2012 Identity Fraud Report: Partnering with Law Enforcement
February 2012
4301 Hacienda Drive, Pleasanton, CA 94588 USA ● +1 925 225 9100 t ● +1 925.225.9101 f ● www.javelinstrategy.com
February 22, 2012

Dear Law Enforcement Officer,

I am pleased to provide you with a complimentary copy of our 2012 Identity Fraud Report‐Partnering with Law Enforcement geared specifically for you. Leveraging the work of the Federal Trade Commission (FTC), Javelin has continued this comprehensive fraud study for the past nine years, raising awareness about the impact of identity theft and fraud on American consumers and businesses. Fraudsters are trying a number of new attack vectors and we need to band together to stem off these new avenues of fraud.

Today, we continue our partnership with you in the fight against identity theft and fraud by making sure that you have the very latest information available. Together we can combat identity fraud and theft and reverse the trends.

Javelin no longer recommends that consumers receive paper statements and therefore the traditional shredding advice has declining relevance. Consumers who receive financial statements electronically detect fraud events much more quickly than those who receive paper statements, yet electronic methods bring their own safety challenges.

We are seeing a new frontier of fraud—the mobile era—with smartphone usage on the rise. Smartphone users are one‐third more likely than others to become a victim of identity fraud. Similarly, users of particular social media sites had the highest incidence of fraud. It is not that we are advocating discontinuing using social media or smartphones, but rather we need to help educate the consumer on specific new behaviors to adopt in this electronic frontier.

In this report, we have a long list of recommendations that we hope you can help deliver to your local constituents on how to change their behaviors, while still remaining connected.

If you find you would like more in‐depth analysis of fraud trends and prevention measures, we do have a comprehensive industry report available—2012 Identity Fraud Report: Social Media and Mobile Forming the New Fraud Frontier. For sworn officers, we can make that available to you at no charge. We hope that together we can combat fraud at its every turn.

Sincerely,

Phil
Philip Blank
Managing Director, Security, Risk and Fraud
Javelin Strategy & Research
© Copyright 2012 Javelin Strategy & Research. All rights reserved. It is protected by copyright and other intellectual property laws. You may display or print the content available for your use only. You may not sell, publish, distribute, re‐transmit or otherwise provide access to the content of this report.
Table of Contents

Overview
  Detecting Fraud
  Identity Fraud Vs. Identity Theft
  Methods Criminals Use to Obtain Information
Consumer Recommendations
Prevention
  Law Enforcement Tips for Preventing Information Theft
  How Can I Prevent Identity Fraud?
    Javelin Recommends Taking the Following Steps to Prevent Identity Fraud
  Data Breach Notification Letters
  What Should I Do If I Receive a Breach Notification Letter?
Detection
  Law Enforcement Tips for Detecting Fraud
  How Can I Detect Identity Fraud?
    Self‐Detection vs. External Fraud Detection
    Javelin Recommends Doing the Following to Detect Fraud Early
Resolution
  Law Enforcement Tips for Resolution
  What Should I Do If I Become a Victim of Identity Fraud?
  How Consumers React to Identity Fraud
  Identity Fraud Protection Solutions
Additional Resources
Methodology
Table of Figures

Figure 1: Fraud Incidence Rate, 2003‐2011
Figure 2: Information Revealed on Social Networking Sites
Figure 3: How Theft of Personal Information Happens
Figure 4: Javelin’s Prevention, Detection, and Resolution Identity Fraud Model
Figure 5: Protecting Your Information Online
Figure 6: Consumers Who Receive Breach Notifications Face Significantly Higher Risk of Fraud
Figure 7: How to Contact the Three Credit Bureaus
Figure 8: Methods of Detection, 2011
Figure 9: Legal Actions Taken by Victims in Response to Fraud, 2009–2011
Figure 10: Identity Fraud Protection Services
Where Can I Get the Industry Version of the 2012 Identity Fraud Report?

If you represent a business or are a professional looking for a more detailed analysis of identity fraud from our 2012 Identity Fraud Report, please reference the full report, titled: 2012 Identity Fraud Report: Social Media and Mobile Forming the New Fraud Frontier. The full report consists of 81 pages with 52 graphs and tables. You can purchase it on the research page of our website at www.javelinstrategy.com/brochure/239 or by contacting Paul Zegar at 925‐218‐4724.

The sole purpose of the consumer version is consumer education and awareness. Javelin recommends purchasing the full report for a complete analysis, including an overview of the key findings, new trends, quantitative cross tabulations, and longitudinal U.S. identity fraud data from 2003 to 2011.
Authors / Contributors / Research:
  Kavita Jayaraman, Senior Analyst, Data and Custom Research
  Phil Blank, Managing Director, Security, Risk and Fraud
  Jessica Chu, Research Associate
  Mary Monahan, Managing Partner and Research Director
  James Van Dyke, President and Founder
  Mark Ayoub, Research Associate
  Shailaja Dixit, Senior Analyst, Data and Custom Research
  Rachel Townsend, Research Associate
Publication Date: February 2012
Editor: Oie Lian Yeh; Linda Devine
2012 Identity Fraud Report‐Partnering with Law Enforcement provides tips and recommendations to help consumers prevent, detect and resolve identity fraud. Now in its ninth year, Javelin collects data from approximately 5000 adults each year to measure the overall impact of identity fraud on consumers, and identifies behaviors that might potentially put consumers at risk of becoming a victim of fraud. Javelin’s identity fraud study dates back to 2003 when the Federal Trade Commission (FTC) started this survey. Currently, Javelin reaches an audience of 63 million consumers to help consumers prevent becoming a victim of fraud through continuing education. Year after year, Javelin has received the seal of approval from the Better Business Bureau (BBB).

This report provides easy‐to‐follow guidelines and recommendations for consumers to protect themselves against this $18 billion crime. Javelin’s goal is to equip consumers with proven methods to prevent, detect, and resolve identity fraud. The recommendations in this report are based on the results of our 2012 report and backed by the most up‐to‐date identity fraud findings available.

A deeper analysis of economic indicators and identity fraud trends is available in the full version of the 2012 Identity Fraud Report, along with a detailed breakdown of how different economic factors, payment purchasing trends, and security dynamics correlate with the change in identity fraud. For commercial institutions wanting to view the complete version of this research study, the 2012 Identity Fraud Report: (81 pages) is available for purchase.

