The Times-Dispatch held its 74th Public Square on Dec. 12. RTD Business editor Greg Gilligan led a discussion about the perils facing consumers today, especially cyber-threats. He was joined by Ron Lieber, a New York Times business columnist, and Tom Gallagher, who has led the Better Business Bureau of Central Virginia for 35 years. Publisher Tom Silvestri served as moderator. An audience of about 75 people joined the energetic afternoon conversation at the newspaper’s downtown building. Today, we present highlights. To see a video of the entire event, go to Richmond.com.
Greg Gilligan, RTD business editor: ... Nearly half of consumers surveyed by Stamford University recently indicated that they were a victim of some type of fraud in the past year. These are men, women, college students. Retirees. They’re rich, they’re poor. All walks of life. They’ve all been scammed in some way or another. And it’s a scary thing out there. These cyber-attacks, they happen on the web. They happen to Twitter, they happen to Netflix, they happen to Uber. Ransomware, that’s another type of scamming. Ransomware has infected businesses. They’ve infected government. They’ve infected personal computers around the globe.
And remember, it was only four years ago, right around this time, when Target announced that they had had a major data breach. That was one of the largest at the time. But a few months ago, in September, Equifax came out, and they said that scammers had accessed personal information of about 143 million consumers in the United States. About 4 million of them here in Virginia alone.
About 15 million Americans are thought to have lost some $50 billion a year, because of scams, or because their identities have been fraudulently taken. And that doesn’t include the emotional cost of fraud. About 50 percent of these fraud victims have reported severe stress as a result, according to this report. And more than a third cite some type of depression. So, it’s pretty rampant. ...
But as I mentioned, the biggest scam, the biggest cyber breach, happened back in September at (Equifax). ... We decided to bring in Ron from The New York Times, because Ron has really asked the tough questions. He has dug deep into what’s happened, and what you need to know about it. So I’m going to turn over the program. Ron, tell us a little bit about what you’ve learned, what has happened, how have consumers been affected, and what can they do?
Ron Lieber, the “Your Money” columnist at the New York Times: ... You know, it helps to understand why people were so primed for outrage about this. And the reason why — and I think many of you will agree, if you know anything about this industry — is that there are these three major credit unions. Experian, Equifax, and TransUnion. Most of you have had dealings with them, or seen your credit reports over the years or over the decades. This is an industry, and a collection of companies, that has traditionally not been very consumer-friendly. And if you want to get information about yourself that they have gathered about you, from them, it can be very difficult. It can cost money. Often, the information they have is wrong. And they can have a disproportionately large impact on your financial well-being. Because when you need to apply for a credit card, or a car loan or a mortgage, what they say about you goes. Right? And it has an impact on how much you’ll pay, in the way of interest, if you’re borrowing money.
So most people who have interacted with those companies over the years, they haven’t always had a pleasant experience. Right? And so that’s how those credit reporting bureaus work. Now, it’s been also clear to us that people like me who have written about them on and off for 15 years, that they control and gather just an incredible amount of data. And at least once or twice a year, Tara Siegel Bernard, who’s my reporting partner in crime at The Times — we’ve worked together for ten or 11 years now. Every year or two, we would sort of spitball, “Wow. What’s gonna happen when one of these three big credit bureaus gets breached?” Because it felt like it was sort of inevitable, given that that’s the sort of motherload of data. They’ve got names, and they’ve got dates of birth. And they’ve got Social Security numbers, and they’ve got — you know, all the information about whether we’ve ever filed for bankruptcy. And a thousand million other things.
So, we figured that someday it would happen. And lo and behold, that first half of September, you know, the news alert appears on the wire services. And it’s five or six o’clock in the evening. And I’m in Chicago, and Tara’s in New York. And our security reporter is overseas. And the editor is in San Francisco. And we have basically, you know, 15 minutes to figure out whether this is really it. Like, whether this is the big one. And it became clear very quickly that it was. That they basically lost track of information on most of — on more than half of Americans. ...
The thing that was most surprising about this was how the company handled it afterwards. Because I personally, I professionally, and all of my readers, just had — I mean, a million questions about what this was going to mean for them. How can people lock down their information? What’s the best thing to do to protect themselves? Was I even affected here? How can I access the things that Equifax says that it’s trying to do for me, to help protect myself?
The company’s systems were — they melted down in the wake of this. For those of you who tried to get through to their web site, I’m sure you had the same experience that I did, right? It was impossible. You would call them on the phone, and you couldn’t get through, or you would talk to somebody halfway around the world who had no answers. And the company was just ill-prepared for the depth and the breadth of this problem. ....
Gilligan: So, Ron, you give us a sense, in all your reporting and discussion with Equifax and others, what should we, as consumers, be doing? What steps should we be taking now — you know, three months after the breach took place, or was announced?
