NerdWallet's Smart Money Podcast - Things You Can Do Right Now to Protect Yourself from Identity Theft
Episode Date: April 4, 2024Learn how to protect your identity from theft and fraud by understanding how criminals are exposing authentication flaws. How can you protect yourself from identity theft and financial scams? What s...teps should you take if your identity has been compromised? Hosts Sean Pyles and Sara Rathner discuss the pervasiveness of identity theft and practical defense strategies to help you safeguard your financial well-being. They begin with a discussion of protecting yourself from identity theft, with tips and tricks on setting up fraud alerts, freezing your credit and using unique passwords with the aid of password managers. Then, Eva Velasquez joins Sean to discuss the nuances of authentication and identity theft. They discuss the challenges businesses and individuals face in verifying identities online, the misuse of social security numbers and the rise in data breaches, particularly in the healthcare sector. Plus: the alarming increase in data breaches in 2023, the importance of questioning every suspicious communication you receive, and the necessity for public and private organizations to refine their authentication methods. In their conversation, the Nerds discuss: identity theft, financial scams, data breaches, cyber security, credit freeze, fraud alert, authentication, online identity, personal data protection, cybercriminals, financial fraud, password managers, financial well-being, data security, impostor scams, phishing, identity fraud, scam prevention, credit monitoring, sensitive information, identity protection, financial instruments, identity thieves, scam victims, credit card fraud, loan fraud, biometrics, cybersecurity strategies, data privacy, digital financial transactions, identity theft resource center, federal trade commission, IRS IP PIN, financial defense, digital predators, financial peace of mind, consumer protection, scam recovery, safeguarding data, and financial education. To send the Nerds your money questions, call or text the Nerd hotline at 901-730-6373 or email podcast@nerdwallet.com. Like what you hear? Please leave us a review and tell a friend.
Transcript
Discussion (0)
You never think it's going to happen to you. You'll never fall for a scam. You're too careful
to have your identity stolen. You know how to sift through the clutter and the misinformation
all on your own. Well, I'm sorry, dear listener, but it could happen to you. So today we launch a
new series to make sure you know as much as possible about how to protect yourself
and your finances from scams. I say this unequivocally, your data is out there. Now,
not every scammer has every piece of your data, but I don't want people to be under the impression
that, well, I didn't receive a breach notice or I wasn't paying attention, so that must not be
happening to me. No, I'm talking to you. Your data is out there. Welcome to NerdWallet's Smart Money Podcast. I'm Sean Piles. And I'm Sarah Rathner.
And this kicks off our nerdy deep dive into all the ways that identity thieves can turn your life
upside down, especially your financial life. We did not want to have to do a series on this,
but we hear story after story about people who fall victims to scammers because it can happen
to anybody. And we want to give you every tool scammers because it can happen to anybody.
And we want to give you every tool possible to avoid having it happen to you.
Sean, I'm going to say it again, just for good measure. It can happen to anybody and you do not want it to happen to you. Scammers and identity thieves are evolving with every new technology,
including AI. And sometimes it feels impossible to keep up with them. And honestly, we might not
be able to. But in this series, we're going to talk about the ways to protect yourself and what
steps to take. Heaven forbid you become a victim. Here's a sobering stat, Sarah. According to the
Federal Trade Commission, people here in the U.S. reported losing more than $10 billion to scams in
2023. That's over a billion dollars more than the year before. Yeah. And toward the
top of the list were imposter scams, people claiming to be something they're not, whether
it's your bank, your insurance company, or even your mom. And that scam has a famous face to go
along with it. Folks might have heard that Andy Cohen, a host at the Bravo Network, lost a chunk
of money to thieves who posed as bank employees and got him to log into his account
and eventually stole from him via wire transfers. So awful. And Sarah, the reason you and I keep
reiterating that this can happen to anyone is because it's important to know that if it does
happen to you and it messes up your finances, you are not alone. And it's not because you are stupid
or careless. People who experience identity theft and scams
don't have a demographic profile.
In fact, we'll hear in this series
that younger generations are falling prey
to this kind of thing at higher rates than their elders.
Let's be specific about that, Sean.
According to a 2022 report
from the National Cybersecurity Alliance, Gen Z,
people who don't even remember a time without the internet
report higher rates of being taken in by everything from identity theft to phishing and romance scams, more so than baby boomers do.
