FraudKast
The LexisNexis Risk Solutions FraudKast exposes fraud and theft across all types of government benefit programs. We seek to interview leading experts from both law enforcement, as well as agency investigators to understand and reveal nefarious methods against federal and state programs.
Examples of government fraud that will be included are DMV fraud, SNAP fraud, student loan fraud, social security fraud, state retirement fraud, housing fraud, Medicaid/Medicare, and Tax refund fraud, etc.
All guest experts are on the front lines of detecting, preventing, and fighting these types of government fraud.
FraudKast
Uncovering the True Financial and Personal Impact of Identity Fraud on Government Programs with Eva Velasquez
Identity Theft is a growing problem throughout all levels of industry, healthcare, and government. This podcast explores the various methods used to deceive individuals and steal identities on an individual basis or at scale. This multi-billion dollar industry is now about to explode with the advent of artificial intelligence and the potential nefarious applications across our society.
DISCLAIMER: The information provided in this podcast is for informational purposes only and is not intended to and shall not be used as legal advice. The views and opinions expressed in this episode are solely those of the speaker/s and do not necessarily reflect the views or positions of LexisNexis Risk Solutions. LexisNexis Risk Solutions does not warrant that the information provided in this podcast is accurate or error-free.
Narrator: Hello and welcome to the FraudKast, brought to you by LexisNexis Risk Solutions. The series that shines a light on fraud and theft across numerous government benefit programs. FraudKast is hosted by Larry Benson, Director of Strategic Alliances for LexisNexis Risk Solutions Government division, and the creator and principal author for the Fraud of the Day website. And now, here’s Larry with today’s guest.
Larry Benson: Welcome to the FraudKast. This is Larry Benson, your host, and today we're going to examine identity theft and the impact on government benefits. Our expert today is Eva Velasquez. Eva is the President of the Identity Theft Resource Center and an expert in this field. Eva, welcome.
Eva Velasquez: Oh, it's my pleasure to be here, Larry. I'm ready to chat.
Larry: So Eva, let's start off by getting everyone on the same page and understanding what does the Identity Theft Resource Center do.
Eva: Well, we are a 501C3 charity organization. We were established in 1999 and our mission is to empower and guide all stakeholders. So, we work with everybody. Government, businesses, victims, consumers, thought leaders, anybody who will listen to us. And we want to empower and guide them to mitigate the risks and harms of identity crimes. And it's pretty broad. When I say identity crimes, I'm talking about scams and fraud, identity theft, data breaches, identity misuse, anything that has to do with a US identity credential. If someone's having an issue with that, they can reach out to us for free advice, assistance, recovery plans, risk minimization plans, and we do all of that through our contact center. It's direct assistance, so it's staffed by live advisors. We have self-directed help on our website. We do research papers. We do education and presentation, so we really just try to be out there in the space letting folks know that they don't have to go it alone.
Larry: Well, that's great, it's definitely needed. Now, we know that identity theft is a growing problem. It's a global problem, quite honestly, but let's just look at it domestically. And right now, there are new scams coming out every day. So, can you kind of talk a little bit about some of the scans that you're seeing, some of the growing scams and some of the impacts that you're seeing as well?
Eva: I can absolutely talk about the trends we're seeing directly from our call center. So, we are talking to folks every single day, and in addition to the types of scams we're seeing, the tool, the instrument, is social engineering. Social engineering is far and away the tool of choice by all of these scammers, and it's across platforms, social media, your online accounts, websites, on your phone, in your email. And that's really where we're seeing the explosion of scams that are affecting the general public. And you know, on that note, I think that there is a real disconnect with folks who think: “They're not talking about me. I'm not vulnerable to these things because of XYZ”, insert behavior practice reason here, and that's just not the case. Everyone is vulnerable. You know the topic of this podcast, we may have listeners that maybe falling into that trap themselves: “I stay in touch with all of the latest trends. I make sure that I practice good cyber and identity hygiene.” And those are all really important and I want to encourage everybody to continue to do that. But, the scammers, they're so crafty and we are being deluged. Everyone is vulnerable under the right set of circumstances, and I think that's a really important thing for folks to remember.
Larry: So, you're seeing this going on in a broad spectrum. When it comes to government benefits, things like SNAP, unemployment, state retirements, etc. Are there specific scams that are coming in after those or are these broad scams across the whole spectrum?
