Rating fraud: Not all security breaches are equal
We rank frauds by type from low risk to high danger of ID theft
Major data breaches, stolen credit cards, hacked social media accounts, spammed email, missing snail mail -- many of us are experiencing fraud fatigue. But no breach should be ignored, though some expose you to more danger and aggravation than others. It helps to know whether you're facing a minor annoyance or a full-on code red alert.
With help from security experts, we've produced a risk-o-meter to rate risks and hassles. You can also learn how to avoid some of these breaches.
You are not your credit card
Keep in mind that there's a big difference between a risk or breach involving only one account and a breach that exposes your entire identity.
"You have to understand, you are not your payment card," says Eva Casey Velasquez, president and CEO of Identity Theft Resource Center in San Diego. "If you have a credit card compromised, the remediation process is significantly easier. You simply call your financial institution and inform them that your existing account was compromised and you need a new card."
But the risk increases when a breach extends beyond one card or account to include personal information such as your Social Security number or other data that could be used to hack multiple accounts, says Steven Weisman, the Amherst, Massachusetts-based author of "Identity Theft Alert" and writer of the blog Scamicide.com.
"When you're talking about taking information to make someone a victim of identity theft, that can affect your credit report" and, therefore, your ability to get a loan, rent an apartment or be hired for a job, Weisman says. "Someone can be running up debts in your name. Someone can steal your identity, use it to commit a crime and you can be arrested and even spend time in jail for something you didn't do. Full-blown identity theft can take a lot of time to fix and cost you a lot of money."
Ranking risks and hassles, from ho-hum to humdinger
To help you get a handle on what you're facing, we've created a system that ranks the security and financial implications, as well as the headache factor, of different kinds of fraud, using a scale of 1 to 5. Here's how to interpret the numbers.
- It's unlikely any of your personal data, money or credit are at risk.
- Just one credit account is at risk -- not your entire financial identity and probably not much of your money.
- Only one account is at risk, but scammers could clean that account out depending on how quickly you react and your financial institution's rules.
- Scammers may have access to enough of your personal information to commit ID theft.
- There's a high likelihood that fraudsters have enough info to commit ID theft, and they intend to use it for nefarious purposes.
How many hassles will this scenario cause you as you work to resolve the issue and deal with long-term consequences?
- No real pain involved.
- One or two calls should clear up the fraud.
- There may be financial consequences that you'll need to spend days or weeks to resolve.
- Get yourself an economy-sized bottle of aspirin. This problem could take weeks or months of phone calls and letters to fight, and could affect your credit and short-term or long-term financial health.
- You could be embroiled in cleanup efforts for years -- an endless migraine of consequences resulting from the theft of your Social Security number and other data that could even impact your physical health.
Scenario 1. Your credit card is stolen or hacked
Someone stole your wallet and with it, your credit card. Or, maybe you still have the credit card but someone somehow got the number and charged items on your account.
Why: The thief wants to spend as much money as possible before you and/or your card issuer get wise to the theft.
The good news: Under the Fair Credit Billing Act, you're on the hook for only $50 and probably not even that. Most credit card issuers have zero-liability policies that mean you won't pay a cent. Plus, the thief has access to just that one account number -- not other personal info that could put your entire financial identity at risk.
The bad news: You have to get the card replaced and change any recurring automatic payments made with the card. In the meantime, you don't have the credit card, which is a problem if that's your only card.
Takeaway: "If your credit card is stolen, it's a hassle but it's no big deal," Weisman says. "By law, your limit of liability is no more than $50. But frankly, I've never seen a credit card company hold anyone to any liability. It isn't anything more than a major inconvenience."
Security risk rating: 2.
Headache rating: 2.
Scenario 2. Your debit card is stolen
Someone stole your wallet and with it, your debit card.
Why: To clean out your account before you find out about the theft.
The good news: The thief has only your debit card -- not anything linked to your identity.
The bad news: You're not protected for such theft the way you are with a credit card theft or breach, Velasquez says. Under the Electronic Funds Transfer Act if your debit card is stolen, in most cases your liability is limited to $50 if you report the theft within two days. But if you wait more than two days, you could be liable for $500. After 60 days, you could be on the hook for the entire stolen amount, although most banks will review such theft on a case-by-case basis.
Even if you do report the theft right away, the bank account linked to the card will be frozen and you'll lose access to the funds while the issue is being resolved. That could take up to five days, Weisman and Velasquez say.
Meantime, you can't pay your bills or get cash. For people who are already living on the financial edge, this can cause a domino effect. No money for gas means no way to get to work, which puts a job in jeopardy, she says.
Takeaway: "If that account gets cleaned out and you don't have access to that cash for three to five days, it can have devastating effects," Velasquez says. "Especially for the financially vulnerable, it can be a life-changing event."
Security risk rating: 3.
Headache rating: 4.
Scenario 3. You friend a fraudster
A fraudster posing as one of your friends asks to connect on social media and you quickly accept. Then you realize you're already connected and this new social media "friend" is a fraudster. Now all the personal info you share with your real friends is available to an identity thief.
