Wednesday, July 29, 2009

Business Identity Theft - Dangers, Gaps, Solutions

I stress that these views are mine and influenced by the works cited here, they are not necessarily the views of ID Experts.

UPDATE 08/06: Panda Security reports 44% of SMBs admit falling victim to cybercrime.

Generally speaking, when most people discuss identity theft, they are referring to an individual using the personal identifying information of another individual, without their consent, to obtain some profit or advantage. Identity theft is largely viewed as a “people” problem, and for good reason- Most state and federal laws, websites, non-profit organizations and consumer advocacy groups tasked with the job of helping identity theft victims address the American consumer at large.

Yet, small and medium sized businesses (SMBs) are an attractive target for identity thieves. According to the Institute of Consumer Financial Education (ICFE), SMBs usually qualify for larger lines of credit, “enjoy extended payment terms and less transactional scrutiny for large purchases or high value ticket items than individual customers.” They often have physical property such as computer equipment of value, or perhaps inexperienced employees that may be susceptible to phishing attempts or bribes. Many SMBs are located in shared business buildings, making it even easier to obtain credit cards and loans. All a criminal has to do is rent a small space or mailbox in your building- the address will verify as correct, and he’ll get the credit cards, loan documents, and bills instead of you. Before you even know something is wrong, he has skipped town without a trace- except for the damage to your business.

In addition to being lucrative, small and medium size businesses are often careless with privacy and security because they are preoccupied with- well, running their business. According to the ICFE, “Many businesses do not regularly review their business credit report.. [or] ..always carefully scrutinize employee charge card billing statements before they are paid, particularly those accounts for which multiple cards are issued.” Additionally, a recent survey from security firm Panda Security shows SMBs in the United States are increasingly the victims of cybercrime, yet many do not take simple precautions to protect themselves. By the numbers:

* (44 percent) were hit by some form of cybercrime

* (10 percent) surveyed were hit so bad that they had to stop production -- worldwide, the average was 30 percent.

* (50 percent) of companies in the survey lost time or productivity as a result of being infected.

* (97 percent) of U.S. SMBs have installed anti-virus and (95 percent) claim their security systems are up to date. YET (29 percent) said they have no anti-spam in place, (22 percent) are without anti-spyware technology and (16 percent) do not have firewalls. (52 percent) said they have no web filtering solution in place. (39 percent) of respondents said that they have yet to be trained about IT threats.

When you combine large cash /credit flow and little scrutiny or security, it is easy to see what a gold mine this is to thieves. I’m not done yet- There is another factor that makes these threats an increasing danger in an age of government transparency and online communications. Not only are you an attractive target, but obtaining the documentation necessary to impersonate a business or pose as a representative of the business is often easier than for an individual.

Your business information is easily obtained from a variety of offline and online sources. Business stationary and business cards are easy to obtain and duplicate, and since “most businesses are eager to open new accounts for other businesses, and the process can be quite simple- such as submitting a request on company letterhead along with the business license number and Tax ID.” (ICFE) Since most businesses display their business license on their wall (as many are required to by law), this theft is dangerously easy. Additionally, businesses may engage in high-risk sharing of their business information. Because many companies such as Costco require an EIN to give users status as a business, the EIN is tossed around a lot on documents and over the phone. Small business owners may even be using their own social security number in place of an EIN, increasing their risk and potential for damage. SMBs aren’t just a gold mine; they’re a gold mine filled with diamonds.

There are unfortunate gaps in our system. There are hundreds of companies, pre-paid legal services, private investigators, non-profits and consumer advocacy groups that are trained and versed in handling personal identity theft- but find themselves either unprepared or unable to assist businesses when they become victims. Their hands are often tied by either state laws, procedural technicalities, binding contracts and user agreements or just plain ignorance.

