Cybercrime Expert Insights and Tips: Q&A With Justin Feffer

You probably know cybersecurity is a marathon, not a sprint. Law enforcement officials log the big miles. Fortunately, more and more consumers are joining the race.

We talked to Sgt. Justin Feffer, a Los Angeles-based law enforcement officer and cybercrimes investigator, to bring us up to date about cyber threats and what you can do to help protect against them.

Here’s what he had to say.

5 cybercrime questions answered
What does the future of cybercrime and security look like for people afraid of having their information stolen?

Unfortunately, the future looks very similar to our present. I have 14 years of experience dedicated to combatting cybercrime. I still see the same fundamental security flaws contributing to the theft of our most sensitive data. I don’t see the situation improving.

What should internet users be aware of when it comes to protecting their online information long-term? (e.g., cloud storage, permanent email addresses, etc.)

Be sure to do the due diligence needed to pick the right solution. There is very good literature available, including white papers and reviews by researchers and journalists with proven reputations. Don’t pick a solution based upon an ad—particularly a pop-up ad!

Consult with experts who are familiar with the technology you are considering. Most importantly, make sure that the solution you pick has robust security features including multi-factor authentication.

In your opinion, what are the most common cybercrimes that are the easiest to help prevent?

Business email compromise (BEC) and hacked accounts, due to the theft of stolen passwords, are the two most common and easiest cyber-crimes to prevent.

BEC attacks involve the use of targeted emails asking the victim to wire funds for a fraudulent transaction. BEC works because the victim believes the email with the instruction is from someone with authority.

In the most typical attack, the suspect poses as the CEO of the company and sends an urgent email directing the accounts payable manager to pay an invoice via wire transfer by the end of the day. The invoice is fraudulent, and the suspect steals all of the funds sent via the wire transfer.

Businesses must adopt policies prohibiting wire transfers to unfamiliar accounts based upon emailed instructions.

Accounts are most commonly hacked by suspects who use phishing emails to trick the victims into divulging their account passwords. The password phishing attack usually attempts to induce victims to click on a link crafted by the attacker.

These attacks convey a sense of urgency—warning the victim that unless they perform the requested action they will be locked out of their account or otherwise suffer some adverse result. Victims that click on the link are taken to a website that requests their personal information including their usernames and passwords.

You should never rely solely upon a username and password to secure an account. Implement multi-factor authentication (commonly referred to as two-step verification) to secure your accounts. That way even if a password is stolen the suspect won’t be able to log into the account without access to the second factor.

Have computers made finding cybercriminals easier or more difficult? Why?

Computers and modern technology have proven a double-edged sword in the fight against crime.

Modern surveillance cameras, license plate readers, geolocation services and other technological tools have proven to be extremely helpful to law enforcement in finding criminals of all types.

On the other hand, tools such as TOR (The Onion Router), dark web marketplaces, crypto currencies, robust mobile device encryption, and encrypted communications services have created extreme challenges to law enforcement.

These types of technology can often make it impossible for law enforcement to obtain needed evidence even if they have the proper legal authority and compelling need.

For example, a suspect could have 1 million stolen credit cards on his iPhone, and even if law enforcement seizes the phone and has a search warrant to search the phone, they will not be able to access the phone unless the user provides the passcode.

This type of problem was demonstrated very dramatically in the 2015 San Bernardino Inland Regional Center terror attack when the FBI attempted to analyze the terrorist’s locked iPhone.

Do you recommend any third-party tools individuals can use to privately access the internet, transfer data, or securely delete data?

I find that the most important third-party tools include the following:

• Reputable Virtual Private Network (VPN) services allow users to safely access the Internet when working remotely from known secure networks.
• Reputable cloud-based file transfer services allow users to safely transfer files to fellow employees and colleagues.
• Reputable full disk encryption tools can be used to encrypt portable media such as USB drives to prevent data theft if the devices are lost or stolen.

