I got lucky. The title of the article should probably be, “My Experience with Attempted Identity Theft,” however; I don’t know how this will end. I might still lose. For now though, I’m beating the person or people trying to steal my identity.
As a quick disclaimer – I’m not an expert on this topic. I haven’t studied it, I’m not credentialed to talk about it – I’m just a guy who went through the wringer on this, and somehow came out the other end dry for now. I’d like to share that experience with you. For me personally, hearing the experience of a normal person can teach me more than an expert theorizing about it. Even if you haven’t experienced this phenomenon yet, you should research it, and put in place as many safeguards as you can. A good place to start for basic information is the FTC site for identity theft.
Here is my story…
It All Started With Two Emails
When I wake up at 5am, that is my “adult” time. Usually Baby Breaking wakes up, I change him, hand him off to Mrs. Breaking for food, and they usually fall back to sleep. From 5am until about 7am, that is my adult time to drink my coffee, watch the news (ESPN and Fox), check email, do the finances for the day/week, and then workout. On this particular AM, I got two odd emails. The first was from the bank that manages my HSA. The email noted that my contact email address had been changed, and if me or my employer did not request this change, that we should contact them immediately.
That is odd – I rarely, if ever log into that portal, so I sure as heck didn’t change the email address.
The 2nd email was from the company that manages my auto loan. It mentioned that an attempt to change my password had failed, and I should contact them to address the conflict.
Again – odd – I haven’t recently changed that password.
At the time, I didn’t think too much about it, so I went to work, but kept those emails in my inbox as a follow up item when I had a down moment. Just to give myself a nice warm fuzzy feeling, I logged into my Infoarmor account (my identity theft protection service), and all appeared to be fine. I’d later learn that there can be a lag before the service is useful as a notification tool).
An Attack Against My HSA Card?
So, I logged into my HSA account using my current credentials, and sure enough, my email address had been changed to some spoofed version of my name and a personal ID number. This is an email address I’ve never made or used in my life. I was connected with a person in their fraud department, and we spent a good amount of time on the phone figuring out what happened. Per their phone logs, somebody did call in the day before and request a change of email address. I guess the perp had enough of my personal information to fake being me. The fraud agent and I wiped my account’s login, email, and password information, and started fresh. As we were doing this, the agent asked me if I currently had my HSA credit card on me. “Yes,” I replied. She said, “There was just an attempt to process your card in St. Louis.” Luckily, we were able to flag and stop that. And, we decided to kill that card, and send me a new one.
This added a whole new layer to the situation. I now figured my HSA card was at the center of this debacle. The thing about my HSA card is that I use it online to pay medical bills, and/or I swipe it at CVS to pick up medicine. That is it. BUT, earlier in the week, I did try a new healthcare professional, and swiped my card there. I’m not going to go into the details – I did that when I filed the police report the following week, but I have a strong suspicion that something is rotten in that office.
I finished the interaction with the HSA Bank folks sending a fraud alert to Transunion on my behalf. This would create a 90 day fraud alert, and the other two agencies would pick up on it as well. In theory, if any inquires are made in that period, I need to be notified to verify the veracity. I was then informed that by filing a police report, I could upgrade to a 7 year fraud alert for free. I put this on my to-do list.
The Red Herring
My next call was to the company that handles my car loan. I was now totally paranoid and figured this was a huge conspiracy against me. I asked to speak to somebody in the fraud department, and again, was connected pretty quickly. I explained that I got an email about some failed password stuff, and further explained that I might be under a hack attack. The agent was very helpful and connected us on a three way call with their IT support. We looked at the logs and didn’t see anything fraudulent. What we did see were some failed login attempts. Two to be exact. They were at odd hours in the morning, and pretty close together. Best we could surmise – my financial software (Mint.com) tried to refresh my stuff and the credit company’s own internal security flagged it and stopped it. So, good news on that front. Moral of the story – follow up on everything, just to be safe.
Here Comes the Credit Inquiries
I got a notification from Infoarmor (first) and a credit card company (2nd) that a new inquiry into my credit profile had been made. Something was CLEARLY afoot now as I haven’t applied for anything recently, and there is no reason for an inquiry to post. This is now three days after my phone call with my HSA bank. I called the number with Infoarmor to open the case (this is part of what they are supposed to do). I flagged the inquiry, and they were supposed to call me back within 48 hours to follow up.
The next day is when the credit card company’s notice arrived. The cool thing about the credit card company’s notice is that it provided me with the institution’s contact information for the inquiry. Having not heard back from Infoarmor, and being very new to this process (and scared shitless), I put on my detective hat and made a call. I asked to speak to somebody in their fraud department, and I was connected pretty quickly. I explained the situation and potential attack. They flagged the application as fraud, and stopped it in its tracks. I found out that the bank which filed the application is the same bank that issues the card for my HSA! That made me furious. I was now 99% sure that this problem originated with that doctor’s office visit the prior week.
Don’t worry – I shared all of this with the police.
The fraud agent did bring something up to me that scared her. She mentioned that my actual home address was used on the application. In her experience, this usually meant that the perp would file a change of address and route mail to a PO box (to get the credit cards and other collateral).
