2019 was a pretty exciting year for me.
I stole a Tesla. I got into a car accident — a BMW, that time. I got a new iPhone. I opened two new checking accounts and went on a bad-check-writing spree for as much as $13,000 at a time. I attempted to open dozens of new credit cards. I wrote a check for someone’s bail, which they skipped.
On paper, Jessica Roy had a wild year. In reality, that year, and what followed, has been a nightmare.
I am the victim of identity theft. And it could happen to you. I also have some bad news: It will be entirely your problem, and no one — not the police, not the government, not the financial institutions — really cares or will help you much. But with determination, you can fight back. I did.
My troubles started in a bar in San Francisco the day after Thanksgiving 2018. When I went to close my tab, I discovered my wallet was gone. By the time I got my bank on the phone the next morning, my debit card had been used at a gas station for $48.15 and with a Square card reader for $30. I disputed both transactions and canceled all my cards. I went to a San Francisco police station to report the stolen wallet.
When I got home to L.A., I had to get a new driver’s license, had to update my autopay bills and had to buy a new wallet. I thought that was the end of it.
More in This Series
(I’d also lost maybe $100 in old gift cards, $10 in cash, and a Skin Laundry loyalty card. Devastatingly, I was just one punch away from a free facial.)
Then the letters started arriving.
“Congratulations! We’re pleased to inform you that your application for a new Wells Fargo account has been approved.”
“Welcome to Bank of America, and thanks again for choosing us.”
Target called asking about my recent card application.
Emails started arriving from my existing credit card accounts:
- Email change alert. (The thief tried, but failed, to access my Gmail account that had two-factor authentication enabled. They made a new one with my name and used that instead.)
- Password change alert.
- Mobile device phone number change.
I got an email from the monitoring site I use to track my credit score. “Is This New Card Yours?” Another one: “A New Inquiry on Your Equifax Report.” PayPal. Walmart. Macy’s.
I’m a woman of action, and I got moving fast. I froze my credit with all three major bureaus and also froze my file with ChexSystems, the consumer reporting agency that tracks checking account activity. I filed a federal identity theft complaint. I left what would be the first of many voicemails with the San Francisco Police Department to get a copy of the report about my stolen wallet.
When I reached out to Bank of America and Wells Fargo to get the fraudulent accounts closed, I quickly encountered a problem: Their automated phone menus demand your account number before connecting you to a human being. But the letters I received did not have the new account numbers on them. For security purposes.
When the first Social Security numbers were issued in 1936, they were never meant to be a secure identity signifier, but the major credit bureaus began linking your Social Security number to your credit history around 1991.
Two years before that, another new concept had emerged in the world of personal finance: the credit score. It was a way to crunch all of the information in your credit history into one number that now serves as shorthand for whether someone should finance your car loan, let you buy a house, or maybe rent you an apartment.
Today, Social Security numbers and credit scores are broadly criticized by financial experts and government officials as overly simplified and, generally speaking, bad.
And your Social Security number isn’t very secure, even with the people who are supposed to be securing it. In 2017, the names, addresses, birthdays and Social Security numbers of 147 million Americans were compromised in a hack of Equifax, one of those companies that calculates your credit score. I was among them.
For our troubles, Equifax offered a piddly $125 and some free credit monitoring. Then it turned out the bureau never set aside enough money to pay all the victims. I filed as a victim back in 2019. I haven’t seen a dime, and I don’t expect to.
But what does a massive data breach have to do with my wallet being stolen?
The thieves were likely able to obtain my Social Security number and other information about me for sale on the internet. Whether that info came from the Equifax hack or from a data breach at another institution is unclear.
An Equifax representative said in an email that “we are aware of no evidence that the breach has resulted in the impacted consumer data having been sold or used.” Equifax declined to comment further for this story.
In any event, stolen Social Security numbers are not hard to come by online, Eva Velasquez told me. She’s the president and CEO of the Identity Theft Resource Center, an advocacy organization dedicated to helping victims of identity theft.
