The Business of Exploiting the Dead

An old crime with new variations

February 2010


Of all the identity theft cases he has worked, Larry Wilson says the ones involving the deceased are the toughest. Surviving wives, husbands and children are already grieving their loss. When they discover that their deceased loved one’s identity has been stolen by a con artist, some find the pain and anger too much to bear.

“These people just lost their husband or wife,” says Wilson, founder and director of the Identity Theft Victims Support Group of North America. “They’re already having a terrible time, and then they start getting all these calls from collection agencies, which can get very, very nasty. It’s sad to see.”

Stealing a deceased person’s identity is perhaps one of the oldest forms of identity theft. Classic stories of one person stealing the identity of another often involve the great themes of literature: a pauper posing as a prince to win the hand of a princess, or a son of nobility escaping the duty of war. But in the 20th century, identities came to have financial value as well. The creation of a national income tax in 1913 meant that the U.S. government needed to track the identities of its citizens to assure that they were working the jobs they claimed, so they could be levied the appropriate taxes. Assuming the identity of an unemployed person, or a dead one, became a simple way to avoid paying taxes.

The creation of social welfare programs in the 1930s, including Social Security, and the later addition of Medicaid and Medicare, added new systems of identity tracking by the government, and new incentives to steal the identities of others – either for tax evasion, or to steal the benefits of someone else.

With each evolutionary step away from gold and paper currency, financial institutions also bestowed monetary value on individual identities. Early on, check kiting became a lucrative way to buy goods fraudulently by presenting oneself as someone else. The value of stolen identities multiplied in the 1950s when Diners Club and American Express created the first credit cards, which in many cases did not even require a falsified government ID to make bogus purchases.

Different people value the identities of the dead for different reasons, however. One reason is that a living person hopes to shed his old identity completely and live his life under the name of the deceased. This is the most intimate type of identity theft, and it has its own name: “Ghosting.” Many people who engage in ghosting are convicted criminals who hope to escape their rap sheets and begin a new life.

One recent example is former Serbian leader Radovan Karadzic, who took the name of Dragan Dabic, a Serb killed in Sarajevo in 1993 by military snipers directed by Karadzic. To escape prosecution for war crimes, Karadzic stole the dead man’s name from a database of missing Serbs, and used it to take up a new life as an alternative medicine healer. Karadzic was arrested in July 2008.

“In ghosting, you want to become that person,” says Kevin Paget, a Law and Science Fellow with the National Clearinghouse for Science, Technology & the Law at the Stetson University College of Law. Paget researched ghosting and other forms of identity theft involving the deceased. “The biggest advantage of a dead person versus a live person is the dead person is going to offer up a lot less resistance.”

Federal laws do provide a modicum of protection from identity theft to survivors of the deceased. They also create little-known vulnerabilities. Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), a deceased person’s medical records may only be released to a) the personal representative assigned by a court or named in a will to settle the person’s affairs, b) a funeral director or medical examiner, or c) a relative, if the information could possibly impact that relative’s health. Violations are punishable by up to $50,000 in fines and a year in jail.

But it’s that last provision, about relatives, that could provide an opportunity for crafty identity thieves to take advantage of family members’ deaths. Say for example that the deceased person suffered from diabetes, a disease that is often hereditary. Under HIPAA, a family member could call the hospital and legally obtain the dead person’s medical records simply by saying that they have diabetes or pre-diabetic symptoms (which together affect 80.6 million Americans, according to the American Diabetes Association). The family member could then use the deceased’s Social Security number, credit account numbers and medical ID number to obtain medical treatment without facing any penalties under HIPAA (though identity theft laws would still apply).

Identity theft is often perpetrated by someone close to the victim. Without realizing it, Congress may have created an obscure new avenue for identity thieves to obtain Social Security numbers and other important identity data that didn’t exist before HIPAA was created.

Another major federal privacy law, the Health Information Technology for Economic and Clinical Health (HITECH) Act, also offers protection with caveats. Signed into law by President Obama in February, HITECH requires institutions to notify next of kin if a deceased person’s identity information is stolen or lost in a data breach. But institutions only need to send out notification notices if they know that the individual is deceased, and if they already have the address of the next of kin or personal representative, according to an analysis by Barnes & Thornburg, a large corporate law firm headquartered in Atlanta. An institution is not required to figure out whether anyone mentioned in its lost data is deceased, nor is it required to obtain contact information for the next of kin if it did not already have that information when the breach occurred. This means that relatives of the deceased may be held responsible for credit charges they know nothing about, and can’t even take steps to clear their names or rebuild their own credit ratings until they start receiving notices from collections agencies.

This is the perfect example of why it’s important to carefully organize your financial documents and to have a will, no matter your age. If your bank loses your personal information to a hacker after you die, your family may never find out until the stolen information is being used to raid their bank accounts. But if they have a schedule of what credit accounts you opened and when you opened them, they may be more sensitive to news alerts about data breaches at your credit card company and use that information to find out whether they’re at risk. Providing family members with a clear roadmap to your finances is an easy way to help them protect themselves.

Other cases of stealing the identities are even more straightforward. Michael Puopolo suffered a heart attack on March 25, 2008 while he was sitting in his car. He was transported to emergency room at Sentara Bayside Hospital in Virginia Beach, where he was pronounced dead.

Six hours later, a nurse from the emergency room, Matthew Wiseman, appeared at a Best Buy store. Wiseman, still dressed in his hospital scrubs, used Puopolo’s Visa card to buy a laptop for $1,800, prosecutors told the Virginian-Pilot newspaper. Wiseman pleaded guilty to credit card theft and credit card fraud. He was sentenced to a month in jail and eight years of probation.

“It’s pretty common that they go into a Wal-Mart or some big box store, buy a TV or some piece of electronics, and sell it on the black market for cash,” Wilson says. “That’s the simplest way to do it.”

These simple cases are often crimes of opportunity. For years, Ralph Lee Guttormsen lived with his roommate, Robert Sterling, in Monterey, California. When Sterling died of medical problems in the home in 2002, Guttormsen assumed his roommate’s identity. Using his friend’s driver’s license, Guttormsen opened credit cards, withdrew money from Sterling’s bank account, and cashed checks using Sterling’s identity “all over the Monterey Peninsula,” Thomas Uretsky, police commander for the city of Pacific Grove, told the San Francisco Chronicle in March, 2006.

The scam lasted for four years. Guttormsen was able to get away with it because he didn’t open any new accounts in Sterling’s name. Doing so would have raised alarm bells with financial institutions, which check the Social Security Administration’s “Death Index” to make sure that a person is still alive before issuing him a new credit account. But by using an existing account, Guttormsen flew under the radar until he was pulled over by police for a traffic violation and offered Sterling’s driver’s license as his own. 

“In many cases, ghosting doesn’t look much different than other forms of identity theft,” Paget says.

Other scams are more sophisticated. Some thieves find the records of multiple dead people, either by reading newspaper obituaries or consulting the Social Security Administration’s Death Index. They combine the names of the dead with Social Security numbers and other identity information from other people, living or dead, to create new, synthetic identities that are difficult to track.

“Most of the cases we see involving dead people are synthetic identity theft,” says Gina King, Manager of Fraud Operations for Identity Theft 911. 

Armed with stolen credit card numbers and other information, thieves can use online stores to test whether the credit card numbers they’re using have sufficient credit in their accounts to make purchases.

Testing is also important because of new federal Red Flag rules, which require companies to stop and check a credit application if it raises warning signs of identity theft. “Especially now, the test buy is important because stores and creditors have to pay attention to red flags,” says Eduard Goodman, Chief Privacy Officer of Identity Theft 911. “If a person is deceased, that’s a big red flag.”

If the thief finds an apt victim, it touches off a buying spree to obtain merchandise that can be sold on the black market. These purchases are made as soon as possible after the victim’s death, before family members have a chance to report the death to creditors. This reduces the chances of getting caught. “Right when someone passes away is the most opportune time for criminals,” King says.

People don’t always steal the identities of the deceased for strictly financial reasons, however. Some are just plain bizarre. The original version of The Paper Trip, a book published in the 1970s by a leftist publishing company called Eden Press, gave step-by-step instructions for underground activists on how to steal a dead person’s identity. Now in its third edition, the book urges people to resist Big Brother’s “Naziminded effort to control records” by creating “exactly the kind of Alternate Identity you need.”

The purpose of this new identity is to help criminals escape prosecution. The Eden Press Web site covers this motive with the thinnest of fig leaves, saying that such a new identity will “eliminate problems from negative records” and allow people to “become ‘invisible’ to investigators who want to sue you.”

Few forms of identity theft are as old, or as varied, as stealing the identities of the dead. It also provides cover for crimes either traditional or bizarre, from standard credit card fraud to pedophilia.

In most cases, the impact on the families is the same: Huge legal bills spent trying to clear their credit histories of fraudulent charges, and thousands of hours wasted trying to salvage their loved one’s good name.

“I’ve seen relatives of the deceased spend thousands of dollars and the next three years of their lives fighting to recover from identity theft.” Larry Wilson says. “People attack them at their weakest point, which is absolutely sick.”

End-of-Life Planning Tips

End-of-Life planning doesn’t begin and end with purchasing life insurance. To ensure that your family isn’t victimized by identity theft after your – or a loved one’s – death, experts recommend that everyone take the following the precautions:

•  Use your power. As executor of your loved one’s estate, you can notify the three major credit bureaus that the person is deceased, get copies of their credit files, and ask that the credit reports be shut down. All it requires is proof that you are the executor, and a certified copy of the death notice. This will prevent anyone from using the decedent’s name to obtain credit. Quickly familiarize yourself with a schedule of the deceased’s accounts so you can protect the estate.

•  Consider placing a freeze on your credit file, especially if you don’t plan to make credit card purchases anytime soon. This is easier in states like Texas, which have “quick thaw” provisions in their credit freeze laws that allow consumers to call ahead and unfreeze their credit before they make major purchases.

•  Secure your documents. Make sure your identity documents are secure. Keep your birth certificate and passport in a bank safe deposit box. Keep all of your important records in a locked file cabinet, and make sure that your spouse or someone else you trust has a spare key. These basic precautions will help protect you while you’re living, and protect your family’s financial well-being after you’ve passed away.