Now in its ninth consecutive year, the comprehensive analysis of identity fraud trends is independently produced by Javelin Strategy & Research. Javelin maintains complete independence in its data collection, findings and analysis; the report is a product of Javelin employees only.
This research study is made possible by our sponsors, Fiserv, Intersections, and Wells Fargo. These companies are dedicated to consumer fraud prevention and education. The Better Business Bureau also approves of this study.
“Scams of identity theft have exploded in recent years, and BBBs across North America hear every day from consumers and businesses who have been victimized. The most critical tool we have to fight identity theft is awareness. The only way we are going to stop it is to educate consumers on how to spot it before they give away critical information.” – Carrie A. Hurt, interim CEO, Council of Better Business Bureaus
About Javelin

Javelin Strategy & Research provides strategic insights into customer transactions, increasing sustainable profits for financial institutions, government, payments companies, merchants and other technology providers. Javelin’s independent insights result from a uniquely rigorous three‐dimensional research process that assesses customers, providers, and the transactions ecosystem.

About the Methodology

Since 2003, Javelin has collected data from approximately 5000 adults each year to measure the overall impact of identity fraud on consumers. In 2011, 5,022 adults, including 818 fraud victims, answered questions regarding their daily financial practices and behaviors to help determine the potential causes of such fraud as well as to provide detailed information regarding their fraud. Javelin’s identity fraud study reaches an audience of 63 million and is a factual resource for the Federal Trade Commission (FTC) and Better Business Bureau (BBB).
OVERVIEW

After a dramatic decline in identity fraud incidence from 2009 to 2010, we see an increase this year of more than 10%. ID fraud increased to 4.90% in 2011 from 4.35% in 2010, which represents a 12.6% increase. The total number of identity fraud victims increased to about 11.6 million U.S. adults in 2011, compared to 10.2 million victims in 2010.
4.9% of U.S. Adults Were Victims of Fraud in 2011 Figure 1: Fraud Incidence Rate, 2003‐2011
Despite an increase in the incidence of ID fraud, the annual overall fraud amount, at $18 billion, was at its lowest point since the survey began in 2003. This is likely due to the increasing prevalence of less severe types of fraud. Since the inception of this survey, existing card account fraud, which is the misuse of the victim’s existing credit or debit card, has traditionally been regarded as the least severe type of fraud and historically has had the lowest mean fraud amount of the three major types of fraud. Conversely, new account fraud, which is the misuse of the victim’s personal information to open fraudulent new accounts, has consistently produced the highest mean fraud amount and consumer cost.
The average time per victim spent resolving fraud has decreased steadily since 2004, reaching an all‐time low of 12 hours in 2011 from 18 hours in 2004. The average out‐of‐pocket cost suffered per fraud victim has also decreased significantly since the inception of this survey, dropping to $354 in 2011 from $637 in 2004, a 44% decrease. Zero‐liability policies and dedicated fraud and claims teams at financial institutions (FIs) and card issuers have expedited the resolution process and reduced the cost absorbed by the consumer.

Consumers should pay close attention to their social media activities. The data indicates a higher rate of fraud among social media users when compared to nonusers. Social media users tend to share personal information as well as participate in games and surveys, which may also reveal personal data. Given that such information is commonly used as identifying tools to access financial accounts, consumers should use caution when revealing personal details such as high school name, mother’s maiden name, pet’s name, and more. In addition, social media users should never disclose these items outside their immediate circle of friends, and should use the privacy settings rather than rely on default settings.
Social Networking Sites Offer a Treasure Trove of Personal Information
Figure 2: Information Revealed on Social Networking Sites

Information provided on profile              Percent of consumers
Birthday (month and day)                     55%
High school name                             51%
Email address                                47%
Complete birth date (with year included)     31%
Phone number                                 12%
Sibling profiles                             11%
Screenname (AIM, MSN etc)                    9%
Pet names                                    9%
Mother's profile                             4%
Mother's maiden name                         3%

Q45B: Which of the following have you currently provided on your social networking sites as part of your profile?
October 2011, n= 3,126. Base: All consumers who have accessed a social networking site. ©2012 Javelin Strategy & Research
The proliferation of smartphones has also added a new dimension to the role of emerging technology in identity theft. Criminals can leverage relatively lax security practices employed by smartphone owners to access the content of these information rich devices.
Detecting Fraud

Consumers can take an active role in monitoring their finances and detecting fraudulent activities. Javelin data continues to show self‐detection to be the fastest way to identify and resolve fraud. The longer identity fraud goes undetected, the more expensive and difficult to resolve it tends to be for the consumer. Therefore, it is vital for consumers to monitor their accounts by setting alerts and to partner with their financial institutions to help prevent, detect, and resolve fraud. Receiving online statements also allows consumers to monitor their finances and respond to any abnormalities on the statement more quickly than those waiting for their statements in the mail. In 2011, more than 4 in 10 consumers self‐detected fraud, while 54% relied on third parties. Banks, credit unions, and credit card issuers detect more identity fraud but often need the cooperation of their customers to stop incidents quickly.
Identity Fraud Vs. Identity Theft

Most individuals are familiar with the term “identity theft,” which is widely used by media, government and consumer groups, and nonprofit organizations. However, it is important to distinguish between identity theft and identity fraud because the terms have different meanings, although Javelin uses identity fraud more commonly throughout the identity fraud survey and corresponding reports.

Identity theft occurs after the exposure of personal information; typically someone’s personal information is taken by another individual without explicit permission. Identity fraud is the actual misuse of information for financial gain and occurs when criminals use illegally obtained personal information to make purchases or withdrawals, create false accounts or modify existing ones, and/or attempt to obtain services such as employment or health care.

Personally identifiable information (PII) such as a Social Security number (SSN), bank or credit card account number, password, telephone calling card number, birth date (month/date/year), name, and address can be used by criminals to profit at a victim’s expense. By accessing and using relatively basic information, a criminal can take over existing financial accounts (existing card fraud or existing non‐card fraud) or use a victim’s personal information to create new accounts (new account fraud).

