Personal #InfoSec heads up. This is my story of #identity theft. I hope it helps you avoid the hellish experience. In early December 2025, I fell for a very well-executed #phishing #fraud scam.
They pretended to be from security at my bank. They knew much more about me than I would ever expect. That was key to convincing me to stay on line. When I say “they” I’m talking about several individuals who role-played (excellently) security, managers, customer representatives. I stretched out the conversation because something seemed off. I had no evidence. I don’t want to go into too much detail, but at one point I detected a slight hesitation or nervousness in one of their voices. I told them I needed a personal moment and put them on hold.
I called a guy at the bank who helps me with my retirement funds, told him the story and asked for help verifying what was going on. Within two minutes he said it was a hoax and he had real bank security on the phone with us. They wanted me to play along while they were online, looking for various clues and hoping to catch the bad guys in the act. It worked. The bad guys were in the process of transferring out everything in my accounts. It would have been a crushing DISASTER if I did not have the bank’s real security hoaxing the hoaxers! I lost nothing but time and personal esteem. The aftermath has been more painful.
It has been months since my complete identity information was stolen. I had to change every bank and credit account number, kill several email addresses I had used for decades, change all passwords, inform #SSA, #Medicare, insurance companies… the whole package. I’m not done. I consider myself lucky, so far. It will never be over. I realize that protecting my identity is a constant battle.
I think it started when my info (OGE Form 450) was stolen when the #US government general administration office was hacked in 2008 (?) and virtually all employees’ financial disclosures were stolen. They gave us lifetime monitoring service which has been pretty good. It spotted and reported to me multiple break-ins and data thefts over the years, including when my info was for sale on the “dark web”. I want to emphasize that I responded EVERY TIME. Nevertheless, my info from various thefts was obviously collated over time and now there is a good solid model of me for sale, complete with private information I thought I never disclosed.
This can easily happen to anyone, including you.
Everything I learned about personal infosec over the years — **advice I followed** — proved to be insufficient. I’m now looking into hardware passkeys, but that is not enough. I welcome professional #infosec and others to comment here. It is a teachable moment for all of us.