Someone Tried To Steal My Identity

You don’t understand what’s happening at first. A suspicion creeps in, but you think, “surely not, this wouldn’t happen to me?”

You make a couple of calls, pay an agency to get access to your credit rating, and there it is: A bunch of applications for bank accounts in your name that you never made. A precursor to overdrafts that someone will expect you to honor, even if the money never came to you in the first place.

It didn’t take long before I had it under control – it’s worth overreacting to this kind of thing – but I learned a few things along the way. I’d like to share the story and what I learned with you here.

Identity Theft: What to do

First of all, it’s worth saying that I got off lightly, for a couple of reasons, two of which are luck and the fact that my identity is harder to steal than some people’s by virtue of my name. I don’t want to come across as a victim here, because I’m not – I lost no money and other than some anxiety I was left unscathed.

The Story, Part One

I was walking into my home when I bumped into the downstairs neighbor, who asked when I was moving out.

I hadn’t told him I was moving out, so I asked him how he knew. He replied that a letter had come to the address, without mentioning an apartment number, addressed to “The Occupier”, and he had opened it to find a notice from the Royal Mail informing “The Occupier” that mail to my surname had been successfully redirected. Therefore he assumed I was moving out.

The thing is, I was moving out, but I hadn’t had my mail redirected yet. So I asked to see the letter, which he gave me, and I called the number at the top.

The Royal Mail immediately cancelled the redirection (to my knowledge I lost exactly one copy of The Economist), and said they’d start a fraud investigation.

The Explanation, Part One

Your identity is protected by the security put in place by every organization with which you treat. This includes your bank, your mortgage provider, your Gmail account and, as I discovered, the national mail service.

None of these organizations are supposed to allow anything to be done in your name without having taken the proper precautions to ensure that you are the person making the request.

In the case of the Royal Mail, they are supposed to check the identity of anyone asking for mail redirection. Unfortunately, in practice, they’re not as careful with this as they perhaps should be. Not only did they permit someone to redirect mail from my address, they allowed them to do it with a simplified version of my name. My name is fairly complex and occasionally, for non-legal correspondence such as loyalty programs to children’s clothing brands, I use a simpler version of it. The identity thief must have come across one of these letters and based their attempted theft upon it.

The second thing I learned is that they’re going to make it difficult for you to investigate your own identity theft. The letter I received from the Royal Mail stated that while they had cancelled the redirection and acknowledged that it was an attempt at identity theft, they would not be providing me with the information regarding the address to which my mail was being redirected unless I obtained permission from the police to receive that information in the first place.

In an ideal world, the police would automatically investigate this sort of thing. In the world in which we live, unfortunately, they do no such thing unless things get really out of hand. I wasn’t going to spend a half-day trying to get a document from the police stating they weren’t investigating and had no objection to my receiving this information, so I let it drop.

The Story, Part Two

I received another letter about a week later, from HSBC, asking me to call the branch to provide some additional information regarding the current account I was in the process of opening.

I was not opening an account with HSBC.

I tried to call their fraud line. Unfortunately, there’s no such thing. I ended up calling their customer service and fighting my way through automated prompts asking me for account numbers, user identifiers, passwords and the like, until I finally had a human being on the other end of the line. This person was able to put me through to the fraud team.

Once through, they were helpful and thorough. They cancelled the account opening request and labelled the attempt as fraud. They suggested I get a copy of my credit report to see if any other requests had been made in my name.

The Explanation, Part Two

I’m surprised that, with the amount of identity theft going around, there isn’t a clearer way to deal with it when it happens to you. I had to go through a lot of fumbling around before I got to someone who cared.

That said, once you get through to that person, things happen fast. The banks have no interest in dealing with fake persons and they lock this kind of thing down sharpish.

The problem is, when someone applied for something in your name, there’s no way for you to know they’ve done so unless you’re plugged into your credit rating. I hadn’t really paid all that much attention to my credit rating in the past. I’ve had a lot of debts over the years and I’ve always used debt in a responsible and careful way, so it’s always been paid off.

The next step was to sign up to Experian to peek behind the curtain.

The Story, Part Three

Experian is one of the credit rating agencies banks use to assess whether you’re a good risk or not.

Your Experian Credit Score is 999 out of 999

It turns out there was a good reason why it was my identity they were after. I have an excellent credit score. In fact, I have a perfect credit score.

Hurray me. My credit score is valuable and attractive to identity thieves.

Also on my credit report: Another soft credit check from a bank I’d never dealt with, so more anxiety and people to call.

On my credit rating there were now two CIFAS records. CIFAS is the organization that records when someone has attempted to steal your identity. It tells everyone else checking your credit score to be careful because you have been a victim of (attempted) identity fraud in the past.

By the time I’d finished calling the new bank on my credit report, I had a third CIFAS record. They’re still there, I just checked. In fact, I don’t think that kind of thing ever goes away.

The Explanation, Part Three

CIFAS records don’t stop you getting credit, but they make things that little bit more difficult when you want to do something that relates to your identity.

When I called the Royal Mail to ask for my mail to be redirected to my new address, I was told that the expedited procedure (filling in a form online and uploading a form of ID) was not available to me.  I had to present myself at a physical post office with two forms of address verification.

Importantly, these forms of identity verification needed to be original paper correspondence from utility companies or from my bank.

That’s positively medieval. I haven’t accepted dead trees as correspondence from any of these organizations for years. Everything I have is online. Apparently, the Royal Mail’s procedures are explicit about the need for messages tattooed onto slices of dead tree, so to redirect my mail I’d have to call the utility companies and ask for a printed bill to be sent to my old address, which I had by then vacated. I would then need to find a way to obtain these bills despite no longer having access, and then walk them over to a post office. Bummer. 

If you’ve been trying to write me letters and I haven’t acknowledged them, I wasn’t being rude, this is why. I never received them. Sorry.

I received (at my new address) a raft of letters from banks and credit rating agencies informing me that they had all been in touch with each other and that I could get free copies of my credit report by using certain codes and the like, and that they were all conducting fraud investigations. Then it all stopped and I never received anything from any of them again.

Except for Experian, who continue to monitor my credit, because I pay them and they have me flagged as high risk, or something.

In Conclusion

I was lucky my neighbor bumped into me in the hall.

Without that, the requests for additional information from the banks would have been forwarded to an unknown address where an identity thief would have tried to convince them to open accounts in my name. (S)he would then have received credit and debit cards in my name, tied to my credit rating, and would have caused me a lot of difficulties and anxiety.

I was lucky that my name was incorrectly used – had they used my full, legal name, it’s entirely possible the bank would not have needed any additional information in the first place.

For some reason, my credit rating is still 999 out of a possible 999, so this has done nothing to dent my ability to ruin my life by getting into extreme debt. I have not availed myself of this opportunity, however.

Finally: the Royal Mail need to do a better job of checking people’s identity papers (not their address, but their name), to see that the person requesting a redirection is the actual person who bears that name.

It only takes the smallest hole in a single company’s security for an identity thief to get their metaphorical crowbar into the wall that protects your identity from misuse. Once there, they can spread like a cancer through banks, correspondence, utility bills, email accounts and contracts until they’ve infested a large part of your life and they’re almost impossible to uproot. Your credit rating will be in shreds and you’ll have a bunch of difficult interactions with lending organizations on your hands.

I was quick, I was aggressive, I was smart about how I dealt with it, but above all: I was lucky.