The only thing an identity thief needs is your Social Security Number, your birth date or, sometimes, identifying information as basic as your address, driver’s license number and phone number.
Some of the places identity thieves get this information include:
Property
- Purses/wallets.
- Personal information kept in your car (especially your glove box).
- Receipts tossed in the trash.
- Information stolen from your mailbox.
- Diverting your mail to another location by filling out a "change of address form".
- Rummaging through rubbish for personal information (dumpster diving).
- Stealing bank or credit cards, identification cards, passports, authentication tokens ... typically by pickpocketing, housebreaking or mail theft.
- Stealing checks to acquire banking information, including account numbers and bank routing numbers.
- Hacking into your computer or the computer of a company that does business with you.
- Accessing information you enter online or send by e-mail.
- Posing as a legitimate company or government agency and requesting personal information via phone ("vishing"), email ("phishing"), or text message ("smishing").
- Attaching a skimmer to an ATM to capture the card number and PIN.
- Taking advantage of a personal relationship with you. (For example, a "friend or family member" may take a statement from your home when you aren't watching.)
Spying & Eavesdropping
- Overhearing conversations you have in public.
- Looking over your shoulder when you use your credit cards or the ATM.
- Observing users typing their login credentials, credit/calling card numbers etc. into IT equipment located in public places.
Technology
- Retrieving personal data from redundant IT equipment and storage media including PCs, servers, PDAs, mobile phones, USB memory sticks and hard drives that have been disposed of carelessly at public dump sites, given away or sold on without having been properly sanitized.
- Using public records about individual citizens, published in official registers such as electoral rolls.
- Exploiting common-knowledge questions used for account verification, which are easy to compromise: "What's your mother's maiden name?", "What was your first car model?", or "What was your first pet's name?", etc.
- Skimming information from bank or credit cards using compromised or hand-held card readers, and creating clone cards.
- Using 'contactless' credit card readers to acquire data wirelessly from RFID-enabled passports.
- Stealing personal information from computers using breaches in browser security or malware such as Trojan horse keystroke logging programs or other forms of spyware.
- Hacking computer networks, systems and databases to obtain personal data, often in large quantities.
- Misrepresenting themselves to a company that does business with you or otherwise has information about you (e.g. accessing your credit report by posing as a landlord).
- Exploiting insider access and abusing the rights of privileged IT users to access personal data on their employers' systems.
- Infiltrating organizations that store and process large amounts or particularly valuable personal information.
- Brute-force attacking weak passwords and using inspired guesswork to compromise weak password reset questions.
- Obtaining castings of fingers for falsifying fingerprint identification.
- Diverting victims' email or post in order to obtain personal information and credentials such as credit cards, billing and bank/credit card statements, or to delay the discovery of new accounts and credit agreements opened by the identity thieves in the victims' names.
Methods
- Impersonating trusted organizations in emails, SMS text messages, phone calls or other forms of communication in order to dupe victims into disclosing their personal information or login credentials, typically on a fake corporate website or data collection form (phishing).
- Exploiting breaches that result in the publication or more limited disclosure of personal information such as names, addresses, Social Security numbers or credit card numbers.
- Advertising bogus job offers in order to accumulate resumes and applications typically disclosing applicants' names, home and email addresses, telephone numbers and sometimes their banking details.
- Browsing social networking websites for personal details published by users, often using this information to appear more credible in subsequent social engineering activities.
- Using false pretenses to trick individuals, customer service representatives and help desk workers into disclosing personal information and login details or changing user passwords/access rights (pretexting).
- Guessing Social Security numbers by using information found on Internet social networking sites.
- Befriending strangers on social networks and taking advantage of their trust until private information is given.
What Do Thieves Do With Your Information?
Once identity thieves have your personal information, they can drain your bank account, run up charges on your credit cards, open new utility accounts, or get medical treatment on your health insurance. An identity thief can file a tax refund in your name and get your refund. In some extreme cases, a thief might even give your name to the police during an arrest.
Clues That Someone Has Stolen Your Information
Retail & Shopping
- Debt collectors call you about debts that aren’t yours.
- Merchants claim you owe them money for items or services you never purchased.
- Merchants refuse your checks.
- Merchandise arrives at your home that you didn’t order.
- You get bills or statements in the mail for new accounts you haven't opened.
- You get increased direct mail or phone solicitations for expensive items - This could be the result of new high-ticket activity run on your account.
