Welcome to NerdWallet’s Smart Money podcast, where we answer your real-world money questions. In this episode:
Learn how to protect your identity from theft and fraud by understanding how criminals are exposing authentication flaws.
How can you protect yourself from identity theft and financial scams? What steps should you take if your identity has been compromised? Hosts Sean Pyles and Sara Rathner discuss the pervasiveness of identity theft and practical defense strategies to help you safeguard your financial well-being. They begin with a discussion of protecting yourself from identity theft, with tips and tricks on setting up fraud alerts, freezing your credit, and using unique passwords with the aid of password managers.
Then, Eva Velasquez joins Sean to discuss the nuances of authentication and identity theft. They discuss the challenges businesses and individuals face in verifying identities online, the misuse of social security numbers, and the rise in data breaches, particularly in the healthcare sector. Plus: the alarming increase in data breaches in 2023, the importance of questioning every suspicious communication you receive, and the necessity for public and private organizations to refine their authentication methods.
Episode transcript
This transcript was generated from podcast audio by an AI tool.
You never think it’s going to happen to you. You’ll never fall for a scam. You’re too careful to have your identity stolen. You know how to sift through the clutter and the misinformation all on your own. Well, I’m sorry, dear listener, but it could happen to you. So today we launch a new series to make sure you know as much as possible about how to protect yourself and your finances from scams.
I say this unequivocally, your data is out there. Now, not every scammer has every piece of your data, but I don’t want people to be under the impression that, “Well, I didn’t receive a breach notice or I wasn’t paying attention. So that must not be happening to me.” No, I’m talking to you. Your data is out there.
Welcome to NerdWallet’s Smart Money Podcast. I’m Sean Pyles.
And this kicks off our Nerdy deep dive into all the ways that identity thieves can turn your life upside down, especially your financial life. We did not want to have to do a series on this, but we hear story after story about people who fall victim to scammers because it can happen to anybody, and we want to give you every tool possible to avoid having it happen to you.
Sean, I’m going to say it again just for good measure. It can happen to anybody and you do not want it to happen to you. Scammers and identity thieves are evolving with every new technology, including AI. Sometimes it feels impossible to keep up with them. Honestly, we might not be able to, but in this series, we’re going to talk about the ways to protect yourself and what steps to take, heaven forbid, you become a victim.
Here’s a sobering stat, Sara. According to the Federal Trade Commission, people here in the U.S. reported losing more than $10 billion to scams in 2023. That’s over a billion dollars more than the year before.
And toward the top of the list were imposter scams, people claiming to be something they’re not. Whether it’s your bank, your insurance company or even your mom. And that scam has a famous face to go along with it. Folks might’ve heard that Andy Cohen, a host at the Bravo Network, lost a chunk of money to thieves who posed as bank employees and got him to log into his account and eventually stole from him via wire transfers.
So awful. And Sara, the reason you and I keep reiterating that this can happen to anyone is because it’s important to know that if it does happen to you and it messes up your finances, you are not alone. And it’s not because you were stupid or careless. People who experience identity theft and scams don’t have a demographic profile. In fact, we’ll hear in this series that younger generations are falling prey to this kind of thing at higher rates than their elders.
Let’s be specific about that, Sean. According to a 2022 report from the National Cybersecurity Alliance, Gen Z, people who don’t even remember a time without the internet, report higher rates of being taken in by everything from identity theft to phishing and romance scams, more so than baby boomers do. So again, if you’re feeling like your cyber defenses are impermeable, well, we’re here to suggest that you double-check.
Yeah. And we’re not here to scare you, even though all of this can be pretty scary, but we are here to help you build those defenses so that you can keep your money safe and secure and not in the hands of absolutely horrible people.
So Sean, have you ever had this happen to you in one way, shape, or form?
I’ve been contacted by plenty of scammers, especially during the tumult around the student debt cancellation a year and a half ago. I was getting calls multiple times a week from scammers that were trying to get me to pay them to have my loans canceled, a totally predatory scam that preyed on people’s desire to finally be free from the burden of student debt. But fortunately, I have never lost money to a scam, knocking on wood right now. How about you, Sara?
