Summarize the facts and major points from the article and be sure to identify the ethical issue or issues presented in the article.
Cite your source within the body of your initial post and provide a complete reference for the source, formatted according to APA style as outlined
How to protect and minimize consumer risk to identity theft
Albrecht, Chad; Albrecht, Conan; Tzafrir, Shay. Journal of Financial Crime; London Vol. 18, Iss. 4, (2011): 405-414. DOI:10.1108/13590791111173722
Translate Abstract
Purpose – The purpose of this paper is to present and explain the identity theft cycle. The identity theft cycle explains how a perpetrator goes through various stages of confidence and experimentation when stealing an individual’s identity. Design/methodology/approach – The paper takes a conceptual approach by first describing identity theft in detail and then discussing the seriousness of identity theft for consumers today. The paper then presents and explains the identity theft cycle in greater detail including the stages of discovery, action, and trial. Findings – The paper provides evidence to suggest that if identity theft is detected early, consumers can protect themselves from the vast and difficult consequences of identity theft. Originality/value – This paper fulfills an important area of research by providing basic information about the nature of identity theft. This paper also discusses the various ways that perpetrators steal consumers’ information, as well as teaches consumers how to proactively protect themselves from identity theft.
Introduction
Research has suggested that victims of identity theft spend an average of $1,500 in out-of-pocket expenses and an average of 175 hours per incident of identity theft in order to resolve the many problems caused by identity thieves ([13] Smith, 2005). The United States Federal Trade Commission has labeled identity theft as the most common type of consumer fraud, affecting thousands of people everyday. In fact, approximately 40 percent of the frauds reported to the [15] United States Federal Trade Commission (2007) over the last few years has involved some type of identity theft. Furthermore, research has suggested that victims of identity theft suffer both psychological and physical distresses ([11] Sharpe et al. , 2004). Identity theft is used to describe those circumstances when someone uses another person’s name, address, Social Security number, bank or credit card account number, or other identifying information to commit fraud or other serious crimes ([1] Albrecht et al., 2011 ).
Unfortunately, as a result of the internet, increased technology, and easy access to individuals personal data, information such as bank account and credit card numbers, Social Security numbers, telephone calling card numbers, and other valuable information can be used by others to profit at a consumer’s expense ([4] Berghel, 2000). Many times, the most detrimental consequence of identity theft is not the actual loss of money, but rather the loss of credit, reputation, and erroneous information that is extremely difficult to restore or fix ([9] Pastrikos, 2003). If a perpetrator of identity theft ensures that bills for the falsely obtained credit cards or bank statements showing the unauthorized withdrawals are sent to an address other than the victim’s, the victim may not become aware of what is happening until the criminal has already inflicted substantial damage on the victim’s assets, credit, and reputation. Many organizations operate in response to the problem (reactive) we suggest distinctive proactive model like “preventive medicine”. The idea behind this choice is that we attempt to focus mostly on proactive rather than reactive strategy of the organization in order to reduce the number of cases of identity theft before outcomes are aroused and escalation of the situation will occur. In this manner, proactive prevention strategy can be seen as a “preventive medicine”. Indeed, as with most fraud, the most important way to fight identity theft is to prevent it from happening in the first place. Once identity theft has occurred, it is very difficult, expensive, and time consuming to investigate and resolve.
How identity theft occurs
Perpetrators of identity theft follow a common pattern after they have stolen a victim’s identity ([14] Towle, 2004). To help understand this process, we have created the “identity theft cycle”. Although some perpetrators commit fraud in slightly different ways, most generally follow the following three states.
Stage 1. Discovery:
– Perpetrators gain information.
– Perpetrators verify information.
Stage 2. Action:
– Perpetrators accumulate documentation.
– Perpetrators conceive cover-up or concealment actions.
Stage 3. Trial:
– First dimensional actions – small thefts to test the stolen information.
– Second dimensional actions – larger thefts, often involving personal interaction, without much chance of getting caught.
– Third dimensional actions – largest thefts committed, occurs after perpetrators have confidence that their schemes are working.
In the following paragraphs, we will explain each of these stages in greater detail.