So again, if you're feeling like your cyber defenses are impermeable, well, we're here to suggest that you double check.
Yeah, and we're not here to scare you, even though all of this can be pretty scary.
But we are here to help you build those defenses so that you can keep your money safe and secure and not in the hands of absolutely horrible people.
Criminals.
Criminals.
So Sean, have you ever had this happen to you in one way, shape or form?
I've been contacted by plenty of scammers, like especially during the tumult around the
student debt cancellation a year and a half ago. I was getting calls multiple times a week from
scammers that were trying to get me to pay them to have my loans canceled, a totally predatory scam that
preyed on people's desire to finally be free from the burden of student debt. But fortunately,
I have never lost money to a scam knocking on wood right now. How about you, Sarah?
Thankfully, I haven't been parted from any of my money yet. But I recently sold some pricey
baby gear
on Facebook Marketplace
and the scammers absolutely came crawling out of the sewers
the moment I posted the listing.
So here's what tipped me off
to the first scammer of several.
Their Facebook profile was created
just within the last couple of years.
So when I see a very empty profile,
it kind of raises my spidey senses a little bit.
And then in chatting with me
through Facebook chat, they told me some whole story about how because of their work schedule,
their brother would be the one to pick up the item for them. There was no conversation. They
were immediately just like, my brother's going to come pick it up, by the way.
There's always some convoluted story, right?
Right. It got a little complicated. And there was also another woman who hit me up and also
mentioned that her sister would be the one to pick it up for her. And I'm like, Oh, I've heard that story five minutes ago. That's weird. Then they tried to pay me through Venmo as if I was a business, which I am not on Venmo or in life. And so when that didn't go through, they sent me this like typo written email with a QR code and like click on this link. And that's the point where I was just like, absolutely not. And I just
totally ghosted them and stopped responding. Yeah. Unfortunately, Facebook Marketplace is
one spot where people will experience scams just constantly. I hear these stories all of the time.
And your story exemplifies why we took on this series. We want to help people understand things
like how pervasive are scams? How vulnerable am I? And how can I protect myself, my loved ones,
and my cash?
All right, well, we want to hear what you think too, listeners. Tell us your stories of identity
theft or share how you're working to fight it or recover from it. Leave us a voicemail or text
the Nerd Hotline at 901-730-6373. That's 901-730-NERD or email a voice memo to podcast
at nerdwallet.com.
So Sean, where do we start today?
Our guest today is Eva Velasquez. She heads up the Identity Theft Resource Center,
which is a repository of all things scammy and ID thievery. And she used to be in law
enforcement putting the bad guys away. We'll talk with her first about the scope of the problem.
And then we'll hear from her about what is the kind of first step in this process,
which is identity theft leading to identity fraud.
Eva, I'm so glad you could join us on Smart Money.
It's a pleasure to be here.
So since you are immersed in this issue, I want to start with a broad picture of the
ID theft scam landscape, because we as a country and the world really
have been dealing with this problem for well over two decades now. And the technology has
gotten smarter. And so have the people taking advantage of that technology to do us financial
harm. So can you give us a brief evolution of how we got to this point from the early days of
dumpster diving and stolen laptops to now with
AI copying our voices? Well, if you think about how scams have been perpetrated historically,
there was a lot more effort that had to be put into it. They'd have to mail a solicitation,
call you on the phone. And while those things still happen, we have all of these new channels.
We have email, we have text messages, we have social media. So there's all of these new channels. We have email, we have text messages, we have
social media. So there's all of these new ways that the scammers can get their hooks into you.
And if you also think about our identities and sort of traditional identity fraud,
and just for the record, for people listening, identity theft is the theft of the credentials
that would be used to commit identity
fraud. So the fraud is the misuse piece of it. The notion of our identity and what goes into
our credentials, it has expanded over the last 20 years. I mean, it really used to be your social
security number, your date of birth and your financial accounts. And now we've got logins and passwords.
There's misuse of driver's license numbers
and just all of this other data about us
that's used to authenticate us.
That can also be misused.
I think the easiest way to put it is
anything that you can do with your identity,
online or otherwise,
a bad actor can do
if they have the right information about you.
So there's so much more information connected to each of us as individuals, like you just
described, our driver's license numbers, our social media logins, our bank information,
and scammers have more tools at their disposal that make it easier for them to try to get that
information from us in some way from the comfort of their couches.