Her organization sees sheaves of Social Security numbers available as “buy-one-get-one” deals packaged with other consumer data on offer.
“They have been so ubiquitously compromised that they are available, essentially, for free,” she said.
I started a Google Doc tracking every letter, email and phone call; a physical file folder, soon bulging, kept everything in one place. I felt bile rise in my throat every time I opened my mailbox. Every day, for weeks, there was something new. Sometimes multiple somethings.
I would sit at my kitchen table and call the 800 numbers of the banks or credit card companies or car loan brokers and fight the automated phone menus in a desperate bid to speak to a human being.
The thieves, meanwhile, were on a roll.
Although my driver’s license had been reported stolen, Bank of America and Wells Fargo issued checkbooks to accounts opened using it.
I started getting letters about bad checks:
- $79.04 at Marshalls.
- $772.94 at Safeway.
- $13,743.80 at Big Lots.
I began to realize that I was not only the victim of identity thieves, but also of the system that allowed them to steal my identity in the first place. And now, that system was going to make me work an unpaid part-time job fighting my way out of their logistical labyrinth. Kafka would blush.
Bank of America asked me to mail it a notarized affidavit, a copy of my driver’s license and a copy of my Social Security card so it could investigate the bad checks. I replied that it would be insane for a victim of identity theft to put those things in the mail. The person I spoke to said, “We would never require you to send any information like that.” I was holding the letter asking for just that on Bank of America letterhead.
That letter said I had 30 days from the date of my claim — Jan. 25 — to fill out and return the forms. I asked why the notice was dated Feb. 25. The representative said the bank had first mailed the letter to the most recent address on file — an address I reported as fraudulent. The place where the thieves lived.
Banks want it to be easy to open an account. As Velasquez put it, consumers “want a zero-friction experience,” which explains how the thieves were able to open checking and saving accounts.
Months later, as I tried to close them, Andre from the Wells Fargo fraud department quizzed me on street names where I’d lived and people with whom I’d associated to make sure I really was who I said I was. That is not part of the process to open a new account — just to get a fraudulent one closed.
In April, things began to escalate.
One of the thieves used my driver’s license to rent a Tesla that was later reported stolen and then found abandoned. Another time, someone presented my driver’s license to police after getting into a car crash in a BMW. I got a phone call from the other driver’s insurance company months later.
“I” had written a check for someone’s $600 bail, that someone never made it to court, and I now owed $4,310. The bail bond company told me to come to their office in person with the debt collection letter and a hard copy of my police reports. I said their legal department would have to make me. The man I was speaking to told me to have a nice day and hung up. Eventually, they closed the case.
When you ask a company to lend you money, the company asks the credit bureaus to check your credit history. There are two types of inquiries: “soft” and “hard,” referring to their impact on your credit.
Soft credit checks, which are common for things like store credit cards and internet impulse purchases, do not affect your score. Hard inquiries are more extensive, and prompted by big-ticket things like auto loans and mortgages. A hard inquiry typically dings your score by a point or two, and that impact lasts for one year.
When your credit is frozen, a hard inquiry into your history tells the creditor, “this account is frozen, so you can’t access that information.” But for reasons I can neither fathom nor explain, the inquiries still show up on your credit report and still affect your score.
One of the thieves triggered a hard inquiry at a car dealership in Van Nuys. I guess the thieves needed new wheels after things didn’t work out with the Tesla and BMW.
I wanted to get the hard inquiries removed on principle. The credit score impact was negligible. But I wanted no trace of these people on my previously unblemished financial personhood.
The first step to get a hard inquiry removed is to call the creditor — in this case Russell Westbrook Chrysler Jeep Dodge Ram of Van Nuys — and ask them to send a “letter of deletion” to the credit bureaus. I left several voicemails. The person I finally spoke to said he had worked there for 26 years and had never done this before.
I succeeded in getting hard inquiries removed at other institutions, but after several frustrating phone calls, I conceded bureaucratic defeat on the Russell Westbrook one.
The thieves, it seemed, knew everything about me, and I knew nothing about them.