As pointed out in a recent article by Business Week, “While business identity theft can often be prosecuted under other statutes, like mail fraud or wire fraud, businesses victimized lose many of the protections afforded to consumers under identity theft laws, like access to information about their credit. Before California last year amended its 1997 identity theft law explicitly to include crimes targeting business entities, a business whose identity had been co-opted could not even get a police report. ‘We were having businesses being taken over and their names being used and I could not prosecute them, at least under ID theft statutes,’ California Deputy Attorney General Robert Morgester says.” (The state legislature amended the “person” in identity theft cases to encompass associations, organizations, partnerships, businesses, trusts, companies and corporations, in addition to logos and “photographic representation” as legally recognized personal ID data.) Yet, there are many other states that still do not recognize business identity theft as a separate crime at all.

Additionally, many loan contracts and credit agreements may have fine print that could leave you high and dry. According to ICFE, “liability provisions in many cardholder agreements specifically exclude: unauthorized transactions involving business cards and cards used for business purposes…and instances where a transaction by an individual, who at some point was given permission to use the card by the cardholder, ‘exceeds authority’ given by the account owner.” Since insider threats are still the biggest concern when it comes to loss prevention, this particular fine print can mean a lot to a business owner. Perhaps most devastating: “Most loan documents contain a provision which states that if the lending bank ‘deems itself insecure’, repayment of the loan may be accelerated. If numerous fraudulent accounts have caused the bank to no longer be confident of the business’ long term viability, a business’ loans or credit lines may suddenly be called and most businesses would simply not have sufficient cash or liquid assets available to fully service the debt.” While there has been a little progress in this area, like state laws, there are a lot of gaps. Visa, MasterCard, and American Express no longer distinguish between small business and individual credit card fraud, which helps companies to clear the purchases made by thieves. We can only hope that others follow suit.

A thief with access to EIN, address, key names, and letterhead or company logos can easily apply for credit or obtain loans and merchandise as a “representative” of your company. There are painful gaps in consumer law and business practices that make the extensive, time-consuming, complex and potentially expensive process of recovering from identity theft even harder. Dealing with the theft can take months or years. Don’t take chances, and protect yourself:

Shred. Shred. Shred. Dumpster diving is still a common source of information.

Don’t hold onto documents any longer than absolutely necessary.

Obtain an EIN and use it instead of your SSN. Be cautious with your EIN and give it out sparingly.

Obtain regular credit reports for yourself and your business. Review them carefully.

Review your Better Business Bureau report regularly. In addition to identity theft, business can also become the victim of professional impersonation. In many cases, evidence of both types of crimes will show up on the BBB report.

Owners should review transactions statements and account for all items. If you give review power to another individual, be aware they are now a target for bribes and extortion. The best solution is to take matters into your own hands and report any unusual activity immediately.

Improve your business physical, technical, and personal security. Alarms, firewalls, encryption and anti-virus are all important components, but more important is the education of you and your staff. How to detect and deter phishing attacks, how to report suspicious behavior anonymously, and what to do if you believe you may have compromised information are all topics every employee should know by heart.

Be an informed consumer- ask what precautions businesses take with your applications and other business identifying documents and data. Explain your concerns. Enough business owners bring up these concerns, they will listen.

Other advice includes;

“Consider using electronic payment options. Since the networks are password-protected and the messages are encrypted, wire transfers and ACH payments are much safer than using paper checks…

And lastly, consider a post office box or a lockbox for your mail. This ensures that business mail is retrieved by appropriate personnel and is not left in a box at the reach of any passerby.”

Practical advice for changing the outlook for SMBs: Put your money where your mouth is, and the squeaky voting wheel gets the grease. Do business with companies with good security practices- even if it means it makes it more difficult to do business with them. Write to your representatives and voice your concerns. Bring awareness to the dangerous of identity theft for small and medium businesses to your associates, your lawmakers and your financial institutions. If legislation regarding personal identity theft rights is any indication, it is going to require a concerted grass roots effort to bring awareness to the issue and create change. It is time.

UPDATE 07/30/2009: Another threat to businesses highlighted by the Better Business Bureau, "Scam artists send an invoice for a product commonly purchased by the business. For example, paper or other office supplies, in hopes that the busy staff will pay the funds without question."

Copyright 2009 Rachel James. Please do not republish without written consent. You are welcome to link in reference.

Thursday, July 23, 2009

Getting Engaged can lead to Identity Theft

republished from ID Experts blog.

