Wednesday, November 29, 2006


It’s the holiday season and the stores will be filled with happy families rushing for last moment presents for loved ones and friends. The stores will also be filled with criminals and thieves intent on having a happy holiday at your expense.

For stores and merchants this is the busiest time of the year and almost every store will run short handed and often with untrustworthy temporary employees. Normal credit checking procedures will not be followed or waved as merchants try to capture as much income as possible. Instant store credit will often be granted without ID verification or credit checking.

What can you do to protect yourself during this season?

Here are KnightsBridge Castle’s suggestions for extra care during the holidays:

Check you credit card when it is returned to you to make sure it is you own, and not substitute.

If possible, don’t let your credit card out of your view when processing payments at a store.

Check your on-line credit accounts frequently – at least weekly or more often for early detection of fraud.

Close unused and dormant merchant accounts. These accounts are like open doors inviting thieves to enter your home and accounts.

Shop on-line. Many risks are reduced through on-line shopping.

Make a photocopy of the contents of your purse or wallet. If your wallet or purse are stolen are you going to remember exactly what you were carrying? Can you take action to close accounts within moments of the detection of theft?

If possible avoid making payments to temporary employees. Seek a supervisor or long term employee to handle your transactions.

Never apply for instant store credit. Instant store credit only provides thieves with effective and riskless ways to steal from merchants. You pay higher prices as a result.

Watch you incoming mail very closely for new unauthorized credit card welcome letters or cards. Last Christmas we had clients discovering up to 11 unauthorized cards during the hollidays.

To ensure a truly happy holiday, take a little extra care.

Tuesday, November 28, 2006


An all too common and overlooked fraud is credit card substitution. In this fraud your credit card is taken for a given transaction and a substitute card of similar appearance returned to you. It may be a fraudulent card or an expired card.

The fraudster hopes you will not notice that the card has been substituted, and most people don’t really look at their card when it is used to process a transaction. This gives the fraudster both your card and valuable time to use the card for fraudulent transactions. If you notice that the card was substituted the sales clerk will claim an error, feign embarrassment, and then find your real card.

It’s always wise to take a quick look at credit cards, ATM cards, and debit cards when returned by a merchant to ensure that the card has not been substituted or for that matter that the merchant during a busy Christmas season has not mixed you card with another.

Wednesday, November 22, 2006


Phishing Scams – Definitions and Protection

We all need to be aware of the online scam known as "phishing" (a variant of the word "fishing"). Phishing involves the use of e-mail messages that appears to originate from a bank or trusted business or government agency such as PayPal, Ebay, Bank of America, the IRS or another source, but they are actually originating from thieves and criminals.

Phishing e-mails typically ask you to click a URL link to visit a Web site. Once on the website you are asked to enter or confirm personal financial information such as your account numbers, passwords, Social Security number or other data. Although these Web sites appear legitimate, they are not. These impersonation websites are the domain of thieves and organized crime groups. Giving up your personal information in the name of “confirming” your account is in essence giving the thief or crime group the keys to your kingdom. Some sites that you click on may appear temporarily out of service, in reality the site may be downloading a virus and or other malware (ill-intended software) to your computer.How can you spot a phishing scam?

Look for these warning signs:

-- Urgency. The message you receive often insists you to act immediately by suggesting that your account is threatened or will expire soon. It often says that if you fail to update, verify or confirm your personal or account information, your account will be closed. Several years ago these messages often contained spelling errors and grammatical errors often reflecting their origin off shore. However this is no longer true. The best phising scams in recent months have been using perfect English and grammar.

-- Demands for personal information. Ethical businesses will never ask for confirming information from you by email. They already have this information and the do not need it again. Modern computer systems simply do not loose this information or require you to re-confirm your data. Requests for the following information is a flashing red light indicating identity theft pending if you respond.
-.- Account numbers and passwords
-.- Credit and check card numbers
-.- Social Security numbers
-.- Online banking user IDs and passwords
-.- Mother's maiden name
-.- Date of birth
-.- Other confidential information

-- Download Software Demands Never install software downloads directly from e-mail messages, or from companies or Web sites you do not recognize. If you are instructed to download new software, go to your browser, search on the name of the business, and download from the business site directly. If you don’t find the new download instructions prominently displayed on the landing page you can be assured the email is originating from criminals.

-- HTTPS is no longer a protection. Organized crime groups are purchasing legitimate security software that indicates you are on a secure and encrypted site. Do not rely on the HTTPS element. Yes the link is secure, but you’re still talking to organized criminals.