Oh, exactly. The bar to
entry for these threat actors is so low, there isn't even a bar anymore. Okay, they're just
stepping into the room. Because if you look at the fraud ecosystem, it doesn't take anything but a
little bit of seed money to get into this fraud game. And I'm coming from a place of when I was
in law enforcement investigating these types of crimes, so much of
it was in person and they had to have the look and have the language and really be able to present
themselves as whatever they were saying they were. And now that's just not the case. You're sitting
behind a keyboard. You can use images that you've just pulled off the internet. Now, with all of the technology available, it's very easy to
write slick looking emails or text messages. And the punishment, if you are caught, which is very
rare, it isn't a deterrent because you make all of this money, it's banked somewhere offshore,
and it's waiting for you when you get out in 18 months. Can you give us a sense of how big the problem is?
The ITRC just released its latest annual report.
What is this costing us as a citizenry?
The challenge with this is, you know, which problem?
Because there's so many facets to the identity crime problem.
We have the theft problem first.
And we just released our data breach report.
Now, these are the known publicly notified data breaches
that occurred last year in 2023. We blew the previous record absolutely out of the water,
72% increase over the all-time record that we hit in 2021. So our data and the information
necessary to commit these crimes against us is absolutely out in the wild. And I
really want your listeners to know, I say this unequivocally, your data is out there. Now, not
every scammer has every piece of your data, but I don't want people to be under the impression that,
well, I didn't receive a breach notice or I wasn't paying attention, so that must not be happening to
me. No, I'm talking to you. Your data is out there.
What's funny hearing you say that is I'm reminded of a piece of mail I got last week that alerted
me to the fact that I could win some money in a settlement because of a data breach that
involved my personal information.
And I had no idea that I was involved in this data breach until I received that postcard
in the mail last week.
Oh, my goodness. The newest form of data breach notification is the class action
notification saying you're a member of this class. I'm sure you're not the only one.
I'm wondering what you see as the biggest change over the years in how people are duped.
We have an authentication problem in this country. Well, globally, frankly, we don't know who we're interacting with. But before we had these very cheap methods of communication, really, you weren't getting a mailbag of fraudulent solicitations dumped on your porch every day. But if you think about email in the same terms, you really are. We're getting just besieged. And so I think
the biggest change has been I can't tell who I'm actually talking to because these aren't in-person
interactions. And there are so many of them that it's very hard for me to tell if that is a
legitimate business or government entity that's talking to me. Let's talk a bit about why it seems like scammers
and thieves are always ahead of those who are chasing them.
Why are they so adaptive and challenging to shut down?
There's a number of reasons.
First of all, it is their full-time job.
That's all they do is look for vulnerabilities.
I was just talking this morning in our standup meeting
with one of our members of our team who was talking about how she could keep her dog from getting out from the fence.
They were putting chicken wire under the fence.
They put something on his collar so that he couldn't squeeze through the fence.
And I laughed and said, your dog's a hacker.
Your dog is spending all day searching for the vulnerabilities in your fence line.
And you have to be right a thousand
times. You have to have everything absolutely perfect. And the dog only has to be right once.
That applies when we're talking about the relationship that the good people of the world
just trying to live their lives and the good businesses trying to protect their information
and their data are up against when it comes to these threat actors whose full-time job is to
look for those vulnerabilities and then exploit them. What, in your view, is the main issue that
we're not addressing in this country to help solve the problem? I go back to it's an authentication
issue. We cannot continue to authenticate people. And that is, I am who I say I am in the traditional ways that
we've done it in the past. And mostly that's either been in person. I walk in the door and
you go, yep, I know that's Eva because I know her from before, or we have a past relationship.
But because we've moved to so many digital only transactions, and these are, you know, often financial
transactions, there's a lot behind them. We don't know who we're talking to. Businesses don't have
the best handle. They certainly have a lot in place and there's a lot of rules and laws and
regulations in place to know your customer. But even individuals don't know. They go to a dating
website. They don't know if that's really the picture and the person that they're talking to.
You go to a Facebook marketplace to sell something.
You don't actually know if that's a real person.
And so if we focus more on devaluing the static data and using different types of tools, of course, in a privacy-centric and consent-based manner.
