Identity theft attracts fraudsters because they can steal significant amounts with extreme anonymity, and victims and law enforcement can seldom pursue them. However, the authors describe an investigation that yielded the arrest and prosecution of a fraudster who used "synthetic identity theft" and other crimes to steal millions. Learn about their practical methods and a stunning twist.
Our client first knew he had a problem when a department store called him about issuing a credit card he hadn't requested. He thought he might be a victim of identity fraud, but it was a bit more complicated. In the beginning, he was the target of a traditional identity theft. However, the fraudster would soon create multiple synthetic persons to mask his criminal activity and hijack our client's credit history.
The victim (we'll call him Sam) — the son of a high net-worth individual — first asked one of his employees, a CPA who worked for one of his father's companies (whom we'll call Sally), to determine what had occurred.
Sam and Sally quickly learned that the identity theft had extended far beyond the department store. For a short time, Sally — who didn't have any investigative experience — attempted to identify and control via credit reporting agencies the fraudster's numerous successful attempts to open credit card accounts, bank accounts or merchant lines of credit in Sam's name throughout the U.S. However, Sally always seemed to be a step behind the fraudster's actions. So, Sam came to our firm to identify the fraudster and build a case for presentation to either a federal or local prosecutor. (In this article, we disguise or conceal dates, locations, financial institutions and other vendors because the facts are part of active criminal investigations or prosecutions.)
'I am who I am!'
Most of our identity theft clients are extremely frustrated because they're struggling to prove they are who they say they are to credit bureaus, banks, credit card companies and others. We tell them that they might never discover who actually stole their identities or the point of compromise, which is where and how fraudsters are able to steal personal identifiers. Furthermore, the authorities probably won't have the resources to investigate and prosecute. For the same reasons, most of the time our clients don't pursue the fraudsters who've stolen their identities. But this fraudster picked the wrong victim. Sam had the financial means and the will to hunt the fraudster down and refer the activity for prosecution.
In our first phone call with Sam and Sally we began to work on identifying the point of compromise, and we explained the realities of investigating identity theft.
We suggested Sam place fraud alerts with the credit bureaus, obtain credit reports from all three reporting agencies and review them for suspicious activity, such as unfamiliar inquiries, new credit card openings and collection activity. Sally had already begun most of these steps.
Because all the fraudster's attempts were in Sam's name, Sam had the right to see the completed applications and other documents the fraudsters used to open bank and credit card accounts. So, we asked for Sam's permission — client authorization or CA — for certain employees of our firm to act on his behalf to receive documents and materials from financial institutions and other entities where the thief had tried to defraud Sam. (Through the years, we've found that obtaining CAs is a powerful way to encourage banks, credit card companies and other merchants to cooperate in identity theft cases.)
The banks and merchants then produced loan applications, customer-service recordings with source telephone numbers, IP addresses, and photographs or videos of the fraudster. We also used the CA to retrieve mail from three virtual offices throughout the U.S. that the fraudster used to receive mail addressed to our client. This action denied the fraudster access to the credit cards and other documents he'd hoped to use to generate cash or merchandise.
Ultimately, we learned the fraudster — who worked for a company that reviewed apartment purchase applications — had stolen Sam's identity from Sam's application. In total, the fraudster would make about 80 fraud attempts using Sam's stolen identity of which approximately half were successful. The fraudster brazenly allowed himself to be photographed many times — more than any other identity thief we'd investigated. We suspect this experienced fraudster knew, as we've discovered in other cases, that banks and merchants probably wouldn't have photographs and videos of him to provide to law enforcement because of their limited capacity to store them.
The quick combined responses of Sam, Sally and our firm prevented the fraudster from successfully obtaining significant cash or merchandise while generating direct evidence that federal authorities would use in their prosecution for aggravated identity theft.
A stunning twist
As we began to follow the leads gleaned from the vast amount of documents and material that the CA had generated, it became obvious that the fraudster seemed to abandon his previously successful avenues. For example, he failed to retrieve — or send someone to retrieve — the mail that contained credit cards in Sam's name, which were delivered to the virtual offices. This seemed odd and inconsistent with our experience because our investigation had remained covert — or so we thought.
When Sally, Sam's employee, had attempted to place a fraud alert with a credit reporting agency, the agency told her and Sam that the fraud alert was unnecessary because Sam's account was already "locked." The agency explained that Sam had placed the lock because he'd purchased its protection plan — a credit-monitoring service — for $19.95 per month. Of course, the fraudster had purchased the protection plan as part of his scheme. We realized that the fraudster had hijacked Sam's credit file with this particular agency, so we focused our investigative efforts on analyzing the leads in this credit file.
We learned that the fraudster had used a photocopy of a counterfeit Ohio driver's license — in the name of our client — as "official government identification" and a stolen credit card to purchase the monitoring service.
After the fraudster gained control of Sam's credit file, he changed the date of birth linked to the account, which gave the fraudster total access to the account and effectively blocked Sam's access to his own credit file — whether the file was locked or unlocked.
The fraudster changed Sam's telephone number and address so now the agency would call or write the fraudster whenever it detected any "unusual activity." Thus, the fraudster had an open window into Sam's and Sally's efforts and our investigation almost from the beginning; the credit-reporting agency opened that window by failing to verify whether the Ohio license was legitimate and allowing fundamental changes to personal identifiers. As a result, the fraudster prevented us from seeing his real-time activities. For example, the fraudster could unlock the credit history just before filing a fraudulent loan application so merchants could access his credit history, then lock the account and await responses from those merchants and financial institutions.