Eva: We're seeing it, really, it is across all agencies. And so, we're still seeing unemployment. I know that that has been talked about ad nauseam, but it is still happening. I think there was this misguided notion that when the enhanced benefits ceased, that all of the sudden this problem would go away. It wouldn't be a lucrative or attractive target for the thieves, but that's not the case. We are still seeing an increased baseline there. We're also seeing an increase in DMV account takeover and driver’s license misuse. As that became a more important credential in identity verification and authentication, well that data became more valuable to the thieves. So, they're going after harvesting that data and trying to misuse that credential. So, we're seeing it in unemployment at the state level. We're still seeing issues with IRS and fraudulent tax returns being filed, and we're definitely hearing from more people who are realizing that their Social Security number is being used for employment purposes. That's always been around, but it's continuing, and people are starting to feel the consequences of that. So, when you think about how all of our credentials are intertwined with not only private sector systems, but with all of these government systems, then you can see how a single misuse can impact someone significantly. They're not just contacting one government agency. They're contacting multiple agencies because of how they're intertwined. And I can give an example of that if you'd like, a concrete example.
Larry: Please do.
Eva: OK, so we get a call in from the contact center for someone that says someone filed for unemployment in my name in multiple states. Not only do they have to contact those states, they also have to contact the IRS, and the tax department in the state where they reside because they don't want those dollars counted as income.
Larry: Mm-hmm.
Eva: Now, if they're on Social Security, which a number of these folks are, they also have to contact the Social Security Administration, because they have to report to them: “Hey, that's not real. That's not my income. Please don't reduce my benefits.” And we are talking to people that are having to go through this on a regular basis. And then they have to contact a reporting agency like a Police Department, maybe the FTC to get the affidavit, they're contacting us. There's a lot of legwork involved in a single incident, particularly when it comes to government identity theft.
Larry: Are there preferred identities that these identity thieves want to steal? You know, when we start talking about Social Security, you're talking about elderly, retired people, et cetera. If you're talking about children, all of a sudden, I would think those identities are attractive because they can be used for a long time, and mom and dad usually aren't looking at those. What do you see in those trends?
Eva: I absolutely agree with you. The identity credentials of children, certainly very, very valuable for the reasons you just mentioned. Then file people who don't have a long credit history or a lot of credit history. Recent immigrants to the country, those are also very attractive identities, again for the reasons you just mentioned. But really what we're seeing is the identity thieves are casting a wide net. They don't seem to be picky. So, the sophisticated, well-heeled fraud rings, they are very likely looking for these identities where they're going to be able to use them across multiple platforms, use them for a long time. I think they're a little bit more discerning in what they're looking for, but because the bar to entry is so low to perpetrate identity crimes, we can go down a rabbit hole and talk about that. But because it's so low, I do think that we're seeing a lot of misuse of any credentials: “Whatever we can use, we're just going to keep hammering these systems with whatever credentials we have” and frankly, making them up, especially for government benefits and for new credit applications. I think folks often think that this can't happen because there's some kind of interaction between the Social Security Administration and the credit card issuers, and there is, there's a mechanism that does that and they are trying to work on the ECBSV, the Electronic Consent Based Verification System, and get that more broadly used. And that will solve a lot of these problems. But until that happens, sometimes the fraudsters just make up a Social Security number, they just make it up out of thin air. It actually gets through and they can build this synthetic identity. But what a lot of people don't realize is then that number can actually be issued to someone. So, we have talked to parents who have a 6-8 month old child with a 5 year credit history, and it's up to them to clean up that mess when the number was tainted before it was even issued.
Larry: Not surprising. What I've learned is that there's a number of people that don't understand that going and getting identity protection doesn't protect you against things like government benefits and the fraud that gets perpetrated on that side. The identity guards and the life locks of the world can protect you on the credit card side, on the bank loan side, things like that. But to have that same identity used for SNAP benefits, unemployment, food stamps, that all can happen, and that is completely transparent to that whole identity protection side of the world.
