I’ll never forget that moment. I’d finished my ConsumerAffairs work for the day and was scrolling through Netflix looking for something to watch when a call came in from an “unknown number.” I press Google’s call screener to find out who’s calling. “I’m from Rocco’s Jewelry and calling to confirm a purchase.” Hmm. I press the “tell me more” button.
“Yes, this is about a purchase that Reese Peterson made.”
“Reese Peterson” (not his real name) is my grandson. My 8-year-old, free-as-a-bird, Lionel Messi-idolizing mini-Me who lives three states away.
So, I press the “talk” button and the floodgate of fraud starts to pour out. Rocco’s tells me that “Reese” had purchased a $2,000 diamond pendant and was sending it to a “Stephen Peterson” (presumably a “relative”) who lived in Sterling Heights, Mich.,, another three states away in a completely opposite direction.
I smell scam and I’m p-o’ed.
The Rocco’s guy sends me a copy of the invoice and the Kentucky state driver's license that this “Stephen” guy sent when he asked for an ID, and well, it all looks legit. Name and address on a dead-ringer for a real Kentucky driver's license -- no doubt a Photoshop template the scammer bought on the Dark Web. The only thing that was wrong was the photo of "Reese" on the driver's license. But if a retailer tried to verify that by video messaging the scammer, they would see the same face that's on the driver's license, so the scammer's able to cover that angle.
Rocco’s had the proof necessary to cancel the order, but as I came to find out, “Stephen” was still out there buying things: more than $800 at Meijers and $50 plus with AT&T – all online purchases that my bank’s filters didn’t catch, but the bank was kind enough to reverse and issue a new debit card.
The reason I’m telling you this story is because I’m a real example of how bad identity theft has become and how slick these creeps are becoming. If I – someone who writes about this stuff for a living – can be hit, you can too.
I’ve taken the last two months to dig into what dangers each of us face and want to share two things: what you can learn from my experience and the best things you can do to keep yourself protected – at least for now.
Anyone can buy anything about you they want
There are three takeaways from my misfortune that each of our ConsumerAffairs readers can learn from.
One is that we are all in serious trouble when it comes to identity theft, thanks to the Dark Web. Don’t believe me? Go to HaveIBeenPwned, type in your email address, and see if your personal info has ever been stolen. If it has, Sift Trust and Safety Architect Rebecca Alter told me that some part of your personally identifiable information is likely for sale online, including:
Driver’s licenses and other forms of ID (scans and stolen copies)
Credit card details
Social Security numbers (SSNs)
Personal health information
Login credentials (such as online banking usernames and passwords)
Hacked social media or e-commerce account logins (such as Amazon or Facebook).
Dan Draper, founder and CEO of CipherStash, a data security company, shared a menu of what those personal information gems cost. You can buy a Chase Bank login for $500, a New York state driver’s license for $60, and a hacked Facebook account for $25. Nice, huh?
Things are getting worse by the day, too. Eva Velasquez, the president and CEO of the Identity Theft Resource Center (ITRC), told me that the number of data breaches exposing consumer identities is up 114% for the most recent quarter.
And the advancement of artificial intelligence (AI) is enabling scammers to buy enough customizable graphics – like drivers licenses and passports – to create “synthetic ID fraud.” That means even more problems for financial institutions trying to tell the difference between a real person and a synthetic person like this scammer did with my grandchild.
If you get hit, you’ll get hit hard
You should know you’re pretty much on your own when something like this happens. Banks will usually cover any losses if your account was defrauded, but they are busier than flies in a tarpit with all this nonsense. For one thing, because we consumers do so much shopping online, banks are having to up their game to detect the fraudulent nature of online transactions as opposed to geographic mismatches.
As an example, if someone uses our credit card in Milwaukee an hour after we used it in Kansas City, a bank’s detection system can flag that easier than if you buy something on Amazon, where everyone and their sister shops and there’s no way to pinpoint the location that the transaction came from.
And law enforcement? There’s simply too much of this stuff going on and the thieves are too slippery to make chasing them down worthwhile. As my local police told me, “Hey, you got your money back, so be happy!”
The truly sucky thing is that once your data makes it to the dark web, there’s little to no chance that you or Superman will get it off.
