Recovering from identity crimes can be daunting and take a toll on your entire life, not just financially and emotionally. Once someone gains access to one of your accounts, they can work to manipulate your friends and relatives as well.
Today’s guest is Eva Velasquez. Eva is the President and CEO of The Identity Theft Resource Center. She previously served as the Vice President of Operation for the San Diego Better Business Bureau and for 21 years at the San Diego District Attorney’s Office. She is an author, public speaker, and a recognized expert who has been featured on CBS Mornings, NBC Nightly News, New York Times, NPR, and numerous other media outlets.
- [1:02] – Eva describes her role as CEO and President of The Identity Theft Resource Center and what the organization does.
- [2:11] – Eva began her career in law enforcement and learned firsthand how dismissive we are of victims of identity crimes.
- [4:26] – The great majority of these crimes go completely uninvestigated.
- [5:48] – Your energy is best spent on recovering what you’ve lost rather than trying to convict the perpetrator.
- [8:03] – Identity theft isn’t the only identity crime.
- [9:47] – Most scams and data breaches at this time can be considered an identity crime.
- [11:06] – The majority of identity crimes that are reported at The Identity Theft Resource Center are caused by social engineering.
- [13:42] – If you see some unusual activity or communication on social media from someone you know, let the real person know.
- [16:17] – Chris shares a strategy for family passwords to verify their identity.
- [18:11] – There are several different types of identity fraud. A lot of it is credit cards, but it could be other types of loans or accounts.
- [19:54] – Identity fraud is complicated to solve.
- [21:00] – Eva shares the story of a victim who was carjacked and has had non-stop identity theft issues.
- [22:24] – People who are victims of identity theft may even have major problems in getting jobs.
- [23:42] – The number of victims who have felt suicidal after identity theft has increased year over year.
- [25:37] – The Identity Theft Resource Center is like AAA roadside assistance. Reach out to them.
- [28:00] – Eva shares that this is her life’s mission. She would love a world where The Identity Theft Resource Center wasn’t needed.
- [29:22] – Password management needs to be improved.
- [31:03] – Multi-factor authentication is absolutely necessary.
- [33:28] – If you ever get a call from someone claiming to be from your bank, hang up and actually contact your bank using the number on your card.
- [34:42] – We need to flip our view of “annoying” security measures.
- [41:57] – Safeguard access to all the accounts you have, even email accounts.
- [43:16] – It can take anywhere between a day and ten years to resolve identity fraud. It is very situational.
- [46:03] – It may also be possible for something to appear solved but then it is in remission.
- [47:20] – There is no shame in asking for help. It is very complicated.
Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review.
Links and Resources:
- Podcast Web Page
- Facebook Page
- Easy Prey on Instagram
- Easy Prey on Twitter
- Easy Prey on LinkedIn
- Easy Prey on YouTube
- Easy Prey on Pinterest
- The Identity Theft Resource Center
- Eva Velasquez on LinkedIn
Eva, thank you so much for coming on the Easy Prey Podcast today.
It's my pleasure to be here. I am so glad we're going to talk about identity crimes.
This will be a great conversation. Can you give me and the audience a little bit of background about who you are and what you do?
Sure. I'm Eva Velasquez, President and CEO of the Identity Theft Resource Center. The ITRC is a 501(c)(3) nonprofit organization that provides free recovery services to victims of identity crimes and compromise. We do a lot of research in this area. We help educate lawmakers and the public. Everything that we do for the public is free of charge.
I know sometimes people are a little bit skeptical. I want them to embrace a healthy dose of skepticism for sure, but we are a legitimate charity organization. You could look us up at third-party accreditation services like the Wise Giving Alliance, GuideStar, Better Business Bureau, all of those places now that we've been around since 1999. We never charge the individuals that contact us for help, whether it's for recovery health, risk minimization, just wanting to learn more, and all of those good things.
How did you get into the field?
Goodness. There's a long story behind this. I started my career in 1986 in law enforcement. I spent 21 years at the San Diego District Attorney's office with the last 11 of those years investigating white-collar crime, with a particular focus on consumer protection. I was very much on the side of, “Let's get the bad guy.”
During that time, I learned and saw firsthand, honestly, just how dismissive we are of this crime type, this population of victims. We really didn't have any resources or services for these folks.
