Identity Fraud and the Impact of Identity Crimes
Recovering from identity fraud, identity theft, and other identity-related crimes can be daunting. It’s a long, complicated, stressful process, and it takes a toll on your life. And this toll is not just financial and emotional. Depending on the crime, it can affect your life in different ways. And access to your accounts can let criminals manipulate your friends and family by pretending to be you.
See 10 Types of Identity Crimes with Eva Velasquez for a complete transcript of the Easy Prey podcast episode.
Eva Velasquez is the president and CEO of the Identity Theft Resource Center (ITRC). The ITRC is a 501(c)(3) nonprofit providing free recovery services to victims of identity crimes and identity compromise. People are sometimes skeptical that all their services are free – and Eva supports a healthy skepticism. But they are a legitimate charity, and you can look them up on third-party accreditation services like the BBB, GuideStar, and Charity Navigation. They have been around since 1999 providing identity fraud recovery help, risk minimization, and education.
Seeing the Gaps in Victim Support
Eva started her career in law enforcement. She spent twenty-one years at the San Diego District Attorney’s office, and the last eleven of those focused on consumer protection and investigating white-collar crime. She was on the side of “let’s catch the bad guys.”
But she also saw firsthand how dismissive we are of identity crimes and identity crime victims. There weren’t any resources for victims of identity fraud. When the ITRC was founded in 1999, Eva was thrilled because she now had somewhere to send people who needed more help than law enforcement could offer. Her job was to investigate fraud. She couldn’t provide recovery services or support – it wasn’t part of her job or skill set.
Looking at Eva’s career from the outside, it may seem like a dramatic change to go from working for a district attorney’s office to leading the ITRC. But it was really a natural evolution. From her time in law enforcement, Eva began to understand the victim experience, see how coercion was often used in identity fraud, and experience firsthand how victims weren’t getting the help they needed. When the founders of the ITRC retired, Eva jumped at the opportunity. She’s been running the ITRC for the last ten years.
Identity Fraud from a Law Enforcement Point of View
From a law enforcement perspective, identity fraud and identity crimes are so difficult because they’re often anonymous. The victim doesn’t know who stole their identity. There aren’t a lot of good leads. Most of the leads law enforcement can get lead back to the victim because the criminal is using their identity. Not only are most identity crimes not solved, most are not even investigated because there are no leads to follow.
The vast majority of these [identity] crimes… don’t just go unsolved, they’re not even investigated. The great challenge with this particular crime is it’s so anonymous.
Eva Velasquez
Eva is always telling her friend and colleagues in law enforcement that they need to do more. There needs to be more victim support and more resources provided to the visions that investigate identity fraud. But she also understand how hard it can be to investigate when there is nothing to follow.
She tells victims that focusing on getting their “pound of flesh” is not going to give the resolution they hope. The likelihood of even figuring out who did it is incredibly small. Getting a conviction is even harder. Even with convictions, the penalties just aren’t that strong. They vary between states and what exactly the criminal is charged with, but it’s rare to see an identity thief get years in jail. If they’re convinced, most sentences are less than twenty-four months.
Trying to hunt down the person who stole your identity and get them convicted just isn’t as satisfying as most people want it to be. Eva thinks your energy is better spent towards recovery.
A Broad Definition of Identity Crimes
At the ITRC, they have broadened the language. Instead of more common terms like “identity theft” and “identity fraud,” they group them all under “identity crimes.” That’s because there are so many different ways that an identity can be compromised and misused. The compromise piece is often forgotten because we don’t think of simple compromise as a crime, but it is.
There are so many different ways an identity can be compromised and misused.
Eva Velasquez
When Eva talks about identity crimes, she’s talking about a variety of situations. There are scams where criminals collect your info. They may trick you into thinking you’re talking to a legitimate business, a real government agency, or your real friend and convince you to “self-compromise” you information. That’s an identity crime. Data breaches are also a form of identity compromise. You gave an organization your information legitimately, but that data was taken, exposed, and sold. That is the actual theft part of it – your identity information has been stolen from where you gave it permission to be and given or sold to someone who doesn’t have your permission to use it.
Identity Theft or Identity Fraud?