Then in May 2019, I learned the Berkeley police were trying to reach me.
A month earlier, a Berkeley police officer noticed a car without license plates. The two people in the car were on probation for identity-theft-related felonies. In the car, police found checkbooks, credit cards, photocopies of IDs, and other information for more than a dozen people, many of whom had reported stolen identities.
The Cheez-It box was the most galling part.
A quarter-inch-thick police report detailed what police found in the couple’s car: stolen mail; wire cutters; lock picks; a window punch; cellphones; multiple fake IDs, pieces of paper with names and Social Security numbers scrawled on them; a stun gun.
A photocopy of my driver’s license. A Wells Fargo card with my name on it. Paperwork from a Best Western with my name on it.
And a Cheez-It box with a dozen checkbooks stuffed in it.
My entire identity theft experience to this point had been rife with indignities large and small. And now my favorite snack food had been implicated.
I am not naming the people who stole my identity, for my own safety. I will refer to them as Thief 1 and Thief 2.
An officer asked Thief 1 about the Best Western paperwork — who was Jessica Roy? A friend, he said.
Police also recovered a cellphone where someone had texted him about a local credit union where he should open an account: “The other banks are up on the s— and good for putting extra holds before u can actually withdraw money on deposits.”
Thief 2, a woman, was on probation for possession of stolen property.
Both were booked on multiple charges, including California Penal Code 530.5(c)(3): possessing the identity of 10 or more people with the intent to defraud. Everything found in the car was logged as evidence, including the Cheez-It box.
Is my experience unique? The details, yes. But the crime, no.
A recent survey conducted by Javelin Strategy and Research and co-sponsored by the three major credit bureaus found 42 million Americans were affected by some form of identity fraud in 2021. Total losses: $52 billion.
There is no single national public database that tracks identity theft, or any cybercrimes, the way that we track violent and property crimes. And there is no law enforcement agency dedicated to investigating cybercrimes at an individual level, so it’s hard to say precisely how prevalent identity theft is.
Shima Baughman, a criminal law professor at the University of Utah’s College of Law, told me police don’t report identity theft cases to the FBI, but to the Federal Trade Commission. In its 2021 data book, the FTC notes that it does not intervene in individual cases but refers the data back to law enforcement.
The FTC report said its Consumer Sentinel Network took in more than 1.43 million reports of identity theft in 2021 — a record high.
You can report a cyber crime to the FBI through its Internet Crime Complaint Center, which was one of the first things I did. Filing the complaint generated a report, which was helpful to have. But stolen driver’s licenses and bad checking accounts are not exactly in the FBI’s wheelhouse. The FBI’s complaint center received 51,629 reports of identity theft in 2021, also a record high.
Why are identity theft cases on the rise? For one, they are easy to commit.
“It used to be that you had to have some savvy to commit these crimes,” Velasquez said. Not anymore: “You just need an internet connection.”
Victims stand to lose much more than money. The Identity Theft Resource Center puts out an annual report that looks at the toll identity theft takes.
In 2022, 87% reported emotional and physical impacts, feeling worried, violated, angry, guilty. Ninety-two percent had trouble sleeping. Forty-two percent reported persistent aches and pains. Seventeen percent developed unhealthy or addictive behaviors. Ten percent reported feeling suicidal.
Victims also were asked how long it had taken to fully resolve their identity theft. Fifty-five percent said they never did.
Before Thief 1 and Thief 2’s trial in June 2019, the Alameda County district attorney asked whether I wanted to make a victim impact statement. I did. Re-reading it, even now, is hard. I told them they stole my wallet during a difficult time in my life: I’d had a miscarriage a couple months earlier. The wallet, of blue studded leather, had been a gift from my grandmother before she passed away.
“I feel sick just thinking about having to relive all of this again,” I wrote. “This has been a profound personal violation that has significantly affected my mental health. My therapist thinks the stress from dealing with this is part of why I haven’t been able to get pregnant again.”