Stage 1. Discovery
The discovery stage involves two phases: information gathering and information verification. Discovery is the first step in the identity theft cycle because all other actions the perpetrator takes depends upon the accuracy and effectiveness of the discovery stage. A powerful discovery stage constitutes a solid foundation for the perpetrator to commit identity theft. If a perpetrator has a weak foundation, the evidence gathered will be less likely to support a high-quality identity theft, which minimizes the victim’s overall financial losses.
During the gaining information phase, perpetrators do all they can to gather a victim’s information ([2] Albrecht and Albrecht, 2004). Examples of discovery techniques include such information-gathering techniques as searching trash, searching someone’s home or computer, stealing mail, phishing, breaking into cars or homes, scanning credit card information, or using any other means whereby a perpetrator gathers information about a victim.
During the information verification phase, a perpetrator may use various means to verify the information already gathered. Examples include telephone scams, where perpetrators call the victim and act as a representative of a business to verify the information gathered (also commonly known as pretexting), and trash searches (when another means was used to gather the original information). Although some perpetrators may not initially go through the information verification process, they will eventually use some information verification procedures at some point during the scam. The scams of perpetrators who do not verify stolen information are usually shorter and easier to catch than scams of perpetrators who verify stolen information.
Stage 2. Action
The action stage is the second phase of the identity theft cycle. It involves two activities: accumulating documentation and devising cover-up or concealment actions.
Accumulating documentation refers to the process perpetrators use to obtain needed tools to defraud the victim. For example, using the information already obtained, perpetrators may apply for a bogus credit card, fake check, or driver’s license in the victim’s name. Although the perpetrator has not actually stolen any funds from the perpetrator, he or she has now accumulated the necessary tools to do so. Any action taken by the perpetrator to acquire information or tools that will later be used to provide financial benefit using the victim’s identity fall into this category.
Cover-up or concealment actions involve any steps that are taken to hide or cover the financial footprints that are left through the identity theft process. For example, in this stage, a perpetrator might change the physical address or e-mail of the victim so that credit card statements are sent by the financial institution to the perpetrator rather than to the victim. These concealment actions allow the perpetrator to continue the identity theft for a longer period of time without being noticed.
Stage 3. Trial
The trial stage involves those activities of the identity theft that provide perpetrators with financial benefits. There are three phases to the trial stage: first, second, and third dimensional actions. The trial stage is considered to be the most critical stage of the identity theft cycle because this is where the perpetrator’s work starts to pay off.
First dimensional actions are the first frauds committed, mostly to test the effectiveness of fraud schemes and the stolen information. For example, a perpetrator might go to a gas station and use a stolen credit card to actually determine if the card works. If the card does work, the perpetrator gains confidence in the theft and moves on to bigger scams. However, if the card does not work, the perpetrator faces no immediate threat of consequences and can quickly discard the card without physically having to face anyone.
Second dimensional actions are the actions taken by a perpetrator once initial trials have been successful. These actions often involve face-to-face interactions with others. For example, if the card used at the gas station was successful, the perpetrator may move on to bigger items. The perpetrator may go to a mall and buy shoes, stereo equipment, or other “large-ticket” items. Any actions used to benefit the perpetrator after the initial testing period are considered to be second dimensional actions.
Third dimensional actions are thefts committed after the perpetrator has considerable confidence in the identity theft. For example, a perpetrator may establish telephone accounts, open new bank accounts, secure an auto loan, or perform other actions that provide significant benefits to the perpetrator. Third dimensional actions are the most risky for the identity thief. The likelihood of a perpetrator being caught during third dimensional actions is greater than at any other period in the identity theft.
Once a perpetrator has committed third dimensional actions, he or she often discards the information of one victim and starts over with the discovery stage using another victim’s information.
How perpetrators convert personal information to financial gain
Once perpetrators have accessed personal information, they use that information to their financial benefit. Some of the common purchases made by identity theft perpetrators are as follows:
– Buying large-ticket items, such as computers or televisions. Using a fake credit/debit card, a perpetrator will often buy items that are quite expensive and can easily be sold on the black market. Perpetrators then spend the stolen money very quickly, usually on drugs or other vices.
