By Jerri-Lynn Scofield, who has worked as a securities lawyer and a derivatives trader. She now spends much of her time in Asia and is currently working on a book about textile artisans.
Cybersecurity has been much in the news this month, as Equifax and the Securities and Exchange Commission (SEC) have both been hacked, victims of scams.
To recap: Equifax announced that a hack had compromised the data of more than 140 million consumers, while the Securities and Exchange Commission (SEC) has admitted to acting as an inadvertent tipper of insider information illicitly obtained from its EDGAR filing system. (See Yves here on Equifax, and my post yesterday here for the SEC.)
So one can be forgiven for thinking of the internet as a major if not the sole locus of today’s scams problem.
The Wall Street Journal yesterday ran a jaunty– albeit a bit hair-raising– interview with Frank Abagnale Jr.– the subject of the biopic 2002 Catch Me if You Can, ‘Catch Me if You Can’ Scam Artist Has a Warning for Today’s Consumers that says it ain’t so.
Once a top class scam artist– successfully posing as pilot, doctor, and lawyer– before getting caught, doing five years’ time– Abagnale and has subsequently spent the last forty years as a security consultant, advising the FBI and others on ways to avoid and counteract scams, particularly those involving cybercrime, fraud, and identity theft.
I realize that the interview is paywalled, and for those who don’t have a WSJ subscription, it’s probably too late to buy a copy of yesterday’s paper.
So I’m going to share with you a few of Abagnale’s thoughts, and some more of my own.
Technology Only Makes Scams Easier– and They’re Not All Confined to the Internet
Abagnale’s first big point– which may seem a bit obvious but is the basis for some of his other observations so I include it here:
…I always tell people what I did 50 years ago as a teenager is now 4,000 times easier to do today than when I did it. Technology breeds crime—it always has and it always will. There’s always going to be people willing to use technology in a negative, self-serving way. So today it’s much easier, whether it’s forging checks or getting information. People go on Facebook and tell you what car they drive, their mother’s name, their wife’s maiden name, children’s name, where they’re going on vacation, where they’ve been on vacation. There’s nothing you can’t research in a matter of a couple of minutes and find out about someone.
For me, this seems yet another reason not to use Facebook– or at least, be very careful about what one shares there. (An added benefit of turning our collective backs on Facebook might be that Mark Zuckerberg might go away, away, away, and never return, and in the process, give up his dream of becoming El Presidente.)
But I digress. Once someone has your personal information, that scammer can pull off what Abagnale calls the grandparents scam– and as an ambassador to the Fraud Watch Network of the American Association of Retired People (AARP), I presume he has first-hand experience with some of its victims:
They go on Facebook and they see who the grandparents are, they see who the grandson is dating. The typical call will come in on your caller ID as, for example, the NYPD. You see the police department is calling, because they can easily manipulate the software that controls caller ID. You pick up the phone, the guy says, “This is so-and-so at the New York City Police Department, and we have arrested your grandson this evening and he was driving while intoxicated. He needs to post bail in the next two hours or he will have to spend the weekend in jail.” You wouldn’t believe how many millions of grandparents fall for that, until you explain the scam to them.
Note that the internet is used to source the information necessary to make this scam work, but the rest of the operation doesn’t involve cyberspace at all.
What Abagnale doesn’t mention– but to which I will draw out the obvious connection– is how the Equifax hack is going to make similar financial scams easier, by putting so much information, such as that people often reveal unwittingly on Facebook– wrapped in a neat bow, in the hands of people who can deploy it to con people into turning over more details. So, if someone calls, claiming to be from Equifax and needing to verify information– beware. This may be some variation on the grandparents scam.
One way to protect yourself somewhat from some of the consequences of the Equifax hack that cannot be mentioned too frequently, as this Wolf Richter crosspost describes, Wolf Richter: Worst US Consumer Data Hack Ever? Equifax Confesses, is to impose a “security freeze” on one’s credit record with each of the three major credit bureaus:
A security freeze (aka “credit freeze”) will prevent the credit bureaus from selling your data to anyone. It will not prevent hackers from stealing that info, but it will make it very difficult for them – or for those who buy that data from them – to use this data to open credit accounts in your name and steal your identity. If they submit your data to a credit card company to apply in your name for a credit card, the credit card company checks with credit bureaus to confirm this information and review your credit. But since there is a credit freeze on your account, Equifax cannot disclose that information, and the credit card company will not open an account in your name.
Note: Even if you try to open a new bank account or credit account, you will not be able to, unless you first remove the credit freeze. Credit freezes do not impact current banking and credit relationships; they continue as normal.