We have to devalue this data and work on the authentication problem.
And then some of these other issues will absolutely be resolved.
What I was thinking about as you were talking just then is how we have turned our social
security numbers into the catch-all for authentication.
And they were never designed
to be used in this way. Right. And given the number of hacks that have happened,
including the 2017 Equifax hack, it's safe to assume for the vast majority of people,
if not everyone in this country, that our socials are floating out there and people can use them
to pretend to be you and to authenticate themselves as you. And that's just a glaring flaw in our system.
Oh, it absolutely is.
Social security numbers are a good identifier.
That's the Eva Velasquez that lives here, that was born this year.
That is me.
But they're not a good authenticator.
So that's where I go into we need better authenticators.
And we have some promising tools, things like biometrics, even though some people still get that creepy factor.
They are very, very useful when used ethically in conjunction with that Social Security number, usually not necessarily without it, especially when we're talking about financial transactions like getting a credit card or a loan or something like that.
Sean, the statistics on this are outrageous and they're mind numbing.
And it almost makes you want to go back to bed and also wonder if you should just expect
that this is going to happen to you and just give up, give in, deal with it when it comes,
you know, like a natural disaster.
But I know that that's not a good idea.
Yeah, it is so easy to feel overwhelmed by the magnitude of the problem. But that's why we're going to go step by step
through this process over the next few weeks to empower everyone listening to make the choices
and decisions that will best protect them. So in a moment, we are back with Eva Velasquez to talk
about identity theft, what happens, how you can prevent it and what to do if it happens to you.
Stay with us.
All right, so this week we're talking with you about identity theft.
Next week we'll be addressing identity fraud.
What's the difference? sounds like theft is the taking of the data, the credentials, the documents that can be used
to commit identity fraud, that can be used to impersonate you. And the theft has to occur
before the misuse can occur. So theft is really just the first process in this criminal food
chain, right? Absolutely. So walk us through what the difference is
between when our data is compromised
by an attack on a company
and other forms of identity theft.
Well, we just released our data breach report for 2023
and it was pretty staggering.
Record number of breaches, 3,205.
That we know of.
Oh, that's such a great point.
We know that breaches are underreported.
And so these are the ones that were publicly available to us. But there are other ways that
that theft can happen. Stealing these things from the mail. That is a huge issue right now that not
a lot of people are talking about. Your checks, your driver's license, passports, birth certificates, anything that's coming through the mail.
These criminal gangs have secured the keys to the blue mailboxes, either through insider threats or through, frankly, holding at gunpoint, holding the mail carriers up for these keys.
And they're stealing them.
And they're not just for
sale on the dark web, though that's happening. But more and more often they're on the public web,
they're on YouTube. So people don't even know that their credentials are out there. And these
are the physical documents. So there's two examples and there are others of the way that
there can be a theft of your data. So when there's something like a data breach from a company,
it's a hacker going into maybe a cloud server somewhere
and getting all the login credentials
and credit card numbers of someone who's signing up
for a specific service potentially.
Whereas if it's individual identity theft,
it might be someone stealing your passport
or your banking information from a check in the mail.
Correct.
The scope is different.
So in these more analog types of activities,
stealing mail, breaking into your car
and stealing your laptop, dumpster diving,
those things still happen,
but they don't have the scale and the scope
that data breaches have.
So there are so many ways
that they can get these vast swaths of data from these
companies that hold our data. Are there specific industries where these data breaches are more of
a problem than others? Well, healthcare was the number one industry this year, but that's going
on, I believe, six years in a row. It's hard for us to pinpoint why that is, but the richness of the data itself makes for a very lucrative and enticing target.
You're usually going to have financial information, credentials of some kind, health care diagnoses, which often feel deeply personal to people. And I can tell you the story about one incident where it was the data that was
stolen and then exfiltrated was for recent breast cancer patients. Included in this data,
there was financial information and other credentials, but included were pre-op and
post-op pictures. Why would a scammer want this type of information? Because it's leverage to around the country, in this case,
at a hospital where we're seeking care. And it's just all too easy for a threat actor to go in
and do one hack and get everything about us in one go. Well, I don't want to say easy. It's
possible because I don't want to accuse every hospital or every medical provider
of having weak cybersecurity infrastructure. I just think that we're in this fight. And I go back
to the role of the hacker. We have to be right every single time and they only have to be right
once. And so they find a single vulnerability and then infiltrate themselves.
