Old-fashioned Identity Theft from the US Post Office

My friend and fellow author, Ann, and her husband found out one day they were identity theft victims because somebody hundreds of miles away filed a USPS change of address form in their name.  It’s mind-boggling that in today’s era of massive data breaches over the Internet, anybody can walk into a post office and fraudulently impersonate anyone else with a change of address form. Surely we can do something about this.

Here is Ann’s story, in her words.  I want to thank Ann for letting me share this.

Here is our experience with our identity theft and Mail Diversion Fraud.

We received a USPS mailed notification for a change of address for my husband’s name. We did not request USPS to change his address, so this meant it was done fraudulently. We contacted the post office, looked at our credit report, saw a bank card issued in husband’s name that we did not initiate, called that bank, canceled the thief’s card, issued a 90 day fraud alert and plan to lock our credit. Then we filed a police report here and in Dallas where the mail was diverted to.

To change or divert someone’s mail address to another mail address is easy. Post office requires no ID or proof of identity when change of address is turned in. It can be done online for $1.

Our banker mentioned this was his first experience with a customer who has had identity theft BY MAIL. The thief actually opened a bank card in my husband’s name- $15,000 limit. The action was likely done online and was issued by another bank other than our bank. It was a puzzling circumstance, because monitoring our existing bank accounts and cards showed no initial funds impact. I guess this “puzzle” of our mail diversion fraud made a pre-set course of action indeterminable, and so we had to make up our process as we went along.

We soon found out that although the identity theft occurs in different ways, the steps needed to amp up our security on bank accounts or credit card accounts would be the same as if there was theft caused by online data breach or by someone hacking into our existing accounts. Since no one gave us a checklist of what to do, we had to think like an identity thief and imagine “What if” scenarios to determine our recovery steps.

We felt an urgency to act fast as we had heard online theft drain of bank funds happens super-fast once a thief “gets in.”

Why? The average Identity theft victim spends over 200 manhours repairing INITIAL damage or instilling barriers to prevent future impacts from identity theft. Resurfacing of fraudulently obtained identity info can occur for 7- 10 years or more. Your identity is now a new commodity on the dark web. A fraudulently obtained identity will be bought and sold, so every conceivable digital detail/doorway that could be breached by thief must be locked down, closed, or changed.

An identity theft victim has to stay diligent in monitoring his or her accounts in an ongoing proactive way. The “small” minor theft of mail diversion fraud- false change of address accompanied by social security compromise is serious business. (If they open a bank card, they have your social security number)

There are two particular things/tips we wish Bank Institutions would do to help their customers with security.

  1.  ONLY print last 4-6 digits of accounts on statements! This seems so simple. Many other vendors do this. Having a full account number on a piece of mail makes looking up a user ID easy on the website. A thief may already have the password via email or other data breach.
  2. Have ALL bank mail envelopes (or at least those with bank account statements!) printed with USPS service called Return Service Requested. This, as some may know, tells the USPS that if a piece of mail cannot be delivered as addressed, the piece is to be returned, free of charge, to the sender, with the new address or an explanation of the reason for non-delivery attached to it, regardless of whether a change of address order is on file for the recipient. I understand from the post master this receipt of new address costs the business money to do BUT, this feature would be a courtesy to bank or credit card customers.

Here are the individual protection steps we eventually implemented. The steps came from conversations with all the people we have been in contact with- USPS, police department, ID theft watch services, experts in security….people in banking….

  1. DON”T ignore or delay opening a USPS mail item labeled “official change of address validation” These should trigger when someone changes their address and the notice is sent to both addresses. We were out of town when ours came, but they seem to trigger and arrive in mail 5 days or so after change of address action is taken.
  2. Don’t delay action. Immediately call number inside on notice to tell them you did not change your address. Ask for a reverse order to be put in. This “reverse” will take a while 10-12 days? So we took matters in our own hands and filed a change of address online back to ourselves. We knew the forwarding address via Zander, our identity watch service that we hired. They picked it up and showed the address.
  3. File a police report. They will say their “hands are tied” to some degree because of the nebulousness of having a crime victim in one jurisdiction and the thief in another jurisdiction. Don’t worry about that. Just file. The case number you receive will allow you to extend a 90 day credit alert to 7 years if you opt to do this. You need the police case #
  4. At the same time you are filing police report, put a 90 day alert on your credit report and plan to extend that alert for 7 years or lock your credit.
  5. NOTIFY bank and card account entities. Do not close unless recommended, because new cards come via mail as do checks. Change passwords on ALL accounts and cards, and do not have one password for all.
  6. Monitor accounts for fraud activity and be prepared to shut down accounts and cards. Setting bank /credit card account ALERTS- (most online banking have alert options) is a relief. Make sure phone is set to receive alerts.
  7. Go paperless. Save trees and mail fraud headache in one action. To undo the change of address is slow and impact ongoing. The data is already online. Why should you be the only one not in the loop?
  8. Set up 2 step authentication. This is a process where ANY time anything is done on your bank accounts/cards a code is texted to phone and you have to enter it. Pain in the ! BUT if you are online doing your thing, then what difference does this one code action matter? 3 seconds more to get into your stuff. If a thief gets into your stuff, and you did not have this set up, it costs you 100’s of dollars and hours …so just DO IT!
  9. Set little used credit cards to have alerts when items charged. Better yet, get rid of all credit cards or line of credit accounts except what you actually need.
  10. Have everything set to alert to cell phone (or email) anytime online activity is engaged in on your account or card, that way if you get alert and you aren’t doing the activity, you can quickly shut it down. Thieves move very fast!!! By the way, the alerts we get do not require us to call or do anything. They are just alerts set by us to text to our phone (& email) over balance or transaction amounts or activity, and we simply see them and can feel relieved because we know it’s our own actions. If activity is NOT us, then we have a heart attack and call a hotline and shut it down.
  11. THE MAIN ALERT to set up? User Name attempt. An attempt other than you to retrieve an account’s user name should send you to the account asap. Setting up the alert keeps you from having to log in night and day multiple times a day. EVERYONE should have at least this one alert set up. If nothing else. User Name Attempt is first step of many fraud issues and very easy for thief to get. All you need is an account number, and the financial institution’s helpful “find your user name” feature carries the thief forward. Sure a password follows, BUT if you have had any email breach, it’s possible that the thief has it already.
  12.  Set up a verbal password. Any call made to your institution to “change a password” will not continue if you have asked for a verbal password of your choosing to be requested. Just don’t forget the verbal password when YOU need to call😊 Banks will straighten it back out with you in person if you forget.
  13. Security questions- Do them. Have them. Write it down and hide your book.
  14. Open a PO box to receive important mail. USPS has alerted on your fraudulently stolen address so it’s likely that you can’t actually change your address again so quickly, BUT you can have checks for new accounts or new cards sent to PO box if necessary. We had no actual fraud on our existing cards so did not shut them down. (Shutting down a card and getting a new one is a bad idea if you do not have an alternate mail address you can securely use.) REMEMBER with mail fraud it might be a while before you can count on all your mail arriving consistently, so you DON’T want to hand new bank cards or new account numbers to the waiting mail thief.