Thankfully, I haven’t been parted from any of my money yet, but I recently sold some pricey baby gear on Facebook Marketplace, and the scammers absolutely came crawling out of the sewers the moment I posted the listing. So here’s what tipped me off to the first scammer of several. Their Facebook profile was created just within the last couple of years. So when I see a very empty profile, it raises my spidey senses a little bit. And then, in chatting with me through Facebook chat, they told me some whole story about how because of their work schedule, their brother would be the one to pick up the item for them. There was no conversation. They were immediately just like, “My brother’s going to come pick it up, by the way.”
There’s always some convoluted story, right?
Right. It got a little complicated. And then there was also another woman who hit me up and also mentioned that her sister would be the one to pick it up for her. And I’m like, “Oh, I heard that story five minutes ago. That’s weird.” Then they tried to pay me through Venmo as if I was a business, which I am not, on Venmo or in life. And so when that didn’t go through, they sent me this typo-ridden email with a QR code and a “click on this link.” And that’s the point where I was just like, absolutely not. And I just totally ghosted them and stopped responding.
Yeah. Unfortunately, Facebook Marketplace is one spot where people will experience scams just constantly. I hear these stories all the time. And your story exemplifies why we took on the series. We want to help people understand things like how pervasive are scams, how vulnerable am I and how can I protect myself, my loved ones, and my cash?
All right, well we want to hear what you think too, listeners. Tell us your stories of identity theft or share how you’re working to fight it or recover from it. Leave us a voicemail or text the Nerd hotline at 901-730-6373. That’s 901-730-NERD, or email a voice memo to [email protected].
So Sean, where do we start today?
Our guest today is Eva Velasquez. She heads up the Identity Theft Resource Center, which is a repository of all things scammy and ID thievery. And she used to be in law enforcement putting the bad guys away. We’ll talk with her first about the scope of the problem and then we’ll hear from her about what is the first step in this process, which is identity theft leading to identity fraud.
Eva, I’m so glad you could join us on Smart Money.
It’s a pleasure to be here.
Since you are immersed in this issue, I want to start with a broad picture of the ID theft scam landscape because we as a country and the world really have been dealing with this problem for well over two decades now, and the technology has gotten smarter and so have the people taking advantage of that technology to do us financial harm. So can you give us a brief evolution of how we got to this point, from the early days of dumpster diving and stolen laptops to now with AI copying our voices?
Well, if you think about how scams have been perpetrated historically, there was a lot more effort that had to be put into it. They’d have to mail a solicitation, call you on the phone and while those things still happen, we have all of these new channels. We have email. We have text messages. We have social media. So there’s all of these new ways that the scammers can get their hooks into you. And if you also think about our identities and traditional identity fraud… And just for the record, for people listening, identity theft is the theft of the credentials that would be used to commit identity fraud. So the fraud is the misuse piece of it. The notion of our identity and what goes into our credentials, it has expanded over the last 20 years. I mean, it really used to be your social security number, your date of birth and your financial accounts, and now we’ve got logins and passwords. There’s misuse of driver’s license numbers and just all of this other data about us that’s used to authenticate us. That can also be misused.
I think the easiest way to put it is anything that you can do with your identity online or otherwise, a bad actor can do if they have the right information about you.
So there’s so much more information connected to each of us as individuals like you just described, our driver’s license numbers, our social media logins, our bank information, and scammers have more tools at their disposal that make it easier for them to try to get that information from us in some way from the comfort of their couches.
Oh, exactly. The bar to entry for these threat actors is so low. There isn’t even a bar anymore. Okay? They’re just stepping into the room because if you look at the fraud ecosystem, it doesn’t take anything but a little bit of seed money to get into this fraud game. And I’m coming from a place of when I was in law enforcement investigating these types of crimes, so much of it was in person and they had to have the look and have the language and really be able to present themselves as whatever they were saying they were. And now that’s just not the case. You’re sitting behind a keyboard. You can use images that you’ve just pulled off the internet. Now, with all of the technology available, it’s very easy to write slick-looking emails or text messages. And the punishment, if you are caught, which is very rare, it isn’t a deterrent because you make all of this money, it’s banked somewhere offshore and it’s waiting for you when you get out in 18 months.
