Thursday, December 19, 2013

Only You Can Prevent Identity Theft!

So, are you worried about the security breach at Target?

Me, I bought something with my credit card on December 15, the last day that cards were said to be vulnerable. So far, I haven't noticed any fraudulent activity, but I'll keep checking regularly for several weeks.

If anything, the news about Target underscores how vulnerable all of us are to identity theft. I found this out the hard way last spring, and in light of the Target news, I want to share with you what I learned about protecting yourself from identity theft.

My hope is that this post is very practical, very useful. Therefore, I strongly encourage you to read it, or at least skim it, and then bookmark it, in case you ever need to go back and access the information that I have included in here. Email me if you have questions.

My story:

On the last day of February in 2013, I got a call from an unknown number. When I answered the phone, the man on the other end introduced himself as a staff member with a collection agency on the East Coast. He was calling about payment on a credit card that I had taken out nearly a year ago, late in May 2012. More than $700 was owed on the card. 

Problem was, I never took out the card. 

Trying to figure out what was going on, I asked a few more questions about the card: What were the last four digits? What address was it associated with? What information did they have on me? and I listened as he read out, correctly, my full name, my date of birth, and my social security number. 

At that point, I thanked him, hung up, and called my father at work. "I think my identity's been stolen," I said. 

It was nearly four months, mid-June, before I learned that the banks and credit reporting agencies had recognized the card as fraudulent. During those months I spent hours (sometimes entire days, especially over Spring Break) on the phone with various financial organizations. I spent hundreds of dollars on postage, sending in whatever official documents I could use to prove that the card was, in fact, fraudulent, that I wasn't trying to weasel out of paying a $700 balance. I closed and re-opened all my banking accounts, sometimes twice. 

Yet some time during those four months, something odd happened: I called my father for advice one day and discovered that he was asking me for advice about protecting himself from identity theft. Somewhere during all the phone calls, all the paperwork, all the Internet research, I became the family expert on protecting yourself from identity theft. 

In fact, thanks to the stress of those four months, I've become somewhat of an evangelist on protecting your personal information. I will tell you if I think the information you're posting on Facebook is too personal, and I reminded the school where I work to take students' Social Security numbers off paperwork whenever possible. And, I'm writing this blog post: Here's how to protect yourself from identity theft, and what to do if happens anyway. 

Protect Yourself: Take Precautions, Especially online.

Various people worried about Target's security breach are recommending a move back to cash and checks. It's not a bad idea, especially the cash part. Yet with an increasing array of online purchasing and banking options, it's not feasible to stay cash-only, all the time. Here are some ways to protect yourself.

Obviously, be very, very careful about your Social Security number. Don't carry it around in your purse. Don't take it on trips. Lock it up somewhere. When you give it out to someone, make sure that person has an actual need for the number and may already have the number (most banks, credit bureaus, and employers fall into this category.) When I traveled to Argentina this summer, I had to fill out a health form. At the top of the health form was a place for my SSN. There was absolutely no need for my SSN on that form: No one traveling with me needed access to my credit report, nor did they need to hire me for any reason. Ultimately, I chose to simply leave that space on the form blank.

Online,  don't use the Internet Explorer browser. Right now I'm using Chrome, but Firefox is safer still. Download this and use it regularly and exclusively.

Set your browser to delete cookies whenever it's closed, then close your browser regularly. Cookies stored on your computer can be used to enable a phishing scam and steal passwords. You can Google how to delete cookies.

Be aware of any website that looks as though it may have been tampered with - for instance, a new home page, or something missing on one of the pages. Such minor changes can signal a phishing scam. If you suspect phishing, place a call to the owner of website immediately and ask.

Choose your passwords carefully, and don't use the same password for more than one site. If you're like me, meaningless strings of numbers and letters are difficult to remember, so follow this trick: Write a relevant sentence about what you use the website for, then choose the first letter from the sentence. So for instance, your iTunes password might be based on this sentence: The only Christian artist I like is Michael Card. That means my password would be this: T o C a I l i M C. You can then add relevant numbers to the set of letters, to make the password even more difficult to guess.

Protect Yourself: Checking Your Credit Report

Most of you probably know this, but your credit report is a list, provided by the three major credit bureaus (Transunion, Experian, and Equifax), of all credit accounts you've ever opened: any credit cards, any mortgages, any loans. Your credit report also keeps track of your public records, such as any payments made to collection agencies, and of organizations that have checked your credit score. 

That means, if someone has been using your credit fraudulently, their activity will show up on your report. The first thing I did when I discovered my identity theft was order my credit report, and sure enough, there was the bad card, its $700 charge heading my accounts. The credit report confirmed the theft gave me the information needed to clear my name. 

