Over five years, about 27-million people were victimized by a quiet crime that creates lingering agony.
By DAVE GUSSOW
Published March 14, 2004
[Times photo: Skip O'Rourke ]
Stephanie Holmquist Johnson of Plant City has spent hundreds of hours trying to recover from a theft that the crook ran up to more than an estimated $60,000.
[Times photo: Ron Thompson]
There was nothing sophisticated about how Anthony Brannon of Inverness was victimed. Someone stole outgoing bills from his mailbox.
[Times photo: Moroti Kinfay]
"I was scared. It felt as though I was mentally raped," says Jody Bernet of Palm Harbor, whose identity was stolen via a fake e-mail that appeared to be from an online payment service.
Stephanie Holmquist Johnson's life changed the day after her wedding two years ago.
Checks she didn't write bounced. Bills arrived for things she didn't buy. Stores hung up on her calls. She feared going to her mailbox. She cried.
Someone had stolen her identity.
"It's the process to get over it," she said. "If you're a victim of a robbery, you file (a report), you go from there. This is two years now, and it's still not over with. It's messy and it stays with you and it hangs on you."
The Plant City woman estimates the bogus tab has passed $60,000. She has spent "hundreds and hundreds of hours" trying to straighten out retailers, credit bureaus and others about what happened. She can't say how much she has spent trying to clear her name.
In the truest sense, identity theft is a crime that sneaks up on people. By the time victims become aware of the problem, their bank accounts may have been cleaned out or their credit cards maxed out.
Their names may be used to set up fake accounts where the thieves get the goods and the victims get the bills. Or they can find that someone has set up a parallel life, using their name and personal data.
It has become one of the first major crime waves of the 21st century. About 27-million people reported they had been victimized over a five-year period ending in 2002, according to a Federal Trade Commission survey. It costs consumers and businesses an estimated $50-billion a year.
While it has a reputation as a high-tech enterprise, identity theft often starts out as a low-tech operation: "Dumpster diving" in garbage for records, stealing letters from mailboxes, finding a lost wallet or even having a co-worker who raids personal files.
A recent high-tech technique is catching more victims. Called "phishing," fake e-mails from reputable companies such as PayPal, an online payment service, or eBay, the giant auction site, ask people to update their personal information, luring them to Web sites that look real but are not.
It has created headaches for law enforcement and heartache for victims.
"It is more complex and it's really more time consuming" to investigate, said Special Agent Supervisor Mike Phillips of the Florida Department of Law Enforcement, an expert on fraud and identity theft. "You have a trail, but the suspects are doing so much. They just don't victimize one person. They victimize multiple people."
Outgoing mail
Lee Brannon listened to the voice, a strange man recorded giving out her family's personal information as he set up an account for an Internet chat room.
"When I heard that recording, it was chilling," the Inverness woman said. "The hair stands up on your arms because it's just such a strange feeling. After it was over, I was just furious."
Her mailbox was the entry the ID thief used to get into their lives. Her husband, Anthony, remembers putting out some bills, coming home and seeing the flag still up. But he doesn't recall checking the box before going in for the night.
"The first thing I noticed was receiving the next month's bills that had past-due amounts when I was sure I had paid," said Mrs. Brannon, 60, a social worker. "When I realized that, I looked up my bank statement online and found a charge I did not recognize."
She went to her bank, which refunded her money, and she called an 800 number that was printed on a copy of the draft used to raid her account. When the online business called back, it played an audio file of the transaction.
Initially, the Citrus County Sheriff's Office would not take a report, she says, because their money had been refunded. Eventually, though, it did take an identity theft report. Detectives later matched a suspect in another case to theirs.
"The guy was real slick," said Brannon, 57, who works in construction. "It's a low-tech thing. Go out and grab the mail, some identifying thing in there, or credit card application. All it takes is a few changes and off you go."
The Brannons were lucky. They didn't lose any money or spend much time handling the problem, but they did change some of their habits.
"We don't put outgoing mail in the mailbox," Mrs. Brannon said. "We take it directly to the post office. I check my bank account much more often to see if there are any anomalies."
What a break
Stephanie Holmquist Johnson found a hero during her crisis: Detective Harold Varvel of the Hernando County Sheriff's Office.
