Multi-State Fraud Crew Is Indicted: Learning Prevention Tactics From The Bad Guys

May 30, 2023

The U.S. Attorney's Office for the Southern District of New York has charged seven people with committing an identity theft and fraud scheme that resulted in the loss of more than one million dollars from multiple victims.

Investigators from the U.S. Attorney's office, the United States Postal Inspection Service, the Treasury Inspector General for Tax Administration, the U.S. Customs and Border Protection, and Homeland Security Investigations ("HSI") announced the arrest of six of seven defendants in Georgia, Florida, and Illinois. One defendant remains at large.

Investigators allege that the fraud "crew" developed a sophisticated scheme to steal money from victims' bank accounts. The defendants allegedly used stolen victims' identities, hijacked their bank accounts and cellphones, impersonated them at bank branches throughout the country, and drained their accounts.

The HSI noted that as technology has advanced and become part of our everyday lives, criminals too have evolved with the times. Instances of internet-based identity theft are on the rise.

The defendants stole or bought previously-stolen personally identifiable and financial information belonging to victims, such as names, dates of birth, home addresses, social security numbers, driver's license numbers, and bank account information, which sometimes included passwords, and phone numbers. This information was then used to forge identification documents, such as a counterfeit driver's license, which were then used to log into victims' online banking profiles, create new accounts in a victim's name at the banks, and transfer funds from a victim's existing accounts to those created by the group.

To circumvent two-factor authentication, the defendants would take over the victim's phone number through a "SIM swap" fraud. This was done either by tricking the victim's cellphone service provider to switch service for the victim's cellphone number to a SIM card or cellphone controlled by the defendants or by impersonating the victim and claiming that the victim's existing cellphone had been lost. In some cases, they enlisted the assistance of corrupt cellphone store employees who would agree to process the SIM swap in exchange for payment. "Seven Defendants Charged With Million-Dollar Identity Theft And Fraud Scheme" www.justice.gov (Feb. 16, 2023).

Commentary

In this case, many lessons can be learned by examining the tactics used by the thieves to commit their crimes.

First, the personal information stolen may have been sold and resold many times over from the first time it was stolen. Thus, vigilance over your sensitive personal and financial data must be practiced forever.

Second, using stolen passwords suggests some victims either did not regularly change their passwords, used the same password for multiple accounts, or used easy-to-guess or easy-to-break passwords. Using a password manager to generate complex, unbreakable passwords for each account, and changing those passwords at least once per year will make it harder for criminals to steal your money if your data is stolen or leaked.

Next, set up a PIN code for your cell phone service provider that must be used before any transfers, activity, or replacement can be done on the account. Keeping your phone locked at all times, except when in use, can also keep thieves from using your phone to circumvent two-factor authentication in the event your phone is lost or stolen.

Strongly consider signing up with the many credit card companies, credit reporting agencies, or third-party providers of that provide alerts if your personal information is found on the dark web. Although you cannot retrieve stolen information, you can make it harder for cybercriminals to get any use of it. Knowledge is power in these cases. Do not wait until you are victimized before knowing what of yours is out on the web.

Finally, your opinion is important to us. Please complete the opinion survey: