So, you look like Leonardo DiCaprio and like to get dressed up like a pilot and fly around, maybe put on a stethoscope and perform a few routine examinations in the name of cashing a few cheques? This makes for a great plot to a Hollywood film, but not all identity theft is fun and games!
Cosplay aside, our ability to take the form of another person has never been easier, thanks to the sheer volume of personal information we leave online. Accidentally clicked a link in a phancy phishing email? Took a Facebook birthday quiz? Made the choice to be environmentally-friendly by reusing your password over and over again? All of these can help thieves and con artists to moonlight as you.
Naturally, this has caused a huge spike in the number of identity theft reports each year, with cases jumping to over 5.7 million cases in 2020 in the US alone, up from just 1 million in 2007.
While most cases of identity theft result in losses of around $500, there are some spectacularly crazy and, admittedly, exciting cases where colossal corporations, cromulent celebrities, and can-you-blame-em children have been defrauded of millions of dollars. Let’s examine the top 3 and spook each other out.
#1. Abraham Abdallah (Brooklyn, NY)
Back in 2001, we saw one of the first big public cases of identity theft in the digital age, perpetrated by Abraham Abdallah, a busboy who defrauded over 200 celebrities and public figures using a computer in the Brooklyn NY Public Library.
Like something out of a Hollywood blockbuster, Abdallah used an old dog-eared copy of Forbes magazine featuring the “400 Richest People in America” to target a star-studded cast that included the likes of Steven Spielberg, Oprah Winfrey, Warren Buffet, Michael Bloomberg, and even celebrated Ewok patriarch, George Lucas.
Abdallah’s hi-tech scam began with a basic series of credit report requests from ‘trusted’ providers Equifax, TWR, and Experian. After duping those companies, he had obtained social security numbers, credit card numbers and all vital financial records that would allow him to play every leading role in his own celebrity show. He assumed the identity of each of his showbiz victims using their credit cards as his own, accessing their brokerages, and opening new accounts across the world.
Abdallah tracked packages that he ordered in his victims' names all over the US via an intricate network of web-enabled mobile phones and virtual voicemail services, all from the safety of his library computer lab. He used couriers (and even prostitutes) across New York City to deliver the expensive and exotic fruits of his labor (surely Yubari king melons).
His scam was working so well, Abdallah decided to swing for the fences by requesting a 10 million dollar transfer from the account of one Thomas Siebel, founder of Siebel Systems (the dominant CRM provider of the 90s, acquired by Oracle for $5.7 billion, no biggie), to a newly opened Australian account. This would have worked if Siebel actually had the money. Merril Lynch called Siebel’s people to make sure he wanted that much money moved, which sounded the alarm bells everywhere.
Police traced everything they could for the newly greenlit Operation CEO, starting with two Yahoo! email addresses. This led to the discovery of forged documents, voice mail recordings, and the PO boxes that they would eventually stake out. They intercepted and commandeered a shipment of credit card duplication machinery destined for Abdallah, then posed as couriers to arrange a delivery. He was cornered and arrested in his SUV in a suitably Hollywood style , with the arresting officer jumping on top of Abdallah’s moving vehicle and dangling from his sunroof.
The dog-eared copy of Forbes was found on the scene. Beneath their Hollywood photos, scrawled in pen, were social security numbers, credit card info, bank balances, and in some cases, even their mother’s maiden names. Some $22 million dollars was in play when he was finally caught.
If there is anything to learn from this, it is that identity theft doesn’t discriminate: it affects us all. CNN reported that there was a new victim of identity theft in the U.S. every two seconds in 2016, a number that has multiplied each year since as we move further into the digital age. Even Microsoft co-founder, Paul Allen, whose own name was on the PO boxes receiving the deliveries, had no clue they had been scammed until they were told by police.
The way Abdallah was able to succeed was through his interception of private information. In 2001, much of that information was moving physically, via fax and telephone. In 2023, almost all of our information is online - whether we like it or not - making it even easier to intercept with the right tools.
You should always be careful where you are sending your information; encrypting that information with a VPN will help take the guesswork out, leaving you far less susceptible to the more common digital versions of attacks like Abdallah’s.
#2. Cory Cato (Georgia, GA)
Our next case follows the trail of Cory Cato, a 41-year old Georgia native who was busted in 2022 for creating “synthetic identities”. Cato and his gaggle of gangsters gathered the personal information of real people – social security numbers of children, mostly - that were then forged into some cyberpunk-esque fake people, with made up birthdays and names, and some very real incoming money problems. These newly minted identities were then used to open credit cards, bank accounts, and more. Imagine your first week as a person, and you’re already in debt!? At least let people enjoy their bad decisions, like I did in college!
