1. The crime of identity theft
Using a variety of methods, criminals steal Social Security numbers (SSNs), driver's licenses, credit and debit card numbers, and other pieces of individuals' identities such as date of birth. They use this information to impersonate their victims, stealing as much money as they can in as short a time as possible before moving on to another person's name and identifying information.
There are two primary types of identity theft:
- "Existing account fraud" or "account takeover fraud" occurs when a thief acquires your credit or debit card information and purchases products and services using either the actual card or the account number and expiration date. Victims may not learn of account takeover until they receive their monthly account statement.
- "New account fraud" or "application fraud" occurs when a thief uses your SSN and other identifying information to open new accounts in your name. Victims are not likely to learn of application fraud for some time, because the monthly account statements are mailed to an address used by the imposter.
This guide discusses strategies for reducing the risk of both types of fraud.
Identity thieves obtain your personal information through a variety of means:
- Data breaches in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so.
- "Dumpster diving" in trash bins for intact credit card and loan applications and documents containing SSNs.
- Stealing wallets and purses.
- Stealing mail from unlocked mailboxes to obtain newly issued credit cards, bank and credit card statements, pre-approved credit offers, investment reports, insurance statements, benefits documents, or tax information.
- Accessing your credit report fraudulently, for example, by posing as an employer, loan officer, or landlord.
- Obtaining names and SSNs from personnel or customer files in the workplace.
- "Shoulder surfing" at ATM machines in order to capture PIN numbers.
- "Skimming" your credit or debit card information at a point of sale terminal or ATM machine.
- Finding identifying information on Internet sources, via public records sites and fee-based data broker sites.
- Sending email messages that look like they are from your bank, asking you to visit a web site that looks like the bank's in order to confirm account information. This is called "phishing."
- Hacking into unsecured and unencrypted data files of financial institutions, retailers, and credit card transaction processing companies.
- Accessing unsecured web sites that contain sensitive personal information such as Social Security numbers and financial account numbers.
Generally, victims of credit card fraud are liable for no more than the first $50 of the loss. In most cases, the victim will not be required to pay any part of the loss. But debit card users have less protection against fraud. Not only are individuals' checking accounts wiped out, debit card users could be liable for the total amount of the loss depending on how quickly they report the loss to the financial institution.
Even though victims are usually not saddled with paying their imposters' bills, they are often left with a bad credit report and must spend months and even years regaining their financial health. In the meantime, they have difficulty getting credit, obtaining loans, renting apartments, and even getting hired. Victims of identity theft find little help from the authorities as they attempt to untangle the web of deception that has allowed another person to impersonate them.
You cannot prevent identity theft. But you can reduce your risk of fraud by following the tips in this guide.
1. Reduce the number of credit and debit cards you carry in your wallet. We recommend that you do not use debit cards because of the potential for losses to your checking account. Instead, carry one or two credit cards and your ATM card in your wallet. Nonetheless, debit cards are popular. If you do use them, take advantage of online access to your bank account to monitor account activity frequently. Report evidence of fraud to your financial institution immediately. Learn more about the risks associated with debit cards.
2. Be vigilant when using your credit and debit cards at restaurants and stores. Dishonest employees have been known to use small hand-held devices called skimmers to capture your card data. The thief then uses the account data for Internet shopping and/or the creation of counterfeit cards. Likewise, examine point of sale devices and ATM machines for possible tampering.
3. Do not use debit cards at all when shopping online. Use a credit card because you are better protected in case of fraud. See our online shopping guide.
4. Keep a list or photocopy of all your credit cards, debit cards, bank accounts, and investments -- the account numbers, expiration dates and telephone numbers of the customer service and fraud departments -- in a secure place (not your wallet or purse) so you can quickly contact these companies in case your credit cards have been stolen or accounts are being used fraudulently.
5. Never give out your SSN, credit or debit card number or other personal information over the phone, by mail, or on the Internet unless you have a trusted business relationship with the company and you have initiated the call.
6. Never permit your credit card number to be written onto your checks. It's a violation of California law (Cal. Civ. Code § 1725) and laws in many other states, and puts you at risk for fraud.
7. Watch the mail when you expect a new or reissued credit card to arrive. Contact the issuer if the card does not arrive.
8. Order your credit reports at least once a year. Federal law gives you the right to one free credit report each year from the three credit bureaus: Equifax, Experian, and TransUnion. If you are a victim of identity theft, your credit report will contain the tell-tale signs – inquiries that were not generated by you, as well as credit accounts that you did not open. The earlier you detect fraud, the easier and quicker it will be to clean up your credit files and regain your financial health.
We recommend that you stagger your requests and obtain one report each four months. That way, you can monitor your credit reports on an ongoing basis. But if you are in the market for credit or are a victim of identity theft, order all three at one time. For more information on your free credit reports, visit the Federal Trade Commission website.
How to order your free annual credit report:
- By telephone: (877) 322-8228
- Online: www.annualcreditreport.com
- By mail. Print out the order form here.
9. Residents of seven states can obtain additional free annual credit reports under state law. These states are: Colorado, Maine, Massachusetts, Maryland, New Jersey, Vermont, and Georgia (two free reports per year in Georgia). If you live in one of these states, be sure to order both your free reports under federal law as well as state law each year – enabling you to even more effectively monitor your credit files on an ongoing basis.
