Tag Archive for: identity theft expert

Fraud Report: SMiShing Identity Theft

Identity Theft Expert John Sileo’s Latest Fraud Report

Just as you wouldn’t want to give any personal identity information to someone via email, you want to use the same practices via text message. There is a new wave of fraud that tries to trick you with text messages appearing to be from your bank.

According to Wikipedia, SMiShing uses cell phone text messages to deliver the “bait” which entices you to divulge your personal information. The “hook” (the method used to actually “capture” your information) in the text message may be a web site URL, like it is in phishing schemes. However, it has become more common to receive a texted phone number that connects to an automated voice response system. One version of this SMiShing message will look like this:

Notice – this is an automated message from (a local credit union), your ATM card has been suspended. To reactivate call urgent at 866-###-####.

In many cases, the SMiShing message will show that it came from “5000” instead of displaying an actual phone number. This usually indicates the SMS message was sent via email to the cell phone, instead of being sent from another cell phone.

Once you take the “bait” and pass on your private information, it can be used to create duplicate credit/debit/ATM cards. There are some documented cases where the information an unsuspecting victim gave on a fraudulent website was used within 30 minutes…halfway around the world.

To minimize your risk:

  • Approach all text messages asking for your personal information with a great deal of skepticism (Hogwash, to those in the know).
  • Understand that no bank, business or financial institution will EVER ask you to divulge or confirm your personal banking information over email or SMS text message.
  • If you have any question at all that the text is legitimate, contact your bank or financial institution directly using a published phone number (on the back of your card, for example).

John Sileo became America’s Top Identity Theft Speaker & Expert after he lost his business and more than $300,000 to identity theft and data breach. His clients include the Department of Defense, Pfizer and the FDIC. To learn more about bringing John to your next meeting or event, contact him directly on 800.258.8076.

Uncovering Business Identity Theft

While the majority of identity theft schemes prey upon individuals, small businesses and organizations are increasingly becoming targets. Business identity theft is a serious threat, but it mostly flies under the radar simply because companies are embarrassed to discuss it.

Although most companies are protected by copyright, patent and trademark laws, smaller companies lack the higher IT security measures that large companies have. According to recent studies by Javelin Strategy & Research, this makes them 25% more likely than larger businesses to be victims of business identity theft. Not only do small businesses and business owners typically have larger lines of credit open than an individual, but they are unlikely to detect the fraud for six to eight months, making them a prime target.

Business Identity has not been completely defined yet, but it definitely has been stolen. California has become the leader in offering identity rights to organizations and in 2006 they expanded the definition of ‘person’ in identity theft laws to include associations, organizations, partnerships, businesses, trusts, companies, and corporations. These types of amended laws have proved to deter business identity theft and provide greater assistance to those companies that have been hit.

Most commonly, criminals assume the name of a business, rent out office space in the same building and order everything from corporate credit cards to hundreds of computers and equipment. In one instance the culprit billed a law firm for $70,000 in purchased equipment, hired a moving truck and disappeared from the building before the fraud was ever detected. This has been not only costly, but time-consuming. If businesses had the same protection as individuals this would have been quickly resolved and the victims would have moved on. Credit card companies have also followed suit and begun to remove the distinction between business identity theft and individual identity theft.

The lack of publicity on this type of identity theft is solely due to a lack of reporting by companies. Businesses are required by federal law to notify consumers whose personal information has been hijacked, but not if their business’s identity has been stolen. In order to save face, most business owners would rather not own up to such a breach to avoid looking like the pawn in a criminal’s scheme. Without incentives and assistance to a company that has experienced this type of transgression, there is little reason for them to come forward.

Until businesses and their owners come forward to help uncover business identity theft, there will be fewer laws in place to deter criminals and small businesses will remain vulnerable.

For more information on this issue check out BusinessWeek.

John Sileo provides identity theft training to human resource departments and organizations around the country. His clients include the Department of Defense, Pfizer and the FDIC. To learn more about having him speak at your next meeting or conference, contact him by email or on 800.258.8076.



Data Breach Security: TJX is Our Fault!

The TJX security data breach is our fault.

TJX Cos. has been ordered to pay $9.75M in a data breach security lawsuit. The data breach settlement will be awarded to 41 states because TJX failed to protect customers’ financial information from a massive computer breach announced in 2007 that exposed millions of customers’ personal and credit card data to hackers.

The settlement amount is probably the largest ever, and it is comically low.

TJX lost somewhere between 40 and 90 million customer records, and there is a good chance yours was one of them if you shop at T.J. Maxx, Marshalls, HomeGoods or A.J. Wright. If only 10% of those breached records were ever used to commit identity fraud (let’s say 7.5 million records, to be conservative), at the average cost of identity theft recovery ($700), the damage to you and me is approximately $490 Million. So TJX paid about a 2% penalty for failing to protect our data. They value the safety of our being a customer at about 2%. They care about their own profits about 98%.

And it’s our fault! Why? Because even after their lax data breach security (they didn’t encrypt their wireless routers in the store, letting our information float, unprotected, in the airwaves), even after their loss of 40-90 million records, even after an exposé on 60 Minutes, we continue to do business with TJX Cos! If the guy mowing your lawn stole from you, would you continue to hire him? No! And yet when a $300,000 identity is at stake, we shrug and let apathy take over. Because it is virtual, digital and seemingly unreal. But when it happens to you, and you spend your time and money repairing it, it quickly becomes real. Shame on us for going so quickly back to those who erode our trust. Until we take our role in data breach security seriously, organizations will continue to get off lightly.

