FTC Releases Report Of Top Complaints Submitted By Consumers During 2011

Earlier this week, the U.S. Federal Trade Commission (FTC) released its annual report of the leading complaints filed by consumers. During 2011, identity theft (again) led the list of complaints. This is the 12th consecutive year that identity theft has led the list:

Type of Complaint or Scam	Number	% Of Total
1. Identity Theft	279,156	15%
2. Debt Collection	180,928	10%
3. Prizes, Sweepstakes and Lotteries	100,208	6%
4. Shop-at-Home and Catalog Sales	98,306	5%
5. Banks and Lenders	89,341	5%
6. Internet Services	81,805	5%
7. Auto Related	77,435	4%
8. Imposter Scams	73,281	4%
9. Telephone and Mobile Services	70,024	4%
10. Advance-Fee Loans and Credit Protection/Repair	47,414	3%

Other notable findings:

• Fraud: 990k of the 1.8 million complaints were fraud-related. 68% of consumers reported a fraud complaint where they paid an amount. The total amount paid was $1.5 billion, and the median amount paid was $537. 43% of consumers were contacted via email. The five states with the highest per-capita fraud reported were Colorado, Delaware, Maryland, Nevada, and Virginia.
• Identity Theft: Government documents/benefits fraud (27%) was the most common form reported, followed by credit card fraud (14%), phone or utilities fraud (13%), bank fraud (9%), and employment fraud (8%). 45% of consumers reported they contacted local law enforcement. The five states with the highest per-capita identity theft were Florida, Georgia, California, Arizona, and Texas.
• Countries: the top five countries were the USA (80%), Canada (4%), the United Kingdom (4%), Nigeria (2%), and Jamaica (2%).
• Age: consumers that filed complaints during 2011 were ages 50-59 (23%), followed by ages 40-49 (20%), ages 30-39 (17%), ages 60-69 (15%), and ages 20-29 (15%).
• Military: members from all four branches plus the Coast Guard reported complaints. For this group, identity theft ranked as the number one complaint, followed by Debt Collection. Mortgage Foreclosure Relief and Debt Management ranked as fourth for this group, compared to 13 for all consumers.

During 2011, consumers submitted about 1.8 million complaints, an increase of 24% over 2010. All complaints submitted by consumers are collected in the FTC Consumer Sentinel Network database, which contains 30 different categories of complaints. Download the 2011 FTC Consumer Sentinel Network Data Book (Adobe PDF).

Foreclosure Abuse Widespread

Last week, the San Francisco Assessor-Recorder office released the results of an audit (Adobe PDF) of about 400 home that were foreclosed on during 2009, 2010, and 2011. The audit found that about 84% of the homes had at least one violation of California foreclosure laws.

The office began the audit last Fall with Aequitas, a mortgage investigation firm, after problems surfaced in mortgage records requested by homeowners facing foreclosure. Assessor-Recorder Phil Ting said,

“When it became clear that property records were severely undermined, a red flag was raised... Those records are supposed to be filed with this office and many were simply missing or had serious inconsistencies..."

It's difficult to impossible for a homeowner to fight foreclosure when mortgage records are inaccurate or incomplete. Ting emphasized the need for state legislation to guarantee compliance with California foreclosure laws by the mortgage industry.

The register of deeds in Guildford County, North Carolina, examined 6,100 mortgage documents last year, and found signature irregularities in 4,500 (xx%). Experts see this as a clear indicator of the illegal practice of "robosigning" documents.

Seems to me it is time to both fine companies and send bankers to prison nationwide. Only then will this madness stop. Demand action from your elected officials.

Scammers Target American Airlines Customers With Phishing Emails

Earlier this week, a reader wrote about an email message he had received. The email message included a confirmation for tickets purchased through the American Airlines website. The reader was concerned that his bank information had been hacked, because he had not purchased any airline tickets.

The email message:

Subject: Your Order#647842534
Date: 15 Jan 2012 07:14:55 -0000
From: American Airlines (news-nr221@aa.com)
Reply-To: American Airlines (news-nr221@aa.com)
To: XXXXXXXX@XXXXX.com

Hello
FLIGHT NUMBER AA683
ELECTRONIC 885741402
DATE & TIME / JANUARY 30, 2012, 10:22 PM
ARRIVING / Raleigh
TOTAL PRICE / 395.22 USD

Please find your ticket attached. You can print your ticket. Thank you for your attention.
American Airlines.

The email included a ZIP file attachment. Clearly, this was a phishing email scam since it included an incomplete itinerary and the ZIP file attachment. A real airline wouldn't do either. Like most phishing emails, this one tries to trick consumers to open the ZIP file attachment which installs a computer virus on the victim's computer to collect password data, directs the victim's web browser to a fake American Airlines website to collect personal data, or both.

If you receive a phishing message like this, or from any other airline, experts advise consumers to:

• Don't click on any links within the email message,
• Don't open any files attached to the email message,
• Don't send a reply email message to the sender,
• Manually enter the website address into your web browser to visit the airline's official website to verify the email message, and
• Check your credit card or bank statement for any fraudulent charges

The official American Airlines website has a page devoted to phishing email scams. It provides examples of various email scam messages, and advises consumers:

"American Airlines will never ask you to perform security-related changes to your account in this fashion or send emails to collect user names, passwords, email addresses or other personal information. If you receive an email claiming to be from American Airlines, that asks for account information, it should be considered fraudulent... do not click on any links, open any attachments, call any phone numbers listed or follow any instructions in the email. Instead, forward a copy of the email, including the header to webmaster@aa.com so that we can investigate further."