Credit and Subscriptions
- You haven't received one or more of your regular monthly bills or mail is missing. Thieves can file a change of address to reroute your mail or steal mail straight from your mailbox to retrieve important personal information such as account numbers and financial statements.
- You notice unfamiliar charges on your credit or debit cards. This could be for any size purchase as well as for a very small purchase to make sure your card is still active before selling it on an underground site.
- You find unfamiliar accounts or charges on your credit report.
- You are denied credit when applying for financing or new credit cards, even though your credit is good.
- You get a new credit card in the mail that you didn’t apply for.
- Your credit score is rising - a rising credit score can mean fraudsters are trying to extend credit in your name.
- An employer denies you a job based on a bad background check, even though you know your record is clean.
Online Accounts
- You see withdrawals from your bank account that you can’t explain.
- You can't log on to your email or social media accounts because your password has been changed by criminals who have gained access to the account and all your personal information stored in it.
- You get notice that your information was compromised by a data breach at a company where you do business or have an account.
Medical & Health
- Medical providers bill you for services you didn’t use or for medical procedures you haven't had done.
- Your health plan rejects your legitimate medical claim because the records show you’ve reached your benefits limit.
- Records show that you have already had a procedure done that was not done.
- A health plan won’t cover you because your medical records show a condition you don’t have.
- You can’t get coverage under a new plan because your medical record lists a condition you don’t have.
- You regularly receive treatment solicitations for health conditions you don’t have.
Government & Taxes
- Tax refund check arrives before you file, you receive a tax transcript in the mail that you didn't request or the IRS notifies you that more than one tax return was filed in your name, or that you have income from an employer you don’t work for.
- Arrest warrants for crimes you didn’t commit. You may have been hacked by a fraudster who is committing crimes, traffic offenses and/or parking violations in your name.
- You receive tax documents from an employer you never worked for.
- Your Social Security statement shows errors, such as inflated reported earnings.
Identity theft on a child can go undiscovered for years.
While parents may have a system of alerts and credit checks to protect their own credit, kids are easier targets. Identity theft on a child can go undiscovered for years. You may not become aware until your child is turned down for a job or loan due to a horrible credit history.
Signs that your child’s credit history has been compromised include:
- Being turned down for government benefits because the benefits are being paid to another account using your child’s Social Security number.
- A notice from the IRS saying the child didn’t pay income taxes, or that the child’s Social Security number was used on another tax return.
- Collection calls or bills addressed to your child for products or services you didn’t receive.
- Your child is denied a bank account or driver’s license.
- Credit card and loan offers addressed to your child. Don’t immediately panic if you receive a credit card offer in your child’s name. Financial companies sometimes mistakenly send credit card offers to a minor, but be on alert if you suddenly start receiving a lot of mail that would typically be for adults.
There are several things you can and should do in order to manage your social media identity, which may prevent social media identity theft.
What exactly is social media identity theft? It’s a form of cybersquatting using social media sites.
- If you’ve ever attempted to join a social media site, also known as a social networking site, or applied for an email account, and found that your first and last name were already taken, that may or may not have been social media identity theft, or cybersquatting.
- There may be someone out there who shares your exact name and happened to register first, or else there is someone out there who took your name so that you can’t have it, or who wants to sell it back to you, or wants to pose as you and disrupt your life. These are all possibilities.
- The most damaging possibility occurs when someone wants to pose as you in order to disrupt your life. This disruption can take on many forms. They may pose as you in order to harass and stalk you, or to harass and stalk people you know. Or they may steal your social media identity for financial gain. The thieves use a combination of email and social media to extract funds from others, or to open new accounts.
- There are hundreds, or maybe even thousands, of social media sites, web-based email providers and domain extensions. Then there are all the blog portals, such as WordPress and Blogspot. Even your local online newspaper has a place for user comments, and most people would want to register their own names before someone else comments on their behalf.
- Social media websites offer the option to provide your real name as well as a user name. The user name may be a fun chat handle or an abbreviation of your real name. The key is to give your real name where requested and also to use your real name as your user name. Even if you don’t plan on spending any time on the site, or to use the domain or email, you want to establish control over it.
- The goal is to obtain your real first and last name without periods, underscores, hyphens, abbreviations or extra numbers or letters. This strategy won’t prevent someone else from registering with your name and adding a dot or a dash, but it trims down the options for a thief.
- Some names are very common, or are also owned by someone famous. If that applies to your name, you can still take actions to manage your online reputation. If there is any uniqueness to your name or the spelling of your name, it’s still a good idea to claim your name in social media and work toward managing your online reputation.