McAfee expands beyond antivirus to identity theft protection!

McAfee’s core focus has been providing antivirus software to more than 375 million customers, but now the company is adding new partnerships to fuel further growth.

The company is announcing today that it is expanding into the identity theft protection market. The idea is to provide protection in the areas of the connected home, online safety for kids, privacy, and now identity theft protection. It’s a recognition that today’s threat landscape is growing in all facets of digital life.

In the wake of some massive data breaches, the McAfee Identity Theft Protection lets users take a proactive approach with personal monitoring, financial monitoring, and recovery tools. McAfee made the announcements at CES 2018, the big tech trade show in Las Vegas this week.

McAfee is also providing the security for a new D-Link Wi-Fi router that will automatically protect users’ connected home devices.

And the company is protecting Samsung Secure Wi-Fi with backend technology for Galaxy Note8 customers in Europe.

The latest products and services include McAfee Identity Theft Protection, McAfee Secure Home Platform, McAfee Safe Family, and McAfee Safe Connect. The company is partnering with a variety of hardware, software, and broadband providers to keep customers safer.

“Data breaches are increasing in volume and therefore calling into question who consumers can rely on to keep their personal information safe,” said John Giamatteo, executive vice president of consumer business group at McAfee, in a statement. “Today, McAfee is trusted by 375 million consumers worldwide to protect what matters most — whether that is their devices, their child’s online safety, or their identity and privacy. McAfee is a name synonymous with cybersecurity, one that consumers can depend on to continue to evolve and innovate to put consumer minds at ease when digital security uncertainty is high.”

People are aware of cybercrime and concerned about their own cybersecurity, but a survey released last week by McAfee reveals that most consumers aren’t as proactive about protecting themselves as they should be.

The survey found that 61 percent are more concerned about cybersecurity today than five years ago, but only 37 percent say they use an identity protection solution, and only about 33 percent say they consider protecting their identity as their No. 1 cybersecurity priority.

McAfee revealed findings from its survey, “New security priorities in an increasingly connected world,” that showed many consumers are not taking proactive steps to keep their personal information protected from identity theft.

The identity theft protection features McAfee announced today include scanning the online black market and the Dark Web and then alerting users when their personal information is at risk.

McAfee also has a Social Security Number Trace, which delivers reports of known aliases and addresses tied to a user’s Social Security number so they can review them for potentially fake identities.

The credit monitoring feature sends reports based on lending and credit history and alerts users if there are any changes to their creditworthiness. It also has dedicated agents accessible around the clock.

The new D-Link AC2600 Wi-Fi router powered by McAfee provides consumers with automated security for devices on the home network. It features adaptable machine learning, parental controls, and protection for internet of things devices (such as Wi-Fi security cameras).

Peace of Mind

Shred Shop adds layer of security with HIPAA certification
Aisling Maki

Medical identity theft is the nation’s fastest-growing form of identity theft, with about 2.3 million cases in 2014 alone, according to Consumer Reports. If an individual’s health insurance is used by someone else for doctor visits, procedures, or procuring medications and devices, the ramifications can be costly and can destroy the victim’s credit. The patient can also be denied coverage if caps are reached, for example.

The Federal Trade Commission recommends consumers keep paper and electronic copies of their medical and health insurance records in a safe place and shred outdated health insurance forms, prescriptions and physician statements.

Many individuals and health care providers alike look to document destruction and secure storage professionals like Shred Shop of Memphis, 318 Collins St., for peace of mind.

Other industries that use Shred Shop to manage confidential information include law firms, accounting firms, government agencies, schools and small businesses. Customers can watch while their documents are weighed, shredded and baled for recycling.

“We try to fill a niche that the larger companies can’t do mainly because of their size,” said Brenda Allen Huff, who founded Shred Shop, an independent and certified woman-owned business, in the fall of 2005. “It’s very hard to take care of residential and the really small jobs. It’s just not cost effective for their big trucks and all. But we have done a six-pound pickup and we’ve done a 41,000-pound pickup.”

