This a long post but worth reading. You wouldn’t wish this on your worst enemy.
A report by Jessica Roy, a reporter with the LA Times.
A stolen wallet precipitates a reporter’s years-long fight against identity thieves — and a system that doesn’t care and won’t help.
2019 was a pretty exciting year for me. I stole a Tesla. I got into a car accident — a BMW, that time. I got a new iPhone. I opened two new checking accounts and went on a bad-check-writing spree for as much as $13,000 at a time. I attempted to open dozens of new credit cards. I wrote a check for someone’s bail, which they skipped. On paper, Jessica Roy had a wild year. In reality, that year, and what followed, has been a nightmare.
I am the victim of identity theft. And it could happen to you. I also have some bad news: It will be entirely your problem, and no one — not the police, not the government, not the financial institutions — really cares or will help you much. But with determination, you can fight back. I did.
My troubles started in a bar in San Francisco the day after Thanksgiving 2018. When I went to close my tab, I discovered my wallet was gone. By the time I got my bank on the phone the next morning, my debit card had been used at a gas station for $48.15 and with a Square card reader for $30. I disputed both transactions and canceled all my cards. I went to a San Francisco police station to report the stolen wallet.
When I got home to L.A., I had to get a new driver’s license, had to update my autopay bills and had to buy a new wallet. I thought that was the end of it. (I’d also lost maybe $100 in old gift cards, $10 in cash, and a Skin Laundry loyalty card. Devastatingly, I was just one punch away from a free facial.) Then the letters started arriving. “Congratulations! We’re pleased to inform you that your application for a new Wells Fargo account has been approved.” “Welcome to Bank of America, and thanks again for choosing us.” Target called asking about my recent card application. Emails started arriving from my existing credit card accounts:
Email change alert. (The thief tried, but failed, to access my Gmail account that had two-factor authentication enabled. They made a new one with my name and used that instead.) Password change alert. Mobile device phone number change.
I got an email from the monitoring site I use to track my credit score. “Is This New Card Yours?” Another one: “A New Inquiry on Your Equifax Report.” PayPal. Walmart. Macy’s.
I’m a woman of action, and I got moving fast. I froze my credit with all three major bureaus and also froze my file with ChexSystems, the consumer reporting agency that tracks checking account activity. I filed a federal identity theft complaint. I left what would be the first of many voicemails with the San Francisco Police Department to get a copy of the report about my stolen wallet.
When I reached out to Bank of America and Wells Fargo to get the fraudulent accounts closed, I quickly encountered a problem: Their automated phone menus demand your account number before connecting you to a human being. But the letters I received did not have the new account numbers on them. For security purposes.
When the first Social Security numbers were issued in 1936, they were never meant to be a secure identity signifier, but the major credit bureaus began linking your Social Security number to your credit history around 1991.
Outrage No. 1
I started noting how long I spent on hold. Bank of America holds the record: 47 minutes. Once, an associate named Logan told me I needed to make a statement and go to any Bank of America branch to get it notarized. My local branch did not have a notary, they said when I got there, and if they did, I would have needed to make an appointment. Back to the phone queue.
Two years before that, another new concept had emerged in the world of personal finance: the credit score. It was a way to crunch all of the information in your credit history into one number that now serves as shorthand for whether someone should finance your car loan, let you buy a house, or maybe rent you an apartment.
Today, Social Security numbers and credit scores are broadly criticized by financial experts and government officials as overly simplified and, generally speaking, bad.
And your Social Security number isn’t very secure, even with the people who are supposed to be securing it. In 2017, the names, addresses, birthdays and Social Security numbers of 147 million Americans were compromised in a hack of Equifax, one of those companies that calculates your credit score. I was among them. For our troubles, Equifax offered a piddly $125 and some free credit monitoring. Then it turned out the bureau never set aside enough money to pay all the victims. I filed as a victim back in 2019. I haven’t seen a dime, and I don’t expect to.
There are no perfect solutions for identity theft. But experts and a victim have ideas
But what does a massive data breach have to do with my wallet being stolen?
