The Los Angeles Times recently ran a story about the link between taxes and identity theft. In the article, it was reported that the Internal Revenue Service is cracking down on people who commit identity theft by filing false tax returns to try and obtain refunds. This reprehensible action has been a trick of identity thieves for years.

In fact, it happened to a friend of mine. He discovered he’d been a victim of identity theft when he attempted to file his taxes only to be told that he had already filed them that year. “At first I just thought it was an error,” he said. “You’re sitting in your accountant’s office, doing what you do every year and all of a sudden the routine is drastically changed.  You go from expecting your return in a certain amount of time to the uncertainty of cleaning up a huge mess.” 

On this topic, the LA Times article quotes IRS spokeswoman Anabel Marquez, “ID theft is a growing problem all across the country, and we’ve come to find out that the tax system isn’t immune…They’ve figured out that just like they can steal credit card numbers, they can file false refunds.”

Thankfully, the IRS is creating new identity theft screening filters to help agents spot fraudulent returns before they are processed and a refund issued. The agency identified around 260,000 fraudulent returns last year.

Check back to the ProtectMyID blog for more posts on taxes and how you can protect your identity.

The Federal Bureau of Investigation’s website is a valuable resource. It has a lot of information about many different types of identity theft that we at ProtectMyID want to share with our readers. Once a month, we highlight a news announcement, article, alert, or other item from the FBI website about identity theft so you can learn more about how this crime is perpetrated.

Six Charged in Scheme to Use Identities of Deceased People to Get Tax Refunds

WASHINGTON—A 10-count indictment was unsealed, charging six people with various offenses related to a scheme to defraud the Internal Revenue Service (IRS) of at least $1.7 million in fraudulently obtained tax returns, often filed in the names of recently deceased taxpayers.

According to the indictment, between April 15, 2009 until at least August 2011, Muaad Salem, Fahim Sulieman, Hanan Widdi, Najeh Widdi, Hazem Woodi, and Daxesj Patel, and other unknown co-conspirators allegedly defrauded the United States by filing false and fraudulent tax returns, many in the names of recently deceased taxpayers, and directing refunds to controlled locations in the state of Florida.

The indictment further alleges that the U.S. Treasury checks generated by the false and fraudulent returns were then sent by to co-conspirators in Ohio who would sell and distribute the checks for negotiation at various businesses and banking institutions.

“The theft of anyone’s identity is a serious offense, but stealing the identities of the recently departed to defraud other taxpayers is particularly egregious,” said Steven M. Dettelbach, the U.S. Attorney for the Northern District of Ohio.

“Identity theft that leads to tax fraud threatens both individual U.S. citizens and the U.S. government,” said John A. DiCicco, Principal Deputy Assistant Attorney General of the Justice Department’s Tax Division. “The Justice Department and the IRS will continue to cooperate in investigating and prosecuting these crimes to the fullest extent of the law. In our technology-driven society, this simply must be a top priority.”

The six are also charged with three counts of mail fraud and two counts of aggravated identity theft. In addition to the other charges, Patel is separately charged with two counts of making a false claim against the United States and with making a false statement to law enforcement officials investigating the crimes.

“The IRS is aggressively pursuing those who steal others’ identities to file false returns,” said Steven Miller, IRS Deputy Commissioner for Services and Enforcement. “Our cooperative work with the U.S. Attorney’s Office will help protect taxpayers in Northern Ohio from being victimized by identity theft. The IRS is taking additional steps this tax season to further prevent, detect and resolve identity theft cases as soon as possible.”

“This case is an example of the FBI and IRS working together to aggressively pursue and investigate those organized criminal enterprises that commit identity theft and fraudulent activities in the United States costing the taxpayers of this country millions of dollars,” said Stephen D. Anthony, Special Agent in Charge of the FBI’s Cleveland office.

“IRS Criminal Investigation has made investigating refund fraud and identity theft a top priority,” stated Darryl Williams, Special Agent in Charge, IRS-Criminal Investigation, Cincinnati Field Office. “Filing fraudulent tax returns in the names of other individuals may result in significant harm to those individuals whose identities were stolen, as well as a monetary loss against the U.S. Treasury.”

