IDENTITY THEFT -- ARE YOU THE ONLY YOU?

By William R. Henry, Jr.
The CIMA Companies, Inc.

If an "identity thief" can pose as Tiger Woods, he can pose as you, which would make you one of the estimated 400,000 people a year who are victim to this fast-growing criminal enterprise. In just the past year, financial institutions have reported an increase of over 50% in identity thefts, according to the U.S. Treasury Financial Crimes Enforcement Network. Only 3 people in 1,000 will be robbed with a gun this year, but 130 in 1,000 will have their identities stolen for the purpose of fraud.

The biggest risk is not financial loss, although that can be substantial if you don't notice the drain from your bank account(s) for a while. A bigger risk is that the other "you" can ruin your credit; maybe even file for bankruptcy in your name. Someone who couldn't withstand a criminal background check for employment purposes might do fine, pairing your identity with his address. Once that's done, criminal history could become criminal present.

At a minimum, you'll have to straighten out one of the biggest messes you'll ever face if your Social Security number, bank account number, credit cards, or other financial information gets into the wrong hands. The Privacy Rights Clearinghouse (www.privacyrights.org) estimates that the average victim of identity theft spends 175 hours contacting financial institutions, credit bureaus, the department of motor vehicles and others to report the theft and curtail the fraudulent use of their identities for financial gain. Your legal limit of liability for unauthorized charges on your credit card is only $50 (the Truth in Lending Act, 15 U.S. Code 1643), but the time you will spend if the card is stolen and used by someone else is worth far more. You'll have to invest all that time quickly, too, to have a chance to stop fraudulent use before it starts or gets too far.

At this point, although more resources are available to consumers than was the case one or two years ago, you still are largely on your own to clear your name. And after it's over, you probably won't even know who was "you." They will have moved on by then.

You might want to share the information in this article with your employees, so they won't be victims themselves (and need 175 hours to recover from the experience.) There is a fair amount to do, but it's worth it if it helps make sure, as the song goes, there will never be another "you."

Prevention

Your problem begins when the thief obtains any of a variety of private information about you -- either directly from you or through a dishonest intermediary (such as a store clerk). Here are some of the things you can do to make that job much harder.

First, copy this article, including the Resources, so you won't have to remember later what to do or who to call.

"What's in your wallet?" as they ask in the Capital One commercial. Take a look. The more personal information you have in there, the more of a head start you will give to a thief if your wallet is stolen.

• If your driver's license number is the same as your Social Security number, go to the Department of Motor Vehicles and get the number changed. Never carry anything with your Social Security number on it in your wallet. Leave your Social Security card itself in a safe place
• Don't carry more than one or two credit cards at a time. Keep the others in a safe place.
• Don't carry receipts that have an account number on them.
• Never have a Personal Identification Number (PIN) for an ATM card, debit card, phone card, etc. in your billfold. You just have to remember those numbers. (More about PINs later in this article.)
• Photocopy your health insurance card, black out the identification number (which often is your Social Security number), and carry the photocopy instead of the actual card. You can simply give the medical provider your ID number if the need arises.

Once you are down to the bare essentials to carry in your wallet, lay the contents all out together on a photocopier. Copy both sides of everything.

Next, pull out recent financial statements -- bank, credit cards, phone company, utilities, and anywhere else you have an account -- and copy your account numbers and the phone numbers of those companies. (For your credit card accounts, copy the number for "billing inquiries.")

Next, go to www.consumer.gov/idtheft. This Federal Trade Commission site has an "ID Theft Affidavit" that is accepted by a number of financial institutions, companies that extend credit to their customers, and credit reporting bureaus. Print out a copy, including the "Fraudulent Account Statement."

Put all those things in a place where only you and those you trust will know how to find them. Consider putting a copy in your safe deposit box. (Not the original, because your bank might be closed when you lose your wallet.)

If your wallet is lost or stolen, you have all the phone numbers and account numbers you need, and are ready to start the calls that can stop the fraud.

Now, let's look at how to protect yourself day-to-day.