- Understand that your name is your brand. Your name is front and center on every document you sign and every website that shows up when your name is searched. The phrase, "All I have is my good name," has never rung truer than today. If you are a writer, blogger, personality of any sort, or anyone who "puts it out there," you probably already know enough to do these things. But there is more to do.
Manage Your Social Identity
If someone, perhaps a potential employer or mate or client, searches your name on Google Web, Google Blogs or Google News, what will they find? Will it be someone else posing as you? Will it be a picture of you doing a keg stand? Or will it be you in your nicest outfit, accepting an award for an accomplishment? Either way, you need to manage your online identity and work toward preventing social media identity theft.
- Register your full name and those of your spouse and kids on the most trafficked social media sites, blogs, domains or web-based email accounts. If your name is already gone, include your middle initial, a period or a hyphen. It’s up to you to decide whether or not to plug in your picture and basic bio, but consider leaving out your age or birthday.
- Set up a free Google Alert for your name and get an email every time your name pops up online.
- Start doing things online to boost your online reputation. Blogging is best. You want Google to bring your given name to the top of search in its best light, so when anyone is searching for you they see good things. This is a combination of online reputation management and search engine optimization for your brand: YOU.
- If you ever stumble upon someone using your likeness on social media, be very persistent in contacting the site’s administrators. They too have reputations to manage and if they see someone using your photo or likeness they would be smart to delete the stolen profile.
Medical identity theft is when someone steals or uses your personal information (like your name, Social Security number, or Medicare number), to submit fraudulent claims to Medicare and other health insurers without your authorization. A thief may use your name or health insurance numbers to see a doctor, get prescription drugs, file claims with your insurance provider, or get other care. If the thief’s health information is mixed with yours, your treatment, insurance and payment records, and credit report may be affected.
Signs of medical identity theft include:
- a bill for medical services you didn’t receive
- a call from a debt collector about a medical debt you don’t owe
- medical collection notices on your credit report that you don’t recognize
- a notice from your health plan saying you reached your benefit limit
- a denial of insurance because your medical records show a condition you don’t have.
How medical records get compromised:
Your medical records can be a mix of a criminal's information and your stolen personally identifiable information (PII). Data breaches and dark web marketplaces are the most common sources of stolen medical information. Breaches of unsecured protected health information affecting 500 or more individuals are reported to the U.S. Department of Health & Human Services.
Tips for Consumers
- Don't give out unnecessary information - It may not sound like a dangerous request, but allowing your doctor's office to photocopy your driver's license or credit card is not a smart move, and often isn't even required to receive services. If you're asked by the front desk to provide anything other than your insurance card, ask why it's needed and how the office plans on protecting your information. If you're not comfortable with their answer, then don't give them your ID or credit card.
- Read every explanation of benefits - These statements are documents sent by your insurance company which list medical services you received and how those services were paid for. They are complicated and can be difficult to interpret, especially for those with multiple health conditions and frequent visits to providers. Look at things like dates of service or provider names. If you see something you don't recognize, follow up right away, Velasquez said.
- Get a copy of your medical records - Under the Health Insurance Portability and Accountability Act (HIPAA), you are legally entitled to a copy of your medical and billing records held by health plans and providers. Once you have these records, keep them somewhere safe and add new information each time you visit a doctor. This way you'll have proof that they were altered if someone begins using your information illegally.
Some hospitals, doctors’ offices and clinics may provide access to a website that stores the personal medical records of their patients. Depending on the websites’ features and functions, you may be able to view your test results or a list of your medications, access your medical records, schedule appointments, obtain follow-up instructions, pay bills and refill prescriptions. Check with your providers or physicians to see if they offer online access to your medical records. Terms sometimes used to describe electronic access to these data include "personal health record," or "PHR" or "patient portal."
- Ask for corrections if there are errors in your health information:
Write to your health plan and medical providers and explain which information is not accurate. Send copies of the documents that support your position. You can include a copy of your medical record and circle the disputed items. Ask the provider to correct or delete each error. Keep the original documents. Send your letter by certified mail, and ask for a "return receipt," so you have a record of what the plan or provider received. Keep copies of the letters and documents you sent.
The health plan or medical provider that made the mistakes in your files must change the information. It should also inform labs, other health care providers, and anyone else that might have gotten wrong information. If a health plan or medical provider won’t make the changes you request, ask it to include a statement of your dispute in your record.
- Periodically review credit reports.
- Maintain control of medical identity cards. Lost or stolen Medicare and Social Security cards should be reported right away to the Social Security Administration.