Can you give us a sense of how big the problem is? The ITRC just released its latest annual report. What is this costing us as a citizenry?
The challenge with this is which problem because there’s so many facets to the identity crime problem. We have the theft problem first, and we just released our data breach report. Now, these are the known, publicly-notified data breaches that occurred last year in 2023. We blew the previous record absolutely out of the water, 72% increase over the all time record that we hit in 2021. So our data and the information necessary to commit these crimes against us is absolutely out in the wild. And I really want your listeners to know, I say this unequivocally, your data is out there. Now, not every scammer has every piece of your data, but I don’t want people to be under the impression that, “Well, I didn’t receive a breach notice or I wasn’t paying attention, so that must not be happening to me.” No, I’m talking to you. Your data is out there.
What’s funny hearing you say that is I’m reminded of a piece of mail I got last week that alerted me to the fact that I could win some money in a settlement because of a data breach that involved my personal information, and I had no idea that I was involved in this data breach until I received that postcard in the mail last week.
Oh, my goodness. The newest form of data breach notification is the class action notification saying, “You’re a member of this class.” I am sure you’re not the only one.
I’m wondering what you see as the biggest change over the years in how people are duped.
We have an authentication problem in this country. Well, globally, frankly. We don’t know who we’re interacting with. But before we had these very cheap methods of communication, really, you weren’t getting a mailbag of fraudulent solicitations dumped on your porch every day. But if you think about email in the same terms, you really are. We’re getting just besieged. And so I think the biggest change has been, I can’t tell who I’m actually talking to because these aren’t in-person interactions and there are so many of them that it’s very hard for me to tell if that is a legitimate business or government entity that’s talking to me.
Let’s talk a bit about why it seems like scammers and thieves are always ahead of those who are chasing them. Why are they so adaptive and challenging to shut down?
There’s a number of reasons. First of all, it is their full-time job. That’s all they do is look for vulnerabilities. I was just talking this morning in our standup meeting with one of our members of our team who was talking about how she could keep her dog from getting out from the fence. They were putting chicken wire under the fence. They put something on his collar so that he couldn’t squeeze through the fence. And I laughed and said, “Your dog’s a hacker. Your dog is spending all day searching for the vulnerabilities in your fence line. And you have to be right a thousand times. You have to have everything absolutely perfect, and the dog only has to be right once.” That applies when we’re talking about the relationship that the good people of the world just trying to live their lives and the good businesses trying to protect their information and their data are up against when it comes to these threat actors whose full-time job is to look for those vulnerabilities and then exploit them.
What, in your view, is the main issue that we’re not addressing in this country to help solve the problem?
I go back to it’s an authentication issue. We cannot continue to authenticate people. And that is, I am who I say I am in the traditional ways that we’ve done it in the past. And mostly, that’s either been in person, I walk in the door and you go, “Yep, I know that’s Eva because I know her from before or we have a past relationship.” But because we’ve moved to so many digital only transactions, and these are often financial transactions, there’s a lot behind them. We don’t know who we’re talking to. Businesses don’t have the best handle. They certainly have a lot in place and there’s a lot of rules and laws and regulations in place to know your customer, but even individuals don’t know. They go to a dating website, they don’t know if that’s really the picture and the person that they’re talking to. You go to Facebook Marketplace to sell something. You don’t actually know if that’s a real person.
And so if we focus more on devaluing the static data and using different types of tools, of course in a privacy centric and consent based manner, we have to devalue this data and work on the authentication problem, and then some of these other issues will absolutely be resolved.
What I was thinking about as you were talking just then is how we have turned our social security numbers into the catchall for authentication. And they were never designed to be used in this way. And given the number of hacks that have happened, including the 2017 Equifax hack, it’s safe to assume for the vast majority of people, if not everyone in this country, that our socials are floating out there and people can use them to pretend to be you and to authenticate themselves as you. And that’s just a glaring flaw in our system.
