To be or not to be—Is that the question?
“We are letting you know that your card may have been part of a compromise at an undisclosed merchant. That doesn’t mean that fraud has or will occur on your account.” That information came by letter and e-mail in mid-August. The chills that came with this letter and email are surpassed only by those caused by the phone calls from a different credit card’s “fraud team” in March inquiring whether it was me currently shopping in Arizona and New Mexico since I was answering my home phone in southern Illinois. And these chills were surpassed only by the ones caused by the letter from the Internal Revenue Service in late January or early February saying that either I, or someone pretending to be me, had filed a 1040EZ online seeking a refund and the IRS wondered if that was in fact me. They kindly gave time to object before they would process the electronic refund. Since, in reality, I have been filing a joint return with my spouse for 34 years and cannot recall ever filing an EZ return (or ever getting a refund), the IRS had indeed been contacted by someone pretending to be me. How can this happen, asks this and potentially other judges, lawyers, or perhaps clients who do not take major risks gambling, putting personal information on social media, or otherwise inviting the outside world to try to steal?
Of course, who among us has not received letters over the years from Target, Schnuck’s (local grocery chain), a medical provider’s office and others that “your information may have been compromised” and offering to pay for a year of credit monitoring? (I concede I never took advantage of any of those offers.) But this year has been serious. What gives? I wanted to share what I experienced with others who may have my luck in the future and tell you what 2016 has been like for me. The goal is to give you information, a laugh, a scare, and some advice. It may be useful to the readers personally or to at least be able to give immediate practical advice to a client who has become a victim of identity theft.
It wasn’t about me
First, emphasize that the victim is not alone in being picked as a target. According to the U.S. Department of Justice’s Bureau of Justice Statistics published in September 2015, 17.6 million Americans suffered identity theft in 2014. So roughly 7% of U.S. residents over the age of 16 have been victims. The Bureau of Justice breaks the statistics for identity theft down into categories so that the 17 million of us may feel better:
• 86% suffered from misuse of their credit cards or bank accounts;
• 4% had their personal information stolen and actual fraudulent activity occurred (such as opening a new account or perhaps trying to file an IRS EZ return online);
• 7% were the stars who suffered more than one type of identity theft (so nice to be in that group of sufferers, of course).1
While not being the only victim will not cause one to be reassured, at least it helps people to learn what steps can be taken to resolve the issues.
Additionally, it may be helpful to point out that some people can actually solve the problem in a day. The Bureau of Justice Statistics found that 52% of the victims were able to find out about the misuse of their identities and correct all the problems that quickly. Most of those were the ones with a credit card or bank account that was compromised because it was a simple matter of cancelling the card or contacting the bank and getting the thief shut out. Of course, 9% of the people who had their identities stolen needed more than a month. Not surprisingly, those with more than one type of identity theft needed longer to try to fix the problems (39%). The longer it takes the more difficulties the victims encounter—identity theft victims who took 6 months or more to resolve the financial and credit problems caused by the identity theft also reported that they experienced severe emotional distress (29%). The Justice Department comfortingly notes in its report that victims of violent crime more often felt severe emotional distress than did victims of identity theft. Id. (That last observation may not be useful to communicate if you are assisting an actual client with resolving their financial and credit problems caused by the identity theft.) So let’s forge ahead to figure out what the victim can do.
