H1N1 identity theft e-mail phishing scam

As if the swine flu virus wasn't bad enough, now identity thieves are using it to their advantage.  Scammers are using e-mails offering a "Personal H1N1 Vaccination Profile".  The e-mail scam appears to come from the Center for Disease Control and actually uses a pretty good (but still fake) version of the U.S. Department of Health and Human Services logo. 

The e-mail tries to dupe the reader into clicking on a link to a separate site, ostensibly to set up a profile containing the reader's name, contact details, and personal medical history.  A screen shot of the picture is below:

The website has several links that all will download a file which probably contaisn some malicious code which would do Lord knows what to your computer.  The virus would probably include code to obtain your personal information from your computer.

Although the Web address in the e-mail link appears to be operated by CDC.gov (the agency's Web site), a hidden portion of the address indicates that the site is actually in Belgium.

Part 2 of explanation of 15 U.S.C. 1681e

For some reason this did not post yesterday as it was scheduled to do, so here it is:

This is part 2 of my explanation of 15 U.S.C. 1681e.  For part of the explanation, see here - http://fcralawyer.blogspot.com/2009/11/part-1-of-explanation-of-15-usc-1681e.html. 

"(d)  Notice to Users and Furnishers of Information

(1)  Notice requirement.   A consumer reporting agency shall provide to any person

(A)  who regularly and in the ordinary course of business furnishes information to the agency with respect to any consumer; or

(B)  to whom a consumer report is provided by the agency;

a notice of such person's responsibilities under this title."

[This section requires the credit bureaus to provide a notice (the content of which is prescribed by the FTC per (d)(2)) regarding their responsibilities to two types of entities - furnishers and users.  Furnishers are the companies that furnish information to the credit bureaus for inclusion on consumers' credit reports (i.e. the banks, credit card companies, collection agencies, etc. whose accounts make up the consumers' credit histories).  Users are the companies that buy consumers' credit reports from the credit bureaus, assuming they have a permissible purpose to gain access to the report.  A company can be both a user and furnisher regarding a consumer, although not at the same time.)

"(2)  Content of notice.  The Federal Trade Commission shall prescribe the content of notices under paragraph (1), and a consumer reporting agency shall be in compliance with this subsection if it provides a notice under paragraph (1) that is substantially similar to the Federal Trade Commission prescription under this paragraph."

[This section defines what the credit bureaus must include in the notices to furnishers and users required by (d)(1) by simply saying that the FTC will prescribe the content and the credit bureaus' notices must be substantially similar to the FTC prescribed content.]

"(e)  Procurement of Consumer Report for Resale

(1)  Disclosure.  A person may not procure a consumer report for purposes of reselling the report (or any information in the report) unless the person discloses to the consumer reporting agency that originally furnishes the report

(A)  the identity of the end-user of the report (or information); and

(B)  each persmissible purpose under section 604 [Section 1681b] for which the report is furnished to the end-user of the report (or information)."

[This section applies to resellers of credit reports.  Before it can resell the report (or any information in the report), the company reselling the report must identify who the report is ultimately being sold to and provide each and every permissible purpose used in obtaining the credit report.  These disclosures are required to be made to the credit bureaus selling the report to the reseller, not to the consumer whose information is being sold.  Although I have seen on at least one credit bureaus' reports to consumers that they list the end user who ultimately gets the resold report as part of the inquiry.]

"(2)  Responsibilities of procurers for resale.  A person who procures a consumer report for purposes of reselling the report (or any information in the report) shall

(A)  establish and comply with reasonable procedures designed to ensure that the report (or information) is resold by the person only for a purpose for which the report may be furnished under section 604 [Section 1681b], including by requiring that each person to which the report (or information) is resold and that resells or provides the report (or information) to any other person

(i)  identifies each end user of the resold report (or information);

(ii)  certifies each purpose for which the report (or information) will be used; and

(iii)  certifies that the report (or information) will be used for no other purpose; and

(B)  before reselling the report, make reasonable efforts to verify the identifications and certifications made under subparagraph (A)."

[This section simply attempts to keep resold reports from being sold for impermissible purposes.  It requires the reseller to identify the ultimate end user of the credit report, certify each permissible purpose used to obtain the credit report and certify that the credit report won't be used for any other purpose (permissible or not).]

"(3)  Resale of consumer report to a federal agency or department.  Notwithstanding paragraph (1) or (2), a person who procures a consumer report for purposes of reselling the report (or any information in the report) shall not disclose the identity of the end-user of the report under paragraph (1) or (2) if -

(A)  the end user is an agency or department of the United States Government which procures the report from the person for purposes of determining the eligibility of the consumer concerned to receive access or continued access to classified information (as defined in section 604(b)(4)(E)(i)); and

(B)  the agency or department certifies in writing to the person reselling the report that nondisclosure is necessary to protect classified information or the safety of persons employed by or contracting with, or undergoing investigation for work or contracting with the agency or department."