Lieber: Sure. Well, you know, just as a reminder, not everybody’s information was exposed. And I’m now about 80 percent convinced that the information that Equifax puts out on its web site is actually accurate. ... I’m reasonably sure that what they tell you is going to be correct. Which is, “Your information may have been exposed,” or, “Your information was not exposed.” ...
I can guarantee that all of your Social Security numbers, your addresses, your dates of birth, they’re out there in the ether somewhere. They’re in a paper filing cabinet at a doctor’s office. They’re someplace else, where a thief working on the inside, or a thief trying to penetrate from the outside, can find it. We are all exposed and vulnerable when it comes to our personal information. So, the question then becomes, you know, what’s the best defensive measure? What is the prophylactic kind of digital method of hygiene that we all should be taking?
I would suggest doing the same thing that I’ve done for more than a decade now. Which is to take out something called a credit freeze. And for those of you who don’t know what that is, or don’t have one, basically you go to the three big credit bureaus, Equifax, Experian, and TransUnion. Each of them have web sites where you can do this. And you set yourself up with a freeze. And what a freeze means, the idea behind a freeze, is to make it impossible for a thief to commit new account fraud. So, here’s how it works: When you freeze your credit files, no company that is not currently doing business with you can access any information about your credit history.
So the way that works in practice is that if a thief gets a hold of your information, and they want to impersonate you, and they sign up for a credit card, or they try to, the credit card company will go to the three credit bureaus and say, “Hey, I’m looking for the credit report on this person.” And the credit bureaus are gonna say, “Well, this file is frozen.” Right? So, once that company that has the application in your name finds out that the file is frozen, they’re not gonna issue any new credit, because they want to check the credit before they issue the new card. Right? And they can’t do that, because the file is frozen. ...
The natural follow-up question is, “Well, what if I actually want new credit for myself?” So, you can still do that. You can temporarily lift the credit freeze with a special PIN number they give you when you set the freeze. So, it’s very important you don’t lose that. It gets complicated if you do. But that’s the best mechanism that I’ve been able to find keeps new identify fraud from happening. It’s something I don’t worry about in my own life anymore.
Now, it is not a silver bullet. There are two other forms of identity fraud for which a credit freeze is not gonna help you. One of them, we’ve already talked about. Greg talked about income tax refund fraud, where thieves will fill out a tax return in your name on January first or January eighth, trying to kind of beat you to the IRS, in the hopes that the IRS will be fooled by the return that they file, and issue an income tax refund based on the fake numbers that the thief submits in your name. ... And really, the only way to keep it from happening to you is to file your taxes as early as possible, so as to beat any potential thieves. It’s literally a footrace, right? Otherwise, you’re crossing your fingers and hoping the IRS will catch people who try and do it in your name.
So, that’s number one. The other one is medical fraud, where people impersonate you in an effort to get medical services for themselves in your name. That’s a little bit less common, but it still goes on. And there, too, it’s very difficult to figure out how to put a stop to that and keep it from happening. But thankfully, it’s still relatively rare. But still, credit freezes can help prevent a lot of really nasty stuff from happening, at a very small cost in inconvenience and time. So that’s what I recommend doing, and that’s what I’ve recommended to readers over the years.
Gilligan: Now let’s talk to Tom. You’ve been with the Better Business Bureau for 35 years. You retired this year. You have seen a lot of scams and fraud over that time period. Give us a sense of what you’re seeing, and how prevalent it is.
Tom Gallagher, Better Business Bureau of Central Virginia: You know, I was interested in what Ron said. It doesn’t make any difference how we feel about Equifax, or TransUnion — it just makes no difference at all. It’s sort of stunning to me, that these guys play such a huge part of our life. They got started inside of 35 years ago. ... It’s really a new phenomenon, that they’ve gone with the only three agencies, and that they’ve been able to pull that through.
My stuff that I’ve seen hasn’t been as global as what Ron has seen. My stuff has been more individually painful, I think. Unless you’re caught up and you can’t control your credit report. You can’t control the way people talk about you, or your ability to do business, or your trustworthiness. That’s just frightful, to me. That people can so cavalierly share information about you, without verifying it. Now, there’s one other step that we always — at BBB — have liked to suggest, is we have these three credit reporting agencies. And they have to give us the information, annually. We ought to do what we don’t do — set these things up three times a year and get a copy of our credit report. This is after the fact. That way, you can see who screwed you.
Gilligan: And you can do it for free.
Gallagher: Yeah, and you can do it for free.
Gilligan: Yeah. AnnualCreditReport.com. Don’t go to any other web site.
Gallagher: Nope. Because there’s people who will sell that to you.
Gilligan: Speaking of scams. ...
Gilligan: So, you both have given us some tips for consumers, what they need to do to prevent these scams. What other tips can you provide?
