By Thilina Karunathilake
Do you know that one in four people in the world has experienced identity theft?
Dayawathie, who lives in a rural area named Thirippane in Thalawa, Sri Lanka, has experienced it twice. In July 2016, she received an infringement notice from Victoria police in Australia stating that she must pay a fine of $ 325.60 for neglecting speed limits and ignoring traffic lights. A few years ago, she had received another infringement notice from Israel police too, surprisingly.
Dayawathie cannot be proven guilty, because she has never been outside the country. She attracted wide publicity at the local press, proving her innocence and asking the authorities how this could even be possible.
Dayawathie’s tale about stolen identity is long forgotten now. How can you be sure that you will not be a victim of a similar incident, just like Dayawathie? My personal dissatisfaction about the width of the discussions we had about this incident over the media drove me to present this piece of writing for you. I sincerely hope that this will prevent you from being another helpless victim of identity theft.
We all know that we need to protect our personal information. However, the wakeup call behind this scene has proven that the extent we must go up to, to protect our identities is way higher than what we assumed a few years ago.
What is identity theft? As defined by the US Department of Justice, “Identity theft is a crime. Identity theft and identity fraud are terms used to refer to all types of crime in which someone wrongfully obtains and uses another person’s personal data in some way that involves fraud or deception, typically for economic gain.”
If that definition is too complicated, just think of it as something that might take everything you have, including your head. Do you know the story of the king who exchanged his identity with his doorkeeper? Though that was a deliberate identity swapping, the king who could not prove his identity was beheaded. Tragedy!
How could someone steal your identity? Criminals use various methods to mimic your identity. Here are some of the methods they use:
- Criminals dig into your trash. Your negligence in disposing information makes their lives easy. They search through garbage to find information about your identity and finance. This is known as dumpster diving.
- Criminals access your mails from your mailbox or from where you leave them.
- Criminals watch what you type in your mobile phone or laptop from a nearby location. They might be right behind you at the ATM, watching you keying in your PIN. This is called shoulder surfing.
- Criminals fix ‘skimmers’ to ATMs and credit card swipe machines to capture data from your card, so that they can create a counterfeit card with your data. They place small cameras to record you keying the PIN. In early 2019, several banks in Sri Lanka went under skimmer attacks.
- Criminals eavesdrop on what you say on the phone. (Who was around when you spoke out your mother’s maiden name?)
- Criminals steal your important documents such as birth certificates and passports. Your money and jewelry might not be the only things burglars are after. According to 9/11 Commission Report, for terrorists, travel documents are as important as weapons.
- Criminals pickpocket your wallet to steal your information. Margot Somerville, a vice president of a bank in the US, lost her wallet in 2006. Two years later she was arrested and charged with 19 crimes. Her identity had been forged to steal money from customers’ accounts.
- Criminals bribe to get your personal information. They might bribe your friends, colleagues, business partners or your bank. A help desk technician in a software firm in US was sentenced to 14 years of imprisonment for selling credit card reports of 33,000 customers to Nigerian fraudsters for $ 30 each.
- Criminals pretend like authorised parties such as government officials and bankers to collect your personal information. (What are the details you gave when your bank called you? How do you know for sure that the call was from the bank?)
- Criminals hack into your phone or computer to steal your information.
- Criminals attempt to obtain your sensitive information such as usernames, passwords and credit card details via phishing emails. In phishing emails fraudsters provide a link from which you are redirected to a legitimate-looking malicious website where you are required to key in your details. Once the details are entered, they get recorded, so that fraudsters can use them for their own purposes.
- Criminals use a tactic called pharm to ‘hijack’ domains, so that they can collect personal and financial information of the users who believe that they interact with the original web site. The entire online operation of one of the Brazilian banks was hijacked in October 2016.
- Criminals send spam emails offering money in exchange of your personal and financial information. (Have you received emails with poor grammar from a bank manager in an African country asking your personal information to transfer the wealth of millions of dollars left by one of your uncles in Zimbabwe who suddenly died in a plane crash? Have you received emails asking for the processing fee of the prize of a lottery you never bought? Have you been offered a discounted rate to an exotic destination which must be booked immediately otherwise the offer would get expired?)
- Not only yours, but also the identity of your business is vulnerable to identity theft. Once the signatures of high-ranked officials in an insurance company in Venezuela were forged to transfer seven million US dollars to a ghost company registered in Sri Lanka declaring that, it is a subsidiary of the Venezuelan insurance giant.
Victims of identity theft are hardly aware of its repercussions. What could a criminal do once your identity is stolen? The crime of identity theft has various dimensions apart from withdrawing money from your bank accounts and using your credit cards. Below are the financial crimes criminals could commit with your identity once it is stolen:
- Criminals can pretend to be you and gain access to your bank accounts to steal money. This is known as Account Takeover Fraud. Fraudsters gain access to your account by first changing the address and telephone numbers which you have given to your bank. Then they request for a new ATM card, PIN (Personal Identification Number) or a cheque book to retrieve money from your accounts. Since the telephone numbers are changed, verification calls from the bank will be received by them. Since the address is changed, new ATM cards, PINs and cheque books will be delivered to them.
- Criminals can use your credit history to obtain financial facilities like personal loans, mortgages, auto loans, overdrafts, etc. Then they file for bankruptcy in your name.
If you think that criminals’ intention is only to steal your money, you have massively underestimated them. When money is not what they are after:
- Criminals can use your identification details to commit acts of terrorism. They use stolen identities to enter and operate in targeted countries. The 9/11 hijackers have used fake passports created with the details of stolen identities to board the planes. (Can you imagine how it is like to be famous as a dead terrorist while you are alive and innocent?)
