What to Do if You Get Your Identity Stolen | Story Time
August 2020
Funnily enough, getting my identity stolen in 2019 was one of the major breaking points for my #InternetPresence as someone who talked about finances.
I’ll never forget it. It was April 1 (the worst April Fool’s Joke in history) and I was speeding to a 5:15 p.m. Yoga Sculpt class at the Henderson Corepower location from work.
At 5:13, I was whipping my car through side streets and trying – desperately – not to be too late.
As I sped down Henderson, my phone started ringing over the Bluetooth. It was a 214 number (the Dallas area code), so I picked up.
“Hello?” I asked, irritated that someone was attempting to reach me at such a chaotic and high-stress time as beating rush hour traffic on the way to a heated hip hop yoga class.
“Miss Gatti? Hi, this is the Southwest Credit Union. Are you traveling?”
Ope. Vibe switch.
“No, I’m not traveling,” I answered, “Why? What’s going on?”
“Well, ma’am,” the woman responded, “Someone’s using your debit card in a Walmart in California right now.”
“That’s impossible – I have my debit card with me. But okay – can you cancel the card?”
I’d had fraud conversations with my credit card issuers before, and so far this one seemed pretty standard – to an extent. As I turned into the Henderson Corepower parking lot coming dangerously close to a Ford Escape, I did the awkward bag lady dance with my purse under one arm, duffel bag of leggings and sports bra dangling precariously from my wrist, and mat shoved under my arm. The time was 5:16, and I hadn’t even changed yet.
I squished my greasy phone between my cheek and right shoulder.
“Well, yes, we can cancel the card. But first I need to ask you a few questions,” she answered.
I hobbled through the door and mouthed Sorry to the instructor, Carlea, who had gone through training with me a year earlier. I gestured to the phone. “Someone has my debit card,” I scream-whispered. “I’ll be right there!"
Did you catch the first red flag?
If this all sounds fairly standard (albeit a little stressful) to you, you may have overlooked the first red flag. Don’t worry, I did too, considering I fell for it.
Your bank would never call you.
The first red flag was that the bank contacted me via telephone. That just doesn’t happen. If a bank suspects fraudulent activity, they’re far more inclined to just block a purchase than to contact you and have a human being ask if you’re traveling. I’m sure it happens sometimes, but 99% of us won’t ever receive a legitimate call from our bank.
Back to the narrative:
I placed the phone on the countertop in the bathroom and ripped open my duffel bag, peeling off my already-sweating-in-April jeans and jumping into my leggings one leg at a time. The woman on the phone asked me questions.
“Did you receive our text message alerts?” She asked.
“Text message alerts?” I repeated, struggling to unroll the sports bra from my shoulders. I hastily swiped up on the call and checked messages. “No, no alerts.” I replied.
“Okay, ma’am, we’re going to make sure you’re receiving those. That’s very important, and that’s why we called. We texted about the purchase but we didn’t hear from you, so let me resend a text and see if you get it. Can you stay on the line?”
Exasperated, I shoved my stuff in a locker and tried to explain. “Listen, I’m 7 minutes late for a yoga class, and I really need to go. Can I call you later?”
Her voice raised an octave. “Ma’am, it’ll just take a second, but if you need to go, we’ll call you. When should we call you? You don’t need to call us. We’ll call you.”
I can’t even count the red flags between the first one and right now.
First of all, the complexity and ridiculous back-and-forth about the text alerts should’ve raised my antennae. Unless a fraud department customer service representative was making $250,000 a year, I have no idea who would go to such lengths to ensure “fraud texts” were turned on.
Secondly, the weird insistence on her calling me (not the other way around) was bizarre, but unfortunately, I was so distracted by how late I was and unsuspecting of danger that I didn’t pick up on it.
I finally managed to get her off the phone after agreeing to check for fraud texts and voicemails after class.
Sure enough, my Apple Watch buzzed and beeped throughout the entire 60-minute session (of which I participated in 49 minutes, thanks to my caller), and I couldn’t focus.
When I got out of class, I was met with a barrage of missed calls, voicemails, and text messages. Some were from standard six-digit no-reply text numbers listing codes for verification, and the voicemails repeated the same fraud alert script. Guess it’s working, I thought, frustrated by the entire experience.
As I got back in my car, I called the number back. It went to a pre-recorded voicemail about standard Credit Union hours.
Hm, that’s weird, I thought, They’re not even open right now.
