When a former neighbor contacted Martin Kaul (not his real name) in August 2020 to tell him that he’d received a letter at his old address, Martin thought nothing of it. But when he actually read the letter, which was from a mobile phone company he hadn’t signed any contract with, it dawned on him that he’d fallen victim to a scam – unknown fraudsters had misused his identity to sign costly contracts in his name. As it soon turned out, far more than ‘just’ once.
Stealing a person’s identity has never been easier. As data breaches, leaks and phishing campaigns are running rampant and many people don’t think twice about sharing details from their lives on social media, criminals are finding it easier to get their hands on personal data of other people and steal their identities. From there, they can, for example, drain the victims’ bank and investment accounts, open new credit lines, or steal their tax refunds. In the United States alone, losses from all manner of identity fraud reached $56 billion in 2020, a recent study has found.
RELATED READING:
The aftermath of a data breach: A personal story
Did someone file your taxes before you?
The problem is also acute in other parts of the world, however – Martin Kaul hails from Germany, and his case is far from an isolated one there. To help size up the magnitude of the problem, the forsa Institute for Social Research and Statistical Analysis conducted a survey among German internet users in 2018 that found that 12% of people had been victims of identity-related crimes. One in ten of those affected suffered financial damage as a result of their identity being stolen and misused. Most (80%) also had to deal with the inconvenience of repeatedly having to explain the incidents to law enforcement, financial institutions and others.
This week is International Fraud Awareness Week, and we spoke to Martin to find out how he fell victim to identity theft and fraud, as well as how he cleaned up the mess and got his life back on an even keel. We also offer tips for how you can prevent identity theft and fraud and fight back against enterprising scammers.
The story of an ID theft victim
Last year, you became a victim of identity theft and fraud. How did you realize that something was wrong?
Martin Kaul: It was actually my former neighbor who happened to ‘clue me in’. At the end of August 2020, he called me to say that a letter from a company called Simplytel had been delivered at my old address. Actually, he just wanted to ask whether he should simply throw the letter away, but when I asked him to open it, I was in for a nasty surprise: instead of some sort of flyer, the letter contained documents related to a contract I’d never signed.
Was identity theft the first thing that came to mind?
Martin Kaul: At first, I was actually sure that it had to be a mistake. Before long, though, I began to suspect that I might have become a victim of identity theft. At that time, I hadn’t lived at my old address for three years and had no connection to Simplytel. My suspicions were quickly confirmed, because in the following weeks I received more letters similar to the first one, from other companies.
What exactly happened? How did your data end up in the wrong hands?
Martin Kaul: I still don't know exactly, but apparently someone had managed to use my rather old data records to sign, on my behalf, several mobile phone contracts and subscriptions with providers such as Netflix and others. Even contracts with insurance providers were among them. There were eight cases in total, with other letters being returned with the note "recipient moved house, new address unknown”.
What steps did you take after you realized you were a victim of identity theft and fraud?
Martin Kaul: When I discovered the first unauthorized debits on my account, I realized I needed to act immediately. I had this uneasy feeling that either more mail had already been sent to my old address or would be sent soon. At the same time, I realized that I needed to file a report immediately. How else could I have seriously made it clear to the companies that I was a victim in all of this and not the culprit?
My bank account was in a shambles. More and more amounts were debited from companies with which I had never signed any contracts. At first, I objected to the debits. But this went on and on, and I had no idea what to expect next. Since I couldn’t see any other way to effectively stop the debits, I finally decided to change banks.
I also signed up for Schufa Plus. [Schufa Plus is a credit monitoring service offered by Schufa, Germany’s biggest credit bureau. – Ed.] I was extremely concerned that what was happening could damage my credit rating. Schufa has a notification service. This enabled me to find out at the earliest possible time if there were any inquiries about me or if my credit rating had changed.
Did you receive any help from the companies and/or authorities?
Martin Kaul: Filing a criminal complaint during the lockdown was, to be honest, a disaster. It was only possible online and not in person, so it felt like "nothing was really happening". It was only after I contacted the police by phone a few weeks later that I found out my file number and was able to provide the officer in charge with more information about what was going on. This included the mail addresses used by the criminals, IP addresses, times and online forms used. And yet, the case was closed in mid-February 2021 without any further consultation with me. This was so disappointing.
At the bank, I was able to carry out the chargebacks of the debits I had not authorized digitally without any problems. That went over quite quickly. However, because I had decided to switch banks in order to be on the safe side, I had to spend a lot of time dealing with the issue. A family account, two ‘sub-accounts’, two credit cards and all debit and direct debit orders – it took between 20 to 30 hours of work.
