Hacked and Hijacked! What to Do if Your Identity Gets Stolen
Symptoms:Imagine the pit in your stomach: finding charges on your credit cards or bank statements for items you didn't buy; applying for credit or a mortgage and being denied due to delinquencies on accounts you didn't open. The amounts for the previous year's reported income on your annual Social Security statement is incorrect, and for more than you earned. Or you get a letter or call from the IRS attempting to collect on back taxes for income you never made. Or you've stopped receiving credit card statements in the mail -- even when you have a balance due. Even more frightening, you may also have recently had issues with your PC, or been unable to log into online financial accounts. Maybe you've found that your e-mail or social networking accounts have been compromised.
Diagnosis:While credit agencies and lenders are far from faultless, and do make errors, finding a hiccup in your statements or credit reports is a pretty good sign there's mischief going on. Credit card scammers and identity thieves made off with more than $37 billion last year in the U.S. alone. (Yes, that's a "b" as in billion.) Although that's actually a dip compared to 2009, more than 8 million Americans were stung by some form of identity theft last year. Thankfully basic credit card fraud is usually resolved for little to no expense with a few phone calls and perhaps a letter to your lender. Things get dramatically hairier, though, when your identity is used to initiate new credit accounts.
If a criminal successfully applied for credit in your name, you may not become aware of it for weeks or even months, making recovery all the harder. In the interim, the indentity thief could establish credit card and bank accounts with overdraft privileges, get a driver's license in your name, get a mortgage or student loans, buy cars or boats, apply for disability -- even rack up crazy debt, and then declare bankruptcy. In fact, so-called new account fraud represented the largest amount of fraud in the U.S. last year -- to the tune of $17 billion.
The horrifying and tremendously unfair result is that, depending on the cleverness and ambition of the criminal and the severity of the damage, you may deal with the ramifications for years to come.
If you've caught things early in the process, though, you may get lucky. But time is of the essence.
Causes:Criminals certainly still rely on the many trusted, old-school ways for pilfering your identity -- by intercepting your mail, stealing your wallet or purse, and using social engineering skills, which is the jargon-y way of saying manipulating people to give up information or access they shouldn't.
The rise of the Internet and digital systems has created a playground for con artists. Before, an enterprising thief would generally have to physically take action; today, he only needs a computer with Internet access, a little know-how, and a random stranger who doesn't practice safe online behavior.
As we detailed previously in our PC safety guide, there are thousands of types of malware that can be snuck onto your PC, snagging the log-in info for all the sites and services you use, and forwarding it to a hacker without your knowing. You might get infected with one by visiting a site that deliberately (or, if it has been hacked, unintentionally) installs malware. Or, you can accidentally install malware by clicking on links in a friend's tweets or Facebook posts, or from spam that contains attachments.
Or you might even be fooled into giving your login information away by phishing attacks; generally, you're sent an e-mail from what seems like your bank or credit card company with a link leading to a spoofed website that has you input your password.
It's also possible that one of the companies or services with which you do business has had its network hacked, and your information was stolen -- which is far from uncommon. While the feds still haven't passed a law, some states require companies that have had customer data stolen to notify victims quickly, and, in most cases, provide them with credit counseling and access to free credit reports or monitoring.
Treatment:No matter what method was used to nab your identity, there are a few things you're going to want to do in the next five minutes. We'll give you the brief version, but definitely read the Federal Trade Commission's full breakdown of the steps you're going to need to take -- again, as soon as possible.
- Immediately call whatever institution that you know has been scammed, such as your credit card company or bank, tell them what happened, and ask them to go over any charges that seem suspect. If your debit/checking card was hit, it's possible they'll put a freeze on your account for a few days while they investigate, so you may want to hit an ATM first. It's likely that you will end up having to close the account and start a new one. For added safety, call all your other credit card, banking and financial institutions, and check to see if anything is fishy. Also be sure that all your account information hasn't been changed. That includes address, PIN code and contact phone numbers.
- Go to a local police station, and insist that they file a report. You may also end up filing reports with other agencies like the FTC or the FBI, depending on the types of crimes that unfold.
- Call one of the three main credit agencies, listed on the FTC's help site above, to put a fraud alert on your credit report. Be sure to list a cell phone number, so that, if the thief attempts anything again, you can be notified immediately.
- You're entitled to a free credit report from the three agencies. Check them, and look to see if any new lines of credit have been established in your name, and if any old lines of credit have been used as well.
Having locked things down, you'll then have to do a technological assessment. If, for instance, you know that you've recently fallen prey to a phishing scam, that possibly means that the problem is somewhat contained. If you don't know how your identity was stolen, it's not a bad idea to assume that it was accomplished using the Internet.
- If you own a Windows PC, have used one to access any financial sites, or have used one for any business transactions, you're going to have to fully scrub your computer to make sure it isn't infected with malware. Click here to see our suggestions on how best to do it. If you're using a Mac or Linux box, you can assume you're most likely clean, but a virus scan wouldn't hurt. Don't log into any websites until you've done this first.
- Once you are positively sure that your PC is clean, log into all of the financial sites you use, and check to see if any of your account information has changed. Definitely change your passwords, and use a different one for each site.
- Also check your e-mail and social networking accounts to look for changes, as well; if your account has been infiltrated, it's possible that useful personal information has been harvested from old messages or your profile. Again, change your passwords; make them strong and different. (Click here to see how to lock down your e-mail, and what settings to check to make sure it's safe.)
- Make sure you document everything (e.g., what accounts have been compromised, what the ramifications were), and keep a physical folder with all of the information for use as evidence if anyone is ever caught. For more info on what you can do to recover your life, click here for a detailed explanation by the FTC.