Mail fraud is punishable by a maximum sentence of 20 years in prison; conspiracy to defraud the United States is punishable by a maximum sentence of 10 years; conspiracy to commit mail fraud, making a false claim against the United States and making a false statement are each punishable by a maximum sentence of five years in prison; aggravated identity theft is punishable by a mandatory sentence of two years’ incarceration to follow conviction on any other offense.

Defendants also face a fine of up to $250,000 for each count of conviction.

The case was presented to the grand jury by Assistant U.S. Attorney Gary D. Arbeznik following investigation by the Cleveland Division of the FBI, the IRS-Criminal Investigation, and the U.S. Postal Service.

An indictment is only a charge and is not evidence of guilt. The defendants are entitled to a fair trial in which it will be the government’s burden to prove guilt beyond a reasonable doubt.

My grandmother passed away nearly a decade ago. You can imagine my surprise when my mother recently told me that she’d been contacted by a life insurance company trying to locate my grandmother’s descendants in order to pay on a life insurance policy. All she needed to do was provide some personal information, including her own Social Security number. That’s when the red flags that had been waving in the breeze began to flutter at full might.

My mom’s a sensible lady. Having been a victim of identity theft has made her cautious. However, one official-looking document along with the promise of money, and she temporarily forgot all precautions. I am so glad she called me. I did some research and learned that this is a popular scam. Death records are public, and with the proliferation of information printed in obituaries and given away on social networks, it’s easy for thieves to contact descendants, pose as an insurance firm and obtain personal information, including SSNs, with the mere promise of money.

So, what can you do? In my mom’s case, I looked up the life insurance company and called the number I found from an online search (not the number provided on the letter). Luck was with our family, and in this case, the right to an insurance claim was real. But, I know from my research that this isn’t always the case.

If you get a letter that sounds too good to be true, follow these simple tips.

• Reality check – Take a moment to think about the situation. Do not immediately respond.
• Do some homework – Research the company and determine if it is real or fictitious.
• Use your numbers – Don’t call the number given in the letter, use one you’ve acquired from a trusted source.
• Beware of email – Don’t click on links in emails like this. It’s very likely a phishing scheme. Instead, follow the tips above.
• Use common sense – If it sounds too good to be true, it probably is.

Of course there’s such a thing as a great secret password.  Everyone can come up with a combination of letters and numbers that would be nearly impossible for someone else to guess.  The complication comes when you need many passwords; when you’re advised to not use the same password for multiple accounts; and when accounts have different parameters for what a password can contain.

In the wake of the recent, somewhat high-profile data breach at a popular web retailer – and Data Privacy Day on January 28 – I’ve been contemplating passwords.  After all, one of the key recommendations from that company was for customers to change their passwords on any websites where they used the same or similar password.  (Note: the data breach may have included access to customers’ cryptographically scrambled passwords, not the actual ones.)  I am admittedly guilty of using the same password for multiple sites.  I have to ask though, how can I not? 

By very conservative estimates, I have at least 100 web-based passwords – retailers, banks, frequent travel programs, credit cards, alumni clubs, credit cards – many of these organizations require me to have a login, and they recommend that it be different from any other password I use.

So, I’m asking you, do you have any tips for easy-to-remember, truly ‘secret’ passwords?  I know what not to use – birthdates and anniversaries, social security numbers, initials, etc. – but what can I use, that I will be able to recall, that someone else would never figure out? 

And, more importantly, how do I avoid using them for many different sites?  It doesn’t seem realistic to have 100 unique passwords, so how should I divide them up?  The easiest method would be to use one password per category (alumni sites, travel sites, coupon sites, etc.) but when applied to financial sites, that also seems the most foolish approach.

Rather than providing advice or sharing industry news, the purpose of this post is to get your creative juices flowing.  As more and more of our life is headquartered on-line, we need to include cyber security in our personal protection plan.  If you have login and password tips and tricks that work for you, and if you wouldn’t mind sharing, I’m all ears.