A few news stories have been circulating about the looming identity theft threat to couples who have decided to tie the knot. Thieves prey on our deepest and strongest emotions, and two people madly in love and about to take the plunge are certainly full of emotions and stress. Stress makes us more apt to decide quickly, without thinking the situation through. The sense of relief we feel may encourage us to accept an offer that seems “too good to be true” when we might otherwise hesitate. Our families and friends may also be targeted, for much the same reasons. Think like a thief- on average weddings cost over $20,000 and guest gifts range between $50-150 each. That places a rather large bulls-eye on anyone involved. Here is just a small list of the kinds of scams that are lurking out there:

  • Fake vendors- these are identity thieves or card frauders. They are online, at bridal shows, and call individuals out of the blue. You may be even approaching them for a genuine service advertised in the classifieds or a bridal magazine, or it may be a “sweepstakes”. As part of the “contract” or “application” you answer personal questions in great detail or provide a credit card number that is later used to defraud you.
  • Fraud vendors- this category is not technically identity theft, but still leaves you stung. Often you are promised a “free” sample and hand over your credit card for shipping and handling, and then find yourself with outrageous charges. Vendors take a deposit for renting you an item as pictured on their site, and when the big day comes, nothing arrives or what arrives bears little resemblance to the model. Sweepstakes and Giveaways should be especially scrutinized if you get a call and you “won” – there may be strings attached.
  • Crooks- these people take advantage of the fact you share so much about your event. They may rob your house while you’re exchanging rings, or wait until you’re away on honeymoon. While everyone at the reception is distracted, they snatch purses or sneak into hotel rooms. Honeymooners are easily targeted by pickpockets, camera snatchers, and hustlers.
  • Disappearing act- this can be anything from a deposit you paid disappearing from the books to a company suddenly going bankrupt. Bankruptcies are up 47% from last year, so this is a big concern. While insurance can help protect you, it is important to purchase coverage carefully.
  • Malware - There are tons of “free” applications out there to help out couples. Cost calculators, dress design software, websites, countdown clocks, reminders, calendars, the list goes on… Then there are the flash animations and videos of weddings, decorations, crafts, flowers and more. However, some of these may contain harmful code that could harvest your information and place you at risk for identity theft and fraud.
  • Robocalls and junk mail – While shopping around online or in person, you’re often asked to leave your contact information. This can result in an increase in junk mail offers and robocalls. Some of these are likely phishing attempts, and are cleverly disguised. Another risk with increased junk mail is the possibility of mail theft going unnoticed for a longer period of time. Pre-approved credit card offers may inflate your mailbox, also increasing your risk of fraud.
  • “In distress” scam- this is commonly used while a couple is on honeymoon, but can strike at any time. Fraudsters may call, email, or take over your email or social networking accounts to contact your friends and family claiming to need emergency money. Excuses range from medical emergencies, to being kidnapped. Often they have “been robbed” and need the money to get home. The rest is ALWAYS to wire money or send Western Union.
  • YOU – of all the threats, YOU might be your own worst enemy. Many couples have wedding announcements; send emails, e-vites, wedding websites, social networking pages, online gift registries with their personal information, personal details, family details, and wedding, reception and honeymoon specifics available to the public at large. Brides and grooms alike tend to become excited and may share greater detail about themselves, their partners and the event with coworkers and friends… and florists, photographers, DJs (or anyone else who will listen).

With a few minor changes and some awareness, you can still have all the bells and whistles to your big day while keeping your friends, family and your identity safe.