Your Social Security Number -- Every time you are asked for the number, ask why, and keep going up the chain of command until you get a plausible explanation (and, ideally, an alternative to providing your number). One good question to ask: "What law requires me to give you my Social Security number?" Remember, anyone who has your number can impersonate you. That includes any employee working at a financial institution, doctor's office, pharmacy, retail establishment, or anywhere else you provide your number.

Don't let merchants write your Social Security number (or a credit card number) on your checks.

Annually, get your Social Security Earnings and Benefits Statement, to make sure no one but you is using your number. (See Resources for contact information you will need to follow all the guidance in this article.)

As mentioned earlier, if your driver's license number and Social Security number are the same, get a new license number. The National Insurance Crime Bureau reports an increasing number of frauds that play out like this: Identity thieves contact the department of motor vehicles, posing as someone else whose license plate number they know. They report a change of address. New registration cards are sent to the "new" address -- cards that include the driver's license number, which often is the same as the Social Security number. Now the thief has your Social Security number -- the keys to your financial world.

If you have a good driving record, identity thieves also can get auto insurance at favorable rates. At that point, possibilities of bogus claims, such as staged "accidents" or even claims for accidents that never happened, stretch to the horizon. Your insurance claims history could be one more casualty of identity theft.

Your credit -- Never give a credit card number on the phone unless you initiated the call and are sure who you are talking to.

Review each credit card statement carefully to make sure all those purchases were yours. (Same with your phone bill.)

Every year or 18 months, get a credit report from each of the credit reporting bureaus listed in the Resources, to make sure no one else is pretending to be you and getting away with it or making inquiries about you under false pretenses. The reports cost $8 each. The Federal Trade Commission estimates that a year goes by before the average identity-theft victim even discovers he or she has a problem. Recently, the Supreme Court ruled that victims of identity theft have only two years to file suit against credit reporting bureaus that disclose their credit histories that include false information. The two years begins when the credit bureau discloses the report.

See Cure on what to do if your credit report shows unauthorized charges, accounts you did not open, or bogus inquiries.

When you complete a credit application, ask (and keep going up the chain of command until you get a plausible answer) how the company safeguards confidential information. Federal privacy legislation enacted in recent years is designed to prevent unauthorized sharing of "nonpublic personal information," but many privacy advocates complain that the legislation has too many loopholes.

Keep or shred credit card receipts. Don't just throw them into the trash.

Pay with cash at restaurants, instead of providing a credit card number that can be stolen (and perhaps sold, or even put into an Internet database of stolen numbers).

Never use a credit card to prove your identity. Again, you are showing the number to someone who might misuse it.

Your mail -- Deposit outgoing mail only in a Postal Service box (not in your own mailbox for the carrier to pick up). Otherwise, it can be intercepted. This can be particularly bad if you have checks, and the "return this portion" part of your bills in the outgoing mail. Consider picking your mail up at the post office, too, instead of having it delivered. There is a tradeoff between convenience and security.

When you receive unsolicited applications for credit or loans, don't just throw them away. Tear them into small pieces or shred them. Otherwise, someone could complete them and just provide a different address. You would never know there was another "you" until you got a bad report later because of all "your" bad checks.

If you really want too reduce the number of unsolicited applications, and therefore reduce the scope of this risk exposure, contact the numbers shown in Resources, to have your name removed from direct-marketing mailing lists.

Merchants have no legitimate reason to ask for your address unless they are mailing you something.

If you do not receive bills on time, call and inquire to make sure they were not intercepted by someone who wants to provide a change of address to the vendor and pretend to be you.

When you order new checks, arrange to pick them up at the bank instead of having them mailed to you.

Your bank accounts, passwords, and account numbers -- When your bank statement arrives, reconcile it as soon as you can. Although banks have some responsibility if they cash forged checks, it is the consumer's responsibility to review cancelled checks so that forgeries can be identified.

Never use part of your Social Security number as a password or PIN. If the thieves have your Social Security number, you've made it easier to access your bank account. Don't use your birthday, your children's names or their birthdays, or your mother's maiden name, either. Use something that exists only in your own mind -- something quirky -- to help you remember it.

