2010 Identity Fraud Survey Report: Consumer Version

February 2010 4301 Hacienda Drive, Pleasanton, CA 94588 USA +1 925 225 9100 t +1 925.225.9101 f www.javelinstrategy.com

Table of Contents Getting a Full Copy of the Identity Fraud Survey Report... 3 Overview... 5 Prevent, Detect, and Resolve... 6 The Difference Between Identity Fraud and Identity Theft... 6 Methods Criminals Use to Obtain Your Information... 7 How Do Identity Thieves Misuse Stolen Information?... 8 Consumer Security Alert: Dangers of Social Networking... 10 Javelin s Top Five Identity Safety Tips: How YOU can Fight Fraud... 12 Additional Recommendations: A Comprehensive Approach to Fighting Fraud... 13 Prevention... 13 How Can I Prevent Identity Fraud?... 13 Detection... 14 How Can I Detect Identity Fraud?... 14 Resolution... 15 What Should I Do if I Become a Victim of Identity Fraud?... 15 Identity Fraud Protection Solutions: What s Out There?... 16 Where Can I Go to Get More Information?... 18 Methodology... 19 Common Fraud Scams and Terms... 19 2

Table of Figures Figure 1: Javelin s Prevention, Detection and Resolution Model... 6 Figure 2: How Theft of Personal Information Happens... 7 Figure 3: What Are the Most Common Methods of Fraud?... 8 Figure 4: Protect Your Information on Social Networking Sites... 10 Figure 5: Secure Your Computer and Personal Information... 13 Figure 6: Earlier Detection Results in Lower Costs and More Timely Resolution... 14 Figure 7: Identity Fraud Protection Services... 16 Figure 8: How to Contact the Three Credit Bureaus... 18 Where Can I Get the Industry Version of the 2010 Identity Fraud Survey Report? If you are a business or industry professional looking for more detailed statistics, incidence rates and fraud figures from our 2010 Identity Fraud Survey, please reference the full report, entitled: 2010 Identity Fraud Survey Report: Identity Fraud Continues to Rise New Accounts Fraud Drives Increase; Consumer Costs at an All Time Low The full report consists of 96 pages with 67 graphs and tables and can be accessed for purchase on the research page of our website at www.javelinstrategy.com/research, or by calling a sales representative at (925) 225 9100. This consumer version was intended for the sole purpose of consumer education and awareness. Javelin recommends purchasing the full report for a complete analysis, including an overview of the key findings, new trends, quantitative cross tabulations, and benchmarking U.S. identity fraud data. 3

Authors: Contributors: Research: Editor: Danielle Miceli, Research Associate Rachel Kim, Analyst Robert Vamosi, Analyst, Security, Risk and Fraud Mary T. Monahan, Managing Partner and Research Director Tom Wills, Senior Analyst, Risk and Fraud James Van Dyke, President and Founder Shailaja Dixit, Senior Analyst Alan Ruperto, Associate Analyst Levi Sumagaysay Publication Date: February 2010 Javelin s 2010 Identity Fraud Survey Report: Consumer Version provides tips and recommendations for consumers to help prevent, detect and resolve identity fraud. This study is designed to help consumers lower their risk of identity fraud by equipping them with the tools and resources necessary to detect and resolve this crime. Over the past six years, Javelin has surveyed nearly 30,000 adults to determine how consumers are being affected by identity fraud in the United States. The 2009 phone survey of 5,000 adults is the most up to date identity fraud study in the United States. Javelin s identity fraud study reaches an audience of 13 million and is a factual resource for the Federal Trade Commission (FTC) and Better Business Bureau (BBB). For commercial institutions desiring to view the complete version of this research study, the 2010 Identity Fraud Survey Report: Identity Fraud Continues to Rise New Accounts Fraud Drives Increase; Consumer Costs at an All Time Low: (96 pages) is available for purchase. This research study is made possible by companies committed to helping consumers reduce their risk of identity fraud. Through their sponsorships, Fiserv, Inc., Intersections Inc., Wells Fargo & Company and ITAC, the Identity Theft Assistance Center have contributed to combating identity fraud and educating consumers. The Better Business Bureau also supports this study. Javelin maintains complete independence in its data collection, findings, and analysis; the report is a product of Javelin employees only. The sponsors contribution to the study includes partially underwriting the data collection, analysis and reporting costs. About Javelin Javelin provides superior direction on key facts and forces that materially determine the success of customer facing financial services, payments and security initiatives. Our advantages are rigorous process, independent position, and expert people. 4