- Review everything - This includes medical benefit explanations, medical bills, and prescription invoices. Report questionable charges or fraud.
Questionable Charges? Contact your health care provider first to see if it's a mistake. If your issue is not resolved by your provider, report the questionable charges to 1-800-MEDICARE or contact your local Senior Medicare Patrol for assistance: 1-877-808-2468 or www.SMPResource.org.
Compared to a one-off theft, account takeover offers criminals a better and longer return on investment. Compared to a credit card hack, the consequences and hassles for consumers are higher with account takeover: with a stolen card, federal laws and most issuers' zero-liability policies mean you usually don't have to pay fraudulent charges.
What to do if an account is hacked:
- View and verify account activity. First, go through your account activity to confirm any changes or fraudulent charges. Keep in mind that some legitimate transactions may seem fraudulent if the company does business under a different name.
- Update your system and delete any malware. The first thing you should do if your account gets hacked is to run an end-to-end antivirus scan. This means skipping the "quick scan" setting in favor of a deep scan to identify and eliminate not only all forms of malware (from Trojans and spyware to keyloggers that could be tracking your keystrokes even after the hack has been identified) but also potentially unwanted applications. It's important to make sure you're clean before you change any of your other sensitive information to avoid restarting the cycle. Also, set your security software, internet browser, and operating system to update automatically.
- Review Social Media Accounts. On your social networking sites, look for changes to the account since you last logged in. Look at your personal details, review any third-party apps connected to your account, and check your security questions and answers and your backup email addresses and/or phone numbers. If you think your hacker had a chance to scan your security questions and backup accounts, try to change these on the compromised account and on any other account that relies on the same information. This will prevent the bad actor from using your personal details to breach other accounts in the future.
- Change Your PINs & Passwords. Once your computer is free of malware, it's time to change your password. If you've lost access to your account, you may need to contact the company directly, prove who you are and ask for a password reset. Choose a new password that is very different from your old one and make sure it doesn't contain strings of repeated characters or numbers. Your password should be unique for each account, complex (i.e., a mix of letters, numbers and special characters) and at least 15 characters long.
- Contact Other Online Services. It's critical to change your passwords with other payment-based accounts such as Amazon, Netflix, LinkedIn, credit card companies, etc. Make sure you use different passwords for every online account.
- Notify People You Know. Tell your friends, family and anyone else on your email contact list that they might have gotten a malicious link. During the period when attackers had control of your account, they could have sent dozens or even hundreds of fraudulent emails to everyone you know, in turn giving them access to a new set of victims.
- Change Your Security Questions. While your password was the most likely attack route, it's also possible that hackers broke into your account after answering your security questions. Many users choose the same answer to common security questions. In order to further protect your email, be sure to employ the multi-factor authentication that many providers allow, which uses secondary email addresses or text messages to control access to your password, since security questions alone are not enough.
- Report the Hack. If you haven't already, contact your financial institution, email provider, or other company and report the hack. This is important even if your hacked account didn't cause you to lose access since it helps providers track scam-based behavior. If possible, freeze your bank account online, on the app or by speaking with customer service. In addition, your account provider may be able to offer details about the origin or nature of the attack.
- Contact Credit Agencies. Contact the three credit reporting agencies, TransUnion, Experian and Equifax, to monitor your accounts in the months after you've been hacked.
- Consider Your ID Protection Options. If you've been hacked, another idea worth considering is an ID protection service. These services typically offer real-time email and online retail account monitoring, in addition to credit score reporting, and personal assistance in the event of an identity theft. Your financial institution will offer this program for a small monthly fee.
- Review All Email Accounts. If the breach affected a service that includes email, such as your Google account, check the email account for sent messages or for new filters. For example, clever hackers can set up filters that forward all incoming mail to an address you don't recognize. Delete such filters to prevent people from worming their way back into your account in the future. This is particularly important because you can reset many other accounts' passwords, and receive notifications about suspicious activity, over email. You don't want an eavesdropper to nab those recovery messages. Also, check that your email signature and "away" message don’t contain unfamiliar links or forwards.
- Create a New Email Account. Sometimes it's not worth picking up where you left off. If this isn't the first time hacked email has been a problem, or if your provider doesn't seem to be taking steps to mitigate the amount of spam you receive, it may be time for a switch. Look for a service that offers default encryption of your emails and solid customer service in the event of an issue.
What types of crimes can be committed by criminals with your information?