Only mildly nervous that I couldn’t get ahold of anyone, I checked my account as soon as I got home. Everything looked normal. No Walmart charges. Then my phone rang.
“Hello?” I answered, now slightly calmer and less agitated. I felt bad for being so short with her before.
She was very polite. “Miss Gatti, did you get the text messages?”
“Yes, I got them. I just checked my account; I don’t see any charges from Walmart?”
“That’s because I already removed them for you. Would it be OK if we tried one more fraud alert? I’m going to send one now.”
At this point, I figured I might as well humor her. I had nothing else to do, and she seemed insistent on making sure everything was working properly. The overload of texts and calls that came through during class was overwhelming and I couldn’t make sense of any of it, and I chalked it up to system error – like someone on the other end was trying to push through alert after alert and they all came through at once, a little like when a printer jams then starts again.
Then she disappeared for a long time – I’m talking 15 or 20 minutes. She said she was putting me on hold to work with the system administrator (or something to that effect). I was making dinner and had the phone on speaker on the counter, so I wasn’t really aware of how much time was passing between her going back and forth.
Red flag #I’ve lost count.
This is where the fraud actually occurred.
I found out later (by piecing together my end of the story with the actual fraud department) that the person who had called me (from the bank’s phone number) was also on the phone with the bank at the same time on the other line, pretending to be me.
Keep in mind at this point in the scam, I still didn’t know I wasn’t actually speaking with the bank.
The long delays between conversation were the scammer on the phone with the real fraud department, asking them to remove my ATM limit. The fraud department would send me a text to confirm my identity, and the scammer would get back on the line with me and say, “OK, I sent a text. Can you read the code?”
If I had really thought about what was happening in earnest for a moment, I probably would’ve realized something was amiss – but I was completely unsuspecting. Having never been the victim of an elaborate scam before, I was far too trusting.
All in all, we were probably on the phone for close to two hours, and some other dicey shit happened that revealed she knew more about me:
She asked me to answer my security question, mother’s maiden name.
She read me a list of my other recent purchases to “confirm they were mine,” including a few trips to Chick-Fil-A and a stop at Kroger – which is freaky, because it means she did (somehow) have access to my account. I believe now that she had asked the bank to confirm my recent purchases, and then reiterated them to me as a ploy of believability.
And perhaps the scariest revelation of all occurred when she said something that finally made me suspicious.
How things started to take a turn
Remember how she asked me if I wanted her to cancel my card?
She offered to send a new one in its stead. She read me my address and asked if that’s where I wanted it sent (so… she had my address).
Then – and this is the frustrating part – she said, “Ma’am, it seems as though someone in California is trying to access the online account. I’ve blocked all incoming logins, but do you want us to reset your password?” I felt myself start to panic: Oh my gosh! Someone’s trying to log in to my bank account!
“Sure, reset it,” I answered, “But can you tell me what the new password is?”
“Yes, ma’am, I can, but first I need you to verify the old password. Can you spell it for me?”
Finally, some alarm bells went off in my dumb ass brain.
“Wait a second,” I paused, physically recoiling from my computer screen. “Who are you?” I asked. “Can you tell me any details at all that confirm you work for the bank?”
“Oh, ma’am, I’m so sorry. Of course,” she proceeded to tell me her name, and then – drumroll please – my social security number. "I’m looking at your file right now. Your address is (repeated address) and your social security number is (insert SSN here).”
So while I, a moron, was comforted by the fact that this stranger new everything about me, I should’ve been panicking – which brings us to another embarrassingly humongous red flag.
Your bank would never, ever, ever ask you (or tell you!) personal details over the phone
Ever. Anyone who calls you pretending to be from a bank and asking (or telling) you personal information does not work for your bank.
Luckily, all the bleach from years of dying my hair blond hadn’t totally seeped into the soft part of my skull, because I responded, “Well, I’m still not comfortable giving you the password – if you know it, you know it. Otherwise, I’ll reset it myself. Other than that, is there anything left to do?”
She was quick on her feet. “That’s totally fine, ma’am, and don’t worry – we’re setting a trap on your account tonight to try to catch the IP address of anyone who tries to log in. So don’t try to log in, otherwise it’ll catch you.” She told me she’d follow up in the morning.
I can’t decide what’s worse: that I believed this fraud department employee was of the $250,000/year variety, or that I actually didn’t look at my account.
Come to find out later, over the next 12 hours, a fraud ring in Houston was withdrawing $8,000 from my checking account in $400 increments from ATMs all over Humble, Texas.
