Part 2
By William Simon, Guest Blogger
Today, we present the conclusion of our two-part weekend blog on Identity Theft.
AJ doesn't mind talking about his "job", once he gets going. "I'd moved into an apartment complex," he explains, "and the previous tenant hadn't bothered to file a change of address card. I got one of those 'You've been Pre-Approved' things from a credit card company addressed to the old tenant. I was stoned, and thought it would be a hoot to fill it out and send it in. So I did. Less than two weeks later, they sent me a card." Based on the previous tenant's credit rating and history, AJ now held a little piece of plastic in his hands worth $11,000.00. AJ promptly "blew the card out" in a one-day shopping spree. "What did I care?" he asks rhetorically. "It wasn't my money. Only one store asked me for a drivers license. I slapped my pocket, said I'd left my wallet home, and the cashier shrugged and completed the sale anyway. Walked out with two new laptops and all the toys. Free. To me, at any rate."
AJ bought two high-end laptops, new CD's, a few new movies on DVD, and took his girlfriend out for an extravagant lunch. On the way home, AJ flipped the now useless card out the window. He promptly sold one of the $3,000 laptops for $1,000 cash.
From that point on, he realized how much Easy Money was out there. One night, again as he says "for a gas, man", he created a fake web site replicating a site for a Major Banking Institution and posted it on a server in Finland, using the bank logo and other information. He was able to cut and paste the needed graphics, logos, and language from the existing website.
Then he created a sham email from the Major Banking Institution, explaining that there had been a security breach and customers were being asked to verify their identities. He routed it through an anonymous server in Belize, hit the button, and out went five thousand emails. Within a day, he'd received eighty-five legitimate responses. Out of five thousand spam emails, eighty-five people responded with legitimate personal information. "That was the keys to the kingdom, man," AJ says. Once he had that information, getting new accounts was a snap. Total cost to AJ? Thirty five dollars for the fake web site server space, and four hours at the computer. His net? Almost half a million dollars in credit cards.
From a "friend of a friend", AJ found a connection for phony drivers licenses. In order to avoid questions, it was easy to get fake licenses to match the name on the credit cards.
After that, it was just a matter of time before AJ was recruited into an organized gang of identity thieves.
AJ is not alone.
Reports from England have revealed a disturbing trend. College students majoring in computer science have been approached by organized crime rings, and offered free tuition and expenses for their education, on the proviso the students then "work" for the gang for a minimum of two years. Two students reported this recruitment pitch to authorities, but it begs the question how many accepted? Potentially, a generation of highly educated professionals, trained and experienced in every nuance of computers, networks, the Internet.
Working for the Bad Guys.
According to the U.S. Department of Justice, one in thirty-three households in the United States alone have been the victims of at least one type of ID theft in the past six months, ranging from credit card fraud to check forgery. Conservative estimates treble that figure projected over the next two years. Estimates put the crime in the billions of dollars; that's billions with a capital 'B'. Conservative estimates state that every hour, one in nineteen people have their personal information compromised.
Police agencies are swamped beyond comprehension. City, state, and federal computer crime investigators learn to ruthlessly triage their cases; there's a world of difference between credit card fraud and some of the other crimes being committed online. Under-funded, under-manned, under-trained, and overwhelmed, on any given day between one and two hundred complaints are filed. Doing the math, conservatively speaking, the average computer crime squad is running eighteen to twenty months behind. That's if they're lucky. (What you see on a show like "CSI" or one of its clones is vastly removed from a real life investigation of a computer crime, or any crime, but that's another story.)
How did I meet AJ? I interviewed him as he was being held in Federal Detention. "I screwed up, man," he says. "I got cocky, and didn't pay attention, and I [messed] up." A little probing revealed he'd gone to make a sizeable purchase for a home theatre system and accidentally presented a different drivers license; the names did not match. Through a quirk of fate, the manager of the store was ringing the transaction, and he'd just received a corporate memo on paying attention to such things that very morning. Stalling AJ by explaining he was having trouble reaching the delivery crew, the manager gave him a cup of coffee and chatted with him long enough for police to arrive. When they found three different licenses in AJ's wallet, he was taken into custody for questioning. The total amount of his fraudulent actions kicked the charges into the stratosphere. At the age of twenty-six, it will be many years, if ever, before he is a free man again.
AJ got caught. AJ got arrested. AJ got prosecuted.
How many other AJ's are out there?
What have they done in the time it's taken to read you to read this?
Names have been changed and specific details have been altered or deliberately left out.