The thieves were likely able to obtain my Social Security number and other information about me for sale on the internet. Whether that info came from the Equifax hack or from a data breach at another institution is unclear.
An Equifax representative said in an email that “we are aware of no evidence that the breach has resulted in the impacted consumer data having been sold or used.” Equifax declined to comment further for this story.
Outrage No. 2
Two addresses belonging to the people who stole my identity appear on my Equifax credit report to this day. Those addresses are in cities I’ve never set foot in. I filed a dispute on the uncooperative Equifax website. Two days later, I see that I can download a PDF for the details of the resolution: “Oops. Something went wrong. Please try again later.” Every time.
In any event, stolen Social Security numbers are not hard to come by online, Eva Velasquez told me. She’s the president and CEO of the Identity Theft Resource Center, an advocacy organization dedicated to helping victims of identity theft.
Her organization sees sheaves of Social Security numbers available as “buy-one-get-one” deals packaged with other consumer data on offer. “They have been so ubiquitously compromised that they are available, essentially, for free,” she said.I started a Google Doc tracking every letter, email and phone call; a physical file folder, soon bulging, kept everything in one place. I felt bile rise in my throat every time I opened my mailbox. Every day, for weeks, there was something new. Sometimes multiple somethings.
I would sit at my kitchen table and call the 800 numbers of the banks or credit card companies or car loan brokers and fight the automated phone menus in a desperate bid to speak to a human being. The thieves, meanwhile, were on a roll. Although my driver’s license had been reported stolen, Bank of America and Wells Fargo issued checkbooks to accounts opened using it. I started getting letters about bad checks$79.04 at Marshalls. $772.94 at Safeway.
$13,743.80 at Big Lots. I began to realize that I was not only the victim of identity thieves, but also of the system that allowed them to steal my identity in the first place. And now, that system was going to make me work an unpaid part-time job fighting my way out of their logistical labyrinth. Kafka would blush.
Bank of America asked me to mail it a notarized affidavit, a copy of my driver’s license and a copy of my Social Security card so it could investigate the bad checks. I replied that it would be insane for a victim of identity theft to put those things in the mail. The person I spoke to said, “We would never require you to send any information like that.” I was holding the letter asking for just that on Bank of America letterhead.
Are you the victim of identity theft? Here’s what to do
That letter said I had 30 days from the date of my claim — Jan. 25 — to fill out and return the forms. I asked why the notice was dated Feb. 25. The representative said the bank had first mailed the letter to the most recent address on file — an address I reported as fraudulent. The place where the thieves lived.
Banks want it to be easy to open an account. As Velasquez put it, consumers “want a zero-friction experience,” which explains how the thieves were able to open checking and saving accounts. Months later, as I tried to close them, Andre from the Wells Fargo fraud department quizzed me on street names where I’d lived and people with whom I’d associated to make sure I really was who I said I was. That is not part of the process to open a new account — just to get a fraudulent one closed.
Protecting your identity
There is no way to completely prevent identity theft. But taking these steps can help prevent it — and lessen the impact if it does happen. Freeze your credit. It takes 15 minutes, and it’s free. Don’t pay for any “upgrades.” Review your credit report at least once a year. You are eligible to get a free copy of your credit report from each bureau annually. Review it to make sure everything looks right.
Check your passwords. Make sure your sensitive accounts — things like your email and your bank accounts — have strong, unique passwords. Use two-factor authentication everywhere you can. Never give anyone your bank password or verification code. Anyone asking you to tell them your password or a code you were just texted is trying to defraud you. Sign up for alerts from your banks. This is so you’ll be notified immediately if someone tries to open a new account. Review your bank statements regularly. See any transactions you don’t recognize? Call your bank right away. Don’t carry your Social Security card in your wallet.
Retrieve mail promptly, and stop it if you’re going out of town. Stolen mail is one of the easiest ways for thieves to get your information. Opt out of pre-screened credit card offers. These can be a data gold mine for thieves. Visit optoutprescreen.com to stop them.