When the ITRC was founded in 1999, I was ecstatic. I had a place to send these victims who wanted and needed more from me than I was capable of giving them. I knew how to investigate fraud as a fraud practitioner, but I couldn't provide them with recovery services and a guiding hand. It just wasn't part of my job, or frankly, my skill set at the time.
When the opportunity presented itself for new leadership at the ITRC, when the founders retired, I just thought there was a natural evolution. It may look like I cobbled this together, but I really understand the victim experience. I understand the coercion as often a tool with a lot of these victims.
They are talked into sharing their information, responding to a text, an email, a phony website, or whatever the scenario is. But I understand that coercion piece just because of my own childhood and background. The experience in law enforcement was, “We need to pay more attention to this victim population because they're not getting the help they need.” Now I've been running ITRC for the last 10 years.
From the law enforcement perspective, while you were in the field, did a lot of these crimes go unsolved, or do a good portion of them actually result in a conviction?
The vast majority of these crimes don't only go unsolved, they're not even investigated. The great challenge with this particular crime is it's so anonymous. There aren't a lot of good leads that are going to actually lead you to the real individual. It always points back to the victim. They're using the victim's credentials. There's often just not enough to go on.
I'm always telling my friends and my colleagues in law enforcement that they need to do more. I want to see more support for victims, and I want to see them providing more resources for the fraud division, for the cybercrime division, or however they're structured within that particular agency. I also understand from firsthand experience just how hard it can be when you're going, “I have nothing to even follow.”
That’s an issue because I have a lot of people that will approach me on my website about, “Hey, I've been a victim of identity theft, and I want to go after the perpetrator.” In some cases, I don't have the heart to tell people, “I think getting your pound of flesh is going to be really, really hard. You're going to spend a lot of effort, time, money, emotion, and probably not going to be happy with the result that you're going to get. The best is to focus on recovery or getting back to life.”
Oh, my gosh. Have you been listening to our messaging? Because that is the exact same thing that I tell people. I even use that same term. Focusing on getting your pound of flesh is not going to give you the resolution that you think it will, and your energy is better spent. I want you to put that towards recovery and knowing that you can recover because the likelihood of even figuring out who did this is so small. And getting a conviction. It really isn't as satisfying as I think. A lot of folks would want it to be because even with the convictions, the penalties aren't that strong.
What are the typical penalties for identity crimes?
It varies from state to state. Of course, you're going to get different allegations. There could be some types of allegations where you can increase the penalties. It's really going to be wildly inconsistent, but it's a rarity when you see somebody get years. A lot of times, it's 18 months, maybe 24 months.
If it's really egregious and there was a high-dollar loss, then you start seeing more like the five and six years. But getting things like 20-year penalties for this crime, even if it's devastating a lot of people, it's very, very rare. I can't say it's never happened, but it's very, very rare.
That's unfortunate. I think we talked a lot about ID theft, and you're coming from a position of ID theft isn't the right terminology we should be using. We shouldn't be using identity crimes. Can we talk a little bit about the distinction of that, what that really means, and what is included in identity crimes?
The reason that we broadened our language internally at the ITRC is because there are so many different ways that an identity can be compromised and misused. We do feel that a compromised piece is often forgotten. We don't think of that as a crime, and we do.
When we talk about identity crimes, I am talking about scams where your information is collected. You think you're talking to maybe a business, a government agency, a friend on social media, or whatever the hook is. You've self-compromised that information. That’s a crime. That's a scam.
Data breaches. When our systems are attacked, and that data is exfiltrated, and your data is then taken, generally, it's usually exposed somewhere. It's up for sale on the dark web. Now we even see a lot of place's credentials are for sale on the public web. They're not even hiding in the shadows anymore. That's the theft piece. It’s been stolen. That's how all of our statutes are written.
The reality is, most of the time when people think of identity theft, they think of identity fraud. It's where their information, their PII or personally identifiable information, their credentials, like a driver's license number, Social Security number, and those types of things, are actively being misused. That's identity fraud.
We're not talking about somebody getting into my Facebook account or my social media accounts.
We are because username and password are identity credentials now. If you think about it, they're used a lot of times across multiple platforms. It's how you're authenticating yourself. Having someone access one of your online accounts without your permission, and then not only getting into it, but taking it over and using it, that's definitely an identity crime.