“I don’t know if [Thief 1] or [Thief 2] will ever read this statement,” I wrote. “If they do: I found both of you on Facebook. It looks like you both have children. That must be wonderful — I wouldn’t know. Did you think this was a victimless crime? Did you ever think you were stealing not only someone’s credit card information, but their chance to be a mother?”
Thief 1 and Thief 2 each faced a year in prison but took a plea deal: nine months in county jail, a six-month residential treatment program for drug addiction, and five years of felony probation.
I felt like I could finally relax. They couldn’t continue their crime spree from a jail cell, right?
One afternoon in August 2019, I got a call on my desk phone at The Times.
A man with a heavy accent asked if I was Jessica Roy. He needed my help. His girlfriend had hit him, tried to kill him. Actually, his ex-girlfriend. He was on his way to the police station.
I said the name of Thief 2. Was it her? No. He gave me a different woman’s name. He believed she was stealing my identity and he wanted me to report her to the police. He said she’d used it to rent a car. He said she’d recently gotten out of jail and he found a bunch of mail in her car with my name on it. He asked me to email him so he could send proof.
I emailed and asked him to send whatever he had.
“Thanks jessica i ll contact you later today ..im on the police office.”
Days later, he emailed me from a different address. He said he didn’t have access to his email and he wanted my cellphone number. I didn’t reply. One minute later, he wrote again.
“How i can contact you Jessica Roy..can you call me at [redacted].or email me you fhone mumber o call me private if you want…thanks Jessica “
Again, I didn’t reply. Two hours later, he sent me a third email with no body text, just two blurry images of pieces of mail with my name and an address in Richmond I recognized from my credit reports.
Two hours after that, he emailed me again with the full name and address of his (possibly ex) girlfriend. Then he sent another email: no message, just two photos someone had taken of themselves in a mirror. Explicit photos, in lingerie.
To this point, I had kept every piece of communication I’d received pertaining to my identity theft.
This email, I hit “delete” immediately. It was time to go to the police.
The first time I went to the Los Angeles County Sheriff’s Department station in West Hollywood, the person at the front desk said this was a Richmond police issue. I called Richmond. No, they said, the report has to originate in the jurisdiction where the victim resides.
I went back to the West Hollywood station.
The deputy behind the counter sighed as I pulled out two bulging file folders of documentation. He looked at it — the physical manifestation of months of work and anguish on my part — as though I’d come to show him my stamp collection.
I recounted what had happened since my wallet was stolen and said that now a strange man had called me and sent me unsettling emails.
“So,” he said, expressionless. “You believe yourself to be the victim of identity theft.”
I corrected him.
“I am the victim of identity theft.”
This was worse than getting the runaround from an automated phone menu. The bile tasted familiar.
He suggested I talk to the bank and phone company first. I said no. I wanted someone to take my report. It was a Wednesday afternoon in early September. He told me it might be awhile. I was the only person there.
I’d come prepared to wait. I’d packed snacks. I chose a spot on a bench directly across from him — where he couldn’t look up without catching my eye — sitting there patiently, smiling politely.
After almost an hour, another officer took my report.
I didn’t expect deputies to form a posse and road trip up to Northern California to break down the person’s door. I thought, or hoped, they would alert police in Richmond.
I followed up a month later, in October. A detective told me the case was marked as “pending.” He indicated there was some confusion about why I had police reports with the San Francisco police, and the Berkeley police, and now wanted the Richmond police involved.
Another reason identity theft cases are on the rise: “It’s really difficult to get arrested for committing cyber crimes. It’s very low risk and high reward,” Roger Grimes told me. He’s a cybersecurity expert who’s written on the topic for years.
He and Velasquez described how criminals can buy terabytes of hacked personal data and malware that automates opening credit cards and applying for loans.
Baughman, the criminal law professor, said cyber crimes are wildly under-reported because victims don’t think the police can or will do anything about it. And they’re mostly right.
Part of the problem, she said, is that these crimes cross traditional jurisdictions. (Indeed, after another call to the West Hollywood station, I was told it wasn’t clear whether the case was ever referred to Richmond.)