In April, things began to escalate. One of the thieves used my driver’s license to rent a Tesla that was later reported stolen and then found abandoned. Another time, someone presented my driver’s license to police after getting into a car crash in a BMW. I got a phone call from the other driver’s insurance company months later.”I” had written a check for someone’s $600 bail, that someone never made it to court, and I now owed $4,310. The bail bond company told me to come to their office in person with the debt collection letter and a hard copy of my police reports. I said their legal department would have to make me. The man I was speaking to told me to have a nice day and hung up. Eventually, they closed the case.
When you ask a company to lend you money, the company asks the credit bureaus to check your credit history. There are two types of inquiries: “soft” and “hard,” referring to their impact on your credit.
Outrage No. 3
A debt collector in Tuscaloosa, Ala., sent me a collection letter about the bad checks I’d written at a Kohl’s and a Michael’s. They gave me a fax number to send them the police reports. The fax number did not work. Soft credit checks, which are common for things like store credit cards and internet impulse purchases, do not affect your score. Hard inquiries are more extensive, and prompted by big-ticket things like auto loans and mortgages. A hard inquiry typically dings your score by a point or two, and that impact lasts for one year. When your credit is frozen, a hard inquiry into your history tells the creditor, “this account is frozen, so you can’t access that information.” But for reasons I can neither fathom nor explain, the inquiries still show up on your credit report and still affect your score.
One of the thieves triggered a hard inquiry at a car dealership in Van Nuys. I guess the thieves needed new wheels after things didn’t work out with the Tesla and BMW. I wanted to get the hard inquiries removed on principle. The credit score impact was negligible. But I wanted no trace of these people on my previously unblemished financial personhood. The first step to get a hard inquiry removed is to call the creditor — in this case Russell Westbrook Chrysler Jeep Dodge Ram of Van Nuys — and ask them to send a “letter of deletion” to the credit bureaus. I left several voicemails. The person I finally spoke to said he had worked there for 26 years and had never done this before.
I succeeded in getting hard inquiries removed at other institutions, but after several frustrating phone calls, I conceded bureaucratic defeat on the Russell Westbrook one.
The thieves, it seemed, knew everything about me, and I knew nothing about them.
Then in May 2019, I learned the Berkeley police were trying to reach me.
A month earlier, a Berkeley police officer noticed a car without license plates. The two people in the car were on probation for identity-theft-related felonies. In the car, police found checkbooks, credit cards, photocopies of IDs, and other information for more than a dozen people, many of whom had reported stolen identities. Including me.
The Cheez-It box was the most galling part. A quarter-inch-thick police report detailed what police found in the couple’s car: stolen mail; wire cutters; lock picks; a window punch; cellphones; multiple fake IDs, pieces of paper with names and Social Security numbers scrawled on them; a stun gun. A photocopy of my driver’s license. A Wells Fargo card with my name on it. Paperwork from a Best Western with my name on it. A handgun. And a Cheez-It box with a dozen checkbooks stuffed in it.My entire identity theft experience to this point had been rife with indignities large and small. And now my favorite snack food had been implicated.
Outrage No. 4
I called Transunion to get a copy of my credit report. The person I spoke to said I could only request one free copy of my credit report every 12 months, and I had already requested it in December 2018. She told me I could pay $11 for another one. I told her that wasn’t me; it was the people who had been committing identity theft against me. She repeated that I was not eligible for another free copy of my report until December 2019. I’m not proud of this, but I screamed at her. “YOU SENT MY CREDIT REPORT TO THIEVES.” She transferred me to a supervisor. A free copy of my report was mailed, finally, to me. I am not naming the people who stole my identity, for my own safety. I will refer to them as Thief 1 and Thief 2.
An officer asked Thief 1 about the Best Western paperwork — who was Jessica Roy? A friend, he said. Police also recovered a cellphone where someone had texted him about a local credit union where he should open an account: “The other banks are up on the s— and good for putting extra holds before u can actually withdraw money on deposits.” Thief 2, a woman, was on probation for possession of stolen property. Both were booked on multiple charges, including California Penal Code 530.5(c)(3): possessing the identity of 10 or more people with the intent to defraud. Everything found in the car was logged as evidence, including the Cheez-It box. Is my experience unique? The details, yes. But the crime, no. A recent survey conducted by Javelin Strategy and Research and co-sponsored by the three major credit bureaus found 42 million Americans were affected by some form of identity fraud in 2021. Total losses: $52 billion.