Basic Safety Tips

-- Be suspicious of demanding messages. Messages threatening to terminate or suspend your account without your quick response should be treated as suspicious.

-- Businesses never ask for confirming information on-line, by telephone, or in a fax. A legitimate business will never request personal information from you by email, on the phone (if the call is initiated by them), or in a fax. If you are concerned call your trusted business directly using the telephone number found in the phone directory or on your statement. Do not use the telephone number provided in the phishing email – you will only end up talking to the criminals.

-- Never download software originating in an unsolicited email. Installing unsolicited software from an email is asking to be robbed.

-- Never click on the URL provided within an email. The URL may look legitimate, may have the company name, and an HTTPS indicator, but its still a criminal site. Always type in the URL yourself or better yet use your browser and search for the general corporate website and begin you account access there.

-- Never give out your password except to logon. Never logon using the URL contained in an email.

-- Install and maintain anti-virus, anti-spam, and spyware detection software. It’s a fact of life, you cannot use online systems without these critical protections installed.

Useful Links to Phishing Information Websites

phishing brochure provided by The Office of the Comptroller of the Currency (OCC).

"How Not to Get Hooked by the 'Phishing' Scam," available at:,

"ID Theft: When Bad Things Happen to Your Good Name," available at: This is a general publication on ID Theft and is usefull, however in the opinion of KnightsBridge Castle it misleads victims into thinking that federal government agencies such as the FTC or the Social Security Administration is prepared to assist them in recovery. In our extensive experience, and by the admission of these agencies, they will not or cannot assit individual victims in any meaningfull way.

Recent phishing scams – Our blog reports on recent and new phishing scams every two weeks. However many phishing scams are years old, such as the PayPal scams.

General Advice

Install and Use Anti-Virus ProgramsViruses can infect a home computer in many ways: through floppy disks, CDs, e-mail, Web sites and downloaded files. Anti-virus programs help protect your computer against most viruses, worms, Trojans and other unwanted invaders that can make your computer "sick." Viruses, worms and the like often perform malicious acts, such as deleting files, accessing personal data or using your computer to attack other computers. If a file is infected with a virus, most anti-virus programs provide you with options of how to respond, such as removing the harmful item or deleting the file. Installing an anti-virus program and keeping it up-to-date is the best defense for your home computer.Firewalls: What Are They and How Do I Use Them?Before you connect your computer to the Internet, you should install a firewall. A firewall can be generally described as a security guard for your home computer. The guard is a piece of software or hardware that helps protect your PC against hackers and many computer viruses and worms. With a firewall, you define which connections between your computer and other computers on the Internet are allowed and which are denied. There are firewall programs, both free and available for purchase that provides the capabilities you need to help make your home computer more secure.E-mail AttachmentsE-mail viruses and worms are fairly common. Here are steps you can use to help you decide what to do with every e-mail message attachment you receive. You should only open and read a message that passes all of these tests:

The know test—is the e-mail from someone you know?
The received test—have you received e-mail from this person before?
The expect test—were you expecting e-mail with an attachment from this sender?
The sense test—does the e-mail subject make sense based on who is sending the e-mail? Would you expect this type of attachment from this person?
The virus test—does this e-mail contain a virus? To determine this, you need to install and use an anti-virus program.

Purchasing and Installing Programs

Apply these practices when you select software for your home computer.

Learn as much as you can about the product and what it does before you purchase it.

Understand the refund/return policy before you make your purchase.

Buy from a local store that you already know or a national chain with an established reputation. If you buy software on-line access the vendor by searching first on your browser. Be carefull to make sure that you have spelled the company name correctly. There are criminals who will take advantage of a mispelling.

Keep Your System Up-to-Date. Use the automatic update feature of these protection programs. At KnightsBridge Castle our few on-line systems are updated many times a day by our service providers.

Backups: How Important?It is a good practice to back up important files and folders on your computer. To back up files, you can make copies onto media that you can safely store elsewhere, such as CDs or floppy discs.

For more information on home computer security, visit

As always KnightsBridge Castle is prepared to assist you in the prevention, detection, recovery, and prosecution of the many crimes of identity theft.


Tax liens are public records and for many years the Social Security Number of the person subject to the lien was included in the record. As a public record it became accessible in public records searches.

The author was subject to a tax lien placed in error by a taxing authority. The lien was placed one morning years ago and removed by the afternoon. However the public record lingered and the SSN was available to anyone with a public records search facility.

