Identity Theft: What it’s like to have your information stolen – a first-hand account from Principal and Chief Investment Officer Seth Meisler
By Seth Meisler, CFA, CPA/PFS, CFP®, BFA™
Not that long ago, I refinanced my mortgage in order to lower my mortgage rates. About six months later, I received a letter from the company that closed my mortgage informing me that they had been hacked and that my personal information had been stolen. This personal information included my name, address, phone number, and social security number. As a consolation, they offered to enroll me for a year on a credit monitoring website. How exactly was the company hacked? An employee in the office clicked on a fraudulent email allowing the hackers an entry point. To their knowledge, the information had not been used.
I want to share my personal experience with you, in hopes that it is helpful if you ever find yourself in a similar situation, and to share tips on what to do if your information gets stolen.
Entry through fraudulent emails (called phishing) is pretty common. Per the FBI, phishing attacks cost companies and individuals $1.7 billion in 2019. This is a big business. (Source: https://securityboulevard.com/2020/04/phishing-statistics-the-29-latest-phishing-stats-to-know-in-2020/)
In all likelihood, this was probably not the first time my information has been exposed through a hack, and to my knowledge, no one has tried to use my personal information for illicit purposes. At least not yet. Regardless, my experience confirms that this process is confusing and time consuming. Because no actual crime had been committed to me, I did not file a police report. In addition, I did not file a report with The Federal Trade Commission (https://identitytheft.gov/), but would recommend doing so if you know that your personal information has been fraudulently used. Their website has a wealth of information.
I had already started making security improvements prior to getting hacked. Safety features that I’ve set up include: keeping my software updated, using antivirus and malware software on my computer, having an online backup of my files, a secure WiFi, and I also started using a password manager. I strongly recommend having a password manager and having each website you use have its own separate password. Many password managers have the ability to tell you if any passwords are being used on more than one site, and they will help you create secure passwords as well. I would also recommend two-factor authentication whenever possible. When you have two-factor authentication, the website sends a code to your phone and you enter that code along with your password. The other step I take is that I review my credit card transactions every week to two weeks. This limits the chance of fraudulent credit card transactions. Finally, many credit card companies offer free credit monitoring service. I would suggest taking advantage of that free service.
After receiving notification of the hack and setting up the credit monitoring service paid for by the company that was hacked, I focused on those areas that would likely be appealing to fraudsters. The first step was Social Security. I have heard stories of funds being misdirected and therefore wanted to make sure that this was prevented. Setting up security for Social Security is fairly easy. They also have an extra layer of security if desired that is under security settings (https://www.ssa.gov/myaccount/).
The second area of focus was on taxes and the IRS. I was able to notify the IRS that I had been hacked by filing IRS Form 14039, Identity Theft Affidavit (https://www.irs.gov/pub/irs-pdf/f14039.pdf). This form was manually completed and mailed. An alternative is to call the IRS Identity Protection Specialized Unit at 1 (800) 908-4490 to put them on alert. You can also view your tax transcripts (https://www.irs.gov/individuals/get-transcript) and account balance (https://www.irs.gov/payments/view-your-tax-account) to make sure that everything looks accurate. For greater security, the IRS is offering tax filers specific pin numbers to be used when filing tax returns. Until recently, the IRS would only give out pin numbers if your information was actually used. Starting in 2021, anyone can get a pin number.
The next step was to contact the credit bureaus. There are three main credit bureaus that monitor credit: Equifax, Experian, and TransUnion. By Federal law, everyone has a right to one free credit report per year from each agency. One website where you can find these reports is www.annualcreditreport.com. Once you have access to the credit report, it is important to review and see if there is credit outstanding at somewhere unfamiliar or any data that appears to be incorrect. When I contacted the credit bureaus I first alerted them that my personal information was stolen and to be on the lookout for any credit requests. I also decided to freeze my credit. Once frozen, no one can open anything under your credit. This way, if anyone tried to open an account, take out a loan, etc. using your credit, it would be denied. If you contact one credit bureau, they will contact the other two. However, to lift the freeze, you need to call each credit bureau separately. An annoying feature I found during my experience with the credit bureaus, was that they tried to sell me items that I didn’t need. I would suggest avoiding paying for monitoring service from the credit agencies.
After securing my information within Social Security, the IRS, and the three credit reporting bureaus, I believe I have done all I can today to protect my personal data.
If my information was used fraudulently, future steps would include filing a police report, filing a report with the FTC, cancelling any impacted credit cards, alerting my financial institution, and talking to the Department of Motor Vehicles (DMV) licensing division about flagging my file so no one can get a new license in my name. You can also search for your email address on https://haveibeenpwned.com/ to see if your email address was compromised in any data breaches.
The process took several hours to research and a couple hours to contact all the agencies and complete any paperwork. Updating logins on websites was by far the slowest process just due to the sheer number of websites and logins. Reviewing your credit is critical nowadays and I would recommend doing so at least once a year. Being proactive will save hours of work in the future.
If you find yourself the victim of fraud, cybercrime, or identity theft, check out our Fraud Victim Call List for a list of places to contact for help.
There can be no assurance that the content made reference to directly or indirectly in this blog post will be suitable for your individual situation, or prove successful. Due to various factors, including changing conditions and/or applicable laws, the content is only reflective of current opinions or positions and is subject to change at any time and without notice. Moreover, you should not assume that any information contained in this blog post serves as the receipt of, or as a substitute for, personalized investment advice from Affiance Financial. Please remember to contact Affiance Financial if there are any changes in your personal/financial situation or investment objectives.