Oh, it absolutely is. Social security numbers are a good identifier. That’s the Eva Velasquez that lives here, that was born this year. That is me. But they’re not a good authenticator. So that’s where I go into, we need better authenticators. And we have some promising tools. Things like biometrics, even though some people still get that creepy factor, they are very, very useful when used ethically in conjunction with that social security number. Usually not necessarily without it, especially when we’re talking about financial transactions like getting a credit card or a loan or something like that.
Sean, the statistics on this are outrageous and they’re mind-numbing and it almost makes you want to go back to bed and also wonder if you should just expect that this is going to happen to you and just give up and deal with it when it comes, like a natural disaster, but I know that that’s not a good idea.
Yeah, it is so easy to feel overwhelmed by the magnitude of the problem, but that’s why we’re going to go step by step through this process over the next few weeks to empower everyone listening to make the choices and decisions that will best protect them. So in a moment, we are back with Eva Velasquez to talk about identity theft, what happens, how you can prevent it, and what to do if it happens to you. Stay with us.
All right. So this week we’re talking with you about identity theft. Next week, we’ll be addressing identity fraud. What’s the difference?
Well, it’s just like what it sounds like. Theft is the taking of the data, the credentials, the documents that can be used to commit identity fraud, that can be used to impersonate you. The theft has to occur before the misuse can occur.
So theft is really just the first process in this criminal food chain, right?
So walk us through what the difference is between when our data is compromised by an attack on a company and other forms of identity theft.
Well, we just released our data breach report for 2023, and it was pretty staggering, record number of breaches, 3,205.
Oh, that’s such a great point. We know that breaches are underreported, and so these are the ones that were publicly available to us, but there are other ways that that theft can happen. Stealing these things from the mail, that is a huge issue right now that not a lot of people are talking about. Your checks, your driver’s license, passports, birth certificates, anything that’s coming through the mail, these criminal gangs have secured the keys to the blue mailboxes, either through insider threats or through, frankly, holding at gunpoint, holding the mail carriers up for these keys, and they’re stealing them. And they’re not just for sale on the dark web, though that’s happening. But more and more often they’re on the public web, they’re on YouTube. So people don’t even know that their credentials are out there. And these are the physical documents. So there’s two examples, and there are others of the way that there can be a theft of your data.
So when there’s something like a data breach from a company, it’s a hacker going into maybe a cloud server somewhere and getting all the login credentials and credit card numbers of someone who’s signing up for a specific service potentially. Whereas if it’s individual identity theft, it might be someone stealing your passport or your banking information from a check in the mail.
Correct. The scope is different. So in these more analog types of activities, stealing mail, breaking into your car and stealing your laptop, dumpster diving, those things still happen, but they don’t have the scale and the scope that data breaches have. So there are so many ways that they can get these vast swaths of data from these companies that hold our data.
Are there specific industries where these data breaches are more of a problem than others?
Well, healthcare was the number one industry this year, but that’s going on, I believe, six years in a row. It’s hard for us to pinpoint why that is, but the richness of the data itself makes for a very lucrative and enticing target. You’re usually going to have financial information, credentials of some kind, healthcare diagnoses, which often feel deeply personal to people. And I can tell you the story about one incident where it was the data that was stolen and then exfiltrated was for recent breast cancer patients. Included in this data, there was financial information and other credentials, but included were pre-op and post-op pictures.
Why would a scammer want this type of information?
Because it’s leverage to get the company to pay the ransom under threat of if you don’t, we will publicly post these pictures. So it’s a very lucrative and attractive target.
Well, what you just described seems like another example of how a lot of our information is tied up in these servers around the country, in this case at a hospital where we’re seeking care, and it’s just all too easy for a threat actor to go in and do one hack and get everything about us in one go.
Well, I don’t want to say easy. It’s possible, because I don’t want to accuse every hospital or every medical provider of having weak cybersecurity infrastructure. I just think that we’re in this fight. And I go back to the role of the hacker, we have to be right every single time, and they only have to be right once. And so they find a single vulnerability and then infiltrate themselves.
Well, let’s talk about some of the ways that thieves go about stealing our identities. What are some very practical things that we should be on the lookout for? How do we play defense here?