Eva: Without naming names because we are agnostic when it comes to identity protection companies, they actually can have a lot of value. They can help do some of the monitoring that would be really time consuming for an individual, but to your point, look, there's no panacea, there's no product or service out there that's going to completely eliminate your risk. So, we as individuals have a responsibility, and if you want to use one of those protection companies as one of the tools in your arsenal, do your homework and make sure that you choose the right plan for you. But I also want folks to know if you don't have the disposable income to pay for a service, there are still a lot of free resources out there for you to use, like the ITRC, the FTC, AARP has a lot of resources for seniors, but this gap in government that certainly exists. I don't know if you took a look at the presidential plan that dropped back in March, that is really looking to address some of those gaps. So, at the very least, there has been a more recent acknowledgement of these gaps and lack of universal processes to address them, and they are looking at solutions. So that is a silver lighting in this area, but you're right, government benefits, we just don't have the same processes in place that will allow us to both monitor and recover.
Larry: Mm-hmm. Have you seen any kind of increase in fraud taking place at the DMV's where people are actually going in and getting licenses under someone else's name? How is that perpetrated and who's doing it?
Eva: Well, we've seen it on both sides. So, we have actually seen it in our data, in people contacting us in our contact center, and sharing with us that they're driver's license has been misused, that someone used it in the commission of a crime to apply for government benefits. But we're also seeing it sort of in the ecosystem. David Maimon at Georgia State University. There's a research lab there. He's got amazing information on just how prevalent things like mail theft and all of these credentials, physical documents, and copies of things like driver’s licenses are being stolen from the mail. We've seen that some of these more sophisticated fraud rings, when they look at the equipment that they've been using to make fake driver’s licenses, it's actually the legitimate equipment that belongs to the states. So, the equipment necessary is out there. We know that there's insider threats. If you look at the prosecutions of people. So, there's just all of these different vulnerabilities that are adding up to fraudulent driver's licenses, often using a legitimate person’s number and credentials, just different physical descriptors. They're so out there and they're so prevalent that it's no wonder we're actually now starting to see in our contact center more people discovering the misuse of their DMV, and I use the word account in air quotes just to signify it could be the number, it could be the physical license. We're actually seeing that increase pretty dramatically in 2022.
Larry: The DMVs, from what I have seen, are seeing that increase that you're mentioning. And I'm just kind of, from what I've been able to understand, we're seeing more and more, really in three categories, going in. They’re fugitives, there's the undocumented, and then there are the drug dealers. And it seems like those are the three primary categories that I have seen going in. Have you seen the same thing?
Eva: It makes sense. The way we look at our data is, we don't necessarily do attribution, who the criminal is, because we're victim recovery services and that's where we're focused. So, we're looking at the misuse, but when we look at those categories, how it's being misused, it does make sense. Criminals. Fugitives. Yes, absolutely undocumented folks, because we are seeing a rise in the misuse of Social Security numbers to gain employment. So, these folks are actually paying taxes, often, and not reaping any of the social benefits. But they want to work, so they're using it to work. And without commenting on the broader social issues there, we do have to acknowledge that it really creates a mess for the person who legitimately owns that credential. Because they have to unwind that with the IRS, and the Social Security Administration, and all of those places. So yes, that's my long way of saying I would agree with those categories just based on how we see the misuse occurring.
Larry: Mm-hmm. And I've recently seen that student loan fraud is starting to come to the forefront, that individuals that are elderly are being called by the Education Department, the Federal Education Department, and being asked when they're going to pay their loans back. And these people are sitting there saying: “We've never taken a loan, we don't know what you're talking about.” Somebody else who has used their identity to get a student loan are long gone.
Eva: Right. We haven't seen that necessarily, that age group, in our contact center. We tend to get the young people that are calling us because they're applying for their own student loans or student aid. So, they are trying to launch into their future, you know, better themselves, and they can't because they're told they don't qualify. They already have loans out or have received aid. That's mostly the callers that we get. I have a feeling that as this becomes more prevalent and they are catching more of this fraud, that we might start getting more contacts into our contact center from this older generation that's going: “I'm not going back to school, I'm retired, I didn't file for this loan or this student aid.” But we're not really seeing that in the contact center yet.
Larry: So, you'd mentioned synthetic identities previously and making up Social Security numbers combining information under a name, a different social, an address that doesn't exist, etc. How much of a problem does this create across different agencies, since a lot of those agencies really don't have any ID proofing, they don't front end it with any, what I'll call deep security, and now all of a sudden money starts to flow out to the wrong parties?
