Protect Yourself Against Identity Theft
With cybersecurity breaches at big companies and a range of scams targeting unknowing consumers, your personal information is more vulnerable than ever
The alarming call came one wintry February day last year while Melissa*, an IT analyst, was at work. She didn’t recognize the number, and when she answered, a sales associate at a jewellery retailer in Mississauga thanked her for joining the store’s credit card program. Confused, Melissa explained that she hadn’t applied for it. “So you weren’t just here in the store?” the associate probed.
The 34-year-old wasn’t experiencing short-term memory loss. As it turned out, a much younger woman in possession of Melissa’s social insurance number, address and birthdate was impersonating her. Over five days, armed also with fake photo identification, this mysterious fraudster used Melissa’s name to sign up for two cellphone accounts, apply for credit cards and take out a payday loan from Money Mart. She’d planned to walk out of the jewellery store with several expensive baubles, but a shrewd employee, sensing something was off about the nervous young customer, refused to initiate the account and, after the woman left, obtained Melissa’s phone number from a credit bureau.
The thief disappeared without a trace, getting away with about $1,000 in merchandise and loans. It could have been worse had she not been discovered before the credit cards were mailed to her, but it was still a huge headache for Melissa. Though she wasn’t on the hook for any money, she had to call every retailer the fraudster visited, supplying proof of identity in order to cancel the accounts. “I’ve spent over 100 hours clearing my name, and my credit is still terrible,” she says. “Why is this my fault?”
STORIES LIKE MELISSA’S are becoming more common. In 2016, approximately 36,000 Canadians were victims of identity theft or identity fraud—up over 20 per cent from the previous year. According to statistics from the Canadian Anti-Fraud Centre (CAFC)—our national agency that collects and analyzes data from these crimes—losses in 2016 totalled almost $14 million.
Meanwhile, with security breaches regularly making headlines, it can seem as if our personal information is in constant danger of being stolen by thieves. Last September, Equifax
disclosed that 8,000 Canadian victims were included in the high-profile hack that compromised the personal information of more than 145 million Americans. In May, Bell Canada announced that hackers had threatened to expose 1.9 million customer records, and the company refused to pay to stop them (a portion of the data was subsequently leaked online). Breaches have also affected WestJet, Uber, Loblaws and Canadian Tire— all in the past year.
While those large-scale thefts are out of your control, and it’s impossible to track which individual frauds come from them, there are ways to make your personal information difficult for thieves to get their hands on.
#1: Your Digits
Your social insurance number (SIN) is the key to a kingdom of personal records, from your credit report to your tax return, so you’re wise to keep it secure. The nine-digit SIN was created in 1964 as a unique client identifier for the Canada Pension Plan and various employment insurance programs, but its use has expanded to virtually all transactions between you and the government. However, with no legal restrictions on who employs it, your SIN may also be requested by private-sector organizations—and that’s where the problems start.
Even if you’re asked for it, you don’t have to give your SIN to your landlord, your doctor’s office, your cellphone provider or when filling out a credit card or employment application. The more it’s floating around, the more likely it’ll be stolen and sold on the so-called “dark web.” (This sinister underbelly of the Internet, which can only be accessed with special software, hosts marketplaces and eBay-like auction sites where identities are bought and sold.) So if you’re not sure whether it’s really necessary to provide your SIN, ask why it’s being requested and if you can provide an alternate form of identification.
Melissa still doesn’t know how her SIN got leaked, but the thief who targeted her used it to request a credit report in her name and then pieced together all the information they needed in order to impersonate her on credit applications.
If you think your SIN has been stolen, file a complaint with police and make sure you get a case reference number and the officer’s name and telephone number. Contact the CAFC for further advice. Every few months, you’ll need to request a copy of your credit report from one of Canada’s two national credit bureaus, Equifax and TransUnion, and review it for any suspicious activity. Credit alerts can be placed on your file, requiring that you be contacted if anyone tries to open a new account in your name.
#2: Your Log-ins
Canadians, like most of the world’s Internet users, are abysmally poor at keeping their online profiles secure. Three researchers from the University of Ontario Institute of Technology—Dr. Christopher Collins, Rafael Veras and Dr. Julie Thorpe— analyzed 32 million passwords leaked from a social gaming company, using them as a large representative sample of North American social media users. Hilariously—or perhaps depressingly—they found the most commonly used passwords involved strings of sequential numbers (“123456”) and painfully obvious word choices (“password”).
They also parsed semantic patterns and found common themes, such as “I love” followed by a person’s name (male names were four times more common than female names). References to food, money, sex, profanity and royalty also cropped up most frequently, says Thorpe, an associate professor of IT security. As for digits, people tend to favour dates, such as holidays and notorious events (like 4/15/12, the day the Titanic sank).
