Your name, social security number, address, date of birth, driver’s license number. Vital pieces of information that create your identity. Combined, they make you who you are to others. You need them to identify yourself when you go to work or school, apply for credit cards and bank accounts, or get a passport or ID. They’re essentially your keys to the world.
Without them, who would you be? How would you prove who you are to the world?
Dave Crouse was forced to face that reality.
“I have no identity,” said fifty-six-year-old Crouse in an interview with MarketWatch. “I have no legacy. My identity is public knowledge and even though it’s ruined, they’re still using it.”
In six short months, the criminals had slowly but surely charged over $900,000 to his debit card. He fought tirelessly against the attacks and attempted to salvage his finances. However, ultimately, he wasted almost $100,000 in his attempts to regain his identity, and he drained his retirement and savings accounts in the process. Even his once stellar credit score, formally a 780, had plummeted.
Crouse was a favorable target for a cybercriminal. He was a frequent online shopper, and he did the majority of his banking online. He would frequently use his debit card during his online shopping sprees without using any additional protection measures such as PayPal. One of his favorite pastimes was downloading songs from file-sharing websites, which are notoriously riddled with malware.
The first suspicious activity on his account occurred in February of 2009. However, Crouse dismissed the charges since they were for relatively small amounts of money, only $37 and $17.98.
Crouse was financially secure, and at the time, he had a job in the construction industry making $180,000 a year. The account he did most of his spending out of typically had around $30,000 in it at any given time.
In March, he was laid off from his job. This sudden change of events caused his $2,300 a week income to shrink to $780 biweekly unemployment checks.
Unfortunately for Crouse things really took a turn for the worse in August. “All of a sudden it really got bad,” he recounts. “In August the charges hit big time—$600, $500, $100, $200—all adding up from $2,800 to $3,200 in one day.”
Once he discovered the fraudulent charges, Crouse immediately contacted his bank and began the long process of filling out affidavits, forms swearing he was not responsible for the charges on his account. He says he filled out about twenty affidavits, and one day he filled one out concerning a charge and the following day the bank accepted similar charges nearing $4,000.
“At that point I was going to the bank every day and looking at everything,” he said.
Even after he closed his debit account at that bank, his other accounts were still getting drained daily. Crouse then decided to go to a new bank and open a new account, hoping his information would be safe there. The following day both accounts, the new and old one, were fraudulently charged for $1,100.
Crouse felt defeated.
His new bank explained to him that he was very likely a victim of a cybercrime. His bank advised him it was likely a malicious program that had been installed on his computer without his knowledge while he was visiting one of the file sharing sites he frequented. They theorized he was a victim of was what is called “keystroke malware.”
If this was the case, the cyberattacker was tracking every key he struck on his computer—from his passwords to his banking information—and that’s how they picked up all his personal information.
Malicious software, or malware, such as keystroke malware is often not a targeted attack. When this type of malware is created, it is created to produce as much impact or financial gain as possible with as little effort as possible. It is sent to as many people as possible, so it is given a greater chance of giving the attacker a return on his investment.
It’s also possible that Crouse’s information was being sold on the dark web. He reported that people in multiple locations in Florida; Brooklyn, NY; and North Carolina were using his identity to make purchases.
It’s common for cybercriminals to sell personal information on the dark web for as little one dollar for a social security number. Prospective criminals can also buy what’s known as a ‘“Fullz,” a full package of someone’s personal information (including the victim’s full name, social security number, birthdate, account numbers, and other sensitive information) for about thirty dollars.
“It was nasty,” he said, admitting he even contemplated suicide. “I just couldn’t take it. I didn’t feel like a man anymore. I was violated, and I didn’t know what to do.”
His identity—Social Security number, address, phone numbers, name, even his old information—is still being used in attempts to open new credit cards and bank accounts.
You might believe that Crouse’s case is an outlier, but unfortunately, you would be mistaken. His case is much more common than you may think.
The Internet Crime Control Center (IC3)—the FBI’s department for cybercrime reports and investigations—reported that in 2019 alone there were 68,649 victims of personal data breaches, identity theft, and credit card fraud, and they lost a total of $391,899,453.
Over the next several weeks, I’m going to be sharing excerpts and stories from my book, Cyber Curiosity: A Beginner’s Guide to Cybersecurity – How to Protect Yourself in the Modern World in this article series. Here is the link to get your copy on Amazon! The eBook is 0.99 cents only for the month of May, so get your digital copy today and start reading immediately.
If you want to take your first step to being cyberaware, please subscribe to my weekly Cyber Curiosity Newsletter to get industry news, my articles, and more.