However recent legislation required that the full SSN not be released in public records. Records in recent years have not contained the last four digits of the SSN. The first five digits have been reported.

Our recurring eye-spy reporting system has noticed that for clients with old tax liens the full SSN report is slowly being replaced in favor the abbreviated SSN. The process has been slow, and it will take several years for the full SSN of old tax liens to be fully removed. However this gaping security risk is slowly being lessened.

Tax liens are more common that many people think. In an experiment in our home town of 4,000 residents, we located the full SSN of over 2,300 by searching public records for tax liens within a given zip code. In other words more than 50% of our fellow townspeople were at risk of disclosing their SSN.

However a word of caution to all. Even the elimination of tax lien reporting of full SSN’s does not eliminate the ease with which an accomplished database specialist can obtain SSN’s. Skilled searching will still find individual SSN’s with relative ease.

Tuesday, November 21, 2006


This week a report released by the Government Accountability Office (GAO) has summarized the results of a nine month study of 24 major federal agencies. The study looked into how well agencies are keeping tabs on the security of their data resources including personal information.
"Agencies have not adequately designed and effectively implemented policies for periodically testing information security controls," wrote Gregory C. Wilshusen, director of information security issues for the GAO. "While almost all agencies had documented policies for security testing, the policies did not always adequately address elements important for effective testing."
Six agencies were targeted for in-depth studies. The GAO found that these agencies did not document their test methods and results, failed to define assessment methods, didn't test their controls and couldn't determine whether previously reported problems had been addressed.
Government agencies are mandated by the Federal Information Security Management Act (FISMA) to take these steps and others to improve information security within the federal government.
KnightsBridge Castle complies with all federal and state requirements for information security. It’s unfortunate that the federal government may indeed not be in compliance with the rules it applies to individuals and business.

Monday, November 20, 2006


This week we observed two interesting events in our offices. One was an excellent phishing attempt and the other a bad billing system. Both of these events illustrate problems for business owners and individuals.

We have become very adept at spotting phishing here at KnightsBridge Castle. This morning we were notified by American Express about our business account and the necessity of capturing our business expense records before year end. The email said that to print out our business records we should click on the Amex link provided in the email and print the records. We clicked, and were presented with a very good looking clone of the Amex site. It pitched signing up for the service of printing the expense records. All we had to do was logon. At this point we stopped. Why?

We don’t have a KnightsBridge Castle corporate account with American Express. And the corporate accounts we do have allow us to print records as part of the basic service. Further our systems searched for the URL identifier of the linked site and came back with an unregistered URL! Further investigation indicated the possibility of a redirect from the URL to an unknown site. Was this a scam? Absolutely.

Now the other side of the coin.

We began to receive bills from a credit card processor by email that we did not subscribe to. The bills were from one of the largest firms. Our CFO & CPA were convinced it was fraudulent. False billing is a common fraud and large companies often pay without thinking. We all reviewed the billing notice and the several others that followed. We did not respond.

Then our credit card processing was momentarily turned off. Why? It turns out that our credit card processor had been purchased by the larger company. The larger company had failed to notify us. The company with whom we had the account continued to process our information and send its billing data. However due to confusion in the acquisition the acquiring company had also sent billing records.

This then presents a new challenge to businesses. How can one determine if a bill is valid or if it is fraudulent? In our case we always assume fraud unless we have some certainty that it is valid. Our caution here bit us because the new company failed to properly notify us and to provide adequate and correct account information

We will not change our policy on these bills. The acquiring company was PayPal. We have discussed this matter with them, they admit the error, but seem to have little concern about this issue. Given the number of times the name of PayPal is used in phishing we would expect PayPal to do a better job.

Thursday, November 16, 2006


Here is a summary of phishing attempts from November 1 to November 15, 2006.

You may click on the bank name to see an image of the actual phishing attempt. Images are provided by WebSense.

Phishing Alert
State Bank of India

Phishing Alert
First Exchange Bank

Phishing Alert
Central National Bank of Enid

Phishing Alert
Fake Bank: McLloyds Bank International

Phishing Alert
Emporiki Bank

Phishing Alert
Crane Federal Credit Union

Phishing Alert
HawaiiUSA Federal Credit Union

Phishing Alert
Northern Federal Credit Union

Phishing Alert
Sears Card

Phishing Alert
Arizona Bank & Trust

Phishing Alert
Ouachita Independent Bank

Malicious Website / Malicious Code
Fradulent You Tube video on MySpace installing Zango Cash

Phishing Alert
Sears Card


Here is the text of this weeks email scam:

Thanks for your mail and for accepting my offer. I apologize for my late reply. Its due to my duties here.