Your local law enforcement agency is generally interested in the geographic region it polices. Then there are clearance rates, the percentage of cases police solve and a key metric they care about. Identity theft cases cross geographic lines and are hard to clear, so police don’t really want to take them, Baughman said.
The only reason Thief 1 and Thief 2 got arrested is because they slipped up. It was a fortunate (for me) coincidence, not the result of an investigation.
On the evening of the same November day I’d spoken by phone with, according to my notes, an “incredibly rude woman” from the West Hollywood station, I got a text and an email confirming a marijuana delivery order. Spam, I thought. A little while later, I got a phone call: It was a marijuana delivery driver. He was parked just outside my hotel in Petaluma with my order. Could I come outside?
I emailed the marijuana delivery company, and the founder responded right away. As far as he and I could tell, someone had used my name, email address, date of birth and phone number to create an account, but they forgot to change it to their own phone number when they placed an order for $57 of Legend OG.
I forwarded the receipt to the L.A. County sheriff’s deputy assigned to my case, asking him to update my report. We spoke by phone the next day. I had the exact address for where these people were staying, and proof that they’d been there the night before. Surely, the police in Petaluma could knock on the door and check it out.
The detective said he’d talk to his sergeant, but he wasn’t sure what they could do with that information.
On Christmas Day 2019, my phone rang again. It was my bank, the woman said, and they had a couple questions, and she just needed to verify my identity before she could go any further. Sure. My name, date of birth, current address. And — just to verify — what was my account password?
I remember exactly where I was standing, in my parents’ living room, my extended family gathered over holiday hors d’oeuvres. I looked down at my glass of wine as a thought penetrated my holiday buzz: My password?
I hung up.
Another phone call. Jan. 3, 2020. An officer with the Vacaville Police Department — well, you can guess this next part. A man and a woman arrested. Things found in the car with my name on them. I asked the officer if I could guess their names.
Thieves 1 and 2? No.
How about the name of the man who had called me in August and his (possibly ex) girlfriend?
Yup. That was them.
I asked for the officer’s email. I had some things to send her.
Sometimes I feel like the heroine of a noir novel. A victim forced to take the law into my own hands, using shoe leather and good, old-fashioned know-how to solve the attempted murder of my personal finances.
But more often, I feel like I’ve been victimized twice. Once by the people who plucked my wallet out of my purse. But a second time, and many more times over, by a system that is doing nothing to protect me — or any of us — and that forced me into a part-time, unpaid job cleaning up after the bad system they created.
I’ve told a lot of people this story. They ask what they can do to protect themselves. The answer is tricky. I work on a team focused on service journalism and I’m used to saying, yes, of course there’s something you can do about this.
In this case, I feel like saying, “There’s nothing you can do! Good luck!”
But that isn’t entirely true. I said I wouldn’t let the thieves win, and I didn’t.
In 2020, my husband and I decided to buy a house. I had to un-freeze my credit to get a mortgage.
Less than 24 hours after I unfroze all my credit reports, I received an alert from one of the banks I use, thanking me for applying for a new checking account. I logged in and saw that my mailing address had been changed to one in Northern California. I called the bank in tears to fix the problem and asked what I could do to make it stop. The customer service rep’s response: nothing.
“If we could prevent all fraud from happening we would, but we can’t,” they said breezily.
When the mortgage company sent my husband and me the completed application to review, three of the addresses on it belonged to the thieves. I got to send yet another email with multiple police reports attached.
But ultimately, the mortgage did go through, and we moved into our first home that summer. And this year, in February, we brought our first baby home from the hospital.
I was on maternity leave until August. When I got back, my editor asked me what story I wanted to work on next. You’re reading it.
Other victims of identity theft have compared it to managing a chronic condition, Velasquez told me. You have periods of remission, but then have to battle flare-ups unexpectedly, and always at the worst times (like when you’re applying for a mortgage). But it is manageable.
What stood out to me, over and over, was that this wasn’t something I could have prevented, and not something I should have been expected to single-handedly fix. This is a systemic problem that will require systemic solutions.
I have some ideas.