If you want to talk about social media account takeover, I got the surveys, and I got the stories. It has increased exponentially. We've talked to literally thousands of people who have had their accounts taken over and not through hacking. Not through technical vulnerabilities, but through social engineering and the hacking of our brains.
Is the vast majority of what we would call credential stuffing, where the person has just reused the same password, is it more often that they've been tricked into giving up their password, or is it that they've reused a password from somewhere else?
Remember, this is all of the people that are contacting us. I don't think most victims are going to know if it was some credential-stuffing attack, so I don't know that they would contact us. But the vast majority of people that we've talked to, it's through social engineering. It's through them sharing those credentials with someone else under false pretenses, of course.
The reason sounds so legitimate. They're very confusing. A lot of people just were users, but we don't actually understand the technical aspect of these platforms that we're using. We don't get into the weeds. I can give you an example if you want.
Yeah, let's talk about some of the trends that you're currently seeing in attempts to solicit people's credentials from them.
I think that with social media account takeover, it has really been spreading like wildfire. I think the reason for that is that once a few accounts were taken over, now these scammers have borrowed trust, borrowed credibility because you actually think, “OK, I'm friends or follow Eva on social media. Now, Eva is reaching out to Chris and saying, ‘Hey, I DM’d you. Hey, you know what? I lost my phone. I'm so savvy. I have multi-factor authentication turned on, but I can't use that number anymore. Can I use your phone number and send you the code so I can get back into one of my other accounts?’” You go, “Oh, sure, Eva. I'd be happy to do that for you.”
Well, one, that's not how it actually works. And two, that code that's being sent to you, that's actually for your account. The scammer very likely already has your login credentials. Maybe they were purchased off the dark web. Maybe they were shared in some other way, but they just need that one more piece.
They know your username and your password. Now they need the MFA code to get in, and you share it thinking you're helping a friend. Boom, your account's taken over. That is a real-life example. We hear about that all the time.
I definitely have gotten those occasional, somebody I know were work acquaintances, and I get, “Hey, Chris. How's it going?” Direct Message. To me, that's like, “OK, you haven't reached out to me in years.” Initially, it's a little odd. And then some small talk that wasn't consistent with how they behave.
It was like, “Hey, I'm in a bit of a jam. Can you help me out with my electric bill?” I'm like, “No.” I'm trying to contact his wife, his friends. “Hey, his account's been taken over.”
Right. I think this that your account has been taken over, that's a really important step, because oftentimes for very casual users, they don't know because they're not in there that often. I also tell people to go to the source. If you get some incoming communication, whether it's a direct message on social media, an email, a text message, even a phone call, if you didn't initiate the contact, and you're being asked to provide something, whether it's your data, money, or even your time, go to the source and verify that.
The interesting thing with social media is that, often, some of the feedback we get on that is, “I don't have another way to contact that person. We're only friends on social media. We've never met. We’ve never actually talked to each other.”
My pushback on that has always been, “Why are they asking you for help? Don't they have friends in their real network, in their life, family members, neighbors, parents, people that they went to school with or work with, that they can ask those favors from? That seems really out of place that someone you've never met and have no other contact with, other than following them on social media, is asking you for money. I'd say no.”
I'm sorry, I have no way to verify who you are. Have a nice day.
I guess the challenge is no one wants to say that to someone that they think of as a friend.
That's so unconscionable about this particular hook. We've talked for years about how the bad actors will leverage it. Sometimes our lesser angels will leverage greed, FOMO. They create that sense of urgency. Gosh, darn it. Now they're leveraging our altruism. Now, they're leveraging our desire to help our friends and family. I think it's terrible. Unfortunately, it's very effective.
Some of the people that I know have a family password, so to speak. Not a password to an account password. “If you ever get a call from someone claiming to be me or message claiming to be me, that we have an agreed-upon phrase that we will use to authenticate, that we will never share online. If little Susie calls and says, ‘Hey, I've been kidnapped,’ she's going to say the phrase which authenticates that I'm really little Susie who's been kidnapped versus the scammer.”
