Steps to take to prevent identity theft and related security concerns.
Identity theft poses a serious threat for
financial advisors and their clients. A report released earlier this
year by the Council of Better Business Bureaus predicted that one in 23
adults in the U.S. will be victimized during 2005, at a total cost
exceeding $50 billion.
The 2005 Javelin Identity Fraud Survey Report released by the Better Business Bureau and Javelin Strategy & Research shows that despite growing fears about identity theft and online fraud, identity theft remains primarily low-technology crime today. Internet-related fraud problems are actually less severe, less costly and not as widespread as previously thought.
According to the report, the most frequently cited source of information used to commit fraud was a lost or stolen checkbook, wallet or credit card, at 29%. Computer crimes accounted for just 11.6% of all known-cause identity fraud in 2004. Of the computer crime that was detected, about half stems from spyware, software the computer user unknowingly installs.
In cases where the perpetrator of the information was subsequently identified, a startling 50% of the violators were known to the victim; 32% of offenders were reportedly a family member of relative; another 18% were a friend, neighbor or in-home employee. By contrast, only 24% of violators were complete strangers, and 13% were employees of a company with access to the victim's personal information.
Another study by the Identity Theft Resource Center entitled Identity Theft: The Aftermath 2004, offered a similar picture. According to this study, released on September 14, 39.4% of respondents cited a friend or family member as the source of stolen information. The study listed the mail as the second greatest source of stolen information at 10.6%.
A number of studies, including the one by the Identity Theft Resource Center (ITRC) and a 2003 Federal Trade Commission study, indicate that identity theft is not evenly distributed geographically. In ITRC's survey, 19% of the victims resided in California. Florida (9%), Texas (6%) and New York (5%) also exhibited high incidences of ID theft. Other oft-cited high-risk states include Nevada, Colorado and Arizona.
It is also instructive to look at what the thieves did with the information once they stole it. In the ITRC study, 66% of victims reported that their stolen information had been used to open a new credit account with their name, followed by purchasing new cell phone service (28%), making charges to an existing credit card account (27%), making charges over the internet (22%) and obtaining new phone service (19%).
Both studies conclude that the vast majority of identity theft is self-detected; that is, the victim is the first one to discover it. ITRC indicates that 85% of victims found out in an adverse manner, through a denial of credit, collection notice, etc.
Once advisors better understand the nature of the crime, some precautions become readily apparent:
Clients must be vigilant in protecting their personal information. This includes the contents of their wallets (driver's license, Social Security Card, Health Insurance ID), their checkbooks and their credit card numbers.
Sad though it may be, the greatest single risk is from somebody the victim knows. Therefore, one should not assume that information in one's home or place of business is safe. It should be secured at all times.
While all advisors and their clients are at risk, those living in high-risk states should be particularly proactive.
Monitor your credit report regularly. Clients can now obtain one free report per year from each of the big three credit bureaus, but this is not enough. Ideally, reports should be monitored quarterly.
Consider subscribing to a credit report monitoring service. These services will notify you whenever someone requests information about you or applies for credit under your name.
Clients should pay particular attention to unusual credit-related activities, but they should also pay attention to communications from cell phone companies, Internet companies and traditional telephone companies, even if they do not maintain accounts with those firms. Communications from such a firm may be an indication of fraudulent activities.
As the ITRC notes, thieves find the mail a good source of information. Avoid mailing checks or anything containing personal information from home. Drop it at a secure location such as the post office.
If your home mailbox is not secure, make sure your mail is picked up promptly, or have it sent to a post office box.
Consumers can protect their financial data by using updated spyware, virus and firewall protection software and by not responding to bogus "phishing" e-mails that request personal data.
Additional prudent security measures include the following:
Never give out personal information over the phone unless you have initiated the call.
Do not use links contained in an e-mail to navigate to a financial institution's Web site.
Always enter the URL yourself, and always use a secure connection.
Use complex passwords (contains letters, numbers and symbols), and guard them wisely.
Shred financial statements and anything else containing confidential information before disposing of it.
One somewhat controversial recommendation of the Better Business Bureau study is that clients replace paper statements and checks with online statements and bill-paying services. Since this particular study was supported in part by CheckFree, VISA and Wells Fargo, one can question its objectivity; however, the recommendation is not without merit. The ITRC study, as well as other independent studies, has concluded that the mail is a rich source of information for thieves. Financial statements, checks, credit card solicitations and other incoming and outgoing mail may provide thieves with crucial ID theft data.