Each credit bureau (Transunion, Experian, and Equifax) are required by law to supply you with a free copy of your credit report once a year. (You have to pay extra for the credit score.) The only place you should order a copy of your credit report from is this website: This website is the one recommended by the Federal Trade Commission (FTC), the government branch that deals with identity theft. Pro tip: When you access the website, be sure you're on a computer connected to a printer. You will download PDFs of your credit report and print them out, and while it's possible for you to save them, it's easier to simply print everything right then.

When you get your credit report, look it over carefully for accounts that you haven't opened. If you find nothing, then Congratulations! Your identity has not been stolen. If you do, well . . . you might want to read the section below on cleaning up after identity theft. 

Protect Yourself: Credit Monitoring Service

If you're particularly worried, consider signing up for a credit-monitoring service. For a fee, such a service provides you with regular access to your credit report, maybe once a month, maybe unlimited. You can Google 'Credit Monitoring Service' to get an idea for what services are out there, as well as read consumer reviews on the various services. 

Of course, checking your credit report is like checking to see whether your front door is closed when you come home from a trip: good to know, but not actually effective in preventing identity theft. Thankfully, there are ways to "lock your door" when it comes to your credit. 

Protect Yourself: Fraud Alerts, Freezing Your Credit

Usually, you will only add a fraud alert to your credit report, or freeze your credit, after you've been the victim of identity theft. However, for a fee you can do both without having ever had your identity stolen, just as a protective measure. 

A fraud alert is like a little flag on your report, which should prompt the credit bureaus and lending agencies to contact you before opening new credit in your name. A freeze prevents agencies which have never had access to your credit score before (for instance, a bank issuing a new credit card, or a bank starting up a mortgage with someone who claims to be you) from gaining access to your credit agency. Neither is completely foolproof; like a lock, they can be picked, but you're safer with them than without them. 

To put a fraud alert on your credit file, you contact each of the three credit bureaus in turn. To freeze your credit, you contact your state attorney's office first and ask whether there is a fee to freeze your credit. Then you contact the three credit bureaus (Protecting your identity, and cleaning up after it, means you spend a lot of time on the phone with our friends, Experian, Equifax, and Transunion.) The FTC has further directions here.

Cleaning Up Identity Theft: Immediate Steps

If you discover identity theft, here are the first things to do:

  • Contact all three credit bureaus and place a fraud alert on your accounts. The first fraud alert is good for 90 days; after that, you can get one for 7 years. 
  • If you haven't done so already, order an official copy of your credit report. If you are getting a copy through a credit monitoring agency, you'll want to actually contact the bureaus, or go to, and get the real thing. While the monitoring agency report should be accurate, you'll be using your credit report to prove that the fraud occurred, so it needs to be as official as possible. 
  • Contact the police and FTC to report the identity theft (more on this below).
If the fraudulent account is still open, contact the moneylenders to get it closed as soon as possible. If it's closed (mine was closed due to non-payment of the bill), you will still need to contact the business. More on this below, in the section on contacting credit bureaus and businesses.

You will also want to keep a journal of sorts, a day-to-day record of whatever progress you make towards cleaning up identity theft.

The FTC lists these three steps, along with other helpful information, here.

Cleaning Up Identity Theft: The Police Report

When my identity was stolen, I filed a police report as a matter of course. It was just one of many things listed on the FTC's "To Do" list, so I ticked it off, and didn't think anything more of it. Turns out, the police report is incredibly important. It's like your passport into the world of "identity theft victim": This is what you'll use to prove, over and over again, that you are in fact the victim of identity theft.  Credit bureaus will ask for it, and the lending agency implicated in the fraud (as in, the agency responsible for the bad card, the bad loan, the bad mortgage, whatever) will ask for it. 

To make my police report, I simply called the local police department, and I set up a time that an officer could come over to my house and take the report (As I remember, it was snowing, and it was easier and safer for the officer to come to my apartment, than for me to go downtown.) You could, however, simply show up in person and make the report. Whichever you choose, it is critical that you get a copy of the police report.

Clearing Up Identity Theft: Report it to the FTC

Like the police report, the identity theft affidavit through the FTC is proof that yes, you really are a victim of identity theft. You will want to make the report as soon as possible, then keep track of the affidavit. Even if you don't have all the information in about the identity theft, go ahead and call the FTC. They can update your affidavit as you go along.

The link to the Identity Theft Report is here.

Clearing Up Identity Theft: Reporting Fraud to the Credit Bureaus, Credit Card Business

Once you have your police report and FTC report, you're ready to report the fraud to the various responsible agencies.

