As a member of the Association of Certified Fraud Examiners I receive a magazine called, appropriately, Fraud Magazine. In the most recent issue there was an article* about the latest identity theft crimes. I read about W-2 spear phishing that gives a criminal access to someone’s W-2 and other personally identifiable information (PII). The criminal then uses the information to file a tax return in the victim’s name for a refund. Another very recent ploy is using that same PII to hijack a person’s smartphone. I am always amazed and appalled at schemes criminals come up with to take what isn’t theirs.
A few days later I was at lunch with some friends. We were catching up on events in our lives when one mentioned a letter that arrived from the IRS. The letter was inquiring about a recent tax return that had been filed in their names. It pointed out that this most recent filing was very different from the ones that they had filed in the past. It asked them to contact the IRS immediately. Someone had accessed their PII and used it to file a fraudulent tax return seeking a refund. Unfortunately, this scheme must happen frequently enough that the IRS now looks for anomalies in tax returns between filing years.
Then they brought up another event. One of their smartphones stopped working, so they called the company to report the issue. The representative mentioned that he could see where they had recently upgraded their phones and changed their address. This was a red flag, and they paid a visit to the nearest provider’s store. After having their identities verified, that representative revealed that one phone had been compromised and its SIM card deactivated. A second phone had been purchased and was being mailed to an address in a different city. Fortunately, the SIM card for the second phone had not been activated yet. The phones had been purchased at an authorized third-party dealer.
The good news is that neither of these instances created long-term problems for my friends. There were still the hassles of dealing with the IRS and the phone provider, but in the end no one but the third-party dealer and the Federal government lost any money. The problem is that there have been so many data breaches that it is likely that all of us have our PII exposed somewhere and are vulnerable to attacks like these.
The website breachlevelindex.com tracks known data breaches worldwide. There were 4,023 known data breaches in the United States from 2015 through 2017. Those breaches revealed data for 2.8 billion accounts. Since there are roughly 330 million people in the United States, assume that everyone’s PII has been revealed and is floating in a sea of data that fraudsters fish in.
If all of us have had our PII released, there are certain defenses we can take, especially regarding phone hijacking. If any of these three occur, contact your phone provider immediately:
- Your phone stops working
- You did not order a new phone but your phone bill includes charges for one
- Your provider sends you a “changed password” message and you did not change it
In our cyber-world it seems acceptable that our personally identifiable information will be available to criminals, so we must maintain stout defenses. It is crucial to use strong passwords and use different ones for different websites. Reviewing bills and messages from vendors should be taken seriously and handled on a timely basis. Use two-factor authentication whenever it is available. You may never know which breach is the one that revealed your PII or if a fraudster may choose yours, but staying vigilant is your best defense.
*Thanks to Dr Robert Holtfreter and the Association of Certified Fraud Examiners of Austin, Texas. Taking Back the ID, July-August 2018, Fraud Magazine.
If you have been a victim of fraud let me know if you are willing to discuss it with me. It would be helpful to others to hear about real life examples of fraud, loss and recovery.
Let me know what you think...