About a month ago after getting finished with a client meeting, I was getting ready to dig into an extended financial planning project. I thought to myself that I should check my email before jumping in just in case there was anything urgent that I might want to deal with first. Oh, did I find something urgent to deal with…
As I scrolled through my email, I noticed three emails in a row from Bank of America with the following subject lines and general bodies:
- Confirmation: Email Address Updated
Your primary email address was set up or changed on 06/21/2017.Your security is important to us. If you did not authorize this change, please contact us immediately at xxx-xxx-xxxx.
- Security Alert: Your Banking Passcode Was Reset
We’re letting you know your Online Banking Passcode was reset on 06/21/2017.This alert relates to your Online Banking profile, rather than a particular account. The account number shown above is for verification purposes only.You can sign in to Online or Mobile Banking to review your account activity. If you didn’t request this change, please call us at xxx-xxx-xxxx.
- Bank of America Alert: Transfer Recipient Has Been Edited
The information for one of your transfer recipients has been changed.
What I discovered over the course of the next 30 minutes or so as I was on the phone with the bank’s customer service and then fraud department is that my bank account had been breached. In fact, the person that somehow hacked into my account was able to authenticate my identity over the phone with a Bank of America representative and this is how they were able to begin the process of stealing money from my personal checking accounts. They managed to get a total of $2,500 out of my accounts via four separate transactions. This was picked up very quickly by Bank of America and my accounts were already frozen by the time that I actually called in, but the damage had already been done.
In the end, after a fraud investigation was conducted by Bank of America, our money was reimbursed, but there was a large, inconvenient, and time sensitive project that I had to jump into in order to rectify this breach and hopefully contain it from going any further.
There were a number of steps involved in this process. I started with a basic list provided by an automated email from Bank of America and got the process under way. I was definitely on the right track, but luckily during a conversation with a friend and colleague of mine, I was referred to Carrie Kerskie, the Director of the Identity Fraud Institute at Hodges University. Not only did she personally accept my unscheduled phone call, but she spent nearly an hour with me right then and there to learn more about my situation and helped me devise a detailed plan for the steps that I should take in order to contain this problem that I had encountered.
What To Do After a Security Breach
I am certainly not a subject matter expert on the topic of identity theft or fraud and I would imagine that the prescribed action plan could vary based on the circumstance. With that said, it appears to me that many of the steps that I took would be recommended in the event of identity fraud. Without going into too much detail, here is a summary of the steps that both my wife and I ended up taking based on some of the information that I was able to find combined with Carrie’s advice:
- Contacted the identity protection and credit monitoring service that we subscribe to and alerted them of the breach
- Filed a police report
- Reported an identity theft incident with the Federal Trade Commission
- Contacted all three credit bureaus to establish a fraud alert
- Reviewed all credit reports looking for suspicious information and activity
- Froze our credit reports with all three bureaus to prevent anyone from attempting to fraudulently establish new credit
- Logged into my Social Security Administration account and set up two-factor authentication to prevent someone else from beating me to the punch
- Submitted an Identity Theft Affidavit form to the IRS to prevent anyone from attempting to fraudulently file a tax return
- Contacted the National Consumer & Telecom & Utilities Exchange to request a copy of our current report, review the report, and then freeze the report to prevent anyone from attempting to fraudulently establish new credit
- Contacted our cell phone carrier to confirm that there has been no suspicious activity and take any potential additional steps to protect our phone numbers
- Completed a request to opt out of offers for credit and insurance
- Closed our bank accounts and opened new accounts
- Requested all new credit cards
- Added both telephone and security layers where possible with all of our financial institutions
In addition to all of this, we have a number of vendors that we pay via automatic ACH or debit and those also all needed to be modified. This was clearly a stressful thing to go through and it took a lot of time and energy to remedy. We are still dealing with some follow up actions related to the problem.
While working through this all I have just continued to wonder to myself, “how did someone get a hold of this sensitive information and what could I have done to prevent it”? I think that some of the steps mentioned above could have potentially helped, but how do could I know for sure?
I am going to continue digging on this issue and do what I can to keep you informed of best practices and things that you should probably be aware of in an effort to prevent these types of things from happening in your life as they have mine. Please send me your questions and/or comments on this issue by Clicking Here.