Huff said customers appreciate watching the destruction process, but with medical identity theft on the rise, she wanted to go the extra mile for her clientele in the local health care industry. This meant becoming formally compliant with the Health Insurance Portability and Accountability Act (HIPAA) of 1996, which provides data privacy and security provisions to safeguard medical information.

“I decided it was time we get the formal certification,” Huff said. “It wasn’t that we weren’t as careful as we could be before, but this allowed us the formal training – that extra layer of security.”

Shred Shop is a member of the National Association for Information Destruction (NAID). Through her contacts there, Huff became aware of Tom Dumez of Prime Compliance – also known as “The HIPAA Man.”

Michigan-based Dumez is a certified security compliance specialist who provides consulting services to information destruction companies and their clients to help them in matters of HIPAA compliance. He usually trains companies larger than Shred Shop.

Huff was unable to locate a local trainer. Dumez’s services came with a sizeable price tag and required her to fly him from Michigan to Memphis, but Huff believed the HIPAA compliance training and certification would be beneficial for her many health care industry clients.

“It was quite a bit of money to have him come, but I think it was well worth it,” she said of Dumez, who provided a risk assessment and made suggestions for improvements to protect sensitive client information. Those suggestions include limiting exposure and fine-tuning chain-of-custody procedures.

“We’re taking anything he says seriously and trying to make those changes to reduce any risk of anything going wrong,” Huff said. “He provided the policies and procedures and he’s there – available to us to answer any questions throughout the year.”

Kelly Dobbins, president at Mid-South Drug Testing Inc., 950 Mount Moriah Road, said her company is required to store background checks for at least seven years. She relies on Shred Shop for its secure storage services and its hard drive removal and destruction services – a recent addition.

“A lot of people don’t think about their hard drives and the fact that they shouldn’t be giving their computers away to anyone unless you’ve removed that hard drive,” Huff said. “You could have all of your medical information on there, too, so it’s a dangerous thing to let a hard drive get out without being destroyed. People can make a lot of money off medical records. We’re trying to make it easier and cost effective for people to destroy that information, too.”

Dobbins, who has known Huff for about a decade, said that, as a small business owner, she prefers doing business with other local small business owners and she’s been pleased with Shred Shop’s services.

“Our documents at Mid-South Drug Testing contain confidential information,” Dobbins said. “We don’t want anyone to have access to our records, and being HIPAA compliant means the Shred Shop has taken yet another step in security. They will also be able to destroy files and hard drives in a manner that is compliant with HIPAA.”

You’re Never Too Safe from Identity Theft!

Recent data breaches underscore the importance of protecting yourself.

By Grace S. Yung

It would be difficult not to notice the growing number of data breaches affecting seemingly “secure” entities, including Anthem, Yahoo, JP Morgan Chase, and even the IRS.

While all data breaches are alarming, the recent Equifax hack—with almost half of the U.S. population affected—means the chances are good that criminals have at least some of your sensitive information.

When it comes to identity theft, one of the first questions people ask is whether they’ll be responsible for fraudulent charges.

Federal law caps your liability at $50 for unauthorized credit-card charges—and, depending on your card issuer, you may not be responsible for anything.

For debit/ATM cards, the amount of liability depends on how quickly you report the theft. If you report the card being lost or stolen within the first two days, you may only be responsible for $50. However, if you wait up to 60 days, you could find yourself responsible for $500—and if you wait more than 60 days, there is no limit to your liability. With that in mind, be sure to check your credit- and debit-card statements and report any evidence of fraud immediately.

After reporting suspected fraud, it is also important to place a fraud alert on your credit reports by contacting one of the three major bureaus—Equifax, Experian, or TransUnion. This is basically a “red flag” notifying creditors and lenders that they need to take additional steps to verify your identity before extending any credit. An initial fraud alert is free, and will remain in place for 90 days.

