Old-fashioned Identity Theft from the US Post Office

My friend and fellow author, Ann, and her husband found out one day they were identity theft victims because somebody hundreds of miles away filed a USPS change of address form in their name.  It’s mind-boggling that in today’s era of massive data breaches over the Internet, anybody can walk into a post office and fraudulently impersonate anyone else with a change of address form. Surely we can do something about this.

Here is Ann’s story, in her words.  I want to thank Ann for letting me share this.

Here is our experience with our identity theft and Mail Diversion Fraud.

We received a USPS mailed notification for a change of address for my husband’s name. We did not request USPS to change his address, so this meant it was done fraudulently. We contacted the post office, looked at our credit report, saw a bank card issued in husband’s name that we did not initiate, called that bank, canceled the thief’s card, issued a 90 day fraud alert and plan to lock our credit. Then we filed a police report here and in Dallas where the mail was diverted to.

To change or divert someone’s mail address to another mail address is easy. Post office requires no ID or proof of identity when change of address is turned in. It can be done online for $1.

Our banker mentioned this was his first experience with a customer who has had identity theft BY MAIL. The thief actually opened a bank card in my husband’s name- $15,000 limit. The action was likely done online and was issued by another bank other than our bank. It was a puzzling circumstance, because monitoring our existing bank accounts and cards showed no initial funds impact. I guess this “puzzle” of our mail diversion fraud made a pre-set course of action indeterminable, and so we had to make up our process as we went along.

We soon found out that although the identity theft occurs in different ways, the steps needed to amp up our security on bank accounts or credit card accounts would be the same as if there was theft caused by online data breach or by someone hacking into our existing accounts. Since no one gave us a checklist of what to do, we had to think like an identity thief and imagine “What if” scenarios to determine our recovery steps.

We felt an urgency to act fast as we had heard online theft drain of bank funds happens super-fast once a thief “gets in.”

Why? The average Identity theft victim spends over 200 manhours repairing INITIAL damage or instilling barriers to prevent future impacts from identity theft. Resurfacing of fraudulently obtained identity info can occur for 7- 10 years or more. Your identity is now a new commodity on the dark web. A fraudulently obtained identity will be bought and sold, so every conceivable digital detail/doorway that could be breached by thief must be locked down, closed, or changed.

An identity theft victim has to stay diligent in monitoring his or her accounts in an ongoing proactive way. The “small” minor theft of mail diversion fraud- false change of address accompanied by social security compromise is serious business. (If they open a bank card, they have your social security number)

There are two particular things/tips we wish Bank Institutions would do to help their customers with security.

1.  ONLY print last 4-6 digits of accounts on statements! This seems so simple. Many other vendors do this. Having a full account number on a piece of mail makes looking up a user ID easy on the website. A thief may already have the password via email or other data breach.
2. Have ALL bank mail envelopes (or at least those with bank account statements!) printed with USPS service called Return Service Requested. This, as some may know, tells the USPS that if a piece of mail cannot be delivered as addressed, the piece is to be returned, free of charge, to the sender, with the new address or an explanation of the reason for non-delivery attached to it, regardless of whether a change of address order is on file for the recipient. I understand from the post master this receipt of new address costs the business money to do BUT, this feature would be a courtesy to bank or credit card customers.

Here are the individual protection steps we eventually implemented. The steps came from conversations with all the people we have been in contact with- USPS, police department, ID theft watch services, experts in security….people in banking….

1. DON”T ignore or delay opening a USPS mail item labeled “official change of address validation” These should trigger when someone changes their address and the notice is sent to both addresses. We were out of town when ours came, but they seem to trigger and arrive in mail 5 days or so after change of address action is taken.
2. Don’t delay action. Immediately call number inside on notice to tell them you did not change your address. Ask for a reverse order to be put in. This “reverse” will take a while 10-12 days? So we took matters in our own hands and filed a change of address online back to ourselves. We knew the forwarding address via Zander, our identity watch service that we hired. They picked it up and showed the address.
3. File a police report. They will say their “hands are tied” to some degree because of the nebulousness of having a crime victim in one jurisdiction and the thief in another jurisdiction. Don’t worry about that. Just file. The case number you receive will allow you to extend a 90 day credit alert to 7 years if you opt to do this. You need the police case #
4. At the same time you are filing police report, put a 90 day alert on your credit report and plan to extend that alert for 7 years or lock your credit.
5. NOTIFY bank and card account entities. Do not close unless recommended, because new cards come via mail as do checks. Change passwords on ALL accounts and cards, and do not have one password for all.
6. Monitor accounts for fraud activity and be prepared to shut down accounts and cards. Setting bank /credit card account ALERTS- (most online banking have alert options) is a relief. Make sure phone is set to receive alerts.
7. Go paperless. Save trees and mail fraud headache in one action. To undo the change of address is slow and impact ongoing. The data is already online. Why should you be the only one not in the loop?
8. Set up 2 step authentication. This is a process where ANY time anything is done on your bank accounts/cards a code is texted to phone and you have to enter it. Pain in the ! BUT if you are online doing your thing, then what difference does this one code action matter? 3 seconds more to get into your stuff. If a thief gets into your stuff, and you did not have this set up, it costs you 100’s of dollars and hours …so just DO IT!
9. Set little used credit cards to have alerts when items charged. Better yet, get rid of all credit cards or line of credit accounts except what you actually need.
10. Have everything set to alert to cell phone (or email) anytime online activity is engaged in on your account or card, that way if you get alert and you aren’t doing the activity, you can quickly shut it down. Thieves move very fast!!! By the way, the alerts we get do not require us to call or do anything. They are just alerts set by us to text to our phone (& email) over balance or transaction amounts or activity, and we simply see them and can feel relieved because we know it’s our own actions. If activity is NOT us, then we have a heart attack and call a hotline and shut it down.
11. THE MAIN ALERT to set up? User Name attempt. An attempt other than you to retrieve an account’s user name should send you to the account asap. Setting up the alert keeps you from having to log in night and day multiple times a day. EVERYONE should have at least this one alert set up. If nothing else. User Name Attempt is first step of many fraud issues and very easy for thief to get. All you need is an account number, and the financial institution’s helpful “find your user name” feature carries the thief forward. Sure a password follows, BUT if you have had any email breach, it’s possible that the thief has it already.
12.  Set up a verbal password. Any call made to your institution to “change a password” will not continue if you have asked for a verbal password of your choosing to be requested. Just don’t forget the verbal password when YOU need to call? Banks will straighten it back out with you in person if you forget.
13. Security questions- Do them. Have them. Write it down and hide your book.
14. Open a PO box to receive important mail. USPS has alerted on your fraudulently stolen address so it’s likely that you can’t actually change your address again so quickly, BUT you can have checks for new accounts or new cards sent to PO box if necessary. We had no actual fraud on our existing cards so did not shut them down. (Shutting down a card and getting a new one is a bad idea if you do not have an alternate mail address you can securely use.) REMEMBER with mail fraud it might be a while before you can count on all your mail arriving consistently, so you DON’T want to hand new bank cards or new account numbers to the waiting mail thief.

All these steps and actions seem extreme and time consuming especially if “nothing has happened” to existing accounts. (We’ve logged over 150 hours attempting to initially lock down accounts that were attached to the identity that was stolen via mail fraud.) However, Identity Theft is not going away. It’s the fad robbery of the day. Financial and health institutions who use/require social security numbers routinely to do business are most vulnerable entry points for a consumer whose identity has been stolen.