OVERVIEW More than 11 million adult consumers became victims of identity fraud in 2009, up from nearly 10 million in 2008. The number of fraud victims rose for the second year in a row. On the other hand, victims out of pocket costs and the time required to resolve fraud have decreased. Out of pocket costs can include unreimbursed losses, lost wages due to time taken off work, and possible legal fees for those victims attempting to prosecute. Banks have stepped up their efforts in counteracting fraud and minimizing the cost and inconvenience suffered by consumers. Most victims don t experience any out of pocket costs, but those who did suffered an average cost of $373. The average time to resolve the fraud for these victims was 21 hours. Due to the zero liability fraud protection offered by most banks and credit card companies, most victims will only have to pay out of pocket expenses to cover their time in resolving fraud, not for reimbursing fraudulent charges. Over the past six years, Javelin has collected data from nearly 30,000 adults to measure the overall impact of identity fraud on consumers. In 2009, 5,000 adults, including 703 actual fraud victims, answered questions regarding their day to day financial practices and behaviors to help determine the potential causes of such fraud. This report provides easy to follow guidelines and recommendations for consumers to protect themselves against this $54 billion crime. Javelin s goal is to equip consumers with proven methods to prevent, detect, and resolve identity fraud. The recommendations on the following pages are based on the results of our latest study and are backed by the most up to date identity fraud findings available. 5

PREVENT, DETECT AND RESOLVE The Difference Between Identity Fraud and Identity Theft Both identity theft and identity fraud are used throughout this report. Most people are familiar with the term identity theft, which is widely used by most media, government, consumer groups and non profit organizations. However, it is important to distinguish between the two terms, as they each have different meanings. This points to the complexity of identity theft/fraud as being a two part crime. True identity theft is the exposure of personal information and typically happens when your personal information is taken by another individual without your explicit permission. Identity fraud is the actual misuse of information for financial gain and occurs when criminals take illegally obtained personal information and make fraudulent purchases or withdrawals, create false accounts or modify existing ones, and/or attempt to obtain services such as employment or health care. Personally identifiable information such as your Social Security number (SSN), bank or credit card account numbers, passwords, telephone calling card numbers, birth date, name and address can be used by criminals to profit at your expense. By accessing and using relatively basic information, a criminal can take over your existing financial accounts or use your personal information to create new ones. There are numerous ways that a criminal can partake in identity fraud, including the following: unauthorized withdrawal of funds from an account, fraudulent purchases to credit cards, and creating new accounts (banking, telephone, utility, loans), all of which can have a damaging effect on an individual s credit. In fact, the first notification that fraud has been committed might be an unfamiliar account seen on a credit report or through contact from a debt collector. Figure 1: Javelin s Prevention, Detection and Resolution Model 2010 Javelin Strategy & Research 6

Methods Criminals Use to Obtain Your Information Many identity thefts can occur through traditional methods such as stolen wallets and friendly frauds, in which the crime is committed by a person known to the victim. In fact, among the victims who knew how their data was taken, lost or stolen wallets, checkbooks, or credit cards accounted for nearly two times as many instances of theft as all online attack methods combined. Identity theft occurrences are often the result of the most remedial and simple ways to steal information, not through hacking or elaborate Internet schemes. Because there are numerous methods in which information can be stolen and that identity theft can be committed, consumers should protect themselves through a variety of best practices and effective behaviors. These are discussed in detail in the Top Five Tips and Additional Recommendations sections. Figure 2: How Theft of Personal Information Happens When the victim is involved When a business or institution is involved Through a lost or stolen wallet Through transactions/purchases made in a store Through stolen information in the home or workplace by a family member, friend, or in home employee Through the mail Through hacking incidences, such as Trojan horses, keylogger software, viruses, malware/spyware on a computer Through a data breach, whereby a business or organization that accesses personal information (hospital, school, department store, company, etc.) has been compromised Through dumpster diving Through shoulder surfing, in which someone obtains personal information by looking over an unsuspecting individual s shoulder By phishing or vishing, in which someone pretends to be a bank or trusted source and tricks a customer into providing personal and confidential information through e mails, calls, or SMS text messages Through social networking sites where personal information can be found and communication with fraudulent individuals can occur Through new and innovative ways that criminals are constantly developing 2010 Javelin Strategy & Research 7