– Taking out car, home, or other loans. Once a perpetrator has gained confidence that the identity theft (through other successful small purchases) is working, he or she often takes out a loan using the victim’s identity. The most common type of fraudulent loan is for an automobile. Because automobiles can easily be traced (using the license plates or vehicle identification number), the car is usually quickly sold so that it cannot be traced to the perpetrator.
– Establishing phone or wireless service in victim’s name. Perpetrators often set up a phone or wireless service in the victim’s name. This is done so that the perpetrator can more easily convince banks, businesses, and others that he or she really is the person he or she claims to be. Perpetrators also use telephones as a form of communication to buy or sell drugs, gain information to steal more identities, begin telemarketing schemes, and/or support other fraud schemes.
– Using counterfeit checks or debit cards. Using debit cards or counterfeit checks, perpetrators often drain victims’ bank accounts. One of the biggest risks of debit cards is the lack of insurance to cover fraudulent transactions. This makes it extremely important that consumers only have a reasonable amount of cash in their checking and/or debit accounts. That way, if a fraudster drains a victim’s checking account, the loss will be minimal.
– Opening a new bank account. Perpetrators often use a victim’s personal information to open new checking accounts under their name. Using the checks received from the new account, they then write checks that will not only cause problems such as NSF (bounced checks) transactions, but in the process, they destroy the person’s name and credit.
– Filing for bankruptcy under the victim’s name. Perpetrators sometimes file for bankruptcy under a victim’s name. Such filings keep victims from knowing that their identity has been stolen. In the process, the victim’s credit report and reputation are damaged, a problem that can take years to repair.
– Reporting victim’s name to police in lieu of their own. Perpetrators have even been known to use the victim’s name and identity to keep their own records from being blemished. Furthermore, if a perpetrator has a criminal record, he or she might use a victim’s name to purchase guns or other difficult-to-obtain items. If a perpetrator does have an encounter with the police and uses a victim’s identity, many times, the perpetrator will be released because the victim has no previous criminal record. However, if the perpetrator is summoned to court and does not appear, a warrant for the victim’s arrest may be issued. Again, it may take years to clear a victim’s name and reputation from federal, state, local, and business records.
– Opening new credit card accounts. Perpetrators often open new credit card accounts enabling them to spend money in a victim’s name with no immediate consequences. This is one of the easiest ways for perpetrators to defraud a victim once his or her identity has been stolen.
– Changing victim’s mailing address. Perpetrators often change the mailing address on a victim’s credit card accounts. This prevents the victim from knowing that there is a problem and enables the perpetrator to continue using the credit card and identity. Because the perpetrator, not the victim, receives the billing statements, the perpetrator can continue the scheme for increased lengths of time.
Stealing a victim’s identity
Stealing a victim’s identity is not as difficult as it may seem. Perpetrators can obtain the information required to commit identity theft in numerous ways. Some of the more common types of information-gathering techniques used by identity thieves are as follows:
Perpetrators gain personal information by posing as a legitimate employee, government official, or representative of an organization with which the victim conducts business.
Perpetrators rummage through consumers’ trash – an activity sometimes called dumpster diving. Preapproved credit card applications, tax information, receipts containing credit card numbers, social security receipts, or financial records are valuable sources of information for identity thieves ([10] Saunders and Zucker, 1999).
Perpetrators skim victims’ credit cards for information when they pay their bills. Skimming is a process where perpetrators will use an information storage device to gain access to valuable information when a credit card is processed. Skimming is a hi-tech method by which thieves capture personal or account information from a credit card, driver’s license, or even a passport. An electronic device used to capture this information is called a “skimmer” and can be purchased online for under $50. A credit card is swiped through the skimmer, and the information contained in the magnetic strip on the card is then read into and stored on the device or an attached computer.
Skimming is predominantly a tactic used to perpetuate credit card fraud but is also gaining in popularity among identity thieves. Skimming is a problem, not just in the developed world, but globally. Malaysia, Hong Kong, Belarus, Colombia, Egypt, and Venezuela are some of the places considered as high risk to travelers making credit card purchases. Skimmers are extremely creative – and since skimming devices are so small and easy to hide, it is not difficult for perpetrators to skim a consumer’s credit card without the consumer noticing. The following are some examples of how cards can be skimmed:
– Skimming at restaurants. Many skimming rings have been known to employ restaurant-serving staff to capture credit card information.