The Snopes.com website also contains information verifying email phishing scams, including the above scam.

Zappos Data Breach Affects 24 Million Consumers

Several news organizations and USA Today reported about the data breach at Zappos.com, an online shoe and clothing retailer. Identity thieves hacked into the Zappos website and stole the names, street addresses, email addresses, telephone numbers, the last 4 digits of credit card numbers, and the online passwords of 24 million customers.

The Zappos CEO advised his employees via email that affected customers would receive the following notice, which read in part:

"... there may have been illegal and unauthorized access to some of your customer account information on Zappos.com... The secure database that stores your critical credit card and other payment data was NOT affected or accessed. For your protection and to prevent unauthorized access, we have expired and reset your password so you can create a new password. Please follow the instructions below to create a new password. We also recommend that you change your password on any other web site where you use the same or a similar password. As always, please remember that Zappos.com will never ask you for personal or account information in an e-mail... We have expired and reset your password so you can create a new password. Please create a new password by visiting Zappos.com and clicking on the "Create a New Password" link in the upper right corner of the web site and follow the steps from there..."

While the company has reset online passwords and notified affected customers about how to create stronger passwords, the types of personal data stolen are sufficient for identity thieves to create plenty of damage. The damage can include spam using stolen email addresses, spam to/from linked mobile phone numbers, and further hacking into consumers online accounts.

How might further hacking happen? Too many consumers still use the same password for all of their online accounts. Simply, identity theives could access your debit/credit card numbers at other online retailer or bank accounts where you use the same password.

It is important for consumers to remember that identity criminals are persistent and re-sell stolen personal information. So, the thieves that attempt to hack into your online accounts probably won't be the same thieves that stole your personal information. Re-sold stolen personal information creates a situation where many thieves can ultimately create further damage.

Experts advise:

• Immediately change your passwords at other online accounts/retailers where you have used the same password you used at Zappos.com,
• Change your online passwords every 90 days,
• Don't use the same password for all of your online accounts,
• Don't use passwords that are easily guessable, or match items on your profile page at Facebook or other social networking website,
• Learn how to create strong passwords,
• Don't use any passwords on this list, and
• Learn how to protect your sensitive personal information at public WiFi locations.

Addendum - January 18: After further consideration, I found the above breach notice and response by Zappos far from satisfactory for consumers. Their response assumes breach victims won't experience any identity fraud, since their message does not include any instructions about what consumers should do if they do experience identity fraud. And, the Zappos breach notice does not seek to explain to their customers the final results of their breach investigation, including why a breach like this won't happen again. The whole event can be summed up as "ooops, we lost a few passwords. reset them and everything will be okay." Not necessarily so.

Addendum - January 19: At least one lawsuit has been filed again Zappos and its parent company, Amazon.com.

Plenty Of Collateral Damage From a Credit Card Theft

There is a good article in PC Magazine that describes the scope of damages from identity theft when credit cards, smart phones, and spammers intersect. Jacqueline, a sales manager, had her credit card stolen and cloned, which resulted in over $2,000 in fraudulent charges. (Damages #1.) Her bank cancelled the exisitng credit card account and issued her a new credit card account. You would assume that was the end of the story, but sadly it wasn't.

Then, the credit card theft and card cloning happened with the replacement credit card -- which suggests an insider identity-theft problem at the bank Jacqueline uses.  Her bank cancelled the replacement credit card account, and issued her a second replacement credit card. End of the story, right?

Wrong. Next, Jacqueline and her contacts began to receive a flood of text message and phone call spam from unknown phone numbers. Apparently, the identity criminals had also stolen Jacqueline's mobile phone number (Damages #2.) along with her credit card information. Jacqueline's company-issued Blackberry-brand smart phone had been spamming people and phishing for consumers' Sovereign Bank sign-in credentials.

Jacqueline doesn't work at Sovereign Bank. After more investigations by the IT department at Jacqueline's employer, her mobile carrier, Verizon, informed them that the text message spam wasn't coming from its network, but from a computer pretending to be Jacqueline. Apparently, the credit card thieves re-sold Jacqueline's personal data and mobile phone number to other identity criminals, which included a spammer (Damages #3.):

"Someone had gotten a hold of her mobile number and was spoofing other phones using her digits. It turns out there's software designed specifically for businesses to send bulk SMS to lists of phone numbers from a computer."

Wow! What a mess. This saga highlights several issues, including the:

• Creativity and persistence of identity thieves,
• Efficiency of online forums where consumers' stolen personal data is resold and traded,
• Value of consumers' (digital) personal information, and
• Duration of damages from identity theft and fraud.

The average consumer doesn't think about how valuable the various bits of their personal information are. But, identity criminals think about it deeply.

The good news in this story was that the IT department at Jacqueline's employer was able to rule out any leaky smart phone apps that could have compromised her data security.