HOW DO IDENTITY THIEVES MISUSE STOLEN INFORMATION? Figure 3: What Are the Most Common Methods of Fraud? Make purchases in person Make purchases online Make purchases over the phone or through the mail Withdraw cash from an ATM Write checks 10% 10% 21% 42% 42% Buy prepaid cards or gift cards Make/attempt to make purchases (unspecified) Bill payments Obtained a new credit card/account in my name Obtained health care Cash withdrawal 6% 5% 4% 3% 3% 2% 0% 10% 20% 30% 40% 50% Q11: How was your information misused? November 2009, n = 649 Base: All fraud victims 2010 Javelin Strategy & Research Once criminals have stolen data, the most common methods they use to commit identity fraud are through making in store and online purchases. The chart above shows that both in person and online purchases account for more than four in 10 cases of fraud. Because online purchases require only a credit or debit card number, this method of fraud is increasingly favored by criminals. Additionally, slightly more than 20% of victims of identity fraud had their information used to make phone or mail order catalog purchases. One of the most effective ways in which consumers can protect themselves from offline and online identity fraud is to monitor their accounts online for unauthorized and unknown purchases. Through online banking, consumers can see all banking and credit card transactions in realtime. If there are purchases that were not made by the account holder, the financial institution should be notified immediately to investigate the charges. If checks or credit/debit cards are lost or stolen, notify your bank immediately to help stop criminals from being able to make purchases. 8

When shopping online, consumers can take additional precautions to protect their payment and personal information. Enrolling in Verified by Visa or MasterCard SecureCode, which allows you to have an additional password when making purchases online, offers consumers greater security. There are also programs such as Trusteer s Rapport and IDVault offered by financial institutions, which can alert users when they enter a website for the first time, thus creating an additional layer of security to prevent users from entering their information into a fraudulent site. In terms of offline identity theft protection, shredding all documents that contain personal identifiable information is an easy way to prevent sensitive documents from getting in the wrong hands. Consumers should never give away sensitive information over the telephone; they should make the initial call to the trusted number to ensure the identity of the source requesting information. Enrolling in paperless statements will prevent thieves from obtaining information sent through the mail. Above all, consumers should take advantage of direct deposit, paperless banking statements and electronic bill payment services to prevent unnecessary exposure of paper documents containing sensitive information. 9

CONSUMER SECURITY ALERT: DANGERS OF SOCIAL NETWORKING As of November 2009, more than half of all U.S. consumers indicated they have used or are using social networking sites. Popular social networking sites such as Facebook, Flickr, Friendster, LinkedIn, MySpace, and Twitter are continually gaining popularity and user adoption. Javelin found that core millennials (consumers ages 18 to 24) reported a higher account misuse or information exposure through social networking sites than other age groups, and Javelin predicts that social networking fraud and potential threats will escalate in the upcoming years. One of the dangers of social networking sites is the public display of personal information. Personal pages and account profiles can expose sensitive, personally identifiable information, and hints on how to easily find it. Criminals can harvest this information to take over accounts or open fraudulent accounts. Users should not store or reveal personal contact information, including phone numbers, Social Security number, date of birth, e mail addresses, physical addresses, mother s maiden name, or other information that could potentially allow a fraudster to obtain sensitive information or hints to passwords. Figure 4: Protect Your Information on Social Networking Sites 10

As more companies in the financial industry are using social networks to market their products and services, consumers must be aware of and cautious about who has access to their information. Banking and payments activity on the social networks has attracted the attention of criminal hackers, fraudsters, spammers and scammers. Consumers are more apt to trust both networking sites than other web activities because they are built on the core concept of making friends and networking. Unfortunately, the world s leading social media sites were designed with minimal privacy and security controls. Fraudsters will keep attempting to target users to obtain personal information and steal identities through these avenues. When thinking about joining and/or using a social networking site, keep the following in mind: Consider site privacy and logistics policies: Some sites allow only a controlled community of users to access posted content, while others do not have strict privacy control policies. Restrict access to your profile and information: Do not reveal sensitive information (e.g., full birth date, full address, etc.) on your profile, account settings, or through any communication. Do not correspond with anyone you do not know or trust. Do not post or reveal personal information: SSNs, addresses, driver s license number, phone numbers, or bank and credit card account numbers should never be posted or visible online. Likewise, do not post anyone else s personally identifiable information. Your typical hangouts, groups to which you belong, photographs, and similar information can be used by fraudsters to identity you and misuse your information. Use extreme caution when giving away any information. Use unidentifiable screen names: Make sure your screen name does not reveal your name, age, hometown, or residence. Do not trust strangers: You do not know who you are communicating with or what information this person can extract from your conversations. Always verify the legitimacy of a company before divulging any personal or account information. Do not provide sensitive financial information over the Internet or phone, such as SSNs, passwords, PINs or account numbers, unless you initiated the contact and are communicating with a verified and secure location, such as the number or web address on the back of a credit card or statement. 11

