This morning, a friend sent the following via e-mail:
"Just learned today that I was a victim of identity theft. My accountant tried to electronically file my income tax but it was rejected. The IRS told him I already filed. Since the early return is obviously fraudulent I was told I could not electronically file but had to file with paper. Spent the last couple hours notifying credit bureaus and the Federal Trade Commission. It doesn't appear they have applied for any new credit card yet. I wonder whether they got a refund in my name. I also have been involved in a couple big data breaches where the company who lost my data has provided free credit monitoring services. None of the services have detected fraudulent activities. It must've been through one of these that someone got hold my Social Security number. So far so good, but this is an extra headache I didn't need."
It was sad to read this e-mail message. Identity theft is always a major pain and inconvenience. I experienced this in 2007 after IBM, Inc. had its massive data breach. There's a lot to consider and to do. Most consumers have no idea what to do next. That’s why I started me blogging about identity theft, data breaches, and corporate responsibility. The blog has been a good tool for me to catalog what I've learned about what to do next.
Since my friend's sensitive information (e.g., name, address, phone, social number, and maybe more) are out in the wild, that means thieves will sell and resell it as long as they think the information is usable. The criminals now know enough about my friend that they will try to commit more fraud -- often by impersonating my friend to gain access to their financial accounts. Thieves may call the customer service departments at banks pretending to be my friend. While writing this blog the last 8+ years, I've learned that identity thieves are smart, persistent, and go where the money is.
I suggested that my friend do the following to protect their self:
- It seemed like my friend is already following the advice by Internet Revenue Service (IRS) for victims of tax-related identity theft and fraud. That’s a good start. Another good place to start is the Identify Theft site by the U.S. Federal Trade Commission (FTC). Follow the next steps recommended by the FTC.
- File a police report with the local police department. They’ll probably do nothing, but this will help my friend create a paper trail. Certain documents will be needed when filing claims with insurance companies.
- While my friend has already contacted the three major credit reporting agencies (TransUnion, Experian, and Equifax), don't stop with a Fraud Alert. That’s weak tea. Do a Security Freeze instead. That will prevent fraudsters from taking out new loans or getting credit in my friend's name. This will cost up to $10 for each.
- Call financial institutions and advise them of your identity theft. Follow any processes the banks have. Get new debit/credit card numbers if your card information (card name, account number, security code, etc.) was exposed in #6.
- Change online passwords for all financial accounts (e.g., checking, savings, mortgages, insurance, credit cards, 401-K, IRA’s, etc.). Notify them that your data has been stolen and used. Follow any procedures the banks have for reporting fraud. Don’t use the same password at multiple sites. Why? Thieves will use a stolen password at several websites, to see where else they can break in.
- Since one or more companies had data breaches that exposed my friend's sensitive information, my friend should notify each company that thieves have used their sensitive information for tax-related fraud. These companies will probably deny that their breach was the cause, but my friend is informing them of the consequences. If the breach was bad, there may be an upcoming class action, so I encouraged my friend to consider and join any class-action lawsuits. The financial rewards may be beneficial.
- Thieves will continue to use my friend's stolen information as long as they think it is useful. So, my friend will need to be vigilant. That means continuing to periodically monitor bank account statements and credit reports for fraudulent entries (if my uses only the Fraud Alert option). This sucks, but that is the reality in the digital information economy. When companies have data breaches, we consumers are usually left with the cleanup burden.
- If the companies in #6 offer free credit monitoring services, accept the offer and use it. Those monitoring services can help with #7. Plus, these monitoring services usually offer fraud resolution services: the detailed, time-consuming, and complicated process of cleaning up accounts and records muddled by thieves. If the corporate data breaches in #6 included my friend's spouse and/or dependents, be sure that any credit monitoring services cover these persons.
- Keep a solid paper trail. My friend will likely need some of this documentation later.
- Stay in touch with both the IRS and the Department of Revenue in the state where you live. The thieves may file fraudulent state tax returns, too. Both the federal and my friend's state tax agencies have fraud procedures. Respond to any notifications you receive from both; preferably in writing.
- If any of the companies in #6 was a health care provider and the breach included medical records, then my friend is at risk for both financial fraud and medical fraud. More steps apply for medical fraud and the resolution process is even more complicated. For example, the thief's blood type and other health data could be co-mingled with the victim's, introducing errors and other risks.
- Some criminals use stolen identity information to get bogus driver’s licenses. If my friend gets stopped by the police while driving, don’t panic. Explain to law enforcement the identity theft and and #2. My friend may have to get fingerprinted, since that is a good method to distinguish the fraudster from my friend.
- Some criminals sell stolen information to undocumented people to gain employment. So, my friend's stolen Social Security Number may be used by another person. When several persons use the same Social Security number for employment, there are plenty of consequences. (There's the infamous case of 81 persons using the same SSN.) The Identity Theft Resource Center recommends solutions for SSN fraud victims. See the Social Security Administration's process for reporting fraud. Check the contractual agreement for a credit monitoring service to see if its resolution services cover this.
- Keep the anti-virus software updated on all devices (e.g., desktop, laptop, phone, tablet) and run scans at least once monthly.
That was my advice to my friend. What might you advise?