The most important agency for you to report to is the one who issued the card in the first place, the one who is providing financial backing for the cards. Usually this is not Mastercard or Visa, but the bank or lending agency responsible for the card. The one opened in my name, for instance, was opened through a national bank, and so I contacted that bank to report the card as fraudulent. Ask the agency to either close the account, or if it is closed, to clear the fraudulent charges.

Incidentally, the Federal Trade Commission will tell you that the first step is to contact the bureaus. It's not. Once you've set up your fraud alert with the bureaus, contact the agency backing the card. Last spring, I very nearly missed this step because I didn't realize it was important; had I missed it altogether, I would have wound up paying the $700. Once you've contacted that agency, then you can contact the bureaus and report the card as fraudulent.

So, how do you make these contacts? What do you say?

The point of contacting the business and bureaus is to dispute the account and its charges. The FTC offers sample forms to contact the business backing the card, the credit bureaus, and even a collection agency here. I found the forms extremely helpful, and followed them to the T.

Whenever you contact the business or the bureaus, you'll nearly always include several things:

  • A copy of your police report and your FTC affidavit (Remember, these are proof that you're really the victim of identity theft)
  • Any information on the fraudulent account, such as an account number and the amount of money on the account
  • Copies of your credit report, with the fraudulent account highlighted and personal information blacked out
  • Whatever documentation you can use to prove that you did not, in fact, open the fraudulent card (such as proof that you regularly pay bills on time, or proof of address if the account was opened in a different state)
You may also be asked to submit proof of identity, including a copy of your driver's license and Social Security card. This is normal.

Before you submit all this paperwork, be sure you call the agency, business or bureau and ask workers to describe exactly what you should turn in. What they want from you varies from place to place. Nearly every place, for instance, was interested in the police report, but some of them didn't feel a need for the FTC affidavit, and not all of them wanted me to prove my identity. When you call, you should ask for the address to send your material to.

Before you mail the paperwork off, make copies of everything that you send. Keep this readily accessible during the whole affair. I eventually purchased a separate file case just to keep track of the identity theft documents.

When you do submit the paperwork, send it return certified registered mail. Yes, this is expensive, but it's also a guaranteed way for you to track the material and make sure that it arrives where it's supposed to. I also encourage you to follow up with your mailings: Call the business or bureau and confirm receipt of your paperwork, then call them again several weeks on to see if they're making progress on your claim. By law they have to process your claim in a certain amount of time, so they should be making some progress.

A final warning: Some credit bureaus will offer an online form for disputing fraudulent accounts and charges. Do not use this form. The form will not allow you to submit paperwork documenting your claim, which means that disputes begun via online form are rarely resolved in your favour. The only way to dispute the charges is by mail.

Cleaning Up Identity Theft: Other Recommended Actions

Whenever you hear back from the business, a bureau, or someone else involved, keep whatever mailing information they send you. You will especially want copies of your extended fraud and security freeze information, as well as any information about the account that they send you.

Especially if your social security number was fraudulently used, you should contact your local social security office to determine the extent of the fraud. For instance, people can sometimes find employment under your social security number and name. Set up an appointment with the social security office, go in, and check on your account. (You will not, incidentally, be able to get a new social security number, even if yours is stolen. That happens very, very rarely. Your goal is to make your Social Security number unprofitable, by setting up fraud alerts and freezing your credit.)

Contact your bank and any investment agencies and explain the situation. Depending on the kind of account, they may be able to freeze your funds, they may put an alert on the account, or they may advise you to close out your current account and open a new one.

You may want to notify the IRS that you suspect identity theft. They cahere.
n then take this information into account when processing your taxes. The form to do so is

 Random Tips and Questions:

The big question is probably, Do I sign up for an identity protection service, or identity theft insurance?

Ultimately, it's up to you, but I chose not to. Here's why. ID theft protection services, such as Life Lock, receive fairly poor ratings from users. More importantly, however, they don't actually do much you can't do yourself, for free. Yes, Life Lock provides you with a copy of your credit score, but you can get your own copy of your credit score. You can put a fraud alert on your own account. Essentially, you're paying to be lazy. See Consumer Reports review of Life Lock here:

Second, when you call the large credit bureaus, use the right phone numbers. The numbers listed on the bureaus' website and on the FTC website will get you to a phone tree, not a real person, and you will get lost. The most recent numbers I have for the three bureaus are these:

  • Transunion's Fraud Department, 800 - 680 - 7289
  • Equifax, 877 - 784 - 2528
  • Experian, 877-870-5640
Note that the phone numbers change fairly regularly, so they may no longer work. If not, Google "how to get a real person at Transunion / Equifax / Experian" and the phone numbers should pop up. 

Incidentally, with some major organizations you can ask to be transferred to the American office. Sometimes this will get you out of the Indian office, and sometimes the customer service representative will take offense. But it's worth a try.

No comments:

Post a Comment