There are two possible takeaways from the title of this post. Either, the instruction is to shred rather than trash, or, you should infer that there’s value in saving bills and receipts. I believe both statements to be true.

There was a time when a shredder was, like a copy machine, a fancy piece of equipment found only in professional offices. These days, shredders are touted as must-haves for every home. And, not without reason. If you’re new to the identity theft conversation, you may not be aware of the concept of ‘dumpster diving’, whereby identity thieves comb through the garbage for personal information they can use to set up fraudulent accounts. Despite a dizzying array of sophisticated, technology-enabled methods for pillaging someone’s identity, identity theft is most often accomplished through low-tech methods, including dumpster diving.

It makes sense. We’re constantly inundated with hard copies of important information that we may not choose to keep on hand – financial statements and applications, bills, lease agreements, contracts, etc. And, if you’re not the type to file away every receipt, you may find yourself setting dumpster-diver bait when you toss those seemingly outdated and worthless documents out. If I can‘t convince you that sometimes bills and receipts are important (read below), at least trust that they need to be shredded before leaving your possession. Identity thieves can be patient and cunning, and will source information through various means to compile a complete enough profile to be able to exploit your identity. I probably take it to an extreme, but I shred anything with my name, address, birthday, bank name, or even partial credit card number. Better to be safe than sorry. And, I’ve come to find shredding to be cathartic.

Of course, I don’t shred everything, or even most things. I keep fairly well-organized archives of bank statements, corresponding receipts, and other seemingly important information. And, while staying organized takes effort, on multiple occasions I’ve found that it has saved me hours, headaches, and dollars.

A few years ago I received a letter from the IRS suggesting that information on my tax return was incorrect. Being the fastidious record-keeper that I am, within a minute or two, I was able to find the exact document necessary – a corrected W-2 from an employer – to back-up my tax return. Several weeks later I was notified that the case was closed. Victory! Hours spent keeping my records in line paid off, and I never had to have a conversation with anyone at the IRS.

More importantly, I’ve found that good record keeping has saved me hundreds, if not thousands, of dollars. Hand-in-hand with my strong desire to keep well-organized financial records is an even stronger desire to declutter the space around me. It’s not uncommon for my gaze to come across something I may have purchased that I’ve not found use for. Fortunately, I usually know exactly where the receipt is, and am not shy about making returns. Not only does this create space in my home for my many files, but it creates space in my budget every time I receive a refund!

For me, receipt management is a twofold process. I keep my receipts so that I always have the option to make returns and so that I can defend any financial claims I make. And, when it’s time to finally part with my records, I make sure that they’re of no use to anyone. Worried about having to store too much information? Read on for specific tips on what to shred and what to keep.

Nikki Junker, Identity Theft Resource Center

Remember the days when a phone was for calling people?  Well, those days are long gone now.  The technology began with phones, and then evolved to include car phones, then mobile phones, and now smartphones.  The next generation of phones coming out, which seems to do anything you can imagine, will probably have its own name – superphones perhaps?  One of the necessities the smartphone has taken on to replace is the wallet.  A smartphone has already challenged the necessity of regular phones, computers, camcorders, cameras and GPS devices, so why not a wallet too?

The ability for your smartphone to serve as your wallet is enabled by NFC technology, which stands for Near Field Communication, a technology that allows information to be transferred between devices within close proximity of each other.  Therefore, if your banking information is stored on your smartphone, you could transfer it to a point-of-sale device by putting your smartphone close to it. The process is similar to a speed pass at the gas pump or the fast pass lane on a toll road. The idea of being able to spend money with your phone may be confusing, if not downright scary, but should it be?

First, let’s look at the positive aspects of NFC technology:

• It is convenient:  Instead of lugging around 10 different plastic cards you would have only a phone to carry. No digging in your purse for that department store card you hardly use or having so many cards you don’t even know when you have lost one until quite some time later.
• It can save money: Google Wallet, which is one example of NFC technology, has come up with a service called “Single Tap”, which makes it so that all coupons and rewards that are applicable to a purchase are used at the time of purchase.