Why: The fraudster may already have some account information on you and now is trying to fill in missing puzzle pieces or get information about your identity that could be used to answer your password security questions, such as "Name your first pet" or "Where did you go to high school?" The fraudster could use this information for full-scale identity theft or to hack one account at a time.
The good news: You could be safe if you catch the mistake and delete the fraudulent friend right away. If the hacker is doing this on his own, he'll need time to comb through your account, Weisman says.
The bad news: If the hacker is using software to scrape personal info from your page, you might be at risk the minute you click accept.
Takeaway: "The more info we put out there, the easier we make it for ID thieves to steal our identities," Weisman says.
Security risk rating: 3.
Headache rating: If the account provides those last missing puzzle pieces to set up new accounts: 4.
Scenario 4. Change-of-address fraud
You haven't gotten any snail mail for days; you see your mailman as he drives by and he says the post office received a change of address notice from you. You didn't fill one out.
Why: The thief first wants access to mail so he can get account information and other personal identifiers. Next, he wants to make sure you don't receive mail notifications when he changes passwords, PINs or other key information for those accounts, and opens new accounts in your name, Velasquez says.
The good news: You missed a few days of junk mail.
The bad news: This scenario is a major indicator of ID theft.
Takeaway: "This is alarming," Nguyen says. "It's not like they want to get your Time magazine for free. They're either getting stuff that belongs to you or preventing you from knowing about something they've done."
Security risk rating: 4.
Headache rating: If the thief opens accounts in your name and changes existing passwords: 4.
Scenario 5. Hackers expose your data in a major federal breach
You're among the millions of victims whose extensive personal information was exposed in the federal data breaches at the Office of Personnel Management.
Why: Thieves can use that information to open new accounts in your name for apartments, cell phones, car loans and more.
The good news: You're not alone; about 22 million people were affected in two separate breaches.
The bad news: Thieves now have access to a lot of your personal info -- the breaches included Social Security numbers and information used for security clearances, as well as employment, educational, residential, financial and health histories.
The takeaway: "Think of your identity like a puzzle," Velasquez says. "The more puzzle pieces [thieves] have, the more they can get an understanding of who you are and the more easily they can use that information to perpetuate fraud. Maybe it's medical fraud. Maybe they want to open new financial accounts in your name. They can do that if they have access to other identifiers."
Security risk rating: 5.
Headache rating: If the info is used to create a new identity: 5.
Scenario 6. Medical ID theft
Your doctor's office gives you a form to sign confirming that you've moved; but you've lived in the same house for years. This could be a sign of medical ID theft, one of the fastest growing forms of identity theft.
Why: Medical ID thieves seek to get free medical care, free drugs, free equipment or to commit other fraud.
The good news: It could be human error.
The bad news: If it's medical ID theft, the implications go beyond financial. When your medical history is intertwined with someone else's, you're at risk for misdiagnosis, being prescribed a drug that doesn't work with current prescriptions, having insurance claims denied or even losing your insurance, says Ann Patterson, program director of the Medical Identity Fraud Alliance. Nearly two-thirds of victims in a 2014 survey by MIFA paid out-of-pocket expenses averaging $13,500 including services received by the ID thief, Patterson says.
Takeaway: "Financial risks can be significant," Patterson says. "But the most severe consequences are not financial -- they're related to a consumer's health as the result of confusion about the victim's true medical condition and health history because it's corrupted with information about the identity thief's health conditions."
Security risk rating: 5.
Headache rating: 5.
You can't prevent some of the scenarios above but you can take action to help prevent being an individual target.
- Set up your debit card so that it's only an ATM card and can't be used to buy things and clean out your account, Weisman says.
- Choose strong passwords, change them often and don't keep them written down in an obvious place.
- For security questions linked to your accounts, make up fake answers that are easy to remember yet have nothing to do with your real first pet, high school or mother's maiden name. "Give a nonsensical answer," Weisman says. "For ‘Where did you go to high school?' answer ‘Grapefruit.' It's just silly enough you won't forget it."
- Read the explanation of benefits notices your insurance company sends out, even if they say you don't owe anything, Velasquez says. That will alert you to any procedures or doctor visits that didn't involve you.
And if your credit check engine light comes on, investigate immediately.See related: , Credit card fraud and ID theft statistics, Know your fraudster: 8 types of card criminals
- Credit freezes are now free – but do you need one? – Credit freezes, which keep lenders and other companies from viewing your credit, are now free. We compared them to other credit protection tools, including locks and monitoring services. Here's how to use them all to protect yourself ...
- Employer credit checks: Who does them, how they work and what laws apply – If you're applying for a new job, a credit check could determine your fate, depending on the position and where it's based. Here's how they work and what to expect ...
- My card issuer of 25 years suddenly wants to know more about me – Under the Patriot Act, banks are required to verify the identities of their customers and maintain accurate information on them. But my bank's demand to know how I earn my income is an invasion of my privacy ...