Identity Theft and How to Avoid It
Quick Overview
Watch this video: http://www.youtube.com/watch?v=DNvpW5PjuxM
What is "identity theft"?
"Identity theft" or ID theft is the common name given to the practice of pretending to be someone else without their consent, usually for illegal purposes. The practice can range from unauthorized use of someone's credit card to completely assuming their identity, buying goods or obtaining credit in their name, and even giving the victim's name when arrested.
In spite of the fact that the Identity Theft & Assumption Deterrence Act of 1998 makes ID theft a federal crime, recent studies indicate that millions of people are victimized every year with damage in the billions of dollars. Businesses suffer the greatest losses, but consumers also lose countless dollars and hours trying to clear up the mess.
Note to businesses: the Texas Identity Theft Enforcement & Protection Act (2005) includes punishment for actions that expose others to risk. For example, employees at a Radio Shack store near Corpus Christi got in trouble for dumping sensitive customer records in the trash in April 2007. Similar laws may be in effect in other states. Businesses that collect or keep sensitive data should seek the advice of information system security professionals for how to ensure that the data are kept safe.
What you can do to avoid trouble:
- never give out your social security number, birthday, mother's maiden name, account numbers, passwords, PINs, or other private information to anyone who calls, e-mails, or otherwise contacts you. Legitimate businesses already know that information if you are a customer. If you are not a customer but want to be, you should contact the company.
- scams asking for your personal information are very common and are called "phishing." Usually coming by e-mail, they look like a legitimate message from your financial institution, but they aren't! Similar attacks can also come by visiting malicious web sites, regular mail, cell phone text messages, and telephone calls.
- even more dangerous are "spear phishing" attacks. Most ordinary phishing is sent out like spam, i.e., everyone gets the same message. With spear phishing, the thief directly attacks you, often using information learned about you from social network sites. Visit the Staying Safe on Social Networking Sites page for specific recommendations.
- attacks are often directed at college seniors and others looking for jobs. Be suspicious if personal information is requested before an interview. It is best to visit the company to ensure that it is legitimate before giving out any personal information. Checking the company on the Better Business Bureau site is also a good idea, but beware: e-mails and phone calls can appear to be from a legitimate business when they are not actually from that business!
- you can reduce your chances of stumbling across phishing web sites by sticking to the major well-known sites.
- it helps (if your browser supports it) to turn on phishing protection. In Internet Explorer 9, click Safety, SmartScreen filter (Tools, Phishing Filter in earlier versions). In Firefox 3.6, click Tools, Options, Security and check the applicable boxes.
- some scams take a more direct approach: messages that threaten to kill you if you don't pay up! There are many variations, but there is little need to worry--the sender probably isn't even in the U.S.
- related threat: "pharming." This term refers to one of several techniques to re-direct your attempt to log in to a legitimate site (particularly a bank or other financial institution) to a fake site that looks like the real thing but isn't! If you fall for the scam, your account, password, and possibly other information will be harvested and used to log into the real site under your name--and steal your money!
  - most commonly, these occur when your computer is infected with a virus that modifies your browser favorites to direct you to the fake site. See the web page Tips for Avoiding Computer Viruses and other Malware for the best prevention.
  - there have also been cases of DNS (domain name system) servers being infected, resulting in re-direction of everyone whose browser accesses that server (even though their computers are not infected).
  - Tip: if you aren't 100% sure whether the site you are entering is actually your financial institution, type in an incorrect account and password. If you are at a real site, it will tell you that your information is incorrect. If you are at a fake site, it will let you in (since it doesn't actually know your account and password).
- avoid giving out the above personal information under any circumstances, although some will obviously be required to establish credit cards, bank accounts, etc.
- shred documents containing the above personal information before throwing them in the trash. That particularly holds for bank statements and cleared checks: a thief only needs the numbers on the face of a check to access your account!
- avoid carrying your social security card or anything that has the number on it with you. Unfortunately, some businesses and government agencies use the SSNO for your account number, so this can be hard to do. More responsible organizations are shifting to non-SSNO ID numbers.
- your personal information may be collected from your computer without your knowledge if it is infected with spyware. Read Tips for Avoiding Computer Viruses and other Malware for the best prevention.
- never pay credit card bills without closely checking the charges. A common technique is to charge a small amount that can easily go unnoticed.
- when you receive your annual Social Security statement, make sure that all the wages reported are for jobs you know about!
- if you are denied credit, obtain a copy of the applicable credit
report ASAP (see below).
The report must be provided free if you have been denied credit.