Since your last e-mail to me on the month of February, I could not reply back because my troops were camping at the road to the Jordanian border. That makes it difficult for me to check my email.

I have every proof of this transaction, only I need your assistance in smuggling this money out of Iraq.

I am ready now to transfer the money to you after counting which took me days. The total amount is $6.8million in $100 bills.

I want you to send your banking details to enable the transfer of the money.

After I finished the transfer, you will take 50 percent of the money and deposit the rest in your bank for me.

I am giving you all the trust and I believe that with the help of God, we will successfully transfer this money out of Iraq.

Please do not disclose this to anybody as to protect my duty with the US Marine.

Captain Mark Edwards, Iraq.

Tuesday, November 14, 2006


Today's email scam had everyone here at KnightsBridge Castle shaking our heads.

We were notified by a prominent regional credit union that as good customers they wanted us to fill out a satisfaction survey and in return we would be paid $100. The logo of the website we were directed to looked very good and the page was well designed. Upon completion of the survey the survey company asked which bank account we wished to have our $100 deposited into. We need only supply the bank account number and pin!

We traced the server to a location in Romania.

The federal credit union has posted prominently upon its own website a warning about this scam. Unfortunately a few victims will respond and not go directly to the credit union site for confirmation. The take the easy way, clicking on the email link, and they land right in the lap of a Romanian crime group.

Thursday, November 09, 2006


The USPS reported recently that 20% of residents do not file change of address notices with the USPS when they move! A quick analysis indicates that the 20 to 28 year old age group are the most likely not to take advantage of this critical identity protection provision of the USPS’s services.

This age group is highly coveted by credit card issuers and they are targeted for “pre-approved” credit offers. As their mail piles up identity thieves move in.

Don’t leave undelivered mail behind. It’s inviting identity theft and the chaos that inevitably follows.


The US Department of the Treasury's Financial Crimes Enforcement Network (FinCEN) reported in a new study that mortgage loan fraud in the United States continues to rise, and has risen 35 percent in the past year.

FinCEN conducted the assessment, which was based on an analysis of Suspicious Activity Reports (SARs) regarding suspected mortgage loan fraud, to identify trends and patterns that may be useful to law enforcement, regulatory authorities, and financial institutions offering mortgage loan products.

FinCEN began its assessment after noticing a significant increase in the filing of SARs concerning mortgage loan fraud. Since the inclusion of mortgage loan fraud as a characterization of suspicious activity, the number of SARs pertaining to mortgage loan fraud increased 1,411 percent by 2005. Many of the SARs reviewed included more than one characterization of suspicious activity in addition to mortgage fraud. "False statement" was the most reported activity in conjunction with mortgage loan fraud, while "identity theft" was the fastest growing secondary characterization reported.

FinCEN's Office of Regulatory Analysis reviewed SARs that depository institutions filed between April 1, 1996 and March 31, 2006. A search of SARs containing "mortgage loan fraud" as a characterization of suspicious activity retrieved 82,851 reports, of which a statistical random sampling of 1,054 were reviewed for additional analysis. SARs included in this assessment reported suspicious activity related to mortgage fraud in all 50 states, the District of Columbia, Puerto Rico, Guam and American Samoa.

"SARs are useful as both a regulatory and law enforcement tool," said Robert W. Werner, Director of the Financial Crimes Enforcement Network. "FinCEN offers a unique analytical perspective because of its position at the intersection of law enforcement and the financial industry. This information will help both constituencies assess the risks to the financial system from their points of view."

FinCEN's findings in the assessment are supported by the recent rise in the number of pending law enforcement cases involving mortgage loan fraud.
FinCEN's Mortgage Loan Fraud Assessment is available

Consumers owining realestate, or buying and selling realestate must excercise extreme caution in protecting their property assets. Recovery of stolen realestate is very costly often costing tens of thousands of dollars in lawyers fees to fr-establish title. Law enforcement and banking institutions will be of no help in mitigating these very real out of pocket expenses. Protecting your property is your responsibility as is the financial consequences of such protection.

Wednesday, November 08, 2006


The real estate market in the US is huge and wherever there is money to be made identity thieves will strike. According to the FBI last year identity thieves skimmed $1 billion from the $3 trillion US mortgage market.