  • Assume the numbers and addresses you are using to contact vendors, get quotes, order catalogs are going to be stolen, traded and sold over and over. Set up a PO Box and a separate number to use for your contact information.
  • Contact the Better Business Bureau in your area about any vendor, sweepstakes, or service you are going to fork over a large amount of money to, or that you are unfamiliar with. Do this before you provide them any personal or contact information.
  • Always assume that calls you receive are compromised and never reveal any personal information. You may trust calls you initiate to a trusted business more, but still exercise caution.
  • Read ALL fine print carefully. TWICE.
  • Keep all receipts; require everything in writing and document, document, document. Go over all your credit card and bank statements monthly and notify your financial institution right away if you notice any unusual activity.
  • Quarantine. Don’t use the same passwords or email account for your social networking sites, registry, and wedding webpage. You should never attach your “trusted” email account you have been using to communicate with your friends and family to another site. A compromise of a social networking site can easily lead to an email compromise, and makes it easier for fraudsters to contact your entire address book for money. If your quarantined email is hacked and messages sent to all your friends, they should be more cautious since it is a different email than they are used to communicating with you. This will buy you enough time that you can then use your “trusted” email account to notify them all of the fraud (or better yet- call them!).
  • Never send money Western Union- this is one of the few ways you can send money and never get it back. Provide contact information to their nearest consulate if you are met with this scam online.
  • Limit access to personal information- If you are going to list the details of your big day and honeymoon, look for websites that allow you to create a wedding website for friends only, or that is password protected so you can control who has access.
  • Be careful of accidentally revealing personal information like your mother’s maiden name (which may be derived from guest lists or online friend list on social networking sites) and your date or place of birth. Also, you will be asked a lot of questions so people can “get to know you” before your big day- make sure none of these questions and answers correspond to the security questions of any account you have. Go through each online account and determine what questions are asked if you click “I forgot my password”. You may wish to change those answers.
  • Find gift registries that allow you to control privacy, and insist on revealing as little about yourself as possible. Gift registries often offer a disturbing amount of detail about you, and often are generally open to the public.

Check your credit reports regularly with or by calling 1-877-322-8228. If you do experiance fraud or a scam, report it to your Better Business Bureau and the FTC and place fraud alerts with the major credit bureaus.

Tuesday, July 7, 2009

Recession: A Survival Guide

Republished from my contributions to the ID Experts blog.

During this difficult economic time, the problem with scams and fraud is threefold. First, people who are desperate are more willing than ever to “bite” on the lure of convincing scams because of they are under increasing financial stress and pressure. Second, the number of scams and people perpetrating those scams increases during difficult financial times. Third, according to a recent survey by Nationwide Insurance, over half of respondents don’t know if they have enough money to weather fraud. Additionally, “A 2005 Nationwide survey showed the average amount of total charges made using a victim’s identity was $3,968. While most victims were not held responsible for fraudulent charges, 16 percent reported paying an average of $6,440 to cover some or all of the thief’s purchases.”

You may be surprised to find out that spotting a scam it is not as easy as you think. The FTC points out, “[scam] claims are just good enough to be believable; their services and products just practical enough to seem legitimate. Some even try to look like a government agency to enhance their credibility.” Here is a quick rundown of the four most critical issues: Debt, housing, employment and government assistance.

  1. Credit repair / Debit Negotiation companies

The dirty scam: These companies advertise anything from outlandish claims (We can remove ANY debt from your credit report!) to carefully veiled suggestions (We know the tricks that your credit card company doesn’t want you to know). Almost all of them require an upfront fee, and almost none of them deliver on their promises. The IRS highlighted concerns in this report, stating, “Many credit counseling organizations provide valuable advice, education and assistance to those seeking to better manage their debt. But an increasing number of complaints to federal and state agencies indicate that some organizations are engaging in questionable activities.” The report includes some handy tips for detecting deceptive companies. The FTC also has some great advice for those “Knee Deep in Debt or considering one of these companies, as well as the Better Business Bureau. These reports cover dirty scams and provide detailed information about the process, general advice on debt practices, and resources for assistance.

The clean scene: The U.S. Department of Justice’s U.S. Trustee Program provides a list of government-approved credit counseling agencies. The National Foundation for Consumer Counseling provides a list of member agencies online at or call 1-800-388-2227 for 24-hour automated office listings. Look over this Fiscal Fitness: Choosing a Credit Counselor document from the FTC, and this new site discussing debt and scams including vehicle repossession, advance fee loans, ‘anyone can get credit’ card offers, debt negotiation and other scams that are increasing with the economic difficulty.