Well, that is scary as hell – what do I do?
I opened a fraud case with the United States Postal Service. I won’t go into gruesome detail because this part is underwhelming and disappointing. First of all, I learned that my situation is considered “attempted” identity theft since nothing was successful. Apparently, my vigilance kept this from being a real “crime.” And second, and this is WORST of all – here, in the year 2018, there isn’t any real security to keep a person from changing YOUR mailing address!
The entire process is managed online.
Your best hope is to talk to your local post master and let them know what is going on. At that point, the fate of your address is literally in the hands of the mail handlers. If you’ve notified the local post master about the potential fraudulent address change, that will “alert” them to not put that little yellow sticker on the envelope that would reroute your mail. Yes, this entire process rests on a person remembering to NOT put a yellow sticker on your mail. I’m not saying that USPS workers aren’t up to the task, I’m sayings JESUS FREAKING CHRIST – its 2018. Why is there less security against changing my address fraudulently than there is to unlock my damn phone?
Seriously USPS – do something. That is absurd.
Here Comes the Phone Credit Inquiries
“Hello, Brad we need you to verify some information about your recent credit application.”
This one was actually funny.
I paused for a moment, and said, “Wait – I don’t trust you, how do I know you are from a bank?”
He chuckled and said, “That is a fair question – you can call us back if you want, here is our number…”
I said, “Thanks, but why would I take a number from you if I think its a scam? Can I find a callback number on your website?”
“Yes – go to Citi.com, and find the number for customer service. Follow the prompts for credit applications.”
I wasn’t a jerk – I’m just paranoid as hell now. So, I go to Citi’s website, call the number and ask to speak with a fraud person. Got connected fast. Again. Seems like you don’t wait long when you allege fraud.
Same story – flagged the application as fraud. Offer to do the Transunion thing. Done already. Pretty much the usual playbook has been deployed. BUT, they did transfer me to their identity theft department. I must say – this is a cool service and great customer service. I don’t have an active account with this company, but now I have an identity theft agent I can call should I have any questions. She spent a lot of time walking me through the process. As it turns out, I had already checked a majority of the boxes through my own sleuthing, and put up as many walls as I could. She was kind of impressed. We did talk about filing a report with the FTC. I had not done that yet. I thanked her for her time, and logged her info should I need her services again.
In the next two days, I got two more calls from other banks. Rather than call them back, I just said transfer me to fraud. Same story – flagged and done.
We Don’t Do Anything About Attempted Identity Theft
I’m paraphrasing, but that is the spirit of what the FTC agent told me. They didn’t mean it in a bad way, they just meant – we don’t really do anything until there is a successful attempt and something to investigate. I guess I get that. But, again, in the year 2018, can’t I at least log this? You’d think there is some value in investigating any type of “attempted” crime. You’d think that the fear of the “attempted” dropping off and actual CRIME happening would trigger a desire for investigating the situation. Alas, I guess I’m wrong.
But, the FTC website is very useful for learning about Identity Theft. Here is the link again if you want it.
Yet Another Credit Application Inquiry – Snail Mail
At this point, I’m just really annoyed. Any time my phone rings, I think its a credit inquiry. Now the assault continues via my snail mail. I got a notice from a credit card company about an application, and they wanted to verify information. I called, talked to fraud, flagged, sob, the end. You get it by now.
Infoarmor Finally Calls Me Back
Remember when I said they’d call me back in 48 hours? Try quadrupling that. The lady called me, and this sums up the first 10 seconds of the phone call.
Yes, those words actually came out of my mouth. I was flabbergasted. And pissed. For two reasons. First – 48 hours my ass! Second, only one credit inquiry was flagged by your site. I’ve dealt with about 4 in the past week. What the hell is going on?
She did apologize for the delay in getting back to me. I explained everything that is going on, what I’ve done to date, and I want to know next steps. She seem kind of surprised by that unloading, so she put me on hold and talked to her supervisor. She came back and profusely apologized again. She admitted that there is no excuse for that kind of gap in follow up contact, and she’s mortified that I had to navigate this whole process by myself. I took a step back, took a breath, we reconciled, and I said – okay – what are our next steps? She said I had basically covered it all. That made me feel a little better. It seems like in my little journey, I basically checked all of the defensive boxes you can.
I still didn’t like the fact that they only hit on one of the inquiries. So, I pressed her on that. It was at this point that I learned something very valuable.
Basic coverage only monitors 1 out 3 three credit agencies. In essence you are 66% exposed. They can only notify you if Transunion posts the inquiry. Otherwise, you have no visibility into anything else.
As I was talking with her, I simultaneously Google searched these types of services to see how accurate she was. I’d recommend clicking on the link and checking it out for yourself. Here is a graphic that describes the “tiers” for Identity Force (one such service), for the purpose of this discussion…
Notice the red circled area. That 3 bureau screening is the premium tier. You have to pay up. As a result of this new learning, I talked with my benefits team at work the very next day to see if they could offer us the ability to up our coverage to a premium tier at Infoarmor. That request is still pending. But, I’m glad that I’m an informed consumer, know to make that request, and look for that in a service now. Based on this experience, I might actually ditch Infoarmor, and consider one of the three services on that search I provided.