The agency should've considered the birth-date change as a red flag, and it should've checked the validity of the driver's license or at least realized that Sam's actual history in its file didn't link Sam to any address in Ohio.
This method of redirecting documents kept the fraudster informed about our investigative process, while he continued to receive mail in Sam's name and other victims."
Synthetic persons, identification and eventual prosecution
During the investigation, we learned that the fraudster continued to victimize Sam by creating synthetic persons — defined by law enforcement as combining a real Social Security number (Sam's) with a different date of birth, and a fictitious name and address. (See
U.S. postal inspector discusses synthetic identity theft.)
The combinations, of course, are endless. Regardless, the newly created identities impede detection. Although criminals began creating synthetic identities to commit fraud in the late 1990s and early 2000s, only recently have authorities begun prosecuting those they've alleged to be synthetic identity fraudsters.
Ultimately, we were able to identify the fraudster's given name (and numerous synthetic persons with multiple addresses, which the fraudster created) by comparing Sam's actual addresses with those listed in credit reports and with fraudulent information on applications the fraudster submitted to credit card companies, retail merchants and banks. We then were able to link the fraudster to other victims and crimes, which amounted to millions of dollars in losses.
We connected the fraudster to the theft of $2 million from a hedge fund, fraudulent student loan applications and fraudulent receipt of veterans' benefits, among other crimes. We referred all the frauds to the U.S. Postal Inspection Service, which presented the case to the local U.S. attorney's office.
The solid cooperation of Sally — our client's employee — and the helpful relationships with the postal inspectors and federal prosecutors in multiple jurisdictions led to the recent multi-count indictment of the fraudster, who faces significant mandatory jail time.
Other enablers for the fraudster
Though our focus has been on the glaring deficiencies with a credit reporting agency's protection and monitoring service, our investigation discovered additional enablers.
The nationally known chain operating the three virtual offices the fraudster used throughout the U.S. to receive mail provided its services to him without requiring his complete application or two supporting pieces of identification, which the U.S. Postal Service (USPS) requires for all Commercial Mail Receiving Agencies (CMRA).
Before CMRAs begin to receive mail on behalf of third parties these customers must submit to them the completed USPS Form 1583, "Application for Delivery of Mail Through Agent" with two forms of personal identification plus their photographs.
As we noted above, the fraudster used virtual offices to receive fraudulent credit and debit cards without fear of identification. Once the fraudster realized that we'd located and obtained his mail from these virtual offices, he changed his address directly with financial institutions and merchants rather than filing a change of address form with the USPS or the virtual office. This method of redirecting documents kept the fraudster informed about our investigative progress, while he continued to receive mail in Sam's name and other victims.
The fraudster legally changed his name twice in one year — to become different synthetic persons — in local courts in the state of Washington. We couldn't determine what he used as identification to complete these name changes, but it was probably counterfeit identification documents that supported his residence, which the state didn't verify.
IRS PIN and hack
During the investigation, Sally became concerned about the impending tax-filing season. Our experience included numerous instances of fraudsters filing false tax returns before the victims filed their actual returns. When this happens, the U.S. Internal Revenue Service (IRS) reports to the taxpayer that a return has already been filed and the refund issued. Normally, victims will provide proof that their identities were stolen and spend the next year trying to get the IRS to pay them their refunds. The IRS provides identity theft victims with PIN numbers to be used when filing future returns.
The IRS declined to provide Sam with a PIN because it couldn't verify his identity through the credit-reporting agency. Of course, we had our conversations with the IRS before we learned that the fraudster had hijacked our client's credit file. Instead of engaging in the time-consuming and awkward process of obtaining a PIN from the IRS, we recommended the client file his 2015 tax return on the earliest possible date that the return would be accepted by the IRS, which was Jan. 19, 2016. So, at a minute past midnight on that date Sally electronically filed Sam's tax return.
In February, the IRS reported that hackers had obtained more than 700,000 PINs that had been issued to identity theft victims. (See
Cyber hack got access to over 700,000 IRS accounts, by Kevin McCoy, USA TODAY, Feb. 26, 2016, .)
Victims shouldn't carry the burden
We rely upon global institutions that are entrusted with our personal and financial information — and therefore, our identities — to construct robust protocols and controls to protect us. However, they often fail to do this. These entities must develop systems to protect consumers from identity thieves and be vigilant about maintaining them. They need to abide by policies commonly referred to as "know your customer" and "know your vendor" to prevent fraud.
We recommend establishing authentication systems similar to passport applications processes that require mandatory verified government-issued identification before individuals can access credit files or obtain credit protection plans. We believe most consumers would agree that the temporary inconveniences would be worth it if they could have safeguards that would reduce the chances of becoming identity theft victims.
Regardless, all of us share some of the responsibility for protecting ourselves. We must vigilantly check our credit reports, credit card statements and bank transactions for unfamiliar or suspicious activity and shred documents with sensitive PII.
Any of us can become victims of identity fraud, including synthetic-person theft. But it's unacceptable that victims always seem to carry the burden of proving to credit bureaus, financial institutions, and the IRS or other nations' tax agencies that their identities have been compromised.
You shouldn't have to be wealthy, have an attorney on retainer or spend countless hours trying to fix what a criminal has done to you to get your identity back.
Anthony P. Valenti, CFE, CAMS, is managing director of Stroz Friedberg LLC in New York. His email address is: AValenti@StrozFriedberg.com
Stephen G. Korinko, CFE, CAMS, CPP, is vice president of Stroz Friedberg LLC in New York. His email address is: SKorinko@StrozFriedberg.com.
For more, see the sidebar,
"Immense identity fraud problem."