Today, there's not much more Jacqueline or her employer's IT department can do. Her personal identity information is out there in the thieves' domain. As I see it, all she can do is file police reports to document the trail of theft, and lock down her credit reports to keep the damage from spreading to her financial accounts. If the thieves also have her Social Security number, then they can obain fraudulent identification cards and drivers licenses. And, there's nothing to restrict the thieves' action with the USA borders.

BBB: Top 10 Scams Of 2011

Earlier today, the Better Business Bureau (BBB) announced the top ten scams of 2011. With these scams, consumers can lose their money, personal identity and bank information, or both. The leading scams were:

1. Job Scams: included secret shopper schemes, work-from-home scams, and phony job offers. Typically, the scammers seek to trick victims to reveal bank account information.
2. Sweepstakes and lottery scams: supposedly you've won a lot of money. The pitch often includes a bogus celebrity participation.
3. Social networking and online dating scams: scammers may pretend to be on of your "friends" or have hacked the online accoount of one of your "friends." Typically, the pitch is to get you to click on a link -- sometimes a racey video-- which downloads a computer virus that invades your computer and steal sign-in credentials for several social networking accounts.
4. Home Improvement scams: contractors visiting your neighborhood offer a low price for the work, accept your deposit, and then never complete the job -- leaving your home in worse condition than before. Sometimes, the pitches come after a natural disaster.
5. Check cashing scams: scammers use legitimate companies (e.g., Craig’s List, Western Union) offering to buy something you are selling online. The scammer's check is larger than the price of the item you are selling. The victim sends the scammer a valid check for the difference, and the victim deposits the scammer's bogus check in their bank account. Of course, the scammer flees with money from cashing the valid check, the bogus check bounces, the victim still hasn't sold their item, and the victim's bank charges bounced check fees.
6. Phishing scams: these can be offers via phone, email, or a fake website. The typical pitch is to trick victims into revealing sensitive personal and bank account information. When you visit the bogus website to "verify" your account information, the website installs a software virus on your computer to steal more information.
7. Financial scams: these target consumers in tough situations, and include bogus offers about debt reduction and home mortgage modifications. The promised services are never delivered.
8. Sales scams: these include "penny auctions" or ways to supposedly pay far less than standard retail prices. Usually, there is a fee to bid. The BBB states clearly that not all penny auctions are scams, so consumers should treat these as a gamble and inspect closely the website policy and terms before entering.
9. BBB scams: a bogus email that looks like it's from the BBB, claims that a complaint has been filed against your business. To reply to the complaint, the email includes a link which instead downloads a document that spawns a software virus that can steal banking information, passwords and other sensitive personal information.

Last month, I received one of these fake-BBB phishing emails, with the telltale bad grammar and other clues. So you are aware, here is the text of the phishing message:

Subject: Your customer complained to BBB
From: "Better Business Bureau"
Date: Tue, 20 Dec 2011 08:47:19 +0000

Good afternoon,
Here with the Better Business Bureau notifies you that we have been filed a complaint (ID 37975886) from a customer of yours in regard to their dealership with you. Please open the COMPLAINT REPORT below to find the details on this issue and inform us about your opinion as soon as possible. We are looking forward to your prompt reply.

Faithfully,
Fernando Grodhaus
Dispute Counselor
Better Business Bureau Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

Timeline Security Hoax Circulates On Facebook

If you use Facebook.com, perhaps you have seen the following status message:

"With the new 'FB timeline' on its way for EVERYONE, please do both of us a favor: Hover over my name above. In a few seconds you'll see a box that says "Subscribed." Hover over that, then go to "Comments and Likes" and uncheck it. That will stop my posts -- and yours to me -- from showing up on the side bar (ticker) for everyone to see, but MOST IMPORTANTLY it LIMITS HACKERS from invading our profiles. If you re-post this I will do the same for you. Thanks! (Click like on this post so I will know you unchecked.)"

Beware. This status message is a hoax -- an effective one too, since it trades on consumers' security fears. To learn more about why it is a hoax, visit Snopes and Facecrooks.

I can share this from personal experience. A couple Facebook friends sent this status message to me, and this hoax tricked me, too. The whole experience is reminder:

• Don't believe everything you read on social networking sites, and
• Verify claims before forwarding them as status messages to your friends.

A Wide Variety of Scams Target Senior Citizens

The Detroit Free Press reported about a local workshop to help seniors stay alert about a variety of fraud schemes run by scam artists:

"Michigan AARP says, based on a recent survey, that 79% of its members are concerned about fraud... Seniors are losing $2.9 billion a year nationwide to financial abuse..."

Seniors are vulnerable, since many live on a fixed income and seek ways to to increase their income due to financial pressures and fears. Scam artists use these fears.

FBI agents spoke to seniors at the Fraud Fighter College workshop at Marygrove College. Linda Cena, a securities manager at the Michigan Office of Financial and Insurance Regulation also spoke. Cena advises seniors to call her office to verify brokers and investments before investing large sums of money. Residents in other states can often find identity theft and scam resources in the division of insurance, secretary of state, or attorney general offices in their state government.

Typical scams targeting seniors include:

"... con artists promising a shopping spree in return for a small processing charge on a debit card to crooked financial advisers talking someone into shifting retirement money from a 401(k) plan into a self-directed IRA, and then putting that money into some fraudulent movie scheme. And, yes, a grandson or granddaughter on drugs can become a predator, too."