Now, for the negative aspects of this new technology:

• Limited availability: Currently, few providers carry NFC technology-enabled phones. And, as of the time of the writing of this article, on the financial end only one major credit card company has teamed up to roll out the new technology.  Therefore you must have a card from that provider or buy a pre-paid card.  If you have these prerequisite items you can use NFC technology right now at many Pay Pass Merchants.  But, of course, the retailer must also have the Pay Pass technology in order to receive your payment.
• Safety: There have been fears of security issues with NFC technology, with many wondering how easy it is for an outsider to read the information being produced through NFC technology.  The technology is currently designed so that banking information can only be transmitted when activated by a pin.  During the short transaction time, the Smartphone must be within a certain distance of the reading device.  That addresses the fear of your information being broadcast to the entire world every time you make purchases, but what if your phone is hacked?  Hackers are moving their targets to mobile devices, so how is your financial information going to be protected if your NFC-enabled smartphone is hacked?  One NFC-software provider has stated that even if a user were to download malware to a phone which would give hackers access to the phone’s entire Operating System, the chip that holds the financial information for NFC-related transactions would remain safe.  The phone’s hardware and NFC memory chip are even separate.  But, with hackers being as ambitious as they are these days, we have to wonder how long it will be until they figure out how to surpass these protections.
• Tracking: In the age of the internet, information is valuable.  Where consumers frequent and how much they spend translates into dollars and cents to companies who can sell this information to companies to target those consumers.  Many companies have already been in the hot seat with the public over the information they gather from tracking users, so this would be one more way for that information to be gathered.

There are more benefits and potential risks with NFC technology as you dig deeper into both the technology and sociological aspects, but the above points show what the argument boils down to.  It is the same issue surrounding almost all of the incredible new technology that is coming out right now.  How much security are consumers willing to sacrifice for convenience?

The Federal Bureau of Investigation’s website is a valuable resource. It has a lot of information about many different types of identity theft that we at ProtectMyID want to share with our readers. Once a month, we’ll highlight a news announcement, article, alert, or other item from the FBI website about identity theft so you can learn more about how this crime is perpetrated.

Two Charged in Identity Theft Scheme

Kenneth C. Osbourne, Jr. and Sheldon Hylton were charged by indictment, filed on August 25, 2011, with conspiracy to commit bank fraud and aggravated identity theft, and aiding and abetting, announced United States Attorney David Memeger. Hylton is also charged with wire fraud and possession, with intent to use unlawfully, of five or more false identification documents.

The charges stem from the defendants’ participation in an identity theft scheme that resulted in the personal identity information of approximately 86 individuals being compromised. According to the indictment, defendant Osbourne used his position as a customer service representative at AmeriHealth Administrators, Inc. to access customers’ personal identity information, including names, dates of birth, Social Security numbers, and bank account numbers, and passed this information along to defendant Hylton. Hylton, in turn, obtained counterfeit checks that were printed using the victims’ names, addresses, and bank account numbers.

The indictment alleges that, between October 2009 and January 2010, defendant Hylton and other co-conspirators deposited approximately 48 counterfeit checks totaling approximately $289,846.82 into bank accounts, and subsequently withdrew approximately $189,300 cash from these accounts. According to the indictment, defendant Hylton also used the personal identity information of five victims to access online adult pornography websites. Hylton also was charged with possession of 15 counterfeit Pennsylvania driver’s licenses.

If convicted, defendant Osbourne faces a maximum possible sentence of 57 years’ imprisonment, including a mandatory term of imprisonment of two years, a $4 million fine, a five-year term of supervised release, and a $1,300 special assessment. Defendant Hylton faces a maximum possible sentence of 82 years’ imprisonment, including a mandatory term of imprisonment of two years, a $4.5 million fine, a five-year term of supervised release, and a $1,500 special assessment

The case was investigated by the Federal Bureau of Investigation and United States Secret Service and is being prosecuted by Assistant United States Attorney Karen M. Klotz.