When most of us think about identity theft, we’re actually thinking about identity fraud. The theft part is only where our information is stolen. It becomes identity fraud when your personally identifiable information, Social Security Number, financial information, or anything else is actively being misused. Usernames and passwords are even identity credentials now – it’s how we authenticate ourselves online. Having someone access your online account without permission is identity fraud.
Account takeovers especially are increasing exponentially. Eva has spoken to thousands of people who had their accounts taken over not through hacking or technical cyberattacks, like many people expect. They’re not even using credential stuffing, where they buy one username and password combination and try it on a bunch of different sites, hoping the victim reused passwords. Instead, they’re using social engineering. They convince you to share your credentials through false pretenses. Some of the reasons they give sound very legitimate, and it’s difficult to tell that they are fake.
Using Social Engineering in Identity Fraud
Account takeover spreads like wildfire because of borrowed trust. Once the scammers have access to a few accounts, they can commit identity fraud to use the real account owner’s identity to convince their friends they’re legitimate.
Say you’re friends with Eva on Facebook. One day, Eva sends you a message and says, “Hi! I lost my phone, and I have two-factor authentication set up on my account. Since I can’t use my number anymore, can I send my code to your number to get into my account?” If you’re like most people, you want to help out your friends. So you say, “Sure, Eva! Happy to help!”
There are two problems here. First, that’s not how two-factor authentication actually works. Eva wouldn’t be able to change what phone number the code goes to without successfully logging in first. Second, the code being sent to you is for your account. The scammer likely already has your login credentials somehow, and they just need to convince you to send them that two-factor authentication code. You send the code thinking you’re helping your friend Eva, and now your account is taken over.
Eva hears stories like this all the time. Often casual users don’t realize right away that their account has been taken over because they don’t log in very often. That gives the scammer more time to pretend to be you and scam your friends.
Go to the Source
Eva tells people to go to the source. With any incoming communication – a social media DM, an email, a text, a phone call, or anything that you didn’t initiate – where you’re being asked to provide data, send money, or spend your time doing something, go to the source and verify. If you get an email from your friend, pick up the phone and call them. If you got a call from your boss, walk down the hall and double-check in person. Verifying from the source can help identify if you’re looking at a legitimate request or identity fraud.
Some families have a “keyphrase” they use to verify. It’s something they wouldn’t normally say and that they don’t tell anyone else or put online. That way if Susan calls Mom and asks for money, Mom can ask for the keyphrase. If Susan can’t tell her, Mom knows it’s not actually Susan calling. This can be a great solution for some people. But it’s hard to scale up, so if you have several dozen extended family members, it may not be the best option. Not all solutions work for all groups, and that’s okay. Find the ones that work for you.
An interesting thing with social media is that Eva often hears that they don’t have a way to do this. The person making the request is a social media friend only, and they don’t have another way to contact them. In that case, question why they are asking you. Don’t they have friends and family in real life who can help them? It seems strange that someone you have never meet and don’t know outside of social media is asking you for your information, money, or time. Just say no.
The Challenge of Saying No
No one wants to say “No” to a friend who needs help, especially if it’s a kind of help you’re able to give. It’s even harder to say “Sorry, I can’t do this for you because I can’t verify you are who you say you are,” especially to someone we think of as a friend.
That’s what makes these kinds of identity fraud so unconscionable. Even if we are suspicious, we don’t want to say no to a friend. People have talked for years about how bad actors leverage our “lesser urges” like greed, fear of missing out (FOMO), and urgency. But now they’re also leveraging our altruism and our desire to help friends and family. It’s terrible, but it’s very effective.
Types of Identity Crimes
There are a wide variety of identity fraud, identity theft, and identity-related criminal behavior that can be included in the “identity crimes” umbrella. We commonly talk about financial crimes, like opening new loans and credit cards in someone’s name, and theft of social security numbers. But it goes beyond that, even to some areas we might not think about.
Financial Identity Fraud
Identity fraud is a broad term that covers misuse of identity credentials. Most of what we think of as identity theft is actually identity fraud. It’s not just financial, but the financial aspects are most well-known. A thief can use your identity to open new credit cards and bank accounts, take out bank loans, car loans, mortgages, or payday loans, or misuse any kind of financial instrument in your name.