"He would not let it rest," said Holmquist Johnson, 41, an education consultant for schools. "My (local) police wouldn't even touch it."
The case illustrates the difficulties law enforcement confronts in handling such cases, as well as the frustration the victims endure.
A key break essentially fell into law enforcement's hands - the suspect left a day planner with counterfeit IDs and checks on his car and drove off, Varvel says. Someone found it and turned it in to the Sheriff's Office.
Yet it took almost two years before Varvel could make an arrest. Starting with 23 names from the day planner, the investigation was combined with an FDLE operation and grew to more than 100 names, some fake, others real.
Hundreds of checks were found, all of which had to be inspected by handwriting experts. Witnesses were needed to verify who wrote the checks or signed credit card transactions. Home Depot alone had more than $20,000 in charges.
The apparent source for much of the personal data was from trash bins behind businesses, Varvel says, particularly credit applications that were thrown away. Lax retail security also contributed.
"It's kind of amazing to me the ease with which a lot of merchants accept (identification) without checking into things," Varvel said.
If retailers invested more in training their staffs to learn about fake IDs, he added, there were "easy ways they could have been identified as fraud."
Varvel also ran into what some of the victims had discovered. Some law enforcement agencies wouldn't take reports, much less investigate, calling the cases civil matters. Some retailers preferred simply to write off the losses rather than prosecute. If a fake check was drawn on one bank, another wouldn't look into it.
"In (Holmquist Johnson's) case and with several other victims, they tried to report it and everybody put them off," Varvel said. "It was happening all over."
That doesn't surprise some officials. Small departments in particular may not have the resources, and handling cases where the victim is in one jurisdiction and the suspect somewhere else complicates it further.
"It's hard to wrap your arms around (identity theft) like you can a burglary," said Special Agent Supervisor Bob Breeden of FDLE's Computer Crime Center in Tallahassee. "Identity theft is hard for an agency to work. It has to do with a new crime that agencies aren't comfortable embracing."
Yet that's little consolation for retailers and consumers. Retailers don't want to write off losses but are left with little choice, according to Dan Doyle, vice president of loss prevention and human resources for Beall's Inc. in Bradenton. Investigations take time and cost money, and it's uncertain whether the effort will pay off if police and prosecutors won't take the cases.
"We would be thrilled to death to get someone's attention to prosecute people," Doyle said. But "prosecuting somebody does not mean we get the money back. . . . The original cardholder is not liable. The people who really lose is the credit card issuer and the retailer."
As for more staff training, Doyle says customers want fast service. "Quite honestly, a lot of people get annoyed when their ID gets checked," Doyle said. "I think it really is asking an awful lot for every sales associate in every store to be a police officer, particularly where a credit card purchase is concerned."
Victims face similar problems with law enforcement. Holmquist Johnson ended up demanding that the Plant City police at least take a report so she could use that to prove to others that her story was true.
According to Holmquist Johnson, Sears gave one suspect her account number when the woman applied for a new account. She estimates that 15 or so of the 60 companies she called hung up on her. And she had to contact each company individually, sometimes by long distance, sometimes by certified mail, for each instance because there's no central reporting point for cases such as hers.
Even when she thinks she has the problems fixed, more troubles have popped up when she has applied to refinance her house or buy a car.
"I would shake, absolutely shake," she said. "I can laugh about it now. But the scary thing is it could happen again tomorrow."
So Varvel, who downplayed his efforts, became something of a victim's advocate.
"You get to empathize with what they're going through, so it becomes something you want to bring to justice," he said. "I made calls for victims, contacting the security people at banks to make sure they understood it wasn't the victim" at fault.
Capturing false IDs
Financial institutions in the state lose $100-million a year to fraud, including identity theft, according to the Florida Bankers Association.
"When they commit these check frauds, it's not against the bank, it's against the customer," said Thomas Kerr, the association's chief financial officer. "It's the customer who goes through all the grief."
But the industry had to do something to protect itself, too. In 2002, the association established Fraud-Net, a Web site available only to financial institutions and law enforcement agencies for alerts and information related to fraud, robberies and other security issues. It has grown from a one-state operation to 20 states participating.
"The No. 1 issue was the fact that as an industry we've done a poor job of talking to each other," Kerr said. It had "to come up with a way to battle the criminals. The folks out there doing this have access to and utilize technology very well. We want to do the same. We want to take technology and put it in the hands of the good guys."
