The persistence game – a real life identity theft attempt
It is late afternoon and I am frantically working to meet a deadline when the phone rings in my office. I answer without thinking, pop the phone between my left ear and shoulder and keep typing.
“Hello, Palmer* speaking.”
“Good afternoon, my name is Charlie and I am calling about an important personal business matter. May I speak with Mr Palmer?”
Fatal error. My name, Kerry, spelt with a y, is typically the male spelling so it is an easy mistake to make, but this incorrect assumption, and perhaps also his accent, reveals him to be an overseas telemarketer, or so I think.
“There is no Mr Palmer here. And I’m busy. Goodbye.”
Several years earlier, I had signed up for the Do Not Call register. I am brutal with those who ignore it.
Later that evening, Charlie calls again. This time, he asks to speak to Ms Palmer. Although I am already a little suspicious, I give him the opportunity to explain the purpose of his call.
“I am calling about an important personal business matter,” he explains again. I momentarily ignore the contradiction in terms.
“Firstly, I need to verify that I am speaking to the right person. Ms Palmer, I understand you were born on the 7th of June*. Is that correct?”
“Very good. I just need to verify the year you were born for identification purposes.”
Charlie’s not having a lucky day. I have been working in the media industry for years, and have recently written a lot about privacy legislation around the world.
“I am not going to give you that information, you should know it already. Where is it you are calling from again?”
Let’s just say it’s Smart Business Solutions. It doesn’t really matter, I had never heard of the company.
“I am calling about an important personal business matter and you must verify your identity before we can proceed.”
It’s been a long day, I am worried I might miss a deadline and, most importantly of all, I am worried about my partner’s health. It’s just the sort of call that might tip me over the edge.
“How can it be both a personal and business matter?” I ask, failing this time to hide the irritation in my voice. “It’s either one or the other. And I am not going to tell you the year, you tell me.”
“I am not authorised to give you that information, I may not be speaking to the real Ms Palmer.”
“Well then, there’s no point continuing. Goodbye.”
I hang up again.
…but the harassment continues
Over the next few days and weeks, “Charlie” calls again at least a dozen times and I begin to notice something rather odd; each time, he has a slightly different accent. He also appears to have no recollection of our earlier conversations. On some occasions, I hang up very quickly. Generally, I am starting to feel really harassed and, if I’m really honest, even a bit paranoid. Why am I being targeted? When will this ever end?
On one occasion, towards the end of a good day when I have succeeded in not letting the small stuff worry me so much, I feel mischievous and try another tactic.
“Can you tell me more about this important personal business matter?”
“No, miss, you must tell me the year you were born.”
I hang up, again. Then he calls again the following day.
“I am busy right now, call me back in half an hour.”
Amazingly, it appears to be the same Charlie when he calls back, and this time, it is he who is feeling frustrated. I achieve a break-through.
“Listen, I know a lot about the privacy laws in this country, and I am not obliged to tell you the year I was born. But if you tell me what your records show, I will happily confirm the details.”
“1986?” he asks tentatively.
“Ha! Bad luck Charlie, goodbye.”
I end the call, feeling slightly chuffed that he’s just shaved more than a decade off my age.
By now, it was clear “Charlie” wasn’t going to get anywhere with me, but I continued to marvel at “his” persistence. He even leaves me a message on my voicemail, telling me his name and company again, and asks me to call him back on a toll free number. It sounds like a legitimate number.
Out of curiosity I dial the number. Not surprisingly, an automated voice system advises that the number is incorrect or out of service. But it just goes to show the level of duplicity (or desperation?) involved in identity theft.
Identity theft is a type of fraud that involves using someone else’s identity to steal money, make unauthorised purchases from their bank accounts, take out loans or carry out other illegal business under their name. Phishing, when the scammer tricks you into handing over your personal information, is one of the most common types of identity theft.
I am pretty careful about the personal data I share online. I only ever post information about myself that I would be prepared to tell people on a radio or TV broadcast or publish in a newspaper or magazine. I am vigilant when it comes to checking my privacy settings on the social media platforms I use. I never publicly share the year I was born or my street address.
It soon became pretty clear that Charlie was grasping at straws. He knew my full name, day of birth and month of birth (probably from Facebook) and was calling to fill in the gaps. I vacillated between outrage and frustration. But Charlie was incredibly persistent. Many scammers and identity thieves use automated voice dialling, but Charlie was always a real person on the end of the line and because of this, even Charlie got frustrated from time to time. One day he tells me, his voice shrill with exasperation:
“You have a bad debt. I am authorised to recover the debt on behalf of my client.”
For a moment, I felt a sinking feeling in my guts. But then my rational mind took charge.
If only Charlie could see where I worked – by myself, in a small home office in my garage, with a handful of clients, many of whom had become close friends.
“That’s impossible, I don’t believe you.”
In many ways, Charlie was unlucky getting someone like me who was immediately suspicious but it still didn’t explain why “he”, in all his incarnations, persevered. If I had been a typical computer user I might have fallen for it, or felt intimidated.
Luckily, Charlie didn’t call again – so the mystery remains, why was I targeted? I’ll never know for sure, but I know I’m not alone.
Identity theft is the fastest growing crime
According to the US Federal Trade Commission, identity theft is the fastest growing crime (as reported on scambusters.org). Experts estimate that about 10 million people become victims each year. That means every minute, about 19 people become new victims of identity fraud. scambusters.org also note that the US Department of Justice have determined that drug trafficking is being replaced by identity theft as the number one crime.
Even in a small country like New Zealand, where I currently live, identity crime (which includes creating false identities) may cost the New Zealand economy as much as $209 million every year, with as many as 133,000 New Zealanders falling victim to identity theft annually. The New Zealand Government notes that, by its very nature, identity theft is a crime that is difficult to prosecute people for (it may have been committed overseas or online) and it can also take a long time to resolve. Yet while it’s a global problem, the government believes people living in New Zealand could be particularly vulnerable because we tend to trust others, making this country appear to be a soft target. The NZ Department of Internal Affairs says this is why vigilance and awareness are vital. This is particularly important around tax time.
New safeguards to avoid identity-theft related tax fraud
Forbes recently reported that several American states (including North Dakota and Illinois) have advised that tax refunds will take longer to process this year, in a bid to avoid identity-theft related tax fraud. The Internal Revenue Service (IRS) reported that it had identified 163,087 tax returns with more than $908.3 million claimed in fraudulent refunds during the 2015 filing period. Luckily, it stopped the issuance of approximately $787 million (86.6 per cent) of fraudulent refunds last year.
The IRS has just introduced new safeguards for 2016 that will help prevent fraudsters from taking over the accounts of taxpayers – and as consumers or clients we are well within our rights to insist that other organisations do the same. These include:
- New password standards to access tax software will require a minimum of eight characters with upper case, lower case, alpha, numerical and special characters.
- A new timed lockout feature and limited unsuccessful log-in attempts.
- The addition of security questions.
- Out-of-band verification for email addresses, which is sending an email or text to the customer with a PIN – a common practice used throughout the financial sector.
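As an added illustration (not IRS or Emsisoft code), here is a minimal Python sketch of how a service could enforce three of the safeguards listed above: the password standard, the timed lockout after limited failed log-ins, and an out-of-band PIN. The failure limit, lockout duration and PIN lifetime are assumptions, since the list gives no numbers, and `LoginGate` is a hypothetical name.

```python
import hmac
import secrets
import string
import time

MIN_LENGTH = 8          # from the list above
MAX_FAILURES = 5        # assumed: the list gives no number
LOCKOUT_SECONDS = 900   # assumed
PIN_TTL_SECONDS = 300   # assumed

def password_meets_standard(pw):
    """Eight or more characters with upper case, lower case, digit and special."""
    return (len(pw) >= MIN_LENGTH
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))

class LoginGate:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.failures = {}      # account -> consecutive failed attempts
        self.locked_until = {}  # account -> time the lockout ends
        self.pins = {}          # account -> (pin, expiry time)

    def is_locked(self, account):
        return self.clock() < self.locked_until.get(account, 0)

    def record_attempt(self, account, success):
        """Return True only if the log-in attempt is accepted."""
        if self.is_locked(account):
            return False  # even a correct password is refused during lockout
        if success:
            self.failures[account] = 0
            return True
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= MAX_FAILURES:
            self.locked_until[account] = self.clock() + LOCKOUT_SECONDS
            self.failures[account] = 0
        return False

    def issue_pin(self, account):
        """Create a PIN to send by email or text, never via the login session."""
        pin = f"{secrets.randbelow(10**6):06d}"
        self.pins[account] = (pin, self.clock() + PIN_TTL_SECONDS)
        return pin

    def verify_pin(self, account, candidate):
        # pop() makes the PIN single use: one wrong guess invalidates it
        pin, expiry = self.pins.pop(account, ("", 0))
        return self.clock() < expiry and hmac.compare_digest(
            pin.encode(), candidate.encode())
```

Passing a fake `clock` lets the lockout and PIN expiry be tested without waiting.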
To mark Tax Identity Theft Awareness Week in the US (25 to 31 January 2016), We Live Security published a useful list of ways for both consumers and small businesses to protect themselves from tax identity fraud.
Like hacking (when a scammer gains access to your information by exploiting security weaknesses on your computer, mobile device or network), malware and ransomware (when a malicious program is placed onto a victim’s computer that will allow the hacker free rein to all of their files) and document theft, phishing can be avoided by security software. Emsisoft Anti-Malware has been built with a layer of automatic Surf Protection. We keep a running list of known fraudulent websites from all across the Internet – such as the ones involved in this latest iteration of the Google Drive phishing scam – and we feed it to Emsisoft Anti-Malware multiple times per day. As a result, if you’re running our software and you try to navigate to a malicious website, you will be prevented from doing so.
Review your passwords
There are also things you can do to make it much more difficult for your personal details to be stolen.
As well as being very careful about protecting personal data that could serve as the missing piece of the jigsaw puzzle (your full date of birth in particular), it’s critical to regularly update your passwords. And, like many people, I have in the past had a tendency to re-use my passwords. Writing this story has been a timely reminder that I shouldn’t use the same password for multiple accounts. At least I use a combination of letters, numerals and punctuation and don’t create passwords that are easy to guess. (If you want a laugh, check out Splash Data’s list of worst passwords in 2015.)
Keep a close eye on your Uber and PayPal accounts
Scambusters.org notes that subscriber fraud is the biggest cell phone identity theft scam, which costs the industry an estimated $150m a year in the United States as well as causing “untold anguish to the victims”. This doesn’t just apply to cell phone accounts, but also to many other online accounts, and it seems that peer-to-peer platforms like Uber and PayPal are particularly vulnerable.
Interestingly, credit cards are worth less to crooks these days than these types of accounts.
“Banks and credit card issuers have developed more sophisticated fraud detection systems, rendering stolen cards worthless very quickly,” Forrester research analyst Andras Cser recently told CNBC.
According to CNBC, stolen Uber account information on underground marketplaces sells for an average of $3.78 per account. PayPal accounts — with a guaranteed $500 balance — were worth $6.43 and Facebook accounts were worth $3.02. By contrast, US issued credit card credentials, sold in bundles, were listed for no more than 22 cents each.
CNBC reports that, as a result, Uber is testing its version of two-step authentication in some markets, so when a user logs on from an unknown device, they are prompted to enter additional credentials. And perhaps this is why experts like Andras Cser believe the time has come to move away from passwords. So there may soon be some more sophisticated technological solutions to prevent identity theft.
“They should be looking at behavioral biometrics solutions to authenticate users — how the user actually behaves, how they hold a phone, how big their fingers are and how hard they press the touch screen,” said Cser.
In the meantime, the best advice I can offer is to share your own stories and suspicions. This will help others learn from your experiences – and it builds a detailed profile of criminal activity that will help governments and businesses to develop solutions. In my situation, which took place when I was living in Australia, I reported my case to scamwatch.gov.au, a great service operated by the Australian Consumer and Competition Commission (ACCC). There are similar services in many countries – check out what’s available in your country by searching for the keywords “report a scam” on Google. And of course, feel free to post your comments below!
For other excellent ways to prevent identity theft, check out the following two blogs we’ve previously published:
- Hacking Identity Theft: Entry points, tools and prevention
- Hacking Identity Theft 2: More Entry Points, More Tools, And More Prevention
* To protect my privacy I have used an alias for my surname and a fake birthday