Eva: Well, I think if you ask the agencies and ask the public, the answer would be we don't know. Because I don't think they know how big of a problem they have. These things are so siloed, and we understand that it's necessary to protect individual privacy, and that we don't want our data being shared ubiquitously across all government platforms. That doesn't really feel right. However, we need to start having some conversations about smart data sharing. There are ways to do some of these activities like you just talked about, more of the identity proofing, which we're starting to see more at the state level. We saw the IRS start doing more of that about, what's it been, about 10-12 years since the floodgates opened and they had to kind of, you know, the fraudsters just kick that door open and the IRS has slowly been closing it. So I mean, I think we do a good job of measuring the OIG reports and things of that nature. We’ll look at some of these things in silos, but I don't think we have a very good handle. If we try to look at it really, really broadly on just how big of a problem this is, because of how siloed we are
Larry: Do you think that there should be a national identification card? I mean, realistically, you've got a Social Security card issued by the SSA. You've got driver’s licenses issued by 50 States and six territories. By the time you've got all the overlaps that go on, would there be a better way to do it? To have SSA issue some kind of credential that can identify anyone nationally?
Eva: Well, I mean, to your point, everybody has a strong reaction to: “Ugh, we can't have a national identity card.” We already do. And we have state level cards. I think that using static data only, is where we need to kind of rethink that, because I've had people definitely say we need to get rid of Social Security numbers and issue another number. Well, that's just recreating the same problem. I think the solutions that we need to look at are going to put a little bit more control back in the hands of the individual credential owner. There's going to have to be a level of data sharing and information sharing so that that credential can be used not just by industry, but by different agencies, both at the federal and the state level. And I think there's going to have to be a biometric, probably a picture. People forget that biometrics, a picture of your face, that is a biometric. But we may want to start exploring how we can follow more of the NIST standards and the best practices. Something you know, something you have, something you are. How can we tie that into a universal credential? I don't have the answer to that. That's a huge, that's a very heavy question. But I think we need to have more of those conversations because these physical tokens that we have, they're not working. That part of the system is broken. These numeric static identifiers that we have, that's also not working. So let's look at not just what's going to fix the problems we have today and work today, but what is still going to be working five years from now. Because the problems we have today, they're not totally brand new. They've been around for years. We've just failed to kind of keep up with the times, the way the fraudsters have.
Larry: Yep, I agree. So, the criminals themselves were looking at, they're coming in. Everything from the DMV to online. All these different attacks from different directions. Do you see these as mainly domestic individuals? Are these international individuals? Is this organized crime? Tell me what you've seen in that area.
Eva: Yes, yes, yes, and yes. Actually, to break it down, and this is my opinion just based on the data that we're seeing both in the contact center and just, you know, out there, when we look at all of these different reports. I really feel like we have had a new sort of incoming, small, mom and pop fraudster type, domestic type of criminal come into the fraud ecosystem. And the reason I think that is based on looking at all of the social media account takeover, and the social engineering that's going on with scamming individual social media account users and owners. It's so targeted. It is highly specialized. The hook that's being used to get individuals to respond is requiring a fair amount of due diligence and research, just to get that one person to respond. I guess the best example I can give is, you know, once a social media account has been taken over, and that's mostly through social engineering, the scammer then leverages the trust that the followers have in that legitimate account holder, and they use it to scam them, but they aren't doing these blanket asks. They will send direct messages to individuals that resonate with the individual. So, for example, if someone in my social media network came to me and sent me a direct message, they're not going to ask me and say: “Hey, I've got this great investment opportunity, you should try Bitcoin.” Because they don't see on my profile that I'm into the hustle and into investing, and that might be something that would resonate with me. They're going to come after me for a fundraiser or charity scam, because I talk about philanthropy and volunteering and doing good in the world. They're going to say: “Oh, I'm doing this fundraiser for this animal shelter in my community. Would you donate?” And I'm going to say: “Well, yes, what a worthy cause”, that's going to resonate with me. You know, another example, someone who is maybe a student going back to school, trying to better themselves, know that they're struggling, they're going to hit them with a: “Hey, I found this government grant that I got, and I know you'd be eligible for it. You do have to pay this processing fee, but I almost guarantee you're going to get it, let me help you get it.” “Oh gosh, what a saving grace, I would love to get that government grant.” And of course, none of these things are real. They're all fictitious, but the amount of time that has to go into that, I don't think the international, sophisticated fraud rings are looking for that. They're looking for higher dollar numbers, they're looking for bigger bang for their buck, so they're going to be focused on a different group, victim population. Whereas these small time, newly entered fraudsters just trying their hand at: “Hey, I heard this could work, it doesn't require any technical skills. I don't have to know how to write code or hack into a system or exploit those vulnerabilities. I just have to know how to talk to people and hack their brain, do some online research. Sign me up.” Now, again, this is my own personal theory. I don't necessarily have specific data to back it up, but I just feel in my gut that that's what's happening right now, is we see this explosion of these smaller dollar value scams being perpetrated against people who are just regular Joes like you and me. These are not high net worth individuals or businesses. Of course, all of that's going on, but now we're just seeing regular folks being hammered, at volumes even greater than what we've seen over the last couple years.
