Amy Wang and her husband spent hundreds of hours trying to straighten out their financial futures after falling prey to identity theft. Now she wants other would-be victims to learn from her experience.
Amy, a 50-year-old occupational therapist in Miami, says she and her husband, Michael Wang, started receiving credit-card denials and store credit cards in the mail in December of 2015. Eventually, they received actual bills from Macy’s M, -4.18% and Bloomingdale’s totaling north of $25,000.
The shoppers had expensive taste, Amy said, opting for luxuries like diamond earrings, Gucci and Armani. They made many of these purchases locally, she added — “within a county or two from here” and at most 100 miles away.
“It seemed like every day we’d get one … and another one, and another one, and another one,” Amy told MarketWatch of the fraudulent correspondence. “It was like Whac-a-Mole.”
The Wangs, to their dismay, had joined the millions of Americans whose identities are stolen and exploited every year.
About 14.4 million people were victims of identity fraud in 2018, according to Javelin Strategy & Research, a decline from 2017’s 16.7 million and a reversal from three consecutive years of fraud-rate increases. While that decline was driven by a reduction in card fraud, Javelin said, there was a “resurgence of higher-impact fraud types such as new account fraud, account takeover, and misuse of non-card accounts.”
Things got even worse for the Wangs. In January 2016, the couple received a U.S. Postal Service change-of-address form in the mail. But the form didn’t specify their supposed new address, Amy said. She called the postal service that day to try to rectify the address mistake, and only paid a visit to the post office two weeks later at the urging of her concerned mailman.
Post-office officials advised her to contact the Federal Trade Commission and the nonprofit Identity Theft Resource Center (ITRC), Amy said. The couple also filed a police report, which would come in handy when disputing fraudulent credit-card charges, she said.
The family stopped receiving mail for several weeks. Meanwhile, a veritable “windfall” of sensitive documents sent during the beginning of the year — W2s, bank statements, tax forms, and information on college-savings and retirement funds linked to their three teenage children — was ostensibly routed to an unknown address, Amy said.
It took nearly two months for the Wangs’ regular mail cycle to resume, she said, but the thieves “accessed so much” in that time. “It was so shocking, because it cost nothing for them to do that — it was [potentially] a very low-tech way to attack people and access a lot of very valuable information,” she said.
Thanks to a forwarding address printed on bank correspondence and some help from the local post office, she later discovered their mail was traveling to a low-income housing complex about five miles away from their home, though she was unable to narrow the address down to one of the dozens of units. Amy would describe at a 2017 FTC conference how “quick and easy” it was to change a person’s address without much personal information.
Reached for comment about the Wangs’ case, U.S. Postal Service spokesman David Partenheimer declined to comment on matters regarding individual customers. But the postal service “continues to work on balancing the public need for a simple, efficient and accessible platform to handle millions of change of addresses each year with the important requirement of enhanced security protocols,” he told MarketWatch in a statement.
“As part of this process, the Postal Service requires its customers to show proper identification (ID) to change their address and when applying for other services at Post Offices,” Partenheimer said. “The Postal Service will accept certain U.S. State or federal government IDs, U.S. or foreign passports, matricula consular (Mexico), or NEXUS (Canada). Additionally, a copy of the change of address request is sent to both the old and new address.”
The Wangs froze their credit with the three major credit bureaus and successfully disputed the fraudulent charges from the thieves’ five-figure shopping spree. They received an IRS Identity Protection PIN (IP PIN), which would prevent impostors from filing tax returns using their Social Security numbers, and changed passwords and account numbers associated with all of their bank accounts.
But since they weren’t receiving their legitimate credit-card and utility bills during the mail stoppage, they still racked up between $300 and $500 in late fees, not all of which they were able to extinguish. What’s more, Amy said, they spent a collective 200 to 300 hours working to resolve the fraud — “not to mention nights not being able to sleep.”
In what Amy calls a “double whammy,” the ordeal also resulted in costs associated with rental properties she managed and was rehabbing at the time. The credit freeze required her to pass an authentication process in order to have utilities turned on at those properties — a process she would fail, she said, because of the amount of erroneous information now associated with her identity. She wound up having to send home workers she had hired — meaning lost wages for them — and forgo days’ worth of rent money, she said.
The effects of identity fraud stretch well beyond the financial realm, Amy said; the couple took substantial hits to their time, productivity and emotional and psychological well-being. “It seems like a nameless, faceless thing, but it really hurts people,” she said. “It causes distress. And for people who financially wouldn’t be able to afford it … it would be far more detrimental.”
About three in four victims who responded to a 2017 ITRC survey reported that the misuse or attempted misuse of their personal information had been “severely distressing.” Many respondents said they’d felt rage or anger, fear over their financial security, or a sense of helplessness or powerlessness.
Amy has a few theories as to how fraudsters could have infiltrated her family’s sensitive information: For starters, she said, a generic letter from Wells Fargo WFC, +0.73% about 18 months earlier had informed them that a now-former employee had sold some of their personal information to a third party. And her husband, who works at a large hospital, had several coworkers hit by credit-card fraud in a pattern they speculated could be due to a potential HR data breach.
Today, Amy says, she and Michael still fear what bad actors could do with their compromised personal information — particularly that of their kids, who are aged 15, 17 and 19. She likens the thieves to “sleeper cells” lying in wait.
“We don’t know at what point they can pop back up and use this information against them, especially when they become adults,” she said. (Her 19-year-old hasn’t run into any issues so far, she added.) “We always have this identity-theft PTSD: ‘Oh no, it’s starting again; it’s starting again. We’re not getting our mail.’”
Amy believes she was “very naive” when this trouble started and didn’t act quickly enough. She urges people to look out for warning signs of identity fraud and follow up immediately on any suspicious communications they receive. If you are targeted, she added, keep a detailed record of calls made and steps taken in an identity-fraud “file.” File a police report, she added.
Partenheimer also encouraged customers to monitor their mail receipt by subscribing to the postal service’s free “Informed Delivery” notification feature, and to report any suspicious activity or non-receipt of mail over a couple days to their local post office or the agency’s tech-support line.
“Listen; pay attention,” Amy said. “Know what’s going on so you don’t become a victim.”