10. Individuals nationwide are able to "freeze" their credit reports with Equifax, Experian, and TransUnion. By freezing your credit reports, you can prevent credit issuers from accessing your credit files except when you give permission. This effectively prevents thieves from opening up new credit card and loan accounts. In most states, security freezes are available at no charge to identity theft victims and for a relatively small fee for non-victims. Beginning in September 2018, freezes will be free nationwide.
- The California Department of Justice’s Privacy Enforcement and Protection Unit provides a guide on security freezes for Californians.
- For other states, see Consumer Action's resources.
- Brian Krebs' post How I Learned to Stop Worrying and Embrace the Security Freeze is a primer on what you can do to avoid becoming a victim of identity theft
While a security freeze may be the best available deterrent to new account fraud, it may not be the best solution for everyone. It can be cumbersome for individuals who frequently apply for credit, are contemplating a new mortgage, or who plan to change jobs. On the other hand, a security freeze is particularly well-suited for seniors who are no longer in the market for new credit. Consumer's Union and Consumer Reports provide more complete discussions of the pros and cons of security freezes.
11. Many companies, including the three credit bureaus, offer credit monitoring services for an annual or monthly fee. They will notify you when there is any activity on your credit report, thus alerting you to possible fraud. We do not endorse credit monitoring services because we believe that individuals should not have to pay a fee to track their credit. If you decide to subscribe, be sure to choose a service that monitors all three credit reports on an ongoing basis. A security freeze (above) is a much better alternative for many individuals.
12. There are many identity theft insurance products available to consumers. We do not recommend them unless they are available as a free or low-cost rider on an existing insurance policy.
1. When creating passwords and PINs (personal identification numbers), do not use the last four digits of your Social Security number, mother's mother's maiden name, your birth date, middle name, pet's name, consecutive numbers or anything else that could easily be discovered by thieves. It's best to create long and complex passwords that combine upper and lower case letters, special characters and numbers.
2. Ask your financial institutions to add extra security protection to your account. Many will allow you to use an additional code or password (a number or word) when accessing your account. Do not use your mother's maiden name, SSN, or date or birth, as these are easily obtained by identity thieves. If asked to create a reminder question, do not use one that is easily answered by others or one that might be ascertained from social networks such as Facebook.
3. Memorize all your passwords. Don't record them on anything in your wallet. Consider using a password manager if you can't remember all of your passwords. Never reuse passwords. Each account should have a unique and complex password.
4. Shield your hand when using a bank ATM machine or retail point of sale terminal. "Shoulder surfers" may be nearby or a pinhole video camera could be recording your keystrokes.
1. Protect your Social Security number (SSN). Release it only when absolutely necessary (like tax forms, employment records, most banking, stock and property transactions). The SSN is the key to your credit and banking accounts and is the prime target of criminals.
If a business requests your SSN, ask if it has an alternative number that can be used instead. Speak to a manager or supervisor if your request is not honored. Ask to see the company's written policy on SSNs. If necessary, take your business elsewhere. If the SSN is requested by a government agency, look for the Privacy Act notice. This will tell you if your SSN is required, what will be done with it, and what happens if you refuse to provide it.
If possible, do not provide the SSN on job applications. Offer to provide it when you are interviewed or when a background check is conducted. Read PRC's guide My Social Security Number - How Secure Is It?
2. Do not have your SSN or driver's license number printed on your checks. Don't let merchants write your SSN onto your checks because of the risk of fraud.
3. Do not say your SSN out loud when you are in a public place. And do not let merchants, health care providers, or others say your SSN out loud. Whisper or write it down on a piece of paper instead. Be sure to retrieve and shred that paper.
4. Do not carry your SSN card in your wallet except for situations when it is required, the first day on the job, for example. If possible, do not carry wallet cards that display the SSN, such as insurance cards, except when needed to receive healthcare services. A California law places restrictions on the display and transmission of SSNs by companies. For more information, read the California Department of Justice’s Privacy Enforcement and Protection Unit guide on SSN "recommended practices."
1. Each month, carefully review your credit card, bank and phone statements for unauthorized use.
2. Convert as much bill-paying as you can to online payments. With fewer account statements and bills mailed to your home, you will reduce the risk of mail theft and identity theft.
3. Do not toss pre-approved credit offers in your trash or recycling bin without first tearing them into very small pieces or shredding them with a cross-cut shredder. They can be used by "dumpster divers" to order credit cards in your name and mail them to their address. Do the same with other sensitive information like credit card receipts, phone bills, bank account statements, investment account reports, and so on.
4. Store sensitive personal information (including checkbooks) securely in your home, especially if you have roommates, employ outside help, or have service work done in your home. Use a locking file cabinet or safe.
Credit Reporting Agencies
(888) EXPERIAN (397-3742)
Federal Trade Commission
- Phone: (877) IDTHEFT (877-438-4338)
- FTC's comprehensive identity theft guide "Taking Charge: What To Do if Your Identity is Stolen."
- FTC's interactive identity theft guide.
Identity Theft Resource Center
- Phone: (888) 400-5530
- Web: http://www.idtheftcenter.org