Unfortunately for the victims the financial costs of recovery are large and cannot be passed on to someone else. Victims typically spend tens of thousands of dollars on lawyers and in court costs to extract themselves from mortgage frauds. Real estate is not purchased on credit cards and there is no “friendly” bank that will assist you in recovering from the financial impact of this crime.

The scams are many but they often involve con men purchasing your home and then rapidly reselling the home or refinancing the home. Using false identities with forged identity documents the purchaser arranges financing, or takes owner financing. Within moments of completing a deal the home is often sold to another unsuspecting victim or refinanced in such a way as to yield quick cash. The thief then assumes another identity and dissapears leaving the victims to clean up the financial mess.

The real estate market is slowing down and police authorities expect that mortgage fraud is likely to rise. Why? Desperate and anxious sellers will not scrutinize deals and buyers as they have in the past. Using con artist skills, mortgage fraudsters take advantage of a buyers desire for a quick sale.

Not all real estate fraud and theft involves an interaction between the seller and the buyer. Often the identity thief commits the crime simply using forging skills and access to public records.

One recent report about identity thief and con artist Bevin Cox illustrates the enormous cost of this criminal activity. Cox identified his victims by studying the MLS (multiple listing service) ads for real estate. He studied title documents, visited the court house for property records, all the while making copies of critical documents.

Using basic forging skills he created false bills of sale and then either sold the property to others or refinanced the property directly with banks.

Cox is thought to have taken more than $15 million in these criminal transactions. He is now on the run from the law. The Secret Service wants to see him and he is considered armed and dangerous.

Our Identity Theft Most Wanted blog has carried a description of Cox since August 15. You can visit the Most Wanted blog by clicking on the link on the right hand side of this blog.

Tuesday, November 07, 2006


Microsoft’s new and long delayed Internet Explore release 7 was tested at KnightsBridge Castle this week and it failed in several critical ways – but the biggest failure was to report known secure sites as not secure.

KnightsBridge castle uses a lot of the most secure internet sites in the world in fighting identity theft crimes – including investigative databases and federal policing authorities. Many of these sites when accessed receive a warning from the new IE7 that the site is un-secure.

Here is the message returned from IE7. not only for our very secure site, but also for one of our governments most secure sites:

There is a problem with this website's security certificate.

The security certificate presented by this website was not issued by a trusted certificate authority.

Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.

We recommend that you close this webpage and do not continue to this website.

Our website certificates and that of the Federal Government site we reference are valid and current. Microsoft needs to fix this problem soon or loose any credibility with the internet community.


Just when the public begins to understand the value of HTTPS:// and the importance of certificate checking via suppliers like Verisign, the criminals have begun to effectively mimic these safeguards and fool consumers into risky activity. These precautionary security provisions are now of little value as criminals have developed increasingly sophisticated impersonation schemes.

In the past few weeks we have noticed spam emails which lead to either valid HTTPS sites or mimicked sites. In the case of valid HTTPS sites, the criminals have purchased secure server programs in order to commit their crime. The unsuspecting citizen is actually on a secure connection, but he is connected, not to the legitimate business he seeks, but directly to the criminal site.

In other cases criminal webmasters have pasted on top of the URL an image block that says it’s HTTPS and that it’s connected to a legitimate vendor, but in fact the connection is to a criminal site.

In addition the familiar VeriSign logo has been copied and when clicked you are provided with what looks like an authentic certification from VeriSign. It’s not authentic, but it looks good. Only an expert can tell and then only by examining the source code – not for what it says, but for what is missing.

At KnightsBridge Castle we have had to change our internal authentication methodologies in order to avoid these traps. The tools we use are sophisticated and unavailable to most internet users. The solution for consumers seeking safe replies to email notifications? --- We don’t have one. Only be careful and don’t ever supply personal information over the internet when receiving a notification email from PayPal, Ebay, Bank of America, Network Solutions, or anyone.

If you need to access you account ignore the convenient email link. Go to your browser. Search for the home page of the company you seek and then access your account. It’s not fool proof, but its some protection.


  1. Swedish Hospital in Seattle reported that an employee took names, birthdates, and social security numbers from files at the hospital for at least three patients. The stolen identities were used to apply for false credit and to purchase items at Wall Mart, Zales, and Banana Republic.

    The employee was a support services worker. Although the hospital is notifying over 1,100 patients of the personal information security breach, a spokesman said that only three patients were compromised. Free credit reporting was offered to all affected.

    What’s wrong with this picture?

