Invasion of the Identity Snatchers, Part One

Many say that identity theft is unavoidable, undetectable, and unstoppable. But fraud examiners can use their skills to fight this ubiquitous crime. 

Sam and Cindy were looking for a home healthcare worker to help them with their son who had physical disabilities. Sam, an experienced fraud investigator, did his research and hired Simon through a supposedly reputable service. Despite his best efforts, however, the couple opened the door to an "identity predator."

A few months after Simon began working at Sam and Cindy's home, creditors began calling the couple to demand that their son pay for past due auto and insurance payments. One day Simon didn't report for work. An insurance investigator then told Sam and Cindy that Simon was not only working under an alias but he had a long history of seeking employment that would give him access to personal records that he could use to steal identities.

Fortunately, Sam and Cindy didn't have to pay for the $23,000 car loan but they did have to spend hours preparing affidavits and explaining to creditors that their son's identity had been snatched. And their frustrations mounted when local law enforcement told them they wouldn't pursue the case because the home healthcare worker had purchased the car and insurance in another state. Meanwhile, "Simon" had slipped away to undoubtedly find some fresh victims.

Identity theft is often at the top of media reports and is always a hot subject for public forums. The characterizations of identity theft as "unavoidable," "undetectable," and "unstoppable," by government and law enforcement officials send chills down the backs of those who investigate and try to prevent this rampant crime. But as fraud examiners, we should know the latest on this ubiquitous crime so we can use our skills to fight it.

Scope of the Problem
Although there are steps that can be taken to minimize the risk of becoming the victim of identity theft, the Federal Trade Commission (FTC) has reported that one out of eight victims who call the commission's identity theft hotline report that they have been victimized by someone they know - either a family member, a neighbor or workplace acquaintance, a person employed by a financial institution with which they do business, or someone else they know.1

An identity thief needs the valuable possession of a potential victim - a social security number (SSN). The SSN opens up a whole world of nefarious opportunities for the identity thief. The Social Security Administration's Fraud Hotline received 16,375 calls from Oct. 10, 1997 through March 31, 1999. Of those calls, the Office of the Inspector General estimated that 13,345 (81.5 percent) involved identity theft.2 According to the analysis, the elderly aren't necessarily targeted; victims from the ages of 20 to 49 had the greatest frequency of occurrence. Some of the other categories of fraud related to identity theft listed by the analysis are summarized in the chart below:

The Federal Trade Commission (FTC) is probably the most reliable source for identity fraud statistics. The FTC is compiling a centralized database, known as the Data Clearinghouse, for all federal, state, and local agencies as well as credit-reporting agencies and the general public. The most recent data publicly available covers the period from November 1999 through June 2001. Following3 are the available statistical categories (figures are displayed on pages 33 and 39):

• total victims (Figure 1);
• number of victims by identity theft type (Figure 1);
• age demographics of complainants (Figure 2);
• number of ID theft reports by state (Figure 3) and per capita (Figure 4);
• cities with the highest number of complaints (Figure 5) and suspects (Figure 6);
• relationship to suspect (Figure 7);
• time difference between occurrence date and crime identification date (Figure 8);
• credit bureau contact (Figure 9);
• financial institution contact (Figure 10);
• law enforcement contact (Figure 11); and
• police report rates by state (Figure 12).

The FTC reports 69,370 victims from November 1999 through June 2001. More than 30,000 victims reported that most of the offenses involved credit card fraud. The FTC data showed that the average age of an identity theft victim was 30, while the average age of consumers reporting complaints was 40 years of age.4 (Table 1)

Table 1

The largest number of complaints came from California, New York, Texas, and Florida, in that order. Cities with the largest number of complaints were New York City, Chicago, and Los Angeles, in that order. About 68 percent of the complaints to the FTC's Identify Theft hotline identified suspect information. The largest number of suspects came from New York City, Chicago, Miami and Detroit, in that order.

The FTC reported that 21 percent had a personal relationship with the suspect (Table 2).

Table 2

Converse of this is that in the vast majority of cases - 79.3 percent of those reported - the victims didn't know the suspects. The average time span between the date of the identity theft and the date the victim realized that he or she had been robbed was 12 months.5

Identity Fraud Methods 

From the Internet
The FTC has noted a rapid rise in the number of consumer complaints related to online fraud and deception. In 1997, the commission received fewer than 1,000 Internet fraud complaints; a year later, the number had increased eight-fold. In 2000, more than 25,000 complaints - roughly 26 percent of all fraud complaints logged into the FTC's complaint database, Consumer Sentinel, by various organizations that year - were related to online fraud and deception. Following are the various ways thieves are using the Internet:

• Victims receive e-mail requests supposedly from their Internet service provider (ISP) stating that "account information needs to be updated."
• Fraudsters access personal information indiscriminately shared by the victims on the Internet.
• Victims respond to "spam" - unsolicited e-mail - that promises benefits but requests identifying data.
• Computer technology is used to obtain information given on the Internet. Thieves sometimes can do this even if a site claims to be secure.
• Individuals create Web pages and pose as legitimate businesses only to use the site with the intent of acquiring individuals' credit card numbers and other personal information.
• "Page-jackers" make exact copies of legitimate Web pages, including the imbedded text, to defraud consumers.