Experts warn seniors, and their caregivers, that the best defense against identity theft and fraud is to not disclose personal and financial information -- especially over the phone. Another tip: don't leave papers with sensitive information lying on tables around the home where visitors can steal valuable data like Social Security numbers.

How To File A Complaint About A Bank

Recently, a friend posted this status message on Facebook:

"How does Bank of America stay in business? They continue to threaten and harass even after I have been assured that all issues have been resolved! Issues, by the way, created by their own incompetence! Who do I lodge a complaint with?"

Consumers have several resources to help them with filing a complaint about a bank. Since my friend lives in Massachusetts, first I directed her to the Massachusetts Division of Banks, which regulates banks that operate within the state. This can include help with or submitting a complaint about abuses involving mortgage foreclosures or checking/savings accounts.

If your "banking" problem includes stock or securities fraud, then consumers should consider filing a complaint with the Massachusetts Secretary of State. The responsibility of this administrative agency varies across states, and is based upon the constitution and laws of your state. In Massachusetts, the Secretary of State's office manages several important functions including investment securities, deeds, registration of corporations, elections, and public records.

If you live in a different state, then you can search online for the consumer protection bureau or consumer complaint board within your state that regulates banks. Most states have one.

A second resource is the Federal Deposit Insurance Company (FDIC), which insures banks and financial institutions operating within the USA. The link to the consumer complaint form is conveniently on the FDIC home page.

Sometimes, the problem includes both a bank and a retail company. Then, it is appropriate to submit a complaint the U.S. Federal Trade Commission (FTC), which regulates the activities of retail companies operating within the USA. It is appropriate for consumers to file complaints about deceptive marketing tactics, scams, identity theft, and other topics. The FTC operates a very comprehensive complaint process and database.

If your phone number is registered in the Do Not Call Registry and you belive a company has violated that telemarketing law, then you should file a complaint at the Do Not Call Registry website.

Related articles in this blog which you may also find helpful:

• How To Check Your Insurance Company's Complaint Record
• Received Poor Customer Service? How To Complain Effectively

ScanScout Settles With FTC About Flash Cookies Used For Tracking Consumers

ScanScout has agreed to settle with the U.S. Federal Trade Commission (FTC) about charges the company used deceptive marketing with a website privacy policy that claimed consumers could opt-out of online tracking, when they couldn't opt-out because the company's website used the Flash cookie technology to collect data which browser settings couldn't block. An FTC press release summarized the terms of the proposed settlement:

"... bars misrepresentations about the company’s data-collection practices and consumers’ ability to control collection of their data. It also requires that ScanScout take steps to improve disclosure of their data collection practices and to provide a user-friendly mechanism that allows consumers to opt out of being tracked."

During the lawsuit and before the settlement agreement, ScanScout merged with Tremor Video. The consent order (PDF), which applies to the merged company and its subsidiaries, stated:

"... officers, agents, representatives, and employees and all other persons in active concert or participation with any of them, who receive actual notice of this Order by personal service or otherwise, whether acting directly or through any entity, in connection with the online advertising, marketing, promotion, offering for sale, sale, or dissemination of any product or service, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication: (A) the extent to which data from or about a particular user or the user’s online activities is collected, used, disclosed, or shared; or (B) the extent to which users may exercise control over the collection, use, disclosure, or sharing of data collected from or about them, their computers or devices, or their online activities."

The consent order also stated that within 30 days of the approved consent order, the company:

"... place a clear and prominent notice, including a hyperlink, on the homepage(s) of its website(s), which states, “We collect information about your activities on certain websites to send you targeted ads. To opt out of our targeted advertisements click here.” When selected, the hyperlink shall take consumers directly to the mechanism... that enables users to prevent respondent: from collecting data that can be associated with a particular user, or that contains any unique identifier, including user ID or Internet Protocol (IP) address; from redirecting users’ browsers to third parties that collect data, absent a click or other affirmative action by such user; and from associating any previously collected data with the user..."

For five years after the approved consent order, the companies must save and forward to the FTC both complaints from consumers and all company documentation proving compliance with the consent order.

During the summer of 2011, a class-action lawsuit was filed against AOL, Brightcove, and ScanScout about the use of the Flash cookies technology to secretly track consumers' online usage.

The proposed settlement agreement is open for comment by the public until December 8, 2011, after which the FTC will decide whether to make it final. To submit comments, follow the online comment instructions at this website. Comments submitted via postal mail should be sent to: Federal Trade Commission, Office of the Secretary, Room H-113 (Annex D), 600 Pennsylvania Avenue, N.W., Washington, DC 20580.

To learn more about the various tracking technologies, browse posts in this blog about browser cookies, "zombie cookies," Flash cookies, "super cookies," and etags. The FTC OnGuard Online website also contains a section about the various online cookies technologies.

Data Breach Via Insider Identity Theft at North Carolina Hospital

The Data breach cause that scares me most is insider identity theft because it involves employees that should be trustworthy, and aren't. It also emphasizes that the company, hospital, or government agency have an aggressive "red flags" program in place to monitor who accesses sensitive consumer information (e.g., customers, patients, clients, employees, contractors), and compliance with data security policies.