Well, certainly, they want to use it in financial institutions. So they’ll want to get credit cards, car loans, mortgages, payday loans, any kind of financial instrument where it’s a loan and doesn’t have to be paid back. They would love to pin that on you. And for the folks who think, “Well, I don’t have great credit, and so have at it.” Please remember, they can probably get loans. They’re going to get loans that you wouldn’t take because you look at that interest rate and say, “Well, I can’t pay that.” They don’t care. They’re not paying it back.
So in that case, what do you think would be the best way for people to prevent something like that from happening?
Oh, freeze your credit. Absolutely, 100% freeze your credit. It’s free. It’s free no matter where you live. It doesn’t take that long at all three of the bureaus, Equifax, Experian, and TransUnion. And now, you have to keep track of that login information. So that’s one more thing you have to keep track of, but it is absolutely worth it because no one can open new credit in your name, even if they have all of the credentials that are necessary. And honestly, I’m just begging people, have a birthday party and as a gift, just ask your relatives to freeze their credit.
And after that first time of freezing your credit, it’s actually quite simple to thaw when you need to apply for credit again and then refreeze it. You can actually set it so that your credit automatically refreezes after a certain period of time.
Yep. You can set a window.
Well, beyond freezing your credit, what are some of the best ways that we can protect ourselves, especially when we don’t seem to have much control over these cyber attacks and companies that do filter down to us? How do we play offensive?
Well, there are a couple of things that I think people should do. The first one is update your password game. So if you use a unique password across all of your accounts, that is going to be extremely helpful. And for the folks that say, “I’ve got too many, I can’t remember them,” my recommendations are either write them down or use a password manager, which can be a very useful tool if you find them intuitive. A lot of people don’t. And I don’t recommend any particular one over the other, but they can be a very useful tool. And for other folks, again, just go ahead and write them down.
Well, what are some steps that people can take if they’ve found that identity theft did happen to them, or if they think that their identity has somehow been stolen or compromised, what are maybe the first three major things that someone should do?
This is where it gets challenging because this is such a broad problem that the action steps that you’re going to take are going to be really dependent on what type of data we’re talking about. Reach out and get help. Don’t be ashamed or embarrassed that you can’t figure this out on your own. There are plenty of legitimate free resources out there. Now, of course, ITRC is one of them. We have a toll-free hotline. We have live chat on our website, but you can also get a ton of really good information about what to do next from the Federal Trade Commission, AARP Fraud Watch. And of course, there’s you guys. So I would have to say, top three things, understand specifically what has happened to you, what information has been compromised or is being misused, and have that ready. And then two, seek help. Everybody needs help, and this is a really complicated space.
Is there a specific way that people can try to stop the bleeding in the aftermath of an instance of identity theft?
Well, absolutely. And we talked about freezing your credit, and then there’s things like fraud alerts, changing your passwords if you know that it’s a digital account that has been compromised. So in the case of, well, let’s say taxes because we haven’t talked about that. Let’s say it’s a federal tax refund fraud that’s occurred, and you now know that someone has filed a false return or attempted to file a false return in your name. There are specific things that you can do to protect yourself in the future. One of them is the IP or identity protection pin. They’re issued by the IRS, and it’s one more extra layer so that you can’t file your taxes without that pin.
And then from a stop the bleeding standpoint, I always tell people to react, not panic, because if you are spending your mental energy angry and wanting to figure out who did this to you, I would rather see you spend your energy on cleaning up that mess, getting the proper forms filled out, reporting it to the right places, and getting the help to recover your identity that you need versus I’ve got to find out who did this to me so I can get my pound of flesh because I’ve gotta manage expectations here. The vast majority of victims never find out who the perpetrator is, and the vast majority of cases never go through the criminal justice system.
So Eva, what tools would you say we as consumers should have but don’t? Is there a magic bullet out there that just isn’t being made available to us?
I don’t think there’s any one magic bullet. I wish there was, like this panacea that would solve all of our problems, but this is something that all stakeholders have to get involved in. We need government to make some changes to rules, regulations, and policies. We need industry to make some other things available to us. And then we come in. We as consumers need to put some of these best practices, make them habits. Just things like turning on alerts on all of your accounts. You can do this with your financial accounts. You can get an alert every time your debit card or your credit card is used, particularly for card not present transactions.
