a common scam, but it’s a cautionary tale that illustrates what should be an axiom by now: We are beyond the point of “trust but verify” when it comes to unsolicited phone calls.
Today the credo should go something like, “Assume the worst, and remain suspicious even when you’re relatively sure—having hung up, poked around the Internet, called the main number of whatever organization allegedly called you, and asked yourself, ‘Does this make sense?’ ”
Yehuda Katz drove to and from work in a black Cadillac with the custom license plates, KATZILAC. He was an NYPD auxiliary deputy inspector based in Brooklyn and the epitome of what you might imagine an ambulance chaser to be—but he wasn’t a lawyer. He was nothing short of a parasite.
That said, he was a clever parasite.
Yehuda Katz hacked into the NYPD computer and law enforcement databases to get information associated with people who had been involved in traffic accidents. He grabbed their information from police reports and contacted them, claiming to be a lawyer.
Katz’s calls and letters included statements like, “I can advise you with 100% confidence that I can resolve this claim in your favor.” While it is unclear how he made money, the disgraced cop logged a lot of calls to medical clinics, law firms, and chiropractors that pointed toward some kind of kickback racket.
All told, the Katzilac-driving lout made more than 6,400 searches between May and August 2014 by hacking into computers at the seventieth precinct in Brooklyn, where he had installed a camera so he would know when he could enter the system without being detected. The discovery of that camera was his undoing.
What about the people he duped? They learned the Bad Lieutenant version of the NYPD public messaging, “Courtesy, Professionalism, Respect,” where all it takes is one cop to protect his car payments by self-serving in a poorly protected law enforcement information trough.
Catphishing
While we’re running the gamut here, there really are two main categories of vulnerability when it comes to identity theft: finance (which should be self-explanatory) and romance.
Nowhere is the romance category more an issue than online.
Studies have shown that more than 80 percent of all people lie (not to mention use Photoshop-primped pictures) in their online dating profiles. For those of you who haven’t yet dipped your toe into the tepid water of online dating, trust me. Most dating site users can tell a tale of woe regarding a less-than-forthcoming digital love interest who, when a face-to-face encounter occurred, wasn’t everything he or she seemed.
A little white lie here or there during the courting phase is standard operating procedure for many, but it’s also a common tactic for people who are looking for something other than love. Scammers who lie about who they are—and their romantic intentions—solely to get access to someone’s PII are a growing problem, and they certainly can be added to the roster of other notable phishing scams.
One of the more famous catphishing victims is Notre Dame football star Manti Te’o, whose heart-wrenching story of a love gained and lost was splashed across television screens from one end of the country to the other. Straight out of a Disney script, they met in Palo Alto after a game and fell in love. There was a car accident, a diagnosis of leukemia, love letters written, countless unending phone conversations, and then a tragic death.
According to Timothy Burke and Jack Dickey of Deadspin, the object of Te’o’s affection was a catphisher. There is no record of her birth, no record of her being a student at Stanford, no record of her car accident, no record of her death, no obituary, and the only photographs that identify her are snapshots from a social media account of a twenty-two-year-old living in California who is still alive and has a different name than the woman Te’o professed to be in love with.
Former Denver Nuggets star Chris Anderson faced a criminal investigation after a woman pretended to be him online and scammed and blackmailed more than a dozen victims (including a woman with whom he had a real-life relationship). A mother-daughter team in Colorado squeezed more than $1 million out of more than three hundred women around the world by pretending to be American soldiers who needed a few bucks to buy a phone or a plane ticket.
As the Better Business Bureau has warned, these scams are on the rise, in part because they’re cheap and easy. Many online dating sites are free to users, fake photos are easy to find, and a little investment—whether in time spent or in flower deliveries, neither of which requiring that a person be present—can net more in financial returns from the charmed women or men who fall under a catphisher’s spell.
So how do you make yourself somewhat invulnerable to catphishing? Psychologist Jack Schafer warns people to be wary of truth bias, our innate belief that most people are telling the truth in the absence of evidence to the contrary.
But there are some more concrete tips you can follow if you want to be safe from catphishers.
We have all been in situations where romantic flights of fantasy can lead us on journeys that may not have fairytale endings. When the tiny alarm bell starts going off in your head, listen carefully, lest your love boat turns into the Titanic.
Military Scams
There is a special circle of hell reserved for those who would perpetrate identity theft on active duty personnel.
For years the military has used Social Security numbers for everything from identifying duffel bags to checking out a rifle at the shooting range. Based on a directive issued a few years back, our armed forces are beginning to kick their SSN addiction. However, there are lingering effects, and the crime of identity theft can represent a huge problem for our service men and women.