Larry: Well, I think the word that you said that resonates the most here is “easily building the trust”, because if you can reach out to someone and just know that, let's say they have a bank account at, you know, ABC bank and you get the phone call saying: “Oh Mr. Smith, Mrs. Smith, this is ABC bank. Your account here…” That all of a sudden makes them think: “Oh, well it must be ABC bank because they know I have the account here.” And now: “Oh well, we're concerned that perhaps your account may be in jeopardy. I just want to verify your identity. Can you give us your account number?” Something like that. And start to pull that information out of them where it makes them relax, put their guard down, and give them information that they really shouldn't be giving.
Eva: You are calling out what we are hearing in the call center. And the added layer of that is oftentimes because a lot of this data is so available not just on the dark web, but now on the public web. And it's cheap. These callers pretending to be your financial institution or your credit card issuer, they're going to know your name, your date of birth, your address, and that gives people this sense of: “Well, they knew all this about me. They obviously know my phone number or my email because they've contacted me and they know my name, my date of birth, my address. So, it must be XYZ company calling me.”
Larry: Correct.
Eva: And you're right. Then they go: “OK, well sure I know I have to verify myself, so here's my account number and my Social Security number,” and get this. Now the fraudsters are even asking for things above and beyond that. They're asking people for their IRS pin, and because a lot of folks, they're not doing this every day like you and I are, they don't understand how that's not actually something that would be a useful identifier for your cable company. Your cable company can't use your IRS IP pin to verify you, but they don't understand that. They just know it has something to do with my identity, so they're sharing that as well.
Larry: Sure. Let me get your Social Security number, your IRS pin. How about your driver's license number? How about your Medicare/Medicaid number? I mean, the list just goes on and on.
Eva: They will continue to ask for those credentials. If you keep volunteering them, they'll continue to ask until the red alert goes off and you go: “Oh, maybe I shouldn't be sharing this.” That's when we hear from people. Whatever the trigger is, they stop sharing the information and then they contact us, and we go: “That was absolutely a scam.” But the fraudsters will keep asking because now they just want to harvest your data.
Larry: Sure. And one of the things I've seen, and you can confirm this hopefully, is often they'll get elderly that are sometimes lonely etc. And the elderly are looking for some kind of social connection, and now all of a sudden they've got a phone call and they start giving out far too much information.
Eva: Well, and staying engaged on the line. If it weren't for loneliness and craving that social connection, they may just hang up the phone. There's a lot of factors in there, though. Not wanting to be rude, feeling like, that, this generation feels like: “Oh, you don't just hang up the phone on someone, that's just rude.” Well, I give you permission. Any elderly listeners, I give you permission, you can hang up. It's not rude, it's protecting yourself. And I mean, we've even seen with a lot of the, romance scams get so much attention. And they are real, and they are happening all the time. But we're also seeing it morph into relationship scams. It isn't always about romance. It is about building a connection, familiarity, shared interests, and things of that nature. And then once that relationship is built, you know it's: “Oh, can you loan me money, or I have this business opportunity”, or whatever the hook is, but because of the desire to connect and maintain what you think is a legitimate friendship, they'll often do a lot more than someone else might. After the first two loans, someone might go: “I can't do this anymore.” But they might be able to get four or five out of them, and wire money, and just keep it going for longer because of that need for that connection.
Larry: Sure. We mentioned Medicare, Medicaid before. On the medical ID theft, what have you seen on that side?