- even if you are not denied credit, obtain a copy of your credit
reports occasionally (more often is better, of course).
- take steps to reduce the amount of spam
you receive, since many phishing messages are sent in mass volume like
spam.
- don't let regular mail sit in your mailbox, and consider getting a post office box or other locked mailbox. Some identities are stolen by opening and checking mail.
- sign up for the federal Do Not Call list at http://www.donotcall.gov and/or the equivalent state list for your state. The Texas signup is at http://www.texasnocall.com/ . Logic: if you get fewer calls, you are less likely to fall for a scam. And, if you do get a call while you are on the no call list, you know right away that it is suspicious.
- have the Direct Marketing Association remove you from its mailing lists.
- have the national credit reporting agencies block your account from providing information for pre-approved credit offers. You will still be able to get credit, but you will (eventually) stop receiving unsolicited offers for credit, which could be stolen from your mailbox. You can notify all of the agencies by filling in a form at one web site: https://www.optoutprescreen.com/
- keep at least two credit cards but use only one of them routinely. That way, if an ID thief maxes out your card, you have something else you can use while you get the mess straightened out.
- use credit cards, not debit cards, for most or all of your transactions. Two reasons: (1) if there is a dispute over the transaction, it is much easier to get your money back from a credit card transaction; and (2) if an ID thief steals your debit card, your checking account can be wiped out, thereby making all your checks bounce!
- be careful what information you post on Facebook and similar web sites, blogs, etc., and be careful in responding to people who contact you via those sites. There are predators who use these sites to find victims for identity theft and other (sometimes more serious) crimes. Visit the Staying Safe on Social Networking Sites page for specific recommendations.
- beware that you can be scammed even if it isn't your ID that has been stolen. An increasingly common approach is to hack into someone's Facebook, MySpace, e-mail, etc. to contact that person's friends and ask for money. One approach that works well is to take over the account of someone who travels a lot, then tell that person's friends (perhaps you!) that they are "stuck" in a foreign country and need money to get back home. So, before sending anyone money, make 100% sure who the person is!
- watch out for "compact" URLs (web addresses). For example, bit.ly/16StNc
leads to the Consumer Reports home page. While they are convenient for
saving space in Twitter posts and other short messages, criminals often
use them to redirect the reader to malicious sites.
- visit the SFA Information
Technology Security page, which lists current security
threats (including identity theft threats) and how to avoid them.
If you are a victim:
If you find an unauthorized charge or otherwise suspect ID theft, contact the affected financial institution(s) immediately. It's also a good idea to contact the three big credit reporting agencies and let them know you have been a target (see below). Update: the Fair and Accurate Credit Transactions Act (FACTA) of 2003 allows you to contact any one of the agencies, which must then contact the others for you. The act also allows a 90-day alert or a seven-year alert to be put on your records. If there is an alert on your records, financial institutions granting credit in your name must take reasonable steps to ensure that the credit is actually going to you and not to an imposter. A "freeze" as described in the next paragraph is even better protection but has some downsides. Note also that there is a procedure to get a FREE credit report once a year so you can make sure that no unauthorized accounts have been opened in your name (see below).
Important places to contact:
Credit reporting agencies. If you are denied credit, the agency providing the credit report must give you a copy for free. Otherwise you may have to pay a small fee. However, the FACTA requires all credit reporting agencies to provide a free report once a year. You can place a temporary "fraud alert" on your record if you suspect your identity has been compromised, thereby requiring anyone granting credit in your name to first contact you personally. For even more protection (but more inconvenience, if you need to apply for credit), you can place a non-expiring credit "freeze" on your record. Freezes must be placed separately with each credit reporting agency, and there is a small fee unless you can provide proof of being an ID theft victim. There is also a small fee for each agency to remove or temporarily "thaw" your credit report so you can get credit in your own name. The agencies are:
Consumers Union's Guide to State Security Freeze Laws: http://www.consumersunion.org/campaigns//learn_more/003484indiv.html . This
site has details on state laws allowing consumers to have a "freeze"
put on credit records, which prevent identity thieves from opening
accounts in the consumer's name.
Federal Trade Commission consumer help: 877-382-4357; ID Theft hotline: 877-438-4338
or www.ftc.gov/bcp/edu/microsites/idtheft/
Identity Theft Resource Center: www.idtheftcenter.org
Better Business Bureau (to check out a suspect business or
file a complaint): www.bbb.org
Note: our server is Unix-based, so all URLs are case sensitive.
Send comments and corrections concerning this page to:
wfisher@sfasu.edu
Last updated January 28, 2012