That is very, very clever. I think it might be a little challenging. It would depend on how big your family is. It's one thing to get four people to remember a specific phrase. My husband comes from a very big Hispanic family. There are a thousand of them. He literally has seven siblings and eight million cousins.
I think if you try to scale it up, it's challenging. You bring up a really good point with this in that that's a great solution for some people. A smaller family, a smaller group, good idea. I would say, go for it. But not all solutions work for all people or all groups of people, and that's OK. You find the ones that work for you.
Absolutely. Let's take a step back and talk about some of the different types of identity crimes that happen. We've talked a little bit about social media accounts. I think, commonly, we talk about financial accounts, Social Security, or identity stuff. What other things that you consider identity crimes?
Definitely any kind of account takeover. We already talked about data breaches and data compromises, when you have provided your information to a platform, a system, an agency, or an entity. The other obvious type is data breaches, where your data has been compromised. It wasn't you, you provided it to a legitimate entity and they had to store it, but for some reason, their system was compromised and that data was exfiltrated.
When we talk about identity fraud, this is what I think most people think of: the misuse of your identity credentials. There are several different types in addition to financial. Now, far and away, most people think financial is credit cards, and it's a lot of it. Don't get me wrong, that is a lot of it. It's not just credit cards. It can be bank accounts, checking or savings accounts being opened. It can be other types of loans, car loans, mortgages, student loans, payday loans, any type of credit instrument falls into financial.
Taxes fall into government identity theft. Government, documents, and benefits fraud, that's what the FTC calls it. We just simply shortened it, we say government. That can be the IRS. That can be your state taxes. That could be unemployment. It could be other types of benefits like SNAP benefits. Any government system where your information is being misused.
There's medical, where your information is used to get medical goods or services. That includes things like prescription drugs or durable medical equipment. And then there are criminals. Criminal is where your information is provided to law enforcement either during or after the commission of a crime, and you now have that criminal record.
Those last two are generally much smaller as far as the scope of the crime. For us, 4% of our cases last year were criminal, and only 1% was medical identity fraud. But I do want people to realize that those are some of the most complicated to resolve and recover because we don't have good, uniform processes in place for those two types. It's done for medicals. It’s done for provider by provider insurance.
There are so many different insurance companies and they don't interface with each other. With criminals, there are so many different law enforcement agencies and jurisdictions that you're dealing with. There are over 17,000 law enforcement agencies in the United States.
Wow. I imagine the criminal one has really far-reaching consequences. You could end up in jail because of this. It's not just the inconvenience of, “Oh, gosh. I can't get a new credit card or I can't get an auto loan until I sort this out. I may end up in jail.”
I'm going to talk to you about two cases. These are just from yesterday. The first one was a case where the victim was actually carjacked back in 2018 and has had ongoing issues with medical identity theft, credit cards, loans.
Within the last week—10 days—they were arrested for a criminal case and decided that they needed to bond out in order to get this resolved because she had just had a C-section and could not be in jail with her health. They've paid the bond to get her out. Now they are trying to prove that this wasn't her.
The other one was an individual who emigrated to the US in 1998 and found out right around that timeframe that his driver's license in another state, in the state where he first was residing—he's now in Georgia, but another state on the East Coast—was used for criminal activities in Florida. He has not been able to get this completely resolved with these criminal cases in Florida.
Since 1998, he has worked in IT, but hasn't been able to get a job in IT because he can't pass the background check. He essentially became a stay-at-home dad and his wife is the breadwinner. But now, he's older, the kids are grown, and he's feeling hopeless.
He's tried to go through the state. I don't really want to name it, but I want to name it. He has submitted his fingerprints and is working through that issue. One of the things he said was, “I feel like I don't have any value. I'm not providing for my wife and my family. The only thing that is stopping me from ending my life is my faith because it's a sin for me to do that.” He's so desperate. He's willing to end his life to get out of this scenario.
I think that's something people don't understand how traumatizing this can be. We surveyed our respondents that reached out to us in the previous year, and we asked them about the emotional impact. The number of responses to “I felt suicidal” has been growing year over year. In 2021, for the first time, it hit double digits. Ten percent of people told us, “Yeah, when I was going through this or even still now, I feel suicidal. I don't see any other way out of this.”
Was it because they didn't feel like they were getting support from law enforcement, family, that there just really wasn't support for people in their position?