[This section exempts from the end user disclosure requirements of (d)(1) and (2) where the end user is a U.S. agency or department and the report is used for determing whether the consumer should get or continue to have access to classified information and where the agency or department certifies that nondisclosure is required to protect any classified information or safety of employees of the agency or department.]

This concludes my explanation of 15 U.S.C. 1681e.

Good primer regarding preventing ID theft while shopping online

For those of you who like to shop online (i.e. my wife), here's a good article about how to prevent your identity from getting stolen while doing your online Christmas shopping this year:

Online shopping might be a convenient way to tackle your holiday gift list, but is your money really safe in cyber space? Experts offer some tips to safeguard your personal information.

"There's different shapes and forms that they can rob you," says Cesar Fazz, Security Manager for AEA Federal Credit Union. The recently-retired police lieutenant also knows scammers will do anything to steal your money.

"You've got to look at the address on there and look at the sites," says Faaz. Before you embark on cyber shopping, he suggests looking for a few security features.

"If you get on and they have an http address, if there's an 's' usually after that, that usually means it's a secure website." Look for the "s" when you access a web page asking you for personal information such as your credit card number.

Also watch out for a yellow lock icon.

"All that means is that the information is being sent from you, the buyer, to the website that that information is being encrypted and so forth," explains Faaz.

Those features are not fool-proof. Fazz says consumers need to first update all anti-virus software. That's because some viruses will install a program to record everything you type.

"It'll get a virus on your computer and then they're able to either see or record those keys that you're pushing like your password."

Finally forget email links. Manually type in the retailer's web address to avoid being routed to a scam site.

No measure will keep you absolutely safe from identity theft, so experts suggest you read your credit card statements to make sure you didn't become a victim without even knowing it.

 The original article can be found here, at Yuma, AZ's KSWT Channel 13's website - http://www.kswt.com/Global/story.asp?S=11602781.

Explanation of 15 U.S.C. 1681f of the Fair Credit Reporting Act

Below I continue my explanation of each section of the Fair Credit Reporting Act by explaining 15 U.S.C. 1681f.

"Section 608.  Disclosures to governmental agencies [15 U.S.C. Section 1681f]

Notwithstanding the provisions of section 604 [Section 1681b] of this title, a consumer reporting agency may furnish identifying information respecting any consumer, limited to his name, address, former addresses, places of employment, or former places of employment, to a governmental agency."

[This section simply indicates that a credit bureau may provide the personal identifiers of a consumer to a governmental agency, whether the governmental agency has a permissible purpose pursuant to 1681b or not.  Nice to know that big brother can find out where you live, work or used to work for whatever reason they want to.  Or for no reason at all.]

I will begin my explanation of 1681g in the near future.

Part 1 of explanation of 15 U.S.C. 1681e

Here's part one of my explanation of 15 U.S.C. 1681e.

"`Section 607.  Compliance procedures [15 U.S.C. 1681e]

(a)  Identity and purposes of credit users.  Every consumer reporting agency shall maintain reasonable procedures desinged to avoid violations of section 605 [Section 1681c] and to limit the furnishing of consumer reports to the purposes listed under section 604 [Section 1681b] of this title.  These  procedures shall require that prospective users of the information identify themselves, certify the purposes for which the information is sought, and certify that the information will be used for no other purpose.  Every consumer reporting agency shall make a reasonable effort to verify the identity of a new prospective user and the uses certified by such prospective user prior to furnishing such user a consumer report.  No consumer reporting agency may furnish a consumer report to any person if it has reasonable grounds for believing that the consumer report will not be used for a purpose listed in section 605 [section 1681b] of this title."

[This section requires the credit bureaus to have reasonable procedures to prevent impermissible accesses to consumers' credit reports.  Unfortunately, the CRAs procedures are not that good.  Other than the initial investigation of a new user before the CRA will start selling reports to it, the CRAs only require a "certification" that the user is getting the credit report for a permissible purpose.  The problem is that the user can "certify" any reason it wants that permissible whether its really the reason why its getting the credit report or not.  Only after the user gets caught will the CRA be on notice that the user is not on the up and up, which then causes the last sentence of 1681e(a) to kick in.]

"(b)  Accuracy of report.  Whenever a consumer reporting agency prepares a consumer report it shall follow reasonable procedures to assure maximum possible accuracy of the information concerning the individual about whom the report relates."

