With the recent breach at Equifax which exposed personal information including social security numbers and addresses for 143 million people, identity theft is a daily concern for most of us. Did you know that every two seconds another person in the United States falls victim to identity fraud?
How do criminals gain access to your personal information?
There are a number of methods used, including hacking organizations that may be storing your information, but one of the most common strategies today includes sending spam e-mails directly to you requesting identifying information. Another common tactic is dumpster diving for pre-approved credit card applications from an individual’s discarded mail (make sure you are shredding all mail with sensitive personal information!). Criminals may even publicly steal information from you by shoulder surfing and watching you type in personal details into a terminal or eavesdropping on your telephone conversations.
Once criminals gain access to a victim’s personal information, they can then use the stolen identity to: Open new bank accounts, obtain loans, open new credit card accounts and make fraudulent purchases in person or online (and then not pay the bills). They have also been successful with larger expenses like renting apartments or purchasing vehicles, or setting up new services with cable tv, utilities, or phone companies.
What can you do to prevent identity theft?
Because most identity theft occurs with existing account that you created and own, one of the best strategies for protecting your information and safeguarding data online is to utilize secure passwords and two-step or multi-factor authentication (MFA). As defined by the PCI SSC website, MFA is a “method of authenticating a user whereby at least two factors are verified. These factors include something the user has (such as a mobile phone), something the user knows (such as a password, passphrase, or PIN) or something the user is or does (such as fingerprints, other forms of biometrics, etc.).” You should also choose all identity-verification questions and answers carefully; don’t use
information that is easily found on your social media accounts. Make it difficult for anyone else to access your account.
How do you know if you are a victim of identity theft?
Nearly 50% of fraudulent activity is discovered by the victims themselves by monitoring their own bank accounts and credit scores, so it is important for you to remain vigilant. Monitor your current accounts to make sure all charges were made by you. If you notice something suspicious, report the suspected fraud immediately; you can significantly reduce the time and cost it takes to recover if you are able to identify fraudulent charges right away. Set up alerts for new credit activity and check your credit report regularly.
If you suspect fraud on an account, notify the companies where fraud occurred immediately and explain that someone has stolen your identity. Ask them to close or freeze the accounts, so no new charges can be made. You should also change all logins and passwords to any related accounts. It is also recommended that you place a fraud alert with one of the three major credit bureaus so your identity must be identified before any new accounts can be opened. You may also want to notify the FTC and file a report with your local police department.
While some identity theft victims are able to resolve problems quickly, others can face countless hours of frustration trying to repair damage to their credit history. Victims spend an average of seven hours resolving problems associated with identity theft. The good news is that since banks and credit-card companies typically reimburse people for unauthorized account use, only 14% of victims lose money.
To repair any damage, you will want to close any new (fraudulent) accounts that have been opened in your name. Ask the business to send you a letter confirming that the fraudulent account isn’t yours, you aren’t liable for it, and to remove it from your credit report. Call the fraud department of each business from which bogus charges were made to your account and explain that your identity was stolen and ask for the fraudulent charges to be removed. It is important to always document who you spoke to at each organization, the date/time, and the actions that are supposed to take place. Once you have contacted all of your account holders, you can contact the three credit bureaus and ask them to remove any information related to fraudulent charges from your credit report based on the proof you have collected.
How can we apply this information within our organization?
As an organization, you are responsible for protecting all types of sensitive information (e.g. social security numbers, addresses, account numbers, credit card numbers, etc.). However, sometimes staff can become rushed and begin to circumvent procedures for shredding sensitive information, locking cabinets, logging out of applications, etc. How can you keep employees motivated and ensure they are following security procedures on an on-going basis? Everyone can relate to identity theft. Most of your employees have most likely identified a fraudulent charge made on their credit card or received a letter
notifying them that an account had been breached. Ask them to put themselves in the shoes of the consumers whose information they are now responsible for protecting. This can help them realize the importance of safeguarding this information like it was their own.
Some additional guidance from our Security Advisor team below:
[Campbell]: In today’s world of seemingly daily, or at least weekly, breach announcements, you might want to take advantage of the ability to proactively “freeze” your entire credit profile with each of the three major agencies: Equifax, Experian, and TransUnion. There is also a smaller, fourth agency: Innovis. A “freeze” means that nobody (including you) can run a credit check, and most lenders will not extend new credit without knowing how to rate the risk of extending new credit, thus foiling any would-be identity thieves.
Please note that while this can protect against the most serious events, like buying a car with your credit, it doesn’t prevent all forms of identity theft. In most states, unless you already have proof of identity theft, there is a modest charge to place a freeze. $5 per agency is a common value. Each time you need to “unfreeze” and “refreeze,” such as when you legitimately need to request a new loan, you will have to pay the same fees for each step. Finally, having freezes in place does NOT prevent you from requesting your free annual credit report, which I also strongly encourage.
For more details about the freeze process, and clear instructions on how to request freezes, the US Public Interest Research Group (US-PIRG) has an excellent guide.