A criminal can commit identity fraud numerous ways, including the following methods: making an unauthorized withdrawal of funds from an account, making fraudulent purchases with a credit card, and creating new accounts (e.g., banking, telephone, utilities, and loans). All of them can have a damaging effect on an individual’s credit. In fact, the first notification that fraud has been committed might be the appearance of an unfamiliar account on a credit report or contact from a debt collector.
Methods Criminals Use to Obtain Information

Many identity thefts occur through traditional methods such as stolen wallets and “friendly frauds,” in which a person known to the victim has access to the victim’s statements or other legal documents. Identity theft occurrences are often the result of simple lost or stolen information and not necessarily of hacking or elaborate Internet schemes, although online and mobile threats remain viable. Figure 3 shows some of the many ways that identity theft can occur.
Identity Theft Occurs Through Various Methods
Figure 3: How Theft of Personal Information Happens

At home:
• Through information left out in the home (or at work) and stolen by family or friends
• Through “dumpster diving” by crooks looking for unshredded paperwork that contains personal or financial information
• Through theft of your mail from your mailbox or diversion of your mail by a fraudster who changes the address to obtain your account statements

While you are out:
• By means of a lost or stolen wallet or purse
• Through “shoulder surfing,” in which someone obtains personal information by looking over your shoulder
• By card skimming, when someone illegally records an imprint of your credit or debit card information for later use

Through a business you use:
• Through a security data breach, whereby a business or organization that accesses your personal information (hospital, school, department store, financial company, etc.) has been compromised

By trickery or pretense:
• Through phishing or vishing, in which someone pretends to be a bank or trusted company and tricks you into providing confidential personal information via e‐mails, calls or SMS/text messages
• Through hacking incidences, such as Trojan horses, keylogger software, viruses or malware/spyware on a computer
• Through social networking sites where personal information can be found and communication with fraudulent individuals can occur
• Through these and other new and innovative ways that criminals are constantly developing

© 2012 Javelin Strategy & Research
CONSUMER RECOMMENDATIONS

Consumers should continue to frequently monitor their accounts and use financial alerts. Because identity theft can occur by numerous methods, consumers can protect themselves through a variety of best practices and effective behaviors. Many banks, credit card issuers and other financial institutions offer a wide range of alerts at no charge that the consumer can use to help protect themselves.

Javelin recommends a comprehensive, three‐part approach to address and combat identity fraud effectively: prevention, detection, and resolution. The next section provides data on current trends, steps to prevent fraud, actions to detect fraud if it occurs, and ways to resolve fraud if you become a victim.
Prevention, Detection and Resolution™ Model
Figure 4: Javelin’s Prevention, Detection and Resolution™ Identity Fraud Model
© 2012 Javelin Strategy & Research
PREVENTION

Law Enforcement Tips for Preventing Information Theft

When educating consumers, focus on current methods of information theft. Thieves can steal information on numerous occasions using a variety of attack vectors. Because so many possible types of attack exist, it is impossible to educate consumers on every risk and mitigation. Instead, law enforcement should focus on the newest as well as the most pernicious attacks. A pertinent example of this prioritization is physical vs. online theft. Physical theft of information has been a staple of fraudsters long enough that most consumers have at least a rudimentary understanding of how it is conducted. However, online financial channels are relatively new, and innovation has managed to outpace general consumer understanding of the way they work. Instead of attempting to cover every possible attack vector, law enforcement agencies should give consumers an in‐depth understanding of online financial channels and ways fraudsters can exploit them. If consumers understand the channel, they can make educated decisions about how to behave online.

A variety of risks threaten consumers, but mitigations to avoid becoming victims of fraud are available. Although this section offers a comprehensive set of recommendations, encompassing both physical and online information theft, law enforcement agencies should choose those that are most relevant to their area. That way, their constituents will be adequately equipped to prevent fraud from newer attack vectors they might not already recognize rather than be inundated with information on solutions.

Consumers can best prevent identity fraud by carefully protecting their sensitive information, such as PINs, banking and account numbers, and Social Security number, as well as by limiting the exposure of personally identifiable information. Consumers also should be aware of common fraudster techniques, such as phishing, vishing, smishing, and other scams.
How Can I Prevent Identity Fraud?
Javelin recommends taking the following steps to prevent identity fraud:

Mobile Device Security. Mobile devices are treasure troves of information for fraudsters. The “always on” functionality of mobile devices provides fraudsters with new avenues for securing information. We recommend the following steps to prevent identity fraud:

• Install mobile software only from the Android Market or the Apple App Store.
  ◦ Android users should also read the permissions requested carefully and determine whether the permissions coincide with the alleged function of the application.
• Wait at least a week after the application has been released to download.
  ◦ New applications have not been downloaded, tested and reviewed by users. Untried applications could be harboring malicious code.
• Android users should also install an antivirus program to mitigate instances of mobile malware.
  ◦ Mobile devices are increasingly used to store personal information. You should use antivirus software to guard that information from malicious applications.
• Make sure all operating systems are the latest versions.
  ◦ Updates are used to patch security holes found on the previous version of the operating system. Devices that continue to run on old operating systems continue to experience those security vulnerabilities.
• Do not jailbreak or root your mobile device.
  ◦ Rooting a device undermines the security already in place on the operating system to keep you safe.
• Make sure that you can erase the content of your Android or your iPhone remotely (each does it differently).
  ◦ If you lose your phone, immediately wipe it remotely and then notify your FI and cancel your wireless service. Insist that your wireless service provider give you a separate security code to access your account (all providers can do this).
• Be careful with premium SMS numbers — sometimes you are signing up for stuff when you are agreeing to the licensing terms. Just say no.
Be Social, Be Responsible. Social media sites like Facebook, Flickr, Tumblr, LinkedIn, MySpace, Google+, and Twitter are exploding in popularity, and the growing ubiquity of these sites has introduced a new set of risks to the user. We are not suggesting you not participate in social media, but examine your current behaviors that expose personal information that is typically used by banks and other companies to verify a consumer’s identity. Javelin’s 2011 consumer data showed that at least 51% of consumers shared their high school name, 31% of the consumers shared their complete birth date (including year), 11% shared their sibling profiles, and 9% shared their pet’s name on their social networking profiles. Interestingly, individuals with public profiles were more likely to share their sensitive personal information: up to 63% shared their high school name, 45% shared their complete birth date, and 12% shared their pet’s name.
• Do not reveal sensitive or personal information on social networking sites.
  ◦ Such personal details are commonly used by banks and credit card companies as security questions to identify an individual before clearing access to his or her financial accounts, credit card logins, and more.
  ◦ Social networking sites can provide fraudsters with personal information to access accounts. Use caution when sharing such details on your profile. Also, take advantage of privacy settings so that you can control who sees your profile information.
• Use caution when using apps on social networking sites.
  ◦ Verify that the app does not have access to any personally identifiable information. Users of certain social media apps experience a significantly higher incidence of fraud than the general public. In 2011, users who had ever clicked new apps or updated their profiles with important events experienced a 6.8% incidence rate compared to the overall fraud incidence rate of 4.9%.
Figure 5: Protecting Your Information Online
© Copyright 2012 Javelin Strategy & Research. All rights reserved. It is protected by copyright and other intellectual property laws. You may display or print the content available for your use only. You may not sell, publish, distribute, re‐transmit or otherwise provide access to the content of this report.
Stay Safe Online. Transitioning your financial activities away from paper statements and onto online channels can significantly reduce the time it takes to detect fraud as well as reduce risks associated with physical documents containing personal information. However, the Internet also introduces new threats that you should take into account.
Regularly install and update firewall, antivirus, man‐in‐the‐browser protection, and antispyware software on your computer (and mobile device) when possible.
◦ Be aware of the dangers of online threats and install antivirus and antimalware software on your computer, smartphones, and tablets, and update it along with applications, browsers, and operating systems.
◦ Download browser security software to protect against man‐in‐the‐browser attacks. Install security patches and software updates as soon as they are released by verified sources.
Use and recognize secure websites.
◦ Do not provide card or personal information at unsecured sites. Extended‐Validation Secure Sockets Layer (EV SSL) and SSL sites are the most secure and use encryption and other security methods to protect consumer information.
◦ To recognize these sites, look for the padlock symbol and an “s” after the “http” in your browser’s address bar. If you double‐click on the padlock symbol, the SSL certificate will appear. If the website has an additional layer of security (EV SSL), green highlighting will appear in the address bar when you access the site using a high‐security browser.
◦ Use the latest version of your browser. New browser updates patch security holes and provide the most secure environment in which to conduct financial transactions.
◦ Avoid accessing websites displaying personal or account information using unsecured Wi‐Fi connections, such as those at cafes, public libraries, or airports. Also ensure that your Internet connection at home and work is secure or protected by a firewall.
◦ On unencrypted public Wi‐Fi, SSL offers little or no protection. You are “somewhat” more secure using your mobile device’s 3G or 4G connection.
◦ Turn off Bluetooth and Wi‐Fi when they are not being used.
Watch out for email and attachments from convincing imitations of banks, card companies, charities, and government agencies.
◦ Never respond directly to requests for personal or account information online, over the phone, in email, or through your mobile device — including SMS text messages.
◦ Instead, use legitimate contact information to verify requests for information such as your FI’s website or the telephone number listed on statements and the back of credit cards.
◦ Do not click on embedded links in any email or SMS. If you get an email from your bank or FI, go to its main website or use its dedicated downloadable application.
Follow safe password practices.
◦ Do not use easily guessed passwords, such as your birth date, the name of a close relative, or your pet’s name. Do not use dictionary words, the name of the website, or the word “password.” Don’t capitalize the first character (instead, capitalize a random letter) and integrate numbers into your password.
◦ Use strong passwords for wireless Internet connections, and don’t access unsecure websites or type in PII using public Wi‐Fi on mobile devices, laptops, or computers.
◦ The most secure passwords are at least 8 characters in length and consist of 'four' categories of characters ‐ upper case, lower case, special character (e.g. a percent sign or ampersand) and a number.
Stay Safe Offline. Being aware of your surroundings and effectively destroying physical documents with sensitive information are essential practices to safeguard your identity. There are several simple precautions you can take to ensure that your identity is safe.
Keep sensitive information from prying eyes.
◦ At home or work, secure your personal and financial records in a locked storage device or a password‐protected file — in 2011, 13% of all identity fraud crimes were committed by someone known to the victim.
◦ Better yet, scan your documents and store them in an encrypted, password‐protected file on your PC. ID thieves would love to get records of your yearly tax returns.
Avoid providing your full nine‐digit SSN whenever possible, and do not carry your financial cards and documents with sensitive information.
◦ When your Social Security number is requested as an identifier, ask if you can provide alternate information. In 2011, 25% of fraud victims reported having their SSN stolen.
◦ Do not carry your Social Security card, unnecessary credit cards, or checks.
◦ When asked for your SSN, ask if you can have a different identifier. Many utilities utilize the last four digits of your SSN to verify your identity. If you ask, you can have a security code unrelated to your SSN. Keep your SSN out of 'offline' circulation as much as possible.
Shred documents with sensitive information before disposing of them, and keep your documents and personal information in a safe place that is inaccessible to those around you.
Request electronic statements and use online bill pay whenever possible.
◦ Enroll in direct deposit, shred sensitive paper documents, and don’t put checks in an unlocked mailbox.
◦ Switch from paper statements to online financial account management. While this does not eliminate fraud, it does give consumers more control over their accounts to regularly change passwords, change PII, and monitor activities to reduce their risk of fraud.
Opt out of preapproved credit offers.
◦ Call 1‐888‐5‐OPTOUT (1‐888‐567‐8688) or visit www.optoutprescreen.com to be removed from credit card applications and other mail that contain personal information.
Be aware of your surroundings.
◦ Be mindful of people in close proximity who could overhear or watch you access sensitive financial or personal information when you are talking on the phone, logging in to websites, purchasing goods at stores, or reading sensitive documents.
Data Breach Notification Letters
Financial institutions typically send data breach letters to notify customers about the possible leak of personally identifiable information. The letter would also specify what information was stolen or leaked and the steps required to ensure further protection of customers’ accounts. In 2011, 15% of U.S. adults received such letters. This is an increase from 9% in 2010.
