How Thieves Use Facebook to Steal Your Identity

It’s the bane of modern life: the two-headed monster of identity theft and identity fraud.

Though the terms are often used interchangeably, there is a difference. ID theft occurs when someone steals personal information about you- Social Security number, address, bank account numbers, etc. When they actually use that information for their own gain-like opening a credit card, then they have committed identity fraud.

The Federal Trade Commission (FTC) estimates 10 million Americans are victims of ID fraud every year. Thieves do not need a lot of information in order to steal your identity, just one critical piece of data--such as your Social Security number or your mother’s maiden name---gives access to a lot more information.

Moreover, a surprising amount of ID theft does not involve making fraudulent purchases. Take Megan Mullen: the 25-year old Tennessee woman charged with posing as her girlfriend Kerilee Burns. Mullen already knew Burns’ birth date and address.ullen allegedly took Burns’ health insurance card and used it to get treatment in a local hospital.

The good news is that, after climbing each year since 2003, the identity fraud incidents declined last year, according to the 2011 Identity Fraud Survey Report by Javelin, a consulting firm that advises financial services companies on security issues. The survey also showed 8.1 million consumers were affected, the same number as in 2007, and down from more than 11 million the year before.

Not only did ID fraud claim fewer victims last year, the amount of money involved fell to $37 billion from $56 billion. Javelin attributes this drop to the dramatic decline (41%) in losses from existing credit card accounts. By comparison, the amount lost on new accounts, which typically aren’t monitored as closely, fell less than half that.

Javelin also credits increased efforts by law enforcement, more sophisticated fraud detection systems and behavioral changes by consumers as reasons for the curbed ID fraud. More individuals have signed up for credit-card monitoring services and we are more aware of identity thieves' techniques such as “phishing”- a scheme that involves sending an email from what appears to be a legitimate financial institution requesting that you reply back and provide account and other personal information.

But perhaps the biggest factor in last year’s decline in identify fraud can be attributed to the absence of one man: Albert Gonzalez, the mastermind behind major data break-ins at retailers such as Target (NYSE:TGT), JCPenney (NYSE:JCP), Barnes & Noble, Sports Authority, and 7-Eleven.

Gonzalez is currently serving a 25-year prison sentence. Gonzalez, who was a paid informant for the Secret Service at one point, assembled a talented team of cyber thieves and in addition to the companies named above, hacked into the parent company of TJ Maxx and Marshalls (NYSE: TJX), obtaining information on 94 million accounts. Gonzalez’s group was also responsible for hacking into the Heartland Payment Systems, gaining access to more than 130 million credit card accounts. Javelin describes this attack as “the largest data breach reported in U.S. history.”

“Once he was out of the picture and several of his cohorts were also behind bars, big headline-grabbing data breaches subsided in 2010,” according to Javelin’s 2011 report.

Despite the drop in total losses from identity theft, the average cost per victim went up. Javelin attributes some of this to a 36% increase in cases involving debit cards, which don’t carry the same consumer protections and loss limits as credit cards.

“Credit cards offer the greatest protection [against fraud] because you have zero liability as long as you tell the issuer when you see your statement,” according to Ben Woolsey of He says that “even after you pay your bill you can still get the money refunded,” with some issuers giving you as long as 60 days to report fraud. In contrast, Woolsey says if the fraud involves a debit card “you have to catch [the fraud] within two business days and notify your bank.” Even then, you can still be on the hook for up to $50.

Last year ushered in what could turn out to be a permanent shift in the way ID thieves use stolen credit card information: for the first time, fraudulent “card not present” purchases- such as those made online or over the phone- exceeded “card present” purchases, which involve in-person transactions where a physical credit card is used. Phil Blank, managing director of security risk and fraud at Javelin, expects this trend to be permanent due to continued growth in online shopping.

In essence, it’s a constant, ever-changing game: The good guys (consumers, law enforcement agencies, security providers) come up with a way to foil would-be identity thieves. In return, the fraudsters (a creative bunch) adjust by developing new techniques. Phishing, for instance, has morphed into “smishing;”instead of sending an email to your computer, scammers are sending an urgent text message to your mobile phone- apparently from your bank or brokerage firm- requiring that you to text back confidential information. It’s the technique that hit thousands of Wells Fargo customers in Oregon last month.

Now ID thieves are mining the mother lode of personal information: social networking sites such as Facebook. These websites are especially dangerous because users' guards are down, thinking the only people accessing their page are “friends.” Often, someone will list juicy tidbits such as their birthday, the name of a parent or sibling, their home address, vacations they’ve recently taken, schools they’ve attended, the car they own, their pets- in other words, the answers to some of the most common security questions you must respond to order to gain access to website's containing extremely sensitive personal data- investment and accounts, government records, etc.

“These social websites truly don’t care about your privacy. They want you to put as much out there [as you’re willing to]. They want to exploit it,” says Woolsey. “It’s consumer beware.”

After gathering what they can on a social networking website, a skilled identity thief can head to job sites such as LinkedIn and to see if you’ve posted a resume. Now they know about your professional background, places you’ve worked, and degrees you hold. Next stop: where, armed with a ream of inside information about you, Blank says they can fake a membership in your name. This allows them to uncover the magic key to the kingdom, the most common piece of personal information that must be provided in order to access financial accounts: your mother’s maiden name!

It’s that simple.


Impersonating another individual online is the latest frontier. It’s so new there is no national law that addresses it. Most states do not have any laws that explicitly cover it, either. That could change, however, thanks to Dana Thornton. The 41-year old New Jersey woman was indicted last year for seeking revenge on her ex-boyfriend, Michael Lasalandra (a police officer), by creating a phony Facebook page under his name. She allegedly listed his date of birth, photos and posted unflattering comments about other individuals in an effort to slander Lasalandra’s reputation. Although Thornton has been charged with one count of identity theft, her defense lawyer claims state law does not specifically address creating a profile of another person on a social networking website.  If convicted, Thornton faces up to a year and a half in jail. A hearing is set for this week.

Next week: Why your mailbox is an identity thief’s best friend, who are the most vulnerable victims, economic indicators of identify theft, and how to protect yourself

Ms. Buckner is a Retirement and Financial Planning Specialist and an instructor in Franklin Templeton Investments' global Academy. The views expressed in this article are only those of Ms. Buckner or the individual commentator identified therein, and are not necessarily the views of Franklin Templeton Investments, which has not reviewed, and is not responsible for, the content. 

If you have a question for Gail Buckner and the Your $ Matters column, send them to:, along with your name and phone number.