In July 2022, I became aware that I was the victim of identity fraud.
Events were generally infrequent and included attempts at social security fraud and credit in my name. My husband was also similarly impacted.
This occurred around the time of the Optus, Medicare and Latitude data breaches. But these only released our email addresses and phone numbers, so this was unlikely to be where the identity theft originally occurred.
After some investigation by myself and the police, it became apparent that our information was likely with a fraud syndicate in Sydney. This included copies of my driver's licence, my passport, bank statements, and it became obvious that they also had my bank usernames, Qantas frequent flier details, and who I was insured with for house and health. They knew a lot of details about us which were not publicly known, enough to be able to pass security questions. We identified that it was unlikely that these details were all given out to one person or organisation. There was only one place where all this data was in one location - our home. But we had not been subject to any break-ins, and given we have two large German Shepherds, this was also unlikely.
Regardless, we had our house, cars and workplace swept for bugs and our computers and phones checked for malware and tracking apps. These found nothing and no evidence of system breaches. Having family members with computing backgrounds, we have always taken a lot of precautions. We had not been hacked. The source of our identity fraud - like for 9 out of 10 cases - was therefore deemed by the police to be more likely a family member who had had access to our house whilst we were present - and had been observant enough to note and remember details that allowed them access, unknown to us, when we were not present.
We changed passwords to complex passphrases which we change often, we notified our banks and other relevant organisations of us being at high risk of identity fraud, we put password locks on accounts, set up SMS-generated codes or authenticator apps and we went old school - requesting all accounts be flagged with our high-risk status - and that all changes be required to be done in branches and not over the phone.
In July 2022, I was notified of a fraudulent MyGov account and an attempt to link to my ATO account. I was referred to the ATO CSIC centre and they password-locked my account. They assured me this would stop unauthorised tax agents or individuals from lodging returns or making changes - unless I called to provide the password for a temporary 48-hour unlock. This was important for me - as I also run a business and was aware of the risk of fraudulent tax returns being done in business names.
We went to all the major phone companies to make sure there were no accounts open in our names or the business. At this time there were none.
We got new identity documents - unaware that the old ones could still be used in some capacity even though replaced - until likely the day of their original expiry. Now we are aware that with AI, it may even be possible to use these beyond those dates where systems are not linked to government systems - if deepfaked with extended end dates - and yes, for online applications this scenario is now entirely possible. We contacted IDCARE and followed their advice. We did credit checks and identified every fraudulent event and had it removed from our records. We locked our credit accounts, which means if we ever need to apply for credit they have to be unlocked and relocked.
In March 2023, our identity theft events increased. Multiple attempts to access our accounts, claims for fire damage to our house followed by a claim for water damage, applications for credit cards and loans (some being successful), claims for medical benefits via Medibank (both of us apparently had braces in our 50s! and a 1K massage), and mule bank accounts opened. An Officeworks account was opened in our business name, and around 6K of goods purchased in Bendigo and Bondi. This account was set up so that it direct debited at the end of the month directly from our business account. Yes - direct debits are set up by the business and the business bank - they are not well checked by the bank from which the money is drawn - hence why one gets ongoing subscriptions when you have only signed up for a one-off purchase. This meant that by the time we knew of the account, when the money was withdrawn from our account, and the police then investigated, the security video of the purchasers had been overwritten. A second attempt was made online for another Officeworks account a few months later. Officeworks called us in this case, fortunately. Some banks offer better protection than others - our new bank delays all new direct debits and transfers for at least 24 hours and notifies us of these so we can approve. I now can't even order a Coles shop without generating a code - but this level of protection is well worth it.
We recorded every email or mobile used during our fraud events, and we used and paid cyber investigators to link these to individuals. We gave these details to the police. We observed that many of these individuals were already in front of the court system - mostly for drug charges. Although this was the case, our local police in Illawarra did not reach out to Sydney-based police stations regarding these individuals or question them, even after we asked them to do so. We just wanted answers. The amount of detail on court sites varies per state - so a Court Data account was very helpful for our investigators.
At one stage, one of these individuals emailed us and asked for money to stop the identity theft. We honey-trapped them with an email that, when opened and read, gave us details of their IP address, which we also gave to the police. But IP addresses can't be used to identify individuals, so this also went nowhere. One of these individuals stole access to our Qantas accounts, exchanging frequent flier points for e-cards, which they then used. We lost millions of points, but Qantas did reimburse them to us. The fraudsters also booked flights in their names. The police did not act on this. However, they did identify a pattern to our identity fraud. It occurred around important dates, such as our birthdays (possibly due to licence expiry at first - but the pattern continued after this), or when we were away for work or holidays.
This worried us that either someone close to us was assisting them or we were being watched. We added security to our home with new locks and cameras, and secured our property as best we could with fences and gates. We did the same at our office. We installed trackers on keyrings, vehicles etc. - so that we always knew where each other was and where our important items were at all times. We did a few tests where we went away but only told one family member - or didn't go away but told a family member we were away. We identified a potential leak of our movements via these but could not prove it with 100% certainty - maybe they did it on purpose, unknowingly, by coercion, or were subject to malware interception of their emails and texts - we will never know. But this resulted in us going no-contact with that individual and their immediate family in April 2023.
It became obvious that it was likely that the emails and mobile phones used to do the fraud were linked to individuals who had likely sold their identities for cash or drugs. The mule accounts were then being used to do identity fraud in our name. By this time we were also aware of mule accounts in our name, which we closed. Some were with smaller banks which no longer existed. This is common in money laundering organisations, where money and crimes are done through a series of mule accounts - making the individual at the "head of the snake" costly and hard to identify. It becomes too costly for police to investigate multiple events done by a chain of mule accounts. The standards of evidence required to do searches or compel people to interview are also difficult to achieve.