Account Takeover
This was discussed earlier in this article, but it is a type of identity fraud. A scammer gets access to your account, and depending on what kind of account they took over, they could end up with access to important areas of your life, or the ability to pretend to be you to compromise your loved ones’ accounts. Once they get in, they can even change the username, email address, and password to lock you out entirely.
Data Breaches
Data breaches are actual identity theft. You provided your information to a platform, system, or company. That platform, system, or company was compromised and your data was stolen. It is a crime, and it puts you at extremely high risk for identity fraud of all types.
Government Identity Fraud
In this type of identity fraud, criminals use your information to defraud the government. This includes benefits fraud, where they apply for benefits like unemployment or SNAP in your name, and tax fraud, where they file fake federal or state tax returns and get the tax refund due to you. Any time criminals use your information to scam government systems is government identity fraud.
Medical Identity Theft
In medical identity theft, criminals use your information to obtain medical goods or services. This can include things like prescription drugs and durable medical equipment.
Criminal Identity Theft
In criminal identity theft, someone being arrested provides your information to law enforcement instead of their own. It can result in you having a criminal record for something you never did.
The Struggle to Recover from Identity Fraud
Medical and criminal identity fraud are much less common than other types. Last year, only 4% of the ITRC’s cases were criminal identity theft and only 1% was medical identity theft. However, they are some of the most complicated to resolve and recover from because there aren’t standardized processes in place. In medical cases, it has to be resolved provider by provider and insurance company by insurance company because they don’t interface. In criminal cases, it’s complicated because there are so many law enforcement agencies and jurisdictions to deal with – in the United States alone, for example, there are 17,000 distinct law enforcement agencies.
This makes these cases especially difficult to deal with. In one case, a victim was carjacked in 2018 and had ongoing issues with medical and financial identity fraud. Recently she was arrested for a criminal case. She was released on bond due to having just had a C-section, but now is trying to prove that it wasn’t her. In another case, an immigrant to the United States found out in 1998 that an out-of-state driver’s license had been used for criminal activities in Florida. It has been twenty-five years and he still has not been able to get it resolved. He was unable to get a job in his field because he couldn’t pass the background check process. While his kids were at home, he was a stay-at-home dad while his wife was the breadwinner, but now that they’re grown he feels hopeless.
The Emotional Impact
The ITRC sends surveys to victims about the emotional impact of being a victim of identity fraud. The number of victims who are suicidal is growing. In 2021, it hit double digits – 10% of victims don’t see another way out. Part of it is because they have no support, and part is because they don’t see a path to a resolution. This is especially true of people who used the processes in place and the processes failed. They did everything they were supposed to do, and they still can’t escape the trouble of identity fraud.
I don’t think people understand how traumatizing this can be.
Eva Velasquez
Steps to Minimize Your Risk
If no one ever called us again because identity crimes were solved, I would die a happy woman. This has been my life’s mission. We’re not there yet.
Eva Velasquez
Many people find taking steps to reduce their risk of identity fraud daunting. There are lists out there of fifty different things you have to do, and that seems overwhelming. But Eva reminds people that they don’t have to be done at once. There may be fifty things that you can do, so why not pick one a month and make small changes? Some things are one-and-done actions, others become practices.
The IRTC calls it “identity hygiene” because it’s not just one thing you have to do. It’s a set of practices that you do on a regular basis for a great end result. If you go to your doctor and say, “What’s the one thing I need to do to be healthy?” they’re not going to give you just one thing. Instead, they’ll give you a list of things to do to varying degrees. Some, like getting your vaccines, only have to be done once or on an occasional basis. Others, like eating healthy, need to become habits. And that doesn’t mean every meal has to be perfectly healthy – just try for most.
You can look at identity fraud protection practices like that. There are some that need to be done infrequently, and some that should become habits. You don’t have to be perfect, but just making a consistent effort will go a long way towards protecting yourself from identity fraud. If you’re just getting started, Eva recommends a few places to start.
Good Password Management
We all need to upgrade our password game. It’s one of the identity fraud protection habits we should use every day. Use complex, unique passwords across all your accounts – even throwaway accounts and ones you don’t think are important. A lot of people put strong passwords on their financial accounts and the ones they consider important. That’s a really good start. But those accounts we think are less important can sometimes be used to access our more important accounts. To upgrade your security, use strong passwords across all accounts.
Any vulnerability can be a pathway into those other accounts that you consider more important.
