Preventing Identity Theft in Your Business
Page 3
A pervasive observation noted from working with identity theft victims is that, regardless of gender, age, or race, the psychological effects are experienced as a continuum of emotions similar to those suffered by victims of other forms of abuse.
Continuum of Psychological Effects
When victims learn of the identity theft, they have no way of knowing the extent of their potential financial losses and other consequences. They are aware only that some criminal, somewhere, has assumed their person and their resources. The initial response is shock: “This can’t be happening to me; it only happens to others” is a commonly reported sentiment. Some victims fear that the criminal may cause physical harm, as well, either to them or to a family member, and many victims panic when they realize the potential scope of financial losses and the range of possible future consequences caused by the unknown predator. Initially, the victims do not know how many or which bank accounts—checking, savings, retirement—have been accessed or the amount of the financial loss, or how many and what kinds of credit cards have been obtained, retail accounts opened, or other fraudulent transactions that may be under way or already completed.
These uncertainties, together with the realization that little or no recourse is available for the recovery of the financial losses, evoke in victims a sense of helplessness over their situations and a lack of control over how to stop or further prevent the crime. Without exception, victims soon become frustrated when they attempt to file fraud alerts with the credit reporting agencies and are able to reach only an automated machine or, worse yet, when they are able to reach a customer service agent, they find that employee to be negative, insensitive, and sometimes even argumentative, perhaps due to the employee’s own frustrations from dealing with overburdened identity caseloads. And frustration unresolved turns to depression and anger.
The intensity and gravity of these psychological effects on victims depends on the individuals’ personalities as well as on the relative amount of financial losses and other specifics of their personal situations. For example, in the case of a recently retired couple whose retirement savings had been wiped out, the husband became severely clinically depressed, and the wife, through a power of attorney authorization, was left to deal with the myriad consequences of the theft.
In another example, a single mother working to support herself and her young child was arrested on a warrant for a traffic citation she did not receive. Upon appearing in court to contest the charge, the victim was nonetheless fined and lost her driver’s license. When two subsequent warrants were served for other crimes she also did not commit, the victim lost her job and was about to be evicted from her apartment. Working with the chief judge of the district, the secretary of state, and other government officials, the MSU Identity Theft Crime Lab victim advocates helped clear the victim of the fraudulent charges. Doing so, however, consumed over 100 hours of time and cost the victim an estimated $5,000 in out-of-pocket expenses in addition to her emotional duress. (Note, however, neither the Michigan State University-Business Partnerships in Prevention nor the ID Theft Crime and Research Lab—outreach initiatives established in 1999 by the author—charges victims for assisting them.)
These examples are only two of many that serve to illustrate the range and depth of emotions experienced by some victims, whose problems can go on indefinitely.
Reconciling and clearing credit histories and accounts where fraudulent charges have been made are time-consuming activities that can take days, weeks, or months; sometimes the situation is insoluble. For some victims, the resulting frustration leads to anger and despair as they repeatedly must prove to credit agencies and businesses that they are not the offender.
Over time, most victims reach a point of acceptance—that a crime has been committed; it could happen again even though preventive measures have been taken to protect the future flow of personal information. The feelings of acceptance come, however, only in the last stage of a sometimes difficult and lengthy process of recovery. The continuum of emotions, ranging from shock to panic, fear, helplessness, and lack of control, even depression and anger, and to eventually acceptance, cannot be traversed overnight.
Experience working with executives from a major U.S. automaker whose identities were stolen by a contract worker on her last day of work revealed that people whose job tasks involve day-to-day problem solving and trouble-shooting recover sooner than do some others, such as those whose job tasks or daily life experiences are relatively more routine.1 These executives, perhaps because of their problem-solving skills and experiences, were able to quickly clear credit records and resolve related problems. They did not suffer the emotional consequences as intensively as do many other victims. Nonetheless, regardless of person, personality, or position, the recovery process, unlike the specific experience of victimization, is the same for all victims.
The process of healing begins when victims become involved in doing whatever they can do themselves to control their own situations. Victims’ feelings of helplessness are replaced with feelings of control once they first report the crime to the police, then go through the sometimes many steps to file fraud alerts with each of the credit reporting agencies—Experian, Equifax, and TransUnion—work with retail accounts and other businesses to clear credit records, place passwords on banking and other financial institution accounts, and take other precautions to prevent further victimization.
A victim’s personal involvement is a positive step and important factor that serves as a catharsis for recovery through the emotionally charged stages of shock, panic, fear, helplessness, frustration, and anger to, finally, acceptance. Unfortunately, accepting that a crime has been committed does not mean that all effects of the crime have been resolved.