The most annoying and costly part for me was dealing with the companies involved. I had to contact each one of them. Unlike the perpetrator in his legally invalid "contract conclusion", I as the victim very much had to legitimize myself on the customer hotlines. This was a travesty! That's why I tried to fight my way straight to the legal departments or the fraud departments in order to be heard. If you don't take action yourself and don’t ‘keep your eyes on the ball’, you're guaranteed to have to deal with debt collection agencies or default summonses later on.
How much did you lose to the fraud?
Martin Kaul: In the end, I was able to track down all the debits and was able to have them reversed by the bank as not authorized by me after personally contacting each individual company. For the bank change, the Schufa Plus membership and the correspondence, of course, I still incurred some costs, but these are negligible if I don’t include my own time.
Have you experienced any more problems due to the scammers abusing your identity, for example with Schufa or the bank?
Martin Kaul: Fortunately, not so much with the bank, however even contacting Schufa in person and submitting all the data did not prevent my base score from falling from over 99 to under 90 due to the many inquiries (especially for mobile phone contracts). The algorithm responsible for this is cold, incorruptible and does not react empathetically to such processes at all. In fact, if I had wanted to finance a house or make major purchases during this time, it would have failed because of my credit score. It took me a lot of time and effort, but in the meantime my score has returned to the way it was before the identity theft and fraud occurred.
Have you since found how the perpetrators got ahold of your personal data? Were you careless with your data?
Martin Kaul: Unfortunately, I don't know exactly how the criminals managed to get their hands on my data. I’m sure that the data didn’t come from a person I know, since only people in my immediate vicinity knew I had moved to my current place of residence. That's why I suspect that my data with the outdated address came from an old data breach on eBay.
And no, I wasn’t careless. I simply used the internet. However, I find that it’s quite easy for criminals to steal money from people via identity theft and fraud. In Germany, apparently it’s enough for someone to know a person's name, address, account number and date of birth in order to sign contracts in their name on the internet. What shocked me the most was the fact that not only did no one ask for proof of identity when signing contracts online, but the companies apparently didn’t carry out any plausibility or authenticity checks on the data. No provider noticed the invalid address or the completely inappropriate e-mail address, janbaumgaertner1997@gmx[.]de that doesn’t correspond to my name.
How do you view identity theft today? What advice would you give to others?
Martin Kaul: What I’ve learned is that anyone can become a victim of identity theft. Really anyone, even if you have done nothing wrong. I don't go online without appropriate security measures in place, nor do I use unsafe passwords or give away my personal data in online competitions. I also regularly shut down my old and unused online accounts. As it turned out, however, that didn't protect me from identity theft.
READ NEXT: How to tell if your password has been stolen in a security breach
I do have one tip for other people, though: keep an eye on your mailbox, and if you move, ask a former neighbor to do it. Because a quick response is really helpful in averting the damage that identity theft and fraud can cause. Snail mail that is posted unauthorized at an old address should be thrown back into the nearest mailbox unopened with the note "recipient moved house, new address unknown". This is the only way to ensure that the sender does not get the impression that the item was properly delivered.
And how do you handle your online security and protect your personal data today?
Martin Kaul: I follow all the security measures I can. In addition, since the events I regularly check whether my access data has been stolen by cybercriminals via the online service haveibeenpwnd.com. Also, I now check my account more often so that I notice any unusual transactions and can take direct action.
How can you protect yourself from identity theft and fraud?
These 10 tips can go a long way towards keeping your identity safe. Be sure to also scroll down and listen to the advice shared by ESET Chief Security Evangelist Tony Anscombe.
- Use your personal data carefully, especially sensitive data such as date of birth, occupation, address and bank details. Only provide your date of birth if it is really necessary.
- Follow the same rules during phone calls – it is not you who is obliged to provide information, but the caller.
- Make sure you use secure passwords and don't let anyone look over your shoulder when you log on to an online service.
- Don’t make sensitive transactions or share sensitive data while using public Wi-Fi hotspots.
- Keep operating systems and all programs on your devices up to date. Secure your devices from theft with access protection and encryption. Download software only from original sources.
- Use a trusted security solution to protect against malware and websites that take aim at your personal information.
- Be careful when opening links and file attachments in emails. Never click on links, download files or open attachments in messages unless you verify that they are genuine.
- Regularly check your account charges and credit card spending. Use notification features of credit institutions and banking apps.
- Use services such as Have I Been Pwned to check if your data or access information has been affected by a known data theft.
- Check your creditworthiness via credit reporting agencies in your country of residence.
What can you do if you are a victim of identity theft?
- Be sure to file a criminal complaint with the police.
- Change the passwords on affected accounts and all other accounts where you used the same login credentials.
- If money has already been transferred from your account, inform your bank or lender immediately and have affected accounts and credit cards blocked.
- Immediately reverse unauthorized direct debits.
- Report identity theft to a credit bureau.
- Defend yourself against unjustified payment requests from providers, for example by using the sample letter from the consumer advice centers.