There is no single national public database that tracks identity theft, or any cybercrimes, the way that we track violent and property crimes. And there is no law enforcement agency dedicated to investigating cybercrimes at an individual level, so it’s hard to say precisely how prevalent identity theft is. Shima Baughman, a criminal law professor at the University of Utah’s College of Law, told me police don’t report identity theft cases to the FBI, but to the Federal Trade Commission. In its 2021 data book, the FTC notes that it does not intervene in individual cases but refers the data back to law enforcement.
Outrage No. 5
The thieves wrote a bad check for $94.45 at a Trader Joe’s in Modesto. The check had my middle name, last name, and city spelled wrong, and the wrong apartment. Why had the check been accepted in the first place? The FTC report said its Consumer Sentinel Network took in more than 1.43 million reports of identity theft in 2021 — a record high. You can report a cyber crime to the FBI through its Internet Crime Complaint Center, which was one of the first things I did. Filing the complaint generated a report, which was helpful to have. But stolen driver’s licenses and bad checking accounts are not exactly in the FBI’s wheelhouse. The FBI’s complaint center received 51,629 reports of identity theft in 2021, also a record high.
Why are identity theft cases on the rise? For one, they are easy to commit.
“It used to be that you had to have some savvy to commit these crimes,” Velasquez said. Not anymore: “You just need an internet connection.” Suicide prevention and crisis counseling resources. If you or someone you know is struggling with suicidal thoughts, seek help from a professional and call 9-8-8. The United States’ first nationwide three-digit mental health crisis hotline 988 will connect callers with trained mental health counselors. Text “HOME” to 741741 in the U.S. and Canada to reach the Crisis Text Line.
More resources
Victims stand to lose much more than money. The Identity Theft Resource Center puts out an annual report that looks at the toll identity theft takes. In 2022, 87% reported emotional and physical impacts, feeling worried, violated, angry, guilty. Ninety-two percent had trouble sleeping. Forty-two percent reported persistent aches and pains. Seventeen percent developed unhealthy or addictive behaviors. Ten percent reported feeling suicidal.
Victims also were asked how long it had taken to fully resolve their identity theft. Fifty-five percent said they never did. Before Thief 1 and Thief 2’s trial in June 2019, the Alameda County district attorney asked whether I wanted to make a victim impact statement. I did. Re-reading it, even now, is hard. I told them they stole my wallet during a difficult time in my life: I’d had a miscarriage a couple months earlier. The wallet, of blue studded leather, had been a gift from my grandmother before she passed away. “I feel sick just thinking about having to relive all of this again,” I wrote. “This has been a profound personal violation that has significantly affected my mental health. My therapist thinks the stress from dealing with this is part of why I haven’t been able to get pregnant again.””I don’t know if [Thief 1] or [Thief 2] will ever read this statement,” I wrote. “If they do: I found both of you on Facebook. It looks like you both have children. That must be wonderful — I wouldn’t know. Did you think this was a victimless crime? Did you ever think you were stealing not only someone’s credit card information, but their chance to be a mother?”
Outrage No. 6
I reported my wallet stolen to the San Francisco Police Department on Nov. 24, 2018. I left a follow-up voicemail message on Nov. 27. No one responded. When the mail started arriving with all the bad account information in January 2019, I realized I needed a copy of that report. I left four more voicemails. No one got back to me until I filed a records request for the report with my L.A. Times email.
Thief 1 and Thief 2 each faced a year in prison but took a plea deal: nine months in county jail, a six-month residential treatment program for drug addiction, and five years of felony probation.
I felt like I could finally relax. They couldn’t continue their crime spree from a jail cell, right?