All these steps and actions seem extreme and time consuming especially if “nothing has happened” to existing accounts. (We’ve logged over 150 hours attempting to initially lock down accounts that were attached to the identity that was stolen via mail fraud.) However, Identity Theft is not going away. It’s the fad robbery of the day. Financial and health institutions who use/require social security numbers routinely to do business are most vulnerable entry points for a consumer whose identity has been stolen.

I’m a failure in more ways than I can count.  And that’s a good thing.

Many years ago, I spent hours and hours and hours listening to tapes about success and failure and the power of positive thinking.  And they really were tapes.  MP3 downloads weren’t invented yet. But despite all that good advice, for which I paid $4.99 per tape, I failed as an Amway distributor.  Failure was a bad word in those days. Failure was for losers and good Amway distributors were winners.  Anyone who failed was either lazy or didn’t believe enough in themselves to dig deep enough for success.

What a load of hogwash.

But what a learning experience. While failing as an Amway distributor, I learned not to fear rejection, I learned to approach people higher-up than me who had something I needed, I learned how to eat crackers for dinner at a Denny’s Restaurant in Terre Haute, Indiana, because I couldn’t afford to buy anything from the menu, and I learned how to make tough decisions.

And that leads to my career as an author.  Over the eighteen months from September 2016 into March, 2018, I sent queries to around 110 potential agents, looking for a traditional publisher for my second book. Around half sent form rejection responses, the rest didn’t bother to respond at all. A few took the time to write a real letter. Here is the first part of one custom rejection letter from an agent named Robin:

Dear Mr. Scott:

It’s nice of you to contact me regarding representation. I understand that you haven’t sold large quantities of your self-published book. The endeavor ultimately established the sort of readership you’re able to attract for the category in which you’re writing. A less-than-impressive track record makes it far more difficult to interest a major publisher in an author’s subsequent works. Perhaps a freelance book publicist could have been of some assistance to you.

I’ve been stewing about what Robin said for a long time. I know she’s only the messenger, but the message is, we all have exactly one and only one shot at success. If whatever you try doesn’t work the first time, then crawl back under whatever rock you came from, because you’re a loser and nobody bets on losers.

And that might explain why traditional publishing is in a slow decline.  I looked up revenue numbers for the big five surviving publishers.

See this discussion for more analysis of traditional publishing revenue. Authorearnings.com is another one to keep an eye on.  Here is a January, 2018 market report filled with mind-numbing numbers.

Those are the sterile numbers. Here’s a first-hand observation.  The world headquarters for Penguin Random House is 1745 Broadway, New York, NY 10019.  Back in 2016, I visited a customer in New York City for my day-job and learned Penguin Random House no longer occupies the top floor of its own building. Penguin Random House is hollowing itself out as it lays off people to cut expenses while revenue declines.

By any measure, traditional publishing is declining while the overall market is growing.

Here’s a different perspective on failure. Instead of running away from failure, embrace it. I failed as an Amway distributor, but learned lots of valuable life-lessons. Thomas Edison apparently failed at least 1000 times before inventing his light bulb.  When asked about all those failures, he replied, “I didn’t fail 1,000 times. The light bulb was an invention with 1,000 steps.” Here is a website with lots of inspirational examples around failure.

How many of us fell down on our bicycles when the training wheels first came off? How many overcame academic struggles in high school or college? How many athletes struggled before catching fire? How many of today’s famous business leaders succeeded the first time?  Ever heard of a company named Traf-O-Data?  That company didn’t last long.  But the founding team learned lessons and eventually started a new software company. Today, Bill Gates is one of the richest people on the planet and Microsoft is a household name.

That rock better be awfully big for all those losers to crawl back under.

For the risk-averse publishing companies who don’t want to deal with authors who struggled early – if you want to stay relevant, your boards of directors should bring in new leadership before you drive your once-proud companies into the ground.

Oh yeah, my book #2 recently found a publisher. It wasn’t one of the big five and it’s not a traditional publisher. Why not self-publish again? Well, I learned with book #1 that I need help with sales and marketing. I am grateful to the folks at Morgan James Publishing for betting on me.  Now, let’s go kick some butt in the marketplace.