William Simon had originally planned to be a combination of Simon Templar, Peter Gunn, Alexander Mundy, and Napoleon Solo when he grew up. Instead he is the owner and lead investigator for Abberline Investigations, a licensed investigations company that deals exclusively in computer crime. William publishes under the pseudonym 'Will Graham'.
Shit. That is a real inside look at some scary information.
I'm going out to buy a shredded today. I kept hearing about how it was a good idea, and now I know why.
Thanks. William.
Posted by:JJ | February 25, 2007 at 07:53 AM
Wow - what an interesting profession. And thanks for sharing the inside scoop with us.
I've been using a shredder for years because of work. I'm going to be more diligent about my personal stuff.
And I know not to respond to goofball e-mails like the Prince of Zimbabwe or whomever has all that money he needs to invest in the US, but the stuff from a Bank? That scares me.
Good ending, William, even with no one one from Dallas.
Does anyone else remember who did shoot J.R.?
Posted by:Kathy Sweeney | February 25, 2007 at 07:58 AM
Really well done, William. This is a complex subject to try to cover in a blog.
And he has only touched on the tamest of these activities.
If you haven't really started paying attention to protecting your identity, you need to start immediately.
Everything from keep your receipts and be smart about not letting people see you enter your PIN numbers to NEVER giving out personal information.
If you think you've received a message from your Bank, call them first, before you respond.
Then ask where you can forward the possibly fraudulent e-mail. It can sometimes help those of us inside track down these crooks.
Posted by:Kimmie | February 25, 2007 at 08:29 AM
Thank sir for the story, you must have many of them that are just as scary.I work in retail and see many chapters of stories like this everyweek. I dont think any of the people I see or have helped catch have been as well rounded as your guy but they still take a lot of money out of good honest pockets.The thing that scares me is that if I take the things that happen everyday in my store and times it by how many stores the company has, OMG the amount of crime is HUGE! And that is just one company ! EDUCATION,EDUCATION,EDUCATION ! Learning how to protect yourself nowdays is the thing I want to learn more about. I do a few things, I dont mail anything from my house, I take it all to the post office. I dont send money in cards or letters. Found out about that one the hard way! I have received the Nigerian Scam email and a few telephone calls from people trying to get SSN numbers ,but I caught it right away thankfully.I think your story has triggered something in me that is going to make me do more to help myself and so I thank you again for the great post. BTW did you get the name of your company from the investigator in the Jack the Ripper Case? SusanCo
Posted by:SusanCo | February 25, 2007 at 09:00 AM
JJ - Get the one that produces confetti, not long zig zag strips.
Kathy - God forgive me, but it was Kristen who shot JR. And man, am I embarrassed I knew that.
Kimmie - Thank you again for the very kind words.
SusanCo - You're one of the few who has ever caught that. I'll tell you the whole story one day...:)
Posted by:William Simon | February 25, 2007 at 09:32 AM
Very informative post.
When I worked retail you would not believe the number of people that did not sign their credit cards and then got angry when asked for I.D.
I get upset over the number of entities that feel entitled to my social security number. Really Doctors office, come up with your own method of identification.
My drivers license has the state generated number and everything goes in the shredder, especially credit card offers and cash advance checks.
Now I don't feel so paranoid, just a little better defended.
Posted by:Cheryl | February 25, 2007 at 09:52 AM
Great blog, but now I'm afraid to answer any e-mails.
So the million dollar (or was it billion) question is -- How can you tell if they're legit or not?
Posted by:Sue L | February 25, 2007 at 09:55 AM
William - are you into the Ripper? Because that case still makes me crazed.
As for a real question - all those online shopping sites that tell you that your credit card information is Secure - is that true?
Who can you trust online at this point?
Posted by:NJ Joe | February 25, 2007 at 09:58 AM
Had to go back and read yesterday's - great blog, William.
So I've got to echo someone else - how can you tell if an e-mail is legit or not?
And Kathy - they want you to think it was Kristen, but I've always believed it was Lucy, regardless. That little firecracker was trouble with a cap T.
Posted by:Mike | February 25, 2007 at 10:25 AM
A little hummingbird told me a Man was blogging here - and what do you know, it's William.
Great blog, great warnings. Most people have no idea how dangerous the Internet can be, even for simple things like credit card fraud.
The serious dangers are even worse. I'll just say that if you have children, and you aren't keeping a constant watch on what they are doing online, you need to have your head examined.
Posted by:Susie Q | February 25, 2007 at 11:12 AM
To easiest way to guard against phishing is to not click on the link in any email. If you think it might be a legitimate email from your financial institution and you want to follow up, then open your browser and type the link yourself.
