(cover image by Brian A Jackson)
Identity theft plunged my life into a bureaucratic nightmare. In this series drawn from my personal experience, I outline what to expect if you become a victim.
This is part two of a 3-part series. Find part 1 here.
No part of this post or others in this series should be construed as legal advice – I am merely discussing my own experiences and providing some supporting information. Any individual should seek (or not seek) counsel based on their own judgement of their situation.
Intro –
It started with a phone call about a denied credit application in my name. Then more calls and notices came in, and strange new lines of credit appeared on my credit report. It quickly became clear that someone had stolen my identity.
In Part 1, we discussed common warning signs of identity theft and prevention best practices. Now in Part 2, let’s dive into the various organizations and agencies needed to engage to clean up the mess.
Readers – do you have perspective or expertise on other forms of ID theft? medical records? Other PII? – post a comment or message us, and I’ll integrate contributions into the main articles
TLDR / Summary
- Navigating an intricate network of nearly a dozen entities is a given.
- The FTC and Law Enforcement are indispensable allies in this ordeal.
- Banks & credit bureaus, on the other hand, aren’t your “BFF”; prepare for a maze of procedures and misaligned incentive structures.
- Total recovery is a marathon, not a sprint: it demands hours, persistence, and sometimes legal counsel.
Part 1: Full scope and early contacts
Groups a victim may need to engage
One of the first headaches I ran into in my journey was figuring out which entities to engage, in what fashion, in what order. While the FTC was extremely helpful in getting the basics sorted out, I ended up learning a lot more through the process, and hopefully others can benefit from my pains.
Here are the main entities identity theft victims often have to deal with:
| INSTITUTION (all links to relevant fraud departments) | SUMMARY |
|---|---|
| The Federal Trade Commission (FTC) | The FTC’s IdentityTheft.gov website has response guides, templates, and other valuable resources. Many other organizations will look for an FTC fraud report before taking action. |
| Local Law Enforcement | A police report is required by many institutions to take corrective action – the police should be one of the first groups engaged. |
| https://www.annualcreditreport.com/ | Source for a free credit report from each bureau, once per year. You may need to pull several reports, so take advantage of every free option. |
| The major credit bureaus * Equifax * Experian * Transunion | The organizations responsible for determining your 0 – 800 credit rating. Most forms of identity theft will impact your credit score, and therefore you’ll need to liaise for corrective action. |
| Chex Systems | The “checking account equivalent” of a credit agency. Used as a resource by commercial banks. |
| Institutions with fraudulent accounts opened in your name | You can identify relevant institutions through a combination of credit reports and any suspicious statements of phone calls. |
| The IRS and The Postal Service | Should attackers commit tax fraud or mail fraud with your stolen information, you may need to engage the IRS or USPS to clear your name. |
| Debt Collection Agencies | If a fraudulent account has been open for too long, creditors / banks may engage debt collectors to aggressively pursue you for money. |
| A lawyer or law firm | Can assist with negotiations, help deal with actual legal or criminal ramifications. Whether needed or not will depend on the severity of the theft and abuse. |
| All other institutions you have fiscal relationships with | Best practice – report suspected identity theft to institutions you have accounts with, even if not part of an initial breach. There is no guarantee a criminal is “Done” after “one round” of inquiries. |
| Credit Monitoring Services | As a follow-up to a theft, one might wish to place longer term 3rd party monitoring or protection on one’s credit. This is potentially expensive in the long run, and there are cheaper (albeit less “Slick”) options. |
Let’s have a look at what to expect in some of those key interactions.
Law Enforcement and FTC: Helpful friends
The FTC: A beacon of hope(?)
image: dnewman8
The FTC proved un unexpectedly effective ally in my fight to reclaim normalcy. The IdentityTheft.gov website was remarkably user friendly in interface, contained actionable action plans tailored based on easy-to-complete questionnaires, and housed readily customizable templates for communications with other entities. For a government-run website, it stands out for its ease of use and practical assistance.
Local Law Enforcement: Call for backup!
