Not long ago, someone pretended to be me at three bank branches and withdrew thousands of dollars from my checking account.
There is now a greater chance that something similar will happen to you.
This type of old-fashioned personal identity theft is on the rise after fraudsters have become increasingly sophisticated during the pandemic, improving their illicit supply chain, making it easier to commit these crimes.
The increase is frustrating banks and the government as they try to deal with the resurrected threats.
“Yours is not a one-off,” said Mary Ann Miller, executive fraud and cybercrime advisor at Prove Identity, a digital identity solutions company, about my recent brush with identity theft, which I wrote about earlier this year.
“An actor walking into branches and doing what they did to your account, withdrawing money, is a trend,” she said. “It’s happening now.”
‘The big money grab’
Identity theft increased during the pandemic as the federal government provided $5 trillion in relief to businesses and households through stimulus checks, enhanced unemployment benefits and food aid, and forgivable loans.
“It was what I call the big cash grab,” Miller said, and the criminals wanted a piece of it. They “skilled” in creating false identities and stealing existing ones, Miller said, so they could fraudulently apply for these pandemic benefits.
And it worked. According to an FBI official’s account, they stole $300 billion in pandemic aid, representing the largest fraud in history. That success encouraged fraudsters to continue.
“They’ve learned those lessons,” Miller said, “and they’ve gotten better and better at what they do.”
‘Very advanced manufacturers’
To pull off the old-fashioned robbery of my bank account, the criminal posing as me needed my bank account number and a fake ID.
These are ripe for picking up Telegram Web, a cloud-based encrypted instant messaging platform that is a favorite forum for selling stolen documents. Miller calls it “the new dark web that isn’t so dark.”
David Maimon, associate professor of criminal justice and criminology at Georgia State University, gave me a tour of Telegram during our interview. On that day, someone had mailed stolen checks from a few days earlier.
These stolen checks can come from home or car robberies. Another fertile ground for these crimes is the US postal system.
Some postal workers simply steal them from the mail they are supposed to deliver. In other cases, thieves rob the carriers themselves or the iconic blue mailboxes found on public sidewalks. It got so bad that the US Postal Service redoubled its efforts last year to curb these crimes.
I may have been one of these victims. A check went missing after I mailed it years ago, and my family later discovered that the mailbox outside our apartment building had been repeatedly hit by theft.
However, a stolen check can only tell you so much. It does not mention date of birth or social security number: crucial personal data needed to create a fake driver’s license or passport.
So the criminals turn to rogue bank and credit bureau employees to find that missing information “for the reasonable price of a hundred dollars,” said Maimon, who is also head of fraud insights at SentiLink.
They can also turn to Telegram and buy fake IDs.
“Fake IDs are the hottest thing you can imagine on Telegram,” Miller said. “There are very sophisticated manufacturers.”
Fake passports have become a growing problem, the federal government warned banks earlier this year, because as “a lesser-known form of government-issued identification” they are more likely to evade detection.
But the fake driver’s licenses offered on Telegram are also “very high quality,” Maimon said.
So high quality that in my case, when the criminal withdrew $11,300 from my bank account, “the poor bank teller probably couldn’t tell the difference between the legitimate, real driver’s license and the fake one,” he said.
‘You can’t forget to do the basics’
The bank tellers in my case also missed other fraud flags.
One was my name. The criminal used my maiden name on the bank withdrawal form to complete the transaction. The problem is that this name no longer appears in my accounts since the change in 2010.
The imposter also misspelled my first name on two slips: Jana versus Janna. The third showed what appeared to be an attempt to correct the botched spelling of both my first and maiden names.
There is also no way of knowing what kind of fake ID card was presented to the tellers because none of them wrote down the ID form and number on the back of the admission slips, a breach of procedure, a bank branch manager later told me.
“Wow, this wasn’t a very sophisticated fraud attack,” said Ian Mitchell, founder of the Knoble, a nonprofit network of financial institutions, law enforcement and other anti-fraud nonprofits.
“It sounds like following the procedures the bank had in place would likely have resolved this issue.”
That’s what the fraudsters are looking for: the weak link. So if a bank has strong cybersecurity but poor personal security, they send impostors. If it’s the other way around, they can hack the financial institution. And to make matters worse, they share this information with each other.
The problem is that a bank invests in anti-fraud measures and forgets about them for five years, Mitchell said. In that time, the fraudsters have gone beyond these measures and discovered new loopholes. Or they exploit old ones that no one has done anything about.
“You can’t forget to do the basics really well. We are constantly up against criminals trying to find new and old ways to beat our defenses,” Mitchell said.
“It’s a non-stop battle.”
—
Janna Herron is a senior columnist at Yahoo Finance. Follow her on Twitter @JannaHerron.