JAVELIN S TOP FIVE IDENTITY SAFETY TIPS: HOW YOU CAN FIGHT FRAUD Consumers who take precautionary steps to protect themselves and their identity, and are proactive in their approach to combat identity fraud, are less likely to have their personal information stolen and misused. Javelin s Recommendations for Prevention, Detection and Resolution of Identity Fraud This factual, comprehensive five step safety plan helps battle crimes of mistaken identity: 1. Prevent Criminal Access by Protecting your Paper Documents Keep sensitive information from prying eyes. Request electronic statements, use direct deposit, and don t put checks in an unlocked mailbox. When your Social Security number is requested as an identifier in paper documents, ask if you can provide alternate information. At home or work, secure your personal and financial records in a locked storage device last year, at least 13% of all identity crimes were committed by someone previously known to the victim. Shred any sensitive paper documents. 2. Prevent High Tech Criminal Access Install anti virus software on your computer and keep it updated along with your applications and operating system. Secure your electronic personal and financial records on your computer behind a password. Never respond to requests for personal or account information online (or over the phone). Watch out for convincing imitations of banks, card companies, charities and government agencies in the mail, on the Web, over the phone, or on your mobile device. Use legitimate sources to contact financial institutions, such as an official website or the telephone number listed on statements and the back of bank or credit cards. Don t publish your birth date, mother s maiden name, pet s name or other identifying and personal information on social media websites. Use unique and hard to guess passwords, including for your wireless Internet connection, and don t access secure Web sites using public Wi Fi. Install security patches and software updates as soon as they are released by verified sources. For phones, turn off Bluetooth and Wi Fi if they are not being used. 3. Detect Unauthorized Activity in Existing Accounts Monitor current available bank and credit card account balances at least weekly, via online, mobile, ATM, or touchtone banking. Sign up for alerts to be sent to your mobile phone or e mail account. Javelin s study of 5,000 adults finds 43% of all reported identity fraud cases are spotted by consumers self monitoring their accounts and those who use more timely electronic methods to detect fraud experience lower average out of pocket costs. 4. Detect Fraudulent Establishment of New Accounts Monitor your credit reports and non credit account information to spot unauthorized activity. Free credit reports from each of the three major credit bureaus are available each year through annualcreditreport.com or 877 322 8228. Optional fee based services, such as more extensive monitoring of credit information, personal identity records and Social Security numbers offer timely and thorough protection. If you receive a letter notifying you that your private records were involved in a data breach, 1) confirm the letter is legitimate 2) take advantage of any free protection services that are offered and 3) place a fraud alert on your credit report. A fraud alert requires lenders to make sure it is actually you applying for credit. One in four letters are followed by actual fraud, yet many who are alerted fail to take action. 5. Resolve Identity Fraud Completely Work through your bank, credit union or protection services provider to report problems immediately and take advantage of your financial provider s offers of loss protections (all large financial institutions offer zero liability for debit and credit cards and many provide the same protection for online banking and bill pay). 12

ADDITIONAL RECOMMENDATIONS: A COMPREHENSIVE APPROACH TO FIGHTING FRAUD In addition to Javelin s top five tips, there are many other ways for consumers to protect themselves against identity fraud. Javelin recommends a comprehensive, three part approach to best address and combat fraud: prevention, detection and resolution. This section provides steps to prevent fraud from happening, actions to detect fraud if it does occur, and how to resolve fraud if you become a victim. Figure 5: Secure Your Computer and Personal Information Prevention How Can I Prevent Identity Fraud? Consumers can best prevent identity fraud by carefully protecting sensitive information, such as PINs, banking and financial account numbers, SSNs, and limiting the exposure of potentially personally identifiable information. Consumers also should be aware of common fraudster techniques, such as phishing, vishing, and other scams. 1. Regularly install and update firewall, anti virus and anti spyware software on your computer (and mobile device when possible). Also, all operating systems and browser settings should be up to date. 2. Do not reveal sensitive or personal information on social networking sites. This includes Facebook, Flickr, Friendster, LinkedIn, MySpace and Twitter, among others. These sites can provide fraudsters with personal information to access accounts. 3. Recognize secure websites. Do not provide card or personal information at unsecured sites. EV SSL and SSL sites are the most secure and use encryption and other security methods to protect consumer information. To recognize these sites, make sure there is a padlock symbol and an s after the http in the address bar ( https ). If you double click on the padlock symbol, the SSL certificate will appear. If the website has an additional layer of security (EV SSL), green highlighting will appear in the address bar if the consumer accesses the site using a high security browser. High security browsers are safer for consumers to use (e.g., Microsoft Internet Explorer 7 and 8, Firefox 3, Opera 9.5, Safari 3.2, Google Chrome and Flock 2.0). 4. Reduce unnecessary access to financial cards and documents. Do not carry around Social Security cards or unnecessary credit cards or checks. Shred documents with sensitive information prior to disposal, and keep your documents and all personal information in a safe place, inaccessible to those around you. 13