Ask the bank to add an additional code to your account passwords -- a number or word you provide that makes it that much more difficult to access your account without authority.

When you use an ATM, shield the keypad with your body to foil "shoulder surfers" who might be watching (even a hundred yards away, with binoculars).

Your company information -- Review how you protect "nonpublic personal information" on your customers, employees, and others, and how you dispose of it. Remember that "dumpster diving" is still one of the most popular and effective ways for thieves to get this information.

Other -- Never leave personal information visible in your home where a delivery person, contractor or burglar can spot it easily.

Cure

If you lose your wallet or know or suspect that someone else is using your personal financial information for fraudulent purposes:

Retrieve the information that you stored in a safe place (see Prevention).

Complete the ID Theft Affidavit you downloaded from www.consumer.gov/idtheft.

If you haven't done so already, make several copies of the "Fraudulent Account Statement" that accompanies the affidavit. You will need one copy of the Fraudulent Account Statement for each creditor or bank you are going to contact because you will provide each recipient only the information that pertains to that account. More about that step in a moment.

Next, contact your local police department. Ask them to take a report and either give you a copy of the report or its number. Get the name of the officer you talk to. The police report is necessary to demonstrate to credit reporting bureaus and financial institutions that you exercised due diligence to prevent fraud. Give the police department a copy of your completed theft affidavit.

Next, call the three credit reporting bureaus listed in Resources to place a "fraud alert" on your name and Social Security number. Then follow up in writing. The bureaus have slightly different procedures, which you can review on their Web sites before you contact them. But your main message, both on the phone and in writing, should be: "My identification may be used to apply for credit fraudulently. Contact me by phone (give them your number) to verify all applications." Order credit reports from the bureaus when you call (they must provide them free if you have been a victim of identity theft and make your request in writing).

You can obtain the reports online. If you have them sent by mail, there is more to do while you are waiting.

• Call your existing credit card issuers (using the "billing inquiries" number), tell them what happened, and arrange for them to issue you new cards and account numbers. Tell them to process your old accounts as "closed at consumer's request" (not as lost or stolen, because you might not know for sure which was the case). This will prevent identity thieves from calling the issuers and changing "your" address. Ask them what documentation, such as the police report and/or the Federal Trade Commission's ID Theft Affidavit, they require at this stage. (Requirements might differ, depending on whether there is evidence at this point that someone else has used your card.) Follow up the calls in writing, with whatever documentation is required.
• Call your bank, and ask for the security department or anti-fraud department. (Make sure you are in the right department before going on.) Tell them what happened. Ask if they accept the FTC's ID Theft Affidavit, and ask what other documentation they require. Cancel your checking and savings accounts, and destroy all blank checks from your old checking account. Cancel your ATM card. (Note: The Electronic Funds Transfer Act limits your loss to $50, if you report a lost or stolen ATM card within two business days.) Open new accounts with new account numbers and passwords.
• Contact anyone you have written checks to who might not have cashed them yet, explain the situation, and arrange another way or another time to pay.

Back to your credit reports, which you are receiving either online or by mail:

• When you receive your reports from each of the three credit bureaus, look for accounts you did not open (in the "inquiries" section), or unauthorized charges to accounts you did open.
• Check with your family members or others who are authorized to use your accounts, about any unfamiliar accounts or charges. Look closely at the "inquiries" to see if they include contacts by anyone impersonating a creditor, landlord, mortgage loan officer, prospective employer, etc.

If you believe that fraud has occurred, do the following:

• Contact the police officer who took your initial report, and ask him or her to add whatever new facts you have. At this point, arrange to get a copy, whether or not you got a copy initially.
• Send the affidavit and Fraudulent Account Statement to each creditor, bank, or company that provided the thief with unauthorized credit, good, or services. The Fraudulent Account Statement should include only the information pertaining to the company where you are sending it. Send them by certified mail, return receipt requested. Take this step now to close the window of opportunity for anyone to use your stolen identity.
• Next, write to each of the three credit bureaus to report the fraudulent information (certified mail, return receipt requested). Describe the problem in a letter, referencing specific sections of the credit report, and attach a copy of the report with those sections circled. Include copies (not originals) of any supporting documentation and a copy of the ID Theft Affidavit.