Yesterday, the News-Record reported a data breach involving protected patient information at High Point Regional Health System. An employee took home 47 patients' files, and later returned them. Officials believe the data breach occurred between September 14 and October 6. Hospital representatives learned of the breach last month by an employee at Premier Imaging LLC, a hospital subsidiary. The employee has since been fired.

The breached records included patients' names, residential addresses, dates of birth, Social Security numbers, driver's license numbers and insurance information -- all of the critical data elements for thieves to assume another person's identity and do significant damage with health or financial accounts. An investigation by the health system could not determine whether the former employee has any patient information in her possession or has used it in any way.The hospital has notified affected patients, and arranged an identity protection service for the affected consumers.

Specific data security rules exist for hospitals and health care organizations. According to the Health & Human Services website, the information that must be protected includes:

"Information your doctors, nurses, and other health care providers put in your medical record; conversations your doctor has about your care or treatment with nurses and others; Information about you in your health insurer’s computer system; billing information about you at your clinic; and most other health information about you held by those who must follow these laws."

The companies that must follow this law are called "covered entities," and include doctors, pharmacies, nursing homes, HMO's, health plans, health insurance companies, and vendors hired under certain conditions.

Former Countrywide Financial Analyst Sentenced to 18 Months of Prison And Ordered To Repay $1.8 Million

The Los Angeles office of the Federal Bureau of Investigation (FBI) and the U.S. Attorney for the Central District of California announced that a former Countrywide Home Loan employee was sentence on September 28 to 18 months of prison and ordered to pay $1.8 million in restitution to Countrywide, now a unit of Bank of America.

Rene Rebollo, 39, of Pasadena, was arrested in 2008 after an investigation discovered that he had downloaded from Countrywide databases and sold the sensitive personal and financial information of about 2.5 million consumers. Rebollo was employed as a senior financial analyst for Countrywide’s subprime mortgage division in Pasadena. He admitted that that he saved the stolen information to a personal thumb drives and distributed consumers' Social Security numbers in at least 50,000 instances.

"As a result of the data breach, Countrywide underwent considerable expenses, including notification of individuals whose information was improperly disclosed, at a cost of approximately $1.2 million, and providing free credit monitoring for those individuals at a cost of approximately $15.75 million. Countrywide has also estimated that it has expended approximately $13.4 million in civil litigation, including several class action lawsuits, arising from the data breach."

This is a classic case of insider identity theft and the costs companies can incur from a breach. The case also highlights the importance of companies, small and large, to adopt data security measures and comply with Red Flag Rules.

FTC Testifies Before Congress About Identity Theft And Fraud Affecting Children

On September 1,the U.S. Federal Trade Commission (FTC) testified before the House Committee on Ways and Means Committee Subcommittee about identity theft and children. At the hearing in in Plano, Texas, Deanya Kueckelhan, Director of the FTC’s Southwest Regional Office, delivered the FTC testimony.

The theft and fraud involving children's Social Security numbers is a growing problem. Identity thieves can access and steal Social Security numbers from children’s records in schools, doctors offices, social services agencies, and other sources. Sometimes, family members who have fallen on hard economic times use the identities of their children to obtain credit they couldn't obtain otherwise. Experts explore the problem recently in the Stolen Futures forum, hosted jointly by the FTC and the Department of Justice’s Office for Victims of Crime.

For adult identity theft, the Bureau of Justice Statistics reported in its National Crime Victimization Survey Supplement that about 11.7 million persons, about 5% of all Americans ages 16 or older, were identity-theft victims during a two-year period ending December 2008. The financial of that theft was $17.3 billion.

For child identity theft, a study by ID Analytics found 142,000 instances of identity fraud each year in the United States where children are the victims. Another study by the Carnegie Mellon CyLab of 40,000 children who had been enrolled in an identity protection service found that 4,311 of those children -- about 10.2 percent -- had loans, property, utility, and other accounts associated with their Social Security numbers.

In her testimony, the FTC's Kuechelhan describe another aspect of the child identity theft:

"... a child’s unused SSN is uniquely valuable to a thief because it typically lacks a previous credit history and can be paired with any name and birth date. In effect, a child’s identity is a blank slate that can be used to obtain goods and services over a long time period because parents typically do not monitor their children’s credit..."

Kuechelhan also described the identity protection problem:

"... fraud alerts, a key tool used by adult victims of identity theft to warn potential creditors of possible identity theft, are premised on the existence of a credit file. Parents ordinarily cannot place a fraud alert on their child’s credit file if the child has no such file. Further, remedies available under federal law such as extended fraud alerts, access to documents underlying the theft, and blocking of erroneous debts typically require a victim to obtain a police report to document the crime... children victimized by parents or guardians are often reluctant to file a police report naming a loved one or a source of financial support as the perpetrator."

Read the FTC testimony (PDF).

What is a parent to do? First, concerned parents should understand the available credit file protection tools: fraud alert, credit-file freeze, and the differences between the two tools. Second, investigate a credit monitoring and identity protection service to cover both parents and children in your family. Several services exist, which I will explore in future blog posts. Shop around because monthly prices and features vary.

Third, teach your children, tweens, and teens about money, credit, the sensitive personal information they must protect, and their responsibility when they become adults to monitor their credit files produced by the major credit-reporting agencies: Equifax, Experian, and TransUnion. You can find plenty of information in this blog.