Well, let's talk about some of the ways that thieves go about stealing our identities.
What are some very practical things that we should be on the lookout for?
Like, how do we play defense here?
Well, certainly they want to use it in financial institutions. So they'll want to get credit cards, car loans, mortgages,
payday loans, any kind of financial instrument where it's a loan and doesn't have to be paid
back. They would love to pin that on you. And for the folks who think, well, I don't have great
credit and so have at it, please remember, they can probably get loans. They're going to get loans that you
wouldn't take because you look at that interest rate and say, well, I can't pay that. They don't
care. They're not paying it back. So in that case, what do you think would be the best way for people
to prevent something like that from happening? Oh, freeze your credit. Absolutely. 100 percent.
Freeze your credit. It's free. It's free no matter where you live. It doesn't take that long at all
three of the bureaus, Equifax, Experian, and TransUnion. And now you have to keep track of
that login information. So that's one more thing you have to keep track of. But it is absolutely
worth it because no one can open new credit in your name, even if they have all of the credentials
that are necessary. And honestly, I'm just begging people, have a birthday party and as a gift,
just ask your relatives to freeze their credit. And after that first time of freezing your credit,
it's actually quite simple to thaw when you need to apply for credit again and then refreeze it.
You can actually set it so that your credit automatically refreezes after a certain period
of time. Yep. You can set a window.
Well, beyond freezing your credit, what are some of the best ways that we can protect ourselves,
especially when we don't seem to have much control over these cyber attacks on companies that
do filter down to us? How do we play offensive?
Well, there are a couple of things that I think people should do. The first one is
update your password game. So if you use a unique password across all of your accounts, that is going to be extremely helpful.
And for the folks that say, I've got too many, I can't remember them, my recommendations are
either write them down or use a password manager, which can be a very useful tool if you find them
intuitive. A lot of people
don't, and I don't recommend any particular one over the other, but they can be a very useful tool.
And for other folks, again, just go ahead and write them down. Well, what are some steps that
people can take if they found that identity theft did happen to them? Or if they think that their
identity has somehow been stolen or compromised,
what are maybe the first three major things that someone should do?
This is where it gets challenging because this is such a broad problem that the action steps that
you're going to take are going to be really dependent on what type of data we're talking
about. Reach out and get help. Don't be ashamed or embarrassed that you can't figure this
out on your own. There are plenty of legitimate free resources out there. Now, of course, ITRC is
one of them. We have a toll-free hotline. We have live chat on our website, but you can also get a
ton of really good information about what to do next from the Federal Trade Commission, AARP, Fraud Watch. And of course,
there's you guys. So I would have to say top three things. Understand specifically what has
happened to you. What information has been compromised or is being misused and have that
ready. And then two, seek help. Everybody needs help. And this is a really complicated space.
Is there a specific way that people can try to stop the bleeding in the aftermath of an
instance of identity theft?
Well, absolutely.
And we talked about freezing your credit.
And then there's things like fraud alerts, changing your passwords if you know that it's
a digital account that has been compromised.
So in the case of, well,
let's say taxes, because we haven't talked about that. Let's say it's a federal tax refund fraud
that's occurred. And you now know that someone has filed a false return or attempted to file
a false return in your name. There are specific things that you can do to protect yourself
in the future. One of them is the IP or identity protection pin.
They're issued by the IRS and it's one more extra layer so that you can't file your taxes without
that pin. And then from a kind of stop the bleeding standpoint, I always tell people
to react, not panic. Because if you are spending your mental energy angry and wanting to figure out who did this to you,
I would rather see you spend your energy on cleaning up that mess, getting the proper forms
filled out, reporting it to the right places and getting the help to recover your identity that you
need versus I've got to find out who did this to me so I can get my pound of flesh because I got to manage expectations here.
The vast majority of victims never find out who the perpetrator is.
And the vast majority of cases never go through the criminal justice system.
So, Eva, what tools would you say we as consumers should have but don't?
Is there a magic bullet out there that just isn't being made available to us?
I don't think there's any one magic bullet. I wish there was like this panacea that would
solve all of our problems. But this is something that all stakeholders have to get involved in.