If your Social Security number has been compromised, be sure to contact the Social Security Administration. Even if the perpetrators haven’t moved forward with any activity, they could be planning to file a fraudulent tax return in the future.

Finally, if you become a victim of identity theft, you should file a report at your local police station.

In terms of proactive measures, identity-theft insurance can be a good way to monitor your credit and accounts, as well as to restore your identity and mitigate financial damage if you become a victim. With most plans, the legal fees and other expenses directly associated with reclaiming your identity will be covered. Other common coverage includes lost wages due to time taken off from work to deal with identity theft.

The main carriers of identity-theft coverage include LifeLock, Privacy Guard, ID Shield (an affiliate of Legal Shield), ProtectMyID, and ironically, Equifax. Because coverage varies greatly, it’s recommended that you look at several options.

Although there is no way to guarantee protection from identity theft, there are several other steps you can take to prevent it, including:

• Changing your email and account passwords frequently;

• Having a two-step login/authentication on your email and other online accounts;

• Creating passcodes and adding emergency contact info to your mobile devices;

• Having a special email account for banking and other financial information;

• Changing the default settings on your Internet router;

• Installing a virtual private network (VPN) on your tablet, laptop, and/or other devices that you use in public places;

• Running anti-virus software on all devices;

• Not opening emails or clicking on links unless you recognize the sender;

• Having email and/or text alerts set up for your financial and credit-card transactions;

• Maintaining strong privacy settings on social-media accounts, and not posting your home address or information about when you are on vacation;

• Making sure that you back up all data on your devices in two places—a physical, external hard drive, and in the cloud;

• Putting a security freeze on your credit files with the three major credit bureaus;

• Regularly checking your children’s Social Security numbers to ensure no one is using them;

• Setting up automatic updates for your online programs and apps.

To learn more about protecting yourself from the growing threat of identity theft, talk with a professional who can provide you with guidance and resources. It can be well worth it to put protective measures in place, because when it comes to your personal information, you can never be “too safe.”

This article appears in the November 2017 edition of OutSmart Magazine.

A Warning About Your Boarding Pass!

You should be very careful with your boarding passes for flights. The bar code on the pass can be used by identity thieves to obtain your personal and frequent flyer account information. Retain your boarding passes until you are in a position to shred or otherwise completely destroy them.

What Do You Know About Wire Fraud?

What is wire fraud?

Wire fraud is an act of fraud that uses electronic communications, such as making false representations on the telephone or via email, to obtain money.

How does wire fraud work?

Wire fraud occurs when a fraudster obtains money based on false representation or promises.

For example, you may receive wire instructions which appear to be from the settlement agent or attorney, when in fact they are from a fraudster.

Recommended precautions to protect yourself from wire/ACH fraud:

⇒  Do not share your online banking logon credentials (user ID and password) with anyone.

⇒  Do not share your account number with anyone who does not need it.

⇒  Never access your bank account using a public computer (e.g., at the library or a hotel business office).

⇒  Monitor your accounts regularly for unauthorized transactions. Report any unauthorized transactions to your bank immediately.

⇒  Be suspicious of emails from free, public email account domains as they are often a source of risk.

⇒  Watch out for phishing emails with embedded links, even when they appear to come from a trusted source.

⇒  Install a firewall on your computer to prevent unauthorized access.

⇒  Be skeptical of any change in wiring instructions.

⇒  Confirm wire and other disbursement instructions received by email by telephone, using a known or independently confirmed number, not the telephone number at the bottom of the email.

GAO Finds Identity Theft Services Limited in Fraud Prevention!

ID Theft Resolutions,Ltd
Call: 1-888-484-9118


Following the 2015 OPM data breaches, GAO found that identity theft services offer certain benefits but are also limited in what they can prevent.

April 03, 2017 – Identity theft services offer several benefits to organizations and individuals, but there are limitations in fraud prevention and other identity protection services, according to a recent Government Accountability Office (GAO) report.

