On Crime & Security
In 2004, Patrick L. Meehan, the U.S. Attorney for Eastern Pennsylvania, filed an indictment charging Harold J. McCoy, Danielle Baker and Karynn R. Long with a variety of federal charges dealing with an identity fraud scheme that stole the personal information of blood donors. The defendants used the information to obtain credit for purchases of merchandise, cash counterfeit checks and obtain bank loans.
According to the indictment, the defendants engaged in this scheme throughout the eastern United States from approximately August 2002 to April 2003. At the direction of McCoy, Baker, an employee of the American Red Cross, stole names, dates of birth, social security numbers, addresses, telephone numbers, places of employment and other information from the computer records of the Red Cross blood drives.
McCoy and his cohorts targeted the victims based on their jobs with companies that paid high salaries, which made it easier to obtain credit. With the personal information from 40 victims, they thieves went on to fraudulently obtain $268,000 in cash and merchandise in more than 170 illegal transactions.
“You had people literally giving something of themselves to help others only to learn later that they wound up giving more than they imagined,” Meehan said. “This was a case in which people paid a price for their compassion. These defendants were responsible for a crisis from which the individual victims and the Red Cross are still trying to recover.”
This fraud case had a significant impact on the Red Cross, as many companies refused to participate in future blood drives. The Red Cross has estimated its loss from this fraud to be at least $455,000, as it had to purchase blood from other parts of the country to make up for the lost donations.
The indictment also noted that the financial loss to retail establishments, credit card companies and banks in this case was approximately $268,762.
The Red Cross defendants received prison sentences ranging from 18 months to 162 months.
I thought the Red Cross identity fraud case clearly illustrates the wide ranging effects of this crime. I contacted Richard Goldberg, an assistant U.S. Attorney and the chief of the Financial Institution Fraud & Identity Theft Section, for the U.S. Attorney’s Office, Eastern District, Pennsylvania, and asked him how business people were hurt by identity fraud cases.
“Businesses are hurt by identity theft when customers trace the theft back to the business,” Goldberg said. “When they realize that a crime is being committed at a certain location, they don’t want to take their business there anymore.”
“A good business – big and small – has to recognize that as much care as they take to safeguard their proceeds, whether cash, checks or money wired into their accounts, they have to take equal care to safeguard the information they have in their files and computers. It is just as valuable,” Goldberg explained.
Goldberg said that you must have physical security so that someone can’t just go in and walk out with a computer that holds all of your customer information. You also have to screen your employees. Many employees realize that information is worth a lot of money.
“Social engineering is much easier than hacking into a system,” Goldberg said. “To do a hacking job, you have to be experienced with computers and know to get information from the computer you’ve hacked, but to corrupt one of your employees, either with money or romance, is a low-tech technique. You can be a common thief and manage to commit identity theft if you pay off the receptionist to steal identity information.”
Goldberg said that in the Red Cross case, McCoy managed to corrupt an employee at Red Cross that had access to donor information. He convinced her that he was in love with her. He told her that the two of them should set up an apartment somewhere, but as they didn’t have enough money, she could steal identity information which would then give them enough money to live in style. Of course, Goldberg said, McCoy wasn’t really in love with her - and he was living with another woman at the time.
Goldberg said that when thieves get identity information they go to someone who can generate a fake ID and that person is now you! They’ll have a photo, a name, a social security number and a date of birth.
“There is no way that a person doing an instant credit application at a Home Depot will know that you’re not the Joe Jones that is standing in front of them,” Goldberg said. “So they are going to give them $4,000 of credit on the spot. No one will know for a while that they let that merchandize walk out with someone that is never going to pay for it.”
Goldberg explained that Home Depot will go to their collection agent and the collection agent will realize that the social security number has two addresses connected to it. One for the bad guy and one for the good guy. He will notify the good guy, who will say that he has never been to that store or event that state. Then it becomes a problem both for the business that lost the money and has to pay the collection agent and the consumer, who has to clear his or her name.
“Businesses have a bit of a quandary. They want to make that sale. They can slow the process down by checking with a credit agency or by asking that person at the counter more questions about themselves, but some buyers might get frustrated by that and just walk out.”
There are two types of identity thieves, Goldberg explained. One is the homegrown variety where a relative is scamming another relative – children taking their parent's or brother’s ID information.
The other type is the real criminal who is generally part of a highly professional organization. Goldberg said that these organizations have the tasks of individual members broken down so that it is almost like a spy cell. No one knows in particular who they are dealing with.
“The person who gets the information from the insider is not the person who makes the fake licenses,” Goldberg explained. “He never makes any contact with the insider, they remain completely separate. They may have runners who go to shopping malls, which is where you are likely to get caught if you are going to get caught. Sometimes store security gets called, so you use those ID runners, many of whom are drug addicts.”
The runners don’t know anyone back up the chain, so they can’t implicate the others, Goldberg noted. They have just been given a counterfeit check or a credit card and a fake ID and told to go in and buy a microwave.
“Identity theft causes billions of dollars in losses to businesses each year,” Goldberg said. “Business people should be seriously concerned about identity theft.”
The U.S. Attorney’s office recommends that businesses can prevent identity theft and reduce the harm it causes by taking the following steps:
- Screen employees carefully and repeat the process frequently.
- Limit which employees have access to sensitive information about clients and customers.
- Create an audit trail so that you can locate the source of the leak if identity thefts occur.
- If an identity theft occurs, contact law enforcement immediately. They can help you investigate and determine how the information was stolen. By taking this step, you might be able to limit your liability in a future law suit.