The credit bureaus also have certain obligations under the Fair Credit Reporting Act, as independent agencies providing information to potential creditors, to help you. As mentioned, they must give you a free report if you believe fraud has occurred and you make your request in writing. Also, they must remove any "inquiries" resulting from fraudulent use of your identity and correct anything else that is in error, at no charge. If you challenge something in your credit report, the bureau must contact the provider of that information. The provider is obligated to investigate and report its findings to all the credit bureaus it reports to. The credit bureau must give you the results of that investigation in writing. If there was a change in your report as a result of the investigation, they must give you a new report free. At your request, the credit bureau must send a copy of your corrected report to anyone who obtained your report in the past six months (or the past two years, in the case of employment applications.)

If the credit bureau cannot prove that certain information in your credit report belongs there, they must remove it. If a dispute cannot be resolved, your statement about the dispute must be included in your file and in future reports. The providers of the disputed information also must include your statement in any report they provide to any credit bureau in the future, if you so request in writing. (See Resources for more information available from the Federal Trade Commission about credit laws. Note: Credit bureaus, creditors and consumers all have certain obligations under the law; one is that reporting be done quickly. You might lose your rights under the law if you delay reporting incidents of fraud.)

Avoid companies that offer to "repair your credit" for you. If you want it done right, do it yourself.

• Report the incident to the Federal Trade Commission identity-theft hotline.
• Alert the phone company and utility companies that someone might try to open a new account in your name. Again, the drill is the same: phone call followed up in writing.
• Keep copies of all correspondence or e-mails, and notes on every conversation, including the date and the person you spoke to. Ask for verification that correspondence was received. Certified mail, return receipt requested, is the surest verification, but you might not need to go that far in all cases. You might get confirmation by e-mail, for example. Keep those e-mails.

Contact information for the following agencies is included in Resources:

• If your Social Security number has been stolen, contact the Social Security Administration. (Note: In most cases, it is not going to be necessary or desirable to change your number just because someone has used it fraudulently. For one thing, changing your number would mean attempting to have records of both identities in your credit report, or starting a new credit history from scratch.)
• If you suspect your mail has been stolen, contact the U.S. Postal Inspection Service.
• If identity fraud has been perpetrated via the Internet, contact the Justice Department's Internet Fraud Complaint Center.

Some insurance companies offer products designed to provide some assistance for victims of identity theft, but it is a much better risk management strategy to apply all the prevention tactics mentioned in this article.

Privacy Rights Clearinghouse (www.privacyrights.org) -- You will find extensive helpful information on preventing identity theft (and on keeping telemarketers away) and links to other resources. There is a good quiz, "Are You At Risk For Identity Theft" at www.privacyrights.org/itrc-quiz1.htm.

Federal Trade Commission -- The toll-free identity theft hotline number is 1.877.IDTHEFT (1.877.438.4338) or www.consumer.gov/idtheft. There are about 1,500 calls a week to the hotline. For information on credit laws, call 202.326.2222.

Credit reporting bureaus

Equifax -- Report fraud at 800.525.6285, or Box 740250, Atlanta GA 30374. Obtain a copy of your credit report at 800.685.1111, or Box 740241, Atlanta GA 30374 or www.equifax.com ($8 for most states).

Experian -- Report fraud at 888.EXPERIAN (888.397.3742), or Box 1017, Allen TX 75013. Obtain a copy of your credit report at 888.EXPERIAN or Box 2104, Allen TX 75013 or www.experian.com/consumer ($8 for most states).

Transunion -- Report fraud at 800.680.7289, or 888.4213, or Box 6790, Fullerton CA 92634. Obtain a copy of your credit report at 800.888.4213 or Box 390, Springfield PA 19064 or www.tuc.com ($8 for most states).

Consumer Credit Counseling Service -- 800.388.2227. They can advise you on removing fraudulent claims from your credit report.

To opt out of "preapproved" credit card offers and other offers -- 888.5.OPTOUT (888.567.8688). All three major credit bureaus use this service. Opting out will remove your name from the lists that the major credit bureaus sell to direct marketers, but will not remove you from other lists that marketers might buy.