Medical identity theft and tax refund fraud are also not always specifically addressed in identity theft services, GAO explained.

With regard to the two Office of Personnel Management (OPM) data breaches from 2015, GAO stated that the level of insurance coverage provided was “likely unnecessary because claims paid rarely exceed a few thousand dollars.”

OPM announced on June 4, 2015 that it had been the victim of a cyber attack. The agency then reported one month later that a significantly greater number of individuals were affected by a “separate but related” cybersecurity breach.

Approximately 21.5 million individuals were affected, with some of the compromised information including “identification details such as Social Security Numbers, residency and educational history, employment history, information about immediate family and other personal acquaintances, health, criminal and financial history.”

“Millions of individuals, through no fault of their own, had their personal information stolen and we’re committed to standing by them, supporting them, and protecting them against further victimization,” Acting Director of the Office of Personnel Management Beth Cobert said in a statement. “And as someone whose own information was stolen, I completely understand the concern and frustration people are feeling.”

GAO stated in its report that OPM provided duplicative identity theft services for about 3.6 million people affected by both of its 2015 breaches.

“Contrary to key operational practices previously identified by GAO, OPM’s data-breach-response policy does not include criteria or procedures for determining when to offer identity theft services, and OPM has not always documented how it chose to offer them in response to past breaches, which could hinder informed decision making in the future,” GAO wrote.

“In the private sector, companies often offer consumers affected by a data breach complimentary identity theft services for reasons other than mitigating the risk of identity theft, such as avoiding liability or complying with state law.”

Identity theft services typically include one or more areas of assistance, such as credit monitoring, identity monitoring, and identity restoration, GAO explained. Medical identity theft, identity theft refund fraud, and certain other threats involving stolen personal information are generally not included.

“Evaluation and analysis of these services by both federal and private-sector entities is limited and tends to focus on outputs (such as contractor performance) rather than outcomes (such as reduction of harm from identity theft),” the report noted.

Out of the 26 identity theft services that GAO reviewed, the agency stated that only one “expressly addressed” medical identity theft.

“That product works with the explanation-of-benefits delivery system of the user’s health insurer to alert the user every time a claim is made against the user’s health plan benefits,” the report said. “Users can flag a claim as suspicious if, for example, they do not recognize the procedure or health care provider, and the company then will investigate the claim.”

Additionally, the service is offered as a benefit by health insurers to their members instead of offered directly to consumers.

OPM did not provide many details to GAO on what types of services it offered following the 2015 breaches.

“The current officials told us that they could not find any formal documentation related to the decision to offer identity theft services or the process leading up to this decision,” GAO wrote. “The agency was able to identify a document comparing past public- and private-sector entities’ responses to breaches that may have been considered when determining which services OPM should offer after the second data breach (of background investigation records).”

OPM has previously been investigated for its large data breaches, with reports finding that certain preventative measures could have helped to potentially prevent the incidents.

Toward the end of 2016, an OIG report found that a failure to prioritize cybersecurity and adequately secure high value data helped contribute to the data breaches taking place.

Additionally, the OPM Inspector General (IG) warned the agency as early as 2005 that the information it maintained was potentially vulnerable to hackers.

OPM had an “absence of an effective managerial structure to implement reliable IT security policies,” and also “failed to implement the Office of Management and Budget’s (OMB) longstanding requirement to use multi-factor authentication for employees and contractors who log on to the network.”


Former IRS agent in ABQ admits ID theft


By ABQJournal News Staff

Tuesday, March 14th, 2017 at 10:31am

ALBUQUERQUE, N.M. — Former IRS agent Joan D. Mobley, 54, of Socorro pled guilty this week in Albuquerque to a false statement charge and two aggravated identity theft charges in connection with faking the completion of taxpayer audits and falsely signing documents of taxpayers claiming they agreed to pay additional taxes.

