The U.S. Attorney's Office for the Southern District of New York has charged seven people with committing an identity theft and fraud scheme that resulted in the loss of more than a million dollars taken from multiple victims.

Investigators from the U.S. Attorney's office, the United States Postal Inspection Service, the Treasury Inspector General for Tax Administration, the U.S. Customs and Border Protection, and Homeland Security Investigations ("HSI") announced the arrest of six of seven defendants in Georgia, Florida, and Illinois. One defendant remains at large.

It is alleged the fraud "crew" developed a sophisticated scheme to steal money from victims' bank accounts. The defendants allegedly used stolen victims' identities, hijacked their bank accounts and cellphones, impersonated them at bank branches throughout the country, and drained their accounts.

The HSI noted that as technology has advanced and become part of our everyday lives, criminals too have evolved with the times. Instances of internet-based identity theft are on the rise.

The defendants stole or bought previously-stolen personally identifiable and financial information belonging to victims, such as names, dates of birth, home addresses, social security numbers, driver's license numbers, and bank account information, which sometimes included passwords, and phone numbers. This information was then used to forge identification documents, such as a counterfeit driver's license, which were then used to log into victims' online banking profiles, create new accounts in a victim's name at the banks, and transfer funds from a victim's existing accounts to those created by the defendants.

To circumvent two-factor authentication, the defendants would take over the victim's phone number through an alleged "SIM swap" fraud. This was done either by tricking the victim's cellphone service provider to switch service for the victim's cellphone number to a SIM card or cellphone controlled by the defendants or by impersonating the victim and claiming that the victim's existing cellphone had been lost. In some cases, the defendants enlisted the assistance of corrupt cellphone store employees who would agree to process the SIM swap in exchange for payment. "Seven Defendants Charged With Million-Dollar Identity Theft And Fraud Scheme" www.justice.gov (Feb. 16, 2023).

Commentary

The above matter consisted of several forms of theft and fraud:

Stolen passwords: The defendants allegedly used stolen passwords. This suggests some victims either did not regularly change their passwords; used the same password for multiple accounts; or used easy-to-guess or easy-to-break passwords. Using a password manager to generate complex, unbreakable passwords for each account, and changing those passwords at least once per year will make it harder for criminals to get access to funds or information.

Cell phone service transfer: Prevent cell phone service transfers by setting up a PIN code for your cell phone service provider that must be used before any transfers, activity, or replacement can be done on the account.

Also, keeping mobile devices locked at all times, except when in use, can also keep thieves from using a device to circumvent two-factor authentication in the event a device is lost or stolen. If a device used for work is lost or stolen, immediately notify your employer and/or your service provider.