By John Wilson
Realizing a cybercriminal has used your personal information to attempt fraud is like a punch in the gut.
I’ve spent my career working to stop scammers in their tracks and educating businesses and individuals alike on how to protect themselves. Now I’ve become a victim myself. I feel violated and vulnerable.
My job as senior fellow for threat research at Fortra is to track down fraudsters, figure out how they’re running their schemes, and help the authorities shut them down. From common scams to well-coordinated campaigns sponsored by foreign countries, I’ve seen enough in my career to make your head spin.
The Situation: Legitimate or Scam?
Here’s how it began. A few months back, I received a voicemail from a random number. The caller, Amy, said she was with the fraud team at a bank where I no longer have an account, and had received an application for a credit card. They’d had to deny it because the address information was incorrect, and I needed to call in to discuss the situation.
The whole thing felt dicey. Why would I receive a call from the fraud department of a bank that I hadn’t done business with in several years?
On the other hand, I knew this type of swindle was commonplace. I hadn’t applied for a credit card, and I couldn’t tell offhand if the call was legitimate. One way or another, I knew some low-life had all my information. They’d probably only paid a few bucks for it too.
As I always tell anyone who will listen to me, the first step toward looking into potential fraud is to find the phone number to call using a second avenue of verification in case it’s a phishing or vishing (voice phishing) scam. Never call the number given in the voicemail or email. You can use your physical card or the institution’s website to find the right one.
I found the bank’s fraud reporting webpage. The number I’d been given was nowhere to be seen. Suspicious. I did, however, have a close contact in the bank’s fraud detection department who I’ve worked with professionally for many years. So, I called him.
“Believe it or not,” he said after I’d filled him in, “The call you got was legitimate. It came from our fraud team, and someone did try to open a credit card in your name.” (Here’s where I must recommend that organizations should promote their fraud reporting phone number front and center on their website!)
My next step was to write to the bank to request a copy of the application the scammers submitted, something anyone can do under the Fair and Accurate Credit Transactions Act of 2003 Provision 151. Sure enough, the perpetrator had it all—my name, birthdate, social security number, email address and phone number—just not my actual mailing address. They’d used one across the country, which is why the application didn’t go through. To be fair, I’m sure they had my home address as well, but sending a new credit card to my home address wasn’t part of their plan.
After doing a little digging, I found that the building the scammer listed actually exists, and my guess is the criminal has acquired a master key to the suite of apartments there to retrieve incoming mail related to these schemes.
I reached out to one of my FBI contacts, and he told me they’d received several reports of attempted credit card fraud at that same address. Case solved, suspect arrested, tried, and convicted in 60 minutes including commercials. Well, not exactly. This is the real world, and the FBI doesn’t have the bandwidth to investigate every would-be identity theft.
Credit Freezes Are Critical: Get Them in Place Pronto
My bank urged me to freeze my credit reports immediately, which I did. This is important to prevent scammers from using your information to take out mortgages, apply for loans, or establish bank accounts or credit cards in your name. Once they do, they will destroy your credit. The sad part is, if I’d simply followed my own advice, the identity thief would have been stopped dead in their tracks during the application process and I likely wouldn’t have ever received the call that started this whole story. Do as I say, not as I did!
By law, you can request a free copy of your credit reports every year from each of the three bureaus (Equifax, Experian and TransUnion). You have to call each agency individually, and they’ll either let you select a PIN or assign one to you. Then it will be your job to remember the PIN to unlock your credit when you need to have it checked for any reason.
The Messy Truth: Our Personal Information Is Already Out There
As a cybersecurity professional, I know how easy it is for threat actors to purchase “Fullz,” full sets of personally identifiable information (PII). They can get thousands of records as easily as buying milk at the store. It’s just a matter of time before each of our tickets gets pulled and someone decides to act on the information to wreck our good names.
What I didn’t know though, was how I’d feel about it when it happened. And I was ticked. That’s the G-rated version of how I actually felt.
I was also concerned about the impact of this application on my credit score. Fortunately, when I contacted the credit bureaus, they used the proof of fraud to remove the “hard inquiry” from my reports, so it won’t affect my scores.
My best guess is this resulted from the Equifax breach of 2017, when sensitive data was exposed for 147 million people. I’m lucky the bank denied the application. Had they not, I wouldn’t have frozen my credit, and the scammer could have applied for 20 different cards in my name. Some may even have been approved, and I wouldn’t have known until I defaulted on paying for something I’d never had anything to do with in the first place.
Resources for Reporting Fraud
If you find yourself in a similar situation, contact the Federal Trade Commission or the FBI’s Internet Crime Complaint Center, IC3. Depending on the nature of the theft, you may also want to involve your local authorities.
About the Author
John Wilson is a Senior Fellow, Threat Research at Fortra.