Much like his predecessor, Abraham Abdallah, the key to Cato’s nationwide fraud ring was a commercial mail receiving agency called Pak Mail, which he maintained in the heart of the Peach tree state. It was there where he and his co-conspirators collected all of the actual paperwork and statements for these manufactured individuals and, of course, spent the funds from their ill-gotten gains.
While there isn’t much information on how Cato got caught, we do know that one of his 11 co-conspirators, Turhan Armstrong, drew the attention of US homeland security after failing to report any income for multiple years during the scam. Pay your taxes, people! Turhan himself racked up a bill of over 3 million dollars, while Cato’s total ended up around 2 million, defrauded from various banks & lenders. Every penny stolen was ordered to be paid back as restitution, in addition to his 94 month sentence for conspiracy to commit financial institution fraud & aggravated identity theft.
As per the Attorney General’s office: “[Cato] and his co-conspirators built their wealth off the backs of the people whose identities they stole, many of them children,” prosecutors argued in a sentencing memorandum. “Both the effects on these victims’ credit histories and their sense of violation are impossible to quantify, but they provide further reminder of the seriousness of [Cato’s] crime and the callousness of his conduct.”
Keeping an eye on your data is huge and is maybe the most important step to keeping yourself safe or remedying identity theft. In this case, no one thought to check the credit reports of Cato’s victims, you know, because they were kids. According to a 2017 study conducted by Javelin Research, more than 1 million children had their identities stolen, and 66% of victims were under the age of 8. A study from the Center for Cyber Safety and Education revealed that 40% of children in grades 4-8 have talked to a stranger online. Even worse, 53% provided their phone number to that person! Talk to your kids about cybersecurity early and often.
Advise the youths in your household to keep their (and your) credit card information to themselves and opt out of storing it online when shopping or making (terrible) microtransaction in-game purchases on their phone. If your teen has access to their SSN/SIN, urge them never to provide that information online. Teach them about phishing, teach them about the strength of a good password, too.
This is a nice reminder for us (pretend) adults, too, as we’re certainly not immune from bad decisions. According to Aite Group’s latest research on U.S. Identity Theft, around 47 percent of Americans had suffered financial identity theft by 2020. Some are hardly even at fault, as digital criminals are making it harder to know what is real and what isn’t.
Ross J. Anderson, Professor of Security Engineering at the University of Cambridge, describes social engineering (in the context of internet security) as the “psychological manipulation of people into performing actions or divulging confidential information”. A great example of this is the use of the "forgot password" function on most websites which require login – an improperly-secured password-recovery system can be used to grant a malicious attacker full access to a user's account, while the original user will lose access to the account.
#3. Evaldus Rimasaukas (Lithuania)
Likely the largest socially engineered attack so far was carried out by 48 year old Lithuanian Evaldas Rimasauskas, between 2013 and 2015, netting over 120 million dollars from two titans of the digital age: Facebook and Google.
To complete this complex con job, Rimasauskas and his wiseguy goons set up a fake company registered in Latvia, with a functioning website, lookalike domains, email addresses, and even bank accounts – all the dressings required to pass as Taiwan-based parts manufacturer, Quanta, who was actively working with the two companies at the time.
Rimasauskas designed sophisticated phishing emails, uniquely tailored to specific Google and Facebook employees, invoicing them for true goods and services that Quanta had actually provided to the tech giants, implying that payment had yet to be made.
Massive amounts of money were deposited via wire transfer into the many fraudulent accounts Rimasauskas had created, spread across Latvia, Cyprus, Slovakia, Lithuania, Hungary, and Hong Kong, while he quietly sat behind a computer halfway across the globe.
When he was caught before Christmas 2016, Rimasauskas had barely even touched the money – he was just the guy asking for it (or so he said). He owned up to the charges, pleading guilty to fraud through a Russian translator in a Manhattan court after his extradition to the states. He got 60 months in the American slammer (I’m bringing that term back), in addition to forfeiting $49,738,559.41 in illicit dividends, and paying restitution in the amount of $26,479,079.24 to two already very rich tech corporations.
It might be tempting to savor the schadenfreude of giant, ad-spamming, data-farming corporations getting a bit of comeuppance - but the truth is this could have just as easily targeted small businesses and ruined people’s lives.
While Rimasauskas had a complex and elaborate system in play here, simple phishing scams remain a problem for everyone on a much smaller scale. Security firm Aurora claims losses from identity theft cases totalled $502.5 billion in 2019 and were expected to rise 42 percent to $712.4 billion in 2020, with further increases expected each year going forward. In short: identity theft is not going away.