After the mail is read it must be disposed of, giving thieves another potential source of information. By contrast, electronic documents and payments, if handled securely, could in fact lower the chances of identity theft today.
One electronic service that all clients should be taking advantage of, if available, is the credit card alert. Many credit card companies, including Citibank and American Express, now offer to automatically send electronic alerts by e-mail, voice mail and/or text messages. Among the list of alerts available at various providers are: daily, weekly or monthly spending reports; when monthly charges exceed a user-defined limit; when spending nears credit limit; and suspected irregular usage pattern alert.
While most identity theft today is low tech, there is no guarantee that things will remain the same forever. Advisors and their clients should consistently monitor computing practices to ensure the safety of their data.
One commonly overlooked aspect of computer security is the physical protection of the computer itself. Any computer or server containing confidential records should be locked up in a safe place so that a casual thief cannot easily make off with it. Password protecting and/or encrypting sensitive files adds an addition layer of protection against identity theft.
When a hard drive or other media containing personal information is disposed of, all information should be removed. Deleting files does not remove them from the hard drive; neither does standard reformatting of the drive. A special disk-wiping program must be used to ensure that data is not recoverable by an identity thief.
Spyware is definitely being used by cyberthieves as a tool to steal personal information. Typically, a computer user will download "free" software, and unbeknownst to them, also download a dangerous spyware program along with it. This stealth program will secretly transmit personal information to the thieves. The best way to avoid spyware is to install one or more anti-spyware programs. Microsoft offers a free beta version of their anti-spyware program here: www.microsoft.com/athome/security/spyware/software/default.mspx.
Webroot's Spy Sweeper and Sunbelt Software's CounterSpy are popular and effective commercial products. For those who favor an all-in-one security suite, we recommend ZoneAlarm Security Suite 6.0, which includes a firewall, antivirus, antispam and anti-spyware protection.
The other glaring security hole in many homes and small offices is the wireless router. Today's entry-level routers can be fairly secure if they are installed properly, but most are not. To provide even the most minimal level of security, the default password on routers must be changed, and the security settings must be enabled. Many users fail to do this, making it easy for a thief with inexpensive equipment to literally grab a user's information from the airwaves.
If all of this weren't enough to worry about, new threats always are on the horizon. Have any of your clients asked you about "spit" yet? Haven't yet heard of this emerging threat? The odds are that you will be hearing about it soon. Wikipedia, the free online encyclopedia, defines SPIT as SPAM Over Internet Telephony. This is the VoIP (voice over internet protocol) equivalent of spam (unsolicited e-mail). Imagine a high volume of unwanted voice ads showing up in your voice mailbox. This is just one of the threats that face VoIP users if proper security measures are not implemented.
Spit is an annoyance, but it is one of the less dangerous threats users must deal with in the brave new world of VoIP. I recently did a Web search for the terms "fraud" and "VoIP," and I came across numerous articles outlining potential scams. One popular scam targets the VoIP carrier, rather than the end user. Under this type of scam, a third party contracts with a VoIP service for "bulk" minutes, and then reroutes those calls to a high-cost service ($2 per minute, or something like that). In the end, the VoIP carrier gets caught holding the bag for a big bill. If a client of yours makes use of a local VoIP service that gets scammed, or worse yet invests in one, they could be subjected to a major inconvenience.
Another allegedly popular scam involves the fraudulent rerouting of calls. For example, let's say someone could hack into a VoIP service's software, and reroute calls from a mail-order company to their own extension. The caller would place an order, leaving their personal information-including credit card number. Armed with the credit card information, the hacker could have a field day. Furthermore, since the calls can be routed overseas, detection and prevention can be difficult.
Is there a way to avoid these mishaps? Nothing is foolproof, but some simple precautions can minimize the threat. The easiest is to deal only with firms that have already implemented strict security policies. Network security is a must, as is software that can detect suspicious behavior, such as unusual calling patterns. If you use a VoIP provider, make sure that you are satisfied with their security policies. As a general rule, the larger firms have a lead here over their smaller competitors.
Clearly, advisors and their clients must be vigilant if they are to minimize the impact of identity theft and other security-related crimes. It may be impossible to totally eliminate all threats, but a good understanding of the nature of the crimes and the points of greatest vulnerability can be extremely useful in developing countermeasures. By following the suggestions in this article, readers can go a long way to improving their defenses.
Joel P. Bruckenstein, publisher of Virtual Office News (www.virtualofficenews.com) and an expert in applied technology for financial services professionals, can be contacted at firstname.lastname@example.org.