If you set your expectations appropriately, local law enforcement is also your friend.
That means – don’t expect criminal prosecutions – your police are more a support system than a detective squad in ID theft cases.
Though that last statement may seem counterintuitive, most local agencies are not equipped, with either the expertise or the time, to track down an individual identity theft case. Though you might want “Justice”, or “Revenge” – you should instead target “getting back to normal.” The biggest value add from your local PD is a solid police report, which others will look to for validation that your claims are legitimate.
Part 2: Banks and Creditors
Financial Institutions: An uphill battle
If only every institution I interacted with had been so helpful as my local police…
Dealing with banks and credit unions was without a doubt the most agonizing part of cleaning up the fraud mess. Their incentives often seem aligned against victims. Their investigation processes can be opaque and lengthy. Persistence and forcefulness are required to get anything done with them.
In my case, I had the displeasure of dealing with Digital Federal Credit Union – a large regional credit union with $10 billion in assets – for the core of fraud against my name. While normally I wouldn’t “name names”, numerous 1 star consumer reviews seem to corroborate my experience so I’m willing to share.
I knew things were going to be wild when I received a welcome packet featuring a numeric PIN that was only 4 digits long – which a representative confirmed was their minimum standard length (and default!).
I’ll leave that to sink in a moment.
This would have been far more secure than the creditor I was dealing with….
Welcome to banking like it’s 1983! The “Digital” in the name strikes me as particularly ironic.
Across all institutions I dealt with, they uniquely failed to prevent fraudulent account openings and subsequently resisted my efforts to close them. They refused to furnish me copies of the documents used to open those accounts, despite this being a legal right under the Fair Credit Reporting Act, and had sluggish, non-transparent response processes. I consistently needed multiple, lengthy phone calls, levels of escalation, and extra documentation to get anything done.
In sum, I endured:
An Epic of Frustration
- 3 months elapsed calendar time
- 2 extensive written evidence packets of 20+ pages length
- Over half a dozen phone calls, each between 1 and 3 hours long.
- Producing more evidence to close an account than was needed by thieves to open it
- About a person-week of effort in correspondence and follow-ups
And yet, even after clearing the immediate issues, I’m still waiting for the documents used to open the fraudulent accounts.
This exhausting process, unfortunately, is a common plight for many dealing with identity theft. I was actually on the lucky side, given this was just one institution – many have repeats of the above across multiple creditors.
Credit bureaus: Mixed response process … Circa 2000’s tech
Dealing with the credit bureaus yielded mixed results. While their tech capabilities were dated and processes cumbersome, one bureau impressively resolved my issue within a business day using a blend of phone and online interactions. Another, however, took over two months and required an exorbitant amount of paperwork.
I suppose this shouldn’t really be shocking, we all remember the Equifax Breach back in 2017..
Key issues:
- Electronic dispute systems were available but flawed. Identity theft cases demanded additional phone calls at one bureau, and another accepted disputes online but required evidence to be mailed separately.
- Dispute resolutions were often on a separate site with no integration to the main bureau portals, requiring recording and manually entering lengthy ID numbers.
- Websites that were like time capsule’s from the early 2000’s
- Online forms had frustrating timeouts, forcing me to draft responses elsewhere and paste them in to avoid losing their work.
- Constant re-authentication interrupted the process, reflecting a dated approach to session security.
So, while the credit bureaus’ investigative outcomes were positive once they received a request and evidence, the journey to that point was fraught with technological inefficiencies.
Part 2 Wrap up & Summary
Identity theft is more than a mere inconvenience; it’s a personal violation with a daunting path to resolution. The multitude of entities to confront and the months of time required necessitate perseverance and tenacity.
Stay tuned for the concluding part of this series, where we’ll wrap discussion of a few additional entities involved and share a pragmatic response guide based on hard-earned lessons.
Any other angles you’d like to see covered? Personal experience to add to things? Put them in comments and we’ll integrate into this and subsequent posts!
Tech Security Bytes 
Leave a comment