Friday, April 21, 2006

I (Attempt To) Track Down An Identity Thief

A little over a year ago, I became the victim of identity theft. Someone opened a bank account in my name at Commerce Bank. Since Commerce doesn't wait before crediting your account with cashed checks and money orders, it's very easy to scam them. Most banks don't put the money in your account until they've verified the checks and money orders are real. To Commerce, this is inconvenient. Also, Commerce Bank doesn't believe in little details like making sure the addresses match, making sure the person's driver's license matches, or anything else like that. So this guy used the account he opened up under my name and cashed bad checks. I'm still getting calls from collection agencies to this day, despite having reported the whole situation to the police, Commerce Bank, my own bank, and all three credit agencies.

So I have a vendetta against identity thieves.

I got an email today on my work account. It read, in part:

Chase Bank is constantly working to ensure security by regularly screening the accounts in our system. We recently reviewed your account, and we need more information to help us provide you with secure service. Until we can collect this information, your access to sensitive account features will be limited. We would like to restore your access as soon as possible, and we apologize for the inconvenience.
It then asked me to go to a website, where they would "confirm my identity."

I was immediately suspicious. Because, first of all, I don't have a Chase bank account. And second, the website they wanted me to go to was not "chase.com" but instead, a website called "gerardano.com."

If it's one thing my mom taught me, it's to not trust guys named Gerard (unless they're "Deputy" Gerard, from The Fugitive). So first, I went to the website anonymouse.org, which allows you to mask your IP address. Then I went to the website.

It was poorly designed. Clearly not a professional job. I once designed a site that mimicked the NYU athletics website and did a much better job of making it look good. Clearly, this site was not affiliated with Chase, despite the many attempts to convince me otherwise. It asked me to complete a brief survey (for which I would be paid $20 dollars!!!) and then asked me to give them my account number and account information.

I was pissed. Not only was this clearly an identity scam at work, but it was a bad identity scam too. It was a scam designed to prey on only very, very stupid people. And they had assumed I was one.

I typed the web address into the search engine at whois.net. This website allows you to look up the owner of the domain name. A lot of times, the owner will mask their identity, by registering through a third party. In this case though, it appeared I had hit the jackpot:

derek gerard
XXX X XXXX XX
kewanee, IL
XXXX_XXXX@yahoo.com
+1.XXXXXXX

[Update: Less than 2 hours after I posted this info, I got a second email with a different website link. That website was registered to a different name and address. So it's possible that info was as fraudulent as the webpage. So, for the time being, I took the contact info down until I can verify it.]

The domain was registered on 4/20/06. Suspicions confirmed. We have a thief. And we know where he lives. Maybe. Immediately I went to Google Maps. Hey you bastard, I can see you!

Did You Know: Kewanee is the "hog capital" of the world. Irony?

I typed the address into the white pages, and the name S.J. Anthony came up. One of the options was to "look up criminal records," which I didn't want to spend good money for. But if somebody out there does, they can look up "Derek Gerard" or "S.J. Anthony" and let me know what they find.

No. I haven't called the number. I'm at work, and I can't imagine how the call would go. I'll call tonight anonymously from my cell phone. I'm think 3 a.m. might be a good time.

Anyway, I sincerely hope that my sleuthing has prevented at least one other person from falling into this trap. And if you do speak to Derek/S.J. tell him the police are on their way.

The email I sent:
Dear Derek/S.J. Anthony/Whoever,

I received an email from you, pretending to be Chase bank. You gave me a link to your website, www.gerardano.com, where you tried to steal my bank account information. I just wanted you to know that I have published your name, address, telephone and email address online, so that everyone will know you're an identity thief. I even posted a link to a satelllite photo of your house!!

Now if you would please give me your social security number, I could make you feel what millions of Americans have felt. The pain of having your identity stolen. You should be ashamed of what you're doing.

I'm looking forward to hearing your response. Maybe it will convince me not to go to the police. But I doubt it.

Sincerely,

Fuck You
[UPDATE II]: Sadly, as I educate myself more about the techniques of these identity thieves, I'm starting to realize my efforts may have been, at least in part, in vain. As Antiphishing.org puts it: "Social-engineering schemes use 'spoofed' e-mails to lead consumers to counterfeit websites..." In other words, our dear friend Derek Gerard may not be the thief we're looking for. Although I still don't trust him.

Here's some tips if you receive an email like the one i received: Consumer Advice.

I guess I won't be calling that number. But I did report the scam to the authorities. These guys have to be stopped.

2 comments:

steve-o said...

Brilliant!!!

Richie said...

Interesting...I guess they finally got banks and computers out in Kansas now.

That happened to me to. Except someone rang up $1200 at Lowe's somewhere in Missouri on my credit card.

Remember mate, the world is 99% chaos. So what goes around....

Visitor Map: