June 28, 2022
By Pavel Jiřík in Blog
There have been countless famous (and less so) cases of identity theft in history - from False Dmitry I, who posed as the miraculously rescued youngest son of Ivan the Terrible, to dozens of girls pretending to be Grand Duchess Anastasia Nikolaevna of Russia. All they needed was a convincing story that could persuade people to do what they wanted.
Modern con artists and fraudsters aren’t that much different. Using a believable tale and a bit of psychological manipulation, they can persuade people to hand over their credit card details or other important personal information like ID details. In the US alone, identity theft cost citizens $56 billion in 2020. Worldwide, 86% of consumers have fallen victim to identity theft or fraud at least once.
The situation is even worse if cybercriminals can obtain information from a business database - then they will have access to millions of records that they can use for fraud. Sometimes, such attacks are so spectacular that they even make it to the news. We’ll take a look at some examples of those in a moment.
What Is Identity Theft?
Identity theft occurs when someone obtains your personal information and uses it without your consent or knowledge. They might then use your personal information to apply for a loan, make purchases using your credit card, or apply for government support money or medical services, to name a few examples.
The biggest problem with those attacks is that many victims realize far too late that they have been scammed - often when their credit card is declined during shopping or when a bank calls to remind them about an overdue loan. According to the FTC, someone becomes the victim of identity fraud every 14 seconds!
What is required in order for someone to take over your life? Just a bit of carelessness, actually - like responding to a survey that promises a shopping voucher, falling for a “technical support scam” when a criminal posing as a tech support employee asks you to download something, or answering a call from someone offering to help you fill in tax returns or government aid paperwork.
You just have to make the mistake of giving them some information that is “necessary for verification”. As soon as a criminal obtains your online login and password information, ID number, or social security number, they know exactly how to take advantage of it - often with devastating consequences.
How Can Identity Theft Affect You?
Whichever scheme an identity thief uses to steal your data (from coercing you to give the details yourself, through attacking a company’s database, to buying the information on the darknet), their goal is the same - their own financial gain. Here are some examples of what identity thieves might do with your sensitive data:
- Open fraudulent credit cards
- File phony health insurance claims
- Use your bank account or credit card to make unauthorized purchases
- Sell your data on the darknet
- File a fraudulent tax return or steal your tax refund
- Access your bank account and change the pin codes or security answers
- Take out loans in your name
Depending on the type of theft that occurs and how the criminal uses your information, you might find that your bank account is empty, that several unauthorized purchases were made, or that there are overdue loans on your account. How long it takes to fix the situation will also depend on how quickly you responded and how much damage was caused - it could take a day, but it might be months or even years.
While you can’t exactly prevent yourself from being the target of an attack, if you learn how your data can be stolen and what fraudsters might do with it then you'll be better able to protect it and act quickly if someone does manage to obtain it. What better way to learn than looking at some examples of successful attacks? Let’s see some of the most spectacular identity theft cases in the last few years.
The 4 Biggest Identity Theft Frauds in Recent Years
The COVID-19 outbreak has brought a real surge in cybercrime. Fraudsters not only took advantage of companies having to move most of their business operations online but also used the chaos to trick regular people into sharing their personal data by pretending to offer governmental support or testing kits.
The number of attempts to steal our data is so high nowadays that they rarely make the headlines anymore - unless it's something really spectacular. But even before remote work times we had a couple of astonishing theft cases - let’s look at some of them.
The David Matthew Read Case
In 2018, 35-year-old David Matthew Read and 37-year-old Marc Higley, pretending to be Demi Moore’s personal assistants, reported that she had lost her no-limit American Express card and requested that a new one be issued.
Read obtained his target’s social security number and other identity information from the internet, then used this data to write a request to American Express to replace the card that Moore had “lost”. He then posed as her personal assistant sent to retrieve the “Black” card at a Santa Monica FedEx facility. Read even manufactured an ID badge that looked like it came from the Hollywood actress to bolster his claim that he worked for her.
Then, Read spent over $169,000 in the span of five weeks shopping at New York's luxury shops, most likely to resell the goods later. Higley meanwhile accompanied Read on shopping trips to multiple Nordstrom, Apple, Bloomingdales, and Saks Fifth Avenue stores around Los Angeles.
How were they caught? Read made a pretty silly mistake - he used the stolen credit card together with his own personal one to pay off a balance on some of the transactions. Surveillance cameras later caught both him and Higley using the stolen card in a Nordstrom store.
In the end, Higley was sentenced to 14 months in a halfway house and ordered to pay restitution of $52,670. Read, who had already been charged for allegedly purchasing a Mercedes using another person's information, was sentenced to years in federal prison.
The Turhan Armstrong Case
Turhan Armstrong was convicted in 2017 of managing a $3.3 million scam using stolen identities. What makes the case especially egregious is that Armstrong used the Social Security numbers of children and people who had left the US.