Eva Velasquez
A strong password should be twelve character or longer. It should not have repeating patterns, it should be used on only one account, and it shouldn’t be something easy to guess, like your dog’s name, your kid’s birthday, or your favorite car. We share a lot of stuff on social media, and that information is a lot easier to find than we think. Pick something no one else would know and that you haven’t shared on social media. (And if you don’t want to spend the effort to memorize all these unique passwords, consider a password manager.)
Two-Factor Authentication
The other identity fraud protection habit we should use every day is two-factor authentication (2FA), also called multi-factor authentication (MFA). It’s already mandatory on some platforms, especially financial platforms. Banks did a really good job getting us to buy into it – it’s inconvenient, but we know it makes our accounts more secure and very few of us complain.
We should be using 2FA every time, even when it’s not mandatory. Eva encourages you to enable it anywhere that’s an option. It adds an extra layer of security if your credentials are breached or if you self-compromise. Without that code, a criminal can’t get access even if they have your password.
The important thing to remember here is that you should never share that code with anyone. It says in that text or email you get that you shouldn’t share it – listen to that. Social engineering is good at coming up with really compelling reasons to send the code, and they sound legitimate. But they aren’t. Don’t share it.
There is no legitimate reason to share that [two-factor authentication] code. None.
Eva Velasquez
A Note on Two-Factor Authentication Methods
There are three common methods that a 2FA code can be delivered. One is via an SMS message or email, another is through a dedicated app, or a physical token or key which either displays a code or which you plug into your device to get access. Security experts agree that SMS/email is the least secure way to get these codes, so some say that it’s pointless to do it that way. Eva disagrees. She looks at things in terms of good/better/best. In her opinion, an app is best. But they’re not necessarily intuitive and not for everybody. She hopes that if people hear that’s the best, they may put in the effort to learn.
What she doesn’t want is people thinking, “Well, the app is best, but I don’t get it and I don’t know anyone who can teach me, so I’m not going to do it at all.” 2FA through SMS or email still provides good protection against identity fraud, even if it’s not “the best.” If SMS is the one that you will use, use it – it’s better than nothing. Just be sure that if you’re using SMS or email that your phone or email account is secure. Put a passcode on your phone, and guard your email like you would a financial account, because anyone who has access to those can get access to almost anything.
Guard Your Email
Some people say they don’t care if someone gets into their email account because they’re not talking about anything important. But these people aren’t thinking about the risks of identity fraud. Is your bank account connected to your email? With email access, someone could change your bank password, change the bank account email, and delete the emails about the changes. Now you’re locked out of your bank account and don’t even know how.
In the future, email will probably become even more important than your Social Security Number. Your SSN is a necessary credential, but it’s static data. Email has so many access points and is being used in a variety of different ways. If you have a main account for important stuff and a “throwaway” account, that’s not a bad idea. But safeguard both. People might still know it’s you, and it can be used to perpetrate scams and identity fraud against your loved ones.
Examining an Attempt at Identity Fraud
In one scam, the scammer pretends to be calling from your bank. They know what bank you use, so at first it sounds legitimate. They tell you that someone got into your account and are trying to transfer money out, but they need you to send them the code they just texted you to verify your identity. That code is really the 2FA code for your bank. They got your username and password, and once you send them that to “verify your identity,” they now have access to your bank account.
Then they tell you that they are going to disable outbound transfers. You’ll get a confirmation text, and all you have to do is type “1” to confirm. In reality, they know your bank’s transfer process sends you a text before the money will transfer. By pressing “1,” you have actually authorized the transfer to the scammer’s account. This works because they get you afraid – someone’s in your account and trying to steal your money – and they use that fear to keep you reacting fast and not reading the texts your bank is sending.
If you get a call from someone pretending to be from your bank, you have an ace up your sleeve – you know how to contact your bank! Hang up and call the number on the back of your card, or log in through the bank’s app or website and talk to them there. You will know they’re really your bank because you initiated contact. Then you can confirm if that was really your bank on the phone.
The Challenge of Trust
It’s unfortunate that you can’t trust anyone who initiated contact with you. Eva doesn’t want to be paranoid or fearmongering, but there is good reason to be. We are deluged with scams. With so much identity fraud happening, it’s difficult to know who is real and who is a scammer.