You might feel like the above options are fairly airtight, but using any recognizable words or strings of numbers instantly makes your accounts vulnerable to hackers, who employ guessing software that can run through millions of possible passwords per second. The most secure and memorable password is one that uses a string of letters, numbers and characters derived from a phrase that’s been altered to include something personal. For example, you might log into an airline site with “1 lo ajpwK&S,dkwib ba ”— which stands for “I’m leavin’ on a jet plane with Kristof and Sven, don’t know when I’ll be back again.”
In theory, you’ll need to come up with dozens of these. “As soon as you use the same one for multiple sites, hacks can happen,” Thorpe warns. But since remembering them all isn’t realistic, she suggests using free password managers like iCloud Keychain, LastPass, Dashlane, KeePass and 1Password. Although these tools can themselves be hacked, Thorpe says you’re ultimately far more secure using them than being a lazy person with only one password for everything.
#3: Common Scams
Every day, the CAFC gets calls from consumers who’ve been targeted by scammers, and about half of these swindles involve trawling for personal information rather than simply demanding cash, says acting team leader Allan Boomhour. “The data itself is valuable,” he says, explaining that criminals not only use it to open
financial accounts in your name, but can sell it on that dark web.
Leah*, 36, was shopping at No Frills in Toronto’s east end one day when a well-dressed man with a clipboard approached her, offering to sign her up for a new PC Financial MasterCard. She filled out the application form, including her birthdate and SIN, but the card never arrived. After a while, she became curious, so she called the bank and was told that they had no record of her at all. “They said that they didn’t have anybody signing people up in No Frills grocery stores anywhere in the GTA,” she says.
Leah called her regular bank and discovered that someone had managed to get access to her account, most likely by having a duplicate copy of her current credit card sent to a different address, and was using it to make a slew of small purchases.
Another common scheme, email phishing, has grown more sophisticated than cordial entreaties from Nigerian princes seeking your help to transfer vast sums of money. Typically, you’ll get an email from what appears to be your bank or the Canada Revenue Agency (CRA) asking you to “authenticate” your account or receive a tax refund by clicking on a link. You’ll be asked to enter your information in a fake website that often looks very convincing. “It’s almost a mirror copy of the original, but when you try some of the links on the page, like the ‘Contact Us,’ they don’t work,” Boomhour says.
Remember that reputable institutions will never ask for personal information of any kind via email. For its part, the CRA doesn’t send tax refunds by e-transfer— only by cheque or direct deposit.
#4: Your Mail
In May 2017, Toronto Police announced that they’d arrested the leader of a $10-million identity theft ring in a massive investigation dubbed Project Royal. The enigmatic Torontonian, who called himself Johnson Chrome, flaunted his lavish lifestyle at nightclubs, displaying a predilection for glitter-encrusted
designer shoes and fine wines. But his modus operandi was surprisingly simple—he and his associates would steal mail from condo buildings, painstakingly piecing together their victims’ identities until they had enough information to apply for credit. For 10 years, Chrome had evaded detection by only stealing small amounts at a time—mostly between $100 and $5,000.
Indeed, intercepting snail mail is a fairly easy way to steal an identity, especially if your victim receives paper financial statements. Tactics can include Dumpster diving, but also the slightly more sophisticated mail-forwarding fraud—for this, all a thief has to do is input your address, a new one and a credit card number at Canada Post’s website in order to reroute your mail to a vacant, abandoned or for-sale property.
Switching to e-billing and online payments can eliminate this risk, as can renting a PO box where you can retrieve letters and packages at your convenience.
#5: Watch Your Accounts
Too many Canadians don’t check their bank and credit card statements thoroughly every month, says personal finance educator Kelley Keehn, author of Protecting You and Your Money: A Canadian’s Guide to Avoiding Identity Theft and Fraud. This is especially true of seniors, who tend to slow down their consumer spending as they age and aren’t as likely to need loans. “If you don’t care what your credit score is, you’re not going to be checking your credit file for fraudulent activity,” she says.
Keehn recommends a little-known trick for spotting suspicious transactions: through your online banking profile, you can opt to receive an e-mail or text message every time your debit or credit card is used. If you see a purchase you don’t recognize, you’ll be able to report it right away and won’t be on the hook for any stolen money. (Most banks have a 30- to 60-day limit for reporting fraudulent transactions.) There are also a range of phone apps, such as Credit Karma and LifeLock, that can help you monitor your accounts for suspicious activity.
Of course, even if you put this safety measure in place and follow all of the other advice above, you’re still not immune to identity theft. “The reality is, you can take every precautionary step possible and still become a victim. It’s just that big of a problem,” warns Boomhour, before adding one welcome note of reassurance: “At the end of the day, though, you’re not responsible for anything the criminals do in your name.”