  1. Home refinance or foreclosure scams, loan modification programs

The dirty scam: Taking advantage of the panic in the market, thieves and scammers are contacting victims for loan negotiation, refinance or foreclosure scams. Using complete lies and half-lies, they never deliver what they promise. They could be pretending to offer assistance for your current situation, or offering you a remarkable deal on a foreclosed property. It could be a rent-to-buy or bait-and-switch scam. Victims find they lose money, turn over personal information and/or complete documents that result in damages and financial loss. They can represent legitimate companies with bad business practices, or complete frauds pretending to be from the government ready to inform you how you can benefit from the economic stimulus package. For more information on these types of scams and the red flags to look for, read the highlight by the FTC here.

The clean scene: Be very suspicious of these offers. Check with the attorney general in your state before dealing with any company or person offering assistance. Details on the Federal assistance available to homeowners can be found at . Or, you can contact the Homeownership Preservation Foundation's national hotline at 1-888-995-HOPE. They provide free bilingual assistance to help homeowners avoid foreclosure. HPF is a member of the HOPE NOW Alliance of mortgage servicers, mortgage market participants and counselors. Read more about HOPE NOW at You can also check with the US Department of Housing and Urban Development, and the Federal Reserve’s Foreclosure Resources for Customers. The FTC and Freddie Mac both offer helpful sites for those who are feeling the pressure of mortgage payment or trying to avoiding foreclosure. The Federal Reserve also recommends checking out NeighborWorks. You can also listen to a recent NPR broadcast about these scams.

  1. Employment fraud, classifieds fraud

The dirty scam: Unfortunately, finding a job poses many risks. First, you must be careful about the amount of personal information you place on a resume or online application. Remember that disclosing your social security number and birth date should only be necessary when they are ready to hire you and complete tax information. Even seemingly harmless details, such as the exact dates and companies you worked for, the colleges you attended, and your address, can result in identity theft or professional impersonation (when a thief takes the details of your professional life and presents them as his or her own to land a job). Additionally, you must exercise caution about the ads you respond to and the contacts you receive offering a job. A rule of thumb to remember: if it sounds too good to be true, it probably is. Avoid any job that asks you to cash checks, wire money, or use Western Union on the job. Let’s start with a short list of job scams (and the links to resources regarding them)… ‘Placement service’ for government jobs, head hunters, temporary employment, work-at-home or online jobs, and classifieds fraud.

The clean scene: Resources for government jobs are USAJOBS, US Postal Service Employment, FirstGov, and the Department of Labor. According to the FTC, “Some ads may direct you to call a toll-free 800-number. Once you're connected, you may be switched to a pay-per-call 900-number without your knowledge, or you may be asked to call a 900-number without a proper fee disclosure. Both practices are against the law… Many terms, such as employment agency, personnel placement service, executive search firm, or executive counseling service are used interchangeably. Find out what services a firm offers, how much the services cost, and who pays. If you're required to pay the fee, find out what you'll owe if the employment service fails to find you a job or any leads.” Check suspicious opportunities with the Better Business Bureau, your state Attorney General’s Office, or consumer protection agency. Read these tips from ScamBusters. Find online job hunting privacy tips and a background check fact sheet at Privacy Rights Clearinghouse. As many people are trying to find extra income, we would like to caution people about responses to their classified or craigslist ads. If someone is offering to pay you more than you asked for a service or item don’t do it! Usually they create an elaborate reason that they need you to cash a check and then wire the extra funds to them, or they get you to provide your account number so they can empty your account.

  1. Financial assistance from the government

The dirty scam: Letters, phone calls, emails, text messages- there is nothing that they won’t try! Websites and representatives claim to be able to access “secret” government money and help you apply for it. Usually they want an upfront “processing fee” or sometimes just your personal information. The FTC describes it as, “An email, online ad, or website says you’re eligible to get an economic stimulus payment. You just have to send back a form or submit one online to get it. The message might appear to come from a rebate company or look like it’s straight from the Internal Revenue Service (IRS).