The Internal Revenue Service
Dealing with the Internal Revenue Service identity theft issue was a priority, of course. Apparently, at least according to Consumer Reports, the most destructive type of ID theft is having your name, birth date, and Social Security number used to open credit accounts, tap your health insurance, or file a tax return in your name to steal your refund. Kudos to the IRS for having software programs that red-flag unusual filings. That letter from the IRS telling about the potentially false 1040EZ directs the recipient either to call a phone number that will eventually be answered or to go on-line to deal with the problem. Except when going on-line and putting in the code numbers on the letter, some recipients are informed they must telephone.2 And telephone repeatedly. Eventually, someone answers the phone. The caller must have the letter and his or her most recent tax return in hand when making the call so that you can answer background questions correctly and have all the information straightened out, according to the IRS Web site. Seems like once the agency answers and the caller is holding the required information for reference it would be a simple conversation: “I got the letter. Here are the code numbers on the letter to find me in your system. I did not file a 1040 EZ. Please reject that return and do whatever it is you do to find the culprits.” Of course it is not. Perhaps the wrinkle was that this particular caller is not the “primary taxpayer” on the joint return. When filing our first joint return after we got married, we put my husband’s name first. Then each successive joint tax return is always filed by listing the taxpayers in the same order. Perhaps the wrinkle was that he and I do not have the same last name.3 Perhaps I answered something in a tone of voice that caused it. Who knows?
Whatever the cause, the end result of my phone call experience was that I was required to visit an IRS office in person with two forms of identification, one a photo id, in order to convince them that I did not file the 1040 EZ that they had red-flagged and written me about. Here in southern Illinois, we are not lucky enough to have an IRS office in every county. The nearest one, when called for an appointment, advised it is open Monday through Friday from 8:30 am to 4:30 pm and is closed from 11:30 am to 12:30 pm each day. At least I can take vacation days a half-day at a time. So I made my appointment on an afternoon when no hearings were scheduled and visited the IRS in person. I produced my two forms of identification and my letter from the IRS. I had our most recent tax return with me. The agency’s employee couldn’t have been nicer and agreed to remove the offending return from my account to be placed into their ‘fraud’ pile for investigation less than ten minutes from my arrival. I did express to the agent that one explanation for my required personal visit could be that the IRS computer system is sexist since the phone agent had seemed disturbed that I was not the primary taxpayer on our joint returns and so it is not my social security number that comes first and that my last name was different. The agent smiled and offered to include that observation in my file folder. I declined. Finally, I was advised my husband and I would have to file a paper return and that I could get an Identity Protection Personal PIN Number to use when we file the return to increase our safety. The agent told me to get that on-line on the IRS website. Ironically, when I went on the website to get my PIN number, the website told me there had been a security problem and they were not currently providing Identity Protection Personal PIN Numbers. The area of the website advised to just file a paper return with a copy of the letter that told about the fake return. Hopefully, if a reader or client of a reader experiences the fraudulent tax return problem in the future, the IRS will have the ability to provide the personal PIN number.
There is an entire website (at least one) dedicated to identity theft. The IRS gives recommendations on actions to take that will be listed later in this communique.
The credit card experiences really can be lumped together whether one experiences fraudulent charges or the problem is a data breach but no charges have occurred. For fraudulent charges, first, bless the companies for having fraud teams who get suspicious when credit cards are shopping in out-of-the-usual ways or locations. These teams have been around for years. I know.
My first experience with a credit card fraud-alert team happened while I was at ‘New Judge School’ in 1999. My wallet was either lost or stolen Sunday evening at dinner on the first night of my arrival in Chicago for the week-long training of new judges. The restaurant where I had my wallet said to report it to building security and they would keep looking via a cleaning crew. Security said they would call the hotel if they found the wallet and if the cleaning crew had not found it by the next afternoon they recommended the police and told me I could then assume it was probably stolen and not lost. I went off to my first classes the following morning. At mid-afternoon break, there was a post-it note on the bulletin board outside the room to call my husband. (Yes, this was before cell phone usage in my area of the world and life.) My home phone had been called and my husband was asked if the credit cards being used in the Chicago area were valid charges or should be blocked. His first question was “Where?” He tells me if it had been Macy’s or Bloomingdale’s he would have said of course it was me. But it turns out the cards were buying televisions in some suburbs. He was pretty sure new judge school was not going to allow that kind of latitude, plus I had flown up to Chicago on Southwest Airlines so I really could not pack a bunch of TVs.
