When I launched the Identity Theft Council nearly 15 years ago, I was amazed at how many identity thefts started with the purchase of a car. In fact, one of the very first cases I investigated involved the purchase of a $60,000 Lexus straight off a dealer lot.
A follow-up investigation revealed that the thieves targeted a young and inexperienced salesperson who was so excited and delighted at making such a massive first sale, he didn’t spot, or simply just ignored, the fact that the identity being used was of a partially blind 84-year-old pensioner who hadn’t owned a car in 20 years.
I’ve met a lot of identity thieves through the years, and one in particular had a fondness for buying cars using stolen identities.
He was also an amateur psychologist and fascinated with human psychology and social engineering. He believed that the best identity thieves, the most successful ones, were also the best social engineers. Capable of predicting and influencing human behavior and setting up the theft to take advantage of that anticipated reaction.
He said once that it’s usually very easy to spot an identity thief just by their behavior – not by what they do, but what they don’t do.
Here’s a paraphrased summary of what he shared with me:
“Think about a normal car purchase. Most of the behavior a typical purchaser will exhibit will not be exhibited by an identity thief.
Think about this. Purchasing a car is the second biggest purchase most consumers will make after a house. The average new car transaction is close to $50,000. So they usually take their time. Identity thieves, on the other hand, want to get out of there as quickly as possible so they’re not caught.
A real purchaser will usually procrastinate:
- Is it really the model I want?
- Is the timing right for me?
- Can I justify spending that much money and can I afford that payment?
- Do I prefer this color or that color?
- How will my insurance change?
- What extras and add-ons do I really need?
- Current year or previous year, maybe I’ll just get a slightly used and certified model?
- What about a tow hitch? We’ve been talking about buying a boat.
- Will you give me a loaner when I have to get it serviced every 12,000 miles and so on.
They might talk about their previous car or cars, they’ll usually spend a lot of time on the lot, and quite often not even want to make a purchase on their first visit. They might want to know about warranties and extended warranties, what’s covered, will servicing be included, what about free car washes, what about financing, and are there any specials or discounts, like for veterans or students.
An identity thief will usually do the exact opposite. They’re often interested in purchasing the most expensive car as quickly as possible, they’ve already done their research, and their focus is on just one car. They don’t usually care about the extras and add-ons, or procrastinate about the color, they nearly always want the newest and latest and biggest and most expensive.
They rarely spend much time on the lot, they don’t look at other models, they’re not interested in negotiating, and they’re not trying to get you to drop the price. Nothing’s too expensive or too much, they want it fully loaded but don’t ask how much that full load will cost.
Most legitimate customers are also excited and even emotional about the purchase and looking forward to enjoying their new vehicle. Most identity thieves don’t display the same emotional connection.
They’re not buying the car to own it or drive it, so they don’t ask or care at all about depreciation, performance, reliability, resale value, or maintenance and service costs. And they’ll rarely ask about a cooling-off period, what their options are if they suddenly have a change of heart.
And while a legitimate purchaser will usually be stumped to explain an inconsistency on their credit report or supporting documentation, an identity thief will usually have a very quick response, even if not a particularly convincing one. But simply evidence that they’ve anticipated that question and have practiced their reaction.”
From 40 years in cybersecurity, and 25 years in identity theft, one of the most important lessons I’ve learned is how much we need to learn from the enemy. By simply talking to identity thieves, who are usually very big talkers, we can learn so much not only about them but how they perceive us, the target, the mark.