This is the archive of CPA Now blogs posted on the PICPA website through April 30, 2025. Want more recent blogs?

Read current blogs

By Paul Pocalyko, CPA, CFF, CFE

We likely all know someone who has been either a target or victim of identity theft or some other form of loss related to the improper use of their personally identifiable information (PII).¹ This is a large data set that is related to your life, and this information can expose you to fraud and theft.

What many people do not realize is that your PII takes many forms that can be compromised by new techniques. Most people are familiar with the more common PII that we’ve been told to secure for decades: Social Security numbers, birth dates, addresses, credit card numbers, and bank account numbers. What is becoming more problematic are those areas of information that are typically not protected, are publicly available, and are often used in your daily work or personal activities. These include, but are not limited to, your drivers license number, your passport number, your personal and work email address, your cell phone number, your employee identification number, the places you lived or worked in the past, your high school, your frequent traveler numbers, your student loan information, or your doctor’s name.

I was recently at a cybersecurity event² where FBI agents and other professionals who specialize in these crimes provided an overview of the significant increase and sophistication of the criminal activity in the United States. My biggest takeaways were the following:

• Compromising data is a full-time job for these thieves.
• Identity theft and PII fraud is being conducted with a designed strategy.
• There appears to be an array of collaborative people throughout the world.
• It is highly likely that deep-pocket funders are backing some efforts.

Here is one crafty fraud event that came to my attention.

A consumer – we will call him John – was in the middle of a home purchase. John received a call allegedly from the title company that was working with the mortgage broker. They were confirming the transaction and requesting John’s email. They kindly noted that he would be receiving closing instructions via an email, with a hardcopy to follow by regular mail. The email arrived noting that money should to be wired to the title agent account prior to the closing. In a typical transaction, one brings a cashier check to the closing. John went to the bank to make the wire transfer two days prior to the closing. Fortunately, the banking officer suspected that this was improper and had John call the title company. The fraud was discovered, and the wire transfer did not occur.

How did the thief know about John, the home purchase, and the loan? It stated with the property records, which are public information. The thief had contacted the current homeowner, who confirmed who had purchased the property and who was handling the closing. The thief tracked home sale data, property records, and found John, the target.

There is no absolute method to secure all your PII, but there are several simple steps you can take to protect the misuse and deter fraud. Here are 10 suggestions:

1. Be careful with your personal and work email information; do not simply comply with email requests. Do not open suspicious emails. This can lead to penetration in your accounts.
2. Be extra vigilant when you are involved with a large financial transaction, including a home or car purchase, an estate, the transfer of money, refinancing, or a large consumer purchase. Large transactions are a main target for a thief.
3. Reconcile bank statements monthly. Many frauds start in small dollar increments and increase over long time periods, so know what you are paying.
4. Review your credit card statements monthly, noting any anomalies. Card-not-present fraud persists in the united states, so keep track of what you buy.
5. Restrict the dissemination of your important numbers. Know who is asking for the information and why. If it does not make sense do not provide it.
6. Create multiple personal email accounts for those times you are concerned about who is requesting the information. If you must provide an email do not use the same email that is linked to your work, your bank and your credit card accounts.
7. Shred any documents that contain any form of PII. Even magazine address labels have been used to compromise people’s identity.
8. Choose the option to avoid the receipt of any paper or other mail communication for any accounts, either banking, credit card, investment accounts, or other materials that include PII information. Paper documents allow for many types of PII theft.
9. Change your passwords on all accounts frequently and get confirmation of the changes. Passwords serve as a gateway to your accounts.
10. Do not put passwords on post it notes. Do not store passwords in an unsecure manner, such as leaving them in a desk drawer. Too often passwords are made readily available to thieves.

Employing some of the 10 techniques below will help you with early detection should a breach of your PII occur:

1. Set up push notices with your bank and credit card company that will send you emails or text messages for all transactions. This form of two-step or dual authentication3 helps confirm that banking activity and purchases are valid.
2. Set up notifications with your frequent traveler accounts to update you on any new activity.
3. Consider freezing your credit. This will prevent thieves from opening accounts in your name.
4. Obtain verbal confirmation from trusted employees of companies you deal with. Make confirmation calls to phone numbers that you know relate directly to the actual entity. Do not rely on what is provided in email communications.
5. Review your investment accounts monthly to confirm balances and that activity is valid.
6. Put your credit cards on vacation. When you go on vacation, call the card companies to let them know you will be traveling. This will create a flag to identify unusual activities should they occur.
7. Never provide personal information to anyone that simply requests it without knowing who and why the information is needed.
8. Check your credit reports at least quarterly to make sure information is accurate. Thieves will often apply for credit. While it may be caught and denied, you may know nothing of the event.
9. Check your health benefit activity on a regular basis since some thieves use stolen identities to get medical care.
10. Think like a thief. Secure your PII like it is money in your wallet or a new mobile phone.

¹ Personally identifiable information (PII) is any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another and can be used for de-anonymizing anonymous data can be considered PII. 

² https://cybersummitusa.com/philadelphia19/

³ “There are three generally recognized factors for authentication: something you know (such as a password), something you have (such as a hardware token or cell phone), and something you are (such as your fingerprint). Two-factor means the system is using two of these options." Eric Griffith, "Two-Factor Authentication: Who Has It and How to Set It Up," PCMag.com (March 11, 2019).

Paul W. Pocalyko, CPA, CFF, CFE, is with HKA in Philadelphia. He can be reached at ppocalyko@comcast.net.

To get more personal finance and small-business tips, subscribe to PICPA's Money & Life.