Identity Theft:
Reducing Your Risk

By Mark Durham

From its financial and legal systems to its intricate economies of celebrity and prestige, modern society is unimaginable without authentication—the ability to prove that people really are who they say they are. At the same time, we inhabit a world of mass production and interchangeable parts, where much of what we see, hear, and share takes the form of digital data, infinitely reproducible and instantaneously transmissible. Identity can be tough to prove—and easy to fake. Unfortunately, criminals have discovered a very efficient way to make that premise profitable.

Americans are only beginning to understand how widespread identity theft has become—and how personally and professionally vulnerable they are. The Federal Trade Commission found that nearly 10 million Americans were victimized by identity theft in 2002—an increase of 41 percent over the year before—at a cost to the U.S. economy of nearly $53 billion. According to newly released data from The Aberdeen Group, a market research firm, the worldwide cost of losses from identity theft to consumers, businesses, and government organizations in 2003 was expected to come to $221 billion. Worse yet, those losses are escalating at a jaw-dropping 300 percent compound annual growth rate, and could reach $2 trillion worldwide by the end of 2005.

Consider these recent news items:

Investigators in Georgia served 80 arrest warrants in a scam where identities of dead people were stolen to bolster the credit ratings of car buyers.

An inmate at the Tennessee Prison for Women, a University of Memphis basketball player, and six others allegedly used information obtained from prison data entry work to obtain merchandise, cash, and gift cards from various department stores.

The father of four-month-old Wyatt McVay tried to open a savings account with the contents of Wyatt’s piggy bank; the father’s credit union informed him that more than a year earlier, an identity thief had used Wyatt’s Social Security number to cash fraudulent checks. As a result the infant was unable to open a bank account. After some hemming and hawing, the Social Security Administration eventually agreed to issue Wyatt a new number.

In addition to the damage to their finances and reputation, victims often endure fear, anger, anxiety, and depression. Nor does the damage stop with the victim. Families and employers are also hit hard. Financial hardship, emotional turmoil, and the agonizing process of cleaning up the mess can take a heavy toll on family relationships and on workplace productivity.

Fraud experts distinguish between two main types of economic crime related to identity theft. Account takeover occurs when an identity thief acquires a person’s existing credit or bank account information and uses the existing account to purchase products and services. The scam is generally first noticed with the arrival of a monthly bill or bank statement.

In the far more serious case of true identity theft, on the other hand, the perpetrator uses a victim’s Social Security number (SSN) and other identifying information to fraudulently open new accounts, often using a false address to avoid detection by the victim. Victims often don’t discover that someone has tried to assume their identity until long after the original crime has occurred. Because the victim may be unaware of true identity theft for an extended period of time, the ruse—and the damage to the victim’s finances and reputation—may continue for months or even years, with victims’ information often passed on from criminal to criminal on the global black market. In many cases, it’s only when the victim’s credit history is reviewed (in the course of a home purchase, for instance)—or when a defaulted creditor arrives to collect the unpaid fraudulent account—that the scam finally comes to light.

For many victims of identity theft, trying to erase the bogus debt and rebuild a good credit history becomes a prolonged struggle. They’re shuffled from one government agency to another as they try to report and resolve the crime. Just when they think the nightmare is over, another charge pops up in their name, indicating that the perpetrator—or some new assailant—is still on the prowl.

One factor that makes cases of true identity theft especially intractable is the role that SSNs have assumed in our society. Used as a universal personal identifier for everything from educational records to health insurance, SSNs are treated as proof of identity—and required, de facto or de jure, in almost any significant financial transaction, from receiving a credit card to filing federal taxes. Once issued, a person’s SSN is nearly impossible to change. In those rare instances where the Social Security Administration relents, that person has a lifetime of explaining to do. Yet the very ubiquity of the SSN has made it notoriously easy to obtain. The resulting situation is something like leaving a house key under the doormat: the appearance of security combined with a very real vulnerability.

While SSNs provide an especially attractive target, identity thieves will make use of any information that helps them to impersonate a victim or provides access to a bank or credit card account. Stealing wallets and purses was once the most common way of obtaining SSNs, driver’s licenses, credit card numbers, and other identifying information. Today, identity thieves attack virtually every area of an individual’s life—wherever personal information is stored or sent. Among the currently favored methods:

“Dumpster diving” in trash bins for credit card statements, loan applications, and other documents containing names, addresses, account information, and SSNs

Stealing mail from unlocked mailboxes to get preapproved credit offers and newly issued credit cards, utility bills, bank and credit card statements, investment reports, insurance statements, benefits documents, or tax info

Gaining fraudulent access to credit files by posing as a loan officer, employer, or landlord

Getting names, addresses, birth dates, and SSNs from personnel or customer files in the workplace

“Shoulder surfing” at ATM machines and phone booths to capture PIN numbers

Culling personal data from online sources, such as public records and fee-based information sites

Hacked databases, packet-sniffing technologies, and “phishing” e-mail scams

Stolen personal data travels fast. A global black market for identity data has emerged. The potential rewards for criminals vastly outweigh the risks—which may explain the increased involvement by organized crime in scams based on identity theft. The rapid evolution of digital technology and electronic communications—which enable the instantaneous proliferation of stolen personal data and fuel a constant mutation in the techniques available to scammers—have also contributed significantly to making identity theft a truly universal threat.