Mobley faces up to five years in prison on the false statements charge and a mandatory two-year term on each aggravated identity theft charge that must be served consecutive to any sentence on the false statements charge, the U.S. Attorney’s Office said in a news release.

Under the terms of her plea deal, Mobley is required to pay restitution to the IRS in the amount of $39,738.32. The release did not specify how Mobley benefited from her acts.

Mobley began working for the IRS in 1986 and was a revenue agent at the IRS office in Albuquerque at the time she committed the crimes to which she pleaded guilty.

A federal grand jury filed a 28-count indictment in 2014 charging Mobley with 14 counts of making false statements and 14 counts of aggravated identity theft.

Mobley falsely stated and represented to the IRS that certain taxpayers either had consented to extending the time for assessing employment taxes or agreed to the collection and assessment of additional taxes, according to the indictment.

Mobley acknowledged in court that, instead of completing an audit as required, she falsified records to show it was completed. Mobley also acknowledged signing the name of the business’s president on the records.

The guilty plea was announced by Acting U.S. Attorney James D. Tierney and Cordale Lamb of the Denver Field Division of the Treasury Inspector General for Tax Administration.

IRS’ Most Wanted: 5 Tax Scams to Watch Out For This Year


The IRS released its annual list of most wanted tax scams. Being educated on these will help keep you from getting ripped off.

Danny Vena (TMFLifeIsGood) Mar 4, 2017 at 6:07PM
Each year in early February, to coincide with the beginning of tax season, the IRS compiles a list of the most common scams that taxpayers may fall victim to. While you may encounter these at any time during the year, occurrences tend to spike during filing season.

There are many fraudsters out there who would rather take your hard-earned money than make their own. A little caution and skepticism will go a long way toward ensuring they don’t. Read on to learn the scams the IRS wants you to look out for this tax season.


1. Phishing schemes
Phishing schemes typically involve an email you receive that appears to be from a bank, credit card provider, or other company that you do business with. Be on your guard, as it may be from a scammer. These emails often look all too real, and they ask you to go to some website and update your personal information. The scammers will then use that information — whether it’s your Social Security number, your online passwords, or your bank account information — to defraud you. Be especially wary of any email that claims to be from the IRS, as the agency typically communicates with taxpayers by mail. Never provide your personal information unless you are absolutely sure who you’re dealing with.

2. Phone scams
A variation on phishing schemes, these scams involve a phone call that you receive from someone posing as an IRS agent. They may be aggressive or threatening, demanding that you pay some fictitious tax bill by sending cash, making a wire transfer, or providing a credit card number. They will try to intimidate you, threatening you with arrest, deportation, or the loss of your driver’s license. The IRS almost always communicates with taxpayers by mail, and it will never, ever ask for payment over the phone. If you receive one of these calls, hang up!

3. Identity theft
Identity theft involves an unauthorized person using your information for their own financial gain. Around tax filing season, crooks will try to obtain your Social Security number and other information using some other scam or hack. They will then file a phony tax return in your name in order to steal your refund. The IRS has partnered with state tax agencies and those in the tax preparation industry to enact safeguards to prevent this fraud. There are signs of progress, as the number of complaints involving stolen identities on tax returns fell by 50% compared to the prior year. Guarding your Social Security number from unauthorized use is the most effective prevention. The IRS provides these recommendations to protect your personal data: “Don’t routinely carry a Social Security card, and make sure tax records are secure. Treat personal information like cash; don’t leave it lying around.”

4. Return preparer fraud
This is the tax preparer equivalent of offering to sell you a discounted Rolex in an alley. The majority of CPAs and other tax preparers are honest, hard-working folks just trying to make a living. However, there are perpetrators out there who hang out a phony shingle every tax season to prey on unsuspecting tax filers. Additionally, there are those tax preparers who mean well but aren’t qualified.