Take Action to Protect Yourself If You Receive a Security Breach Notification
Figure 6: Consumers Who Receive Breach Notifications Face Significantly Higher Risk of Fraud
What Should I Do If I Receive a Breach Notification Letter?
Currently, 46 states require companies to notify you if a breach of security occurs at their place of business and your personal information has been placed at risk. Receiving this notification does not necessarily mean that you will suffer a fraud. However, Javelin data shows that consumers who received breach notifications in 2011 had a substantially higher risk of identity fraud, almost 9.5 times higher, than those who didn’t receive these types of notifications. Consumers who receive security breach notifications therefore need to take action to protect themselves. If you receive a data breach letter, take the following steps:
1. Verify that the letter is legitimate.
2. You are strongly encouraged to take advantage of any free services the notification letter offers, such as credit monitoring or ID protection services. In addition, be aware that the free services offered with a breach are often the least costly options available and may not provide full coverage. You may wish to consider contacting a reputable ID protection services company for more comprehensive protection.
3. You should also call the toll‐free numbers or visit the websites listed in the letter to learn more about the breach, determine your level of risk, and identify the actions you need to take to protect yourself from more damage.
Different breaches have different levels of risk that require specific action by consumers to prevent further harm. The action could be as simple as changing the passwords of email accounts that are linked to the FI, canceling the affected credit or debit card, or changing the security questions and answers on affected accounts. Or the action could be far‐reaching, such as the following:
Monitoring financial accounts
Closing affected accounts
Placing a fraud alert¹ on your credit report with the three primary credit bureaus: Equifax, Experian, and TransUnion (refer to Figure 7 for contact details)
Placing a credit freeze² on your account with the three primary credit bureaus
¹ Fraud alerts notify creditors that a potential fraud has occurred and that they should verify the applicant’s identity before extending credit. An initial alert stays active for 90 days, and an extended alert for identity fraud victims lasts seven years. A fraud alert will trigger a credit report, which the consumer needs to review for any signs of fraud.
² A credit freeze is stronger than a fraud alert because it locks the consumer’s credit report to prevent new credit from being extended.
DETECTION
Law Enforcement Tips for Detecting Fraud
The percentage of identity fraud discovered through law enforcement agencies reached a six‐year low at 2% of all identity fraud victims in 2011. Consumers can use various methods to detect instances of fraud, each with its own efficacy. Even if consumers do not perceive themselves as at risk, they should generally adopt several best practices, such as regularly reviewing their credit reports.
Credit Bureau Information
Figure 7: How to Contact the Three Credit Bureaus
Credit Bureau | Order credit report | Report fraud | Web address | Mailing address
Equifax | 800‐685‐1111 | 888‐766‐0008 | www.equifax.com | Equifax Consumer Fraud Division, P.O. Box 740241, Atlanta, GA 30374
Experian | 888‐397‐3742 | 888‐397‐3742 | www.experian.com | Experian Consumer Assistance, P.O. Box 9532, Allen, TX 75013
TransUnion | 800‐888‐4213 | 800‐680‐7289 | www.transunion.com | TransUnion Victim Assistance Dept., P.O. Box 6790, Fullerton, CA 92834
Note: To order a free annual credit report from any or all agencies, contact www.annualcreditreport.com or call toll free at 877‐322‐8228.
© 2012 Javelin Strategy & Research
It is critical that consumers detect fraud as early as possible to minimize potential losses and fraud resolution time. Faster detection results in lower out‐of‐pocket expenses, which include unreimbursed losses, legal fees, and lost wages. The sooner fraud is detected, the easier it is to resolve and the less the criminal is able to steal.
How Can I Detect Identity Fraud?
Javelin research has consistently shown that consumers can be very successful at detecting identity fraud relating to their accounts. The most efficient way to combat fraud is for consumers and institutions (banks, government agencies such as the Federal Trade Commission, and other organizations dedicated to fighting fraud) to work together. Consumers must be proactive in their approach to protect themselves against fraud and should work with institutions to safeguard their identity.
Self‐Detection vs. External Fraud Detection
Financial account protection is a shared responsibility between FIs and customers. In 2011, fraud detection was almost equally split between fraud victims and external sources (e.g., FIs and law enforcement). While 43% of consumers were able to self‐detect fraud by monitoring their accounts or using alerts, 54% of consumers relied on their banks and law enforcement. The latter group realized they had been defrauded only when they were notified by these external sources.
Self‐Detection and External Detection Are Almost Evenly Split
Figure 8: Methods of Detection, 2011
It is important to note that self‐detection is still the most effective way to detect fraud. Javelin’s data showed that consumers who took an active role in their financial management by monitoring their accounts were able to detect fraud faster than any external source. For example, it took 24 days to self‐detect fraud, compared to 58 days for external detection. External detection also factored into the time the information was being misused. The average length of misuse was 28 days when the fraud was self‐detected, compared to 65 days when the fraud was detected by external sources. It is in the consumers’ interest to play an active role in managing their financial security and keeping a close watch on their financial activity. Javelin recommends doing the following to detect fraud early:
Monitor your credit report on a regular basis.
◦ Review and confirm that all the accounts listed belong to you and that no unauthorized charges have been made or unknown accounts or credit lines have been opened.
◦ Free reports are available at AnnualCreditReport.com or by calling 1‐877‐322‐8228. By contacting a different one of the three credit bureaus every four months, you can stagger your free reports to review your credit three times a year at no charge.
◦ Optional fee‐based services, such as more extensive monitoring of credit information, personal identity records, and Social Security numbers, provide extra security and convenience for those who don’t want to personally monitor their information. When choosing an identity protection service, select a provider that covers both personal information and credit monitoring.³ These providers can also be of great assistance in helping you resolve identity theft or misuse.
Sign up for email and mobile alerts through your primary bank and credit card company.
◦ Set up email and SMS text notifications through FIs so that they will alert you to suspicious activity and changes to your accounts or personal information.
◦ You can choose among a wide array of alert offerings for the ones that apply to your banking behaviors and practices, thereby increasing your identity fraud protection.
◦ The most common method fraudsters use to take over accounts is changing the physical address, so set up an address‐change alert whenever possible.
Review financial statements promptly.
◦ Check account balances at least weekly through online banking, mobile banking, phone, or ATM. Regularly monitor all financial accounts electronically, including banking, biller, and credit card.
◦ Consumers who discover fraud using electronic vs. paper‐statement monitoring have shorter detection times and pay lower average out‐of‐pocket costs. Javelin’s data showed that victims who discovered fraud through electronic monitoring averaged a mean detection time of 9 days, compared to 27 days among those who monitored paper statements. In addition, consumers would save an average of $553 in out‐of‐pocket costs by using electronic monitoring instead of paper statements.
◦ Confirm that all transactions are authorized and that no suspicious activity has occurred or unapproved changes have been made to your accounts.
Customers should take advantage of the tools FIs offer such as email, SMS text alerts, mobile banking, and online banking.
◦ These easy‐to‐use methods allow you to constantly monitor your financial accounts to quickly detect identity fraud. Fee‐based identity protection solutions such as credit monitoring and personal information monitoring can help detect fraudulent new accounts.
³ For more information on the specific services offered by some of the top ID protection products, please refer to Javelin’s Fifth Annual ID Protection Services Scorecard: Increased Focus on Antivirus, Social Media, Child and Medical Identity Theft, Yet Prevention Still Lags.
RESOLUTION
Law Enforcement Tips for Resolution
The role of law enforcement in the life cycle of a fraud case is likely concentrated in resolution. The number of victims who took no legal action in response to their fraud continues to increase, continuing a trend first observed in 2010. The percentage of fraud cases filed with police declined 15% to 35% of fraud victims in 2011 from 41% in 2010 (see Figure 9). The increasing prevalence of existing card fraud, which has traditionally been the least severe type of fraud, and the decreasing prevalence of new account fraud, which has traditionally been the most severe type, have likely been driving factors in the decline in number of police reports filed. Other legal actions taken on behalf of fraud victims, such as arrests and convictions of thieves, did not deviate significantly from the previous years. Unsurprisingly, when the type of fraud was more severe, a higher percentage of victims pursued legal action. Sixty‐one percent of existing non‐card fraud victims and 57% of new account fraud victims pursued some form of legal action in response to the fraud compared to 42% of all fraud victims.