In 2023, whilst away, the ATO called me and said they had identified an attempt at a fraudulent tax return. It was identified as fraudulent and cancelled. I asked how this occurred with a password-protected account but this could not be answered. I asked for a new tax file number but was told that wasn't possible.
Later in 2023, our phones were ported to a newly created Telstra account - although we had alerted Telstra to being at high risk of fraud and a previous SIM port attempt in 2022. Two phones were ported from two different accounts, one whilst I was on the phone to Telstra. This gave the person access to SMS codes to get access to emails and bank accounts. It is important to note that for domestic violence victims (who may leave the house without all their identity documents and a mobile number on a family account) it is important to be able to get a prepaid account or even move your number across. However, porting a post-paid phone to a prepaid account without identifying that the person has proper ownership of that account using full 100 points of ID or similar - is a breach of the Telecommunications Act. At this time, Telstra has stated it is not liable and has done nothing wrong.
Telstra's lack of action (not flagging our account as high risk, not adding precautions as we had requested, and not following the Telecommunications Act) resulted in a cyber-attack which we battled for over 24 hours. We lost access to our phones and contact with family and friends for over 3 days. We lost access to our business systems for us and our staff for several days. This resulted in a substantial business loss. Telstra recommended new mobile numbers, which they offered to pay the subscription on for 6 months. We took these, but these were prepaid and they started being charged for within one month (and not 6). The porting of our SIMs (on newly purchased phones) resulted in invoices to pay out phone contracts being generated. Telstra waived the invoices when we complained.
This was essentially our own data breach. We acted appropriately. We investigated access on our business accounts, and we were able to identify that this had just targeted us and not our clients or staff, fortunately. What they accessed on our private emails we will never know. But this confirmed that the cyber attack and identity fraud were therefore of a personal nature. This event was essentially a form of ongoing harassment by identity fraud. If indecent images or bullying of a minor had been involved, the police may have taken this further - but there are limited actions / protections currently available for this sort of harassment - and our police don't see a positive cost-benefit analysis of following up such cases. So in NSW our investigation was eventually closed. Our case was never referred to NSW Cyber police or Federal police.
As a result of this attack - bank accounts were accessed and money moved - which we recovered. Police investigations showed these monies went to people also impacted by identity fraud - however, these individuals did not want police involvement or investigation into their identity fraud. So these were likely mule accounts either willingly or unknowingly done in these individuals' names.
We therefore decided to change our names. This was a costly and time-consuming exercise.
I applied for victim support through the NSW government. This was denied - as my harm was not physical and I wasn't the victim of a violent crime. This seemed odd given, in many states and in the guidance on NSW sites, harm can be psychological and from one event. I wasn't even allowed mental health support.
We notified all bodies of our change of name. Our cards were reissued in our new names as well as licences and passports.
On one card the name was changed but not the card number, and this meant one transaction went through, but my preventative actions meant the transaction was rejected by the bank and the money bounced back. This was investigated and found to be linked to a mule account with over 150k. The individual whose name was used to set up this mule account did not want further police investigation. This was likely a money laundering account.
Things then went quiet and we felt that our name change had been effective. But then we started getting emails from mule accounts making threats to terrorise us. We blocked these. We got new phone numbers and new emails. We gave the details of these emails to the police. No further investigation was possible as they were deemed likely sent by mule accounts.
We notified the ATO of our name changes - but at this time the ATO system was not able to link properly to the NSW BDM site - so it was not an easy or quick process, and I made a complaint to the ATO via the Treasurer. But we did finally get the name change made. A lack of ATO shop fronts (there are none now) also hindered being able to do this quickly.
In September 2024, I was advised by my accountant of a notice of assessment processed by the ATO. This was chased back to a tax agent in Perth. I contacted Western Australian police and submitted a WA police report that had to go through the NSW police. It took over 6 weeks to be processed by NSW and sent to WA. The WA police contacted me and asked for all information I had. Unlike the NSW police, this went to the WA state-based cyber fraud team and they investigated every event in some way. They also notified us that this appeared to be more a case of cyber harassment done using identity fraud than a case of identity fraud. They didn't see these as individual fraud events done by a fraud syndicate. They saw this as likely a personal targeted campaign by someone who likely had access to, or was part of, this syndicate. Our fraud events had connection to IP and other identifiers in Sydney, Qld, WA, and Victoria. Our investigations had shown events associated with individuals based around Bondi and western Sydney, where previous individuals associated with mobile numbers used in our ID fraud were known to be based. Given this group's ability - I felt I was at threat again now my new name had been released. I emailed and called to confirm what data had been leaked - I got no reply. I asked again how a password-protected ATO account was AGAIN accessed. I was told they couldn't identify how but it was likely a rare event! Not for me it wasn't - with over 4 unauthorised access events in 2 years on a locked account.
So I changed my name again. It has now been over 1 year and I have had no further events. Individuals (my investigations had identified as either associated with mule accounts or potentially directly involved) are now mostly in jail on unrelated charges.
I still worry that some may be watching us and our movements - but we have also taken steps to limit their ability to harm us - unless they directly approach us. The impact of over three years of identity fraud has affected my family and myself greatly.
However, these events have also affected many others with financial losses - banks and businesses. I've learnt that such losses are priced into the everyday costs of goods - which get passed on to all of us, and the criminals rarely pay and are rarely caught. It costs more to identify them and prosecute them than the monies lost in most cases. So protection and prevention is the key.

It became obvious that the password protection imposed by the ATO does not work. The ATO system completely failed me as follows:
There is a Human Cost to this as follows:
The ATO claims “no liability” and says that essentially they did the best they could.
This is not just my story — it reveals a serious systemic weakness in ATO security for high-risk accounts. Protections that should have worked failed, while fraudsters bypassed them easily.