[This is by the far the most important section I have explained yet, at least to my practice.  Virtually every lawsuit I file against a credit bureau includes alleged violations of 1681e(b) (called "e(b)" claims for short).  My FCRA cases typically fall under two categories - those arising from identity theft and those arising from mixed files.  Identity theft cases almost always involve disputes by consumers of the inclusion of the fraudulently opened accounts which are then "investigated" by the credit bureau.  A significant number of the so called "investigations" are botched by the credit bureaus.  These botched investigations violate 1681i of the FCRA.  However, the botched investigations also arguably lead to violations of 1681e(b) when the CRA generates credit reports containing the disputed but not reasonably investigated accounts.

A clearer violation of 1681e(b) happens in mixed file cases.  In mixed file cases, the CRAs generate credit reports using their matching logic which does not use an exact match between the SSN on the account to the SSN of the consumer before putting the account on the consumer's credit report.  This results in accounts of someone with a similar name and SSN showing up on the consumer's credit report.  The argument is that utilizing a matching logic to create a credit report where the SSN is not even required to match is not a reasonable procedure to assure the maximum possible accuracy of the report.]

"(c)  Disclosure of consumer reports by users allowed.  A consumer reporting agency may not prohibit a user of a consumer report furnished by the agency on a consumer from disclosing the contents of the report to the consumer, if adverse action against the consumer has been taken by the user based in whole or in part on the report."

[Once upon a time, a consumer would ask his bank for a copy of his credit report and the bank would tell the consumer that it was not allowed by its contract with the CRA to give the consumer a copy of his credit report.  Now, a consumer asks his bank for a copy of his credit report and, guess what, the bank still tells the consumer that the CRA does not allow it to give the consumer the report.  While I am sure its not in writing anywhere, I would be willing to bet that CRAs still tell its users not to give out copies of the credit reports it obtains.  Regardless, at least the consumer can now tell the bank that what its saying is not true.]

I will continue my explanation of 15 U.S.C. 1681e with part (d) in part 2 of the explanation.

New telephone scam in the U.K.

Based upon my decade of practicing law with an emphasis on representing victims of identity theft, I always believed that identity thieves target those with good to excellent credit histories, since it was those types of credit histories that equate to an easier time getting approved for credit, whether applied for by the consumer or the identity thief.   A target rich environment, if you will.

But here's a scam that targets those in debt rather than those with credit lines available to be obtained.  The article is from http://www.mirror.co.uk/. 

Fraudsters are targeting those struggling with debt.

They are tricking people into giving out personal details and money with scam telephone calls.

Crooks, posing as staff from the Government, Office of Fair Trading, High Street banks or claims-management companies, are calling and persuading people to give them as bank details, with the promise of repayment of debts.

Victims are asked to make an upfront payment after being told they are entitled to a repayment of bank charges or other debts.

Equifax, the ID fraud expert, is urging everyone to keep their personal details safe.

Neil Munroe from Equifax says: “Criminals are targeting those already in debt and they are very convincing and persuasive, calling victims repeatedly.


“Anyone who provides their details over the phone risks having their accounts emptied, leaving them even more in debt.”

Never give out personal details over the phone. Call the head office of the company concerned to find out if a call is genuine.

For the rest of the article, see http://www.mirror.co.uk/news/city-news/2009/11/24/cash-point-fraudsters-target-those-in-debt-115875-21844863/

E-mails trying to get you to check your credit report due to "problems" is probably a scam

I have heard people complain about getting unsolicited e-mails from Equifax telling them there are problems with their credit report and advising them to buy their credit report.  This is either a scam by some perp trying to obtain your personal information or a ploy by Equifax to get you to sign up for a credit monitoring service you likely don't need.  Either way, its something to avoid.

If you want to check your credit report, try http://www.annualcreditreport.com/, which is the website that federal law required the credit bureaus to establish to provide one free credit report per credit bureau to each consumer per year.  Better yet, print out and mail in the pdf request form found at http://www.annualcreditreport.com/ and get your credit reports for free without any arbitration clause taking away your right to a jury trial.  You see, http://www.annualcreditreport.com/ redirects consumers to the websites of Experian, Equifax and Trans Union to complete the process of obtaining the free credit reports.  One or more of the bureaus' websites require the consumer to agree to an arbitration clause to access the credit report.  Sending in the pdf form, though, does not activate any such arbitration clause.

"The reports of my death are greatly exaggerated" ... by Experian

Few knew that the rest of Mark Twain's quote attributed the reports of his death to Experian, but Ann Howe found that out the hard way.  Experian decided to start informing any one who asked for Ann Howe of Seattle's credit report that she was no longer among the living.  Problem is, she was and is very much still alive.

