How I Became a Reluctant Expert On Identity Theft

I’m changing the facts around slightly in these stories to protect the innocent. Around 15 years ago, my father passed away, and it caused a financial crisis in my family of origin. Money was tight, and I helped out when I could. However, that was not enough. At one point, a family member threatened me and started acting on it. I realized that he knew everything about me to apply for credit in my name. For those things he didn’t know, he could ask Mom. Think about it. Any family member could apply for credit in your name. They even know the answers to those “security” questions like best man at your wedding or where you graduated from high school. That’s when I froze my credit and never looked back.

Fast forward to about three years ago, and I got a strange email from an insurance company I did business with a long time ago. I had a life insurance policy with them but canceled it years before. Then I got a password reset email—that kind of bothered me. As a tech expert, I could examine the origin of the email and the URL. It all looked legit. I logged into that account, and suddenly, I had a large home and three cars insured with them. Moreover, my social security number had changed. I panicked that someone had stolen my identity and had apparently done it for years! Human error at the insurance company merged my data with another David Greenbaum’s. I almost canceled this guy’s insurance policies. Finally, a few years ago, I lost my wallet. All the typical things were in there, like my driver’s license, ATM card, credit card, business cards, health insurance card, in-case-of-emergency info (ICE), and some cash. I had to replace it all.

Equifax Stole Your Wallet-So What?

According to Equifax, the  information about you that was probably leaked includes the following:

Your NameYour Social Security NumberBirth DateAddressesDriver’s LicenseCredit Card numbersCredit History

Guess what? Your wallet probably has most of that information. That’s not meant to minimize the hack but instead put it into perspective. You might not have your social security number or credit history in your wallet, but everything else is there. In my case, it also had health insurance info, my spouse’s name, and both of our places of employment since we had work numbers. For an identity thief, that’s probably more information than the Equifax hack.

Who Else Has That Information? Everyone!

Look at that list again of what was stolen and think about, besides your wallet, where else that information is stored. The most obvious places are your company’s HR department. The only thing they might not have is your credit history. How secure is your company’s HR database? Is it subject to social engineering hacks like in Mr. Robot? I’ve seen hiring managers haphazardly leave things like I-9 forms – which have all that information – on a desk. You won’t read about those hacks in the news. I’ve already discussed family members who have that information. In a messy breakup, your significant other probably has most of that information too. Your child who is struggling to make ends meet in college has that data. The college would have that information, too, especially if the student applied for financial aid. Once you freeze your credit as I did, you start learning who has your personal information and runs credit reports on you.

Protecting Yourself and Your Family, Regardless of the Hack

Step 1: Freeze Your Credit Everywhere, Even If You Have To Pay

We’ve already explained in another article how to freeze your credit at all three major credit reporting agencies. However, keep in mind that credit freeze rules vary by state. In most cases, they all allow you to freeze for free if you’re a victim of identity theft. If Equifax says your stuff was stolen, I’d say you’re a victim. I’m not an attorney, but it seems to me you should be able to file a report in this case. If your local police department doesn’t accept a report, you might be able to file an affidavit with the FTC. They allow that affidavit if you’ve ever had a fraudulent charge on your credit card (who hasn’t?). Your circumstances and mileage will vary. In my case, I didn’t file a report because I didn’t want to get my family member in trouble. I paid about $15 per agency to create the freeze. I also have to pay if I want to unfreeze it. If you file a police report, both the freezing and unfreezing are free. You can’t change it later, so although my cards have been used, and I could file an affidavit, my freeze will always be chargeable. It should be obvious, but you must freeze your credit with all the major agencies: TransUnion, Equifax, and Experian. Scammers can use the information from Equifax or any other sources to get goods or services in your name. A credit freeze prevents people from pulling your report without the special PIN; it’s the closest thing we have to 2FA for credit. It doesn’t impact any other aspect of your life. Your credit cards and loans work just the same. It only impacts future applications after the freeze. If you already have a credit card and ask for a credit limit increase, they’ll pull a report, and you’ll need to “unfreeze” your credit.

Special Note: Unfreezing Your Credit

Unfreezing your credit is a minor pain, roughly about as hard as changing a password. A few minor hoops to protect yourself long-term. They’ll often run a credit report when you’re trying to shop for a house, get a new credit card, or even a job. It’s easy to unfreeze your credit (although, in my case, it costs me about $15). Ideally, the company requesting the report can tell you what agency they’re using. Rarely do they know this. It isn’t until you’re denied goods or services that they say they couldn’t pull a report from an agency. Over the years, I’ve seen companies better understand what a freeze is. I suspect after this hack, even more, will understand. You don’t get a “bad” credit report. They just get a notice there is a problem. Credit card experts tell me it’s like they have the wrong social security number or name. Unfortunately, somewhere along the line, someone might read “no report” as “bad report.” That’s happened to me more than once. I’ll just explain, “This is due to my credit freeze, and please tell me what agency you use.” Most agencies let you set a period for the unfreeze. Some also let you unfreeze it until further notice from a particular company. I’ve never had that work. I always have to do a blanket unfreeze for a few days. All you do to unfreeze your credit is go online, enter your PIN, and then enter the unfreeze period. It’s that easy. If you lose your PIN, you have to request a new one through the mail. I keep my stuff in 1Password and the originals in my safe at home.