If you tell someone on the other end of the phone that you need to verify they’re legitimate so you’re going to hang up and call directly, a legitimate business won’t start yelling. If the person you’re on the phone with is really from your bank, they will appreciate your commitment to security. They may offer you an extension number or tell you what department to ask for, but they won’t get upset. That’s the kind of reaction you want. If they get upset, try to convince you not to hang up, or start bullying you, that’s a huge warning sign that they’re not who they say they are.
We have to flip the convenience versus security dichotomy on its ear. A lot of customers say they want security. But when they’re presented with a little friction to improve their security, they disengage or leave. Criminals are exploiting our desire for frictionless, convenient actions. Eva encourages people to rethink it. When you encounter some inconvenience verifying your information at your bank, a retailer, or anywhere you are trying to do business, you should thank them. They’re protecting your credentials.
Identity Fraud Services from the ITRC
You can think of the ITRC like AAA. Where AAA helps you out with car-related problems, ITRC helps with identity fraud and other identity issues. Keep them in your back pocket, and reach out when you need them. You can even reach out before you make a decision. Maybe you’re applying for a job and want help verifying it’s not a job scam. Maybe you were told you qualify for a grant or won a sweepstakes and aren’t sure it’s legitimate. The ITRC both helps people who have gone through identity fraud and want support recovering, and operate as a sounding board for people who aren’t sure if they’re looking at a legitimate opportunity or a scam.
The Identity Fraud Recovery Process
It’s hard to make general statements about the process of recovering from identity fraud. If you had only one or two incidents, they were all recent, and they were all financial identity fraud, that can probably be resolved in about a week. But once government, criminal, or medical identity fraud are involved, now we’re talking about months. If you have a persistent thief – someone with lots of data who keeps trying new ways to monetize it – it’s even harder. Even if you froze your credit and locked down your accounts, they’re going to keep trying. It’s almost like the identity fraud goes into remission and then pops back up again. It can be difficult to determine if you’re fully recovered or if the identity fraud is just in remission.
Depending on how early it was caught, what kind of identity fraud it was, how many incidents there were, and how many entities are involved, resolution can take anywhere from a day to a decade. It’s very situation-dependent and wildly inconsistent. You’re never going to know how long it will take until you do discovery and know what you have in front of you.
Support is Available
The good news is, you don’t have to do it alone. There are some great, legitimate resources out there. The FTC has a hotline and resources, and they offer the ability to get an identity theft affidavit that can help with legal processes. The AARP has a Fraud Watch network for seniors. And there’s always the ITRC. There’s no limit to the amount of time, number of calls, or amount of effort the ITRC spends on your case. They can support you every step of the way.
There’s no shame in asking for help. This is really complicated.
Eva Velasquez
Identity fraud recovery is complicated. Eva has been doing it for years and is still learning new things. There’s no shame in asking for help and looking for resources, especially if you’ve never done it before. Reach out for help and have someone show you the path to identity fraud recover.
You can reach the ITRC on their website at idtheftcenter.org, where you can chat with a live advisor during business hours. You can also call them toll free at 888-400-5530. After business hours, you can leave a message and an advisor will reach out to you.
Related Articles
- All
- Easy Prey Podcast
- General Topics
- Home Computing
- IP Addresses
- Networking Basics: Learn How Networks Work
- Online Privacy
- Online Safety
The Right to be Forgotten: The U.S. Privacy Paradox
Have you ever posted something online that you later regretted? Maybe an embarrassing photo from college or…
[Read More]AI Regulation and Why We Need Laws About Tech
Very few people are ready and willing to say that what we need is more regulation. But…
[Read More]Top 10 Fastest VPNs of 2024: A Complete Guide
When it comes to choosing a VPN, speed is often a top priority for users – and…
[Read More]How to Safely and Anonymously Stream Content Using the Best VPNs for a Fire Stick
Imagine traveling back to the 1990s and explaining streaming services to someone. “Streaming is like cable, but…
[Read More]Choosing from the Best VPN Trials of 2024: Which One is Best?
Whether you are shopping for a VPN for the first time or you are ready to make…
[Read More]Guide to Types of AI Models and How They Work
When you think of AI (Artificial Intelligence) models, you may automatically think of generative AI like OpenAI’s…
[Read More]