– Skimming at ATM machines or gas stations. It is not uncommon for a thief to be bold enough to tamper with an ATM machine. Typically, a “card trapping” device is inserted into the ATM card slot or a card reader is inserted into a gas station pump.
– Skimming by store clerks. A very common form of skimming involves store clerks skimming a credit card when a consumer makes a purchase. The clerk scans the card twice, once for the expected transaction and another in a skimmer for later retrieval. There have also been reports of clerks skimming driver’s licenses when customers that are writing checks supply the license for verification.
Stealing a victim’s identity is not as difficult as it may seem. Perpetrators use numerous ways to get the information required to commit identity theft. Some of the more common types of information gathering techniques used by perpetrators are as follows:
– Perpetrators gather information from businesses. They accomplish this by stealing information from their employer, hacking into organizations’ computers, or bribing/conning an employee who has access to confidential records. Perpetrators steal wallets or purses to gain confidential information or identification. Valuable information is contained in almost every wallet.
– Perpetrators sneak into victims’ homes and steal their information.
– Perpetrators steal mail, which can include bank information, checks, credit card information, tax information, or preapproved credit cards.
– Perpetrators complete a “change of address form” at the local post office and have victims’ mail delivered to a PO box or another address of the perpetrator’s convenience.
– Perpetrators engage in shoulder surfing where criminals will watch consumers from a nearby location as they give credit card or other valuable information over the phone.
– In recent years, perpetrators have begun to use the internet to steal important information. They do this through phishing ([7] Litan, 2004), a high-tech scam that uses spam or pop-up messages to deceive consumers into disclosing credit card numbers, bank account information, Social Security numbers, passwords, or other sensitive information. Perpetrators will send e-mail or pop-up messages claiming to be from legitimate businesses or organizations that consumers deal with – for example, internet service providers, banks, online payment services, or even government agencies. The message will usually say that the victim needs to “update” or “validate” his or her account. The message then directs the victim to some web site that looks like a legitimate organization site. The purpose of this site is to trick the victim into divulging personal information ([8] Lynch, 2005).
Minimizing the risk
The consequences of identity theft have various stakeholders and consumers are one group of them. Following stakeholder theory ([5] Donaldson and Preston, 1995), we suggest that there are many ways to minimize vulnerability to identity theft ([12] Slosarik, 2002) that should include society, organization, and consumer perception of trust as a part of their proactive prevention strategy. The existence of several stakeholders in the process requires a broad approach that takes into account the complexity of the phenomenon. Such approach bases on the rule of division of responsibility between the different stakeholders. Our guidelines how to divide the consequences and responsibility between different stakeholders based on two rules. The first rule is the “deep pocket” approach which focuses on organizational responsibility. The second rule depends on negligence and focus on people responsibility. Thus, our analysis takes into account three levels: society, organization, and individual.
The harder it is for a perpetrator to access personal information, the less likely a perpetrator is to try and defraud someone ([3] Albrecht et al. , 2008). Division of responsibility between the three levels mentioned above is as follows. The parliament is responsible for education as well as legislation by increasing the punishment for acts of identity theft, passing the weight of responsibility for securing the details of individuals on related organizations, except in cases of individual’s carelessness. Some of the most effective proactive ways for a consumer to minimize their risk to identity theft includes the following:
Guard mail from theft. When away from home, have the postal service hold your personal mail.
Opt out of preapproved credit cards. One of the most common and easiest ways for a perpetrator to commit identity theft is to simply fill out the preapproved credit card applications consumers receive via the mail and send them in. While many individuals will destroy preapproved credit cards, this only protects consumers from having perpetrators go through their trash. Perpetrators still have the opportunity to open a victim’s mailbox and steal preapproved credit card applications even before victims are aware that they have arrived. What most consumers do not know is that in many countries laws are in place that allow consumers the opportunity to opt out of preapproved credit card offers. For example, in the USA, consumers can do this by calling 1-888-5-OPTOUT (1-888-567-8688) to have their name removed from direct marketing lists.