Eva: You know, medical ID theft is such an interesting category because I have watched it stay pretty static as far as the rates, at least that are reported to us, it actually only accounted for 1% of all of our cases last year. Government was top, then financial, then criminal was 4%. But it's also one of the absolute hardest types of identity fraud to recover from because we don't have a universal place that you can lock down your medical information, it's provider to provider. Yes, you can contact your insurance company, and the case you're talking about, you can contact Medicare, but it doesn't necessarily stop that credential from being misused at other providers. It's just really hard. It's like a game of whack-a-mole, and it can stop people from having their legitimate medical needs met. So now we've gone out of the world of sort of fraud and finances, and it's really impacting your physical wellbeing. Because if you have mixed medical records, you can get improper care. If it's being commingled with prescriptions, you may not be able to access prescriptions that you legitimately need to take care of a health concern, whether it's chronic or acute, until you unwind this. So you can't actually take care of your health. So even though it's a smaller percentage, again, that we're seeing in our contact center, it can really have devastating consequences.
Larry: I'm assuming that if you've got the true holder of the identity is allergic to penicillin, and someone goes in and steals her identity, and now all of a sudden the record shows that they can have penicillin. As you said, dire consequences.
Eva: I can actually tell you two stories. One, we did have someone who was suffering from appendicitis, but because they had mixed medical records, it was showing that it was removed, and so it took a while to figure out: “Wait, these are commingled records, this person actually does have appendicitis, we need to go remove their appendix”, and that one is very, very scary. One of the other ones that we saw, and it actually was with Medicare, was a senior female called us because she got an explanation of benefits. So it wasn't a bill, it was just an explanation of benefits. She lived in Florida and it was for a vasectomy that was performed in another state, and she was just baffled. She goes: “I don't even have those parts, I don't live in that state, I do not know how this happened.” And we said this is fraud. Obviously someone was using your information to get this medical procedure. And that one we can laugh a little bit about it because it's so absurd and it didn't cause her any immediate harm, but she certainly had to go through the process of contacting Medicare and going: “No, this isn't me, I did not receive these services, someone is using my information, go back and make sure they don't use my Medicare information again.”
Larry: I just have to believe that on the medical side as well as like the student loan side, that there's so much more fraud that goes on that even gets reported in. It's got to be billions across both.
Eva: I would absolutely agree with you that the reason that at least we see such low numbers, is because it's not just not reported, it's undetected, it's undetected by the individual, the legitimate credential holder. So even if it's being resolved at the entity level, they're not alerting the individual and that we know is a problem, frankly, across industry and government agencies where they will identify a potential fraud, resolve it within their own platform, but they don't alert the victim. And the reasons when I've talked to folks, the reasons are plentiful. “We don't want to scare them. We don't know what else we can tell them.” But there is, I do think the decision, it's being made as a decision, that we're simply not going to notify people because it's too hard. It's too hard and time consuming. We don't know what they do. And I think that lack of transparency is potentially keeping those numbers artificially low.
Larry: We know that from back in 2016, I don't know if you recall John Koskinen, who was the Commissioner of the IRS, was brought up in front of Congress and they asked: We don't understand how a W2 can be reported with a Social Security number, but that same taxpayer now submits a tax return with an ITIN on it. So obviously somebody has stolen a Social Security number to get a job. They now are likely here illegally. They want to report the taxes, so they actually put the ITIN on the return. You're getting the W2 and the return together. You know this and you're keeping a separate file. He said: Yes, we have 800,000 tax returns coming in with that every year. We have a separate file. We know that the Social Security number, and I love this, the Social Security number was borrowed and they're using that so they can get the job, but they want to pay their taxes. So they pay their taxes, and our job is simply to collect the taxes. It is not our job to inform the American citizens that their identity has been stolen. Eva, it's 800,000 Americans that have their identities in jeopardy, and the IRS is not telling them.
Eva: Well, and extrapolate that across all the platforms. Unfortunately, a lot of these institutions have this feeling that, well, we stopped … again I go back to the silos, you know, we stopped that fraud here, or we found a workaround so that it doesn't have a direct impact to that credential holder from our agency, our department, our company, and that's our obligation. And until we sort of turn that on its ear and say no, no, no, we all have to be in this fight together and that includes informing the individual, so that they can be a part of the solution. I don't know how much progress we're going to make in this area, but I mean, I had numerous conversations at the state level and with organizations about: What are you telling the [victims], we don't tell them anything. I do know that there were some experiments done. This was a long time, over a decade ago, trying to proactively notify people whose credentials were sort of out in the wild. So, third parties, organizations would find them and then they wanted to notify people, and it did create a lot of backlash, because people didn't know: “Well, who is this? Is this a scam? Who is this telling me that they found XYZ on the dark web?” I just think that a lot of those projects were probably a little bit ahead of their time, but everybody's very gun-shy. They don't want to do anything like that again. When I think the time, now, I think it would be received very differently. Just because this knowledge of the dark web, of your credentials, of identity crimes, it's a lot more a part of the national conversation. So, I think those kinds of notifications would be beneficial, and I'd like to start seeing some folks doing that again.
