Identity Theft - A Primer

Identity theft has been called "the crime of the 21^st century." It claims millions of victims across North America each year. Total losses from this crime are in the billions.

A single piece of your mail can be invaluable to a thief, who can use it to begin impersonating you and committing crimes in your name. Fraudsters use stolen names, addresses and birth dates to apply for credit cards and loans, and to open bank accounts in your name.

The impact on victims can be devastating. They can be left on the hook for debts that are not theirs. They often wind up spending hours and hours trying to clear their good names. Identity theft is an enormous violation of an individual’s privacy.

What is identity theft?

Identity theft – or perhaps more accurately, identity fraud – occurs when someone uses your personal information, your Social Insurance Number (SIN) or birth date, for example, to pose as you and then apply for credit cards and loans, open bank accounts to write bad cheques and to get new government documents such as driver’s licences and SIN cards.

In an extreme form of identity theft, crooks pose as homeowners and forge phoney documents that they use to either sell a home or obtain a second mortgage – completely unbeknownst to the real owner.

Another newer type of identity theft is medical identity theft, where the crook impersonates someone else to claim their medical benefits.

Identity thieves steal personal information in many different ways. Dishonest employees sometimes obtain personal data from organizations where personal or financial information is stored. Hackers have also tapped into databases to steal personal information. In other cases, fraud artists steal wallets or take documents from mailboxes, dumpsters or recycling bins. Sometimes they impersonate someone to trick organizations into providing that person’s information. They can also illicitly gather information about victims online or trick people into revealing personal information with spam e-mails designed to look like they come from legitimate organizations such as banks.

Some fraudsters have developed particularly creative techniques to vacuum up personal data. In an Ottawa case, thieves created phoney job ads and asked people who submitted resumés to provide a date of birth, driver’s licence number, SIN and home address. The information was then used to fraudulently obtain credit cards, driver’s licences and SIN cards. In another case, thieves sent out e-mails promising tickets to the Oprah Winfrey Show to those who replied with their personal information.

A very serious e-mail scam used by identity thieves is known as "phishing". A fraud artist sends an email that appears to come from a reputable company or business. The message indicates a problem with the recipient’s account, and asks for account numbers and other personal information to "correct" the file. This information is then used to commit fraud.

People are beginning to catch on to "phishing" scams, so some crooks are now sending e-mails asking people to call a telephone number – set up with a message system that sounds legitimate. This relatively new tactic is called "voice phishing" or "vishing."

How big is the problem?

It is difficult to pinpoint the number of victims, because not everyone reports the crime, and those who do often contact different organizations. As well, crimes such as credit card fraud often get lumped into the same category

PhoneBusters, a police task force set up to tackle telemarketing fraud in Canada, received calls from some 7,800 identity theft victims reporting losses to themselves and to businesses totalling more than $16 million in 2006. However, PhoneBusters estimates those numbers represent only a small percentage – perhaps 5 per cent – of the actual figure.

Nine per cent of Canadians – or 2.7 million people – have fallen victim to identity theft at some point in their lives, according to the findings of a 2003 Ipsos Reid survey.

In the U.S., the FBI estimates identity theft costs American businesses and consumers $50 billion a year and affects some 10 million victims annually.

How can I avoid becoming a victim?

The best thing you can do is protect your personal information and be cautious whenever anyone asks you for it. Information such as your address, your Social Insurance Number (SIN), birth certificate and your mother’s maiden name can be more valuable to a thief than the money in your wallet.

It is clear that many people are leaving themselves vulnerable to identity theft by making their personal information too readily available. According to recent Canadian surveys:

• Nearly six in 10 Canadians carry their SIN card with them at all times.
• Almost one in three people don’t shred personal documents before tossing them in the garbage.
• Over 60 per cent do not review their credit report at least once a year to check for fraudulent activity.

Sometimes we are too quick to comply – too polite, perhaps – when someone asks for our personal information.

A research project by cyber security specialists in Britain is a case in point. A trio of phoney interviewers claiming to be conducting a survey on theatre-going habits convinced virtually everyone who stopped to talk to them on a street corner to reveal vital personal information. Nine of every 10 people who took part in the bogus questionnaire provided their names, dates of birth, and mother’s maiden names – the kind of information that could be used to break into bank accounts or open new ones.

Everyone needs to learn to ask questions about why information is being collected, how it will be used and how it will be protected. If you are not comfortable with the answers, you should decline to provide the information. You should also take steps to verify that people asking for your personal information – particularly over the phone or via e-mail – are actually representing the organizations they say they are.