Rise in Number of Victims Who Take No Legal Action in Response to Fraud
Figure 9: Legal Actions Taken by Victims in Response to Fraud, 2009–2011
Percent of Fraud Victims
Legal action | 2011 | 2010 | 2009
No legal actions were taken | 58% | 55% | 51%
A police report was filed | 35% | 41% | 40%
An arrest was made | 10% | 11% | 9%
A prosecution was made | 7% | 8% | 7%
A conviction was made | 6% | 7% | 6%
A civil suit was filed | 3% | 4% | 4%
Q37. Were any of the following legal actions taken...
November 2011, 2010, 2009, n= 455, 374, 551. Base: All fraud victims excluding those who did not know or refused.
© 2012 Javelin Strategy & Research
To expedite the resolution process and encourage a healthy response to fraud, law enforcement agencies can take some of the following actions:
Identify the types of fraud being committed in your jurisdiction and set up predefined plans to address them quickly and efficiently. A long or drawn‐out legal process will frustrate victims and likely increase the perceived severity of the fraud.
Encourage victims to adopt behaviors that can circumvent future instances of fraud. Law enforcement agencies can encourage victims to act in ways that increase their overall security. Although victims who seek legal recourse do tend to adopt productive behaviors, such as using antivirus software or online banking, at a higher rate than the general population of fraud victims, more encouragement is needed. For example, 51% of fraud victims who pursued legal action set up mobile or email alerts in response to the fraud, compared to 39% of all fraud victims. However, almost half of these victims are not setting alerts, which should be a security staple on any account.
Discourage victims from avoiding behaviors that aren’t responsible for the fraud. Victims’ reactions to information theft don’t always manifest in productive behavior changes. Victims who took legal action in response to fraud also tended to withdraw from activities that are not necessarily risky more often than did all fraud victims. Seventeen percent of these victims stopped banking online compared to 12% of all fraud victims. The knee‐jerk response to fraud might not always be the most beneficial to the consumer. Withdrawing from online banking, for instance, could actually increase the severity of future theft because victims who discover fraud through electronic means tend to detect it faster and have a lower average loss.
Consumers can take numerous steps to resolve fraud.
What Should I Do If I Become a Victim of Identity Fraud?
If you become a victim of identity theft or fraud, don’t panic. When it comes to your financial accounts, FIs and credit card providers are prepared to resolve identity theft. FIs will likely have a team dedicated to resolving identity fraud and guiding victims through the process. With technological advancements, identity fraud resolution has improved over time. The average amount of time required to resolve a case of identity fraud has steadily decreased year‐over‐year, from a mean resolution time of 18 hours in 2004 to 12 hours in 2011. By following the few simple steps below, you can help ensure that your fraud case is handled quickly and painlessly. These actions can serve as a checklist/resource guide if you become a victim.
Immediately contact your bank and credit card companies.
◦ Report problems and work with your bank, credit union, or identity protection service provider to take advantage of resolution services and reimbursement policies.
◦ If your FI provides fraud resolution specialists, ask for their assistance to ensure the fraud is resolved.
◦ If physical documents such as a checkbook, wallet, debit card, or credit card are lost or stolen, if unauthorized or suspicious account activity occurs, if changes are made to personal information (e.g., physical address, email address, registered users, login or password), or if paper statements are turned off, notify the appropriate institutions as soon as possible.
◦ Depending on each individual case, an FI may close your account, cancel your debit or credit cards, and take other necessary precautions. It will also assist you in setting up new accounts and will issue new debit and credit cards.
Educate yourself on your FI’s and issuer’s zero‐liability protections on debit cards and ATM withdrawals as they vary among providers.
◦ Report all lost or stolen cards and/or fraudulent transactions immediately as the timing of your report may impact the amount that you are liable for under the law.
Contact the Federal Trade Commission.
◦ To report incidents of suspected fraud or identity theft, visit the FTC online at www.ftc.gov/bcp/edu/microsites/idtheft and fill out a complaint form or call 1‐877‐IDTHEFT (1‐877‐438‐4338). Alternately, the FTC can be reached at Identity Theft Clearinghouse, Federal Trade Commission, 600 Pennsylvania Avenue, NW, Washington, DC 20580.
Place a fraud alert on your credit report.
◦ If your personal information has been compromised or if you have been a victim of fraud, immediately contact the three primary credit reporting agencies: Equifax, Experian, and TransUnion (refer to Figure 7 for contact information). These agencies provide credit monitoring services as well as additional products and services.
Consider placing a security freeze on your credit report.
◦ If you have been a victim of fraud related to an opening of a new account more than once and you are not actively applying for credit, you may want to place a security freeze on your credit report at each of the three reporting agencies.
File a police report.
◦ If fraud has occurred, contact your local police department to file an identity fraud report. Make sure to save a copy for your personal records.
Consider enrolling in a high‐quality ID protection service.
◦ While a stolen credit or debit card is easily replaced and resolved, information such as Social Security numbers cannot be replaced and can continue to be abused. If victims find their driver’s license number or SSN has been compromised, they should consider enrolling in ID protection services that monitor credit reports as well as noncredit‐related databases for unauthorized use of stolen information.
How Consumers React to Identity Fraud
After becoming fraud victims, many victims say they are taking preventive measures against identity fraud: Nearly half of victims have started using online banking and about 44% have installed antispyware or a firewall on their computer. Almost 4 in 10 consumers have signed up to receive email or mobile alerts regarding credit card or checking accounts after being victims of fraud. The number of consumers who are taking legal action when they become fraud victims is decreasing. Many victims find they need a police report for legal action, yet the number of victims filing a police report in 2011 dropped to 35% from 41% in 2010.
Identity Fraud Protection Solutions
Specific services are available for consumers who want extra protection against new accounts fraud — the type of fraud in which a criminal uses a victim’s Social Security number and other personally identifiable information to create a fraudulent account in the victim’s name (e.g., credit card, cell phone, or utilities) — and other types of fraud. Identity protection services such as credit monitoring and personal information monitoring can be purchased for a fee. Javelin advises consumers purchasing fee‐based services to look for the firm’s BBB rating. These services can provide peace of mind and convenience for consumers who want extra protection.
Credit Monitoring and Personal Information Monitoring Services
Figure 10: Identity Fraud Protection Services
Service | Description
Credit monitoring | A paid subscription service that monitors your credit for suspicious activity or changes to your credit file (e.g., credit inquiries, employment changes, new accounts or address changes). Intended to detect potential identity fraud.
Personal information monitoring | Scans public records, third‐party databases and Internet sites to detect exposure of your personal information (credit card numbers, Social Security numbers, etc.). Intended to detect potential identity theft.
Fraud alert | A message that is placed on your credit report, requiring lenders and creditors to confirm your identity before issuing a new line of credit. Intended to prevent new accounts fraud.
Credit freeze | Freezes your credit file at the credit reporting agencies, which are then prohibited from issuing your credit history to any lender, creditor or others. Intended to prevent new accounts fraud.
© 2012 Javelin Strategy & Research
Credit monitoring services are generally fee‐based, although many consumers receive them free as part of a data breach settlement. These services regularly monitor your credit for suspicious activity and changes to your credit file. Changes include credit inquiries, public records, delinquencies, negative billing information, employment changes, new accounts, and address changes. Email alerts are sent when abnormal activity is detected. Credit monitoring is designed to detect potential fraud as soon as possible after it has occurred and is one of Javelin’s best customer safety preventive recommendations because it is extremely effective in early detection of fraud. Although many services offer monitoring for only a single credit bureau, single‐bureau monitoring is not as effective as monitoring all three credit bureaus because many lenders will contact one bureau and not the others. Generally, triple bureau monitoring is not available for free as part of a data breach settlement or notification.

