In January 2018, I became aware that my identity was being fraudulently used after receiving a strange voicemail from an automotive financing institution asking about my loan application. While I reacted quickly upon discovering my identity was used to apply for a car loan, the whole situation escalated quite quickly when I received a phone call from a detective on the East Coast confirming that my identity was used to purchase a vehicle.
A few things have happened in the first few months of 2018 that I will not go into detail about because I have no idea what the status is of the active case(s) that may exist regarding my specific situation.
What I do want to cover in an article is my advice to mitigate identity theft as well as how to respond to identity theft, at least to the scope in which I experienced it.
Note: Preventing identity theft is a whole different issue and frankly, you can do a lot within your control to prevent identity theft (e.g. paperless statements, shredding documents, strong passwords, etc.). The problem is that you are most likely going to be a victim of identity theft because some other institution allowed your data to be leaked (most notably: Equifax in 2017).
While I am an Information Security professional, I am not an expert in the credit industry and how credit bureaus operate. But the advice forthcoming is based on actual events that took place in my scenario and based on how I responded to those events.
The first piece of advice I can give to everyone is to freeze your credit.
A credit freeze or security freeze is essentially a restriction placed on your credit report with a credit bureau such that your credit file cannot be accessed (e.g. for credit checks) without your direct authorization.
Whenever anyone (including yourself) tries to apply for a credit card, financing / loan, or otherwise use your identity information for any sort of credit history check, a credit freeze will block that credit check from taking place.
Many people use the credit lock, which has essentially a similar effect to a credit freeze with respect to a credit check. The problem with a credit lock is that it does not have extra protections to prevent it from being removed and that it is not a legally protected request. A credit freeze remains forever until you explicitly ask for it to be removed (or temporarily lifted) by providing a unique PIN that you create when you request the initial credit freeze.
A credit lock is more convenient because each credit bureau makes it very simple to unlock a locked credit profile (e.g. using a website or app). Assuming the account(s) used to access the credit lock/unlock service for a given credit bureau can have multi-factor authentication enabled, this is probably going to be suitable.
Additionally, many people use the fraud alert mechanism which I actually had in place at the time my identity was being fraudulently used. A fraud alert on your credit file is supposed to require lenders or the credit checker to actually try to contact you to see if you are opening an account. This is worthless as I have come to find out.
Depending on how well the malicious parties are able to steal your identity and prepare / stage it for a significant purchase, they will be able to get a lender to contact them as opposed to you during the fraud alert verification procedures. Also, the lender may simply grant the application to the malicious parties if they cannot reach you, or simply ignore the fraud alert statement on your credit report altogether because the lender is too eager to grant the financial request. Fraud alerts also expire (usually after 90 days) and have to be extended every time before expiration.
A credit freeze is one of the best ways to mitigate identity theft damage. It’s not going to stop your identity from being stolen, but freezing your credit file will help prevent the thief from actually using your credit history to their advantage.
Note that since the time I froze my credit, a security freeze or credit freeze is now free thanks to Federal law. If I recall correctly, I paid $10 each to Experian, Equifax, and TransUnion to implement the credit freeze. Technically, before the recent Federal law, a credit freeze fee was waived with proof of identity theft. But when I was trying to mitigate the fraudulent identity theft activity, I needed to freeze my credit ASAP to stop any further attempts to use my identity, so I paid the $30 total.
The obvious negative of a credit freeze is that it prevents your intentional attempts to purchase something that requires a credit check (e.g. financing a house or car, applying for a store credit card, etc.). But you can unfreeze, apply for credit, and then refreeze credit (all for free now). It simply requires the effort to go through the steps and time everything accordingly when it comes to applying for a loan.
The second tip I have is to look at everything when analyzing your credit reports.
In California, we are allowed one free credit report per year from each of the three major credit bureaus (Equifax, Experian, and TransUnion). I have been checking my credit reports every year for the past several years. The problem is that I was only focusing on the hard pulls when I checked my credit reports.
For those who don’t know what a hard pull is, there are two types of credit check pulls (or ‘inquiries’ on a credit report): hard and soft. Generally, a soft pull or inquiry occurs when there is a generic background check for loan pre-approvals or credit score check. A hard pull occurs when a lender actually checks your credit for the basis of an actual loan or lending determination. Soft pulls do not affect credit scores whereas hard pulls do.
I was more concerned about the actual hard pulls and if someone was actually getting loans or credit in my name. The problem is that malicious soft pulls will happen more often than a hard pull. Why? Applications for accounts for cellular phones, insurance, rental agreements, etc., can all technically trigger a soft pull on your credit report and your credit profile is still being used as the determining factor to issue those accounts.
Someone can technically use your identity to apply for car insurance, and the insurance company will check your credit history to determine whether or not to grant the insurance to the malicious actor, yet because this is not a hard pull, it will not affect your credit score.