If you believe your mail has been stolen, contact the U.S. Postal Inspection Service (www.usps.gov/websites/depart/inspect or www.usps.com/postalinspectors).

Social Security Administration -- If your Social Security Number has been used fraudulently, report it at 800.269.0271, 800.772.1213 or www.oig.hotline@ssa.gov. Order your Earnings and Benefits Statement at 800.772.1213. Other good resources are at www.ssa.gov/pubs.

If checks have been stolen, contact the following major check verification companies:

Check Rite -- 800.766.2748
Equifax-Telecredit -- 800.437.5120
NPC -- 800.526.5380
Tele-Check -- 800.366.2425
Chex Systems -- 800.328.5121.

If you believe an identity thief has tampered with your securities investments or a brokerage account, contact your broker or account manager and the Securities and Exchange Commission: Office of Investor Education and Assistance, 450 5th St. NW, Washington DC 20549-0213; 202.942.7040; www.sec.gov/complaint.shtml.

To have fraudulent long-distance charges deleted from your phone bill, contact your telephone provider, or the Federal Communication Commission at 888.CALLFCC (888.225.5322.)

If someone has used your identity for tax purposes, contact the Internal Revenue Service Criminal Investigation Unit at 800.829.0433; www.treas.gov/irs/ci.

If someone has filed for personal bankruptcy in your name, contact the Bankruptcy Administration, listed in the U.S. Government, Department of Justice listings in your blue pages, or go to www.usdoj.gov/ust to identify the U.S. Trustee for the city where the bankruptcy was filed. Contact that trustee, and also the FBI office in the city where the bankruptcy was filed.

If identity fraud was perpetrated on the Internet, contact the Internet Fraud Complaint Center (www.ifccfbi.gov). The site includes useful tips on prevention, as well.

To remove your name from mail and phone direct marketing lists (Note: You will need to repeat your request about every year for it to remain in effect):

Mail Preference Service, Direct Marketing Association, Box 9008, Farmingdale NY 11735-9008. Include your name and complete home address.

Telephone Preference Service, Direct Marketing Association, Box 9014, Farmingdale NY 11735-9014.

To remove up to three e-mail addresses from direct marketers lists, go to www.the-dma.org/consumers/optoutform_emps.shtml.

The Direct Marketing Association also offers premium services, for a subscription fee, that will scrub your name from lists more frequently than you can have done with the free (written request) or nominal fee (online request) options. For more information, go to www.the-dma.org/consumers/dmasponsorship.html.

Also, some credit card issuers make it a selling point that they will not provide information about you to telemarketers.

Current federal law also requires that companies who call you remove your number from their database at your request. You can make that request when the call comes in.

Information on how to protect your bank accounts is available from the Federal Deposit Insurance Corporation (www.fdic.gov/consumers) and the Office of the Controller of the Currency (www.occ.treas.gov/customer.htm).

More privacy resources (CIMA has no relationship with these providers; this list does not imply any endorsement):

The Privacy Network (www.privacy.net) has a number of resources, including call-screening and blocking devices, and a good section of links to other resources.

www.privacyguard.com offers subscription services you might find useful if you need to access your credit report very frequently.

If your credit cards are stolen, www.nationalcardregistry.com will, for a fee, provide a central repository for all your credit card account information, and help with the legwork described in this article.

www.junkbusters.com offers a variety of services to enforce your "right to be let alone."

Electronic Privacy Information Center (www.epic.org/privacy) offers resources on topics ranging from biometric technologies (e.g., "face recognition" for identity verification) to cryptography and legislative proposals for national "identity cards."

To simply bother telemarketers when they call, the "Tele-tormenting" section on www.antitelemarketer.com has some good come-backs for the telemarketers' opening lines.

 

William Henry is director of communication for The CIMA Companies, Inc., an independently owned insurance broker and risk management firm with offices in Alexandria, VA; Baltimore, MD, and Atlanta, GA. More information is available at www.cimaworld.com. William Henry can be contacted at bhenry@cimaworld.com.