While you're doing that, think about the link you are typing. Wells Fargo Bank has links that start with www.wellsfargo.com, not some IP address. A link that looks like http://10.15.43.210/www.wellsfargo.com/account/login.php is a red flag. The very first thing after http:// or https:// should be the proper domain name of the website you want to reach. Every legitimate financial institution doing business on the Internet has and uses a domain name similar to their business name. If you find one that doesn't, they're not smart enough to deserve your business.
Even if the link you see in the email looks good -- even then -- don't click on it. Take the time to type it out. If you get email in HTML format, then what you see on the screen is not necessarily where your browser will end up. It's just like the links over there in the left column of this page. That link that says About makes you think you'll end up at a page describing this blog (and indeed you do, because this is a nice, well-behaved website), but it's the web designer who makes that happen. She could easily have made that innocuous looking link take you off to some completely different site, which is what the phishers want to do.
Posted by:Cathy | February 25, 2007 at 11:21 AM
Cheryl - Thank you. I'm happy to see you're aware!
NJjoe - One day, if I get back East, we'll sit down and have a long discussion over big steaks and talk about Saucy Jack...:)
Mike - I'm making a list of questions I'm getting here on the Blog and via email. With the indulgence of the Ladies of the Blog, I'll post them.
SusieQ - When it comes to the dangers children face online, that's another blog all together. I've been asked to keep this one light and friendly, so I won't go into that subject, but you're correct. Active Parenting is the best solution.
Cathy - You summed it up quite nicely! That's one of the single most dangerous things the Bad Guys do. Nicely said!
Posted by:William Simon | February 25, 2007 at 11:44 AM
OK, that conclusion was worth waiting for.
Really great blog, William - I learned a lot. So I'm going to buy a confetti shredder today too.
Cheryl - that makes perfect sense, but unless someone points it out, it wouldn't occur to most people.
I used to use PayPal with a dedicated checking account that has very little in it - but I got so much crap about "We need you to verify A, B, and C or your account will be inactivated" that I ditched it.
William - I'll be back to check on your Q&A.
Posted by:Carol | February 25, 2007 at 11:44 AM
Great blog and great advice in the comments from everybody too.
William - do you do seminars on this stuff?
Margie - I owe you, babe, for turning me on to a good blog. Add it to the list.
Posted by:Christoper | February 25, 2007 at 11:56 AM
Carol - Thank you. You made a wise choice with the PayPal hassles.
Christopher - Yes, I do give seminars on this and other subjects dealing with computer crime. Feel free to contact me off list. Please mention the Blog in the Subject Line.
Posted by:William Simon | February 25, 2007 at 12:26 PM
William - way to represent the Men of the Blog, or whatever they call us.
So I already have the cross-cut shredder and I only use a shell credit card account (low credit line, P.O. Box Address, etc.)
Any other advice?
Posted by:Jake | February 25, 2007 at 03:29 PM
I've received several emails from readers of the blog asking for advice. So, with the kind permission of the Tarts....
1) No matter how legitimate it looks, no financial institution will ever contact you via email if there's a problem with your account. Again, in *Big Bold Red Flashing Neon* letters, no legitimate bank or credit card company will contact you via email if there's a problem. Not one.
2) Buy a personal shredder and use it. Target has a perfect home model for $49.95. Make sure it does not shred the paper into strips, but get the kind that produces confetti. Kids and cats may cause a lot of grief with it, but you'll sleep better at night.
3) Once a year, examine a copy of your credit report. For a small fee, you can check it every three months or so. Do this. Make sure it is complete and accurate, and double check your accounts to make certain none exist that you are not aware of. Do not waste the money and effort dealing with a "credit monitoring service." You can do it yourself. Yes it's a process, yes it's a hassle, yes we have better things to do, but blowing one weekend a year doing this beats the alternative.
4) The credit bureaus offer the option of sealing your reports in some states. If you have that option, use it. You will have complete control as to who accesses your personal information, when they do it, and how they do it. Something well worth looking into.
5) Online databases and "information brokers" have exposed our lives in ways we never imagined fifteen years ago. *STOP* using your mother's maiden name on accounts. Sit down and call the credit card companies you use and demand they change that information. Use another name, make one up, or when applying for a new account do not give a true name. If the company refuses to cooperate, threaten to close the account. If they still won't cooperate, close it.
6) If you receive a phone call from someone claiming to be with a bank or CC company, give nothing but the last four digits of your SSN, and month and date of your birth leaving out the year. If the call is legitimate, they already have that information and are only trying to confirm it is indeed you they are speaking with. If the caller refuses to cooperate, demand to speak to someone higher up.