Gallagher: I’m not sure we can prevent it. Matter of fact, I’m sure we can’t prevent it. We have no control over that data. Now, I am sure that the credit bureaus can prevent it, until the next really smart dastardly Batman foe figures out how to get into that. And that’s just waiting to happen. That’s one thing. The other thing, is just to be really careful. Don’t tell anybody anything about yourself. You don’t have to.
Gilligan: I think, Tom, you once said, “If it sounds too good to be true, it must be too good to be true.”
Gallagher: Yeah. “If it sounds too good to be true, it’s too good to be true.” I mean, just don’t believe anything. Don’t give people — the medical business industry just bums me out. They’re still working with Social Security numbers. ...
Lieber: ... I think first of all, as much need as there is to be vigilant, I think it’s also important to have context and perspective. Even if your information, even if your data is stolen, the chances of it being used in some nefarious way is actually relatively low. ...
The thieves need to be able to sell the data, if that’s what they’re in it to do. And sometimes people don’t want it. Or your information doesn’t get bought. And then, whoever it is that does end up using it, has to actually be successful in doing so. Companies have pretty sophisticated anti-fraud measures. They don’t always work, but they work a lot of the time.
And then, if the thief is successful in using it, it has to impact you in a way that costs you a lot of money or time. That’s the thing that you need to be most scared of. And that, too, doesn’t happen all that often. So the odds are actually relatively low. And then something else, you know, about Equifax, just worth noting. We do not have any indication yet that any of that data has been used in a way — to steal things from individuals whose data was exposed.
Now, why might that be? Well, a couple reasons, right? Sometimes thieves will take the data that they steal and put it on ice for a year or two. In essence, until the coast clears, and people let their guard down. And then, you know, it won’t be clear where they got it from. But it’s also become clear in recent years that some of the people doing the stealing are state actors. And we don’t know whether that was the case here, but it’s entirely possible that, you know, countries you might have heard of that don’t like the United States very much may be behind some of these break-ins. Like the big one at Anthem, where all the health insurance data was stolen. And perhaps this one from Equifax, where all of the personal information on people’s financial records were. ...
But rule number one, most financial services companies will not and certainly should not be sending you e-mail where they ask you to click a link in the e-mail, to go to their web site. Because that’s how scammers work, right? They send you e-mail that looks like it’s from American Express, and they try and trick you into clicking a link, or downloading a file. So legitimate financial service companies should not be doing that. And if they are, you should complain to them. And if they’re telling you there’s a problem with your account, call the number on the back of your card or on your mortgage statement, and do not engage with whatever link shows up in your e-mail. So, that could save you a lot of grief.
Same thing is true with attachments that come from people that you do not know. Or perhaps people that you have not heard from in a while. You know, they may have been hacked, their e-mail was taken over. And some nasty virus is headed your way. So, you know, unless you are reasonably sure that you know what this attachment or this link is about that somebody’s sending to you, I’d think twice before sending it. You know, you can spare yourself 37 percent of all known problems, just by following those couple rules.
Gallagher: This is really pretty simple, and it’s what I learned the first day when I went to work for BBB — know the people that you’re doing business with. Know about ‘em. BBB’s got files, all kinds of files. Other folks have files. And check ‘em out. Look at the BBB experience. Look at the attorney general. Just start searching around on the company. Before you know who it is, check ‘em out before you do business with them. After all, you have what they want, which is money. ...
Now, in the cyber-world, this doesn’t go too well. But there’s a couple of companies that we trust. They’ve earned our trust over the — well, we trust ‘em. I don’t know whether they’ve earned it. But I do, I trust Amazon — and a few other folks. Because I know if it’s a south deal, if it isn’t going the way that I want it to go, I’m out of it. And they send me the money back, and give me popcorn to boot. I control that. I control my marketplace. Nobody can control Tom Gallagher’s marketplace but Tom Gallagher.
Gilligan: ... What’s the horrible, worst scam story that you’ve ever heard, that has affected somebody? ..
Lieber: ... I believe what has happened with Wells Fargo qualifies. And, you know, when you talk about the the worst, the outrageous, the fact that — who knows how many hundreds or thousands of employees at Wells Fargo opened up what may now be hundreds of thousands — or maybe more than a million now — of fake accounts in the names of people who were already customers, just to meet sales goals. You know, the mind boggles that that could go on at one of the biggest banks in America. And if you look at the list of other things that Wells Fargo has been sort of called to the carpet on in the last two years, I mean, it’s a double-digit number of bad things outside of that truly bad thing.
And you have to sort of wonder, right? For all of the good people that I’m sure work there, and do the right thing, is it fair at this point to write the whole place off as a criminal enterprise? It’s a non-rhetorical question that I’m not sure I know the answer to, right? But I have to send money to them each month, to pay off my mortgage. And it makes me sick.