In my opinion, a broader solution to the problem would be for credit reporting agencies to automatically place a free Security Freeze on the credit reports of all children. This freeze would automatically be lifted (for free) when the child turns 18. Parents could temporarily lift the freeze for children younger than 18 for instances to apply for education loans for that child.

What do you think of child identity theft?

iPrank = iPad Scam

Do you think that two guys selling a couple Apple iPads in a McDonald's fast-food restaurant is legitimate? Say, they offered each iPad for $300. Would you buy one?

A South Carolina woman did, and sadly found out that when she arrived home that she had bought "a brick in a box." More precisely, the 22-year-old woman, Ashley McDowell, bought a fake Apple iPad made of wood and painted with an Apple logo on it. You can view a photo of this fake iPad at the Smoking Gun website.

Ashley offered and paid the scam artists $180 for the iPad, which was sealed inside a FedEx shipping box:

"But when McDowell drove home and opened the FedEx box containing the iPad, she instead discovered the wood with the Apple logo. The “screen”--which was framed with black tape--included replicas of iPad icons for Safari, mail, photos, and an iPod."

Police are searching for the two scam artists.

A word to the wise: if an offer sounds too good to be true, it usually is. Or, at least inspect the device before you hand over the cash.

How To Recognize Disaster Related Scams

You have just survived a natural disaster event. Perhaps you have some damaage to your home. Nobody wants to be victimized twice: once by the natural disaster and then by scam artists and identity thieves.

To help consumers and businesses deal with disasters and the scam artists that often follow, the U.S. Federal Trade Commission (FTC) operates the Disaster Recovery website. The website contains a variety of content including emergency preparation tips and advice about scams.

Unfortunately, several types of disaster-related scams target consumers:

• Debris Removal Scams: The FTC advises consumers to get a written work estimate from any company promising to remove debris from your property. Don’t make the final payment until you have inspected the job and are happy with it. Shop around and compare prices to make sure you are not overcharged.
• Fake Disaster Officials: Some scam artists claim to be government officials offering assistance to qualify for disaster relief payments. A “processing” fee is often included. Others masquerade as safety inspectors or utility repair workers who claim that immediate repair work is required. Some claim they can get you FEMA funds, for a fee. FEMA does not charge application fees. In fact, no government agency charges application fees. Always ask for identification from any officials who visit your home or your temporary shelter. Call the local agency office to confirm the person's identity.
• Home Repair Scams: often the scam artists claims that the work must be done "now or never." Collect phone numbers to verify identities. Demand the time to consider the offer overnight. Before selecting a contractor, get at least two bids, get references, get the contractor's business license, check the Better Business Bureau website, deal with established vendors, don't give out personal financial information (e.g., credit card numbers), and structure payments in installments (e.g., upfront, 50% of work completed, 100% of work completed). The U.S. Federal Emergency Management Agency (FEMA) operates a Disaster Housing Program to help homeowners who have been forced out of their homes by disasters. This includes Disaster Home Repair Assistance, which provides grants to homeowners for minor but necessary disaster-related repairs. Call the FEMA Disaster Helpline at 1-800-621-FEMA. The U.S. Small Business Administration makes low interest loans of up to $200,000 to homeowners to repair or replace damaged or destroyed real estate.

To learn about more types of scams, visit the FTC Disaster Recovery website. Often, many of these scams lead to identity theft and fraud. The website recommends when you should and should not disclose your sensitive personal information (e.g., bank account numbers, credit card numbers, Social Security number, birth date, mother's maiden name).

Identity Thieves Target Phishing Attack On Users Interested In Cloud Computing

Interested in cloud computing? Want to store your files and documents in the "cloud?" Considering the Apple iCloud service? Identity thieves have adapted a phishing email for cloud computing services.

The good folks over at Sophos Naked Security blog reported a new email phishing attack which targeted at prospective Apple iCloud users:

"The email claims to come from Apple, and appears to have targeted our correspondent because he is a user of Apple's MobileMe service. Apple is planning to shut down its MobileMe service in mid-2012, as it is readying its new iCloud service (which will store music, photos, calendars, documents etc in 'the cloud' and wirelessly push them to all of your devices)."

Many consumers consider Apple products relatively immune to malware and phishing attacks. You have been warned. Be alert for phishing emails about cloud computing.

KPMG Survey: A Typical Corporate Fraudster Is...

KPMG recently released its 2011 Who Is A Typical Fraudster? report, describing the profile of a typical corporate fraudster, the impacts and amounts stolen, industries where fraud tends to concentrate, and the conditions which enabled the fraud. The report included 348 events in 69 countries. The fraud events included "white collar" crimes such as:

"... misstatement of financial results, theft of cash and/or other assets, abuses of expenses, and a range of other fraudulent acts."

The report excludes acts of no material value and misconduct.The report does not mention names. The average duration of the fraud was almost three and a half years from the start until its detection. In 74% of the incidents, fraudsters exploited weak internal controls. Companies fail to read and act quickly on the warning signs:

"The number of fraud cases preceded by a red flag rose to 56 percent of cases in 2011, from 45 percent in 2007... Just 6 percent of initial red flags were acted on in the 2011 analysis... Rarely is an act of fraud a one-off... In 2007, 91 percent of fraudsters were repeatedly fraudulent, compared with 96 percent in the 2011 analysis."