The next time an organization makes you part of a privacy breach, penalize them by ending your relationship. That will send a message loud and clear.

Identity Theft Expert John Sileo is America’s top identity theft speaker. His clients include the Department of Defense, FDIC, Federal Reserve Bank, Pfizer and organizations around the world.

Stop Identity Theft of a Deceased Family Member

I’ve just visited the fountain of youth. Have you ever had one of those experiences where you meet a person or a group of people that renews your faith in all that’s good in the world? I delivered a speech on identity theft prevention to AARP South Carolina (a chapter of the American Association of Retired Persons – an amazing organization that you should be part of if you are over 50) yesterday morning, and met a group that actually makes me look forward to growing up. Doris, Barb, Leigh Ann, Patrick, Lynda, Bill, Ridge, Charlie, Emily (I could name 50 more)… these are the people that greeted me like I was part of their family and treated me like someone special. They are some of the youngest spirits I’ve ever met. And I learned a great deal from them…

AARP had asked me to speak at their annual meeting as a thank you to their incredibly dedicated core of volunteers. These are people who put their muscle where their mouth is. And they paid attention and were so engaged that it was like giving a motivational identity theft speech. They inspired me! They must have had fifty additional great questions after the presentation that I didn’t have time to answer because they were headed into additional sessions. Given that, I’d like to take a few minutes to address a few of the items that pertain specifically to identity theft prevention for retirees and people over 50. Instead of re-inventing the wheel, let me point you to the resources on identity theft prevention that AARP provides on their website. They are extensive and geared to the retiree population.

But I want to elaborate on a question that one member of the audience brought up after the speech: identity theft of a deceased family member. This has to be one of the most callous, horrific forms of identity theft. Here a spouse is having to deal with the loss of their soul mate and a criminal takes advantage of their distraction and grief to profit from the deceased’s identity. Here are 5 steps to take after a loved-one has passed away to make sure that their identity rests in peace:

  1. Short Obituaries. Make sure that you don’t include too much identifying information when you write the obituary. Identity thieves use this information (mother’s maiden name, address, ancestry, occupation, birth date, death date) to set up new accounts, licenses, etc. in the deceased person’s name. It is important to honor the person, just don’t give away all of their personal information.
  2. Protect Death Certificates. Guard the death certificate like you would a birth certificate or other piece of identity. You will need to fax this document to certain organizations in order to prove that your family member is deceased, but only send it to trusted institutions who absolutely won’t take the name off of the account without it. When you are done with the death certificate, store the original and all copies in your SentrySafe where you keep other identity documents. Be forewarned that for security’s sake, many organizations are requiring an original copy of the death certificate as proof, so ask for 10-12 original copies when you request the death certificate.
  3. Notify Credit Bureaus. Immediately notify the three credit reporting bureaus that your family member has passed away. Request that the credit report is flagged with the note: Deceased, Do Not Issue Credit. Request a copy of the decedent’s credit report so that you will have a list of all of the accounts you need to modify/close (see Step 4). The procedure varies by credit bureau, so the numbers to contact them are as follows: Experian – 888-397-3742; Equifax – 888-766-0008; TransUnion – 800-680-7289. Don’t wait for the Social Security Administration to notify the credit bureaus – it takes them too long! And make sure to log all correspondence and conversations and send documents via certified mail so that you have proof of delivery, should you ever need to dispute a claim of non-receipt.
  4. Notify Financial Institutions. Notify all banks, insurance companies, credit card companies, stock brokers, mortgage companies, loan/lien holders, etc. about the death of your family member (if it was a joint account OR an account under their name). The executor or surviving spouse will need to resolve all outstanding debts and how they will be dealt with before the account can be closed or the deceased person’s name is removed from the account. Also notify the Social Security Administration, Veteran’s Administration, Department of Motor Vehicles, professional license associations (Bar Association), membership programs (Costco, Sam’s, Blockbuster, etc.) and any creditors or collection agencies with which the deceased had an account or membership. This is a difficult time to put in all of the work to protect an identity that should be left alone; but the current reality is that the identities of deceased individuals are easier to steal and abuse than those of the living.
  5. Share Wisely with Family Members. Unfortunately, many cases of deceased identity theft are committed by a member of the deceased’s family. It might be a relative who is in financial trouble, a friend who has a costly addiction or a child that feels he or she was wronged in the will or estate planning. For that reason, the identifying information of a deceased family member should be kept to as small a circle as possible. It seems to work best when one family member is the point-person for collection of documents, closing of accounts, checking of credit, etc. Generally this is someone other than the person who organizes all of the other events that surround the death of a loved one.

This is a heavy topic on the heels of such a wonderful encounter in South Carolina. But as anyone who has survived the death of a spouse knows, the responsibility and respect for that person continue long past the date of their death. I hope that these suggestions make that burden/blessing a little bit easier.

John Sileo is an award-winning author and keynote speaker on identity theft and cybersecurity. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.