Identity Theft
My identity has been stolen, and although it has nothing to do with Debian,
Linux, or computing (well, in general), I thought it would be educational /
important to notify everyone I can of what happened.
I did not believe it could happen, but I have convinced myself and have
reasonable proof of what happened.
My description starts off talking about using a computer, but that has little
or nothing to do with what happened.
I was on my computer, logged into a financial website, on which I could view
things like my account number, current balance, and such.
I needed some help, so I looked for a help number on that page. I found one
and called it, and got a scammer (although I didn't realize it until too much
later).
He said he was from the financial website I was dealing with, and asked me to
"verify" my information before he could answer my questions (or connect me to
someone else to do that). On that pretext, he asked (and I answered) a lot of
questions about my identity -- more than I should have, including things like
my mailing address, DOB, SSN (iirc), and, among other things, a credit card
number and such.
(Things like my full SSN (instead of just the last 4 digits), a credit card,
and maybe DOB should have been red flags. I feel very stupid.)
To get the help I needed he directed me to make another call which was
in furtherance of the scam; he wanted me to say yes to the questions asked on
that 2nd call in order to place an order for some service (with an initial fee
and then a monthly fee, probably forever).
Once I realized and was quite certain that I had talked to a scammer, I called
the same number (on which I got the scammer) again, and this time I got a bona
fide representative of the financial company (verified by me after some extensive
conversation).
Once I was sure I was scammed, I hung up to try to deal with any mitigation of
the problem that I could do.
Later in the day, I called the same number again, and again got a bona fide
representative of the financial company during which we did things like lock
the account.
In between those last two calls, I started calling other companies and such
(e.g., the company that issued the credit card) to take steps to continue to
mitigate the problem.
The credit card company did have a charge on record that was not made by me
(at least not intentionally) -- they deleted that charge, cancelled the credit
card, arranged to issue a new one, etc.
Here are some of the "kickers":
* At first I thought maybe I had misdialed the number the first time, but my
calls are made over VOIP with Google Voice as the "provider" -- Google Voice
logs my calls (time, duration, number called or calling) and the log confirmed
that I dialed the same number all three times.
* After this happened, I googled for more information, eventually googling
on the key words "telephone intercept" which did lead to some somewhat useful
information (some was about legal entities who can be allowed to intercept
phone calls (e.g., a wiretap)). The information I found indicated that what
happened to me is a known thing for cellphones, but I could find nothing to
indicate that it was a known thing for VOIP calls (nor for landlines).
So, beware.
Note: The only problem that has occurred so far is a fairly small fraudulent
charge on my credit card, but my information is "out there" so who knows what
may happen in the future.
I've done (or am in the process of doing) what I think are all the right
things as far as protecting myself, including things like:
* making a report to my local police department and getting an incident
number (they do not have the capabilities to investigate such a thing, but
some, maybe all entities like insurance companies insist on having such a
report in case of doing things like filing a claim)
* reporting it to all the credit rating agencies and freezing my accounts /
reports (at first, they just put a warning in your credit report, I later found
that I could freeze the report so no one could even access it -- I can
unfreeze the freeze if I need to allow some financial institution access to it
for some reason (and then refreeze it)). (Aside: iirc, one agency will
maintain the freeze for 7 years, another one does it for 99 years, I will have
to put a reminder on my calendar to remember to renew at that time ;-) As a
more serious aside, at the time I was aware of only 3 credit rating agencies,
I've since become aware of at least two more which I will investigate and if
they seem legitimate, I will freeze the reports there as well.)
* I signed up with one of the companies like LifeLock (actually, I chose
Aura), who among other things will monitor the dark web for activity related
to me. I have since found that my bank offers a free service to do the same
thing, so I will be signing up with them.
* I am changing (and mostly have changed) the username and password on all
my financial related accounts (I mean things like Paypal and ebay) on which my
information could be used. The new names and passwords have nothing in common
with my name or similar information. (Any security questions now have false
answers that I keep a record of.)
* I made a report to the FBI, and may forward the same report (or something
very similar) to the Attorney General of the state I live in. I made the
report to the FBI at least partially because I was not aware that such a thing
could happen on a VOIP phone, and maybe they are / were not aware either.
* I made a report to identitytheft.gov, but don't think much of that. This
event occurred back in mid-October, and I reported it to them rather quickly
(within the first few days iirc (I have a record somewhere)).
Now I get a notice from them (identitytheft.gov) every 15 days that, in
essence, says that if I don't update / add to that report within the following
15 days, they will delete it. It seems they are more interested in minimizing
the reporting of such incidents rather than maintaining an accurate historical
record or actually doing anything about the problem.
This is part of what prompted my report to the FBI -- they don't promise to do
anything about it, but the implication / inference I get is that they will not
delete the report. (And they will look at the report and consider taking
action of some sort, iiuc.)