There are a number of ways you can lower the risk of becoming a victim of identity theft:

• Keep key documents that you don’t need on a regular basis – your birth certificate and SIN card, for example – in a safe place such as a safety deposit box.
• Put a lock on your mailbox. Keep track of when credit card bills are supposed to arrive and call the company if they are late.
• Don’t give credit card numbers over the phone unless you are sure who you are speaking with.
• Review all credit card and bank statements as soon as they arrive to check for discrepancies.
• Shred or burn all papers with personal or financial information, including statements, bills, receipts and credit card offers.
• Immediately report the loss or theft of credit and debit cards and government documents such as SIN cards, birth certificates, driver’s licences, and immigration papers.
• Educate yourself about online security and privacy measures, including firewalls and virus protection.
• Be suspicious of e-mails from financial institutions and other organizations asking you to provide personal information online. Reputable firms never ask for personal information in this manner. Look up their telephone number in the directory and call. Never click on any links in the e-mail or cut and paste them into your browser - the link may take you to a fake website.
• Check your credit report from a credit reporting agency once a year to ensure it is accurate and doesn’t include debts you haven’t incurred.

For more tips, see the OPC’s Identity Theft Checklist.

While you can reduce the risk by taking care with your personal information, it is impossible to eliminate the risk of identity theft entirely.

We all depend on the numerous legitimate organizations that collect information – stores, banks and government departments, for example – to keep that information safe. Unfortunately, as demonstrated by headlines about large-scale data breaches, they are not always successful. This is why checking your statements and regularly looking at your credit report is so important.

What should I do if my personal information is compromised by a data breach?

If an organization that has collected your personal information notifies you of a data breach, there is a risk it will be used by identity thieves. To protect yourself:

• Contact the fraud departments of the two major credit bureaus. Request that a "fraud alert" be placed in your files. Order copies of your credit report, and repeat this step in six months.
• If your credit card information has been compromised, contact the credit card company to discuss whether the card should be cancelled and replaced.
• Watch for credit card and other bills as well as bank statements to arrive in the mail and follow up if they don’t come on time.

What are some of the signs my identity might have been stolen?

• Your bills and account statements don’t arrive when they are supposed to.
• Collection agencies or creditors call about accounts you don’t have or bills that you have already paid.
• A credit-granting institution informs you that you have been approved or denied credit you have not applied for.
• Your banking statements show withdrawals or other transactions you didn’t make.
• You are denied credit even though you believe you have a good credit record.
• Your credit report shows debts that are not yours.

What should I do if I’m an identity theft victim?

It is important to act quickly to prevent a thief from opening more accounts or borrowing more money in your name.

You should contact:

• Local police. Ask them to take a report and ask for a copy so that you can provide it to the organizations that you will have to contact later.
• Every organization, such as a credit card company, where credit may have been fraudulently obtained in your name. Provide details of what happened, ask them to investigate and take appropriate actions such as closing accounts or cancelling cards.
• Major credit reporting agencies. Ask for a copy of your credit report and discuss whether your file should be marked with a fraud alert, which will advise creditors to contact you before opening or changing accounts.
• PhoneBusters, a police organization that collects information about identity theft and offers advice to victims. 1-888-495-8501. info@phonebusters.com
• Reporting Economic Crime Online (RECOL), a partnership involving international, federal and provincial law enforcement agencies. www.recol.ca
• Any government offices that issued any documents stolen or misused as part of the identity fraud.

You should also:

• Keep a detailed log of who you have called and what was said and document any expenses you incur as you clear your name and re-establish your credit.
• Be cautious about using "credit-repair" companies. There is usually nothing they can do, and some have been know to propose a solution – establishing credit under a new identity – that is itself fraudulent.
• Close your bank accounts and open new ones. Insist on password-only access to them.
• Get new bank machine and calling cards with new passwords or personal identification numbers (PINs).
• Get a new driver’s licence.
• Tell your telephone, cable and utility companies that someone using your name could try to open new accounts fraudulently.

A detailed guide for identity theft victims is available from the Consumer Measures Committee, a federal-provincial group working on ID theft. The group’s web site, http://cmcweb.ca, includes a log sheet to help victims keep track of who they’ve contacted and an identity theft statement form, which victims can provide to financial institutions, credit card issuers and other companies.

When should I complain to the Office of the Privacy Commissioner of Canada?

The Office of the Privacy Commissioner can investigate data breaches, which may lead to personal information being used to commit identity theft. In this way, our Office can identify weaknesses in the systems of a private-sector organization or government department and help it to close gaps and prevent further data breaches.

Some provinces have adopted their own private-sector privacy laws, which are enforced by provincial privacy commissioners:

Quebec http://www.cai.gouv.qc.ca

Alberta http://www.oipc.ab.ca

British Columbia http://www.oipc.bc.ca

Online ID theft information

• Consumer Measures Committee
• SafeCanada.ca – Identity Theft Questions and Answers
• PhoneBusters
• Reporting Economic Crime Online
• Privacy Rights Clearinghouse (U.S. non-profit consumer group)
• The Anti-Phishing Working Group

Links to Online ID theft quizzes

• Onguard-Online Identity Theft Quiz
• Council of Better Business Bureaus ID Fraud Safety Quiz
• Privacy Rights Clearinghouse Quiz: Identity Theft IQ Test
• Privacy Rights Clearinghouse Quiz: Identity Theft IQ Test – Interactive Version
• SonicWALL Phishing IQ Test

March 2007