Bank stickups like the above don't happen much anymore. Instead, today's cyber-robbers skip the tellers and prey on unwitting ordinary account holders.
Below, a veteran financial journalist explains how it happened to him.
By John F. Wasik, RealClearInvestigations
December 9, 2019
In less cybernetic times, bank robbers “knocked over” banks with tommy guns and drove off with the loot.
Now thieves are more likely to silently steal your personal information in indirect (often online) modes before they pilfer actual dollars.
I know this firsthand because it happened to me.
Thieves acquired my personal bank information, printed fake paper checks, and tried to pass $8,000 worth of them.
While I consider myself a fairly sophisticated person – I’ve been covering fraud as a journalist for decades – the irony of becoming a victim showed how persistent and multilayered thievery is today.
I thought I was savvy on what not to do. I didn’t include any account references or numbers in my emails. I didn’t put them in texts. I upgraded my security settings on all my accounts, changed passwords and even signed up for a privacy browser (DuckDuckGo) that didn’t store my searches (highly recommended). I wasn’t responding to emails and clicking on links blindly. In short, I thought I was doing everything right.
Oh, I was also on high alert since my internet security program twice alerted me that someone was trying to hack my email (I changed the password and upgraded security levels). So I was warned, although the threat wasn’t specific.
Still, I was targeted. As I dug deeper into this evolving problem, I was stunned to learn how commonplace identity theft is today and how opaque the problem is. Few institutions want you to know the extent of information-stealing operations.
The good news is, my bank’s fraud algorithm caught the fake checks virtually immediately. But only because a check number had been used twice.
When my banker called me and asked if I knew the names of the people to whom the checks had been written, my immediate response was “call the police.” I was en route to the South Side of Chicago at the time and drove back directly to my local bank branch.
“Can you show me the checks?” I asked my banker.
My name was right; the routing and account numbers were also correct. But something was off. There was filigree around the edges of the check. They had a design and logo I didn’t recognize. It looked like someone had cut and pasted a generic design and inserted the critical numbers.
“These are not checks from your bank,” I told the banker calmly. “How did they get this information?”
He shrugged his shoulders as he pulled up the forms I needed to complete to close the account and report the fraud. That took about an hour. Then I still needed to go to the police and file a fraud report. For some reason, the bank wouldn’t do that for me.
Although the bank restored the $8,000 from the cashed checks within a day or so, I was angry, and puzzled. Where did thieves get this account information?
As I asked that question, I discovered there was more chicanery beyond the bogus checks. About two weeks after the check theft occurred, I received notices in the mail from a credit union and credit card company in Maryland that my request for credit was denied. I hadn’t applied for credit in decades, so this was troubling. Were these the same individuals who cashed the fake checks?
Normally, I wouldn’t have opened those envelopes, since they looked like junk-mail credit solicitations. This time, though, I hoped I would find some leads since they showed where the applications were filed. I forwarded this information to my local police department.
Would finding the perpetrators be easy? Initially I hoped so. We had a possible location and some names on the checks, although they were most likely fake, too. What if someone, however, was dense enough to put their own name on a fake check they were cashing? Sometimes you read stories where thieves leave IDs at the scene of a crime.
I thought I had something investigators could work with, although my main interest was how they stole my information. Where did they get my name? Did it come from my email? The dark web – which has become a thriving black market for Social Security numbers? A third party shopping this information around? No one knew, except for the thieves.
What is clear is that cyberthieves continue to adapt to efforts to thwart them. Chip-based credit and debit cards that store information in bits and bytes instead of magnetically on “stripes,” which can be compromised with certain scanning devices from card readers, have reduced that type of theft.
In response, “fraudsters have turned their attention to opening and taking over accounts,” said Al Pascual, head of fraud & security for Javelin Strategy & Research. When thieves take over accounts, he explained, they have access to funds and account information through the internet. That often opens the door to other kinds of fraud: They can use passwords to open lines of credit, for example, which is what happened in my case. The personal information is a key to other crimes.
This has made consumers more vulnerable to loss. Credit cards issued by banks will typically reimburse you for fraudulent transactions, but are reluctant to do so for other types of theft.
According to Javelin, 14.4 million consumers fell victim to fraud in 2018, down from the record-breaking 16.7 million victims in 2017. “But victims last year shouldered a much heavier burden than those in recent years: 3.3 million victims bore some of the liability for fraud, nearly three times as many as in 2016, and victims’ out-of-pocket fraud costs more than doubled in two years to $1.7 billion in 2018.”
As the police conducted their investigation, I tried to assess the damage and look for clues. I went to annualcreditreport.com to pull my credit reports from the three major agencies. This simple action was easy, quick and free.
Not surprisingly, my Equifax file was still frozen after I locked it up following its massive credit breach in 2017, in which more than 143 million credit files were stolen. There was nothing significant there. Consumer tip: Freezing your account prevents potential creditors from accessing your file, which almost certainly means they won’t issue a loan. But you can still see if someone is trying to access your files to obtain credit. Remember, however, that the credit agencies are separate, so make sure to freeze your file at all three.