5. Opt out of pre approved credit offers. Call 1 888 5 OPTOUT (1 888 567 8688) or visit www.optoutprescreen.com to be removed from credit card applications and other mail that contains personal information. 6. Follow safe password practices. Passwords should be at least eight characters long, and should be changed frequently. They should contain at least one combination of upper/lowercase letters, numbers, or symbols. Keep them stored in a safe, protected place. Do not use easily guessed passwords, such as your birth date, the name of a close relative, or your pet s name. Do not use dictionary words, the name of the website, or the word password. Capitalized letters shouldn t be the first character (capitalize a random letter) and numbers should be used throughout the password. 7. Use secure internet connections. Avoid accessing websites displaying personal or account information using unsecured Wi Fi connections, such as when at coffee shops, libraries, or airports. The page itself might be secure, but the data transmitted over unsecured wireless connections is not. Also ensure that the Internet connection used at home and at work is through a secure network protected by firewalls. 8. Be aware of your surroundings. Be mindful of those in close proximity that could overhear or watch as you access sensitive financial or personal information. This includes instances when you are on the phone, logging into websites, purchasing at stores, or reading sensitive documents. Detection It is critical that consumers detect fraud as early as possible to minimize potential losses and fraud resolution time. Faster detection results in lower out of pocket expenses for the victim, which includes unreimbursed losses, legal fees, and lost wages. The sooner fraud is detected, the easier it is to resolve, and the less the criminal is able to steal. Figure 6: Earlier Detection Results in Lower Costs and More Timely Resolution How Can I Detect Identity Fraud? Javelin research has consistently shown that consumers are the most successful at being able to detect identity fraud relating to their accounts. The most efficient way to combat fraud is when consumers and institutions (banks, government agencies such as the FTC and other organizations dedicated to fighting fraud) work together. Consumers must be proactive in their approach to best protect themselves against fraud, and should work with institutions in safeguarding their identity. 1. Monitor your credit report on a regular basis. Review and confirm that all the accounts listed belong to you, and that no unauthorized charges have been made or unknown accounts or credit lines have been opened. Free reports are available at AnnualCreditReport.com or by calling 1 877 322 8228. By contacting a different one of the three credit bureaus every four months, it is possible to stagger your free reports to review your credit report three times a year at no charge. To block access to your credit report, refer to the Resolution section. 14