Howe tried to refinance her home mortgage but was denied by her bank because Experian told her bank she was dead.  Apparently, her banker thought she was a ghost since she was sitting in front of him when Experian declared her dead, since the bank opted to believe Experian instead of the breathing, talking woman visiting their bank.

What's worse, it took Howe and her daughter months of faxes, notarized papers, phone calls and letters and still Experian would not believe Howe was alive, which meant the bank would not approve the refinance.

Fortunately, Experian finally agreed with Howe's doctors that she was indeed still alive.  Once Experian came to its senses, Howe's credit report was corrected and she was finally able to obtain her loan.

Identity theft ring in South Florida busted

Police have busted up an identity theft ring operating in south Florida.  A bank teller and five others - namely Janice Coachman of North Lauderdale, Latoya Robinson of Fort Lauderdale, Roberta Huha of Dania Beach, Jude Thompson of Lauderhill, Vincent Ware of North Lauderdale, and Curisha Bryant of West Park - were all arrested in a 3 county crack down of an identity theft in south Florida.  Four other suspects are still at large.

The 21 count federal indictment accused most of the defendants of using stolen credit cards, stealing identities, cashing forged checks as well as recruiting others to joing the ring.  Charges include aggravated identity theft and bank fraud.

According to the indictment, Curisha Bryant was a bank teller at a BankAtlantic branch, where she allegedly shared information from her customers' accounts with three of her co-defendants.

Fair Isaac loses antitrust lawsuit

A Minneapolis jury on Friday ruled against Fair Isaac and in favor of credit bureau Experian in an antitrust lawsuit filed by Fair Isaac against Experian.  Fair Isaac claimed that it had exclusive trademark rights to credit scores utilizing any score range that overlapped 300 to 850.  Fair Isaac claimed that Experian's VantageScore credit score violated its alleged trademark rights.  Unfortunately for Fair Isaac, the Minneapolis jury disagreed.

"Today's verdict is a victory for Experian and for American consumers," said Kerry Williams, group president of credit services and decision analytics at Experian. "By preventing FICO from further stifling competition in the marketplace, the jury's decision will increase consumer choice in credit scoring."

The jury also found that Fair Isaac committed fraud on the Patent and Trademark Office in obtaining its trademark registration.

VantageScore is the credit reporting industry's first credit score developed jointly by the three national credit reporting companies to deliver consistent, objective credit scores across their respective databases. VantageScore provides consumers and businesses with a highly predictive, consistent score that is easy to understand and apply. VantageScore utilizes a range from 501 to 990 that naturally aligns with well-known A, B, C, D and F grade intervals, and is used by four of the top five U.S. financial institutions and eight of the top 10 credit card issuers.

Toys for Tots scam results in arrest for identity theft

Marsha Lynn Foster of Dekalb County, Georgia has been charged with identity theft and theft by deception.  According to authorities, Foster posed as a representative of Toys for Tots and falsely solicited donations from local merchants in a fraudulent manner.  Police arrested Foster Saturday evening at her home near Decatur, Georgia.

Authorities have offered some helpful tips when approached by donation seekers:
Obtain the representatives credentials such as photo identification.
Obtain charity organization information such as a business card and other literature.
Do not give donation immediately. Take the time to contact the agency to verify they had a representative in your area.
Most charity organizations will provide a donation request on letterhead and they will not ask for CASH ONLY.

Most importantly, use your common sense.

Two Dallas women charged with stealing 147 identities

Police have arrested and charged Yolanda Burks and Beverly Crowder, both of Dallas, Texas, after they were found to possess the personal information of 147 Dallas and Tarrant county residents.  Police believe that the duo has used the personal information of others to obtain cell phones and utlility services for over two years.  Authorities believe that the pair may have obtained the personal information by stealing mail or other types of theft.

Authorities are attempting to contact the 147 potential victims.

Identity theft leads to murder

Christopher Helmlinger was murdered in September.  Berryville, Arkansas police believe Evin Davis, Jr. murdered Helmlinger in order to steal his identity.

Helmlinger was shot to death and buried in a shallow grave.  His body was found approximately two weeks after his family reported him missing when police received a tip about a mound of dirt with a shovel nearby.  Davis, who went by the alias Charles Hedstrom, was spotted near the mound of dirt.  The same night Helmlinger's body was found, Davis a.k.a. Hedstrom and his family left town. 

