by Dave Moore, 3-22-2020
Taking measures to prevent scams and identity theft, as covered in preceding columns, is the best route to take in your digital life. What do you do, though, if you’ve never taken any precautions at all, and wake up one day to discover your life is being ruined by identity theft criminals? What then?
In the professional information security world, you begin processes called mitigation and recovery. The more popular term for mitigation is “damage control.” You have been damaged, and need to stop further damage immediately, before things get completely out of hand. Here are some proven ways to start.
1. If you are a phone scam victim (see Part Two of this series), contact your carrier’s fraud department and report the fraud. Insist that any charges be removed, as you had no knowledge of and did not authorize any number transfers, phone purchases or account changes. Store employees are supposed to ask for valid ID and other identifiers (last four of SSN, PIN number, etc.) before authorizing account actions. Can they prove they did so? If not, the scam’s success was their fault, not yours.
2. Ask your phone carrier about extra porting and/or “port out” security. All major carriers can provide extra security, such as PIN numbers, codes or security questions. Tell them you want all the security they can offer.
3. Assume that if one account has been hacked, all accounts have been hacked. Login to all online accounts, and change passwords, security questions, add extra security codes and PIN numbers. Enable extra security where they text you a code before you can sign in. Set up alerts, so you get a text every time there is a charge. Change all online accounts: phone, bank, credit card, TV, Internet provider, medical, eBay, Facebook, Paypal, Snapchat, Instagram, Twitter, email, bill paying, etc. They all matter.
4. Mail a letter to your phone carrier saying you are an identity theft victim, and request detailed daily phone logs going back to the date of the original scam. Explain that Section 609(e) of the Fair Credit Reporting Act requires they provide business records related to identity theft to victims within 30 days of receiving a written request, and enclose a copy. Closely review the records for clues as to what exactly happened, and who was responsible.
5. Order copies of credit reports from www.annualcreditreport.com, and obtain other current financial statements. Get a copy of your Early Warning Consumer Report at earlywarning.com/consumer-information. Place Extended Fraud Alerts (Not three-month alerts) at all four credit bureaus. Put a “Freeze” (not a “lock”) on your accounts at all four major credit bureaus (Experian, Equifax, Transunion and Innovis).
6. Report identity theft to the Federal Trade Commission (FTC) at identitytheft.gov. Obtain a FTC Identity Theft Report. The FTC is the lead federal agency for reporting and prosecuting identity theft, and there is a wealth of great information and advice on their website.
7. After you obtain your FTC Identity Theft Report, make a thorough list of all personal data and accounts, i.e., SSN, bank/credit card numbers, email addresses, user names, passwords, etc.
8. Notify the fraud departments of all your creditors and financial institutions in writing of the ID theft, and all details you know about. Request accounts be flagged. Request up-to-date statements. Guidelines and sample letters are on the FTC website. Enclose a copy of your FTC Fraud Report.
9. Review all statements for suspicious activity: loans, investment accounts, property rentals, utilities, etc. Demand bogus charges and accounts be removed and closed. Ask for a letter stating those things have been done. Contact credit bureaus and correct credit reports. Include a copy of your FTC Identity Theft Report, and proof of ID, like SSN, copy of driver’s license, copy of a utility bill, etc. Request blocking of incorrect and fraudulent information. See identitytheft.gov for more.
10. If the U.S. Mail Service was involved in the identity theft, or your mail was stolen, report the incident(s) to the United States Postal Inspection Service at www.uspis.gov/report/
11. If you suspect your SSN has been used by someone else, review your work history at socialsecurity.gov/myaccount. Report errors to your local Social Security Administration office. Do the same thing for other government benefits you may receive (VA, etc.).
Next week: Scams and identity theft, part six: more damage control.
Dave Moore has been fixing computers in Oklahoma since 1984. Founder of the non-profit Internet Safety Group Ltd., he also teaches Internet safety community training workshops. He can be reached at 405-919-9901 or www.internetsafetygroup.com