One afternoon in August 2019, I got a call on my desk phone at The Times. A man with a heavy accent asked if I was Jessica Roy. He needed my help. His girlfriend had hit him, tried to kill him. Actually, his ex-girlfriend. He was on his way to the police station. I said the name of Thief 2. Was it her? No. He gave me a different woman’s name. He believed she was stealing my identity and he wanted me to report her to the police. He said she’d used it to rent a car. He said she’d recently gotten out of jail and he found a bunch of mail in her car with my name on it. He asked me to email him so he could send proof. I emailed and asked him to send whatever he had. “Thanks Jessica I’ll contact you later today ..im on the police office.” Days later, he emailed me from a different address. He said he didn’t have access to his email and he wanted my cellphone number. I didn’t reply. One minute later, he wrote again. “How i can contact you Jessica Roy.. can you call me at [redacted].or email me you phone number to call me private if you want…thanks Jessica ” Again, I didn’t reply. Two hours later, he sent me a third email with no body text, just two blurry images of pieces of mail with my name and an address in Richmond I recognized from my credit reports.
Two hours after that, he emailed me again with the full name and address of his (possibly ex) girlfriend. Then he sent another email: no message, just two photos someone had taken of themselves in a mirror. Explicit photos, in lingerie.
To this point, I had kept every piece of communication I’d received pertaining to my identity theft. This email, I hit “delete” immediately. It was time to go to the police. The first time I went to the Los Angeles County Sheriff’s Department station in West Hollywood, the person at the front desk said this was a Richmond police issue. I called Richmond. No, they said, the report has to originate in the jurisdiction where the victim resides. I went back to the West Hollywood station. The deputy behind the counter sighed as I pulled out two bulging file folders of documentation. He looked at it — the physical manifestation of months of work and anguish on my part — as though I’d come to show him my stamp collection. I recounted what had happened since my wallet was stolen and said that now a strange man had called me and sent me unsettling emails.
Outrage No. 7
On Transunion’s website, it says “Transunion makes it easy to dispute inaccuracies!” Every time I tried to do that in April of 2019, the website was down.
“So,” he said, expressionless. “You believe yourself to be the victim of identity theft.I corrected him. “I am the victim of identity theft.”
This was worse than getting the runaround from an automated phone menu. The bile tasted familiar. He suggested I talk to the bank and phone company first. I said no. I wanted someone to take my report. It was a Wednesday afternoon in early September. He told me it might be awhile. I was the only person there. I’d come prepared to wait. I’d packed snacks. I chose a spot on a bench directly across from him — where he couldn’t look up without catching my eye — sitting there patiently, smiling politely. After almost an hour, another officer took my report.
I didn’t expect deputies to form a posse and road trip up to Northern California to break down the person’s door. I thought, or hoped, they would alert police in Richmond.
I followed up a month later, in October. A detective told me the case was marked as “pending.” He indicated there was some confusion about why I had police reports with the San Francisco police, and the Berkeley police, and now wanted the Richmond police involved.
Another reason identity theft cases are on the rise: “It’s really difficult to get arrested for committing cyber crimes. It’s very low risk and high reward,” Roger Grimes told me. He’s a cybersecurity expert who’s written on the topic for years.
He and Velasquez described how criminals can buy terabytes of hacked personal data and malware that automates opening credit cards and applying for loans.
Baughman, the criminal law professor, said cyber crimes are wildly under-reported because victims don’t think the police can or will do anything about it. And they’re mostly right.
Part of the problem, she said, is that these crimes cross traditional jurisdictions. (Indeed, after another call to the West Hollywood station, I was told it wasn’t clear whether the case was ever referred to Richmond.)
Your local law enforcement agency is generally interested in the geographic region it polices. Then there are clearance rates, the percentage of cases police solve and a key metric they care about. Identity theft cases cross geographic lines and are hard to clear, so police don’t really want to take them, Baughman said. The only reason Thief 1 and Thief 2 got arrested is because they slipped up. It was a fortunate (for me) coincidence, not the result of an investigation.
What to do if your identity is stolen. If your personal information has been compromised, you need to act fast.
Here’s what to do.