We need government to make some changes to rules, regulations and policies. We need industry to make
some other things available to us. And then we come in, we as consumers need to put some of these best practices, make
them habits.
Just things like turning on alerts on all of your accounts.
You can do this with your financial accounts.
You can get an alert every time your debit card or your credit card is used, particularly
for card not present transactions.
And the other thing that you can do,
again, it's not a silver bullet, but it's already available to all of us now. We just don't
necessarily practice it. With all of this incoming communication, if you didn't initiate the contact,
I want you to go to the source. So if you have something incoming, a phone call from the IRS,
a text message from your bank, an email from your employer asking
you for sensitive data. Rather than respond in that thread, I want you to go to the source and
say, hey, are you trying to get in touch with me? 99 times out of 100, the answer is going to be no,
they're not trying to get in touch with you. So it's just that taking that little bit of time to verify and kind of having a skeptical attitude that you have to verify everything that's incoming,
that you didn't initiate the original contact. I'd love to hear what you would say to listeners
who might be thinking to themselves, this is just too complicated. I don't have time to deal with
this. And there's nothing that's really going to help anyway, because I think it is very easy to feel helpless against this onslaught.
Because like you mentioned before, even reporting an instance of fraud or identity theft to the
police seems like it's probably not going to help much. I can really empathize with that. And I do
hear it. I do hear it from people are like, this is just,
you know, this is so hard. It's too much. And it's not how I want to live my life. Well, not every one of these tips applies to every person. So I just encourage people to focus on
where do you spend most of your time? Is it on email? And if it is, then okay, I'm going to
teach you some attitudes and some tips over email.
And you can start there until it becomes a habit.
Is it on social media?
Well, I really want to teach you some habits and tips that you can practice on social media
so that you aren't going to be victimized.
So we can start there.
And even putting just those small things day to day in place, it stops you from being the low hanging fruit.
And scammers love the low hanging fruit. So don't be the low hanging fruit.
Well, final question, Eva, I have to ask. I know you started your career in law enforcement,
but despite that, have you ever had your identity stolen? Has any of what we've talked about today hit home?
Well, early on, I did many, many years ago, and it was existing account. I had a couple of
different times where an existing credit card was misused and not authorized by me. And I don't want
to turn myself into a target in case anyone is listening and saying, oh, she hasn't had someone open new accounts in her name.
Well, Eva Velasquez, president and CEO of the ID Theft Resource Center,
thank you so much for helping us out today.
It was a pleasure. And I hope folks learned something today and they feel more empowered
to be able to take care of themselves out there in this crazy identity world.
Sarah, what I keep coming back to is the simple fact that identity theft scammers really have the upper hand right now. As Eva said, a scammer's full-time job is trying to
manipulate us and manipulate our personal information to get our money. And regulation
has not kept up. So like with many things in this country,
we unfortunately are on our own right now. And we have to do everything in our power to try to keep
ourselves safe and financially afloat. It's unfortunate that regulation doesn't
keep up with the tech savviness that's happening here. And so that's what's really slowing down
any real efforts to provide some not just protection, but maybe compensation if this happens to you. Yeah, that's the issue. Like, not only do you need to be
protected, but you need to be made whole if it does happen to you. And it feels a little bit
like the Wild West. All right, Sean, what's coming up next week in episode two of this series?
Next week, we are going to look at what happens when thieves steal your identity. The next step
is to commit fraud with that identity.
And for most people, you'll never see it coming.
August 28th was a normal day.
Like I took my cat to the vet, went and got groceries.
That morning, I checked my online banking just to make sure I had enough money to do everything.
It just seemed like a normal day.
And then everything changed that evening when I got that email.
For now, that's all we have for this episode. Do you have a money question of your own?
Turn to the nerds and call or text us your questions at 901-730-6373. That's 901-730-NERD.
You can also email us at podcast at nerdwallet.com. Also visit nerdwallet.com slash podcast for more info on this episode. And remember to follow, rate, and review us wherever you're getting this podcast. This episode was produced by Tess Bigland. I helped
with editing. Kevin Berry helped with fact-checking. Sarah Brink mixed our audio. And a big thank you
to NerdWallet's editors for all their help. And here's our brief disclaimer. We're not financial
or investment advisors. This nerdy info is provided for general educational and entertainment purposes
and may not apply to your specific circumstances. And with that said, until next time, turn to the nerds.