But I didn’t find this out until the next morning, at 10 a.m., when I finally logged into my bank account to see half of it missing.
Remember, at this point, I still thought this woman actually worked for the bank. In my mind, she was just an overzealous fraud department employee who didn’t end up doing her job correctly and allowed me to get robbed blind.
When I say I sped to the Credit Union so fast I practically teleported…
Luckily, it was just down the street from work. I asked to speak to the branch manager (#FullKarenMode: engage. Square-tip french manicure jabbing one finger at a time onto the reception desk and instant haircut transformation).
Walking through the doors at the Credit Union like…
“Listen, someone from your fraud department last night told me someone was using my card in California. They said they blocked it, and yet my account has been bled dry. You have to help me.” At some point in rattling off my plea, my voice had cracked and I had begun to cry.
The bank teller looked at me through squinted eyes. “What’s your account number?” she asked, staring at the screen as she typed.
“Hm…” she said, covering her mouth with her hand. “I haven’t seen an account get hit this hard in months.”
I choked out a small sob. “So what’s happening? How do I get it back?”
“Listen,” she said, “You need to file a police report. This is a felony, and in order to get reimbursed, you’re going to have to prove to Visa that you didn’t withdraw this money yourself.”
Hold the phone. You’re telling me I’ve just been robbed of nearly $10,000 and now it’s on me to convince Visa that this isn’t some elaborate scheme?
“But first,” she continued, “Can you show me the texts you received?” I threw my phone across the desk at her.
She tapped through them. More squinting. “I mean, yeah. That’s us.”
“Okay, so… if your fraud department didn’t catch this… sorry, but what the f***?” My tears had subsided and I began to feel righteously indignant. What kind of operation were these people running?
“I’m sorry. I really don’t know what happened.” She shrugged.
“Am I going to get this money back?” I asked, hopeful.
“Honestly, ma’am, I don’t know. You need to go file the police report.” I took the paperwork, welcomed another wave of stress tears, and searched the police station in Google Maps.
Filing a police report will put things in perspective, and the cop I worked with wanted me to know that – badly. I couldn’t really speak without my voice cracking as I tried to explain what happened to him, and I could tell he was annoyed.
“Ma’am,” he said, “The woman I helped before you was trying to get a restraining order because her boyfriend keeps beating the shit out of her. You’re going to be fine. You’re going to get this money back. Okay? Can you nod okay for me?”
I fervently nodded. Even though I could tell he thought I was a spoiled brat, I appreciated his assuredness after the bank teller shrugging off my question with an indifferent “I don’t know.”
The mess to follow
The next five days were a blur of bank visits, frantic Google searches, and firing off texts to Ali (my Matriarch partner) asking for advice.
All of this went down on a Monday, and by Friday, I had my money back. But man, it was a long five days, and it felt like it lasted much longer.
The first afternoon (in the aftermath of realizing I had been defrauded) was when I began to realize the person who had called me did not work for the bank.
I replayed the conversation in my head hundreds of times, feeling increasingly violated that she knew so much about me. It was akin to a “The call is coming from inside the house” feeling – you feel dirty, exposed, and vulnerable.
I was also angry at myself for being stupid and overly trusting. I was disgusted at the woman and her counterparts who had done this, sugary sweet and calculating in their approach. At the end of the day, I did feel like an idiot – but I was comforted, in a twisted way, that the actual fraud department was fooled, too.
It took several visits to the local branch before the fraud manager and I realized fully what had happened. They call it a middle-man scheme, but frustratingly for the first few days, the bank was convinced that I had malware installed on my phone and that’s how the fraudulent caller was reading the text messages.
After we cross-referenced the time stamps on my phone calls and the phone calls the person was placing to the real fraud department, we realized it was happening concurrently. The person in the real fraud department who lifted the ATM limit had an interesting story to tell, confirming the long pauses and silences between text message verifications and the scammer’s inability to correctly answer all my security questions.
And yet, despite the red flags raised on the real fraud department’s side, they eventually relented because the woman knew the text codes (that I had read to her).
Visa (not the bank) reimbursed me, and I promptly withdrew the reimbursement and the remaining amount in the account and deposited it into my Chase account.
“Sorry,” I had explained to the teller as I asked them to fully cash me out, “I just can’t risk it again.”
I no longer trusted the fraud department at the Credit Union. I was convinced someone employed by Chase wouldn’t fall for something like that. Because although I had fallen for it, the Credit Union themselves admitted that this woman couldn’t answer my security questions.
