In 2011, agents from the Secret Service and the Internal Revenue Service, along with state and local police, launched Operation Rainmaker, a coordinated effort to bust a criminal ring operating in the Tampa, Florida, area.
Dozens of people were arrested, some of them well into the following year. Jewelry and luxury cars were seized. Many of the suspects were former drug dealers who'd found a more reliable, less risky way of making money — identity theft.
The scheme was simple: Gang members and accomplices obtained strangers' names and Social Security numbers from genealogical websites, medical bills and business records. They electronically filed false tax returns in the victims' names, and collected the tax refunds before the IRS knew what had happened. An estimated $135 million in refunds was stolen.
Your Social Security number (SSN) is the linchpin of your identity. It's what an identity thief most wants to steal, and the hardest piece of identification to replace. The Social Security Administration re-issues a new number only under extreme circumstances.
A valid Social Security number gives access to credit information, which is necessary to apply for new credit cards, request a loan or mortgage or open a bank account. In some places in the United States, an SSN is necessary for employment and to rent an apartment or house. (You're even asked to provide your SSN when applying for a U.S. passport.)
For an identity thief, obtaining a stranger's Social Security number is "like winning a lottery ticket," said Scott Olson, vice-president of product at Portland, Oregon-based fraud-protection company Iovation.
Here's how you can protect your Social Security number, what to do if it gets stolen and how to get a new one.
How to protect your Social Security number
There are several steps you can take to protect your Social Security number.
— Don't ever use all or part of your Social Security number as a password or PIN code. Any personal information that can't be easily changed, such as a Social Security number or a mother's maiden name, should never be used for authentication, said Adam Dolby, vice president of business development at Oslo, Norway-based Encap Security, which specializes in security for the banking and retail sectors.
— Don't carry your Social Security card in your purse or wallet. In fact, don't carry your card in anything that can easily be stolen. Instead, memorize the number and put the card in a safe.
— Don't ever email a Social Security number. Most email messages can be read in transmission. Instead, phone the person you're contacting, and get him or her on the line — don't leave a voicemail containing the SSN.
— Don't store electronic documents containing Social Security numbers on your computer, your smartphone or a cloud-storage drive. If you absolutely have to, then encrypt those files and folders so that information-hungry malware can't read them.
— Shred all paper forms that contain your Social Security number before throwing them out. Put the papers you keep — such as old tax returns and correspondence from the IRS — into a safe.
— If anyone you don't know calls and asks for your Social Security number, don’t give it out. Instead, ask the caller whom he or she works for, then hang up and call that institution directly.
— Review the Social Security statement booklet mailed to you every year. If it says you're making a lot more money than you do, someone else may be using your SSN for employment purposes. Register to get the statements at http://www.socialsecurity.gov/myaccount/.
How to keep other people from knowing your Social Security number
When the Social Security number was first devised, skeptics warned it would become a national identification number, used by non-governmental organizations to keep track of people.
That hasn't completely happened, but many businesses and organizations do ask for Social Security numbers when they shouldn't. Such practices make it harder for individuals to be sure their SSNs don't get into the wrong hands.
The fact that companies regularly ask for SSNs is a "real challenge for individuals," said Suzanne Barber, director of the Center for Identity at the University of Texas at Austin.
As a general rule, if the Internal Revenue Service isn't involved, you can refuse to provide your Social Security number. But while government agencies still have to provide services if you don't hand over your SSN, private businesses don't have to.
That means consumers can be strong-armed into disclosing their SSNs, said Bryan Hjelm, vice-president of product and marketing at CSID, an identity-theft-protection provider in Austin, Texas.
In such situations, Barber said, it might be best to ask the business why a Social Security number is necessary.
"Ask them, 'What other data could help you feel confident about my identity without giving my SSN?'" Barber said. "If you want to get tough, ask, 'Are you willing to ensure that you will cover liability and even my losses in time and money if the SSN you collect is compromised?'"
It's critical that parents protect their children's Social Security numbers, especially at the doctor's office, Barber said. (Many children are victims of identity theft.) In most cases, a doctor's office will be happy to use a parent's SSN, or even just the insurance account number, to collect insurance payments.
Some banks and credit card issuers may ask users to verify the last four digits of their Social Security numbers as a form of authentication. This isn't as bad as it sounds, Hjelm said, since the company should already have the number on file.
But if the entity asking for this information wouldn't already have your Social Security number, then that's a warning flag, and you should refuse to provide the last four digits, Hjelm said. For persons born before 2011, the last four digits comprise the only part of the SSN that is truly unique to the individual.
Some banks allow users to put a note in their files that Social Security numbers should never be used to verify identity. That protects both the bank and the customer, and if someone does try to use the SSN, it would trigger a fraud alert. It's worth asking your bank whether it offers that option.