The average loss was $1.4 million in Asia Pacific, $1.1 million in the Americas, and $900k in Europe. The report described the following as one of the most interesting cases in the United States:

"At a U.S. financial institution, a larger-than-life chief executive surrounded himself with an inner circle of "yes men." The fraud, which involved subterfuge and complex bundling and unbundling of loans and transactions to make bad loans appear good... The investigation quickly uncovered conflicting stories told by the CEO's inner circle and the people working with the loans and customers. This case illustrates, in particular, how dominant and bullying behavior can coerce others to participate in fraudulent activity."

The corporate fraud includes identity theft. A case from Switzerland:

"Fraudsters attempt to extract money from dormant accounts or they assume the identity of a customer to trick advisers into making payments or transfers. Often this involves the collusion of an external party with an internal ally..."

I also found the consequences interesting:

• Disciplinary action: 40% of cases (54% in the Americas; 23% in Asia Pacific)
• Regulatory, legal enforcement: in 45% of cases
• Civil recovery: 23% of cases
• Resignation/voluntary retirement: 17% of cases (25% in Asia Pacific)
• Out-of-court settlement: 6% of cases
• No action taken: 3% of cases

The profile of a typical corporate fraudster:

• Male (87% were men)
• 36 to 45 years of age (41% were ages 36 to 45; 33% were ages 45 to 55)
• Committed the fraud against his own employer (90% committed the fraud against their employer)
• Works in the finance function or in a finance-related role (32% worked in finance; 26% were CEOs; 25% were in operations/sales)
• Holds a senior management position (29% were in management; 53% were in senior management)
• Employed by the company for more than 10 years (33% employed more than 10 years; 29% employed 3 to 5 years; 26% employed 6 to 10 years)
• Committed the fraud in collusion with another employee (61% acted with others)

The report mentioned this about collusion:

"... male perpetrators (64%) are almost twice as likely to collude than women (33%). After taking account of male dominance in the perpetrator group, collusive females account for just 4 percent of activity. Perpetrator groups are most typically all-male or mixed gender."

KPMG is a tax, auditing, and advisory firm operating in 144 countries. A KPMG auditor caused a data breach in May 2010 when the auditor lost a flash drive containing 4,500 unencrypted patients records.

Data Breach At A Retailer Has Affected BofA and Citi Customers

A data breach at a retailer has affected cardholders at both Bank of America and CitiBank. Both banks have deactivated some credit cards. According to American Banker, the banks have not disclosed the name of the retailer. According to Bloomberg, Bank of America sent several debit card customers new cards as a precaution after a possible breach. The banks have not disclosed the name of the retailer.

From my view, the two events are related and the retailer's breach is significant. A reader wrote to me yesterday:

"Wow. This morning BOA contacted me about suspicious activity on my debit card...3 transactions at some international art market. On the 3rd transaction, BOA caught it and declined the card. The rep said she thinks they had a fake card made. But wow! What the hell? Do you think this is a coincidence or could it be related?"

It's probable that this reader's debit card information was skimmed and cloned. It's great that BofA acted proactively and notified the reader of these suspect transaction, but the fraud has already happened. This reader's bank account information is out there among identity theft and fraud criminals. Now, this reader needs to get a new bank account and replacement debit card; plus update all of her online bill payment settings.

I encouraged this reader to use credit cards instead of her debit card when shopping at online and brick-and-mortar retail stores. Sure, debit cards are convenient, but the risk is just too high. When breached, it gives criminals direct access to your bank checking account.

Think of it this way: every time you shop with your debit card at a retail store, you are trusting that retail store and its employees to:

1. Protect your sensitive bank account information,
2. Protect their customer databases from hacks,
3. Protect its point-of-sale terminals from skimming devices,
4. Encrypt wireless transmissions of purchase transactions between it and its banks,
5. Implement a "red flag" program to controla ccess to sensitive customer data and to discover insider identity theft,
6. Comply with state laws to protect and delete certain transaction information within the appropriate deadline, and
7. Comply with merchant guidelines (e.g., from Visa International, MasterCard)

So, the next time you enter a brick-and-mortar store, look around and ask yourself if you feel comfortable that that particular establishment has the resources, skills, and commitment to do #1 through #7 to protect your sensitive bank account and payment data. If the answer is "no," then use cash or a credit card. At gas stations, use your card inside and not at the pump. Learn how to avoid being a victim of skimming. Learn more about whether to shop with cash, debit, credit, or a charge card.

Me? I use my debit cards only at my bank's ATM machines.

If you are a Citi or Bank of America customer, were you affected by this latest breach? Did you receive replacement debit/credit cards, or did you have to demand them? If so, please share your experience below.

10 Dangerous Habits Consumers Still Do Online

Based on a recent Symantec survey, the ZDNet Security blog posted a list of ten dangerous habits consumers still do online. The list can be summarized into two broad behaviors:

• Consumers trade convenience for security
• Consumers ignore online risks they are aware of

The list of detailed dangerous habits:

1. Sharing too much information in social networking websites
2. Trusting company websites to protect their information
3. Assuming the links in email, text messages, and social networking posts are safe to click on
4. Not educating themselves enough about the threats and ways to protect themselves
5. Not updating the anti-virus and malware software on their computers and mobile devices

My pet peeve is number four. Regarding number three, every Facebook user should follow the alerts from websites like Facecrooks, which greatly helps you learn about which links to avoid.To view the complete list of dangerous habits, visit the ZDNet Security blog.