Because parents seldom monitor their children's credit scores and people who have left the country are also not expected to monitor them, the scheme continued for nearly a decade. Armstrong and his accomplices used the stolen data to apply for loans from multiple financial institutions across the country, as well as obtain credit cards, open bank accounts, set up shell companies, purchase homes, and buy cars.
The police discovered something was amiss when Armstrong failed to declare any income to the IRS between 2009 and 2017 while still maintaining multiple residences in Georgia, Florida, and Northridge. During the course of the investigation, the authorities discovered hundreds of fake IDs, credit cards, and social security numbers.
In 2020, Armstrong was convicted of all 51 offenses listed in a grand jury indictment (including conspiracy to commit financial institution fraud, money laundering, and aggravated identity theft) and sentenced to 21 years in prison. He was also ordered to pay $3.3 million in restitution and forfeit two homes — one in Northridge, the other in Perris — purchased with illicit funds obtained from the scheme.
The Kenneth Gibson Case
Kenneth Gibson worked as an IT professional for a large software company from 2012 to 2017. Because of his job, he had access to the personal information of thousands of people, including employees and customers, which he unfortunately exploited.
Gibson designed a special computer program that would read people’s information from the company’s database and automatically open fake PayPal accounts in their names. He would then use the stolen identities to apply for credit accounts linked to the established accounts. Over time, Gibson managed to open over 8,000 accounts. To avoid being caught, he only transferred small amounts of money, took cash advances from the credit line, and accessed the cash with a debit card.
The scheme might have run for longer had Gibson not become careless. Usually, he would retrieve the cash from an ATM, but one time he asked PayPal to send him a check. The name on one of the checks that PayPal sent him matched a victim’s name, which tipped the police off.
In 2018, Gibson was sentenced to 4 years in prison and supervised leave for 3 more. He also had to pay $1 million in compensation and sell his assets in order to repay the $3.5 million he stole from his victims.
The Luis Flores Case
Stealing the identity of ordinary people is one thing, but how bold do you have to be to pretend to be a famous celebrity, FBI director, or US Marshals service director? Yet, that’s what Luis Flores Jr. did in 2014, together with his mother.
A then 19-year-old Luis Flores, Jr. called the credit card company American Express claiming to be Kim Kardashian, changing her social security number and address to his own so that he could receive new cards. American Express got suspicious though, so they reported Flores and his mother to the Secret Service. And the investigators sure found a lot on them.
Flores had a flash drive loaded with private data from celebrities and politicians - from Michelle Obama and Bill Gates to Paris Hilton, Beyonce, and many more. The drive contained not only their personal details and security numbers but even their credit card accounts.
What’s more, Flores was also linked to cases involving fraud against the US Marshals Service Director Stacia Hylton and former FBI director Robert Mueller. Using the personal information, he and his mother changed the victims' addresses and phone numbers on their accounts, ordered replacement cards, and also made several wireless transfers from the targeted accounts to their own.
In 2014, Flores was sentenced to three and a half years in federal prison for his acts. Meanwhile, his mother was sentenced to three years of probation on top of her jail sentence for lying to the authorities in an attempt to cover up her son's fraudulent activity.
Could Those Attacks Be Prevented?
What do all those stories have in common? The first is that criminals got hold of someone's personal information and used it to commit fraud. Unfortunately, we don't have much control over that - even if we ourselves share our personal data very carefully, all it takes is one disgruntled employee who has access to customer details for our details to fall into the wrong hands. Criminals can also get pretty creative when looking for loopholes they could abuse.
But the second point is that the banks mentioned in these stories only reacted once they noticed there was clearly something suspicious happening on the customer’s account(s). Since the fraudster had all the details of the actual customer, how were they supposed to know that it wasn’t Demi Moore’s personal assistant calling them but an impersonator?
If those companies had access to voice biometrics solutions and could check the caller’s identity in real-time, however, then it would be far easier for them to spot a suspicious person on the line. While criminals can access customer data like passwords or security numbers, impersonating a voice is a totally different story.
The way each person speaks depends on hundreds of unique traits, which voice biometrics systems analyze to confirm a caller’s identity.
As long as the system has a stored voiceprint of the actual customer’s voice, it can identify fraudsters on a call in seconds - even if they can answer all security questions smoothly or pass other verification methods. And since voice verification can run in the background during an entire conversation, that also reduces the chances of a fraudster realizing they have been rumbled and ending the call - giving company employees enough time to report the caller.
Fraudsters adapt quickly, and they often get pretty creative when it comes to stealing our data. While it’s probably impossible to avoid them completely considering the technology they have now, we can make their “jobs” harder by not sharing our data on suspicious websites and monitoring our bank account activity.
What about companies though? They can protect themselves and customers who reach out to them via the phone with voice biometrics. Powered with AI, these systems can immediately identify who is asking for a new credit card or to change account details - the actual customer or a fraudster. If you combine basic security tips with the latest technologies, you will be on course to keeping the fraudsters at bay and limiting the damage they can cause.