2. Sign up for e mail and mobile alerts through your primary bank and credit card company. E mail and SMS text alert notifications should be set up through financial institutions to alert customers of suspicious activities and changes to their personal information. There is an array of alert offerings consumers can choose the ones that best coincide with their typical banking behaviors and practices, thereby increasing identity fraud protection. Adding a new registered user and changing the address on the account are the two most common methods used by fraudsters to take over accounts, so setting up a new user alert and an address change alert is important if your financial institution and/or card issuer offer these. 3. Review financial statements promptly. Check account balances at least weekly through online banking, mobile banking, by phone, or ATM. Regularly monitor all financial accounts; banking, biller, and credit card accounts should be carefully analyzed electronically. Waiting for paper statements is one of the slowest and most cumbersome ways to detect fraud. Consumers who discover their frauds using electronic vs. paper statement monitoring have shorter detection times and pay lower average consumer costs. Confirm that all transactions are authorized and that there is no suspicious activity or unapproved changes to accounts. Americans who monitor their accounts frequently are most likely to discover unauthorized activity and to detect fraud earlier, thus reducing costs to all parties involved in resolution. Resolution What Should I Do if I Become a Victim of Identity Fraud? The first thing to remember if you become a victim or identity theft or fraud is not to panic. When it comes to your financial accounts, for example, banks are prepared to deal with the identity theft resolution. There is most likely a team dedicated to resolving identity fraud and guide victims through the process. By following the few simple steps below, you can help ensure that your fraud case is handled as quickly and as painlessly as possible. The following actions can serve as a checklist/resource guide for what to do in the event that you become a victim. 1. Immediately contact your bank and credit card companies. If physical documents such as a checkbook, wallet, or debit or credit cards are lost or stolen, if there is unauthorized account activity (suspicious transactions), or if there are changes to personal information such as to a physical address, e mail address, new registered user, login or password, paper statement turn off, etc., the appropriate institutions must be notified as soon as possible. Depending on the individual case, the financial institutions will close your account, cancel your debit or credit cards, and take any other necessary precautions. They will also assist you in setting up new accounts and reissuing new debit and credit cards. 2. Contact the Federal Trade Commission. To report incidents of suspected fraud or identity theft, contact the FTC online at www.ftc.gov/bcp/edu/microsites/idtheft to fill out a complaint form or call 1 877 IDTHEFT (1 877 438 4338). Alternately, the FTC can be reached via mail at Identity Theft Clearinghouse, Federal Trade Commission, 600 Pennsylvania Avenue, NW, Washington, D.C. 20580. 3. Place a fraud alert on your credit report. If your personal information has been compromised, or if you have been a victim of fraud, immediately contact the three primary credit reporting agencies: Equifax, Experian, and TransUnion. (Refer to Figure 6 on page XX for contact information.) All of these companies provide credit monitoring services as well as additional products and services. Fraud alerts notify creditors that a potential fraud has occurred and that they should verify the identity of the applicant before extending credit. An initial alert stays active for 90 days, and an extended alert for identity fraud victims lasts seven years. 4. Consider placing a security freeze on your credit report. If you have been a victim of new accounts fraud more than once and are not actively applying for credit, you may want to place a security freeze on your credit report at each of the three reporting agencies. A security freeze will block access to your credit report, and will help stop new accounts fraud from occurring, but will not stop existing accounts fraud. You should also obtain a copy of your free credit reports to see if the fraud has already occurred. 5. File a police report. If fraud has occurred, contact your local police agency to fill out an identity fraud report. Make sure to save a copy for your personal records. 15

IDENTITY FRAUD PROTECTION SOLUTIONS: WHAT S OUT THERE? In addition to the guidelines and recommendations above and throughout the report, there are additional services for consumers who want extra protection against new accounts fraud the type of fraud in which a criminal uses your social security number and other pieces of personal identifying information to create a fraudulent account in your name (e.g., a fraudulent credit card account, or a fraudulent cell phone account). Credit monitoring, credit freezes, and data scanning can either be purchased for a fee, while fraud alerts can be placed at no cost. Figure 7: Identity Fraud Protection Services Service Credit monitoring Fraud alert Credit freeze Personal information monitoring Description A paid subscription service that monitors your credit for suspicious activity or changes to your credit file (i.e., credit inquiries, employment changes, new accounts or address changes) Intended to detect potential new accounts fraud A message that is placed on your credit report, requiring lenders and creditors to confirm your identity before issuing a new line of credit Intended to prevent potential new accounts fraud Freezes your credit file at the credit reporting agencies, which are then prohibited from issuing your credit history to any lender, creditor, etc. Intended to prevent potential new accounts fraud Scans public records, third party databases and Internet sites to detect exposure of your personal information (credit card numbers, Social Security numbers, etc.) Intended to detect potential identity theft 2010 Javelin Strategy & Research Credit monitoring services are generally fee based. They regularly monitor your credit for suspicious activity and changes to your credit file. E mail alerts are sent when abnormal activity is detected. You have unlimited access to your credit report from all three primary credit bureaus. Credit monitoring is designed to detect potential fraud as soon as possible, and is one of Javelin s best customer safety preventative recommendations because it is extremely effective in early fraud detection. Fraud alerts can be set up at no cost by contacting the fraud departments of all three major credit bureaus and asking them to mark your credit file. Each bureau is required by law to notify the other two agencies, but Javelin and consumer privacy advocates recommend placing alerts at all three bureaus. Fraud alerts are an important feature in preventing someone from opening a fraudulent new account (such as a new credit card or loan) in your name. With an alert in place, a creditor is required to use additional measures to verify that consumers applying for credit are really who they say they are. With new accounts fraud being the most expensive and most difficult type of fraud to resolve, consumers should take advantage of this as a critical, preventative service. Fraud alerts remain in place for 90 days, after which the consumer will need to renew the alert. Fraud victims with proof of identity fraud qualify for the seven year victim statement, which will keep the alert in place for seven years. 16