Pay Day Loans – The Wild Wild West
This one scares me a lot. As it turns out, pay day loan places aren’t required to check with or report to credit agencies. If you ask me, that is kind of stupid on their part, but, whatever. I was doing some reading, and it is possible for a fraudulent pay day loan to be opened in your name. In my brief research, I haven’t found a way that you can 100% prevent this from happening. If all rivers flow through you getting notified via a credit inquiry, this type of transaction would fly completely under the radar. However, you can file a fraud alert with ChexSystems, and you should get notified about bank account activity in your name. You can also get a report to show bank account activity in your name. Again – this isn’t 100%, but it is another layer to protect you.
As of this post, I don’t know how this will shake out. I think I have all of the possible walls in place to protect my identity, protect my assets, and protect my credit. I think that is what this process comes down to – become educated about it, and put whatever layers of protection and security in place that you can.
All I can do is just keep monitoring the statuses of these items on a regular basis, and if I notice something goofy, take swift remedial action.
I hope that you found this post to be informative. I certainly feel better about my situation now than I did the first couple of days into it. Below I listed some “action items” that help create those layers of protection I was talking about. Please take a look, and implement whatever you think fixes a vulnerability you might have.
- Don’t use the same passwords for stuff
- Use complex passwords with special characters, numbers, and different cases (upper/lower).
- Try to use passphrases, but substitute numbers for letters:
- For example – instead of “Mydoglikesmeat” try “Mydoglik3sm3at”
- In this case, I subbed the number 3 for the letter E in the sentence “My dog likes meat.”
- For example – instead of “Mydoglikesmeat” try “Mydoglik3sm3at”
- Keep your passwords secure
- I don’t know enough about cloud based password vaults to endorse them. Maybe that is a worthwhile thing, and you can check it out. I really don’t know. Me personally, I keep my passwords on a jump drive separate from my computer.
- Don’t share your passwords with anybody (friends, family, etc)
- Don’t GIVE your passwords to anybody
- If somebody calls you on the phone (or emails you) claiming to need your password to do some type of service or maintenance to your account – DON’T DO IT!
- Check your credit report FREQUENTLY
- Look for new inquiries that you didn’t initiate or approve and investigate immediately
- Look for errors either in open accounts, or payment statues on open accounts
- Be vigilant about fixing any errors you find
- Consider enrolling in an identity theft protection service
- NOTE – being in such a service will not stop identity theft attempts, nor will it 100% guarantee that somebody won’t steal your identity. These services offer ways to monitor and be notified when you are under attack.
- If you choose to enroll, consider the enrollment tier that monitors ALL THREE credit bureaus
- Usually the lower default tier only monitors one of the three credit reporting agencies. Lack of coverage on the other two may delay your notification of an attack.
- Limit the amount of information you put on social media
- If you completely fill out your profiles on Facebook, LinkedIn, and other such services, you are providing identity thieves with an ORGY of information to steal your identity. You can still post photos of your cat frowning even though you left your hometown and birth date out of your profile.
- If your credit card company offers credit monitoring services, you should consider doing it
- I pretty much have one primary credit card I use for my day-to-day life. I pay the balance at the end of each month, and reap the whirlwind of benefits from the points I accrue. This card also offers (as a courtesy) a credit monitoring service where you can see your credit score, request copies of your credit report from the big three (Transunion, Experian, Equifax), and also get alerted if something new posts to your credit profile (like, and INQUIRY).
- Use two-factor authentication when available, and/or use password questions as a layer of security
- If you can set up two factor authentication with your accounts (meaning you either get an email, phone call, or text message when an attempt is made to login to your account), DO IT.
- If your financial service offers password questions as a form of secondary identification, DO IT. Both of these add an extra layer beyond a basic password that will make it more difficult for a perp to pretend to be you.
- If you notice fraudulent activity, FILE A POLICE REPORT
- This serves two purposes – first, you can benchmark the date you are saying that your identity has been compromised. This might help in future investigations if bill collectors are coming after you for something you didn’t do. Second, it allows you to file for a 7 year fraud alert on your credit profile FOR FREE. When you contact the credit bureau to file a fraud alert, they do it for free for 90 days. You can upgrade to the 7 year alert with a police report.
- Be proactive. Make phone calls. Follow up on emails.
- If you get notices about stuff that shouldn’t be happening, make the call immediately. Ask to speak to a person in their fraud department, and explain the situation. You need to let them know that the application or inquiry is fraudulent. Don’t just assume it will fix itself.
- If you get an email about something goofy (inquiry, password change, email change, etc) – follow up and make sure nothing has been changed without your consent!
- If you suspect identity theft, open a case with the USPS, and talk to your local post master about potential fraudulent attempts to change your mailing address.
Do you have any special information that can help protect against identity theft? Have you ever experienced this before? If so, please let us know about it in the comments. Thank you! If you found this article informative, please “like” and share.