Step 2:  Never Give Your Social Security Number

If your email password is stolen, you get to reset it. I can reset my password on IRS.gov, but I can’t change my username, aka my social security number. Social Security numbers stay with you for life. You can’t change them like you would a username—it’s possible but not easy. A social security number in itself is a valuable tool for theft. People have been filing fraudulent tax returns for years and stealing people’s refunds. Many companies that ask for that number don’t really need it. For example, one time, an orthodontist wanted it. I said no, and they denied the appointment. The reason was they wanted to do a credit check on me. I refuse to give it to my medical doctor after that. Most places that ask for a Social Security Number want to do a credit check. You’ll find that in the weirdest of places. Applying for a loan seems obvious, but getting a mobile phone is not. Anytime someone wants to give you something with the hopes of payment, they might do a credit check. Another place that burned me was utilities. Switch ISPs, and they might want to run a credit check. When you have your credit frozen, you learn all the places that run credit checks.

Companies might need a social security number to register the payment if you freelance or do contract work. After all, the IRS wants its fair share. Instead of using that number, get a Federal Employer Identification Number (FEIN). That’s linked to you with the IRS but is a separate entity from your SSN. If you’re self-employed, you can get one, you don’t actually need employees. You’re your own employer.

Step 3: Don’t Ignore Glitches In The Matrix

In The Matrix, Neo sees a cat twice and thinks of Déjà vu. That minor detail reveals a major problem in the virtual reality he was living in. That’s how you need to approach your financial transactions, don’t ignore the deja vu or other weird occurrences. Little details are tip-offs to big problems. Minor details could be major problems. Take, for example, an unexpected collection letter. You never did business with the company, and they’re asking for a small amount of money. You’d either ignore it or pay it. Do neither! Ask for documentation of the debt under the Fair Debt Collection Practices Act. It could be human error—for example, you share the name of a debtor. Or it could be that initial glitch. That’s why you need to track it down. These glitches include debt collectors calling or just weird bills or charges on your credit card. I once got a water bill for a David Greenberg at my address. When I signed up for service with the city, the person saw that our names looked similar enough that he had just merged the records. The problem was David Greenberg owed the city a ton of money. Ouch. Special Notice to couples and families: you need to be open and transparent about charges to know the difference between your spouse buying something and not telling you and a fraudulent charge. That might ruin the surprise of a gift. I’ve had that happen to me more than once. To protect that, we just say to each other something like, “There is a charge that’s going to come through that is related to a gift…can you wait a few weeks before looking at the credit card statements.” I know it kills the romance, but fraud isn’t sexy.

Step 4:  Get a Credit Report From Every Agency, Every Year

Hopefully, you file your taxes every year like clockwork. The next thing you do after sending them off is ask for your Annual Credit Report. That link is the legit one. Other companies do free credit reports for you, but Annual Credit Report, as they say, is the “only source for your free credit report authorized by Federal Law.” Each year look it over for any glitches (see Step 3). No matter how small of a glitch, pursue it aggressively. You still get a free credit report even if you freeze your credit.

Step 5:  Ignore Monitoring and Other Services; Stick to the Freeze

Some of these services are total scams; some are legit. Anytime there is a hack, companies offer free credit monitoring to put you at ease. That’s the last thing you want after a hack! Equifax offers credit monitoring. Maybe I’m pessimistic, but I’m unlikely to trust it. Don’t delegate the monitoring of your credit to some service. They won’t see the tiny errors that you see. They might find nothing wrong with a small charge or bill, but you know you didn’t shop there. All credit bureaus allow you to put a “fraud alert” on your account. Anyone pulling your report can see that, but it does nothing to stop a scammer. It’s a polite suggestion, but nothing more. They usually last about 90 days. If you’re truly a victim of identity theft and can prove it, they’ll keep the alert on for seven years. However, it again doesn’t stop someone from using the information, so you’ll still need to do steps 1 – 5. After a publicized hack like that, scammers try to trick people into giving out information. Don’t. Stick with the steps in this article. Never give out or confirm any information over the phone, email, or in writing. If you get an unexpected bill or letter, treat it like a phishing attempt. Call the company directly with a number you already know, not the number on the letter. One exception here is identity theft insurance from your homeowner’s insurance company. It’s only a few bucks a year, and they’ll help you pay if you need to fight debts created by a thief in your name. That was my first call when I thought David Greenbaum stole my stuff. Step 6 (Optional): Fight To Have the Laws Changed Not to be political, but if you think credit freezes should be free (or even default), contact your state and federal legislators. They’re the people that can change these rules. Some states have frozen (and unfrozen) free.

You Don’t Have to Be A Victim

Your personal and financial information will leak out from all sorts of sources. You can’t prevent that, but you can surely minimize the harm it will do with these steps. But, you say, how will I know who is creditworthy? The answer is simple: ask the applicant’s current creditors. You say there aren’t any? Taking risks is part of business. You don’t want to take risks? Close your business. Make up your mind. Business comes with risks. You can reduce the risk by getting a job. Comment

Δ