Analysis: Several States' Online Consumer Forms For Filing Phone Scams Complaints

[Editor's note: this is part three of a three-part series about telemarketing or phone scams.]

Yesterday, I described my experience with filing online complaints with the U.S. Federal Trade Commission and with the Attorney General office in the state where I live. Today, I want to share my findings about how well several states' Attorney General websites allow consumers to file online complaints about phone scams.

Remember, the the FTC Phone Fraud website instructs consumers to file complaints at both the FTC Complaint Assist website and at their state Attorney General website. After having difficult at the Massachusetts AG website, I reviewed several states' AG websites. I wanted to know if other states presented online complaint forms that made it easy (or difficult) to file complaints about phone scams.

I reviewed and compared the online complaints form for six (6) states. I chose four states (California, Florida, New York, and Texas) with large populations since that would include the probable online experience for a large percentage of the US population. I also included my home state (Massachusetts), and one state (Alabama) that does not have any laws requiring the notification of consumers affected by data breaches:

#	State AG Website	Online Complaint Form
1	Massachusetts	https://www.eform.ago.state.ma.us/ago_eforms/forms/piac_ecomplaint.action
2	California	http://ag.ca.gov/contact/complaint_form.php?cmplt=CL
3	Florida	http://myfloridalegal.com/Contact.nsf/Contact?OpenForm&Section=Economic_Crimes
4	Alabama	http://www.ago.state.al.us/consumer_form.cfm
5	New York	http://www.ag.ny.gov/bureaus/consumer_frauds/filing_a_consumer_complaint.html
6	Texas	https://www.oag.state.tx.us/forms/cpd/form.php

Remember, the FTC website linked to the National Association of Attorneys General (NAAG) website, which lists all Attorney General websites in the 50 states, plus the District of Columbia, Guam, and Puerto Rico. So, many consumers will arrive at their state's AG website with the goal to complete this specific task: file a complaint online about a phone scam. Given this specific task, I used three criteria to evaluate the AG websites:

1. Did the AG website main page present a link or button for consumers to file a complaint online, that was prominent and easy to find?
2. Did the AG website allow consumers to actually file a complaint online?
3. Did the state's online form allow for the submission of phone scams?

There are many other criteria one could use to evaluate AG websites. I chose these three criteria because they directly relate to the specific task. I looked for variations of the "File a Complaint" phrase and not necessarily the same words. My findings:

1. Many AG websites made it difficult for consumers to file complaints. 50% (3 of 6) of the websites reviewed contain a link or button on the home page that was prominent and easy-to-find. Prominent and easy means that the link/button is immediately displayed when the page loads. So, half of the websites (e.g., Florida, New York, and Texas) evaluated didn't provide a link/button.

AG websites typically present information about news releases and the services available to consumers and businesses -- all very valuable information. The lack of a "File a Complaint" link or button on the home page makes the website needlessly more difficult to use. This forces consumers to hunt for the complaint form page.

Several example highlight this forced hunt. First, the online complaint form is buried in the Florida AG website under the Consumer Protection website section. That fom location may be a logical place for frequent website visitors, attorneys, and AG office staff, but not necessarily for first-time visitors or consumers. Second, the Texas AG website has a "Report Fraud, Waste, and Abuse" link on its main page, but that link is narrowly focused on complaints about state government agencies. Consumers looking to file a complaint about a non-government organization still have to hunt for the online complaint form.

Third, the New York AG website locates its complaint forms under the Consumer Frauds Bureau and Identity Theft sections. Again, frequent visitors, attorneys, and AG office staff may know to look there, but first-time visitors won't.

When hunting for a form, there are several time-consuming strategies that consumers may use: site-search mechanism, click on various navigation links, and/or read the page content.

2. Most AG websites present interactive online complaint forms. 83% (5 of 6) of the websites reviewed present online complaint forms. The only website that didn't -- New York -- presented static forms in Adobe PDF format, which consumers must download, complete offline, and submit via surface mail.

3. Not all AG websites allow consumers to submit complaints about telemarketing/phone fraud. 60% (3 of 5) of the websites with interactive, online complaint forms allow consumers to file complaints about phone scams. (Remember, the New York AG website had PDF forms instead of interactive forms.) That is, the complaint forms are flexible enough to allow consumers to enter the data elements they may have.

In my online experience, the form in the Massachusetts AG website requires consumers to submit all of the following data elements about the phone-scammer: company name, address, city, state, ZIP Code, and phone number. With phone scams, consumers won't necessarily have all of these data elements. I didn't. The complaint form at the Texas AG website also contained the same usability problems as  the Massachusetts AG website form.

While it is a fairly simple task to add a "File a Complaint" link on the home page and to edit an online complaint forms to make more company data elements optional rather than required, there probably are backend database considerations. The online databases must contains sufficient categorization and tagging to identify phone fraud complaints as such, and not as partially completed complaints.

If you have submitted complaints at your state's AG website, what was your experience?