Personal information monitoring is a paid service that scans alternative information sources outside of the credit report, including Internet sites, public records, and even card forums (underground sites on which stolen cards are bought and sold), to detect if your personal information has been compromised. In using this service, you can determine if changes have been made to your accounts or information. While ID protection services have traditionally been detection tools, personal information monitoring has taken steps toward a more preventive service. Products such as Not Me™ offered by ID Analytics alert consumers in real time when their identity is being used and allow the legitimate owner of that identity to take steps to block the fraud. The most complete identity protection services offer both personal information monitoring and credit monitoring.

Fraud alerts are a consumer’s right under the Fair and Accurate Credit Transactions (FACT) Act. If you think you may have been a victim of fraud, you can set up a fraud alert by contacting the fraud departments of the three major credit bureaus and asking them to mark their credit files. Each bureau is required by law to notify the other two agencies, but Javelin and consumer privacy advocates recommend placing alerts at all three bureaus. Fraud alerts are an important feature in preventing someone from opening a fraudulent new account (such as a new credit card or loan) in your name. When an alert is in place, creditors are signaled that a possible fraud has occurred and that they should use additional measures to verify that consumers applying for credit are really who they say they are. Given that new account fraud is the most expensive and most difficult type of fraud to resolve, consumers should take advantage of fraud alerts as a critical, preventive service. Fraud alerts initially remain in place for 90 days, after which the consumer will need to renew the alert. The initial alert will generate a credit report, which the consumer should carefully review for signs of fraud. Victims who can document fraud according to set criteria can qualify for the seven‐year fraud alert. A seven‐year fraud alert requires creditors to contact the consumer by phone, in person, or through the manner in which the consumer indicates before extending credit, raising limits, or adding new users. An active‐duty alert is available to active‐duty military personnel. The active‐duty alert lasts 12 months and includes name removal from prescreened credit or insurance offers for two years.