I think that's a part of it. I think the other part of it is they don't see a path to resolution. This is especially true for people who have availed themselves of a process that's in place, and then that process has failed. They're looking at it going, “I did everything that I was supposed to do, but I still can't seem to get out of this.”
Like this gentleman that called who said, “I have contacted all of these jurisdictions. I have the police reports. I've provided my fingerprints. They still won't get these off my record. That is what is stopping me from getting employment because of the type of work that I do. I can't have a criminal record.” He has this criminal record that really isn't even his.
The longer that time goes on, it gets harder and harder to prove because people go, “Why didn't you take care of this before?” He's going, “I tried, then I gave up. I decided to focus on my kids, then I tried again, then I decided to focus on the kids, and now here I am. This season in my life with no skills that I can use to earn money, and I can't even seem to recover my identity.”
That's awful that it would get to that and be that extreme in someone's life. That's distressing. What services does the ITRC provide in terms of helping people recover from identity crimes?
I often tell people, we're AAA for roadside assistance. We're there for identity assistance, so keep us in your back pocket. When you need us, reach out. That can be before you make a decision. You can call our toll-free hotline. You can live chat with us on our website. You can search on our self-directed help center on the website.
If you have to make a decision, maybe you have had a breach. Maybe you're applying for a job, and it's like, “How do I verify that this is real? What should they be asking me?” If somebody tells you, “Hey, you qualify for this grant. You won Publishers Clearing House.” Side note, Publishers Clearing House scam is making a resurgence. Who would have thunk it? But it's happening.
Other than that, they go around giving people money. Does anyone even know what Publishers Clearing House actually is?
People of a certain generation, yes. The younger people aren't falling for that because they're like, “I don't know what that is.” People our age are like, “Oh, yeah. I remember Ed McMahon coming with the big check, everybody waiting for the doorbell to ring, and have those balloons there.” It is still a real thing.
It is actually still a legitimate sweepstakes, and that's what makes it really challenging for people as they Google it or they look it up, and they're like, “Oh, they really do do that.” But they're never going to ask you for money upfront to pay a processing fee or to pay the taxes. That's a big one. You have to pay the taxes.
Folks, if you ever win a prize, you pay the taxes out of the winnings. You don't have to pay for it upfront. Most people don't have any exposure to that process because they've never experienced it before. Newsflash, most of us never will.
You haven't won the lottery six times like I have?
I won the lottery by being on Easy Prey today.
Oh, you're too kind. There are things that you could do to help people on the backend after something's happened, as well as a sounding board for someone who's like, “I'm not sure about this.” What should we be doing on not that I don't want people to avail for them to use your services, but you'd be happy if no one ever needed to use your services?
Oh, my gosh, yes.
What can we do to help people?
If no one ever called us again because identity crimes were solved, I would die a happy woman. This has been my life's mission. We're not there yet, but I would prefer that people just do a couple of things to minimize their risk.
I know it can be really daunting, especially when people think, “Oh, there are 50 things I have to do.” There are 50 things you can do; how about you tackle one a month? How about you make a couple of changes that then become a habit? Some are one-and-done, and some are practices.
I call it identity hygiene because it's not one thing. It's a set of practices that you do on a regular basis that then have a great end result. If you went to a doctor and said, “Hey, doc. What's the one thing I have to do to be healthy?” He's not going to go, “Oh, brush your teeth or wash your hair.” He's going to go, “OK, hold on.” He's going to give you a list of things to do to varying degrees.
Eat healthy. Doesn't mean you have to do that every meal, every single day for the rest of your life. No, just try to do most of the time. In a lot of ways, we can look at identity practices in that way. There are a few of them that I do need you to do every day, every time. One of those is good password management. Please upgrade your password game. Use a complex and unique password across all of your accounts, even your throwaway accounts, the ones you don't think are that important.
A lot of people will do this with their financial accounts, the ones they think, “Oh, that's my money; that's really important.” Good. That's a good start, but let's do that across all of your other accounts, because any vulnerability can be a pathway into those other accounts that you consider more important. Twelve characters or longer. Please don't repeat it, and don't make it something easy to guess, like your dog's name or your favorite car. People know that.