There’s more than one way to perpetuate a stimulus scam. Some scam artists ask you to send a small processing fee, supposedly to get a much larger check in return. That’s money you’ll never see again. Others skip the fee, and instead, ask for your bank account number so they can ‘deposit’ your check. Then, they use the information to clean out your account or open new ones using your identifying information.Some stimulus scams encourage you to click on links, open attached forms, or call phony toll-free numbers. But simply clicking the link or opening the document can install harmful software, like spyware, on your computer. The result could be your personal information ending up in the hands of an identity thief. If you get a message offering you money from the stimulus program in exchange for your personal information, ignore it, delete it, or throw it out. The IRS doesn’t send emails asking for personal information, and rebate companies claiming to have stimulus payments for you should not be trusted, regardless of how plausible the script sounds or how official the forms look.”

The clean scene: Legitimate information about government grants and assistance can be found at,,, and Information for stimulus payments and refunds can be obtained directly from Do NOT click on any hyperlink contained in an email, type the address directly into your browser. You can check up on your stimulus checks here.

If you are prepared, think critically, and proceed with caution, you should be able to determine the scams from the real deal. There are good habits you can form during this time as well. Using cash as a way to limit spending, and limit the number of places you use your card can help your wallet and prevent identity theft. As the economy starts to improve and the panic resides remember that identity thieves don’t just go away. Accounts can be opened now that will not appear on your report for years. Protection now, and in the future, is vital to keeping your identity safe

A special thank you to Washington's Attorney General's office and many other AG offices for providing much of this material.

Monday, July 6, 2009

So Called Identity Theft "Protection" - A Soapbox

Almost daily someone asks me about identity theft protection or identity theft insurance. Usually, they are just interested in what I personally think is the “best” product out there for protecting yourself from identity theft. Remember- It is not “if” your information will be exposed, but when- and with how much damage.This is my personal rant-my soapbox about the types of "identity theft protection" products out there.

Spoiler alert: There isn’t an effective identity theft protection product.

Typically, a company claiming to be an identity theft protection company will provide one or all of these services; access to credit reports, credit monitoring, and database monitoring. Unfortunately, these services cause security problems themselves. First, you are often required to provide all your personal information to a company so they can provide your credit report. Insider threat aside, they are charging you for a service you can obtain for free by visiting or calling 1-877-322-8228. You can obtain your own credit report and review it regularly by spreading out the requests made to each credit bureau by four months. Did you know you can also get a free credit report if you dispute an inaccuracy, are currently unemployed or looking for work, or recently had a negative decision made based on your credit? Sure, access to your credit reports is a great tool. However, it is simply a tool. Many who sign up for these services feel that as long as they have “identity theft protection” they don’t really need to watch their credit reports closely. The idea that someone else is monitoring it provides a false sense of security. You are the only one who knows what should be in your credit report, and the only one who can accurately identify early signs of identity theft.

If you have been a victim of identity theft, or have reason to believe so- you can place a fraud alert. A fraud alert also gives you free access to all three credit reports whenever it is placed. The initial fraud alert lasts for 90 days, but can be extended with a police report to seven years. A seven year fraud alert entitles you to TWO free credit reports from each of the credit reporting agencies annually, so as long as the alert lasts. That is 6 reports a year- equating to a different credit report every other month. All for free. The fraud alert is a “flag” on your credit that says you were a victim of identity theft and that companies should take extra steps to verify your identity before extending credit. (This typically involves sending a letter or calling you at home if an application is received). Sound familiar? This is often the advertised “protection” these companies are offering… only it is free. You just need to call (or go online) one of three credit reporting bureaus, and identify yourself as a victim of identity theft who wishes to place a fraud alert. That bureau will then notify the other two. You must respond to the confirmation letters for your fraud alert to obtain your free credit reports, they are not sent automatically.

Security freezes are another question I get quite commonly. Some of the protection companies out there simply place a security freeze on your credit report. This is also a service that is typically free if you have a police report, or live in certain states. With a Security Freeze, lenders will not be able to gain access to your credit file unless you give permission by "thawing" the frozen file using a secret code, similar to a PIN number. However, the process for placing a freeze involves sending a lot of personal information to the credit bureaus- and even more when you forget the pin number. Notice I said “when” and not “if”. In my experience, most people lose the pin number to their security freeze and neglect checking their credit because of the hassle. This, again, lures consumers into a false sense of security. There is plenty of identity theft that can occur if you have a freeze, and in many instances a freeze just makes it more difficult for you to legitimately check your credit reports to discover the suspicious activity. Payday loans, utility accounts, medical identity theft and criminal identity theft can (and do) still occur with a freeze. It is more common for clients with credit freezes to have identity theft that has been occurring for years than clients who find discrepancies when they request their report quarterly, for just this reason. Security freezes should really be utilized by individuals who are experiencing repeated identity theft, and are comfortable corresponding directly with the credit bureaus. Otherwise, some of the most dangerous kinds of identity theft- including medical identity theft- can occur without detection.

