Identity theft is the unauthorized
acquisition of a person's personally
identifiable information (PII). The unauthorized
acquisition may occur if the individual does not
safeguard their own personal information. It may
also occur if an organization that stores the
PII does not have sufficient or effective
How safe is your social security number? With
your name and birth date, someone may be able to
buy your Social Security number on a web site
that sells numbers to businesses that conduct
background checks. Since many individuals
obtained their social security number when they
started their first job, all an identity thief
needs to do is ask the individual where they
were first employed. On June 25, 2011, Social
Security changed the Social Security Number
assignment process. Prior to that date, an
individual's social security number was based
upon where they lived. For example, if the
individual lived in Wyoming, the first three
digits of the social security number were 520.
If the person lived in North Carolina, the
individual's social security number stared with
232. Bingo, simply by knowing where you first
worked, the thief had three of your nine digits.
How many times does someone ask for the last
four digits of your Social Security Number? Now
the thief has seven out of the nine digits. It
won't take long to get (or guess) the remaining
Once your personal information is obtained,
identity fraud can occur. Identity fraud
- Unauthorized use or attempted use of an
- Unauthorized use or attempted use of PII
to open a new account.
- Misuse of personal information for a
Identity Theft Protection For Individuals
By following some basic procedures individuals
can help to minimize their risks and protect
against identity theft and subsequent identity
- Inventory. Prepare a list that includes
account numbers, entity name, expiration
date, contact information, etc. This list
will come in handy should a wallet be stolen
or the person becomes the victim of identity
- Wallet. Only carry the minimum amount of
cards and IDs in a wallet. Don't carry a
Social Security card in a wallet.
- Credit. When applying for credit ask how
the information will be used and with whom
it will be shared. If possible, opt-out of
the sharing process. Find out how they
safeguard personal information.
Using electronic equipment
- Computers. Ensure computers have updated
anti-virus (anti-malware) software. Verify
the firewall is turned on and active at all
times. Make sure the e-mail service has good
spam filters. Don't open an e-mail message
unless the sender is known.
- Mobile devices. Make sure your
smartphone or mobile device requires a
password at start up. Follow these
additional smartphone security tips.
- Passwords. Choose long and strong
passwords that are not easy to guess. Use
different passwords for financial accounts
so even if one account gets compromised, a
thief doesn't have access to other accounts.
Do not save (remember) passwords on a
computer or mobile device.
- Internet. Do not access financial
accounts when using public Wi-Fi hotspots.
Many public connections are not secure.
- Social media. Don't disclose a birth
date, home address, or other personal
information on social media sites.
- Text messages. Consider using software
such as Cyber Dust that manages your risks
related to text messages. The software can
automatically deletes messages after they
are read by the recipient, retract messages
that were sent, and block recipients from
making a screen capture of the message.
- Phone number. Consider software such as
Burner that provides disposable phone
numbers. The disposable phone number will
ring on your phone and the temporary phone
number can be discarded when no longer
- Phone calls. Signal software encrypts
phone calls so sensitive conversations
cannot be heard by others even if they
intercept or tap into the call.
- Authentication. Authentication is the
processing of identifying yourself,
typically via an ID and password, to allow
access to a system. The system can be your
computer or a web application such as
on-line banking. Some systems allow two
factor authentication, using two out of
three of the following - something you know
(e.g. a password), something you have (e.g.
a token, card, or code), or something you
are (e.g. biometric fingerprint, retina
scan, voice). For example, a web site
recognizes that you are using a new device
(e.g. computer, phone) to access the
application. The application then sends a
text to your smartphone. You enter you logon
credentials (ID and password) plus the code
sent to your phone. In the future, the
system will recognize the device and won't
require the code to be entered. The
combination of ID/password plus the code
sent to your phone makes it harder for a
thief to gain access to your information.
- Phone calls. Hang up if you receive an
automated phone call. Don't respond by
pushing buttons that may notify the caller
that the phone is active. By responding to
the automated system you may receive more
phone calls or end up on more marketing
- PIN number. Don't use birth dates,
street addresses, or zip codes as a PIN
number. The more information provided, the
easier it is for the bad guys.
- Credit cards. Use one credit card for
retail purchases and another for other
expenses. This way if a retail credit card
is compromised, it doesn't impact other
activities. Use credit cards instead of
debit cards since a fraudulent debit card
transaction is withdrawn out of your account
and may take time to be reimbursed.
- Data entry. Ensure someone can't see
your PIN, zip code, or password as it is
- Shred. Shred any hard copy materials
that contain personally identifiable
information. For example, shred pre-approved
credit card applications.
- Disposal. Securely dispose of any
electronic equipment (e.g. computer hard
drives, flash drives, mobile devices, backup
media) that has reached the end of its
- Mail. When away from home for an
extended period of time either place a mail
hold with the postal service or have a
trusted person collect mail. Contact
financial institutions and ask that
statements not be mailed. Instead, obtain
financial statements on-line.
- Social Security. Check Social Security
Administration earnings statements on an
annual basis to ensure it agrees with other
If You Are a Victim of Identity Theft
Take the following steps if you become a victim
of identity theft:
- Accounts. Contact the organization that
issued you the compromised account number.
For example, if your Driver's License Number
was obtained by a thief, notify your local
Department of Motor Vehicles. Notify your
financial institution if a credit card or
bank account number was compromised. Close
any accounts that were compromised or opened
without your permission. Submit a letter to
the institutions requesting that they
furnish you and your investigating law
enforcement agency with copies of
documentation including fraudulent
applications, transaction records, etc..
Federal law (FCRA § 609(e)) gives you the
right to obtain these documents. Bank
account information was compromised or set
up fraudulently in your name, request your
financial institution to report it to
ChexSystems, a consumer reporting agency
that compiles reports on checking accounts.
Put stop payments on any checks not written
by you. If your checks are rejected, contact
the check verification company that the
- Brokerage accounts. Refer to your
account agreement if the thief targeted your
brokerage account. Report the compromise to
your broker as well as the Securities and
- Police Report . Contact your local law
enforcement and file a report. Make sure the
police report lists the compromised or
fraudulent accounts. Get a copy of the
- Identity Theft Report. Contact the
Federal Trade Commission (FTC) to file an
Identity Theft Affidavit and Identity Theft
Report. You may file on-line
by phone 877-438-4338, or by mail to the
Consumer Response Center, Federal Trade
Commission, 600 Pennsylvania Avenue,
Washington DC 20580. Together, the police
report and the FTC Identity Theft Affidavit
combine to create your Identity Theft
- Credit Agencies. Notify a credit agency
(Experian, Equifax, and TransUnion) to put a
fraud alert on your account. A fraud alert
requires lenders and creditors to take
additional steps to verify your identity
before extending credit. With a fraud alert
you only need to notify one of the credit
reporting agencies, they will then notify
the other two agencies on your behalf. A
stronger alternative is to put a security
freeze on your account. A freeze prevents
creditors from accessing your credit report.
With a security freeze you will need to
contact each of the three agencies. Note
that you must have evidence of attempts to
open fraudulent accounts and an Identity
Theft Report to establish a seven-year
alert. You may cancel the fraud alerts at
- Social Security. If your social security
number has been compromised you should
contact the Social Security Administration
(800) 269-0271. Notify the Social Security
Administration Inspector General if you are
a victim of Social Security benefit fraud,
employment fraud, or welfare fraud.
- Internal Revenue Service. Contact the
Internal Revenue Service (800-829-0433) if
you believe the thief used your information
that resulted in a tax violation. For
example, the thief used your social security
number to file a tax return and obtain a
fraudulent refund. Complete IRS Form 14039,
Identity Theft Affidavit.
- Postal Service. Contact the Postal
if you believe the thief used U.S. mail to
perform identity theft. Also contact the
Postal Inspection Service if you believe the
thief submitted a false change of address
- Debt collectors. Debt collectors may
contact you regarding unpaid bills on
fraudulent accounts. Obtain the collection
company's name, name of the person
contacting you, their phone number, and
address. Notify the collector that you are a
victim of identity fraud and are not
responsible for the debt. Ask the collector
for the name and contact information of the
referring creditor, the amount of the debt,
account number, dates of charges, and any
additional information. Ask if they will
accept the FTC Identity Theft Affidavit.
Write a letter to the debt collector firm
summarizing the events, actions taken, and
confirm that any amounts are not owed by you
and that the account has been closed.
- Passwords. Change your passwords for any
accounts that have been compromised.
- Documentation. Create a log of all
telephone calls, letters written, and action
taken. Create a file of all communications
and documents. Prepare a list of important
dates including deadlines, action items, and
- Statements. Check your monthly
statements to ensure no unauthorized charges
were applied to your account.
- Credit Report. Check your credit report
on a regular basis.
A variety of resources are available to you to
report fraudulent activities.
- Attorney General. File a complain
with your state Attorney General's office.
You may also want to file a complaint with
local law enforcement.
- Consumer Financial Protection Bureau
complaints to be filed when you have been a
victim of ID theft, questionable business
practices, loans, banking services, etc.
- Do not Call Registry
www.donotcall.gov. Register up to
three phone numbers per e-mail address.
Once you have been registered for 31 days,
you can file a complaint on this same site
if you receive unwanted phone calls.
- Federal Trade Commission (FTC) Complaint
identity theft and most types of fraud.
When you file a complaint, keep the
reference number they provide you in case
you need to contact the FTC with future
- Internet Crime Complaint Center
www.ic3.gov/complaint allows you to file
complaints regarding Internet based
activities including hacking, social
engineering (phishing), false e-mails.
- United States Postal Inspection Service
postalinspectors.uspis.gov can be used
to report mail crimes, theft, vandalism, and
Reduce Future Risks
The bad guys will try and find out information about you before they perform identity theft. By reducing the amount of information available, you reduce
the likelihood of a future attack.
- Mail fraud. Opt out of unsolicited mail at www.dmachoice.org.
- Internet sites. Sites such as www.familytreenow.com/optout allow you
to remove your information.
- E-mail. A national e-mail preference list eMPS allows individuals to remove their e-mail address from national lists.
Note, this list is for individuals, not business e-mail addresses. Also, You will continue to receive email from groups or advertisers who do not use
eMPS to clean their lists.
Individuals and organizations need a proactive
approach to managing threats related to identity
theft, identity fraud, and data breaches. We
also offer suggestions on how to
business from a security breach that can
lead to identity theft.
Security Blog menu
Tags: identity theft | id theft | identity
data breach | cybersecurity