We post so much about ourselves on social media. It's really easy to see that stuff. Just make it a favorite line from a poem or a passphrase, something that nobody else is going to know and that you haven't put out on social media.
The other one that we want you to practice and really do every day, that's MFA (multi-factor authentication). It's mandatory on some platforms, particularly financial platforms. I think the banks—I'm going to give them some credit here—really did a good job in getting us to buy into that. I don't hear people complaining. They're like, “Oh, yeah, I got a new phone. When I sign into my bank account, I'm going to have to use multi-factor authentication.”
I think we should be doing that every time. You should just be doing that every time. Even when it's not mandatory and it's optional, I really encourage people to enable it anywhere that it's an option. It's that extra layer. Even if your username and password are breached, or you self-compromised them, without that code, someone cannot get access to your account.
One big caveat here: Don’t ever share the code with anyone. It says right on the instructions, regardless of what form you're getting it—email or SMS text—it says don't share it, but really heed that. The social engineering that's going on right now, people are getting these reasons that sound so legitimate. They sound so legitimate, but they aren't. There is no legitimate reason to share that code, none. Don't share it.
I've heard of some amazingly good bank account takeovers where the scammer would call the individual and say, “Hey. Basically, I'm calling from your bank,” because they knew which bank they were getting into. “It appears that someone has gotten into your account. They're in the process of setting up external accounts to transfer the money out. I'm going to send you a token for you to prove that you're the person I'm talking to and that I haven't called the wrong number, so I need you to give me the token number.” The person gives them the token number. “You're going to get a text message. I need you to press one to authorize me to disable outbound transfers.” That was the one that actually was enabling them to authorize the transfer.
They knew all the steps in the process and were social engineering the person on the phone to go through the steps just by approving the steps and distracting them from actually reading what was going on in the messages.
Because you're afraid. “Somebody's going to steal my money. Oh, my God, somebody's trying to steal my money. I need to listen to this. This is my bank.” That is terrifying. For anybody that's listening that thinks that's so complicated, I would never be able to tell the difference.
The ace up your sleeve is you don't have to talk to that person. If you get a reach-in purporting to be from your bank, you know how to get in touch with your bank. Hang up immediately and contact your bank. Call the number on the back of your card.
If you actually have the app in your phone, log in to the app and talk to customer service through the app. If you usually go to your laptop or your desktop and log in online, do it that way. But make sure that you are initiating the contact with your bank, and then you can ask them, “I'm so and so. This is my account number. Are you trying to get in touch with me?” You will know that you're talking to your bank because you initiated the contact.
It's the unfortunate don't trust anyone who's initiated contact with you.
I don't want to fear-monger. I know that sometimes people go, “Oh gosh, Eva. You're so paranoid.” Yeah, but there's a reason to be. We are just deluged with this. Sometimes you just have to say, “No, I'm not going to engage.”
The other thing I tell people is if you tell someone on the other end of the phone, “No, I have to verify and know who I'm talking to. I'm going to call my bank.” If it's legitimately your bank, they're not going to start yelling at you.
They're going to say, “OK, call us back because this is important.” They're not going to start yelling at you. That's a huge red flag when they shift from the fear tactics to the bullying tactics. Legitimate companies want to keep you as a customer. They're not going to bully you.
Yup. There was one time I was doing an international wire transfer. I got a call from someone claiming to be from the bank. “Hey, we just saw you doing the wire transfer and we want to verify some stuff.” I said, “OK, I'll call you back. Do you have an extension?” She's like, “Yeah, here's my extension. Call the number.”
She didn't even give me a phone number. She said, “Call the number on the back of the card. Ask for the fraud department, and I'm at extension […].” She was so happy that like, “Oh, my gosh. No one ever does that. They just start talking to me. It's like, what's wrong with them?”
Yeah, see? That's the reaction you're looking for, folks. If you want to make sure that this is a legitimate reach-in to you, it's that kind of reaction, especially in the fraud department. Her fraud practitioner heart was singing when you said, “No, I must verify.” She was like, “This is beautiful.”
Me being on the receiving end of it, I was super excited because she was giving me the third degree. “Who were you sending this money to? Why are you sending to them? You just opened up this account. Are you sure that it's a family member that you're sending the money to? How did they reach out to you?”