- Phishing: Mobile, Email, Web Site & Social Media phishing rely on social engineering tactics to fool you into either clicking on a link, sharing a link, downloading a file or entering information into an online form. Having more of your personal information makes it easier for criminals to convince you that the "phish" is legit.
- Stolen or Compromised Credentials: Armed with stolen, up-to-date PII data, criminals can more easily impersonate you in order to get into your account. Stolen information will be used to take over existing accounts, such as banking, brokerage, phone service, tax refund fraud, social security, government benefit fraud and retirement accounts. Call centers and online systems rely on these pieces of information to verify account holders. Criminals can use this information to correctly answer the call center knowledge-based authentication questions.
- Passwords: Reused passwords multiply consumer risk. Once a fraudster hacks one of your accounts, the next account often is easier to crack if you use the same username and password combination.
- Email Account: With access to an email account, the fraudster can reset site passwords on commercial websites using your trusted email address.
- eCommerce Account: Once a fraudster accesses your e-commerce account, they now have access to all of the payment methods linked to that account. You may have a stored account where you have linked a few of your credit cards and PayPal account to easily use when you check out. Gaining access to this account is far more lucrative to a hacker as they now have access to your multiple stored payment methods versus trying to use a list of one-off stolen credit card numbers, which may or may not be valid.
- Rewards accounts: Another goldmine for fraudsters is rewards points stored online in retail store accounts. Thieves who get access to those accounts can use the stored information to buy expensive items.
- Banking: If a fraudster cleans out your bank account or takes out a loan in your name, your money is gone. One way that this can happen is if you click on a link that downloads keystroke logging malware onto your computer. The keystroke logger will note every time you visit your bank’s website and record the user name and password. The malware sends the login info to the fraudster’s network. The malware works in the background and can be very difficult to detect.
What can you do:
- Reconcile or balance your bank account every month. The beauty of online accounts is that you can monitor them almost in real time. That means you can catch crooks long before a statement arrives in the mail.
- File your taxes promptly. While thieves may use stolen information to create fraudulent bank accounts, they may also use it to file fraudulent tax returns. File your taxes as soon as you have the tax information you need and respond promptly to letters sent to you by the IRS. Note that the IRS will never communicate with you via email, so watch out for this type of fraud and don’t open emails purporting to be from the IRS.
- Be extra careful about emails and attachments. Avoid clicking on links or downloading attachments from suspicious emails that claim to be updates from any company connected to a data breach.
- Use Two-factor authentication. Two-factor authentication adds a second level of authentication to an account log-in. When you have to enter only your username and one password, that's considered a single-factor authentication. 2FA requires the user to have two out of three types of credentials before being able to access an account.
- Check your credit card accounts often. Reviewing your recent account activity is fundamental to credit card safety—and it’s easy. You can do it online or by phone. If your credit card issuer offers email or text alerts about unusual activity, sign up to receive them.
- Monitor credit reports. Check your credit report for any accounts that crooks may have opened in your name. Credit reports are available for free, from each of the three national credit reporting agencies — Equifax, Experian and TransUnion — every 12 months from http://www.AnnualCreditReport.com. Some monitoring services and credit card companies now allow you unlimited access to credit information, so you could theoretically check every day.
Data breaches will help phishers trick you.
The likelihood that your personal identification is in the hands of criminals increases with every new data breach. Data breach information goes way beyond just login credentials and credit card numbers. Here are all the types of personal identification information that can be stolen during a data breach:
- Social Security Numbers.
- Date of Birth.
- Credit Card Numbers.
- Telephone Numbers.
- Public records of criminal and civil cases.
- Your credit history (current and previous loans, credit cards, credit card balances & utilities).
- Transaction history and length of accounts.
- Bankruptcy filings.
- Companies with which you have an existing or prior relationship.
- Your medical information or payments.
- Driver's license number and driving records.
- Work Records.
- Current & previous addresses, and property ownership.
- Voter registration.
- Professional licenses.
- Associates.
- Family, relatives, and neighbors.
- Car, homeowners, and renters insurance claims.
The effects of a data breach may not play out for a long time, as hackers might not use stolen data right away. The following suggestions should become habits that last well into the future. This way, if hackers are sitting on your information to use it later, you'll know.
What to do:
Order free specialty reports outside of the big three credit reporting agencies. Specialty reporting companies may disclose information that can help prevent fraudulent accounts and other identity theft crimes:
- LexisNexis Full File Disclosure. It’s one of the more comprehensive databases out there, containing all the information LexisNexis gathers to create its various reports about you. And, like credit reports, you can order one free copy per year.