In my specific situation, there were several soft pulls in the months leading up to the big ticket identity theft use. But I was not paying attention to these soft pulls. Had I looked closer and realized those soft inquiries were suspicious, placing a credit freeze sooner in response would have prevented the malicious vehicle purchase using my credit history.
Translation: Soft pulls matter. Look at the soft pulls and see if there are companies you do not recognize. Soft pulls will often occur when financial institutions you already do business with (or have done business with) check your background to see if they want to send you an offer (e.g. new credit card), so even if you see a soft pull, it is not necessarily malicious.
The fact that soft pulls will occur without your permission by banks as a way to advertise new services to you makes soft pull monitoring more difficult. But if you see a soft pull for a rental company when you own your own home, odds are your identity was used to establish a renter’s agreement and you definitely need to freeze your credit.
Note that if you enact a credit freeze, this will block both hard and soft pulls of your credit. But in the case of a soft inquiry, there are a few times when a security/credit freeze will not block a soft pull, including:
- Credit check by banks you already have accounts with (e.g. for credit limit increase)
- Information check by Collections Agencies
After a credit freeze, watching soft inquiries is imperative because it will alert you of any accounts (not necessarily financially related) opened using your credit profile, and also of possible collections agency notices that will appear for accounts fraudulently opened in your name that have defaulted (because the identity thief had no intention of paying the bill).
Also, look for any strange addresses, phone numbers, or employment information that appear on your credit report.
If you find anomalous data on your credit report, dispute it as soon as possible.
The credit bureaus can accept credit report disputes online for some fields, but the more critical ones such as inquiries / pulls will require a written letter. Disputing incorrect / suspect information such as unknown affiliated addresses and phone numbers can be done relatively easily.
But when you start seeing more serious incorrect (and possibly fraudulent) data, it will lead you down the path of actually filing a police report and/or filing an extended fraud alert (which lasts seven years).
A fourth piece of advice is oriented towards anyone whose identity was fraudulently used: File a police report.
The reason why you want to file some sort of report with an enforcement agency is so you have documentation to provide to the credit bureaus to contest fraudulent transactions. This will become more important when responding to collections agencies that are seeking collections of debts on fraudulent accounts in your name.
The Federal Trade Commission (FTC) operates the https://www.identitytheft.gov website which can be used to report and document identity theft cases with the FTC. This alone is supposed to be sufficient for a police report within the context of identity theft for proof to credit agencies. I did file one of these immediately upon becoming aware my identity was being used maliciously.
In my specific situation, a police report documenting my identity theft as it related to a fraudulent vehicle purchase was opened by a law enforcement agency and provided to me. I feel that this police report was far more authoritative and valuable than my self-submitted FTC report when I reported my identity theft to the credit bureaus, as well as when responding to and contesting collections agency notices.
If you are the subject of confirmed identity theft, file a report on the FTC https://www.identitytheft.gov website, but try to get a police report filed with the law enforcement agency in the area where the fraud took place. If you are having difficulty with this, try to file with your local law enforcement agency.
My last piece of advice is also oriented towards anyone whose identity was fraudulently used: Stay calm and document.
It is very easy to have a knee-jerk reaction and try to handle everything immediately. Go by the numbers. Freeze your credit. Get your credit reports and go through each one in full detail. File the FTC and/or police reports. Prepare your packets for each of the credit bureaus. When I say packets, this is going to include at the very least:
- Letter explaining the identity theft claim and summarizing all the items (if any) on your credit report you are contesting as false and/or fraudulent, and a request to get monthly credit reports for the next 12 months (free by law for identity theft victims).
- Copy of the credit report for the respective bureau with identifiable marks on each line that you are contesting
- Copy of each police report
- Copies of identification document(s), if required
Mail your packets to each credit bureau via Registered Mail.
Prepare a generic template to respond to any possible collections notices. This will include a (cover) letter with text that identifies the collection notice (usually has an internally used identification or case number) and your text explaining that you are contesting the notice because you are a victim of identity theft. Collections agencies tend to have varying requirements, but most will require a letter and proof of identity theft (police report). If you ever get a collections notice for a fraudulent account, you will also want to use Registered Mail if sending a hard copy response.
Hopefully this provides some help to those of you who are worried about identity fraud and do not know how to respond to it. Like I mentioned earlier, the aforementioned advice will help mitigate identity theft, but will not prevent or stop identity theft. If you are reading this, there is a good chance your identity is already stolen (leaked through a significant data breach, e.g. Equifax or US Office of Personnel Management). The real issue is the eventual point in time when a malicious actor actually decides to use your identity for fraudulent activity.
You can take all precautions to protect your data (e.g. shredding documents on disposal), but all it takes is for someone else (e.g. medical office) that has your data to leave your data unprotected (e.g. exploitable database) for your identity to be stolen.