    Swedish Hospital’s continues to use badly flawed systems and processes as well as offering an entirely misleading and ineffective free "credit monitoring" service.

Management at the hospital needs to address the following critical items:

-- Are background checks, including criminal checks, performed on all employees, subcontractors, or others who may have access to data?

-- How are service workers to be restricted from accessing data in the future?

-- How can the hospital be certain that only three of 1,100 exposed patients were the only ones affected?

-- Why are social security number still used as identifiers for patients?

And the most important issue:

-- Why is Swedish Hospital offering useless “credit monitoring” services to "at risk patients", rather than providing effective and meaningful protection? We have written often about the ineffective nature of “credit monitoring”, but we suspect that few "at risk patients" realize that credit monitoring systems will notify them of credit breaches long after the breach has occurred, and usually after they have been contacted by creditors demanding payment.

Most importantly, credit monitoring is useless is providing meaningful protection against the preponderance of identity theft crimes using social security numbers such as employment fraud, tax fraud, medical benefits fraud, driver’s license fraud, and over 80 other crimes of fraud using social security numbers.

Swedish Hospital has failed its patients twice – first in not providing adequate safeguards against this horrendous crime, and secondly in offering useless remediation to the criminal act.

Friday, November 03, 2006


Terrence Chalk, CEO of the respected service provider Compulinx was arrested this week on charges of stealing the identities of his employees in order to secure credit cards and fraudulent loans.

Chalk is charged with submitting some $1 million worth of credit applications using the names and personal information -- names, addresses and social security numbers -- of some of Compulinx's 50 employees.

Workplace identity theft is the most common form of identity theft. Data stolen from the workplace, wallets and purses stolen in the work place, employee data theft, poor data protection and privacy protection, all contribute to work place data theft and identity theft.

This twist, the CEO as the culprit, is unusual.


RFID (Radio Frequency Identifier Technology) allows specially equipped radio receivers to read the contents of an identification chip from a distance. These chips have been appearing in credit cards, drivers licenses, and now in the new US Government passports.

The chips contain information about the person and the information contained within the document, license, or passport. Government and business raced to put these new technologies into production in order to speed up information processing services. With RFID in a passport, it was thought that citizens could clear customs and immegration quickly when returning to the US. Rather than hand the passport directly to the customs agent, the passport could be read without leaving your pocket or purse.

However the new technology allows hackers to access personal information with small receivers. They need only stand near the RFID enabled card or passport to read the contents of the document. In a recent study by the University of Massachusetts two RFID readers were purchased. The RFID readers scanned credit cards issues by VISA, MasterCard and American Express and uncovered numerous vulnerabilities. Even thought the contents of the cards were deeply encrypted, the researchers were able to relay data to decryption software and then read the contents including personal information.

In testimony before Congress, government agencies assured congress that RFID technologies were safe for US Passports. At KnightsBridge Castle, we believe that this technology is not safe and especially for a US passport.

Wednesday, November 01, 2006


It will soon be Christmas and as the holidays set in stores, shopping districts, and the malls of America will be busy with shoppers and identity thieves. Christmas and New Years are the harvest season for identity thieves, as they commit their frauds and theft, while honest citizens and shopkeepers are too busy to pay careful attention.

Among the many crimes of the season is the “instant store credit” theft. Using forged identity documents and a stolen ATM or credit card number, identity thieves present themselves to store clerks as prepared to buy merchandise. The identity thief provides identification and a forged credit card, but before the transaction is completed, the thief applies for instant store credit. Many merchants’ provide incentives to customers to apply for store credit as a way of improving sales and reducing the expenses of credit card charges. Sales clerks are often encouraged to offer instant store credit if a customer provides identification and a seemingly valid credit card.

Once instant store credit is granted the identity thief purchases the maximum amount of merchandise allowed. The amount is usually under $1000. The items purchased have immediate resale value on the street or, in a variant on the scam the merchandise is returned for cash within hours of purchase.

This technique for identity theft works because criminals know that “credit checks” for instant store credit are not performed before the credit is issued. Customers are in a hurry, sales clerks are incented to provide instant credit, and the credit department of the store are swamped.

Last Christmas, we a KnightsBridge Castle had a client who discovered 27 applications for instant store credit in a two day period before Christmas. 11 cards were granted. All cards were maxed out within moments of issue. The client discovered the crime only when the cards arrived in the mail.

Credit monitoring, fraud alerts, or even a credit freeze does not prevent these crimes. Why? Because the credit is issued before a credit check is run.

Blog tracker