While there is often an uptick in identity theft incidents during the holidays, identity theft can strike anyone at any time. Even hardened security professionals.
“I had a bad year, personally, as did a lot of folks” says 38North Director of Cloud Application Security Spence Witten. “First we had the DC Health Link breach. This one was particularly painful for lots of families, because young children got caught up in it as well. But I also had a spate of one offs, including the use of my identity to open accounts at a major cell service provider. It was a huge pain, not least because this well-known cellphone provider’s fraud department was especially difficult to deal with. So yeah, it was a rough year for me, identity-theft wise.”
Spence is not alone. 38North noted a substantial increase in identity theft attacks targeting employees this year. “Not long after I received notice of the DC Health Link breach, I discovered that more than 10 bank accounts had been opened in my name,” says another 38North employee, who wishes to remain anonymous. “The credit reporting agencies are responsive, and I’ve completed all the necessary steps to mitigate any damage. I fully intend to routinely track activity across several credit reporting agencies, and I’m grateful to work with knowledgeable cybersecurity experts who provide expert advice.”
But even our cloud security experts had a hard time navigating the modern world of ID theft protection. “Even as a long-time cyber pro, I honestly haven’t spent that much time thinking about identity theft,” says Spence. “Sure, I help large corporations secure cloud systems against breaches. But securing my own personally identifiable information (PII) is just not something I’ve spent a lot of time on. Until this year.”
Just as our colleagues have done, it’s time to up your game against identity theft with the preventive measures outlined in this article.
Freeze Your Credit, but Understand That’s Not Perfect
As a first step, you can take advantage of credit and identity monitoring protection services available through reputable credit reporting agencies. To prevent crooks from opening credit cards in your name, perform the following steps for each of these agencies, Equifax, Experian, and TransUnion.
- Create an online account. For most people, creating an account online will be more efficient than establishing the account by talking to a customer service representative.
- Freeze your credit. Click the freeze button found on the website for each agency. While the freeze is in place, you or others are restricted from opening a new credit account. If you need to apply for new credit, you can temporarily lift the credit freeze.
- Activate a fraud alert. This legally obligates a business to contact you and verify your identity before it issues new credit in your name. The alert prevents a loan from being created in your name without your knowledge. Typically, a fraud alert lasts one year at which point it can be renewed. Under certain circumstances they can last longer.
Note: Active-duty service members are eligible for free electronic credit monitoring.
“The bureaus have made this process relatively painless,” says Spence. “Everyone should probably freeze their credit, lifting the freeze only as needed. Please note that it’s not perfect though. I was supremely annoyed to learn that my cellphone provider only does a “soft check,” rather than a hard pull, when opening new accounts. Soft checks are not blocked by a freeze. Thus, my freeze did nothing to protect me from having three fraudulent accounts, with financed equipment purchases, opened in my name.”
The solution? Putting a fraud alert in place. “My cellphone company told me that a fraud alert would have prevented at least the equipment financing. I’m skeptical, because again they only run a soft check, but I’ve since added fraud alerts at the bureaus. Most folks should do the same.”
Guard Against Fraudulent Bank Accounts.
Just as you can freeze your credit, you can also freeze bank account creation, at least in the US. Create an account with ChexSystems.com, a nationwide specialty consumer reporting agency, and freeze your account. This blocks people from opening bank accounts in your name.
“I have to admit, when I first got on to chexsystems.com, I thought it was a scam,” notes an anonymous 38North employee. “It’s got a spammy feel to it. But it’s legit, and can help prevent the opening of fraudulent bank accounts in your name.”
Credit Report Monitoring
Once your credit and bank account situation is locked down, it’s important to regularly monitor your credit report to catch any malicious activity.
“I’ve been a part of so many breaches, starting with the Office of Personnel Management hit, that I’ve essentially got a lifetime of free monitoring from various services,” says another 38North employee. “I had a bad attitude about credit monitoring at first, But honestly this has been really helpful and has caught a few things that I probably wouldn’t have seen.”
If you do not have credit monitoring, don’t necessarily rush out and pay for a service. AnnualCreditReport.com is authorized by the US Government to issue you at least one free report for each of the bureaus, annually. Just be careful, as there many scam sites that masquerade as AnnualCreditReport.com, and sites that try to get you to pay for a free service. For more details, see this USA.gov site.
You’re a Victim of Identity Theft. Now What?
If you learn that you are the victim of identity theft, take immediate action to minimize harm. Having followed the best practices outlined in this article, the stage is set for your swift response.
- File an identity theft report with the Federal Trade Commission (FTC) at ReportFraud.ftc.gov. This online process requires making a sworn statement that you were in fact a victim. We recommend doing this as a first step after identifying fraud, because many of the subsequent phases will go smoother if you have already completed it. It takes about ten minutes and, at least by government standards, has decent, easy to follow online forms. Note: this account expires in a few weeks if you do not regularly access it, so make sure to export your report.
- Contact the account / credit issuer (e.g., financial institution) where the account was opened and inform them that it is fraudulent. Let them know that you already filed the FTC report. They may have a special process they need you to follow, so be prepared to jump through some hoops.
- Call the credit reporting agencies and dispute the fraudulent activity. Don’t trust the credit / account issuer to do this for you. Unfortunately, you will have to contact each one. Make it clear you did not open the credit cards or bank accounts and that you expect them to be expunged from your record. Having the FTC statement in hand will help here, as will having already reported the fraud to the organization where the account was opened.
- Consider filing a police report. Some organizations will require that you file a formal report with your local police force. This can be time consuming, so we recommend this step only if the credit / account issuer won’t accept the FTC statement as evidence of a sworn statement.
- Consider a Declaration Statement: Some attorneys recommend filing a personal declaration statement, itemizing the actions you’ve taken in response to the identity theft. Date this letter and seal it, or even consider mailing it to yourself for a formal date stamp. This can help prevent less scrupulous account / credit issuers from arguing that you did not adequately report the identity theft or take steps to protect yourself.
Never Forget: It’s Not Your Fault
ID theft is never your fault. “Look I didn’t ask to be swept up in DC Health Links, or Equifax, or OPM or any of the other countless major breaches I’ve been involved in,” says Spence Witten. “There is literally 1000% nothing that I could do, as an individual, to stop those. Not even having my credit frozen protected me from having fraudulent cellphone accounts opened. But there are tools to help you fight back, when the inevitable strikes.”
Featured image: Toptal