Defending Against Identity Theft
Established personal habits and lax credit industry practices make it relatively easy to commit this crime. Nonetheless, there’s a lot you can do to reduce your risk. For starters, three things are essential:

Scrutinize your credit report at least twice a year

Sign up for a credit monitoring service

Periodically check other personal records, such as your DMV file

That said, every potential target of identity theft—and that means anyone with a credit card, a bank account, a driver’s license, or an SSN—should minimize his or her risk by following the five steps described below.

1. Know your personal information—and your vulnerabilities.
our personal information is the key to proving that you are who you say you are. This makes it immensely valuable — and not just to you. Here are the pieces of data identity thieves covet most:

Your SSN

Your driver’s license

Your credit card information

Your bank account information

Your mother’s maiden name

Your home address and phone numbers

Any other information that helps an imposter pretend to be you

Your SSN, in particular, is a prime target for criminals. Release it only when absolutely necessary. Don’t carry your Social Security card unless it’s truly required, such as your first day on a new job. Likewise, avoid carrying cards that display your SSN—health insurance cards, for instance—and never have it printed on your checks.

Your home address, in the wrong hands, can create two vulnerabilities: mail theft and burglaries that target your personal information. As for your mother’s maiden name, people still accept it as proof of identity, so do your best to protect it.

2. Reduce your exposure.
Here’s a checklist of specific areas where you can make your personal information less vulnerable:

Your wallet or purse. Don’t carry your Social Security card, birth certificate, passport, or extra credit cards except when truly necessary. At work, store your wallet or purse in a safe place.

Credit cards. Minimize the number of cards you actively use, and carry only one or two in your wallet. Cancel unused accounts—their account numbers are recorded in your credit report, providing a tempting target. Keep a list or photocopies of your credit cards in a secure place to expedite reporting if they’re lost or stolen.

Checks . Pick new checks up at the bank instead of having them mailed to your home. If you have a post office box, use that address on your checks. Store canceled checks in a safe place. In the wrong hands, they can reveal a lot—your account number, your phone number, and sometimes your driver’s license number.

Passwords and PINs. When creating passwords and PINs (personal identification numbers), don’t use the last four digits of your Social Security number, your mother’s maiden name, your birth date, your pet’s name, or anything else that could easily be discovered or guessed. Password-protect computer files containing sensitive personal data, using alphanumeric passwords that combine six to eight characters and mix uppercase and lowercase letters.

Marketing lists. Remove your name from the marketing lists of the three credit reporting bureaus — Equifax, Experian, and Trans Union — by calling (888) 5-OPTOUT. Add your name to the National Do Not Call Registry. Sign up for the Direct Marketing Association’s Mail Preference and Telephone Preference services, which will add you to name deletion lists used by nationwide marketers. Say no to sharing of your financial data by your bank, credit card companies, insurance companies, and investment firms.

Postal mail. To deter mail theft, install a locked mailbox at your residence, or use a post office box or a commercial mailbox service. During extended absences, have mail held at the post office or ask a trusted neighbor to pick it up.

E-mail and websites. Shop online only with companies that provide transaction security protection and have strong privacy and security policies. When paying with credit cards, be sure secure transmission and storage methods are used. Avoid opening spam and other e-mail from unknown sources—it may contain viruses or other programs that will make your computer vulnerable to intrusion.

Phone calls. Never give out your SSN, credit card number, or other personal information over the phone, by mail, or on the Internet unless you have a trusted business relationship with the company and you have initiated the call.

Document storage. Store personal information securely in your home, especially if you have roommates, employ outside help, or have service work done in your home. Install a firewall between your home computer and your connection to the Internet (DSL or cable modem). Install virus protection software—and keep it updated (daily if possible, and weekly at the bare minimum)—to prevent a worm or a virus from causing your computer to send out files or other stored information.

3. Make your data useless to criminals.
Whenever possible, digital data that you send or store should be encrypted. Document destruction is also critical. Trash is a prime target for identity thieves, so buy a crosscut or confetti shredder. Find out how your loan or credit applications are disposed of—some auto dealerships, department stores, car rental agencies, and video stores treat customer applications carelessly. Finally, before disposing of a computer, remove data by using a strong “wipe” utility program to scrub your hard drive.

4. Review your information regularly.
Order your credit reports twice a year to check for errors and fraudulent use of your accounts. Use credit monitoring to alert you to suspicious credit activity and possible fraud. Each month, carefully review credit card and bank statements and phone bills (including mobile phones) for unauthorized use. Examine your Social Security Personal Earnings and Benefits Estimate Statement each year to check for fraud.

5. Act fast if trouble strikes.
If you are hit by identity theft, time is of the essence. Assess the situation—but do it quickly, preferably with the guidance of someone who knows this complex terrain and is committed to seeing you through the whole process. Then determine what needs to be done and begin reclaiming your identity.

These tips will be invaluable both for you and for your clients. But other issues related to identity theft may arise with respect to your practice. If you have staff, they are potential victims as well as potential perpetrators or enablers of identity theft. Database compromise, too, is a significant concern, especially in states such as California that mandate disclosure to affected parties of suspected, as well as actual, security breaches.

You, your clients, and your colleagues can all expect to face increased risk as the incidence of identity theft and related fraud continues to rise. Incidents of database compromise, too, will increase. Your clients will be looking to you for solutions. When they do, make sure you’re ready.

Mark Durham ( is Communications Director of Identity Theft 911, LLC (, headquartered in San Francisco, California. Identity Theft 911 is the only company offering comprehensive identity theft resolution services, including one-on-one counseling and advocacy, to U.S. consumers.

Back to Top