And the other thing that you can do, again, it’s not a silver bullet, but it’s already available to all of us now. We just don’t necessarily practice it. With all of this incoming communication, if you didn’t initiate the contact, I want you to go to the source. So if you have something incoming, a phone call from the IRS, a text message from your bank, an email from your employer asking you for sensitive data, rather than respond in that thread, I want you to go to the source and say, “Hey, are you trying to get in touch with me?” 99 times out of 100, the answer’s going to be no. They’re not trying to get in touch with you. So it’s just taking that little bit of time to verify and having a skeptical attitude that you have to verify everything that’s incoming that you didn’t initiate the original contact.
I’d love to hear what you would say to listeners who might be thinking to themselves, “This is just too complicated. I don’t have time to deal with this. And there’s nothing that’s really going to help anyway,” because I think it is very easy to feel helpless against this onslaught because like you mentioned before, even reporting an instance of fraud or identity theft to the police seems like it’s probably not going to help much.
I can really empathize with that. And I do hear it. I do hear it from people who are like, “This is so hard. It’s too much, and it’s not how I want to live my life.” Well, not every one of these tips applies to every person. So I just encourage people to focus on, where do you spend most of your time? Is it on email? And if it is, then okay, I’m going to teach you some attitudes and some tips over email, and you can start there until it becomes a habit. Is it on social media? Well, I really want to teach you some habits and tips that you can practice on social media so that you aren’t going to be victimized, so we can start there. And even putting just those small things day-to-day in place, it stops you from being the low hanging fruit. And scammers love the low hanging fruit, so don’t be the low hanging fruit.
Well, final question, Eva, I have to ask. I know you started your career in law enforcement, but despite that, have you ever had your identity stolen? Has any of what we’ve talked about today hit home?
Well, early on, I did many, many years ago, and it was an existing account. I had a couple of different times where an existing credit card was misused and not authorized by me. And I don’t want to turn myself into a target in case anyone is listening and saying, “Oh, she hasn’t had someone open new accounts in her name.”
Well, Eva Velasquez, president and CEO of the ID Theft Resource Center, thank you so much for helping us out today.
It was a pleasure. And I hope folks learned something today and they feel more empowered to be able to take care of themselves out there in this crazy identity world.
Sara, what I keep coming back to is the simple fact that identity theft scammers really have the upper hand right now. As Eva said, a scammer’s full-time job is trying to manipulate us and manipulate our personal information to get our money. And regulation has not kept up. So like with many things in this country, we unfortunately are on our own right now, and we have to do everything in our power to try to keep ourselves safe and financially afloat.
It’s unfortunate that regulation doesn’t keep up with the tech savviness that’s happening here. And so that’s what’s really slowing down any real efforts to provide some, not just protection, but maybe compensation, if this happens to you. Yeah, that’s the issue. Not only do you need to be protected, but you need to be made whole if it does happen to you. It feels a little bit like the Wild West. All right, Sean, what’s coming up next week in episode two of this series?
Next week, we are going to look at what happens when thieves steal your identity. The next step is to commit fraud with that identity. And for most people, you’ll never see it coming.
August 28th was a normal day. I took my cat to the vet, went and got groceries. That morning, I checked my online banking just to make sure I had enough money to do everything. It just seemed like a normal day. And then everything changed that evening when I got that email.
For now, that’s all we have for this episode. Do you have a money question of your own? Turn to the Nerds and call or text us your questions at 901-730-6373. That’s 901-730-NERD. You can also email us at [email protected]. Also, visit nerdwallet.com/podcast for more info on this episode. And remember to follow, rate and review us wherever you’re getting this podcast.
This episode was produced by Tess Vigeland. I helped with editing. Kevin Berry helped with fact checking. Sara Brink mixed our audio. And a big thank you to NerdWallet’s editors for all their help.
And here’s our brief disclaimer. We’re not financial or investment advisors. This nerdy info is provided for general educational and entertainment purposes and may not apply to your specific circumstances.
And with that said, until next time, turn to the Nerds.