That left TransUnion and Experian, the other two bureaus among the “big three.” Both showed the false credit applications, so I immediately contacted the bureaus to tell them. I also froze access to those files, which, again, you can do for free. (They also try to sell you additional credit monitoring services, but basic freezes should provide adequate protection from someone tapping your information.) I also passed along the reports to the police, hoping that would help them zero in on the culprit.
When I scanned my TransUnion file, though, something else popped up. My birth year was wrong and there was other incorrect information. That’s not something that I would’ve erred on since I regularly check my credit files. Did someone get into my file and put in his or her birth year to steal my credit? TransUnion didn't have an answer and neither did the detective, although he thought an outside intrusion was a possibility. Were the check fraud and fake credit apps related? I don’t know, and neither did the detective, although in multilayered fraud, it’s being done.
'Call Our Claims Department'
At first, when I talked with my local police detectives about a month ago, they expressed frustration. Banks are not volunteering banking information – even when an investigation is requested by the customer. My bank, one of the largest in the country but which I am not naming because I don’t want to give cyberthieves any additional information, required a subpoena through the state attorney in our county to acquire records I was willing to provide. All I wanted to know was how that information was stolen.
When I asked my banker how the institution’s investigation was proceeding, he nonchalantly told me to “call our claims department.” Oh, great. I’m sure a call center on another continent is right on top of this, I said to myself sarcastically.
As you can imagine, banks are loath to tell law enforcement that their account security can be – and is being – compromised. The numbers provided to me following a series of freedom of information requests seemed low; banks may be under-reporting their security breaches or simply stymie outside probes through the subpoena barrier (see below). Other recent searches and FOIA requests with regulators like the Consumer Financial Protection Bureau and Comptroller of the Currency turned up only a handful of complaints.
Research by third parties, though, shows a continuing problem with theft. There’s little reason to think that it will get better after massive heists of customer information from Equifax, Home Depot, Target and other corporations that maintain databases on hundreds of millions of customers, usually including addresses, birth dates, Social Security numbers, credit card numbers, lines of credit accounts and other information required to steal another person’s identity.
“I tend to think that all of my credit information is already out there” and available to be readily stolen, notes Ted Rossman, an industry analyst for Bankrate.com. “If it hasn’t been compromised, it will be soon.”
There are numerous back doors for cyberthieves.
According to Emily Wilson, vice president of research for Terbium Labs, a data protection company, “Fraudsters have a wide range of opportunities to access identity data. They may come into it as part of compromised cardholder information through a payment breach and build out the remainder of the identity from there, or they may gain access to online profiles that contain more extensive identity details.
“They can also buy full identities directly from dark web vendors if they want to outsource the data collection process,” she added. “These fullz packs” – slang for fairly complete stolen identity data – “typically include cardholder information, account access credentials, date of birth, Social Security number, and often details like mother’s maiden name or answers to security questions.”
Wilson adds, “Once a fraudster has their hands on this identity information, they can continue to use it across a variety of schemes, since most valuable identity details (like a Social Security number) are lifetime data, viable to exploit for decades.”
A Call Center in the Philippines
Having been the victim of identity fraud multiple times – someone pilfered my credit card number in Europe years ago – I was tempted to sign up for one of the services that regularly monitor and report potential credit or ID fraud. Rossman at Bankrate.com told me these services are often not worth it. “You can do this yourself for free,” he said. “You can check your credit regularly.”
Wilson agreed: “Identity monitoring services are too little, too late. While they’re a favorite offering of organizations that have experienced a data breach, they alert consumers to an exploit after the fact – an alert once an account has already been opened, or once a fraudster has already prompted a credit check. Freezing credit profiles is a far more effective way to block identity theft.”
Just when I thought I had resolved the check fraud matter, my bank threw me a curveball: It withdrew money from my account without explanation for one of the bogus checks. I was flabbergasted. I had spent hours opening and closing accounts, upgrading security levels, changing passwords, checking all of my credit reports, signing legal paperwork saying I was a fraud victim and keeping in touch with my local banker. I was on the road when he left me this message:
“For some reason, we debited your account for one of the [bogus] checks. That’s not right and I’m looking into it. In the meantime, here’s the number for our claims department.”
When I called the claims department, which was a call center based in the Philippines, they told me to talk to my local banker. They wouldn’t call him directly since “we can only take incoming calls.”
Nevertheless, the call center gave me a piece of slightly useful information, although they had closed their investigation. The bank that had cashed the check in question – Wells Fargo – had accepted liability for it. Since I had her on the phone, I asked the call center woman one final question: “Why are subpoenas required for the police to investigate?”
“Standard procedure,” she replied.
Even more frustrating was that the subpoena for bank records filed by my local police department was initially denied by my county state’s attorney office. The detective was trying to find out why at the time of publication.
Still, I was disturbed by the repeated warnings from my security software. I switched over to a private browser and started researching secure email services. In the meantime, I continue to work with my local police department and trust that my banker can resolve the issue with the one fake check (I was told it would be corrected). And I continue to be vigilant as I explore advanced cybersecurity measures. But it’s tough to stay ahead of the crooks these days.