If someone passes, or tries to pass, a counterfeit check, for example, that information goes online, including an image of the bad check. Personal information about victims is not posted.
"The activities that we see on Fraud-Net often can help lead to identity thieves," Kerr said. "We are interested in capturing the false identifications that are being used."
Banks are obligated to cover their customers' losses by law. Credit cards usually have a $50 liability limit. Yet the process can frustrate victims such as Jody Bernet, 43, of Palm Harbor, who had to keep "pushing and pushing" to get her money back.
"I think that's the secret to getting your money back," she said. "You bother people until they're tired of talking to you and they start doing something."
Bernet, who is disabled, got hooked by a "phishing" scam with a fake e-mail and Web site that she thought was from PayPal.
"When I saw my bank account was completely drained and my checking account was completely drained and in the negative, I got physically ill," she said.
One consequence: "We had to go to the food pantry for food because we had no money."
She reacted quickly - contacting her bank, putting a security flag on her credit report, calling the Sheriff's Office and filing a report with the FBI's Internet fraud division.
But Bernet says not all had a sense of urgency. Adding to her anger, Bernet says, was that PayPal refused to give her information about who had raided her account, even after it was confirmed as a fraud, citing privacy laws.
"The bad thing is that people say they're going to straighten things, say they've taken care of this or that. . . . Then you find out out that they haven't done this when you follow up."
"Matter of fraud'
Linda Foley became a victim after a former employer used her personal information to obtain a credit card. That began a 19-month saga to clean up the mess and later to create the Identity Theft Resource Center in San Diego.
"If you talk to victims of mugging or victims of rape or victims of any kind of violent assault, they're gun shy," said Foley's husband, Jay, co-executive director of the center.
Identity theft leaves a similar impression. "You don't know where the exposure is," he said. "You don't know where the next attack is coming from."
In a study conducted with California State University, Sacramento, the center found that most victims (85 percent) discover the problem when bills or credit problems arrive, they spend an average of about 600 hours handling the problem, and about $1,400 in expenses.
The current system isn't working for victims, Foley says, so the center is advocating changes, such as: Businesses need to do better background checks before hiring people. They should be less willing to write off losses from ID theft and be more aggressive in prosecuting cases. Police agencies should be required to at least take a report. Social Security numbers should not be used as identification, whether it's university enrollment, medical insurance or employee IDs, he says. Penalties need to be tougher.
"Judges look at it as a white-collar issue," he said. "It's a matter of fraud. Judges don't sentence these folks very heavily."
In Florida, the Legislature last year increased penalties for ID theft cases, making them felonies with sentences of up to 30 years, depending on the amount stolen.
In addition, the state set up the online Identity Theft Resource and Response Center, which includes a kit that walks victims through the process of how to handle the problem. It also offers "compromised identity certificates" so victims can prove their identities have been stolen.
FDLE's Phillips likes the tougher laws, but says it will take a broad effort to reduce the risk of ID theft.
"I don't think law enforcement is going to be able to make a real dent" by itself, he said. "It requires a partnership with individuals and the business community to make a dent."
- Information from Times files was used in this report. Dave Gussow can be reached at gussow@sptimes.com or 727 771-4328.
Three forms of identity theft
Financial identity theft: The use of personal identifying information, primarily a Social Security number, to create new credit lines in the victim's name. Includes applying for telephone service, credit cards or loans; leasing cars or apartments; and buying merchandise. Credit and checking account fraud or takeover falls into subcategory.
Criminal identity theft: When someone gives law enforcement another person's identifying information in place of his or her own. An example: The perpetrator is stopped by police for running a red light. He doesn't have ID on him, but gives police his cousin's information. When he fails to appear in court, an arrest warrant is issued for the cousin, whose name appears on the ticket.
Identity cloning: When an impostor uses the victim's personal identifying information to establish a new life. He or she lives and works as the victim. This crime might also involve financial and criminal identity theft.
- Source: "Identity Theft: The Aftermath 2003," a study conducted by the Identity Theft Resource Center.
Identity theft complaints
A ranking of major metropolitan areas for 2003. Ranking is based on number of identity theft complaints per 100,000 inhabitants.
Rank, Metropolitan Area, No. of victims, Victims per 100,000 population