Check personal credit information (credit report) at least annually. In most countries, policies are in place that allow consumer to view their credit report. In the USA, for example, The Fair Credit Reporting Act (FCRA) requires each of the nationwide consumer reporting companies – Equifax, Experian, and TransUnion – to provide consumers with a free copy of their credit report, at the consumers request, once every 12 months. The FCRA promotes the accuracy and privacy of information in the files of the nation’s consumer reporting companies. The Federal Trade Commission, the nation’s consumer protection agency, enforces the FCRA with respect to consumer reporting companies. A credit report includes information on where a consumer lives, how consumers pay their bills, and whether consumers have been sued, have been arrested, or have filed for bankruptcy.
Guard social security card and numbers. An individual’s Social Security number is valuable information for any identity theft perpetrator. With knowledge of someone’s Social Security number, perpetrators can open all kinds of new accounts in the victim’s name. Therefore, consumers should always keep their Social Security card in a safe place.
Safeguard all personal information. Safeguarding personal information is very important for every individual. Consumers who have roommates, employ outside help to clean or perform other domestic services, or have outside people in their house for any reason need to be particularly careful.
Guard trash from theft. Consumers need to tear or shred receipts, insurance information, credit applications, doctor’s bills, checks and bank statements, old credit cards, and any credit offers they receive in the mail, as well as any other source of personal information. Buying a shredder is one of the wisest purchases individuals can make.
Protect wallet and other valuables. Consumers should carry their wallet in their front pocket and never leave it in their car or any other place where it can be stolen. It is important for consumers to always be aware of where their wallet is and what its contents are. Individuals should only carry identification information and credit and debit cards that they regularly use in their wallet. Many individuals lose track of the number of credit cards they have. Consumers should limit themselves to only two or three credit cards and keep the 24-hour emergency telephone numbers of all credit cards they possess in their cell phone’s address book. That way, if credit cards are ever stolen, the victim can quickly call the issuing credit card company and put a block on all transactions. Although debit cards help consumers stay out of debt, most do not have fraud protection insurance. On the other hand, nearly all credit cards now come with fraud protection insurance. Before getting debit or credit cards, consumers should realize the risks that are involved with each and try to minimize those risks to protect themselves. A good practice is to photocopy both sides of all your credit cards, travel cards, and other personal information you keep in your wallet or purse.
Protect passwords. Individuals should use passwords on credit card, bank, and telephone accounts that are not easily determinable or available. Consumers should avoid using information that can be easily associated with them, such as their birthday, their mother’s maiden name, their spouse’s name, the last four digits of their telephone number, a series of consecutive numbers such as 1-2-3-4, or anything else that is predictable. Many organizations will use a default password when opening new accounts. Consumers need to make sure they change these default passwords as quickly as possible. Many individuals use the same password for all accounts. While this does prevent individuals from forgetting their passwords, it makes it extremely easy for a fraudster to gain access to all of the victim’s accounts, once the fraudster has gained access to one account.
Protecting the home. Consumers should protect their house from perpetrators. Some perpetrators have been known to actually break into a home and not steal a single physical object. The victims may not even know someone has been inside their home. The perpetrator will steal all information that is needed to easily commit identity theft and then leave. In order to prevent this from happening, it is important to lock all doors, preferably with deadbolts or double locks, and lock all windows. It is a good idea to have an alarm system. If an alarm system is too expensive, it is sometimes possible to get an alarm system sticker, sign, or box and set it outside an individual’s house. This will make possible perpetrators believe that the house has a security system when it does not. If consumers have an automatic garage door with a code box to open the garage door, they need to pay particular attention that others are not watching when they press the numbers on the code box.
Protect the computer. Legitimate companies never ask for confidential information via e-mail. If an individual has a question about his or her account, the person should call the company using a phone number he or she knows is legitimate. If consumers get an e-mail or pop-up message that asks for personal or financial information, they should not reply or click on the link in the message. Perpetrators are even using “cookie” type software to gather personal and confidential information from consumers’ hard drives. E-mail is not a secure way to send personal information. If a consumer needs to send information over the web, it should be encrypted and the web site should be checked to verify that it is genuine. Many web sites will have an icon on the browser’s status bar that shows the site to be secure. If a web site begins with “https:” it is more secure than a web site that only starts with “http:” The “s” means that the site is secure. However, no matter what anyone says, no web site is completely secure.