Not to mention the fact that she sounded like an older black woman, and I was a 24-year-old white woman. Our voices sounded different, and the bank knew my demographic data. When the voice was coupled with all the other oddities about the caller (long pauses, shuffling papers, unable to answer the questions), it should’ve raised a flag on their end.
And you know what? When I cashed out nearly $15,000 in a cashier’s check, nobody even ID’d me. I said, “My name is Katie Gatti and I need to empty my account,” and the woman wrote me the check without ever asking to see an ID.
That confirmed I was making the right decision.
Don’t forget the part where I played Nancy Drew
Once I had my money back, I was determined to serve #justice to the fraud ring. The Credit Union told me that two other Credit Union members had been hit that week by the same scam, and they couldn’t figure out what was going on. Either there was a breach in their database or they had a leak internally; I didn’t intend to stick around long enough to find out.
When the shit went down, the Credit Union printed out a list of the fraudulent transactions to take to the police department. I noticed each one at an ATM had a unique code affixed, and the beginnings of an address – so you know I Googled within an inch of my life.
For the next 24 hours, my browser looked like this:
Satisfied I had found the place where all my money had been withdrawn, I called the branch. It took a few tries to get someone on the phone, but then I launched into my story. Resume Karen mode.
“…and so, the point is,” I finished, “Someone stole thousands of dollars from me, and they did it at your ATM. I have a police report and I want the ATM footage.”
“Ma’am, we really can’t release that without a court order.”
I was so tired of being called ma’am. “Fine.” I replied. “Then I’ll get one.”
But then I didn’t, because I mostly just wanted it to be over. I figured with an amount close to $10,000 and a few other similar hits in a proximate timeframe, Visa would give enough of a shit to look into it, but turns out they’re up to their ears in money and don’t really investigate this stuff.
The result?
If you get defrauded, you’ll probably get your money back… but whoever did it probably will never be caught.
This makes fraud a pretty desirable arena of crime for people. You can do it from the comfort of your home with a few burner phones, and it’s unlikely (if you spread your theft out enough) that anyone will ever come looking for you in earnest. Solid business model.
Maybe we should start a fraud ring, you guys!
So the unsatisfying end to this story is that, to my knowledge, nobody ever got caught. They got my $8,000, and I got Visa’s $8,000, and for that reason, I think they consider it a victimless crime. Never mind the fact that it shaved at least 3 good years off my life.
So what should you do if this happens to you?
We’ll get into preventative measures in a second, but here’s what you should know if your debit card is defrauded – it’s an excerpt from the National Consumer Law Center:
Lost or stolen card.
“If your card itself was stolen and used, your losses will be limited depending on how quickly you report the loss or theft of the card.
If you notify the bank within 2 business days of learning that your card has been lost or stolen, the most you can lose is $50 or the amount of unauthorized charges made before you call, whichever is less.
If you notify the bank more than the 2 business days described above but less than 60 days after your statement is provided, you can lose up to $50 in charges made in the first 2 business days plus any subsequent unauthorized charges made before you report the loss, up to a total maximum of $500.
If you fail to report the fraud charges within 60 days after your bank statement is sent, there is no cap on your liability for unauthorized charges made after those 60 days. Within the first 60 days, your losses are capped as previously noted. You are not responsible for any unauthorized charges made after you notify the credit card company.”
No lost or stolen card.
“If your physical debit card itself is not lost or stolen, you are not liable for any fraud charges using your debit card number if you report the fraud within 60 days after your statement is sent. That is, neither the $50 liability limit nor the $500 liability limit applies if your card was not lost or stolen. If you take longer than 60 days after your statement was sent, you should still be able to get reimbursement for fraudulent charges made in the first 60 days, but you will not be able to recover later charges that could have been prevented if you had called within 60 days. In either event, you should act promptly.”
Put a freeze on your credit reports
This part is very important, and honestly, you may want to do it anyway.
Put a “freeze” on your credit reports with the three major bureaus:
Equifax
Experian
TransUnion
These three unions create your FICO credit score, and they’re the entities that lenders and credit companies contact before extending you a line of credit. If someone has all of your personal information (address, SSN, etc.), they could buy a car or open a credit card in your name.
If someone opens a credit card in your name, runs up the charges and never pays it off, your credit is affected and the delinquency hurts you.
By placing a credit freeze on your report with the major bureaus, you block all incoming requests for credit. This was a huge thing for me after the fact, because I knew this fraud ring knew everything about me and I was nervous they’d try to use my credit to open a credit card.