An indictment or information is an accusation. A defendant is presumed innocent unless and until proven guilty.

By Nikki Junker, Identity Theft Resource Center

With our lives being so packed full of activities these days, it is not uncommon for people to need public computers to stay connected while out and about. This could be a business person using the hotel business center, a college student in the library, or a traveler checking their email in the airport. While we are all aware that computers retain information from their users, a public computer user may not consider just how dangerous that information could be in the wrong hands. Retained Internet history, passwords or social network log-in credentials provide an excellent opportunity for identity thieves to access all of the information they will need to steal the user’s identity. However, following the tips below can help decrease the risk of becoming the target of identity thieves:

• Don’t save your log-in credentials: Upon signing into personal online accounts (email, banking, social networks, etc.) most internet browsers ask the user if they would like for the computer to remember the log-in credentials. While this is helpful for those of us with a bad memory, it is incredibly dangerous, especially on a public computer, and it is recommended that users choose to not have the computer remember login credentials and passwords. On public computers, it is pointless to have this information retained, as you are unlikely to need it again. Further, all an identity thief has to do is access the computer after you and double click on any site where you have log-in information saved. This will give them access to your accounts.
• Don’t leave the computer unattended: Whether sensitive information is present on the screen or not, users should never leave their computer unattended. Just a few minutes is all a thief needs to jump on the computer, do a little backtracking, and obtain a wealth of information about whoever was using the computer previously.
• Keep an eye out for shoulder surfing: Shoulder surfing is when a thief stands within close proximity to a victim in order to over-hear or over-see personal information. Be aware of anyone standing behind you or anyone who can’t seem to keep their eyes on their own screen.
• Don’t enter sensitive information into a public computer: Sometimes users have an emergency and have to use a public computer to access a bank account or school records. However, it is highly recommended that users refrain from entering the sensitive information associated with these tasks into public computers. Even if all of the other safety tips here are followed, users cannot be sure that this personal information is not going to be captured via key loggers or spyware.
• Erase your tracks: There a few steps users should take before leaving their session at a public computer in order to erase some of the data that has been stored during their use. Though it may sound confusing, it is actually quite simple and will usually only take a few seconds. You can find exact instruction here for Internet Explorer, which operates very similarly to other browsers. Users should remember to: 
  • Delete Internet history
  • Delete cookies
  • Delete temporary internet files

In the end, the best way to protect yourself is to act as though you are being watched and to think twice about what you would be sharing. This is a good hard and quick rule to protect your information should you find yourself needing to use a public computer and will help you avoid becoming a victim of identity theft.

It’s a truer statement than ever before: we live in the information age.  Technology enables myriad conveniences, including the ability to make purchases at any hour of the day without stepping foot into a store.  Every once in a while, that technology is compromised.

Popular online retailer Zappos.com has informed over 24 million customers that the database storing their personal information was hacked.  Among the data that may have been accessed are customers’ names, e-mail addresses, billing and shipping addresses, phone numbers, the last four digits of consumers’ credit card numbers and cryptographically scrambled passwords (but not the actual password).  Zappos stated that full credit card numbers were not stolen because they were stored separately.

Some might suggest that most of the personally identifying information that was accessed is not particularly private, though others would argue that it should be.  In general, names and addresses are easy to come by, and the last four digits of a credit card are found on most sales receipts.  That may be why the focus of the company’s announcement about the cyber attack, and its customer-facing action plan, is on the passwords (albeit cryptographically scrambled ones) that may have been accessed. 

Zappos automatically expired and reset customer passwords and set up a page instructing customers to create a new password. Further, they recommend that customers change their password on any other websites where the same or a similar password is used.

The Zappos data breach comes on the heels of several large data breaches in 2011 involving customer information.  Despite advancements in technology, and retailers’ strongest infrastructure and best intentions, it may be hard to take advantage of technology’s conveniences and feel completely protected at the same time.  For more information on data breaches and identity theft protection, please visit ProtectMyID.