- Criminals can provide your identification details to the authorities to avoid prosecution. This is known as Criminal Record Identity Theft. (This might be what happened to Dayawathie. Yes; reading this might save you from being imprisoned for a crime you never committed.)
- Criminals can use stolen personal information to create identification cards to gain access to various locations.
- Criminals can create a passport in your name to bring someone into the country for illegal reasons such as human trafficking, prostitution, etc.
- Criminals can use the stolen identity to prevent someone else from detecting the criminal history. This is known as Reverse Record Identity Theft. A fraudster can use your identity to apply for a job because he wants to hide his criminal history from a prospective employer in background checks.
- Criminals can use your identity to create fake accounts in social networks or gain access to your existing accounts with the intention of ruining your reputation or impersonating you for a financial or non-financial gain. You can report such incidents to the relevant social network and gain your access back based on the successful verification of your personal details. But sometimes it may take days. After identifying suspicious account activities some networks like LinkedIn ask for a copy of your photo identity for verifications. (Wait! Did you securely dispose that photocopy of your ID?)
Below points elaborate how you can take extra precautionary actions to protect your identity:
- Dispose your confidential waste securely. Tear your cancelled cheques, expired credit cards and unprocessed loan applications into tiny pieces. Cut off your signatures from documents before throwing them off. Do not try to save paper by reusing the other side, if you have confidential data in it. It would be a good idea to invest in a shredder machine, if you have bulks of confidential waste to be disposed regularly.
- Request your bank to send statements via email. Apart from saving trees, e-statements help you eliminate the burden in physically storing documents securely.
- Know when your bills and bank statements arrive. If they are late, find out why. It may have fallen into the hands of a fraudster.
- Lock your mailbox to prevent access from unknown parties.
- Be vigilant about the outside environment when you use your mobile phone or laptop in public.
- Minimise the number of occurrences where you use someone else’s phone or computer to check your private information.
- Politely ask for more privacy, if the person behind you in the ATM is standing too close to you.
- Be vigilant at ATMs. Look for devices fixed to the ATM. Know where you swipe.
- Excuse yourself from others and go to an isolated area when you need to speak out your personal information over the phone.
- Keep your important documents such as birth certificates and passports under a lock and key.
- Block the debit and credit cards as soon as possible in case you lose your wallet.
- Do not hesitate to ask for the identity information of any personnel who request your personal information. If you are in doubt, hang up the phone and call them yourself at a number you know.
- Use updated anti-virus software in your computer.
- Do not click on any links in an email, if you are uncertain about the legitimacy of the sender.
- Think twice when grammar of the email sent by your bank is poor and the language is casual. In early 2016, perpetrators’ attempt to withdraw an amount close to $ 1 billion from the central bank of Bangladesh had been unsuccessful because Colombo branch was able to notice a misspelled word in payment instructions. Perpetrators had issued 35 fraudulent instructions using a malware, out of which one transaction worth of $ 20 million, making a fictious NGO in Sri Lanka the beneficiary. The NGO’s name had been misspelled as ‘fundation’, instead of ‘foundation’, triggering suspicion
- Do not trust emails offering you millions for nothing. Nobody loves you like that. Do not exchange personal information for money. You are not the next of kin of an African who died leaving a wealth of millions of dollars and how could you win a lottery you did not even buy?
- Do not share your mobile phone with anyone. It is your personal property. Do not leave it unattended.
- Minimise your public Wi-Fi usage.
- Do not check your personal information in internet cafés.
- Do not leave your bank statements and other documents with confidential information unattended, even at your home. There can be servants, mechanics, electricians, carpenters and plumbers at your home who might be sophisticated enough to see a monetary value of confidential data. They might also sell your confidential information to someone who is sophisticated enough to misuse them for their advantage. Never underestimate someone’s ability to commit a white-collar crime, though they do blue-collar jobs.
- Make sure the web address of the page you carry out financial transactions with starts with ‘https’. All communications between your browser and the web pages start with ‘https’ are secured. Most of the web browsers display a padlock icon in the address bar to visually indicate the same. Malicious web sites may look identical to the legitimate site, but there can be differences in the domain, such as '.net' instead of '.com' or small variations in spellings in the web address.
- Obtain a credit report from the Credit Information Bureau at least once a year. You may never know; someone might be enjoying a credit facility granted under your name.
- Do not carry debit or credit cards with you unless there is a necessity, so that your risk is less, in case you lose your wallet.
- Cancel debit and credit cards you have not used for a long time. Open credit is an open invitation to fraudsters.
- Go through your bank and credit card statements at least monthly to check whether there are unusual transactions.
- Set alerts to your phone whenever a transaction is occurred in your account.
- Collect your debit and credit cards and PINs from the bank whenever possible. Avoid getting them delivered to you. There is a risk in delivering them.
- Do not ‘distribute’ your CV. Forward your CV only to company email addresses, unless you know the receiver in person. Upload it only to recognised websites. Delete your profile once your job hunt is over. Do not make your personal information available in cyber space unnecessarily. In 2009, Monster.com, one of the most trafficked employment websites, was hacked and personal information of millions of users was compromised.
- Do not share passwords and PINs. Keep all your passwords and PINs only in your memory. Do not write them down. Use a combination of letters and numbers as passwords which cannot be guessed easily.
- Format your hard drives and reset your phones before transferring the ownership to someone else.
- Set a Google Alert for your name, so that you receive an email notification when Google finds a new result that involves your name.
- Learn about various forms of identity theft; so that you can protect your own identity, as well as educate others to protect their identity.
The writer holds a MBA and is a KYC Analyst and can be reached via [email protected].)