The President/CEO Continues to Recognize and Help Victims of ID Fraud
By Roy Urrico
Finopotamus presents InfoSec People Profiles, a series spotlighting individuals working in information security, cybersecurity and information governance to protect data and transactions at credit unions and other financial institutions.
Eva Velasquez, who has a long history of scrutinizing economic crimes, admits she did not take a traditional career pathway to the position she has held for a decade as president/CEO of Identity Theft Resource Center (ITRC). The El Cajon, Calif.-based ITRC, a national nonprofit organization, empowers and guides consumers, victims, business and government to minimize risk and mitigate the impact of identity compromise and crime.
“Let us put it that way. I actually never went to college and I never finished high school.” Velasquez explained that when she was 17, she became pregnant with her daughter and needed a full-time job. She began as a summer intern during her sophomore year of high school at the San Diego County District Attorney's office. After her junior year she dropped out and started as a temp legal clerk at the DA's office. “Fast forward, I spent 21 years there.”
Learning About ID Crime
Velasquez worked her way up the San Diego County District Attorney’s office ranks through different roles and civil service classifications and 10 years in, moved into the investigative tract. There she started probing economic crimes as a fraud investigator. “I spent the last 11 of those 21 years doing economic crimes investigations and I was exposed to identity crimes, but more importantly, I was exposed to how little we could do for victims of this crime type.”
Velasquez explained her office did not have anywhere to send the victims when they needed help. “My job was to get the bad guy, do the fraud investigation, get it ready for prosecution and help put the criminal behind bars.” She added, “I realized again very quickly just how few resources we put into helping these victims and how dismissive the system could be of their trauma and what they were going through.”
She went over to the Greater San Diego Better Business Bureau as vice president of operations for about five years, where she continued to aid with investigative practices, finding fraud patterns, and helping determine the difference between legitimate disputes and scams that needed to go to a law enforcement or regulatory agency.
The ITRC Finds a Leader
The ITRC, founded in 1999, searched for new leadership in 2012. Velasquez recalled the organization was not doing well. “I decided that I needed to take a chance on myself and on the organization (ITRC), because if it did not exist, where would people go? There is not any place else.” Since taking over as president and CEO she said the ITRC has quadrupled in revenue, size and scope. “We have a huge footprint and we're doing the work nobody else is doing for this victim population.”
“We're a 501(c)(3), it is a nonprofit organization, even though we are national in scope, we are still relatively small. There are 14 of us,” Velasquez said who does everything from determining the strategic direction of the organization to being down in the weeds and fundraising. “We wear a lot of hats.” Besides staying engaged with a very active board of director, connecting with outside individuals, both for fundraising and financial support perspective, she helps ITRC further its advocacy goals.
Velasquez explained the ITRC role in the information security space in addressing trends particularly around data breaches, which almost always involve a personal element. “We definitely have the role in cybersecurity of tracking trends, analyzing them, informing the public and decision makers, but then also informing end users, the individuals, for the most part, that want to do the right thing.”
The ITRC also issues data breach reports, which it has done since 2005. “That's not the only report we issue, and it's not the only research that we do, but it is the only one we use to leverage publicly reported information.” That reported data breach can come from a variety of sources such as federal agencies, various state attorneys general, corporate email blasts or website messages, and media coverage. “We have to have confirmation that the company itself has, in some manner publicly, acknowledged and reported this breach.”
The Human Element
Velasquez takes her role in information security seriously. “I actually really care about people and want them to be safe. That is my purpose. And it actually, selfishly, makes me feel very good about what I do with my life when I can teach people, answer their questions, give them a sense of both empowerment and a sense of security because they now know what they need to be doing.”
The ITRC advocates for the victims of identity fraud by raising awareness among lawmakers, decision makers and policy makers. “I have not seen a time when these folks are more engaged and more willing to listen and devote resources to this particular victim population,” Velasquez said.
ITRC focuses mainly on identity crimes because the way people use ID credentials, especially digitally, broadened in scope over the last 20 years. The ITRC president/CEO said originally the organization focused primarily on identity fraud, the actual misuse of credentials. But now it looks at data compromises since almost all data breaches, scams and fraud, have an identity component.
“It was really important for the public to have one place to go when it came to identity crimes and not just ‘what do I do?’ after it occurred,” Velasquez said. To that end, the ITRC offers free public education on just the basics. “Here's how you stay safe online. Here are basic cybersecurity practices. Because it is really confusing.” The ITRC also directs victims on getting free recovery services.
Specific Threats That Cause Sleepless Nights
What has Velasquez deeply concerned these days is the scope of fraud and how the entry has lowered considerably. She pointed to the identity marketplaces and the proliferation of information and resources available for cybercriminals on the dark web. “Not just the data, all of the programs, software, malware and guides on how to be an identity criminal. It is just there ready for purchase. You do not have to have any particular skillset, just a little bit of seed money in order to pull that off.”
Velasquez also voiced concerns about government platforms’ accessibility. “We have to remember that government services are essential services and the government cannot choose their customers, you need to have these essential services available to everyone. And that means that there has to be a digital off ramp for people.”
Velasquez said the off ramps needed for people who are not digitally capable may mean different channels, or someone to walk them through the process by phone or in person. “It is very broad and the solutions are going to differ from platform to platform and situation to situation. We have to take into account that not everyone can use (digital-only systems) as they are currently set up today.”
She noted, “Citizens should be able to avail themselves of those services and not have an undue burden placed on them to verify their identity. And yet a lot of our processes do. Because we seem to think if we get about 80% in government services, we are good. Well, no, we are not. You have to have processes everyone can use.”
Remember Those Impacted by ID Crime
Velasquez suggested financial service organizations need to show awareness of the victims of cybercrimes. “We have all of these financial transactions occurring, this money flowing back and forth, and that is great. It creates a level of convenience.” But when that goes wrong and particularly when there is some type of fraud involved in those transactions, she said it gets easy to forget there is a person behind that transaction. “That incident, that occurrence rate, maybe it is in your margins, maybe you feel great, ‘I have only got 4% fraud.’ ‘I'm not going to worry about it.’ But, those 4% of people are having their lives impacted sometimes seriously.”
Another point she made was opening accounts. “We saw opening of new accounts at financial institutions increased significantly (during the pandemic) because the fraudsters needed somewhere to park and then move the money, they were getting from all of the government identity crimes that they were committing.” While that seems like relatively low risk to the financial institution, it can have long-term implications on ID theft victims. “That's the piece that I would like all your readers to not forget, there's a person behind all of this data and these incident rates.”
Velasquez also encouraged organizations to take a look at idtheftcenter.org, which includes a resource center, publications and other information. In addition, the ITRC is always looking for help. “There are number of ways to get involved with us.” She explained the ITRC board is comprised of fortune 100 companies as well as solopreneurs and other nonprofits. “And of course, as a nonprofit, we are always looking for, for financial supporters. I would just encourage anyone take a look at our information and if there is a fit there to reach out and I would be happy to have a personal conversation with them.”