Conclusion
In this paper, we have discussed the nature of identity theft and provided ways for consumers to protect themselves to the disastrous effects of identity theft. The paper has also discussed the identity theft cycle documenting, for the first time, the process that perpetrators go through to steal a victim’s identity. As discussed earlier, the identity theft cycle includes the stages of discovery, action, and trial. The identity theft cycle is a first step only and additional research into this phenomenon is still needed. The article has also documented the way that perpetrators use stolen assets and how they convert those stolen assets to funds. We suggested that our ten essential proactive ways can be used as a preliminary measure for checking carelessness of organizations or individuals about their responsibility in a case of identity theft.
Unfortunately, identity theft is a growing problem in today’s world. The best tool that consumers have to protect themselves from identity theft is education ([6] Elbirt, 2005) and awareness – which often times leads to early detection ([16] Wang et al. , 2006). When consumers are aware of their own risk to identity theft, consumers can take proactive measures to protect themselves from becoming a victim of identity theft. It is our hope that this research aids in the prevention and early detection of identity theft.
The material discussed and presented in this article were made in connection with Fraud Examination , 4th edition, authored by Albrecht, Albrecht, Albrecht, and Zimbelman and published by South-Western Cengage Learning. Fraud Examination is the first textbook on fraud specifically designed for business schools and is used in over 100 business schools throughout the world today.
References
1. Albrecht, W.S., Albrecht, C.C., Albrecht, C. and Zimbelman, M. (2011), Fraud Examination, South-Western Cengage Learning, Mason, OH.
2. Albrecht, W.S. and Albrecht, C. (2004), Fraud Examination and Prevention, Thomson South-Western, Mason, OH.
3. Albrecht, C., Albrecht, C.C. and Dolan, S. (2008), “Financial statement fraud: learn from the mistakes of the U.S. or follow in the footsteps of its errors”, Corporate Finance Review, Vol. 12, pp. 5-13.
4. Berghel, H. (2000), “Identity theft, social security numbers, and the web”, Communications of the ACM, Vol. 43, pp. 17-21.
5. Donaldson, T. and Preston, L.E. (1995), “The stakeholder theory of the corporation: concepts, evidence, and implication”, Academy of Management Review, Vol. 20 No. 1, pp. 65-91.
6. Elbirt, A.J. (2005), “Who are you? How to protect against identity theft”, Technology and Society Magazine – IEEE, Vol. 24, pp. 5-8.
7. Litan, A. (2004), “Phishing attack victims likely targets for identity theft”, Gartner Research, 4 May, FT-22-8873.
8. Lynch, J. (2005), “Identity theft in cyberspace: crime control methods and their effectiveness in combating phishing attacks”, Berkeley Technology Law Journal, Vol. 20, p. 259.
9. Pastrikos, C. (2003), “Identity theft statutes: which will protect Americans the most”, Albany Law Review, Vol. 67, pp. 1137-57.
10. Saunders, K.M. and Zucker, B. (1999), “Counteracting identity fraud in the information age: the identity theft and assumption act”, Cornell Journal of Law and Public Policy, Vol. 8, p. 661.
11. Sharpe, T., Shreve-Neiger, A., Fremouw, W., Kane, J. and Hutton, S. (2004), “Exploring the psychological and somatic impact of identity theft”, Journal of Forensic Sciences, Vol. 49, pp. 131-6.
12. Slosarik, K. (2002), “Identity theft: an overview of the problem”, Criminal Justice Studies, Vol. 15, pp. 329-43.
13. Smith, A.D. (2005), “Identity theft and e-fraud as critical CRM concerns”, International Journal of Enterprise Information Systems, Vol. 1, pp. 17-36.
14. Towle, H.K. (2004), “Identity theft: myths, methods, and new law”, Rutgers Computer & Technology Law Journal, Vol. 30, pp. 237-326.
15. United States Federal Trade Commission (2007), Identity Theft, Consumer Sentinel Network, United States Federal Trade Commission, available at: www.ftc.gov/sentinel.
16. Wang, W., Yufei, Y. and Archer, N. (2006), “A contextual framework for combating identity theft”, Security and Privacy, Vol. 4, pp. 30-8.