Davis a.k.a Hedstrom worked with Helmlinger at Tyson Foods and spent a lot of time together.  The police's investigation of the tip regarding Davis' proximity to the location of Helmlinger's body led police to learn that Hedstrom was really Davis and was wanted in Missouri for stealing a car. 

Davis' wife was apprehended when she showed up for her final pay check.  She refused to tell authorities where her husband was holed up, but he eventually turned himself in.  Davis is being held while a determination regarding his bond is pending.  His wife is being held on a $1 million bond.

Identity theft is actually "low tech" crime

Good article from Miller-McCune.com explains how identity theft no longer requires criminal geniuses to commit:

The U.S. Census Bureau estimates a little more than one-third of households will refuse to mail out their census forms next year because of fear that sharing personal data could make them susceptible to identity theft.


This is no idle concern — almost 10 million people were victims of identity theft in 2008, a 22 percent rise from the year before. And despite the popular image of some Serbian teenager with superior computing skills hacking into a major mainframe and stealing thousands of pieces of sensitive personal data, then using them to buy flat panel TVs and Blackberries, the majority of identity theft — a whopping 43 percent — comes from such low-tech means as stolen wallets and documents. Only about 1-in-10 thefts are computer-originated.

Those final two figures, in fact, tend to confirm the findings of "Understanding Identity Theft: Offenders' Accounts of Their Lives and Crimes," a study published earlier this year in Criminal Justice Review. Conducted by Lynne M. Vieraitis of the University of Texas at Dallas, and Heith Copes of the University of Alabama at Birmingham, the study is based on interviews with 59 identity thieves incarcerated in federal prisons. The goal of the study was to determine the demographic characteristics of these criminals and how they commit their crimes.

"One of the things we found most surprising is it seems to be very democratic in terms of who's committing [identity crimes]," says Vieraitis. "There are people who are more like street offenders and those closer to the white-collar-type fraudster."

"What motivates all these offenders is money," adds Copes, "and that's where you see the distinction between street life and those living a middle-class lifestyle. The street-life types, these are the hardcore offenders. They live this life of the party, drugs, going out — this hedonistic lifestyle. And they use the money to support that lifestyle. It's a cash-intensive lifestyle. It encourages them to commit more crime, and the cycle continues. The middle class is trying to portray a middle-class lifestyle; they're trying to pay off houses and cars they can't afford."

In either case, the means of obtaining the information needed to pull off their crimes is decidedly low tech — as low tech as, in some cases, Dumpster diving. But the most common method of getting information is to buy it from someone, generally a person who works for a mortgage company, bank, car dealership or state agencies like law enforcement and the Department of Motor Vehicles.

"The most common method was getting it through legitimate access," says Copes. "Either that person worked at the place that had that information or they paid the person to get it. They use what's known as 'larceny sense' — a lot of them could just recognize people they could buy off."

Other methods included stealing mail from apartment houses or businesses like insurance companies — even stealing trash cans from banks. One thief put ads in newspapers seeking employees for a new company, had jobseekers fill out applications that included Social Security numbers, then used those to create false identities.

In all cases, offenders parlayed stolen IDs into cash by applying for credit cards (the most common method), opening bank accounts and depositing counterfeit checks, withdrawing money from existing accounts, applying for loans and public assistance.

One thief would apply for credit cards at places like Lowes or Home Depot, receive instant credit in a specific amount and then max out the card immediately. This felon would even take orders from people beforehand and discovered that gift cards were especially popular: "Gift cards were like money on the streets," she told the researchers. "People were buying them off me like hotcakes."

Yet if all this suggests identity thieves are necessarily smarter than the average felon — you know, like that brilliantly twisted teen Serb hacker — forget it.

"You don't have to have a high IQ," says Copes. "One of the skills is just good social skills. You may pose as someone and pull all their money out of an account, so you need to be able to interact with people, know which teller to talk to and know when a conversation is not going the right way."

So if identity theft isn't primarily a trade for brainiacs, how come it's the sophisticated computer types who seem to define the crime?

"The media has put out this image that it's Russian organized crime or groups using computers hacking into databases," says Vieraitis. "Those are the ones we hear about. I think it makes for a better story. Maybe we just don't focus enough resources on the mundane identity theft. I also think banks and credit card companies have gotten better at helping people out. And most of it is credit card fraud."

"It is a relatively unsophisticated type of crime," Copes adds.

Ringleader behind theft of Bernanke's wife's identity sentenced

Waldorf, Maryland's Clyde Austin Gray, Jr. was sentenced on Friday to 11 years in prison and to repay more than $1.4 million in restitution. Gray previously pled guilty to masterminding a nationwide identity theft ring, whose victims included the wife of Federal Reserve Chairman Ben Bernanke.