• Brett Johnson

Change of Address: Cybercrime Still Ain't Rocket Science

I’ve said it before and I will continue to say it:  Cybercrime Ain’t Rocket Science.  It is easier today for a crook to engage in online crime than it ever has been.  That is one reason that the numbers of cybercriminals have increased dramatically.  When I ran ShadowCrew, the precursor of today’s Darknet markets, we ended with 4,000 members.  When AlphaBay, the largest online crime site in the world, was shut down last July they had 240,000 members.  Cybercrime will only continue to grow.

One of the most popular online crimes being committed right now is adding an address on to a credit report or forwarding mail to an address controlled by a fraudster.  A fraudster does this so they can open new accounts or order replacement cards for existing accounts.  Profit potential for fraudsters committing this crime?  Anywhere from $5,000 up to $70-$80k.

How easy is it?  Well, Cybercrime Ain’t Rocket Science.

Here is a sampling of how a fraudster can either forward your mail to an address he controls or add an address he controls to your credit report:

The United States Postal Service.  There are two ways a fraudster can use the US Postal service to forward mail to another address.

 Walk into the post office and fill out a change of address slip—FREE

Buy a prepaid debit card, register it in the victim’s name.  GO online to and submit the form electronically for change of address.  Use the prepaid card to pay the $1.00 fee.

The US Postal service isn’t supposed to forward debit and credit cards.  Well, at least that is what the card issuers have printed on the envelopes they send out.  The truth is the US Postal service RARELY pays attention to those words.  Credit and debit cards are regularly forwarded to alternate addresses.  USPS does send out a notice to the old address and the new address to notify of the change, but the notices often arrive too late for the victim to stop the fraud.  That, and the notice the USPS sends out looks like junk mail and is often overlooked by the victim.

Account Take Over (ATO) of a Low-Level Account.  A criminal pulls your credit report, an easy thing to do.  He then goes over the credit report and finds a utility or a crap store account.  He spoofs the phone number of the account holder and calls customer service.  Talking to customer service he says he needs to update the billing address.  He might also say he wants to update the billing phone number.  Being a crap store or a utility company and only asking to update billing address is extremely easy.  Customer service doesn’t suspect any type of fraud and usually update the info with minimal question. 

The address is then entered into the credit bureau that the company reports to—effectively immediately.  It takes some time for it to update to the other bureaus, but an experienced fraudster often knows which bureaus specific credit providers pull from and target only the ones that the utility or store reported the address change to.

Ordering Phone Service in the Victim’s Name.  Crook finds a drop address using Zillow or some other service.  Drop needs to be empty, but not look empty.  He pulls the victims SSN and DOB for $2.90 from Robocheck.  He then orders physical phone service in the name of the victim to the drop address.  Only to the outside of the house.  He tells the phone company he will handle all inside connections.  This adds the drop address to the credit report.  It also adds the physical phone number.  Sure, the crook might not have access to the inside of the house, but he doesn’t need it; he can have calls to the new number forwarded to a burner phone.

Dispute Process on Credit Bureau Website.  This is more involved and requires pulling SSN, DOB, Background check, and credit report.  The idea is to start a dispute process on one of the credit bureaus and update the address to a drop address.  It works well but requires a lot more work than the other techniques mentioned here.

Secured Credit Card or Another Credit Application.  Simply applying for credit using a drop address often results in adding the address to the credit report.  Experienced fraudsters tend to apply for secured credit cards or any credit card which builds credit.  Often these same cards advertise that they report things like address to the credit bureaus.  Going this route often takes 2-3 months for the credit report to reflect the address change.

Adding Authorized User.  A crook can buy a credit card login on a variety of fraud-related marketplaces.  Cost is typically $10.  He can then utilize the authorized user system to add drop addresses onto victim’s credit reports.  How?  Easy.  He gets the Name, SSN, DOB of the victim adds that as an authorized user to ANY credit card along with the drop address he wants to use.  Then he waits.  @ months later the drop address is on the victim’s credit report-all by adding the victim as an authorized user to ANYONE’s credit card. 

Cash App.  Create account with victim’s info.  Order Cash App card to drop address.  Drop address is updated to drop address.  Takes up to 60 days to see the change on the credit report.

Varo Bank App.  Create an account with victim info.  Use drop address as sign up.  If asked for more info, ignore the request and soldier on.  Again, about 60 days to reflect on the credit report.

There are other methods.  These are currently the most popular and vary widely in relation to the skill and patience of the fraudster.  Regardless of technique used, once a drop address is listed on a credit report, the fraudster can easily set up new accounts and order replacement cards for existing accounts.  Using the cards?  Ordering items, cash advances, etc.  This type of crime results in huge profits for criminals. 

How do you protect yourself as an individual?

 Freeze your credit.  This stops all new account fraud.  A crook cannot open a new account with your info.  He can’t even pull your credit report.

Monitor all accounts and place alerts on existing accounts.  If you monitor the accounts and place alerts, then you either see any changes to existing accounts, or you are notified of an account change.

For businesses being used to perpetrate this crime? 

A variety of changes need to take place.  The USPS needs to change the entire way they process change of addresses and mail forwarding.

The use of Authorized Users needs to be completely overhauled to prevent this type of crime and the rise of synthetic fraud.

Utilities and Crap Stores need to increase security and realize that fraud isn’t always directed at them.  Sometimes, they are a tool used for fraud committed elsewhere.

Credit Card Applications and Assorted Cash Apps.  The way they are processed, and the associated security measures need to be tweaked to handle this and synthetic fraud.  Meaning things like address need to be verified.  Identity needs to be verified more extensively.  All BEFORE it reports to a credit bureau. 

If a company is unable to do these things in house, there is a variety of security companies which provide effective solutions.

273 views0 comments