Credit bureaus are required by law to provide this service, otherwise they wouldn’t. They hate it. Selling your data is how they get revenues. Locking this data eliminates those revenues. But it’s the most effective way to protect yourself.
Check Forging Now Made Easier
Now, something I found particularly worrying and learned from this Abagnale interview is how much easier it now is to forge checks– compared to when Abagnale began his scam career. By that I mean someone recreating a bogus form of your personal check, and then writing against your account.
Note that staying offline doesn’t protect you from this check forging risk– this is not a risk created by the invention of the internet and cyberspace:
Think about this: You go into a convenience store today and write a check for $9. You have to hand the clerk the check with your name and address, phone number, your bank’s name and address, your account number at your bank, the routing number into your account. That’s your wiring instructions. Your signature that’s on the signature card at your bank. And then the clerk has written down your state driver’s license number on the front and your date of birth. You don’t get the check back. You can get an image of the check; the physical check goes to [the store’s] warehouse, where eventually, six months from now, they will destroy it.
In the meantime, anyone who would see the face of that check—from the clerk who took it at the counter to the one that made the night deposit—could draft on your bank account tomorrow, would have all the drafting instructions. Or they could go online [and order checks] that look exactly like your checks, but put their name on it and put your account number on it. So every check they write gets debited against your account. It’s so simple to do.
It’s amazing to me that people are writing $9 checks from their wealth-management account, their private banking account, and giving them to some stranger in a store.
Come to think of it, put that way, I now realize it’s pretty amazing as well. And it made me wonder not why identity theft is so frequent, but why it’s not even more frequent. I guess this is yet another argument for using good ole cash. Or at least being very careful about drawing checks on a wealth management account or an account in which one keeps much of a balance. (Of course, if one keeps a minimum amount in one’s checking account, then the bank hits you with exorbitant fees.)
Yes, I know if someone scams you in this way, it is in theory possible to unwind the damage– but I shudder at the time and effort that would be involved in doing so.
The Consumer Financial Protection Bureau Isn’t Undertaking Enough Consumer Education
Abagnale’s alive to the downward cycle of what at Naked Capitalism we call crapification– although he wouldn’t use such a term to describe it. This applies to the government more or less opting not to focus on a consumer protection agenda — I know, regular readers will say, that’s a feature, not a bug. And I expect that at least a couple of commentators will point out to me that I’m naive to think that I’m part of the constituency the government is supposed to act on behalf of. Instead, it’s donors, lobbyists, and big corporations that call the shots– and they generally espouse a consumer fleecing rather than a consumer protection agenda.
I myself largely agree with that criticism but note that it wasn’t always this way– the baseline here has certainly changed in my lifetime:
I don’t think we’ve done a lot to really protect consumers. Back in the 1970s, before I ever wrote a book or anyone knew who I was, I did a series of public-service ads for the Department of Justice that were really well filmed. They were all about 30-second ads. They were all very well written, and very well done. I recently testified with the U.S. Senate about the Federal Trade Commission, and the fact is these things aren’t done anymore. There are no public-service ads, and if there are bank-statement stuffers added, they’re selling some product of the bank.
Abagnale also doesn’t see that the Consumer Financial Protection Bureau has done very much to reverse that trend:
That agency has really not done much to protect the consumer. What they’ve done is gone out and found a lot of [wrongdoing at] financial institutions and banks and brought in a lot of money to the Treasury, but they haven’t done a lot to help the actual consumer from being a victim. If they wanted to really help the consumer from being a victim, they would be doing a lot more trying to educate the consumer.
Now, on his broader point– enforcement, and bringing money into Treasury– I think he overstates the case. I’ve written about the CFPB’s enforcement and rulemaking failings, most recently in House Votes to Overturn CFPB Mandatory Arbitration Ban and Payday Lending and the CFPB: Another Pending Cordray Fail. The CFPB were largely part and parcel of the previous administration’s cadre of financial sector enablers, part of the Too Big to Jail consensus. Too much enforcement wasn’t attempted, and too little rule marking done– and that which was, done so late as to render these efforts vulnerable to overturn under Congressional Review Act procedures.
But on the issue of consumer education, I think Abagnale’s correct. This is just another example of where the CFPB has failed to live up to its potential– and I would ignore all the screaming and yelling and gnashing of teeth on the part of critics of the agency who pretend it’s thus far imposed significant constraints on financial industry practices.
Technology certainly makes it easier to pull off certain kinds of scam, but not all of these are tied to the internet, nor would they be prevented by better cybersecurity. So, hat tip to Frank Abagnale for making me aware of some of these other risks– and what I might do to protect myself against them.