New Credit Protection Laws Including Other Tips to Avoid Being a Victim of Fraud

By Michael Selinfreund, President / General Counsel of Counsel of Cherry Creek Title Services, Inc.
This article is intended for educational purposes only and not as legal advice. You can view dozens of articles and educational videos of mine at www.cherrycreektitle.com, and the videos are also available on the Cherry Creek Title Services’ YouTube channel.

A credit freeze is a very effective and free tool to avoid being a victim of identity fraud.  It costs nothing; lasts for seven years, and you can release it temporarily or even just for the benefit of one prospective creditor. And, you don’t need to have been a prior victim of credit fraud and provide a police report to qualify for a freeze. You will need to add the freeze separately to the three major credit bureaus: Equifax, Transunion and Experian, and you must also release each freeze separately should the need arise. You’ll do so with a PIN you’ll receive. Parents and Guardians will be able to freeze the credit of a child under 16. To establish credit freezes with the 3 main bureaus, just go to the respective websites of Equifax, Transunion and Experian. Alternatively, you can call and write them as well. As of September 21, 2018, new federal legislation, the Economic Growth, Regulatory Relief and Consumer Protection Act, goes into effect requiring all three credit bureaus to freeze and unfreeze their credit reports free of charge. This legislation comes about after last fall’s breach at Equifax whereby the credit of 150 million Americans was compromised. The new law further requires each credit bureau to set up a credit freeze webpage and act on online and over the phone requests within one business day. If the request is received by mail, they will have three business days to freeze the credit report. If you unfreeze your credit online or by phone, the freeze must be lifted in an hour.

Another option is to put a fraud alert on your credit report by contacting any one of the three main bureaus. They have to share the fraud alert with the other two. Fraud alerts have always been free and lasted for 90 days; however, as of September 21, 2018, they will last one year (seven if you’ve been an actual victim of identify theft). And then of course, you can put another one for the subsequent year indefinitely. In the event any fraudster attempts to open new credit or extend existing credit in your name, a call is made to the phone number you provide when placing the freeze by one of the bureaus and many difficult questions off your credit file going back many years will be asked to confirm your identity. I prefer the fraud alert to the credit freeze. It’s easier to place it with 1 bureau forced to share it with all 3 rather than all 3 separately as the freeze requires. It doesn’t have to be unfrozen (and then frozen again at all 3 bureaus) when you need to allow a creditor or even a utility company, potential employer, licensing agency etc. to pull your credit. I’ve used the fraud alert for many years without a single fraudster attempting to commit identity fraud against me despite being the victim of several breaches besides the Equifax breach.

For your credit card and bank accounts, set-up your profile so you get text messages and/or emails every time a charge is placed on your account or an item or ACH is processing through your bank account. This way you’ll know immediately if your bank account or credit card has been compromised and can contact the bank and/or credit card company to freeze the account from any further fraud. You aren’t responsible for fraudulent charges, but it’s a lot easier to have just 1 or 2 that you instantly stop than wait until the end of a billing cycle and discover dozens of fraudulent charges. I log in to my bank, securities and credit card accounts daily to review the activity in addition to receiving alerts. By catching any fraud early, you minimize the number of fraudulent charges plus you’re giving the bank and/or credit card company/merchant services company immediate notice to stop any further fraud.

I recommend using soft or hard tokens for any of your financial accounts that offer them. A hard token is a small physical device that generates a random number which changes continually. Most change every 30-60 seconds. To access your brokerage account, bank account, etc., you must enter the number on the token in addition to your password. A soft token is a code sent to you via text message or through an app that you enter along with your password. Soft tokens appear to be the future. Tokens make it extremely difficult for a fraudster to gain access to your financial accounts. Get in the habit of looking daily at all of your financial accounts online. I recommend buying an inexpensive extra computer like a Chromebook that you never use for email nor to surf any sites on the internet other than just your known financial account sites. Malware typically infects your computer via email attachments and malicious websites. By having a separate “clean” computer that is NEVER used for email nor for searching the web, you eliminate the opportunity for malware to invade your computer and steal your financial information.

Regarding your personal checking account, use a computer-based program like Quicken and reconcile your bank account daily. It only takes a few minutes, and that will enable you to see any fraudulent checks or fraudulent ACH debits as they occur so you can take immediate action with your bank if any are fraudulent. FDIC covers you on your personal account. Buy secure checks for personal or business accounts that cannot be washed. I use Safechecks based in California, but other companies such as Intuit sell secure checks. Pay as many bills as possible through your credit card and via ACH payments minimizing your check activity.  For those that still hand write their checks, besides using secure checks, fill them out with a Uniball 207 pen.