So we immediately cancelled my cards and had one company mail me a replacement one on an expedited basis to the hotel so I could check out at the end of the week, and a kind and thoughtful co-worker (Judge Clarence Harrison) endeared himself to me forever by covering for my lack of cash and credit.4 I had to fill out and send affidavits to the cards that had been used and get verification that I had reported the missing cards to a security desk in the building where the restaurant was housed. It took some time to scrutinize bills to make sure that the only charges we paid were ours.
Anyway, back to our current story. Not long after the IRS issue, a credit card team called and we reviewed some charges from out west that were not mine but were very tiny amounts. I learned from the card company that thieves will sometimes start with small charges to see if anyone notices. If those small charges go unchallenged, then larger ones will be made. I had my card in my possession (because I have been more alert since all those years ago). I had, however, used the card at a hotel. Apparently ‘scammers’ can be everywhere. Or maybe the card fraud was done by the same thief who had filed the fake tax return. There is no way to be sure. The company did not argue about the charges that were not mine, I filled out a form on those and a new credit card arrived in the mail. A companion card was also cancelled and re-issued, I think just to be safe.
Again, there are recommendations to be made about taking steps when a card has been subjected to fraudulent charges. I followed up with some of those. Several months have gone by without any credit upheaval to my knowledge until this week’s letter. It of course advises me to be watchful and that a new card is on its way. When there is a data breach at a place a potential victim shops, the credit card company will often just close out the card that could be at risk and issue a new one. Some merchants offer to pay for a credit-monitoring company to watch out for the potential victim. While having no personal experience with one of those companies other than seeing commercials, this author will accept the credit-monitoring the next time it is offered.
Be afraid, be very afraid, but take action!
There are things an individual can do besides sitting at home afraid to go anywhere. Just avoiding charge cards is probably impossible, and anyway the IRS identity theft was different than the credit card problems, so taking steps to prevent or deal with identity theft is the preferable route. A victim should consider some or all of these suggestions compiled primarily from the IRS and the Federal Trade Commission sites.
Request a free annual credit report from each of the three major credit-reporting bureaus—Equifax, Experian, and TransUnion—by going to www.annualcreditreport.com. Experts suggest you ask for one report every four months by rotating among the three bureaus. If you need one faster because you are in that lucky hot zone of fraud along with me, a victim is also entitled to a free credit report from each bureau after he or she places a 90-day fraud alert with one of them (remember, one bureau immediately tells the others for you). The fraud alert should be activated upon being notified of a security breach, or if one’s wallet has been stolen or lost, or if one detects other red flags of ID theft such as small charges on a card that were not placed there by the cardholder. Again, once there is an alert made to one of the three bureaus, that bureau will tell the other two. The fraud alert warns lenders and card issuers to verify applicants with a little more care. A person can place a new fraud alert every 90 days or every time word of a problem is received. If the reader or client is like me, that just means every 90 days. I recommend noting on a calendar when the first fraud alert is filed because it is hard to remember the date of the first one when it turns out identity theft or data breaches happen constantly! The information to make these reports follows:
• File paperwork with the Federal Trade Commission at www.consumer.ftc.gov or the FTC Identity Theft hotline at 877-438-4338 or TTY 866-653-4261. That website will also help with a plan for repairing any credit or other issues.
• Contact one of the three major credit bureaus to place a “fraud alert’ on a victim’s accounts:
• Equifax – www.equifax.com 800-525-6285
• Experian – www.experian.com 888-397-3742
• TransUnion – www.transunion.com 800-680-7289.
• Close any accounts that have been tampered with or opened fraudulently.
• All victims of identity theft should consider following the recommendations of the Federal Trade Commission including to file a report with the local police.
Professionals will also tell all persons to shred junk mail and any important documents, to have really good computer passwords on bank and credit card accounts, to monitor credit scores and credit reports regularly, and maybe invest in one of the services that claim to protect you. This victim may consider doing all of this. Undoing identity theft can be hard. Your effort to protect and repair your financial history can range from the simplest data breach one-day to cancel accounts through more than six months of effort to contest charges and file affidavits. This author and victim wishes everyone luck. I may not be positive of the correct question to ask to avoid identity theft. One thing is certain. To be vigilant is the only answer.