While being annoyed, I was also really happy at the same time. I'm like, “This bank is doing the right thing. They've got my back.” I was actually surprised by how much she was pushing back and not just like, “Oh, OK. Thank you. Have a nice day.” She pushed back pretty hard, and I was like, “Wow. I wish more and more entities would do that.”
I know we're going down a rabbit hole here. Isn't that what podcasts are for? I think that we have to flip this convenience versus security, or friction and frictionless interactions on its ear.
A lot of folks—customers—will say that they value their privacy and cybersecurity. They want to make sure that their information and their accounts are secure. Yet when presented with just a little bit of friction, they react the same way and that they disengage, they leave, or they don't. I really want to encourage people to rethink that.
When you encounter friction at your bank, at a retailer, any place you're trying to do business, say thank you. Thank you for protecting my credentials. You actually don't want to say, “I don't want to do business with you because you made it too hard.” It’s the opposite. Oh, I want to keep doing business with you because you're making it really hard for someone else to pretend to be me. That gives me a level of trust.
That's a super weird attitude to have. It's my attitude. I still grumble. Also be like, “Ah, I have to go get this information, or I have to go do this.” To your point, you're like, “I was annoyed,” but you reflect on it. You go, “Man, you have my back.”
Yeah, and I think that's where the criminals are really trying to take advantage. They're exploiting our desire to have frictionless transactions. The best way to stop fraud is adding friction. Whether we're adding or we've got things in place that add friction, that's good.
Talking about adding friction and inconvenience. MFA, two-factor authentication purists will say, “SMS is absolutely worthless. It's as good as not having MFA at all. You should have a hardware token. You should have an authenticator app. If you're not doing that, it's pointless.” What's your position on this?
I disagree that it's pointless. I tend to look at these types of activities as good, better, best. Using the authenticator app is, in our opinion, the best way to go, most secure. It's not for everybody. It is not necessarily that intuitive.
I hope that maybe some people listening will go, “Well, if that's the best, maybe I should investigate that, look at that, and see if I can learn how to use it.” But what I don't want people to do is go, “Well, the gold star is the authenticator app, and I don't get it. I don't know anybody who can teach me how to do that, so I'm going to do nothing.” No, go ahead and use the SMS. Use the email. Have the code sent over to you because it is absolutely better than nothing.
There are caveats to that. Again, don't share the code if you're getting it on your phone. Make sure you're practicing good device hygiene and that your phone isn't accessible to a lot of different people that you've got it in some way password or biometric-protected.
The same thing with your email. Please guard that email account like you would a financial account. It really is the key to the kingdom. It could reset all your passwords. Make sure you’ve got a pretty darn hard-to-guess, complex password on that email account. Just get curious. Get curious about how these things work. I'm not going to be a purist about MFA, except in the sense, use it. Enable MFA. Please enable MFA.
You were talking about guarding your email address.
Yeah, access to your email account. I definitely had people who were like, “Oh, that's OK if they get access to my email. I'm not talking about anything important.” I'm like, “Is that the email account that you use to log into your bank account, because they could do a password reset from it. Get access to email, change the password to your bank account.”
Any account that you have access to.
Any account that you have access to, and then they can delete all those emails. Then they can change the email address. Now you no longer have access to your bank account at all, and you don't even know how it happened. These days, for people in the US and probably all over the world, email is much more important than Social Security numbers.
Almost. I think if it hasn't already, it is going to become more important. Social Security number, while it’s a necessary credential to do a lot of these activities, it's static data. Your email just has so many access points. You're using it in so many different ways.
I've told people if you have one email that you use for important stuff and one that you use your throwaway email, OK, that's probably not a bad idea, but I would still be careful with safeguarding access to those accounts. Even though you're like, “Well, I don't use this for my bank or whatever,” people might still know it's you. It could be used to perpetrate scams against people that you know. I would still guard email accounts, whether it's a really important one or a throwaway one, using a strong password, unique, not the same on both accounts.
Before we wrap up here, I wanted to ask about the recovery process for helping people recover from ID crimes. As an expectation, what are the normal timetables of getting people back to where things are resolved?
We live in this NCIS, CSI world, where we think court cases get resolved in two hours or less, or in 30 minutes because it took 30 minutes to figure out who perpetrated the crime. Now we have to convict them in 30 minutes. What expectations should people have in the timetables, whether they have the skills and the resources to do it themselves, or they're working with an entity like you guys? How long can this take?