“Once data has been breached, there is little chance of recovering the information with any certainty,” Draper said. “If a copy has been found on the dark web, there are almost certainly other copies (and no way to verify if a copy is the only copy).” And, while law enforcement has taken down a number of darknet portals, the information those sites held simply popped up somewhere else the next day.
This might be hard to swallow, but Draper said the best approach when our ID gets stolen is to change any passwords, cancel and reissue credit cards and IDs and even change phone numbers. But there are two things that he said can’t be reclaimed if they land up on the dark web: your home address and your date of birth.
The most important things you can do to protect your identity
To wrap up my journey through identity theft hell, I turned up the most important things an adult consumer can do for themselves and parents can do for their children to protect themselves from what happened to me.
Wallet apps over plastic cards: The first word to the wise is one I picked up from Velasquez – and that’s to use phone “wallet apps” like Google Pay or Apple Pay instead of using a physical credit card when making purchases. Many people think that those payment methods are intended to be a convenience, which they are. However, their true value is in their security.
Physical credit cards can be skimmed or stolen, and during a transaction, valuable information is sent from merchant to bank that is like gold in the wrong hands. But with Google Pay or Apple Pay, you have to biometrically (your fingerprint) open the app and when you initiate a transaction, a one-time “token” is issued that evaporates the moment the transaction is complete.
You’ve got your bank/credit card notifications set too high: Another gem that I learned too late was that I – and probably most everyone who reads this – don’t have my bank transaction notification settings on or, if I do, I have them set too high. Most people set it to $100 thinking that’s what fraudsters are going to try and hit us for at a minimum, but Velasquez told me that cybercrooks these days float a small – like $10 – transaction first.
Then, if that goes through, they keep on dinging our accounts in small increments to stay under the radar. I now have mine set at $1 and even though I now get several notifications a day, at least I’m on top of what’s going on. And I feel a lot more secure.
Your – and your child’s – SSN is no one’s business: A person’s Social Security number is the single most valuable asset to an identity thief. And if a thief gets possession of someone’s – especially a child’s – and wants to “synthesize” it, that person’s financial life could be irreparably damaged without anyone even knowing it.
The best thing you can do for your child is check to see if they have a credit profile on Experian, TransUnion, and Equifax. If they do, then “freeze” the account. That way, their SSN is sealed off from prying eyes.
Then make a vow to never share that SSN anywhere. There’s no summer camp, no school activity, no doctor’s office has to have that number.
The Social Security Administration has your back in this, but it cautions that the company requesting it can refuse its services if you do not give it. PrivacyRights.org says those situations include:
Becoming an employee or independent contractor for a business
Engaging in a banking, financial or real estate transaction
Applying for group health insurance through your employer
Applying for credit
If push comes to shove over your SSN, “you can always speak with a manager or ask if there’s an alternate ID you can provide such as a driver’s license number,” PrivacyRights suggested.
As far as schools are concerned, the Departments of Justice and Education also have your back regarding the sharing of SSNs and all the rights are on the side of the parent. For example, schools can’t bar your child from enrolling if you choose not to provide your child’s Social Security number.
But don’t stop there. Think about who may have your or your child’s SSN and ask that it be removed from their records. With the number of cyber breaches that have happened – more than 39 million individuals impacted by healthcare data breaches in the first half of 2023 alone and more than 1,600 school system incidents in the last seven years – no one can play it too safe.
Proactive vs. reactive help
Until fraud detection systems can get in front of fraudsters and outsmart their every move, you are basically left to your own devices. There are several reputable companies who offer pay-for identity theft services and peer reviews might help you decide which one is worth its salt when it comes to being proactive. Some credit cards (such as Chase) also come with Dark Web and identity theft monitoring as part of their membership offerings.
But, if you decide to play the odds and take the free, come-what-may route, the one organization that’s proven it can help a person remediate what an identity breach has laid to waste for free is the ITRC.
Thanks in part to a grant from the U.S. Department of Justice, the non-profit provides no-cost victim assistance to the public throughout the United States. Its call center provides direct assistance via phone, email, and postal mail to victims and consumers who have experienced identity theft or possible risk of identity theft.