Fraud alerts are not perfect- it is up to the company to take precautions in opening an account. Some occasionally ignore the fraud alert and open the account without further verification. Some go to the other extreme and request you physically appear and provide two forms of photo identification before opening an account. Security freezes cannot be ignored, but consumers who use them tend to ignore the types of identity theft that don’t need a credit report to occur yet still appear on the credit report as a symptom of the fraud. Fraud alerts and security freezes don’t apply to your current accounts, so it is important to monitor your statements closely for fraud and notify your financial institution right away. It is a common misconception that identity theft protection services help protect you against fraud on your current accounts- that is not true. It is not safe to provide a third party with enough financial information in order to monitor your transactions, and they would not be able to distinguish most fraud anyway. Clearly fraudulent charges- such as a sudden $3,000 charge from China when your spending habits are always in Michigan- are typically detected by your financial institution (a service they provide for free) and resolved internally.

Most of these companies claim to monitor thousands of databases looking for signs of misuse. Fantastic- except that it doesn’t help you at all. Suppose that one of these programs does notify you that your social security number is being traded like a stock on some black market internet site. Now what? They’re not in the business of tracking down and apprehending these criminals. Often the alert you receive from these services doesn’t even tell you where the information came from, and instead alerts are generic such as “We are alerting you that your address has been changed in public record”. You must go back to the credit reports to find and correct the information. It’s a great reminder to check up on your information- review your SSA earnings statement, EOBs and so forth… but these are all reports and protective steps you can take anyway. For free.

Many of the companies provide a kind of “insurance” component to their services. Read the fine print. Typically insurance only covers actual expenses you incurred such as fax or mailing fees, and occasionally lost wages if you can prove that there was no other way to resolve the identity theft. Strictly identity theft insurance companies don’t fix your credit report for you, they just help with the expense you incur as you embark on the frustrating task yourself. If you cannot afford to take unpaid time off from work (who can in this economy?) this is nearly useless. Even the “guarantees” that are out there are useless since they require that you prove it was a fault in the system that resulted in your identity theft. In the case of many types of fraud, as LifeLock’s Todd Davis found out, their system is not designed to catch it… and therefore, no million dollars.

Identity theft is a scary proposition. Victims spend an average of 330 hours repairing their credit after having their identities stolen, and 70% report making repeated attempts to have inaccurate information removed from their credit reports. Navigating the confusing maze of legislation and paperwork can be daunting, added with the fact that it is nearly impossible to reach a live human at the credit bureaus. Many people are disappointed when they receive no assistance from law enforcement and are frustrated by the complex process of disputing the account. I understand why people want assistance- It is important that you have an expert or group of experts to turn to during this time. I do not intend to specifically promote the company I work for, but I do honestly believe in the work we do for people at ID Experts. You can see from our resources page and blog that we believe in educating consumers and advocating for victims rights. The following is a general recommendation based on my own experience as an identity theft victim, as a consumer, and a security professional.

Consumers should look for is a company that specializes in identity theft restoration. A good company will be willing to spend the time necessary to educate you about free services available to you as a consumer, but will “take over” if you become a victim. From my conversations with clients, I have not heard of another company that takes the time to educate consumers they way we do. The company should also allow you to speak with the same person twice, or allow their representatives to provide their names so you can get consistent answers. Often, just having my direct extension makes all the difference to a client. No identity theft protection service or product is theft-proof, so it is important to have someone to turn to when it fails. Credit monitoring is a great tool- but it is just a tool. It is not an impenetrable shield, but rather a method available to you to assist you in accessing the information you need to protect yourself. Don’t believe me? The FTC and other consumer advocate groups do not recommend these services either.