Identity Fraud, Part 1: A $45 Billion Snowball

Imagine getting a US$45 billion bill without knowing exactly how you ended up with such a big tab.

That’s exactly the situation facing Americans struck by identity fraud.

In 2007, the misuse of lost and stolen identity information cost $45 billion, an average of $5,574 per incident, according to Javelin Strategy’s 2008 Identity Fraud Survey Report.

There’s reason for both consumers and companies to be concerned.

Consumers bore only an average of $691 of that cost, and more than half paid nothing, said Mary Monahan, the Javelin Strategy analyst who wrote the report. However, unlike burglary or robbery, it’s not clear to most people how their identities are stolen — and some don’t even know the crime took place.

“Unfortunately, victims rarely know who it is or how it is that their identity is compromised,” said Jay Foley, executive director of the Identity Theft Resource Center.

Sizing Up the Problem

In fact, just 35 percent of people who had suffered identity theft knew how it happened, Monahan’s report found.

Of those, 35 percent, the largest single category, reported that the theft was the result of a lost wallet.

Purchases — including in-store, mail-order and telephone — accounted for 23 percent of thefts, the next largest category. Unscrupulous employees can use small devices called “skimmers” to record credit card information, and sell or use that information to make new cards. ATM machines can also be equipped with such devices.

Employee fraud was involved in 17 percent of identity theft cases, according to Javelin’s research. Fourteen percent occurred in connection with online activities.

Eight percent of losses were attributed to viruses, worms or other computer malware designed to steal personal information, the company’s data show. Data breaches led to 7 percent of losses, while 6 percent were attributed to theft of mail, the report indicates.

Four percent involved consumers who fell for phishing attacks in which an attacker sends a message, typically by e-mail, purporting to be from a financial organization with which the recipient has a relationship, hoping the person will give up personal information and passwords in response.

Interestingly, the figures show that the Internet — widely feared as the den of all identity theft iniquity — is actually statistically safer than many long-standing purchasing methods.

Data breaches are big and dramatic, and often make headline news.

Through August of this year, 449 different breaches involving 22,091,338 records had been reported, according to the Identity Theft Resource Center. In 2007, the organization documented breaches involving as many as 127 million records.

Still, as Javelin’s research shows, the likelihood that any one consumer will be the victim of theft as a result of such a breach is low.

The Specter of False Medical Records

Much of the identity fraud common today does not involve financial instruments. Rather, it involves health insurance information; or identity documents such as Social Security cards, which are needed to get a job; or driver’s licenses, which can help give criminals temporary cover.

“Probably 80 percent of all identity theft today is non-credit related,” said Tom Harkins, chief strategy officer for Secure Identity Systems.

Such fraud can be extremely insidious and potentially more threatening than typical financial fraud, said Paul Stephens, director of policy and advocacy for Privacy Rights Clearinghouse.

Medical fraud can result in incorrect health information showing up on an individual’s medical record, which could lead to a potentially deadly mistake if that person should end up unconscious in an emergency room after an accident or sudden illness, Stephens said. It can also raise issues in trying to get health or life insurance coverage.

Thwarting such theft is difficult, but there are paid services that attempt to address the problem. Harkins’ company, Secure Identity Systems, claims it can catch many efforts to steal identities unrelated to credit by cross-referencing information databases to look for unexpected driver’s license applications, for instance.

Consumers can also opt for identity-theft prevention services, such as those offered by Debix and Lifelock. The companies maintain fraud alert reports on a person’s credit service, requiring creditors to contact the individual directly for confirmation that a credit application is legitimate.

Debix also includes an automated telephone system that includes security information designed to make it difficult for a thief to impersonate someone else over the phone.

Self-Preservation Tactics

Are the services worth it?

The Privacy Rights Clearinghouse generally discourages consumers from subscribing to such services, Stephens said. Some consumers may benefit from paid credit-monitoring — say, those in the midst of messy divorce, whose angry spouses could use their personal financial information to wreak havoc. However, it is not worth the money to most, he said.

Consumers can do for themselves — and free of charge — much of what a company like LifeLock does for a fee, he said. That includes putting temporary fraud alerts on credit reports and taking their names off junk mail and preapproved credit offer mailing lists. Residents of all 50 states can also now stop new credit applications with a security freeze that can only be reversed with an identification number provided by the credit bureaus.

Still, credit freezes are inconvenient and impractical for young and mid-life adults busily buying homes, cars and other merchandise that requires quick credit approval, noted Mike Prusinksi, LifeLock’s vice president of marketing.

“Even a security or credit freeze can’t stop everything,” he commented.

Identity Fraud, Part 2: Digging Yourself Out of the Wreckage

Identity Fraud, Part 3: Taking the Target Off Your Back