Credit freezes lock down your credit file and prevent any lender or creditor from accessing your credit history. This service is designed to block new credit from being issued in your name and is a stronger prevention method than a fraud alert. If you are a victim of identity fraud, depending on the state in which you live, you may qualify for free coverage. If you are not eligible for free coverage, it may cost up to $30 to place a freeze at the three bureaus and $30 to remove it (costs can vary by state law). Credit freezes are recommended only for people who will not be actively applying for credit. If you place a credit freeze, you cannot apply for new credit unless you remove or temporarily lift the freeze, which could take a few days. Many consumers are surprised at how often their credit reports are reviewed for activities such as getting a new job, opening a new utility account, or taking out a new insurance policy.
Additional Resources
Javelin has used the results of its study to create an easy‐to‐use safety quiz and a list of recommended tips, which can be accessed at www.IDsafety.net. The 2012 Identity Fraud Report’s sponsors (Fiserv, Intersections, and Wells Fargo) also make safety recommendations:
Fiserv www.ebillplace.com/staysafe
Intersections www.identityguard.com/consumer‐tools
Wells Fargo www.wellsfargo.com/privacy_security/fraud/
METHODOLOGY
In 2011, 5,022 adults, including 818 fraud victims, answered questions regarding their daily financial practices and behaviors to help determine the potential causes of such fraud as well as to provide detailed information regarding their fraud. A detailed description of methodology for the Javelin 2011 Identity Fraud Report can be found at www.IDsafety.net.
Common Fraud Scams and Terms
account takeover fraud
Method of identity fraud in which a fraud operator attempts to gain access to a consumer’s account by fraudulently adding his or her information to the account (e.g., changing account mailing address, adding himself or herself as a registered user, or making other alterations).
card not present (CNP)
Transaction in which the card is not present; card data is manually entered. This includes purchases made online, by phone, or through the mail.
casual social network activity users
Social network users who indicated that they sometimes use the indicated social networking activity or often use the indicated social networking activity.
cloud
The cloud is a metaphor for the Internet. With the cloud, software services and data are not hosted locally but globally and are accessible remotely by browser. Amazon, Google, and Rackspace, for example, offer large cloud networks that are leased to various businesses.
consumer cost or out‐of‐pocket cost
Out‐of‐pocket costs incurred by the victim to resolve a fraud case, including postage, copying, notarizing of documents, and legal fees; costs may also include payment of any fraudulent debts to avoid further problems.
credit freeze
Security freeze placed on a consumer’s credit file to prevent the file from being shared with creditors, thus forestalling new accounts from being opened in the consumer’s name.
credit monitoring
Service that scrutinizes a consumer’s credit file for suspicious activity or changes on his or her credit report such as credit inquiries, delinquencies, negative billing information, employment changes, and address changes. Monitoring is particularly helpful in detecting new account fraud after it occurs. The most effective credit monitoring companies will monitor all three credit bureaus because many lenders will contact only one.
data breach
Unauthorized disclosure of information that compromises the security, privacy, or integrity of personally identifiable data.
drive‐by download
Act of passively compromising a PC by downloading a malicious file while the victim views the content of a website.
existing account fraud
Identity fraud perpetrated against either or both existing card and existing non‐card accounts.
existing card account fraud
Identity fraud perpetrated through use of existing credit or debit cards and/or their account numbers. This fraud type can also be referred to as existing card fraud or truncated to ECF.
existing non‐card account fraud
Identity fraud perpetrated through use of existing checking and savings accounts or existing loan, insurance, telephone, and utilities accounts or other accounts. This fraud type can also be referred to as existing non‐card fraud or truncated to ENCF.
external detection methods
Methods of detecting fraud in which an external resource is the first to discover the fraud. Examples of external detection methods include discovering fraud through notifications from the bank, law enforcement, or debt collectors.
fraud amount
Total amount of funds the fraud operator obtained illegally; these may result in actual losses to various businesses and organizations and, in some cases, to the consumer.
frequent social networking activity users
Social network users who indicated that they always use the indicated social networking activity or often use the indicated social networking activity.
friendly fraud
Fraud committed by someone who knows the fraud victim personally, such as a family member, co‐worker, or friend. Friendly fraud is more damaging (harder to detect and longer to resolve) because the perpetrators tend to be aware of the victim’s habits and know how to hide the fraud. Also, victims tend not to report friendly fraud to authorities.
identity fraud
Unauthorized use of some portion of another’s personal information to achieve illicit financial gain. Identity fraud can occur without identity theft (for example, by relatives who are given access to personal information or by the use of randomly generated payment card numbers).
identity theft
Unauthorized access to personal information; identity theft can occur without identity fraud, such as through large‐scale data breaches.
key logger
Spyware that captures and records user keystrokes on a computer and is used by fraudsters to obtain passwords, PINs, logins, and other sensitive information.
mail order/telephone order (MOTO)
Orders placed through mail or telephone channels (a type of card‐not‐present transaction).
malware
Malicious software designed to access a computer or operating system without the knowledge or consent of the user. Some examples of malware are computer viruses, worms, Trojan horses, spyware, malicious adware, and rootkits. Malware is damaging code or programming that gathers information without permission.
man‐in‐the‐browser (MITB)
Attack in which a perpetrator is able to read, insert into, and modify, at will, messages between the Internet browser and a server without either party’s knowing that the link between them has been compromised.
man‐in‐the‐middle (MITM)
Attack in which a perpetrator is able to read, insert into, and modify, at will, messages between two parties without either party’s knowing that the link between them has been compromised. MITB attacks are a subset of MITM attacks in which the browser is exploited to trick the legitimate parties into revealing sensitive information.
mutual authentication
Method by which the FI and the customer identify each other by providing and identifying shared secrets.
new accounts fraud
Identity fraud perpetrated through use of the victim's personal information to open fraudulent new accounts.
P2P services
Person‐to‐person services refer to a financial tool that allows the consumer to transfer funds to another person's account electronically. These P2P services can be conducted through a PC, smartphone, or tablet.
personal information monitoring
Service that keeps an eye on a consumer’s personally identifiable information by monitoring channels, including online surveillance, public records and databases, Internet sites, and “carding” forums (underground sites where stolen credit card numbers are bought and sold). Third‐party solutions that offer this service provide additional value because they can more holistically prevent and detect identity fraud, including medical and health insurance fraud.
phishing
Method of "fishing" for Internet users’ passwords and financial or personal information by luring them to a fake website through an authentic‐looking email that impersonates a trusted party. Phishing emails could attempt to impersonate an FI, issuer, merchant, or biller.
privacy settings
User‐defined controls that allow users to manage the visibility of various parts of their social media profiles, including who has access to specific information.
self‐detection methods
Methods of detecting fraud in which the consumer is the first to discover the fraud. Examples of self‐detection include discovering fraud through electronic or paper monitoring or reporting a card lost or stolen.
severely impacted
Victims who report that they have suffered a significantly negative effect because they have been fraud victims. Consumers rate the impact a 4 or 5 on a scale where 1 represents “little or no effect” and 5 represents a “severe effect.”
smartphone
A mobile device with phone, keyboard, web access, and apps (e.g., Android, iPhone, Windows Mobile, BlackBerry, etc.)
social networking
A medium for consumers to interact with one another online. Users are responsible for generating content and can post and edit conversations, pictures, and media. Some of the most popular social media sites are Facebook, MySpace, LinkedIn, Twitter, FourSquare, Yelp, and YouTube.
Trojan horse
Program that appears to be a useful file (e.g., a music file or software upgrade) from a legitimate source, tricking the victim into opening it; once activated, the Trojan horse allows intruders to access private information.
two‐way actionable alerts: review and release
Review and release alerts are user‐defined notifications that alert the consumer when the transaction is still pending. The transaction that triggered the alert remains pending until the consumer can verify or deny it within the alert.
two‐way actionable alerts: review and respond
Review and respond alerts notify consumers after a transaction has been completed but allow the consumer to respond within the alert if he or she wants to take certain action. This could include reporting the transaction as fraudulent or transferring funds from one account to another.
Wi‐Fi hot spots
Location that offers Internet access over a wireless local area network. These hot spots can be set up in public venues where users can connect using laptops, smartphones, tablets, and other Internet‐accessing devices.
Wi‐Fi Protected Access (WPA)
Designed to replace WEP by using stronger encryption. Extensions of WPA and WPA2 include Temporal Key Integrity Protocol (TKIP) and pre‐shared key (PSK, also known as personal) mode. Both require the addition of a pass phrase that is used in the process of encrypting the data packet.