When Santa Rosa resident Lexie Pence received a notice in the mail from Cream’s Towing Company with information about how much it would cost and where to pick up her truck that was towed, she thought it was some kind of mistake. She didn’t have anything towed, and she didn’t even own a truck. She called Cream’s and was informed that the truck in question indeed was registered to her. All of a sudden, she put two and two together. She had lost her license a couple weeks earlier. At the time, she thought she had simply misplaced it, but later discovered she had accidentally dropped it, as well as a debit card, in a store parking lot.

Pence immediately tried filing a police report, but was told, given the registration still showed as pending, she would have to clear it up directly with the DMV. After a couple months of conversations with the DMV, as well as canceling her debit card, the problem appeared to be rectified although she vigilantly kept an eye on her credit over the next year to make sure other instances of identity theft didn’t emerge. While to her knowledge the thief hasn’t been caught and nobody knows the true motivation for registering the truck under her name, Pence suspects that perhaps the culprit had a warrant for arrest or no driver’s license, which would preclude the thief from being able to register a car.

Today, millions of Americans are affected by identity theft every year. According to a 2018 online survey done by The Harris Poll, almost 60 million Americans have been affected by identity theft. Javelin Strategy & Research data shows that in 2017, 16.7 million people were victims of identity theft, losing $16.8 billion dollars as a result of identity theft. This is up from 15.4 million people affected in 2016, taking $16.2 billion dollars. Clearly, identity theft is a pervasive problem that is getting worse, despite consumers being wiser to scam tactics and corporations being more vigilant in identifying red flags and installing safer transaction technologies such as microchips in credit cards and Apple pay.

Scam artists are getting wiser, too—using sneakier tactics and social engineering techniques to do their malicious acts. In addition, data breaches, in which a company’s customers’ records that may include private information such as social security numbers and medical records are accessed illegally, continue to grow in both quantity and severity. The Identity Theft Resource Center reports that a new record high of 1,579 data breaches occurred in 2017, exposing more than 178 million records. The largest one, involving Equifax, one of the three major credit-reporting agencies, had 147.9 million potential victims.

According to Maria Gregoriev, a financial advisor for Quest Capital, technical writer, as well as author of Identity Theft—Protect Yourself, Protect Your Client, a continuing education resource for insurance agents from “Infinity Schools,” says identity theft is a crime when someone steals your personal information without permission and when someone steals your identity, usually for economic gain. “Unlike fingerprints which are unique to you and cannot be given to someone else or used, your personal data can be given to someone else—your social security number, your credit card number, your bank account number, even your Medicare number,” she says.

The Federal Trade Commission distinguishes the most common types of identity theft as being employment or tax-related fraud, in which a criminal uses someone else’s social security number to obtain employment or file an income tax return; credit card fraud, in which someone uses a person’s credit card (or credit card number) to make purchases in person or online; phone or utilities fraud, in which a criminal uses a person’s personal information to open a wireless phone or utility account; bank fraud, in which a thief uses someone else’s personal information to take over a financial account or open a new account in someone else’s name; and loan or lease fraud, where, like bank fraud, a borrower uses someone else’s information to obtain a loan or lease. Lastly, another increasingly common type of fraud is government documents or benefits fraud, in which a criminal uses stolen personal information to obtain government benefits. Locally, there were many examples of this in last fall’s firestorm that hit the North Bay. Many people who applied for benefits from FEMA learned that someone had already applied and received funds using their information.

“There is nearly one victim every two and a half seconds,” says Gregoriev. “Four percent of U.S. adults, including more than 1.5 million people in California have been victims of identity theft. The fraudsters are getting smarter. They’re finding people who are easier targets and more creative ways of easier ways to defraud them.”

Any demographic is at risk of having their identity stolen—even children. It crosses all socio economic lines, and can affect any person no matter what neighborhood they live in, what job they hold or age. Especially with the use of computer phishing programs and malware, bots troll the Internet for IP addresses and do not distinguish between who they’re affecting. [See sidebar, “Top Speed Data”] That said, certain demographic groups have been more prone than others to become victims of certain types of identity theft. Disabled people and the elderly are often targeted, frequently by the people hired to take care of them. Fraudsters have been known to open bank or credit card accounts in their name, file tax returns in their name to get their refund, or even order medications not meant for them using their medical ID information.

Medication can be ordered with a Medicare number, says Gregoriev. “Can you imagine if your doctor’s records had medication that someone else is getting, how severe this is? People can be harmed.”

Younger generations are also a demographic that can be affected more than others because of their propensity to divulge information via social media and other online sources. Facebook already lists first and last names (and often maiden names as well). Filling out a simple, benign-looking questionnaire can inadvertently reveal other data such as your birthday, address, or other personal information.