There are a few ways to protect yourself. Always ask the preparer if they have an IRS Preparer Tax Identification Number (PTIN), which they are required to obtain from the IRS. You can also check their credentials using the IRS Directory of Federal Tax Return Preparers with Credentials and Select Qualifications. Be sure to ask to e-file and never sign a blank return — this is the tax return equivalent of signing a blank check. Once your signature is on the document, a dishonest preparer could divert your refund to their own account, and you’d never know. Review your return thoroughly, ask questions about anything that is unclear, and be sure to sign it when you are done.

5. Fake charities
Americans love to support worthy causes they believe in. The problem is that some aren’t so worthy. There are fake charities out there that prey on human kindness by taking in donations but never doing a bit of charitable work. They sometimes have names remarkably similar to those of real charities, and they frequently set up shop immediately after natural disasters and solicit donations from unsuspecting people who are trying to help. They may also call you or show up at your front door. You wouldn’t hand your wallet to a stranger on the street, so never make donations in person or over the phone to someone you don’t know. Don’t give your credit card number or bank information unless you initiate the call, and never give out passwords. Reputable charities can be confirmed by using the IRS Select Check search tool of tax-exempt charities.

Taxpayer takeaway
Be on the lookout, not only when filing your tax return, but throughout the year. As scammers get more and more creative, educating yourself is one way to be sure you don’t become a victim. It has been said that nothing is certain but death and taxes. You can be equally sure that scammers will be happy to relieve you of some of your hard-earned cash if you let them. Being vigilant and playing by the rules is key to preventing financial insecurity.


SSA Putting Millions of Americans at Risk

By: Elizabeth Harrington
The Washington Free Beacon

The Social Security Administration puts millions of Americans at risk for identity theft by putting their full Social Security Numbers on letters sent in the mail.

The agency’s inspector general released an audit this week warning the government that by sending hundreds of millions of letters containing individuals’ Social Security Numbers it puts them at risk for identity theft.

“According to [the Social Security Administration] SSA, in 2015, it mailed about 233 million notices that included individuals’ full SSN,” the inspector general said. “We recognize SSA’s efforts can never eliminate the potential that dishonest individuals may inappropriately acquire and misuse SSNs. However, our audit and investigative work have shown that the more SSNs are unnecessarily used, the higher the probability that they could be used inappropriately.”

“The security of beneficiaries’ [Personally Identifiable Information] PII should be foremost, and as a Federal agency and public servant, we believe SSA should be in the forefront of establishing policy and practice by limiting SSN use and disclosure,” the audit said.

Sixty-six percent of the 352 million notices the agency sent out last year contained Americans’ full Social Security Numbers, and the government said it has no idea how many never made it to the correct address.

“While it is unknown how many of the intended addressees received these notices, our audit work has shown that the addresses in SSA’s records can be inaccurate,” the inspector general said.

“We asked SSA whether it maintained any estimates on the number of mailings that were returned as undeliverable. SSA stated that it did not have any Agency-level number on undeliverable mail,” they said. “SSA could not provide us an estimate of the number of notices with SSNs it mails annually that do not reach the intended recipients and are not returned to SSA.”

The inspector general warned that notices sent to the wrong address can increase identity theft, as it can give strangers access to vital personal information. “Notices intercepted by unintended recipients could provide SSA beneficiaries’ names, addresses, and SSNs to individuals other than the numberholders,” they said.

Auditors said they do not currently have documented proof of identity theft that has occurred as a result of agency letters going to the wrong address, though the agency acknowledged “there is a risk of identity theft anytime it sends correspondence that contains PII.”

The inspector general said identity theft is “one of the fastest-growing crimes” in the country.

“With a stolen SSN, identity thieves can commit any number of financial crimes in the victim’s name or steal money from the victim,” the audit said. “If the victim is a senior citizen, the thief could even target their Social Security benefits.”

“SSA acknowledges that identity thieves may obtain another’s personal information by stealing their mail or rummaging through their trash,” the inspector general concluded. “It is, therefore, troubling that SSA continues including the full SSN on the majority of its mailings.”