Identity Theft - what to expect, and what to do now

It appears that I am the subject of an identity theft operation. Some weird things happened in the last couple weeks:

1. My employer informed me that someone (unknown) filed an unemployment claim with my state (Tennessee) and when they verified the last day of work, realized it was fraudulent when told "he still works here".
2. A credit card I have has a monitoring feature, and I got a notification that my Social Security number has appeared on the dark web.
3. Yesterday, I received a bank statement for an account I don't have/didn't open, with a bank I have no other business with. I used to be a customer, but not for 5 years or more.

The bank statement looked pukka, so I googled the phone number of the bank (a very large one), and called in, rather than call the number on the statement, in case that was a scam. It turns out the account is genuine, and was opened around the time of the unemployment claim, although I don't know for sure the two are connected.

What can I expect as the next steps on the part of the attacker? Curiously, the account had $0 in it. No attempt to obtain actual credit so far, so I wonder if the account was to be used to have the unemployment paid in. Or perhaps there's another stage to the attack yet to come.

Here's what I've done so far:

Reported the unemployment fraud to the Police/Sheriff, and got a case number. I don't expect them to investigate though.
Had the bank cancel the account.

It looks as if the bad guys have:

My name (but not middle name)
My address
My email address (one of them)
My SSN

I think all I can do now is:

Change all my passwords and PINs on financial sites to unique, long crypto type ones that Safari suggests. I've been resistant to doing that, because of usability concerns. I chose a longish unusual name (ie not a dictionary word), added some numbers and special characters that I could remember, and thought that would be sufficient. Well now I don't believe that's enough, so I'll go through that ball ache. I'll absolutely have to write them down, which is a no-no in my mind, so that will then go in the safe.

So two questions:

1. What can I expect in terms of the attacker's next steps?
2. What else can I do to protect myself?

Cheers!
 
If you've not already seen it - this may help:

 
As far as passwords go, consider your favourite song.
And change the s's to dollar signs, or a's to @s

ie "Jeremi@hw@$@bullfrog"

That's effectively what I had, although not as long as that. I think the key thing is to have them be unique to each site, so if one gets compromised, that's boxed off to just that account/bank/company.
 

RBMK

LE
Book Reviewer
I would expect that the fake account may be used for money laundering. Evidently getting hold of bent money is relatively easy, getting it "washed" so it doesn't look dodgy is more difficult. Once it's paid into a legit bank account it becomes "clean" money.

I had one of the fake porn "pay me $2,000 in bitcoin or I'll put your porn videos of you thrapping off in front of the computer all over the internet and to all your friends". The scary thing was that they had a password that I used about 4 years ago for IIRC LinkedIn. However, I had my laptop stolen about 4 years ago and immediately changed all my passwords for longer and stronger ones.

I guessed that the scumbag in question had gotten hold of some of the info off my old laptop.

Fortunately, I've never thrapped off in front of a laptop and hence I just deleted the email.
 
If you've not already seen it - this may help:


Cheers, I had forgotten about the FTC. Makes it a federal job then, if they're ever caught.

I wasn't going to report the bank account to the Police, because they seemed disinterested in the unemployment claim. But thinking about it, if it does all go pear-shaped and I start losing money, they're going to say "why didn't you report this as soon as you found out?". So I suppose I'll have to.
 
Yes, desktops usually have better monitors and no webcam :)
 

DAS

War Hero
Not your laptop. I was in the same boat but never lost / had stolen a laptop/computer. LinkedIn did have data breaches in the past though.
 
It is more likely to have been a data breach than a password from an old laptop. You can check email addresses to see if they've been involved in a data leak at:


It then tells you which websites are involved so you can change your password. I just typed in one of my email addresses (that I've had for about 20 years) - suffice to say I've changed all the passwords long ago, but have received the 'I know your password' type scam emails:

 
Keep an eye on the bank account, if they try passing any money through it, clear it out quickly in cash!
More seriously, they may have set up the bank account to help with the benefit claim. One risk to watch out for is if they make a loan or credit card application in your name and run up debt that you become liable for.
 

endure

GCM
Get yourself a password manager. It will generate them for you and store and fill them in on sites you visit.
 
The thinking on passwords has changed over the years since requiring overly complex passwords doesn’t actually improve security. The thinking now is fairly simple passwords but with multi-factor authentication (ie. text to cell phone or using an authentication app). MFA is key to online security, not passwords.

Here is Microsoft’s Office 365 password recommendations - simple passwords with MFA.

Password policy recommendations - Microsoft 365 admin
 
Get yourself a password manager. It will generate them for you and store and fill them in on sites you visit.

That's built in to macOS/iOS/iPadOS, and is something I use today, but I have been choosing my own passwords, which have all been the same. So I'll go through and change them all to unique ones.

One of the issues stopping me was the Chrome browser. I have to use Chrome at work; some of our internal systems are developed specifically against Chrome, and some features don't work on other browsers.

Until recently it couldn't read the Keychain, but apparently now there's an extension from Apple that does do that. I was just going to say that's an hour of my life I won't get back, but now I've looked into it, I have 471 compromised passwords in the password manager. So more like half a day!

Most of them are compromised through re-use. Though I have a lot of accounts that I can get rid of. For example, apparently I have an account with sbb.ch (Swiss trains) because I bought some tickets there about 5 years ago. So all this will have to be combed through and I'll bin stuff like that. If I ever have to use Swiss trains again, I'll just reset the password, I suppose.

Bit of an eye-opener, to be honest.
 

Old Stab

LE
Book Reviewer
Sites with payment information such as online banking, eBay, Amazon etc. I have 2-part verification set up. It's a PITA but it is secure and stops anyone doing anything to my accounts.
 
Using Microsoft, you can set a reminder to change your password at set intervals. A very quick and easy step to keep your password protected.
 
Really long passwords have disadvantages, particularly in corporate environments. That’s why Microsoft is saying use short passwords that are easy to remember and don’t require regular changes. Passwords can be cracked so you need to add layers to the authentication process through MFA.

All my banking and retirement accounts require entering a code that is texted to me and it works well.

Password policy recommendations - Microsoft 365 admin
 

Interesting! When I joined a company a long time ago that I don't work for anymore, they asked me to have a master password, and I used that for everything for years. It was a name and two numbers. Say "David01". That site tells me a massive attack scenario would take less than a second to brute-force it.

The 2022 version of my "master password" is measured in thousands of centuries in the best case.

So my concern isn't so much password strength, I think we're there, as-is. The problem is re-use, so if a company gets hacked and loses their customer data, I am still at risk, because they can just try Bank A, B and C with my email and password. At some point they would succeed.
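
Added example, not part of any post in the thread: a small audit of a password-manager CSV export that groups logins sharing the same email and password pair and lists which other sites need changing if one site is breached. The column names and sample rows are constructed assumptions; match them to your own export.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample shaped like a password-manager CSV export.
# Column names are an assumption; match them to your own export.
SAMPLE_EXPORT = """title,username,password
Bank A,me@example.com,David01
Bank B,me@example.com,David01
Train tickets,ME@example.com,David01
Card issuer,me@example.com,xK9#vR2!qLm7Zp4w
Old forum,other@example.com,David01
"""

def load_entries(text):
    """Parse the export into a list of dicts, one per saved login."""
    return list(csv.DictReader(io.StringIO(text)))

def pair_id(entry):
    """Digest of the (email, password) pair, so no plaintext is stored or printed."""
    user = entry["username"].strip().lower()
    return hashlib.sha256(f"{user}\x00{entry['password']}".encode()).hexdigest()

def reuse_groups(entries):
    """Map pair digest -> site titles, keeping only pairs used on 2+ sites."""
    groups = defaultdict(list)
    for e in entries:
        groups[pair_id(e)].append(e["title"])
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}

def blast_radius(entries, breached_title):
    """Other sites that accept the same pair a breach of `breached_title` would leak."""
    leaked = {pair_id(e) for e in entries if e["title"] == breached_title}
    return sorted(e["title"] for e in entries
                  if e["title"] != breached_title and pair_id(e) in leaked)

if __name__ == "__main__":
    entries = load_entries(SAMPLE_EXPORT)
    for sites in reuse_groups(entries).values():
        print("same login reused on:", ", ".join(sites))
    print("if 'Train tickets' is breached, also change:",
          blast_radius(entries, "Train tickets"))
```

The export file holds every password in plaintext, so delete it securely once the audit is done.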
 