You’ll never see it coming. You’ll be going about your daily life, riding the bus to work in the morning, sipping your Starbucks and reading the news on your phone—when out of nowhere, a collection agency will call. They’ll say you owe a credit card company $15,000. Actually, three credit card companies and a dermatologist’s office as well. They’ll say you might want to check with the IRS and your banks too, because something’s not quite right with your tax return, credit score, and savings account.
You’re stunned. You have one credit card with a balance of about $700, and you make regular payments. You live within your means, share a small apartment your girlfriend (you’re planning on getting married soon), and your FICO score’s excellent. You tell them they must have the wrong person, but they read back your full name, date of birth, and social security number, which all check out.
You have to work hard to keep from throwing up.
Allow me to introduce myself:
I’m your worst criminal nightmare.
You’ll never meet me, never see a picture of me, but I will haunt you for years. I’m Ukrainian, probably—maybe Russian. Details aren’t important. I’m young, male, computer savvy, and completely amoral. Not my fault—I grew up in a lawless, semi-failed state, so crime comes naturally to me. You can call me Yuri, just to make this simpler.
Here’s what I do for a living: ruin people’s lives.
So you ask yourself (in between desperate phone calls to Visa and Bank of America):
How could this happen?
I’ll lay it out for you. Two weeks ago, me and a bunch of my hacker friends cyber-attacked an American HMO. We spent hours probing their online defenses. We looked for backdoors to their servers. We sent phishing emails, innocuous Google docs and jpegs of a Kardashian. All it took was one careless employee to click on that attachment, and boom, the entire company network was compromised.
What was I looking for? Information—your date of birth, your home address, your gender, marital status. But mostly, what I wanted was your social security number. Once I got that…the rest was easy.
When I get a bunch of SS numbers, I sell them in bulk on a Dark Web marketplace. Cheap too, maybe ten cents a number. But if you’ve stolen a million numbers, that can add up to real money.
More lucrative are what we call “Fullz.” Fullz are just what they sound like—the full file on your identity: address, DOB, gender, and SS number as a kicker. Fullz are pricier—$30 to $100 for a live batch. Again, that money can add up.
So who did I sell your data to? Some loser in Maryland who lives in his parents’ basement and only showers once a month. We’ll call him Phil. I’ve never met Phil, and don’t want to, but here’s what he did with all that precious identity information of yours.
First, Phil applied for credit cards in your name. Lots of them. Once the cards were approved (and he was rejected a bunch of times, but not every time) and delivered (to a PO Box, not his parents’ place), he went on a spending spree. Not for stuff he wants, but for stuff he could easily resell on eBay, or Craigslist, or just out on the street.
Of course Phil, he’s never going to pay off those credit cards. He’ll default, because he knows that when the accounts are turned over to a collection agency, that agency is going to look up the social security number and…come after you.
So, now we’re back to that first moment when you realize that you’ve been the victim of a crime. But your nightmare is just beginning. Because I didn’t just sell your info to a slacker in Maryland. I sold it to as many slackers as I could find. Jon, Francois, Vladimir, Juanita. And here’s what all those other people did with your birthday, height, weight, gender, address and SS number.
They applied for mortgage loans. Big ones, small ones. They tried to buy condos and foreclosure homes. And then they applied for second loans and car loans. Sometimes in your name with a different address, but more often in their own names. They will never make a single payment on any of these loans, but they’ll move the proceeds of the sales as fast as humanly possible. Speed is of the essence, because the moment you catch on, the jig is up.
They had medical procedures. Seriously, they really did. Jon had dental work, Juanita dermabrasions. Vladimir blasted that kidney stone that’s been bugging him for years. Oh, and they billed you. Hope you’re feeling better, by the way.
They applied for a tax refund. Not theirs—yours. Before you did. (That social security number is damn useful, isn’t it?) They got that check quick, because the federal government rarely does its homework on early returns, and cashed it. Yep, they can do that. Happens all the time.
They got new cell phone numbers and ran phone scams, like dating scams or Nigerian Prince scams. Oh, and if you think that the fact that I sold your information to other Russians will protect you—because how will they scam someone in the US when they don’t speak good English—guess again. There are now fraudulent call centers where criminals can hire native English (or Italian or French or German) speakers to scam banks, utilities, or nursing home residents out of their money.
Maybe you’re thinking, well, my bank (or utility or phone company) has a way of identifying me—my mother’s maiden name or my first pet—so scammers won’t be able to trick them. This is called Knowledge Based Authentication (or KBA), and is very useful. But a friend of mine already hacked into Lexis-Nexis once (in 2013), and he’ll do it again soon. Lexis-Nexis keeps a vast treasure trove of KBA data for companies all around the world. And when I get that data, poof, say goodbye to even more of your money.
And just so your feelings aren’t hurt, understand that none of this was personal. I don’t know you, don’t care about you one way or the other. You are one thing to me, and one thing alone: money.
So what can you do to stop me? Well, you change your passwords from your kids’ birthdays or 12345678 to something long and strong. That’ll help…sort of. But remember, I didn’t start by hacking your account. I hacked your HMO.
You could withdraw all your money from the bank and keep it under your mattress. But did I mention I have friends in the States who also specialize in burglary and home invasions?
So let me explain to you how that’s going to go. You’ll be asleep with your girlfriend, two in the morning, when you hear a pounding on your door and…
Actually, you know what—I’m going to let the rest of that story be a surprise to you. Trust me, you’ll never see it coming.
Intrigued? Check out Drew Chapman's new book The King of Fear, which is the blistering sequel to The Ascendant, following unlikely hero Garrett Reilly as he tries to save America from an economic armageddon.
Copyright © 2016 Drew Chapman.
To learn more or order a copy, visit:
Drew Chapman has written on numerous studio movies. He also directed the indie film Standoff. Currently, he creates and writes TV shows for network television, most recently working on the TNT spy show Legends. Married with two children, Chapman divides his time between Los Angeles and Seattle.