Let’s follow the story of Julia to see how all of this works in the real world:
A Trip to the Mailbox
One morning, Julia took a walk to her mailbox and was surprised to find an envelope from a bank she did not recognize. Thinking it must be an advertisement, she started to discard it, but something made her think twice. She opened the envelope. It was a letter from a collection agency asking for payment of a $5,210.00 balance for a credit card account she did not own. Julia’s first thought was that it must have been a mailing error and this letter must belong to someone else. She looked again and saw that the card account was in her name.
Julia called the issuing bank and was told that the credit card was opened 18 months earlier using her name and Social Security number, but a different address and telephone number. The card was used for transactions, and the balance was paid on time each month for a year. After the bank granted a requested increase in the credit limit, the transactions got bigger and more frequent, but payments stopped coming. It was only after the account went into the collections process that it was traced back to Julia’s postal address through her Social Security number. This was a case of identity theft.
The timeline of this fraud is more than 2 years. Let’s see what might have been going on behind the scenes, although there is no way to know for sure.
We know that the criminals applied for a new credit card using Julia’s identity information, which means they had Julia’s name, address, Social Security number, and probably her driver’s license number. Julia could have been a part of one of any number of large data breaches in the past where names, addresses, Social Security numbers, and driver’s license information were lost or stolen, such as the Anthem Health breach (2015, 37.5 million people), Equifax (2018, 147.9 million), or First American Financial (2019, 885 million). But we want to propose another possible scenario that could have led to the theft of Julia’s identity.
What Might Have Happened?
Although she was not aware of it, in April of 2019 Julia was part of a data breach incident for an online invitation website which exposed her name, address, date of birth, email address, and password, along with the rest of its members. How harmless could this be? There were no account numbers or other personal information included.
Let’s take a look: Julia’s email address was her username on the breached website account, and the password she used there was the same as the password for the email account itself. Last January, Julia sent tax return information to her accountant using her email account. In March, Julia sent a picture of her driver’s license by email to a utility company to set up new service, which was a workaround process due to COVID-19 restrictions.
Behind the Scenes
Criminals were able to purchase Julia’s email account information along with her password used on the online invitation website by using one of hundreds of black market storefronts on the Dark Web. With knowledge that the majority of people reuse their passwords (65% of people reuse the same email on multiple accounts, according to a 2019 Google/Harris poll), the criminals were able to log in to Julia’s email account and access all of her archived emails, including attachments. Now they had her tax documents which included her Social Security number and other personal information, and the picture of her driver’s license.
This is all they needed to establish a credit card account. They carefully “groomed” the account for months, making purchases and timely payments. Then they asked for an increased credit limit. Once the increase was obtained, the criminals went on a spending spree that resulted in over $5,000 in unpaid charges. In addition to opening this credit card account, the criminals could have established bank accounts, applied for government benefits, and even hijacked Julia’s 401(k) account.
Fortunately, Julia has a SESLOC HomeFREE Checking™ account with free Identity Theft Services¹, which means she has access to a professional Identity Theft Recovery Advocate who can help her get her life and her identity back on track. The Identity Theft Recovery Advocate can perform research to uncover other areas where fraud may have affected Julia’s accounts. The Advocate will perform all of the legwork it takes to dispute fraudulent transactions and other activity caused by the identity theft, helping Julia reverse the damage.
¹ Identity theft insurance is underwritten by Lyndon Southern Insurance Company, a member of the Fortegra family of companies. The information provided is a program summary. Please refer to the Identity Theft Expense Reimbursement Evidence of Coverage forms for additional information including details of benefits, specific exclusions, terms, conditions and limitations of coverage. Coverage is currently not available to residents of the state of New York and may not be available in other U.S. territories or jurisdictions in the future.
Prepared by NXG|Strategies, Copyright 2020.