“You put your information out there, and you don’t know how it’s being used,” says Gregoriev. “In the long term, it’s going to be bad for the people who are more embracing of social media. People don’t feel it’s going to affect them. They don’t realize, or don’t understand how serious it is. It can ruin your credit. Someone can apply for a loan and not qualify for a mortgage because their identity was stolen and someone took out loans with their information.”

In some cases, children’s social security numbers were stolen and compromised and the individual never found out until they turned 18, or even later when they applied for a job, credit card or student loan. It’s no longer enough to protect your own identity, but also that of children and aging parents.

In extreme cases, crimes were committed using false identities leading the innocent party to deal with the repercussions, or going to jail.

“If a person commits crimes and gets another person in trouble, and if they’re using another person’s identity, now that person has arrest records,” says Evan Zelig, a criminal defense attorney in Santa Rosa. “It may eventually be cleared up in the courts, but now every time that person applies for a job they have an arrest record. Cleaning up identity theft once it’s happened to you is difficult. There are a lot of steps to go through. The worst cases are those in which there is more than just money that’s taken, where something such as a crime is put on another person’s record because of a stolen identity, or that person is found liable because of that. It can affect somebody for a long time and it’s hard to clean up.”

Unfortunately, with the exponential rise in identity theft, it’s more a matter of when, versus if, it will happen to you. However, there are many steps consumers can take today to protect themselves and minimize their chances of becoming a victim. Overall, people need to be continually vigilant. Read through bank and credit card statements to identify if there are any charges you don’t recognize. Likewise, be wary and follow up if statements or utility bills don’t arrive in the mail. Many credit card companies offer apps that will display notifications of every charge made on the card, allowing consumers to immediately see when a fraudulent charge has been made, versus waiting for a monthly statement to arrive in the mail.

“Keep an eye on your accounts,” says Zelig. “Once I was checking my checking account and there was a $40 Home Depot transaction. Someone had printed a check with my account number and had written a check at Home Depot. If you check your accounts regularly and see that, you can put alerts on it or change the account so they can’t continue to do that.”

Make sure important documents are locked away, do not take your social security card anywhere with you, and never give a social security number over the phone. Shred any documents or mail with personal information, including credit card offers, buy a locked mailbox, and if you leave town, put a temporary hold on mail and newspapers.

“Buy a good shredder and shred every piece of mail you receive that you don’t need or keep for a file,” says Zelig. “It’s easy and legal to go through somebody’s trash—it’s no longer their property. A lot of people just throw out vital, important personal documents with a lot of personal identifying information that they really shouldn’t be tossing into the trash. Trash is touched by a lot of people before it gets to its final destination.”

Military personnel going on active duty are advised to put an active duty alert on their credit file, so credit-reporting agencies will be alerted to fraudulent activity while the individual is out of the country. Some military IDs still use social security numbers, so military personnel are cautioned to be careful where and when they use that identification. Also, if you do need to give your social security number, at a physician’s office for example, usually giving just the last four digits will suffice.

Also, do not let yourself get deceived with promises of prizes, free offers, or alerts of packages you didn’t expect or order.

“If [mail or email] says you won something or you won the lottery, what I tell people is, ‘If you didn’t enter the lottery, how can you win it?’” says Gregoriev.

Lastly, be wary—a thief can be someone you know. Many people who carry out identity theft are not violent, aggressive thieves who you would expect to commit a crime. It could be a neighbor, a service provider or caregiver.

“This is unfortunate,” says Gregoriev. “Scammers can be family members, caregivers, professional service providers who you trust, attorneys, bank employees, doctors, clergy. It’s horrible. They can also act as handymen or contractors. It’s easier for someone to steal your information if you trust the person.”
What to do after a theft

If you find yourself a victim of identity theft, file a police report. It is proof of the crime and credit reporting agencies may need this police report to investigate fraudulent activity on your credit report. For tax return fraud, consumers should contact the IRS, which has a lot of resources and information on how to correct the fraudulent activity.

If the crime is related to your bank or credit card company, immediately call the company and change your account information, get a new card issued and use new personal identification numbers and passwords. You may also want to put a fraud alert on your credit report through the three credit reporting agencies: Equifax, Experian, and TransUnion. Work with these agencies to remove the fraudulent activity from your credit report. Generally if you contact the fraud alert department of one agency they will alert the other two. This prevents identity thieves from opening accounts in your name. Over the next year, regularly check your credit reports to ensure no new fraudulent activity has occurred.

Identity theft insurance is an option, and some insurance companies offer this as part of a home insurance policy. In some cases it can take a year or even longer for reports to be corrected and in certain situations an attorney, or other legal advice, may be needed.