You’re going to hate this answer, and so are your listeners. It can take anywhere from a day to 10 years. I would say the majority are going to take less than a month, but it is very situationally dependent. Existing financial account fraud, like a credit card, that's relatively easy. Most of the time, depending on the card and what transpired, you can get that resolved in a day.
Even that is shifting a little bit because the banks right now are in long conversations about authorized and unauthorized payments and what their requirements are under the law to reimburse folks for unauthorized payments. They're stepping back and going, “Well, if you actually authorized this payment, even if you thought you were talking to somebody else, but you authorized it, we're not going to reimburse for that.”
If you Zelle someone, Venmo someone, or Cash App someone money.
Right. Zelle because that's in the banking platform. Other platforms have a whole different set of regulations, but Zelle is what belongs to the banks. That's actually cash. We could have an entirely new episode on the different payment types and what are the safer ones to use.
To get back to your original question, it can just be so wildly inconsistent because with the different types of identity theft, it really depends. How many incidents are we looking at? How many entities are involved? How long has this been going on?
One or two incidents, recently discovered, all financial, you're probably talking a week, maybe. Before, you might have some follow-up stuff, but maybe a week. When you start throwing in things like government, criminal, medical, now we're definitely talking months. That's going to take months.
If you have a persistent thief, someone who has a lot of data about you, it just keeps trying every different way to monetize it, even if you're like, “I froze my credit. I locked down all of my accounts.” They're just going to keep trying. It might come in the form of unemployment benefits in states you don't live in, filing fraudulent tax returns in states you don't live in.
They can be so creative in the ways that they monetize it. It's almost like the case goes into remission, and then it pops up again. It's really hard to pinpoint. Has recovery actually occurred, or is this remission? I told you you weren't going to like that answer.
I think it's important to set people's expectations. The last thing you want is someone who's like, “Hey, I think I can get this solved in a couple of days,” and it turns out to be years. Or someone who thinks, “Hey, this is going to take years,” so they don't try to resolve it when it could have been resolved in a couple of days.
You're never going to know until you take the first step of discovery and find out what you've got in front of you. There are places like us. I'm always going to encourage people to contact the ITRC, but you've got the Federal Trade Commission. They have a hotline. They have a lot of great resources. You can get your identity theft affidavit in lieu of a police report sometimes.
Most of the time, you're going to need a police report. But sometimes, it'll serve depending on the entities involved. AARP Fraud Watch Network for seniors. There are some really good, legitimate free resources out there. That's probably a great message and note to wrap up because I know we've been talking forever.
There's no shame in asking for help. This is really complicated. You are in the weeds like me. We do this for a living, and I'm still learning new things every day and seeing these things more. Somebody who's not in this space day in and day out, they're going to be really confused.
No, don't be embarrassed. Reach out for help. Have someone show you, “OK, here's your path to recovery. I'm going to be with you every step of the way,” which by the way, is how we operate. There's no limit to the amount of time you can talk with advisors, to how many calls you can have, or how long it takes. We are there with you until you're done, until you let go and say, “I think I'm good. Thanks, ITRC.”
How can people get a hold of the ITRC?
You can go to our website, which is idtheftcenter.org. You can also call our toll-free number, which is 888-400-5530. Please remember that's an 888 and not an 800 because it goes to a very shady number. We've had this number for 20+ years, so we're not changing it. If you go to the website, you can live chat with us. That is a real advisor that you'll be talking to.
Not a chatbot.
No. We have an after-hours chatbot that would try to help guide people to resources and things like that. But during the day, it's a real advisor. If you contact us after hours, you can leave a message and an advisor will reach back out to you when we're back in the office.
Awesome. We'll make sure to include the link to that and the phone number in the show notes if people don't want to try to write it down while they're driving and things like that. We don't want people to be unsafe and make sure that those are easily accessible.
Eva, thank you so much for coming on the Easy Prey Podcast today.
It really was my pleasure. I hope folks learned a few things. I'm happy to come back and do a deeper dive into any of these topics because we did cover a lot of ground.
We did. Love to have you back.
It was a great conversation. Thank you.