Credit freezes lock down your credit file and prevent any lender or creditor from accessing your credit history. This service is designed to block new credit from being issued in your name. If you are a victim of identity fraud, depending upon the state in which you live, you may qualify for free coverage. If you are not eligible for free coverage, it may cost up to $30 to place a freeze and $30 to remove it through the credit bureaus. Credit freezes are only recommended for people who will not be actively applying for credit. If you place a credit freeze, you cannot apply for new credit unless you remove or temporarily lift the freeze, which could take up to a few days. Personal information monitoring is a service that scans public sources of information, including Internet sites and public records, to detect if personal information has been compromised. In using this service, you can determine if there have been changes to your accounts or information. 17

WHERE CAN I GO TO GET MORE INFORMATION? There are a number of places to get more information. Javelin has used the results of its study to create an easy to use safety quiz and a list of recommended tips, which can be accessed at: www.idsafety.net The 2010 Identity Fraud Report s sponsors, Fiserv, ITAC, the Identity Theft Assistance Center, Intersections Inc. and Wells Fargo & Company, also make safety recommendations: Fiserv, Inc. www.ebillplace.com/staysafe Intersections Inc. www.identityguard.com/consumer tools Wells Fargo & Company www.wellsfargo.com/privacy_security/fraud/ ITAC, the Identity Theft Assistance Center www.identitytheftassistance.org. Figure 8: How to Contact the Three Credit Bureaus Credit Bureau: Equifax Experian TransUnion Order Credit Report 800 685 1111 888 397 3742 800 888 4213 Report Fraud 888 766 0008 888 397 3742 800 680 7289 Web Address www.equifax.com www.experian.com www.transunion.com Mailing Address Equifax Consumer Fraud Division P.O. Box 740241 Atlanta, GA 30374 Experian Consumer Assistance P.O. Box 9532, Allen, TX 75013 TransUnion Victim Assistance Dept. P.O. Box 6790 Fullerton, CA 92834 *Note: To order free annual credit report from any or all: contact www.annualcreditreport.com or call toll free at 877 322 8228 18

METHODOLOGY A detailed description of methodology for the Javelin 2010 Identity Fraud Survey Report can be found at IDsafey.net. Common Fraud Scams and Terms To clarify common fraud scams and terminology, definitions are provided below. Javelin uses identity fraud as the term to describe the crime discussed in this report. Because this report s underlying survey was based on interviews with individuals who were the victims of fraud committed using at least some portion of their personal information, it will not include other categories of crime such as synthetic identity fraud, which is based upon a wholly fictitious identity. However, Javelin believes that many identity frauds do contain a mixture of true and synthetic components, and these frauds are included in this report. To clarify the usage of common terms by Javelin and different types of scams, definitions are provided below: Account takeover fraud Advanced fee fraud Cloning mobile phone Cloning payment card Card not present (CNP) Consumer cost Credit freeze Data breach Drive by download Existing accounts fraud method of identity fraud in which a fraud operator attempts to gain access to a consumer account by fraudulently adding his/her information to the account; changing the mailing address or making other alterations any scam that, during its course, requires fees to be paid by the victim before other funds are received. Usually, these fees are explained by the criminals to be processing fees, bribes, finding fees, etc. The other funds are never received by the victim. every mobile phone has a unique electronic serial number (ESN) and telephone number (MIN); a cloned mobile phone has been reprogrammed to transmit the ESN and MIN of a legitimate cell phone and the legitimate phone is billed for the clone s calls on the magnetic stripe of a payment card are two tracks that have recorded the card details, track 1 and track 2. Criminals copy and use the track data details to create duplicate payment cards. transaction in which the card is not present at the time of transaction. Card data is manually inputted. the out of pocket costs incurred by the victim in order to resolve a fraud case. These include postage, copying, notarizing documents, legal fees, and may also include payment of any fraudulent debts in order to avoid further problems security freeze placed on a consumer s credit file to prevent the file from being shared with anyone, thus forestalling new accounts from being opened in the consumer s name unauthorized disclosure of information that compromises the security, privacy, or integrity of personally identifiable data. act of compromising a PC passively by downloading a malicious file while the victim views the content of a Web site identity fraud perpetrated against either or both existing card and existing noncard accounts 19