Take notes. Write down dates, any information you received, the number you called, whom you spoke to, and the case or incident number. Freeze your credit. This should prevent someone from opening new accounts. File reports with the FBI and the FTC. Visit complaint.c3.gov and IdentityTheft.gov to get started. Contact the banks’ fraud lines. Contact any financial institution where you think a new account has been opened by calling the number for the fraud department. File a police report. You might get some resistance. I did. But having that report is a key piece of evidence so you won’t be on the hook for any thief’s activity.
More detail
On the evening of the same November day I’d spoken by phone with, according to my notes, an “incredibly rude woman” from the West Hollywood station, I got a text and an email confirming a marijuana delivery order. Spam, I thought. A little while later, I got a phone call: It was a marijuana delivery driver. He was parked just outside my hotel in Petaluma with my order. Could I come outside? I emailed the marijuana delivery company, and the founder responded right away. As far as he and I could tell, someone had used my name, email address, date of birth and phone number to create an account, but they forgot to change it to their own phone number when they placed an order for $57 of Legend OG.I forwarded the receipt to the L.A. County sheriff’s deputy assigned to my case, asking him to update my report. We spoke by phone the next day. I had the exact address for where these people were staying, and proof that they’d been there the night before. Surely, the police in Petaluma could knock on the door and check it out.The detective said he’d talk to his sergeant, but he wasn’t sure what they could do with that information.
On Christmas Day 2019, my phone rang again. It was my bank, the woman said, and they had a couple questions, and she just needed to verify my identity before she could go any further. Sure. My name, date of birth, current address. And — just to verify — what was my account password? I remember exactly where I was standing, in my parents’ living room, my extended family gathered over holiday hors d’oeuvres. I looked down at my glass of wine as a thought penetrated my holiday buzz: My password? I hung up.
Outrage No. 8
I recently learned I am listed on background checks as some of the thieves’ “known associates,” likely because of the incident where one of them presented my driver’s license after a car crash. A background check on Thief 4 lists my new home address. Another phone call. Jan. 3, 2020. An officer with the Vacaville Police Department — well, you can guess this next part. A man and a woman arrested. Things found in the car with my name on them. I asked the officer if I could guess their names. Thieves 1 and 2? No.
How about the name of the man who had called me in August and his (possibly ex) girlfriend?
Yup. That was them. I asked for the officer’s email. I had some things to send her.
Sometimes I feel like the heroine of a noir novel. A victim forced to take the law into my own hands, using shoe leather and good, old-fashioned know-how to solve the attempted murder of my personal finances. But more often, I feel like I’ve been victimized twice. Once by the people who plucked my wallet out of my purse. But a second time, and many more times over, by a system that is doing nothing to protect me — or any of us — and that forced me into a part-time, unpaid job cleaning up after the bad system they created.
I’ve told a lot of people this story. They ask what they can do to protect themselves. The answer is tricky. I work on a team focused on service journalism and I’m used to saying, yes, of course there’s something you can do about this. In this case, I feel like saying, “There’s nothing you can do! Good luck!”But that isn’t entirely true. I said I wouldn’t let the thieves win, and I didn’t.
In 2020, my husband and I decided to buy a house. I had to un-freeze my credit to get a mortgage.
Less than 24 hours after I unfroze all my credit reports, I received an alert from one of the banks I use, thanking me for applying for a new checking account. I logged in and saw that my mailing address had been changed to one in Northern California. I called the bank in tears to fix the problem and asked what I could do to make it stop. The customer service rep’s response: nothing.
“If we could prevent all fraud from happening we would, but we can’t,” they said breezily.
When the mortgage company sent my husband and me the completed application to review, three of the addresses on it belonged to the thieves. I got to send yet another email with multiple police reports attached. But ultimately, the mortgage did go through, and we moved into our first home that summer. And this year, in February, we brought our first baby home from the hospital. I was on maternity leave until August. When I got back, my editor asked me what story I wanted to work on next. You’re reading it.
Other victims of identity theft have compared it to managing a chronic condition, Velasquez told me. You have periods of remission, but then have to battle flare-ups unexpectedly, and always at the worst times (like when you’re applying for a mortgage). But it is manageable.
What stood out to me, over and over, was that this wasn’t something I could have prevented, and not something I should have been expected to single-handedly fix. This is a systemic problem that will require systemic solutions.