My thoughts about ID Theft have always been, “It’ll never happen to me because I am vigilant.” However, also, “it sure seems to happen to a lot of people, so is it only a matter of time for me?”
These were essentially conflicting thoughts on ID theft I oscillated between until several weeks ago. I have now acquired the label of “ID Theft Victim.” OK, so that is a slight exaggeration…really it is my spouse, but this change in status affects me, as well.
How did this happen?
According to employer communications, someone internal to the Company had fallen victim to a “phishing scheme” that resulted in copies of W-2s for all employees being provided to an unauthorized external party. This means that a lot of other people are now “victims” of ID theft, through no actions of their own. It turns out that this threat is so common, the IRS sent out a warning notice on March 1st to HR and Payroll professionals.
Here’s the personal impact:
It started with some credit card fraud, which happens here and there every several years anyway. So get a new card and change all of the auto bill payments to the new number. Then within a week we learned that both our federal and state tax returns for 2015 had been filed, and we haven’t even worked up our extensions yet. So that means no more electronic filing of tax returns. Everything has to be manual until we get issued “special” PIN numbers that often take 180 days. Of course, since it has been many years of electronic filing, this also means the need to research how to file paper…really?
And then there is the registration with the FTC, the local police reports, checking Social Security wage information, signing up for credit monitoring and more diligent monitoring of credit files, on-line banking and credit card transactions, and waiting for the next shoe to drop, and hoping not too many do. How about a felony conducted in your name? Now wouldn’t that be fun!
As a reminder, phishing is a way to obtain confidential information, typically by sending an email masquerading as a reputable company, even one you normally do business with.
Tips to avoid falling victim to phishing:
- Do not enter a website from a link in any email. Enter the site directly from the browser and navigate to the required area yourself.
- Read the email address carefully. Often very small changes are made to a legitimate address, such as (1) using dot something else rather than dot com, or (2) making small letter changes, such as “w” becoming “vv” or an extra small letter like “i” being added to a word.
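The address tricks in the second tip (a different ending than dot com, “vv” in place of “w”, an extra letter) can also be checked mechanically before a message reaches payroll or HR staff. This is an added example, not part of the original post; the trusted domains and the `check_sender` helper are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed allow-list: domains the organization really corresponds with.
TRUSTED = {"example-payroll.com", "widgetworks.com"}

def _within_one_edit(a, b):
    """True if a and b differ by at most one added, dropped or changed character."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    if len(a) == len(b):
        return a[i + 1:] == b[i + 1:]   # one character changed
    return a[i:] == b[i + 1:]           # one character added to b

def check_sender(from_header, trusted=TRUSTED):
    """Return (verdict, reason) for the value of a From: header."""
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    if not domain:
        return ("suspicious", "no sender domain")
    if domain in trusted:
        return ("trusted", "exact match")
    # Simplification (assumption): everything before the last dot is the name.
    name, _, tld = domain.rpartition(".")
    for good in trusted:
        good_name, _, good_tld = good.rpartition(".")
        if name == good_name and tld != good_tld:
            return ("suspicious", f"same name as {good} but different ending")
        if name.replace("vv", "w") == good_name:
            return ("suspicious", f"'vv' standing in for 'w' in {good}")
        if _within_one_edit(name, good_name):
            return ("suspicious", f"one letter away from {good}")
    return ("unknown", "not on the trusted list")

if __name__ == "__main__":
    for sender in ("Payroll <hr@widgetworks.com>", "hr@widgetworks.net",
                   "hr@vvidgetworks.com", "CEO <boss@widigetworks.com>"):
        print(sender, "->", check_sender(sender))
```

A "suspicious" verdict is a reason to hold the message for the second-party review, not proof of fraud, and an "unknown" sender still needs the same care with any request for confidential information.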
Cybercrime is a REAL threat, regardless of how careful you are with your own personal data. Other authorized people have that data too, so you must also rely on them to follow good custody practices, and that doesn’t always work out in your favor.
My message is not really to complain. It is to implore you, as Company management, to ensure that people in your organization who work with confidential information are well-trained on cybercrime schemes so they can recognize the opportunities they might inadvertently present to others with less noble intentions. Make sure any thwarted attempts are communicated as appropriate to others in your company so that these issues remain “top of mind” and corporate knowledge is enhanced. Develop rigid policies that must be followed, including a second party review, before someone responds to any request for confidential information. Become familiar with your obligations to your employees and others you do business with in the event of a Company data breach. It probably won’t be fun meeting those obligations.
Cybercrime will certainly drain significant company resources, both money and time. A data breach also generates negative employee goodwill, and harbors reputational risks that can carry an immeasurable price well into the future. We can no longer bury our heads in the sand when it comes to cybercrime. I’ll close by referring back to my first two thoughts at the top of this post – let’s all strive for the first one.