By Bruce Cameron
Every time you sign on to the internet or receive a statement from a financial institution, you are vulnerable to identity theft and fraud.If you have foreign investments or a foreign bank account, you especially need to be on your guard.
Reader X from Cape Town was recently the victim of identity theft and fraud, when scamsters intercepted mail sent to him from his bank in the Netherlands and from an asset manager in Britain managing his offshore investments. The scamsters then used the information to obtain a fraudulent South African identity book and passport.
In the case of the bank attack, the scam was detected while it was under way and the money was recovered. But the scamsters got away with £82 000 from the investment with the asset manager, on which the asset manager had to make good (see “Fraudsters obtain false ID book and passport”, below).
An identity thief steals your personal data to, in effect, “become” you by taking on your identity and then masquerading as you to steal money from you or financial institutions.
Identity theft and the resulting fraud can range from sophisticated operations run by syndicates, which may see significant amounts of money being stolen and transferred electronically across international boundaries, to less sophisticated but more common schemes where your credit or debit card is skimmed and new cards in your name are created.
Identity theft expert and lawyer Hans Gildenhuys says identity theft comes in two main guises:
* Account takeover. A fraudster obtains enough information about you to impersonate you and access (and take over) your bank or store accounts or even a share portfolio. This could result in the fraudster transferring assets out of your name.
Gildenhuys says a copy of your credit card can be used to make purchases, or money can be transferred from your bank or share-trading account to another account, often initially in your own name.
Although you will normally be able to cancel the transactions, you could be involved in lengthy procedures such as proving that you were not responsible for the transactions or that you did not give away information, such as your log-on details, to a scamster.
This theft often occurs because institutions or companies do not do enough to protect your personal information, Gildenhuys says.
* Identity fraud. This fraud, also known as application fraud, is committed using a false identity or your identity details to obtain access to goods or to access credit facilities or services.
This could include financing a motor vehicle or even obtaining a home loan. The use of your identity to run up debt does not make you legally liable for the debt, but can cause you a lot of trouble as you try to prove to financial institutions that “you are not, in effect, you” and even having to clear your name as a debt defaulter, Gildenhuys says.
The final insult is that an arrested fraudster using your identity could use it again in an attempt to prove that you are the identity thief.
Gildenhuys says identity theft may start from something as simple as picking up information about you from what you may consider innocent sources, such as your Facebook or LinkedIn profile, or from mail that comes via the post office.
It was recently reported that a postman in the southern suburbs of Cape Town had been mugged by criminals who were after “bank mail”. Following the mugging, there were a number of reported complaints of attempts to change the banking details of account holders.
Gildenhuys says that reports that criminals obtain information about you by digging through your rubbish are unsubstantiated – there are other, easier ways to get the information. This does not mean that you should simply dispose of personal documents in the rubbish bin. You should shred any personal information before disposing of it, he advises.
He says the average person leaves a substantial personal detail footprint, both on the internet and in other areas. The information about you is used to obtain duplicate, fraudulent documents such as identity books, passports and driver’s licences (see “How you can protect your identity”, right).
Gildenhuys says identity theft has become the most prevalent financial crime in the developed world and South Africa is no exception. Even though it is a significant problem, it is no worse here than it is in Europe or the United States.
And he says banks and other financial institutions are now fighting back by, among other things, letting you know whenever there is any activity on your account, be it a change of personal details or a withdrawal.
He says for the actions of financial institutions, such as banks, to be effective it is important that you always read information sent to you by your institution. But you must take care that the information is genuine. A signal that correspondence is not from your bank is when you are asked for account or log-on details.
Your bank will never request this information from you, he says. This is known as phishing. Phishers create a website that looks very similar to your bank’s site and then send you emails to lure you onto the site and provide your personal data.
A red flag for financial institutions is when an attacker changes your contact details, such as your email address and telephone number, and then soon afterwards an instruction comes for the transfer of money out of your account.
He says financial institutions are making greater use of red-flag signals to prevent identity fraud, but the attackers are also becoming ever-more inventive.
Gildenhuys says the implementation of the Protection of Personal Information Act (Popi) next year will make things far more difficult for identity thieves, because institutions obtaining your information will have to ensure it is properly protected.
Among other things in the Act, companies ranging from banks to car hire firms that demand personal information as a condition for providing services to you will have to show that they will take reasonable care to protect your information by having and maintaining effective systems and controls. You will be entitled to know what controls are in place.
How you can protect your identity
There is no 100-percent foolproof way to protect your identity. There is just too much information about you generally available.
Identity theft expert and lawyer Hans Gildenhuys says that what happens to your personal information is sometimes completely out of your control.
However, this does not mean you should do nothing. You must be diligent in protecting your personal information. Often it is implied that you have provided your personal information to a party requiring the information from you.
You need to ask – and from next year the Protection of Personal Information Act (Popi) will give you the right to ask – why the information is required, and you have the right to withhold or withdraw information if you feel the demand is not justified.