The Three Ms are very important for our service men and women. There is just too much of their information flowing through too many hands. Many members of the military, as well as civilian contractors who work for the military or the U.S. government, must access classified information, and to do that they must obtain specific levels of security clearances—and they are not easy to pass. To join the ranks of this relatively elite group of people with serious access, an employee has to authorize the government to do the equivalent of a PII/PHI strip search (as well it should be), including the right to vet a candidate and to examine their employment history, medical history, and any criminal records and personal finances. All that information is potentially gettable, and if it gets got, the person with whom it is associated is in big trouble.
If a member of the military becomes a victim of identity theft, his or her world can be thrown into disarray. A single case of criminal identity theft—such as that experienced by Andrea Parker—can mean that security clearances are denied or revoked. According to my colleague Eva Velasquez, president and CEO of the Identity Theft Resource Center, if an enlisted person is in the process of applying for a new position, he or she will be disqualified from consideration. A bad credit score can do the trick. This is why it’s so crucial to observe the Three Ms.
When a person’s identity portfolio has been compromised, a background check can reveal a resume that has been turned into a rap sheet—arrests, tax crimes, and credit scores hammered by late payments and maxed-out payment cards. The entirety of who you are (on paper at least) can be laid waste by identity thieves moving about the country, doing whatever they damn please while leaving a trail of PII crumbs that lead back to an innocent victim.
Velasquez wrote a fascinating article about the case of an Air National Guardsman in Alabama. Major Zane Purdy made six figures a year working for a defense contractor until his identity was stolen and sold to a tax fraud ring. The result was the loss of his job and suspension from the National Guard. Obviously, his security clearance was also revoked. His next job, working at a restaurant, paid $7.25 an hour.
The issues that face enlisted men and women when it comes to identity theft and identity-related crimes are many. In response to the threats out there, the Department of Veterans Affairs created an identity theft education program to bring military personnel up to speed on what they need to know to stay safe.
The military is no stranger to breaches. Over the years there have been a number of incidents reported at bases around the country. Thieves have accessed databases of active duty personnel deployed in Europe, Iraq, and Afghanistan. There have been compromises of government contractors that do background checking for various military and government agencies.
The Identity Theft Resource Center recommends that military personnel take the following actions to protect their identities and their security clearances:
If you are in the military, there is only so much your employer can do to help you after your identity has been stolen and used. That’s why you need to be proactive in your defense, have a monitoring process in place, and know how to contain the damage if the worst happens.
Identity Theft’s Senior Moment
According to the AARP, statistics show that senior citizens are tasty targets for identity thieves. Perhaps more so than other age groups.
According to my colleague Brett Montgomery at IDT911, the Florida Times-Union reported that one reason seniors are so attractive to identity thieves is that many find checkbooks preferable to debit or credit cards, and, of course, online purchases are completely anathema to them.
So what’s this about back checks? The humble back check (your check cashed and canceled and returned with your monthly statement) is a cornucopia of personally identifiable information: name, address, bank address, account number, and routing number. This may not exactly be the Holy Grail for criminals who are looking to set themselves up to do fraudulent electronic wire transfers, but it’s pretty good.
The Times-Union article went on to warn that receiving a check can be a problem—one that many seniors may overlook. What can look like a refund or reward is actually a contract of sorts. Read the small print on the check, because it might tell you precisely what sort of misdeed is about to be done by cashing it. It could be the recipient is confirming their enrollment in some type of plan that automatically deducts money from their account each month, for just one example. Checks are not a one-way street when it comes to personally identifiable information.
Look at the back of a deposited check—one of your own—and you will see both the account number and routing number of the recipient—another clever way to gather personal information from an elderly mark.
Oftentimes scammers will contact seniors by phone. They will pose as someone calling from the government, a charity, a retailer, or law enforcement—all that can vary wildly—but one thing all these callers will have in common is that they will either ask for money or the types of personal information that put a senior in harm’s way—or, more often, they will ask for both. Simple advice: No senior—or anyone else, for that matter—should provide any information to anyone who calls looking for it. They should only authenticate themselves if they make the call and are in control of the conversation.
Another soft spot in a senior’s attackable surface is the frailty of old age itself. There have been a variety of scams perpetrated on seniors by their home healthcare providers. As an elderly person peacefully dozes off in their favorite chair, the fraudster can go rifling through files, combing through drawers, looking through the mail, and grabbing sensitive documents, checkbooks, or Social Security checks.
Not only should seniors or their families ask home healthcare agencies to confirm that they have thoroughly checked the backgrounds of anyone they send to their homes, children should consider convincing their elderly relatives to activate credit freezes whenever they put themselves under the constant care of another. That is particularly important when a senior goes into an assisted living facility.