Existing card accounts fraud Existing non card accounts fraud Fraud amount Identity fraud Identity theft Interactive financial messaging Keylogger identity fraud perpetrated using existing credit or debit cards and/or their account numbers identity fraud perpetrated using existing checking and savings accounts, and existing loans, insurance, telephone, and utilities accounts total amount of funds that the fraud operator obtained or tried to obtain illegally. These may result in actual losses to various businesses and organizations (and in some cases to the consumer). These may also be funds that are either recovered or the loss is avoided due to preventive measures adopted by the businesses unauthorized use of some portion of another s personal information to achieve illicit financial gain. Identity fraud can occur without identity theft. For example, it can occur with relatives who are given access to personal information or by the use of randomly generated payment card numbers. unauthorized access to personal information. Identity theft can occur without identity fraud. For example, it can occur with large scale data breaches. two way messaging between FIs and their customers, including alerts for consumer directed prohibitions malicious, hidden software that monitors your keystrokes to collect e mail and online banking usernames and passwords. This information is remotely stored and sent to potential hackers and fraudsters. Mail order/telephone order (MOTO) mail order/telephone order: orders placed through mail or telephone channels (a type of card not present transaction) Malware Man in the middle (MITM) Mutual authentication New Accounts and Other frauds Non identity fraud Pharming Phishing Pretexting Scanning Skimming malicious software designed to gain access to or damage a computer system without the owner's knowledge or consent an attack in which a perpetrator is able to read, insert and modify at will, messages between two parties without either party knowing that the link between them has been compromised method by which both the FI and the customer can identify each other, for example, by providing and identifying shared secrets. identity fraud perpetrated by using the victim's personal information to open fraudulent new accounts direct misrepresentation by a fraudulent merchant, investment firm, charity or other organization that results in financial loss to the consumer attack in which malicious code is installed on a personal computer or server, misdirecting users to fraudulent websites without their knowledge or consent method of "fishing" for Internet users passwords, financial or personal information by luring them to a fake website through an authentic looking e mail that impersonates the victim s financial institution collection of information about an individual under false pretenses (the pretext ), usually done over the phone, such as calling a bank while posing as a customer to find out personal information a program similar to virus scanners used to detect malicious software on a computer the theft of payment card information in what is otherwise a legitimate transaction (Example: skimming devices are sometimes placed at unattended gas stations to record the card information of purchasers). 20

Smishing Spam Spoofing Spyware Surf through downloads Synthetic identity fraud Trojan horse True name fraud Virus Vishing VoIP Worm a version of phishing sent by SMS messaging (text messaging), which sends a cell phone message that directs victims to a website that downloads malicious spyware (Trojan horse) onto the victim s cell phone or computer. unsolicited messaging (usually in the form of e mail) sent out in large quantities to a large number of recipients, usually containing some kind of untrustworthy advertising method in which a person or program successfully disguises itself as another. Generally, the user receives e mail that appears to have originated from a legitimate source when it actually was sent from an illegitimate source. software that is installed unknowingly on a personal computer to intercept or take partial control over the user's computer activity. Spyware programs can collect different types of personal information, but can also interfere with user control of the computer, such as installing additional software and redirecting web browser activity. also known as drive by downloads, surf through downloads are downloads that occur without any knowledge of the user. Surf through downloads may happen by visiting a website, viewing an e mail message or by clicking on a deceptive pop up window. fictitious identity created to defraud an organization; typically generated using a real Social Security number and multiple different names. These frauds are covered under this survey because a consumer victim is involved. To be considered true synthetic identity fraud, all consumer information must be fictitious, which is very rare. In the unlikely event that all components of the identity are fictitious this would not be covered under this survey. program that appears to be a useful file (i.e., a music file or software upgrade) from a legitimate source, tricking the victim into opening it. Once activated, the Trojan horse allows intruders to access private information. see identity fraud a computer program that can replicate itself and infect computers without the owner s consent or knowledge. Viruses can be transmitted as attachments to an e mail or in a downloaded file, or be present on a CD or other forms of digital media. version of phishing that uses a combination of e mail and telephone, or just telephone; the victim is urged to resolve an account issue by a criminal posing as a financial institution, and is thereby prompted to provide personal information. Voice over Internet Protocol: a protocol for transmitting voice over the Internet. Criminals are using VoIP to place autodial phone calls to commit frauds because the calls are inexpensive and difficult to trace. computer program that makes copies of itself on its own. It uses a network connection to send copies of itself to other computers on the network (e.g., by sending out infected e mails). Unlike a virus, it does not need human assistance to travel. 21