Areas where you need to take particular care:
* Telesales. You need to be particularly careful when dealing with telephone sales people, who may be nothing more than scamsters trying to get things such as your identity number or bank account number.
* Your computer. Never respond to unsolicited requests for personal information, particularly when someone is trying to sell a product. If you want the product, ensure you check on the vendor and pass on the minimum of information. Rather pay by electronic funds transfer than by credit or debit card.
Always use virus protection. Protect your computer with a password, change it frequently and don’t share your password with anyone.
Never respond to emails from financial institutions asking you to update your details. These emails come from phishers trying to get your details. Your bank will never require such details from you.
* Statements from your bank and other financial institutions. Preferably, have these statements sent electronically and not through the mail. When you receive a statement, check all the items on it. Fraud in South Africa is commonly committed through the debit order system where banks do not have sufficient controls in place.
* Your credit, debit and store cards. A good tip from Investopedia.com is to write in the signature space “photo ID required”, which would require the shop assistant to identify you by the photograph in your ID book. If your card is stolen, this will make it more difficult for thieves to make purchases. Photocopy everything in your wallet, including credit card numbers and the contact numbers of the issuers, and store this information in a safe place. If your wallet is lost or stolen, all the information you’ll need to cancel your credit cards will be readily accessible. Report the theft to the police, as you will then have instant proof that you can provide to financial institutions and stores if your cards are abused.
* Protection of the deceased. Even when you are dead, your estate may be subject to identity theft. In fact, your assets may become even more vulnerable. Many Hollywood thrillers are based on identity theft from the dead. Again from Investopedia.com: “When a loved one passes away, obtain a dozen copies of the official death certificate, and notify all financial institutions, including assurance companies, credit card companies and loan holders. Be sure to remove the deceased relative’s name from all joint accounts.”
Fraudsters obtain false ID book and passport
Dishonest officials at the Department of Home Affairs are the main suspects in the issuing of a false identity book and South African passport, assisting in the identity theft of Reader X, whose offshore investments were targeted.
Reader X, who is an actuary and a respected figure in the financial services industry, is a South African permanent resident but not a citizen and does not hold a South African passport.
He suspects that the identity document and passport were obtained from the Department of Home Affairs because the exact photograph used in his identity book and an older version of his signature was used in the fraud. The signature would have come from documents held by Home Affairs.
The forged documents and his signature were used in both the attempt on the Netherlands bank and one on the London office of a local asset manager. (Personal Finance has full details of the institutions involved, but is not publishing them because investigations are still under way.)
Reader X, whose overseas bank account and unit trust account were the targets of identity fraud, says he informed Personal Finance of the fraud because “I think all South African residents who have overseas investments should be alerted to the existence of this syndicate and start monitoring their post and absence thereof, and instruct their overseas institutions to introduce more stringent controls”.
He says the main reason the first fraud was thwarted and the second was detected was his unchanged postal address.
“Had they changed it, I would have been none the wiser to this day, but changing postal addresses is much more difficult, as proof of residence is required,” he says.
The apparently successful fraud in the London case has been referred to the investment industry in Britain so that measures can be put in place to prevent a repeat.
Since the first fraud, the fraudsters have attempted to withdraw similar amounts from other investments held by Reader X and have the amounts transferred to a bank in Mozambique.
The fraudsters sent a letter, with the forged older signature of Reader X, to the asset manager, attempting to change Reader X’s postal address (so that he would not be aware of the withdrawal). The fraudsters instructed the asset manager to cash in £82 000 in unit trust investments and transfer the money by electronic transfer to an account in the name of Reader X at a bank in Bangkok, Thailand.
The asset manager refused the initial request from the fraudsters to send the money by electronic transfer, saying it would only issue a cheque. The fraudsters then telephoned the asset manager, claiming no cheque had been received, to give further instructions for an electronic transfer of the money, providing a Johannesburg telephone number in the process.
The money was finally transferred to the Bangkok bank, from where it has apparently been withdrawn.
The asset manager has admitted that proper processes were not followed.
A letter using a forged copy of Reader X’s older signature was used to get the Netherlands bank to transfer o193 000 to an account in his name in Indonesia – an account Reader X never opened.
Fortunately, Reader X became aware of the transfer soon after it occurred. The Netherlands bank contacted the Indonesian bank to find out if the money was still in the account and instructed the Indonesian bank to return the money.
But the scamsters sent an email message to the Netherlands bank instructing it, in the name of Reader X, to re-transfer the money to Indonesia. The bank responded via email asking for proof of identity. The scamsters sent copies of the forged identity book and the South African passport in the name of Reader X.
After sending the copies, the scamsters unsuccessfully asked the Netherlands bank to transfer the funds to a Hong Kong bank account.
The Netherlands bank has traced the source of the email to a computer in Gauteng.
