5 Pains from Identity Theft

5 pains from identity theft. Yes, identity theft is a pain. Before a family member’s recent experience, my thinking was “pain in the neck.” It’s inconvenient, for sure.

However as experienced by this family member recently and by me as the power of attorney holder, the pain comes on more levels than solely the inconvenient kind.

Pain Type 1: Shame

The family member, my mother, fell victim to a spoofing scam. The bad guys called her pretending to be AT&T. They convinced her to share the Multi-Factor Authentication (MFA) code which allowed them to steal her phone number. Although they were unsuccessful with her multiple times at first, it only took one convincing moment for her to cave in.

Three days later, they called me too. The AT&T logo appeared on my screen. I answered it, thinking it was AT&T calling about her phone. Fortunately when I heard the man with the Eastern European accent ask for Mom, I was hesitant. But it wasn’t until he hung up after 26 seconds that I thought, “Hey, wait a minute. I don’t think that was AT&T.” I even called the number back (1-855-419-7365 in case you want to try it) and it played an AT&T greeting. But it wasn’t AT&T.

I felt like an idiot at that point. Yet I was thankful I had not given them any information. Being a victim is nothing to be ashamed of. Professional criminals are skilled.

Pain Type 2: Violation

The first indication something was wrong were the multiple email alerts that changes were being made on Mom’s USAA profile on a Saturday night. I called to confirm she had not spoken with USAA. She had not.

“Hmm,” I thought, “We will have to call about this when they’re open.” I wasn’t alarmed.

Two days later, a holiday, the email alerts switched to her bank account. They were changing the password and changing the mailing address. Someone is breaking into the bank account and changing information? How did they even know where she had a bank account? How did they get the username and password? Now I was alarmed. When someone is in your bank account changing your personal information, it is and feels like a violation.

Despite the bank’s assurances over the next five days by phone and in person over multiple calls and visits, nearly every day they continued to successfully log in and change something back.

Every alert felt like another violation. The bank’s repeated hollow assurances began to feel like a violation. The bank’s pleasant disinterest in solving the root of the problem felt like a violation. The bank’s relief that she was closing all accounts and leaving after over 30 years as a customer felt like a violation.

Imagine someone taking your identity and doing as they please with it. And then having very nice people with smiling faces and pleasant voices assure you the problem is fixed when it’s not. I’m not sure which is more violating.

Pain Type 3: Hypervigilance

Over the next several days and sometimes every hour, more notices and alerts appeared. From an iphone in San Diego, they got in to her PayPal account (which neither of us knew she had) and opened credit. From there they ordered $8,000 of luxury goods in her name using her bank debit card and shipped them to addresses in Orlando, Miramar, Miami, and Lauderhill, Florida. Fortunately we had closed the account before those debits hit.

[The Lauderhill address was the same as on the bank account. (4160 NW 21st St., Apt. 246, Lauderhill, FL 33313-7001 in case you’re nearby and have a spare hand grenade, although I suspect it’s uninhabited.)]

Constantly, though, we were on the defense. Unsure where they would strike next and what they would gain access to, we wondered how far they would reach. Into Social Security? Her pension? Investment accounts? Although we had alerted all places we could think of, new alerts showed up with Apple and Amazon. We didn’t understand what that meant. What should we be doing that we don’t know to do? What exactly can they do with all this information they have?

The credit monitoring alerts began to pile up. New addresses reported. New phone number reported (239-398-6209). New credit applied-for. Credit freezes mysteriously lifted after being placed 2 days before.

For about two and a half weeks, it felt like something between whack-a-mole and a kind of war. Wondering where the next missile was coming from, where the next mole’s head would pop up, and whether the barriers we had hastily erected would hold. It was exhausting to be on high alert for so long.

Pain Type 4: Nuisance

We believe things are now at the nuisance level. This week, nearly 40 days later, they found a dormant Macy’s credit card and charged $1000. We missed that one.

Many people think, “Well, you are protected against fraud so you won’t owe the money, right?” Yes, right. But do you still want to watch $8,000 leave your bank account and then make a claim for it with the bank? Although PayPal and USAA have acknowledged the fraudulent charges, they are still sending bills showing balances due. I have a feeling when those balances are not paid she is going to start getting collections notices. And until the balances are “paid” we can’t close the accounts.

Further, they’re still trying to open new accounts – Neiman Marcus, for example. As long as the credit freezes and alert on her SSN hold, those should stop.