You can just navigate to the sites for the bureaus and request a freeze. It’s pretty straightforward. They’ll give you a long PIN that you need when you want to remove the freeze (when you actually want to apply for credit), so make sure you keep it. It’s a bear to get it back if you forget it.
Preventative measures
Cut up your debit card. Just kidding, that’s extreme – but maybe stop using it? I’m still not really sure how mine got defrauded; I was always very careful with it, only using it in places where I could see the point-of-sale system, not using it for gas or online purchases, and sticking to relatively safe-seeming businesses (I mean, shit, what’s stabler than a Chick-Fil-A?).
Realistically, you’d be better off leaving your debit card at home and only paying for things with cash or a credit card. Credit cards are far less scary to get defrauded because the credit card companies just wave their magic wands and make the purchases disappear – there’s no physical transfer of your funds until you pay the bill, which you can vet for accuracy.
Sign up for bank push notifications. Now, I get push notifications from all my banks and credit card accounts when anything happens that’s over 1 cent. This serves a dual purpose in that it also shames you out of spending money on dumb stuff, because you’re faced with a push notification that says, “A charge of $166.67 at TARGET on Jul 30, 2020 at 2:08 PM ET is greater than the $0.01 limit in your Alerts settings.” I wish I could program it to append, “Stop going there.”
I actually did catch fraud on my Discover card once this way. When my phone began lighting up one Friday morning with $200 at Old Navy and $300 at Bass Pro Shops, I knew something had gone terribly wrong. I called Discover and within minutes the purchases were erased and the card had been closed. Far less #drama.
Don’t answer phone calls from numbers you don’t know. The fraud ring that called me had faked the caller ID to appear as the bank’s phone number. Even if you have your bank’s phone number programmed in your phone, don’t answer. Let them leave a voicemail and call the number back after verifying it’s correct. There’s no way for them to rig it so you call back their fake number; if you dial the bank’s number, it’ll actually go to the bank.
Get very friendly with your accounts. You should be checking that shit daily. Even with spending alerts, I still like to keep an eye on everything. After all, nobody’s going to watch your assets more closely than you are. At the risk of sounding paranoid, the worst thing you can do is leave an account unattended for weeks on end, especially checking accounts that are particularly vulnerable.
Use different passwords for everything. Gone are the days of Scruffy1234 for every password – you don’t have to use crazy, long passwords for your Facebook account and New York Times subscription, but for banking, investing, insurance, etc., I’d definitely recommend using a random password generator and creating a different 16-digit password for every account. Why? Because think about what would’ve happened if the fraud ring who targeted me DID get my password somehow – the same password that would’ve unlocked my other bank accounts and investment accounts. It wouldn’t have taken them long to zero in and bleed me dry. By using complicated and impossible to guess passwords (and a different one for each), you’re building a pretty high firewall around yourself and your assets.
On that note, be cautious with public networks. That is to say, maybe don’t log into your Bank of America account in a Starbucks on public wifi. I’ve been notoriously pretty bad about this because in some ways it feels like overkill, but public networks do expose you to more risk than your private home network.
Final takeaways
In the months that followed, I received more DMs than I’d ever expected that fell into two categories:
Someone telling me this had happened to them or someone they know before, with grandparents being especially vulnerable – the scheme I heard about a lot was a fraudulent caller identifying someone’s grandparent (I mean, think about it – all they’d have to do is look you up on Facebook and read through a few comments to isolate a sweet grandma or grandpa), calling them, and pretending to be the police. They’d say the grandchild was in jail and that the kid had requested the police not call their parents. The bail would be something ridiculous, like $1,000 in Best Buy gift cards, but often in the panic and terror of the situation, the grandparent would do it. Really scary (and sad).
Someone letting me know they watched my Instagram Story diatribe about what happened, and then they received a similar sketchy call from someone pretending to be the bank in the coming months.
My point is, it’s scarily prevalent – probably for the reasons that we addressed above. It very rarely gets investigated, because little hits here and there happen constantly and Visa doesn’t give a shit.
The most dramatic story I heard after the fact was a friend’s mom getting taken for $150,000. Of course, Visa cared enough to investigate that one, and the woman who defrauded her is in jail now.
All in all, exercise extreme caution and skepticism. If I hadn’t answered the phone, none of this would’ve ever happened. But the good news is, now you have an entertaining account and a few hot takes out of it, so I guess all is not lost.
Same time next week. See you here!