7) I won't even address the "Dear Sir/Madame, my name is [John Smith] with the First National Bank of [Whoville], a small province in [Seussland]" emails asking you to set up a bank account and receive thirty million dollars, five of which you keep for your trouble. That particular scam is the second highest income producing activity in some Third World countries. (I was once contacted by a national magazine looking to interview someone who had actually gone overseas, recovered the stolen money, and returned home. As tactfully as possible, I explained to the reporter he had me confused with someone usually played by Sean Connery or Roger Moore; sorry, ladies, but who knew Daniel Craig at that point in time?) While victims of that particular scam have indeed tried to get their money back, the results were not at all pretty; in one case, machetes were involved. Delete that one and move on.
8) ATM cards that can be used as credit cards are terrific conveniences, but every time you use it you are exposing yourself and your information. In a throwback to the Old Days, I've become a cash and carry kind of guy. Sure, sometimes it's inconvenient to have to dash to the bank, but it sure beats the alternative.
9) Do not ever use your ATM card for an online purchase. I have one credit card with a deliberately requested small credit line that is used exclusively for online shopping. Each and every monthly statement gets combed through. Major companies such as Amazon, Barnes and Noble, Netflix have intense security in place, but nothing is foolproof. Be very cautious about something like Dapper Dan's Discount DVD's.
10) If you ever are a victim of Identity Theft, file a formal police report IMMEDIATELY. Insurance companies will want it, the bank will want it, the card companies will want it, and if you have a police report in hand any and all fees are waived.
The single biggest problem at this point is the horses have already fled the barn, and all we can do is stand there and watch them run into the sunset. Locking the door and putting bars on it is useless; standing guard is the best we can do in the future.
((Many thanks to the Ladies of TLC for inviting me to write a blog.))
Posted by:William Simon | February 25, 2007 at 07:32 PM
William - on behalf of TLC and the Book Tarts, thanks a million for a great weekend blog!
Posted by:Rebecca the Bookseller | February 25, 2007 at 09:06 PM
The Tarts are fond of all the Men of the Blog, but sincere sloppy kisses to William for this brilliant weekend contribution. And we owe you a drink, babycaxe.
Posted by:Nancy Martin | February 25, 2007 at 09:25 PM
I'm shredding! I'm shredding!
Thanks, William!
Posted by:Harley | February 25, 2007 at 09:35 PM
Great blogs, William. You rule above the fold! Sorry I'm checking in so late -- just got back from South Carolina.
I can't resist -- how much time did AJ get? I'd be shocked if he got any. Sentencing for these types of crimes is virtually non-existent, even for repeat repeat offenders.
Posted by:michele | February 25, 2007 at 09:50 PM
Rebecca - Thank you!
Nancy - I'll hold you to that...:)
Harley - Keep the kids and cats away from it. Trust me on that one.
Michele - Welcome back. "AJ" got hit with ten years. The figures involved went into double digit millions, and they had to do something.
Posted by:William Simon | February 25, 2007 at 10:09 PM
William - I offered to thank you in my own way, but they threatened to fire me. So, you know, consider yourself...thanked.
Posted by:Margie | February 25, 2007 at 10:31 PM
I have been dealing with a fake account started in my name with Sprint (and a painful fall caused by loose tile at the Police HQ, for which I'm also going to blame Sprint). The police officer who took my report (Bless him!) had some choice words for the Sprint “fraud” department (10 full-time people just to take reports, not do anything about them) on the fact that their sloppy work in accepting fraudulent applications is really responsible for the fraud (making them co-conspirators?), and that their subsequent actions in placing the responsibility for correcting THEIR mistake on me is completely wrong. The
first notice I received was a collections call for Sprint, never a single bill. I’ve never had Sprint, never entered into any relationship with their company, but now I have to send them copies of driver's license, social security card, utility bills (to prove where I live). They are asking information from me that they should have gotten from their customer but were too sloppy to get. Also they won't release information on this account to me or to a police officer without a subpoena (privacy laws) and admitted they will be doing nothing to find the real culprit.
A neighbor told me of Charter sales reps starting up accounts with fake credit info, giving free cable in order to earn commissions, and again, when he called Charter, the response was, "What do you expect us to do?"
There should be legislation making them pay for the time, expenses, and aggravation of consumers; perhaps then they would be more careful when opening accounts (and letting them build up to $1000!) The credit report shows two other outstanding accounts (I have NO debt to anyone), two addresses I don’t even recognize, and no employment history since 1980. It’s such a total scam. Equifax even tried to sell me aninsurance policy for fraud (“protection” money?? Sounds a bit like the mob?) I'm ready to renounce the whole pack of scoundrels!
Posted by:Mary | February 26, 2007 at 03:49 PM