Other Effects on Victims
In addition to the continuum of common emotions, victims of identity theft and identity crime also suffer from other short- and long-term effects, such as the loss of productivity at work and at home. Time usually spent at work or with families and friends and on routine activities is now consumed with telephone calls, letters to creditors, and personal meetings to clear fraudulent accounts or criminal records. Depending on the complexity of the crime—the length of time the stolen identity was used, the number of identity crimes that were committed, and the number of states or countries involved in the identity network—the lost productivity at work and home and the time to recovery can be hours, weeks, or even months.
Further, even before reports that most identities are stolen in the workplace,2 victims seen at the MSU Identity Theft Crime Lab reported distrust of coworkers whom they suspected of being the predators. This distrust reportedly extends to various degrees of paranoia and even isolation from others at work—not very conducive for high job performance or for a healthy work environment.
At home, victims go to greater or lesser extents to restore and protect their privacy. Some measures are removing names from telephone directories and screening phone calls, sometimes after installing expensive but sophisticated technology; canceling credit cards and retail accounts, thereafter using only cash; and closing accounts and changing banks. One victim dropped her first name altogether and went to the time and trouble of replacing her first name with her middle name on all personal and work documents and records.
Victims frequently report strained relationships with spouses and family members due to the concentrated focus of attention on the financial problems resulting from the identity thefts, the unrelenting stress due to the disruptions at work, and the difficulties encountered in trying to resolve the identity crimes. There are, therefore, many consequences for victims of identity theft, and most victims suffer them all to one degree or another.
Resolving Normalcy
In most cases, the criminals are not caught, and, contrary to advertisements by some companies trying to sell prevention, stolen identities cannot be “found,” “reclaimed,” or “recovered.” Victims, nonetheless, move through the emotional stages toward
recovery as they protect themselves from possible future losses by placing passwords on bank, credit card, and retail accounts; taking precautions at restaurants, gas stations, and wherever they use credit cards; limiting or discontinuing debit card transactions; doing business with financial institutions, retail stores, and others that are known for having taken identity theft precautions; and otherwise securing their personal identifying information (see Chapter 20). Sooner or later, victims gain a sense of acceptance of their situations and are able to resume their normal home and work lives.
Some Victims Are Revictimized
Once stolen, a Social Security number, name, address, or other form of identity may be fraudulently used again and again. The first time around, criminals use the stolen identities to commit “primary” fraud—the fraudulent purchase of goods and services. Later on, after the victim has placed fraud alerts on credit reports to help prevent further fraudulent financial transactions, criminals use the stolen identities to commit “secondary” fraud.
In secondary fraud, criminals use the victim’s identifying information on credit cards, driver’s licenses, and other documents they falsely create and use only for “secondary” purposes of identification, such as to rent public or private post office boxes for the delivery of merchandise fraudulently ordered over the phone or on the Internet. Public and private post offices rarely if ever check the credit reporting agencies for credit histories of postal patrons.
Within the context of secondary fraud, identity crime is rarely a one-person offense. That is, the use of the one victim’s identity as secondary fraud typically occurs when a member of the crime network rents the post office box to receive fraudulent merchandise, which is purchased by another network member using yet a second victim’s stolen identity. In this case, there are (at least) two criminals and two victims—the primary victim and the secondary, unknowingly revictimized, victim. The technique by which each of several criminals is responsible for a different task in the chain of a crime is called “layering.” The trail of the crime is more difficult to trace, no one criminal is responsible for the entire crime yet all share in the rewards, and as accomplices, each criminal is beholden to all others.
In one case seen at the MSU Identity Theft Crime Lab, a victim in 1999 became and remained a secondary victim until at least 2001, when the U.S. Secret Service assumed the investigation. The “secondary” offense was discovered in an investigation of an identity theft case where a MasterCard was used as identification to open a post office box in California. The name on the MasterCard was traced to an individual in Illinois who, upon further investigation, was discovered to have been a “primary” victim of bank identity theft in 1999, when living in the East Coast. Secondary identity fraud, though common, is only one form of revictimization.
A common and perhaps more egregious form is the revictimization of a victim by unscrupulous businesses that capitalize on the psychological sufferings of identity theft victims. Many victims and nonvictims alike subject themselves to the pressures of identity theft by purchasing solutions for prevention from increasing numbers of insurance companies, prepaid legal services, Web site “help” desks that provide victim advocacy for a fee, and even financial institutions that charge their own customers for help. Susceptible victims and nonvictims alike fall prey to “protection-for-pay” plans they should not need. Unfortunately, today a growing number of businesses are seeking to capitalize on the emotions evoked by the threat of identity theft.