Larry: The good news is that the IRS was told by Congress: You will start notifying the American citizens that they're identity is in jeopardy. So that was at least back in 2017. So hopefully that's been going on.
Eva: We did start getting calls from people who were confused because they were getting notification about an attempted misuse: “Someone attempted to file a tax return in your name, but we stopped it.” And there was some confusion. People were like: “Is this real? Is it really the IRS?” And we would talk them through it, and here's how you verify it. And it was real. It was real. They were getting that letter. You know: “No action on your part with the IRS”. They resolved it, but let's look at what credentials were misused and what else can we do to help you minimize your risk. I mean, that's why we exist, and we helped fill that gap and helped people understand what the best risk minimization tips would be, or plan would be, moving forward. So, I do think more of those notifications. Hopefully it won't take an act of Congress. Maybe we can do some more of this voluntarily, but we'll have to wait and see.
Larry: So, the last question I have for you is business identity theft. I'm seeing more businesses have their identity stolen and it's tied to individual identity. Are you seeing that and what are the trends there?
Eva: Yes, and really it came, for us, it came to the forefront with PPP loans because it was much easier for the criminals to create a fictitious business and use an individual Social Security number as the business owner. So instead of having an EIN, or applying as an LLC or a corporation, they just said: “Oh, it's a sole proprietorship, and here's the business information.” So, the PPP loan was tied to an individual through their Social Security number rather than a business identifying number. And we're sort of continuing to see that. I mean, there's so much business identity theft, and even when it is tied to their EIN number, those are publicly available records. And so, it can be anything from taking over existing accounts and making changes at the Secretary of State level so that they can take over their existing financial accounts, to applying for new loans in the name of the business and then converting those loans to cash and laundering the money. So, it's absolutely still occurring, but I think it's also under reported, vastly underreported, because businesses don't know where to go. And a lot of times when they go to law enforcement, they're told it's a civil matter, a crime hasn't occurred. “Oh, this is a dispute between that vendor and your business”, or something of that nature. So I think we're conflating a lot of this criminal activity with civil matters simply because the other party involved in the transaction is a business rather than an individual.
Larry: I have to believe that those businesses that are significant in size, where they find a million or two that's been stolen, and the CEO looks at it and says: “I don't want to bring this up in front of the board. I don't want to bring it up in front of shareholders. I want it to go away”, and probably has a conversation with the CFO to bury it.
Eva: You know, I don't have any proof of that happening, but if we look at our current quarterly profits above all, and kicking the can down the road, and not wanting to have anything affect shareholder prices, or shareholder gains, and stock prices, and things like that, it does create an environment that would reward the type of behavior that you're talking about.
Larry: Yeah, and that becomes a problem because it just helps propagate the issue.
Eva: Right. If we don't properly incentivize organizations to be transparent about these types of crimes, to be transparent in their reporting of cyber-attacks, and be transparent in reporting of identity fraud that's occurring, not just insider fraud, but identity fraud that's occurring. Well, then that's something that we can solve. Getting people to do the right thing, that's a little bit harder, but like I said, if they can be properly incentivized and not incentivize the bad behavior, at least that's a step in the right direction.
Larry: So, Eva, we are running out of time, and I'd like to thank you for your input here. It's been eye opening to say the least, and I hope to have you back on at some time.
Eva: I loved getting really meta with you and getting into the weeds. I would love to come back. It was great.
Larry: Thank you very much.
Narrator: Thank you for listening to this episode of the FraudKast. If you’re interested in learning more, head over to our website at FraudKast.com for more episodes, transcripts, and social media links. And remember, that’s FraudKast with a K, not a C. And to stay current on what’s occurring in the world of fraud, be sure to check out FraudoftheDay.com.
