You’d think my credit card is my best friend, judging by the amount of email it sends me.
It was getting annoying, right up to the moment when the subject line said, “Your address change.”
The email alerted me that someone tried to hijack my credit card earlier this month, bringing home the fears that have been stirred up by a string of high-profile data breaches and teaching me a hands-on lesson in fraud.
Even though I’m immersed in news about consumer data theft, it was a jolt to log into my account and see a false address and phone number. Suddenly hacking wasn’t an amorphous, computerized problem that affects other people. Someone out there had gone after me, personally.
Here’s a screenshot of my supposed new address, courtesy of Google street view, in scenic Houston. Thanks but no thanks.
The card company’s rep said the would-be fraudster changed the address on the account via a phone call. That means he — a woman’s voice would have aroused suspicion — must have my Social Security number and date of birth, as well as the card number. That’s what you need to hoodwink the ID verification process, according to the rep.
No bogus transactions were rung up — this time. The scammer did not even have time to request that a new card be sent to my “new” address, which was probably his next move.
But even if this attempt was nipped in the bud, my identifying details are out there, probably being traded on the hacker-fraudster underground. Maybe the next guy will be sharper, or luckier.
So after changing the card number and its associated passwords, I took the next step: filing an initial fraud alert with the major credit bureaus. The alert functions as a temporary, 90-day filter on your credit reports. Lenders can still pull your report to review loan applications. But, because the report is tagged with the alert, they are supposed to check to make sure they’re not dealing with an impostor.
There isn’t a specific set of steps that lenders are supposed to take, Rod Griffin, Experian’s director of public education, explained when I spoke to him recently about alerts. They are required to use “reasonable policies and procedures” to verify your identity before issuing a new card, or granting a credit limit increase, under the Fair and Accurate Credit Transactions Act.
“Presumably they’ll request additional identifying documents,” Griffin said, plus make a phone call to the number provided on the alert. I put my cell number on the form so lenders can double-check any applications made in my name.
How well does all this work? I’m about to find out. After getting confirmation that the alert had reached the other credit bureaus — the alerts are shared between TransUnion, Experian and Equifax, so you only have to file one — I applied for a new credit card. It’s nothing fancy, and my credit is strong enough that I should qualify for the extra account.
Will the issuer spot the alert and take extra security steps? Be extra careful and reject the application? Or congratulate me on my new line of credit, without checking that it’s really me?
I should know within 10 business days. Instead of the “instant approval” featured online, the card said my application needs additional review. That might be the result of the alert, or something else. At least the application didn’t sail through in the 30 seconds that the card’s website optimistically predicted, but I wonder how many really do.
In the meantime I am keeping an eye out. Filing the alert gave me access to one free copy of my credit report from each of the big three bureaus — in addition to the one yearly copy to which I am entitled under FACTA — so I can check those for suspicious activity.
The rep at my card company said she couldn’t guess how my identifying details got into the wrong hands. But it is safe to assume they’re out there. So from now on I’ll be paying close attention to my credit reports — and to those emails about transactions and other activity on my existing credit card. Thanks for the heads-up, buddy.