A business account doesn’t have FDIC coverage so you should add positive pay or payee positive pay to your business accounts. It allows you to inform the bank manually or via an upload of an .xls or .csv file of the checks you write so that any items that you haven’t pre-authorized become exception items. You then have a certain amount of time to reject them from being paid or even set up your account so all exceptions automatically are returned unpaid. I don’t recommend the latter as exceptions are created for innocent reasons such as MICR line reading errors or forgetting to enter the item in positive pay, and it’s nice to still approve those items rather than having them automatically returned.  Your bank will tell you how long you have to approve or reject any exceptions if you go the route.  It will be by a certain time the following day after the item is presented to your account.  I prefer the option whereby items are paid by default unless I object. I review all exceptions very early every morning and act accordingly. On your business account, you’ll want to add ACH filters or blocks; wire blocks (at least an international one if you send wires), dual authentification; a soft or hard token to send and verify wires; and clean computers, as discussed above, dedicated solely to wires and financial matters that you lock up when not in use. Sit down with your banker at least once a year to discuss your account security features and new products and procedures your bank offers to keep your money secure. Lock up your checks and your financial computers since fraudsters often garner their information from people working on office cleaning crews. They switch keyboards so they can monitor keystrokes to procure your passwords; access your USB ports to install malware, steal checks, etc.

If you have an entity such as a corporation or LLC in Colorado (and many other states), for no cost, you can secure your entity by procuring password-only access from the Secretary of State. If your entity is based in another state, make sure it either already requires a password or see if you can add one. The password makes it far more difficult for a fraudster to file any documents regarding your entity. Business identity fraud exists, and that’s why the state offers the ability to secure your entity.

Cross-cut shred anything financial or with your name, social, account numbers etc. I read about fraud activity regularly, and much of it still originates with the theft of information procured from your trash or from your outgoing mail containing checks. They either wash the stolen checks or print up new checks in your name with the MICR line information (routing and account number) they steal off your check. So, again, try to set up as many payees as possible to accept credit card payments or ACH payment in lieu of writing checks. For the checks you mail, only send your mail through a secure mailbox. Most neighborhoods have mail stations with locked outgoing mailboxes as do most office buildings. If you have to, go to the post office.

On your non-secure computers, add an anti-malware program such as Malware Bytes and an anti-virus software program such as AVG. Image your computer once a month on a portable drive. I image mine weekly using Acronium. I back-up daily to the cloud, another computer and also to a portable drive. I run windows defender in windows 10. I back up my QuickBooks and Quicken files plus key spread sheets on a thumb drive daily. Open no email attachments unless you’re positive you know where it originated, and I recommend never answering your phone if you don’t know the caller. People still get duped all the time into providing confidential information or even making payments by fraudsters posing as the IRS or one of your financial accounts. The IRS and your bank will never call you seeking such information or payments. And always assume anything you’re asked to click on inside an email is a malicious link with the intent of corrupting your computer. I make sure I’m expecting the attachment and the sender is exactly who I expect it to be by carefully inspecting the sender line and often calling the sender on a known number to verify they sent it. I also often open attachments first on my phone to confirm their authenticity since I don’t keep anything confidential on my phone and such malware is not typically written to corrupt your mobile device. Besides, I won’t open anything until I’m 99.9% sure it’s legitimate even on my phone.

Regarding email accounts, for all your email activity that contains any confidential or non-public information, do not use a public email account such as Gmail.  I pay $55.00 per month for 10 email accounts hosted by a secure email server that filters out spam emails and emails containing malicious content. I send my personal email through Comcast and use Gmail accounts for those I don’t wish to have my primary personal email information.

Finally, if you find yourself sending a wire, absolutely assume you’ve been given fraudulent wiring instructions and go from there. Contact the receiving party directly on a confirmed legitimate phone number or go visit them and confirm the accuracy of the wiring instructions. Never trust any email you receive attempting to modify those instructions regardless of how authentic it appears. Immediately go back through the steps above and confirm everything with the receiving party after ensuring you really are communicating with the receiving party and not a fraudster. The amount of buyer funds to close real estate transactions that are being hijacked by fraudsters tricking the sender of the wire with phony emails is epidemic. In the alternative, shop for a title company that will accept a cashier’s check as many still do especially given the current risks associated with wires being irretrievably stolen.

I recommend storing your password and account information on a password protected spreadsheet, and of course, make them complex and change them regularly.

Fraudsters are continuing to come up with new ways to steal your money. Be extremely alert every time you’re sending money through any means, and make sure you have all possible protections added to your bank and credit accounts.

Visit www.cherrycreektitle.com to view numerous articles I’ve written primarily on Colorado real estate legal topics and many are available in video form at the Cherry Creek Title Services YouTube channel.