They still are charging videos on her Amazon account. We’re unable to close it because Mom couldn’t remember 4 of her most recent purchases, and that’s how Amazon verifies you. Without verification, can’t do anything on the account. So we have disputed and blocked Amazon charges on her credit card, but the credit card company says that any recurring charges can still be put in place by the merchant. Probably going to require a letter on that one.

Overall, as long as they aren’t getting into existing accounts and only trying to open new ones, it feels like a giant mosquito buzzing around. We’re hoping it doesn’t get worse.

Pain Type 5: Anonymity, Mistrust –> Isolation

Settling in for the long term, it seems the best strategy is to be anonymous. I’ve discouraged Mom from giving out her new number or email to anybody for anything. The downside to anonymity, however, is isolation. The old phone number, the one she has had since cellphones were invented, has been replaced with a new one. Old acquaintances haven’t been told yet (working on it). Friends may not be able to reach her.

Ditto for the email. Part of the criminals’ strategy was “subscription bombing.” To bury the alerts going to your email address, they sign you up for thousands of junk newsletters. The email account now has 44,000 unread emails. It’s trashed. Almost impossible to receive messages unless you know the messages or sender you are looking for.

So the small circle of friends and family who have her new number will grow slowly. It doesn’t feel very good to not trust anyone with simple information like a phone number and email address.

The 5 pains from identity theft might subside with time, but the memory of them will not.

What Do I Need to Know?

Because I have been posting about the saga and frustration (on LinkedIn, see link below if you are interested in the dirty details), many want to know, “Is it resolved yet?” The short answer is that the most important stuff is. The higher levels of pain subside. The others may be here for a while.

Some have asked, “What should I know that I may not know?”

I divide this in three parts: a) what everyone should be doing and why; b) what to add if you have Power of Attorney (POA) for someone else; and c) what victims should do once you know you’re hacked.

Four things I, a non-expert, believe everyone and POAs should be doing (not an exhaustive list):

a) Make passwords long and diverse (letters, numbers, symbols) and do not have similar passwords or for heaven’s sake, same passwords.

My IT guy suggests long phrases using symbol and number substitutes. I have used a password manager, DashLane, for about 15 years. Highly recommend.

Why: “Credential stuffing.” Once the bad guys have a good combination of data (for example, SSN-DOB-email address) they run programs (AI, anyone?) that try usernames and possible passwords at websites. All they have to do is let the program run until they get a hit (or two or twelve). One stuffing technique uses a dictionary so that’s why one-word passwords are a no-no.

POAs: Use a password manager for all your person’s credentials at all sites.

b) Always always have multi-factor authentication (MFA) on.

(That’s where you are sent a code or prompt on your phone or email to continue logging in.) Never take the shortcuts that turn it off.

Why: Once they’ve got a successful hit on your credentials, if you’ve got MFA turned off, they are in.

POAs: Use your email and phone number for the MFA codes. It’s a pain when your person wants to log in, I get it. But because I had my number as the MFA on some accounts (unfortunately not all), the bad guys actually called me on Day 3 (their number showed up as AT&T) and asked for Mom. I spoke with them but didn’t understand what was going on at the time. They hung up quickly. Nevertheless this slowed them down. Consider having a separate email for your person’s affairs.

c) Change the passwords frequently.

Why: Some data breaches leak passwords.

d) For every account that is important to you, make sure “Notifications” are on.

Any changes to mailing address, email, phone, authorized users, should be sent to you immediately. Think outside of financial accounts. Think Apple, Amazon, cellphone carrier, stores that have your card on file, USAA profile, PayPal/Venmo. Close dormant accounts.

Why: Several days or weeks could go by before you are aware someone is in your account.

POAs: Same as above re: email and phone number for notifications. If you open a separate email for your person’s affairs, will you remember to check it frequently for notifications? Do what works best for you naturally.

This episode has been an education in understanding which companies truly have your financial security in mind, and which ones are only paying it lip service. For a list of grades given to over a dozen organizations, see posts on my LinkedIn timeline at: https://www.linkedin.com/in/hollypdonaldson.

For more forthcoming tips and hopefully some humor coming out of this painful experience, subscribe to the monthly e-letter, “The View From the Porch,” at https://bit.ly/3t2uwfn.

Continue Reading5 Pains from Identity Theft