Few people know more about identity theft than Brett Shannon Johnson, a convicted identity thief who was once on the Secret Service’s Most Wanted list. Johnson made millions developing online fraud techniques and creating two major online crime syndicates, before getting busted (several times) and spending more than six years behind bars.
“I didn’t care who the victim was,” Johnson said. “I always tried to justify it. I told myself, I’m not ripping off the person, I’m ripping off the store or the government or the bank… and they could afford it.”
He went by the nickname Gollumfun and the Secret Service dubbed him the “Original Internet Godfather.” After he was busted in 2005, Johnson agreed to a get-out-of-jail offer. He would work for the Secret Service as an informant fighting cybercrime.
Still a criminal at heart, Johnson decided to moonlight. He worked for the feds during the day and committed ID theft at home in the evenings. When the Secret Service discovered the deception, Johnson was rearrested.
When he got out on bail, Johnson bolted across the country. He was caught, went to prison, escaped and got caught again.
A federal law enforcement official familiar with Johnson’s criminal background confirmed his story, though the Secret Service did not respond to a request from NBC News for an interview.
Now 47, Johnson lives in Alabama. He says he’s sorry for what he did and claims he’s turned legit. His consulting company, AnglerPhish Security, specializes in fighting the crimes he helped perfect. He talked about his crime spree and shared his insight into the criminal mind with NBC News in a series of one-on-one telephone interviews.
Anyone can do it
Johnson’s life of crime started at the age of 10 with shoplifting. As he got older, he moved to insurance fraud. A payout from a phony car accident financed his first wedding, in 1994.
Online fraud was just the next step — scamming people on eBay by selling non-existent merchandise. Finally, he transitioned to identity theft.
Johnson claims to be “the idiot” who figured out how to use the internet to commit tax refund fraud. He discovered that it was easy to file a return and request refunds for dead people who had not yet been reported as deceased to the IRS.
It took him about six minutes to file a bogus return and he would make as much as $6,000 a week this way, he told NBC News.
“Cybercrime is not rocket science anymore. It’s extremely easy,” Johnson said. “These days someone who has no experience at all can take classes on how to commit these crimes. He can buy tutorials. He could partner with other people and commit these crimes. All the tools they use are basically off-the-shelf products.”
Stolen Social Security numbers and birthdates are readily available on the dark web for just a few dollars each. Armed with those two numbers, a crook can buy a background check that provides enough information to access the target’s credit report.
“Once you have that credit report, you basically have the entire identity profile of the person you want to victimize. And at that point, doors swing wide open and you can order replacement credit cards, set up new bank accounts, take over existing accounts or commit tax fraud,” he explained.
Identity theft still isn’t taken seriously
Identity fraud is a serious and growing problem. In 2016, a record number of Americans, 15.4 million, were victims of identity theft, according to the 2017 Identity Fraud Study by Javelin Strategy & Research. Account takeover, an especially damaging type of identity fraud for consumers and financial institutions, grew by 36 percent, resulting in losses of $2.3 billion, the study found.
“It’s going to get increasingly worse before it gets better,” Johnson predicted. “And I’m not sure it’s going to get better because of the ease of entry into cybercrime.”
An endless string of data breaches has provided crooks with massive amounts of personally identifiable information (PII) — such as Social Security numbers and birthdates — that cannot be changed and never expire. The Equifax breach will make it even easier for identity thieves, Johnson told NBC News.
“Before this, a criminal would buy information and he was never sure if it was correct. With the Equifax data you now know everything is correct — and that is priceless to a criminal,” Johnson said. “You can file false tax returns, take over Social Security accounts, file for student loans, take over a credit account or open a bank account. Any specific thing he wants to do, he’s now able to.”
Neal O’Farrell, executive director of the Identity Theft Council, agrees that the problem will get worse and the number of victims will increase unless companies, individuals and the federal government get serious about tackling this crime spree.
“After the Equifax breach, I was talking to some members of Congress about the possibility of new laws that would make a credit freeze mandatory for life; something that would be easy to switch on and off,” O’Farrell told NBC News. “All that [urgency] has gone away in just a matter of a couple of months. Can you imagine if after the Equifax breach a million people marched in Washington demanding change in the credit bureaus? We would have that change now. Unless we can find a way to get consumers mad as hell, nothing is going to change.”
How to protect yourself
Assume your personal information has already been compromised — it probably has been — and take proactive steps to fight back. Johnson suggests these three steps:
- Freeze your credit files at Equifax, Experian, and TransUnion
This will stop criminals from opening new financial accounts in your name.
“Make sure it’s frozen, because some of these credit bureaus sell a monitoring service. They like to say that it’s frozen, but it’s not,” Johnson said. “You need to make sure that the accounts are frozen, so the only way someone can request credit is if you lift that freeze.”
You may have to pay as much as $10 to freeze each account and you’ll need to pay again to unlock it, if you apply for credit, but this is the only pro-active step you can take to protect yourself. (Note: Victims of identity theft who have filed a police report can freeze their credit files for free. In many states, seniors can also do it for free.)
- Freeze your children’s credit files
Children are prime targets for identity theft because they have a clean credit file and impersonating them can go on for years, until they’re old enough to apply for credit.
Freezing a minor’s credit file may not be easy and you’ll need to work with each credit bureau to do it. But ID theft experts contacted by NBC News agree that it’s something parents should look into.
- Monitor your accounts
A freeze won’t stop criminals from gaining access and taking control of existing accounts, and it doesn’t stop tax fraud. Credit monitoring cannot stop identity theft — it can only flag the crime — after it’s happened. (If you’re offered free monitoring after a breach, you might as well sign up.)
That’s why you need to actively monitor all of your accounts: email, bank, credit card, any other financial accounts and social media. Look for anything suspicious.
Get a free copy of your credit report from Equifax, TransUnion and Experian. You’re entitled to one every 12 months. Go to www.annualcreditreport.com to start the process.
And put alerts on your credit cards and bank accounts. That way, you’ll get a text or email every time certain things happen, such as an ATM withdrawal, foreign transaction, or card-not-present purchase. This can help spot a problem in real time.
O’Farrell at the Identity Theft Council hopes everyone will follow Johnson’s advice.
“If you’re not going to listen to a cop, listen to a robber,” O’Farrell said. “Freeze your credit, stop using weak passwords, do the things that you’re supposed to do to protect yourself, and maybe we can slow down these just guys a little bit.”