There are some services such as LifeLock, which is an identity theft protection system that monitors your personal information for a variety of identity threats. In addition, a more comprehensive system, which also covers the rebuilding of one’s credit status should identity theft occur is LegalShield, whose mission is to “make access to trusted legal counsel possible for everyone.”

“Identity theft is not only happening now, but will continue to happen, as the information is already out there,” says Judy Samson, regional manager of LegalShield. “You want to make sure that the identity theft service that you’re paying for covers restoration, complete restoration, counseling and advice. Identity theft includes medical identity theft, financial identity theft, social media identity theft, criminal identity theft, dmv identity theft and more. So, having access to assistance and advice by licensed professionals is critical. Read the fine print.”

LegalShield’s identity theft program is underwritten by Kroll, the largest risk management organization. Coupled with LegalShield, it gives the consumer access to the different areas of law that perhaps was affected by an Identity Theft issue. 

“When you hear about identity theft you always think it’s for financial gain, but it wasn’t necessarily,” says Pence. “It also made me realize that when you do have an issue arise, you have to be your own advocate. If the police department doesn’t want to take a report, you still have to try and do what you can to contact people to let them know what’s going on, not just wait and see what happens. I’ve started looking at identity theft in a broader way, of how many different ways your identity may be useful to somebody, not just for monetary gain.”

Samson advises leading with caution. “Take it seriously,” she says. “Do your due diligence on the many different programs out there.

Top Speed Data: Protecting your workers, protecting your company

Besides personal identity theft affecting millions of consumers worldwide, cybercrime that affects both employees and the companies they work for is also growing exponentially every year. More online services and technologies have given hackers more accessible technology to gain information and commit fraud and other crimes. It has gotten so ubiquitous that companies who deal with protecting other organizations say it’s not a matter of if a company will get hacked, but when and how. Even firms with multiple levels of security, like Equifax, have gotten hacked. Therefore, instead of just defending against a breach, it is advised that companies should also have a plan in place to detect and neutralize intruders when they attack. Network monitoring and detection services are increasingly a vital component of business survival.

“With cyber security we look at it from the IT perspectives on how to try to stop it,” says Glenn Illian, senior vice president of Petaluma-based Top Speed Data Communications, which provides no-cost comprehensive technology advice and brokerage services by leveraging relationships with over 200 different technology providers. “One of the things that people don’t realize anymore is you have to look at your network from multiple different facets. Ten years ago, everybody worried about whether or not they had a good firewall on their Internet, and that seemed to be enough,” he says. “And then we talked about anti-virus and how we handle that. The bad guys have gotten much more sophisticated over time. So companies today have to layer on multiple different aspects of cyber security to keep their businesses safe.”

A popular device for hackers today are phishing programs in which an attacker, often masquerading as a trusted entity, even an internal executive, tricks a person into opening an email, instant message or text message.

“The phishing programs that are out there—people coming in and sending emails to employees—is probably the most common way people are getting their identity stolen,” says Illian. “They’ll say ‘You won a Starbucks card—please fill out this form.’ By filling out the form you’re giving bits and pieces to the hackers. All they have to do is have you fill out a couple forms, and each form will have different information, and that way they can access into personal identity. Those are the most common ways people are getting their identity stolen, is by answering questions to people they have no idea who they’re answering questions to.”

For the company, if the recipient is duped into clicking a malicious link, it can lead to the installation of malware (software that is designed to damage or gain unauthorized access to a computer system), the revealing of sensitive information and a completely compromised network, or the freezing of the system as part of a ransomware attack. Ransomware is a type of malicious software designed to block access to a computer system until a sum of money is paid—usually through an untraceable method such as bitcoin. Illian recalls one instance where a hotel in Europe had a hacker break into the company facilities system and lock all the hotel rooms. Guests could not enter their rooms until the hotel paid the ransom.

“There are two basic ways in respect to corporate IT security that networks are breached,” says Allan Jaffe, vice president of Top Speed Data Communications. “One is there are bots that probe IP addresses. They are machines that are working all the time looking for holes in companies’ firewalls. They don’t necessarily know the identity of who they’re trying to probe and attack. Once they find a hole they exploit it. Most companies are breached at some point. The other way in which most networks are brought down is social engineering—sending phony emails to company employees, which then launch malware.”

Since bots probe all IP addresses, small and medium-sized companies are just as much at risk as large ones and it is therefore recommended to find professional network monitoring as part of a security strategy. Companies are also advised to train their employees on social engineering programs like malware and how to protect themselves such as looking at the return address on an email before opening it, being aware when on a public network and not opening any sites that require passwords, and not plugging in thumb drives unless they know where it came from.

“The company has a little more responsibility than just protecting their network,” says Jaffe, “because they also have to safeguard the identities of their employees and their customers.”