Victims Need Not Pay
Victims do not need to pay for help or protection. Today there exists any number of freely available sources of assistance for victims of identity theft and identity crime. Police departments are becoming increasingly more involved in identity crimes and in advising victims of the necessary steps they must take for protection. There also are many nonprofit agencies or programs staffed by trained professionals who specialize in identity theft and identity crime victim advocacy. The Identity Theft Resource Center in San Diego is one such program; another is the MSU Identity Theft Crime and Research Lab.3 Both the Resource Center and the Research Lab, affiliated only by their common interest in identity theft advocacy and prevention, have Web sites that provide step-by-step instructions to help victims of identity theft, and one-on-one counseling is available online or in person. Some banks and credit card companies now also provide, without charge, identity theft and crime assistance for their customers. Many independent businesses also attempt to help customers who have been victimized, and many businesses also become victims and suffer the effects of identity theft.
At least one federal agency, the Federal Trade Commission (FTC), has a Web site that provides identity theft victims with detailed instructions, and victims may report their crime to that agency by completing an online complaint form.4 The FTC does not investigate the crime, but the information that victims volunteer is used to track identity crime trends and practices, for purposes of prediction and prevention. The FTC also will mail anyone a manual with instructions on whom and where to contact in an effort to prevent further, or any, identity abuse.
EFFECTS ON BUSINESSES
Businesses suffer in at least three ways from identity theft.
Financial institutions, retail businesses, and service providers bear the burden of the costs for fraudulently purchased merchandise or services using the stolen identity of an employee, customer, or patient.
A business’s own identity may be used to fraudulently purchase merchandise or services from other business entities.
Criminals fraudulently use business identities as their modus operandi for obtaining the identities of people, such as when criminals clone and then use a business Web site to collect personal identities from the legitimate business’s customers—a scheme known as phishing.
Examples of Business Identity Theft
An example of phishing is the case in which the International Chamber of Commerce uncovered a global Internet banking scam involving about $3.9 billion.5 The identity thieves had set up fake Web sites that were identical to the sites of original businesses. By mimicking legitimate banking businesses, the criminals obtained customer Social Security numbers and bank and credit account numbers. The motive was to obtain cash, and the modus operandus, or method, was the phishing scam.
Identity theft criminals also impersonate a business when using its name to telephone customers under the auspices of updating accounts or verifying account information, with the underlying motive of obtaining the customers’ SSNs, credit card, bank, or other identifiers.6 This example is an adaptation of phishing (by telephone) whereby the criminal impersonates the business so as to impersonate an individual.
The “business identity” also may be a company’s credit card account number, bank account number, payroll information on employees, and one or more federal or state tax numbers. The business identity also can be passwords and access codes for buildings, offices, and departments where financial records are maintained and for computers and computer server systems.
At a major U. S. automaker, for example, employees or individuals impersonating employees used the company’s pass code—considered proprietary, identifying information—to gain access to Experian Credit Agency credit reports on as many as 13,000 consumers.7 Credit reports contain names, SSNs, birth dates, account numbers for American Express, Visa, Discover, and other credit cards, department store credit account numbers, bank names and account numbers, and numerous other pieces of personal information that can be, and are, used to commit crimes of fraud and facilitate acts of terror.
Another large-scale business identity theft occurred at a national computer company where identity thieves stole a company laptop to access names and Social Security numbers of over 700 employees.8 In another reported case, three Florida men used stolen personal identities to obtain temporary employment at several businesses for the purpose of stealing business identities—the businesses’ banking account numbers, which they then used to create and print
counterfeit checks. By the time the crimes were detected, the men had fraudulently purchased more than $250,000 in merchandise using the bogus business checks. In a separate but similar case, inside criminals obtained and used corporate payroll information to create and cash bogus payroll checks. Additionally, in Fisher’s Landing, Washington, perpetrators broke into the mailbox of a real estate company to steal outgoing checks, which they then reproduced.9 This theft is one form of mail fraud used increasingly to obtain both individual and business identities. Unsecured residential and business mailboxes are easy “picks.” Criminals case the neighborhoods and business locations, know who is and who is not at home or at work and the time the mail is delivered, and simply retrieve a victim’s mail containing SSNs, bank information, and other identifiers. One minute on a computer from any location turns such identity thefts into identity crimes when the criminal accesses a business (or personal) bank account or makes fraudulent online purchases of merchandise.