In FTC v. Carlos Pereira d/b/a atariz.com, the defendants allegedly made unauthorized copies of 25 million pages from other Web sites, including those of Paine Webber and the Harvard Law Review.6 They would make just one change - hidden from view - on each copied page and insert a command that would redirect an unsuspecting surfer to another Web site that contained sexually explicit, adult-oriented material. Once at the adult site the defendants "mouse-trapped" consumers by incapacitating their Internet browser's "back" and "close" buttons. Instead of exiting, they'd be sent to additional adult sites in an endless loop.

Through the use of fleeting Web sites, falsified domain name registrations, and false names, cyber fraudsters victimize scores of users in a short time and leave no trace of their true existences.

Internet fraudsters also use "pretexting," or "social engineering," which includes impersonation of legitimate individuals from government agencies, law enforcement groups, charitable organizations, and businesses (such as banks) to obtain confidential information from individuals.

Next issue: More identity theft methods, federal laws, and ways to combat the problem.

John Langione, CFE, CIA, is a senior manager with Ernst & Young's New York office. Dr. Craig Ehlen, CFE, CPA, is professor of accounting at the University of Southern Indiana. Dr. Robert E. Holtfreter is Distinguished Professor of Accounting & Research at Central Washington University. Dr. Thomas Buckhoff, CFE, CPA, is EideBailly Professor of Forensic Accounting at North Dakota State University. Amy Southwood recently received her master's of science in accountancy. 

Appendix 

Methods to Protect Private Information  

• Don't load purses or wallets with credit cards.
• Never leave purses or wallets in cars, even if they're hidden.
• Never carry social security cards or birth certificates in purses or wallets.
• Don't keep ATM personal identification numbers (PIN) or other passwords in purses or wallets.
• Avoid using easily discovered passwords or PIN number/codes, such as birth dates, phone numbers, or addresses.
• Keep a list or photocopy of all of your credit accounts and bank accounts in a secure place, such as a safe, lock box, or locked file cabinet.
• Keep tax records, canceled checks, and paid bills in a secure place, or shred them before throwing them away.
• Be careful when ordering something over the Internet. Make sure the server is secure.
• When purchasing items with a credit card, always keep credit card receipts. Never toss them in a wastebasket.
• Don't let others see an entered ATM password.
• When approaching an ATM be aware of others near the machine.
• Don't leave printed receipts behind at bank machines or gas pumps.
• Don't speak or press credit card or bank account numbers over a wireless or cordless phone unless it's equipped with encryption technology.
• Change passwords and PIN numbers regularly.
• Consider purchasing a home paper shredder.

Methods to Secure Mail 

• The U.S. Postal Service (USPS) has recently initiated changes to deter false changes of address.
• Cut up, shred, or otherwise destroy pre-approved credit offers that you don't intend to accept before putting them in your trash or recycling bin.
• When mailing bills, letters, applications, and other papers containing personal information place them in a secure outgoing mailbox.
• Don't write personal account numbers on checks or the outside of envelopes you are mailing.
• Install locked residential mailboxes.
• When ordering new checks, don't have them sent to a home mailbox but pick them up at the bank instead.
• Check with the post office if mail delivery suddenly stops.
• Don't leave mail accumulating in the mailbox while out of town.
• Inexpensive mailbox inserts - boxes that fit inside standard mailboxes - have slots for mail and must be unlocked with a key.

Methods to Check and Secure Accounts 

• Use an ID Theft Affidavit from the FTC's Web site to alert companies when a new account is falsely opened in your name.
• Order credit reports from each of the three credit bureaus at least once a year to ensure accurate information.
• Register credit cards with a credit card protection agency, and then place that agency's stickers on the cards.
• Check credit card statements and immediately report unauthorized purchases.
• Contact the issuer if a new or renewed credit card doesn't arrive.
• Request a copy of the Social Security Personal Earnings and Benefit Estimate Statement at least every three years to be sure the information is correct.
• Add a fraud alert to credit files that signals the three major credit bureaus - Equifax, Experian, and Trans Union - to inform credit givers to call for verification of any credit applications.
• Read all bills carefully and call creditors to dispute any charge not made or authorized.
• Equifax currently provides several levels of service that allow consumers choices in receiving information about their credit histories. These options range from being notified of significant changes to credit files to being sent a copy of their current reports and scorings.

Identity Theft Web Sites
Following are some good sources of identity theft information: 
www.consumer.gov/idtheft/
www.ustreas.gov/enforcement/nsit.html#Panel 2
www.clarkhoward.com/library/tips/identity_theft.html

Endnotes
1 Prepared statement of the Federal Trade Commission on "Internet Fraud" before the subcommittee on commerce, trade, and consumer protection of the committee on energy and commerce, United States House of Representatives, Washington, D.C., May 23, 2001 by Eileen Harrington, associate director of the Division of Marketing Practices in the FTC's Bureau of Consumer Protection.
2 Analysis of Social Security Number misuse allegations made to the Social Security Administration's Fraud Hotline - August 1999, A-15-99-92019 - Management Advisory Report from the Office of the Inspector General.
3 Federal Trade Commission, "Identity Theft Victim Complaint Data," October 2001.
4 FTC theft complaint data - "Figures and Trends on Identity Theft - November 1999 through June 2001."
5 FTC theft complaint data - "Figures and Trends on Identity Theft - November 1999 through June 2001."
6 FTC v. Carlos Pereira d/b/a atariz.com.