#4. David Matthew Read (Los Angeles, CA)
In 2018, David Matthew Read impersonated the personal assistant of actress Demi Moore, using her stolen Social Security number to request a replacement for her no-limit American Express "Black" card. He then picked up the card from a FedEx location in Santa Monica, spending more than $169,000 in high-end stores across Los Angeles and New York City.
Read’s mistake was using both the stolen card and his own card in some transactions, leading to his capture via surveillance footage. He was sentenced to several years in federal prison, while his accomplice, Marc Higley, received 14 months in a halfway house.
#5. Turhan Armstrong (Georgia, GA)
Turhan Armstrong led a decade-long fraud scheme, using Social Security numbers of children and expatriates to steal $3.3 million. Armstrong and his co-conspirators opened credit accounts, took out loans, and even bought homes using the stolen identities, which went unnoticed due to their victims’ inattention to credit histories.
Armstrong’s lavish lifestyle and failure to declare income led to his arrest in 2020. He was convicted of 51 charges, including aggravated identity theft and money laundering, and sentenced to 21 years in prison with a restitution order of $3.3 million.
#6. Kenneth Gibson (Reno, NV)
Kenneth Gibson exploited his position as an IT professional to access sensitive data, creating a computer program to open over 8,000 fake PayPal accounts using stolen identities from his company’s database. He used these accounts to link credit lines, withdrawing small amounts to avoid detection.
Gibson’s scheme unraveled when PayPal flagged one of the checks he requested, and he was eventually sentenced to four years in prison. He was also ordered to pay $1 million in restitution for the $3.5 million he stole.
#7. Luis Flores Jr. (Florida)
In 2014, Luis Flores Jr. and his mother attempted to steal the identities of several high-profile figures, including Kim Kardashian and Michelle Obama. Flores contacted American Express pretending to be Kardashian and tried to get a replacement card issued to his address. The company became suspicious and notified the Secret Service.
Upon investigation, a flash drive was found containing private information of numerous celebrities, politicians, and public figures. Flores was sentenced to three and a half years in prison, while his mother was sentenced to probation for covering up his crimes.
#8. Wendy Brown (Wisconsin)
If given a chance to relive your youth, would you take it? Wendy Brown, a 33-year-old Wisconsin woman, did just that…by stealing her daughter Jaimi’s identity. In a bizarre attempt to reclaim her lost teenage years, Brown enrolled in high school using Jaimi's name. But she didn’t stop there; Brown even joined the cheerleading squad, hoping to relive her youth through her daughter’s identity. Her plan was working—until the school contacted Jaimi’s previous school and discovered she had never transferred. This raised red flags, eventually unraveling Brown’s elaborate scheme.
#9. Nakeisha Hall (Birmingham, AL)
Identity theft can be frightening enough, but what if the criminal works for the very agency meant to protect your personal information? This was the case with Nakeisha Hall, a former IRS employee who exploited her position to steal taxpayer information and defraud hundreds of victims. Over an 11-year period, from 2000 to 2011, Hall used her access to sensitive tax records to steal nearly $1 million from unsuspecting individuals. Hall worked in several IRS offices, including the Birmingham, Alabama Taxpayer Advocate Service—a department ironically designed to help identity theft victims.
#10. Russian Hackers Phish John Podesta
Identity theft doesn’t always involve a stolen credit card or Social Security number. Sometimes, it can change the course of political history. This is what happened to John Podesta, chairman of Hillary Clinton's 2016 presidential campaign, who fell victim to a phishing scam during one of the most contentious elections in U.S. history.
Russian hackers posed as Google, sending Podesta an email claiming his account had experienced “unusual activity” and urging him to change his password. Unfortunately, the email was a sophisticated phishing attack that led him to a malicious website. Once he entered his credentials, hackers gained access to his email account.
What followed was a massive leak of thousands of private emails, which were made public just as the election was reaching its climax. The contents of these emails damaged the Clinton campaign’s reputation and added fuel to an already volatile election.
#11. Shimon Hayuy: The Tinder Swindler
You may have already heard of this guy if you’ve the Netflix show called: The Tinder Swindler. It tells the story of Shimon Hayut, a scammer who posed as a wealthy businessman on Tinder.
Using his fake, luxurious lifestyle, Hayut built relationships with women and gained their trust. Once close to them, he fabricated stories about dangerous business rivals threatening his life, asking for loans and credit card access to escape these threats.
Over two years, he defrauded multiple women out of an estimated $10 million. Hayut never repaid the money, leaving his victims with crippling debt.
Don’t want to become a victim?
Well, we can’t do anything to protect against stupid, but we can make it a lot harder for stupidity to prevail. Using a reputable VPN like Windscribe is just part of a larger, comprehensive cybersecurity plan
