BY GREG MERMEL, CPA
A classic technique
of the con artist is to telephone a potential sucker and pretend to be
from their bank or credit card company, or a merchant with whom they may
have placed an order. Under the pretext of "verifying data,"
they are often able to get not just credit card numbers, but also the
Social Security numbers, dates of birth and other data needed for identity
theft.
Ordinary skepticism and mild caution prevent most people from giving out data to people you do not know. Don’t give out information in a call you did not initiate, the advice always goes. If the caller seems legitimate, you get their name and department, look up the business in the phone book, and call back at the listed number.
But what do you do if you get a letter that seems to be from your bank’s fraud control division, with a "fraud questionnaire" and Internal Revenue Service form enclosed? Most likely, you would fill it in and respond.
Wrong Move
One small problem: The whole thing may be a scam. Earlier this month, the IRS sent a news release out about exactly such a scheme in seven states; Illinois is not yet among them. These thieves apparently were easily able to recreate or copy the bank’s logo. They even included a toll-free number and sent a postage-paid envelope addressed to "Bankcard Services Fraud Control" at a post office box in California. (If you want to see the fake items, go to the Comptroller of the Currency’s Web site, www.occ.treas.gov, and look at Alert 2002-6.)
And the IRS forms they sent? Complete phonies. There were several different versions, but they typically sought not only routine information (like name and address) but the most sensitive stuff like bank account numbers, passwords and PINs.
While fairly sophisticated, these may not be the brightest of thieves. By my count, they have at least four federal criminal agencies going after them (postal inspectors, the criminal investigations divisions of both the IRS and the Federal Trade Commission, and the FBI).
What should tip you off in any of these situations is that they are asking for information the business they are impersonating already has. If your bank has concerns about your credit card and is contacting you, they already have your credit card number, Social Security number, mother’s maiden name and credit history. Yes, you have to give some or all of that information when you call in with a question or problem so that the credit card company can verify your identity, but you called them. You took the number off the back of your card or the bill, so you know who you are talking to.
Similarly, apply some logic: Why would the requester legitimately need this information? The fake IRS forms asked for information that would let someone withdraw money from your bank account. Why would the IRS need that? You paid your taxes, didn’t you? Even if you owe back taxes, the IRS is not going to send somebody down to the nearest ATM. They have to pursue all sorts of steps and procedures before extracting money from someone’s bank account–"due process of law"–but once they have taken these steps, they do not need your password or PIN.
Twenty years ago, credit card fraud involved the gas station attendant running a second charge slip on your card to cover cash stolen from the till. Ten years ago, it was the cashier at a hardware store "forgetting" to return your Mastercard so she could pass it to her gang-banger boyfriend. A little diligence on your part could prevent these. Now, stolen credit card numbers are a new frontier for organized crime, and the transactions are often wholesale. Customer databases with this information get hacked, or a dishonest clerk in a hospital billing department copies account information, or an online store develops a nice sideline in illegally selling customers’ credit card data. A recent newspaper story reported on specialized Web sites (members only) which function as clearinghouses for lists of stolen credit card numbers and names; like fish, fresher lists are more desirable and priced accordingly.
As an individual, about the only thing you can do to prevent this is be a bit cautious about where you use credit cards on the Internet. You need not get paranoid and limit the use to American Airlines and Amazon.com. If you know of a company’s physical existence, giving a credit card number to it should be safe, along with those you can trace to legitimate trade or professional associations. But if you need to shop the more remote reaches of the Internet, consider using a secondary credit card, one with a low limit. That way, if the porn site or shareware developer in Australia creates problems, you can cancel that card and change the number without much inconvenience.
The other thing you can do is a regular self-examination, just as the doctors recommend for breast and testicular cancer. Once a year, spend the money to get your credit reports from the three major agencies. Review them carefully, and question anything you don’t understand. It might be legitimate but confusing, or it might be a sign of trouble.
The three credit agencies are Equifax, at 800/685-1111 or www.equifax.com; Experian (formerly TRW) at 888/397-3742 or www.experian.com/consumer/index.html; and TransUnion at 800/916-8800 or www.transunion.com.
Are there money or tax questions you would like to see discussed in this column? Let me know, at 2835 N. Sheffield, Suite 311, Chicago, IL 60657, or 773/525-1778 (888/525-1778 outside the Chicago area).
Greg Mermel is a certified public accountant whose clients in the arts range from individual performers to major theatre companies and suppliers. He also sometimes produces theatre.