Can Anyone Give Any Advice Regarding Identity Theft?

TLDR
Spouse nearly got scammed. Scammer has all personal details and license number and has started opening bank accounts using info. What do should we do to stop it?

Details:
My spouse received a call on their personal mobile from Afterpay. The caller ID was another mobile number.
The caller said their had been some fraudulent activity detected on the account and they asked for all the personal details to confirm identity.

Spouse is suspicious so refuses to give any info. The caller then states my spouses full name, including middle name, address and obviously knows phone number.

They then explain they are going to send them a verification code by sms. A code is received which my spouse gives to the caller.
Call ends and basically straightaway my spouse realises they have been scammed and the verification code was one to authorise a purchase.

They contact Afterpay who confirm a $900 purchase from the Good Guys. The Afterpay account is then disabled and Afterpay confirm the credit cards on the account. There's two cards on file and only one belongs to my spouse.

Obviously the Afterpay account got hacked somehow.

Incident reported to crimestoppers on the advice of Afterpay. Follow up call from local cop shop says watch out because there has been identity theft reports in our area from mail getting stolen.

We reported the transaction to the Good Guys with the order number afterpay had.

Today, about 2 weeks later, spouse receives a 86400 debit card in the mail. They havent opened an account.

86400 freeze account and report to fraud department. They confirm that a driver license or medicare card mustve been used to open account.
That means the scammer must have the license number or the Medicare number as well. You dont need the physical license to open an account, just the number and the cards have never been lost.
The email used was spouse full name @gmail.com

86400 advised reporting this to the police too, so thats now been added to the original report.

Now I'm thinking that because 86400 is just a visa debit account, there needs to be money in the account to make any purchase so the scammer probably wants a bank statement to start building 100 point ID. Thats my guess.

It seems a bit amateurish to open an account when you know a physical card will be delivered 5-7 days later potentially alerting the victim.

Service NSW confirmed that no one has attempted to change address on driver license but apparently theres no point in getting a replacement license because the license number will always be the same, only the card number will change.

We've filled out the request for help with IDcare.

Passwords have been changed in all other accounts.

Theres nothing of note in haveIbeenpwned.

We dont know how the Afterpay account got hacked or how they got the license number.

We're worried about identity theft, got any advice?

Comments

  • +2 votes

    Sorry to hear this :(

    Have all your credit cards, debit cards reissued.

    Register for ServiceNSW if you haven't already and set up 2fa - to stop scammer potentially setting it up with your spouse's details.

    Maybe reissue drivers licence anyway, with an updated photo so you can at least track the usage of the older photo/licence details.

    Reissue medicare card, only changes expiry date and card issue number, but at same time you can separate scammers usage from your spouse's legitimate usage.
    https://www.servicesaustralia.gov.au/individuals/services/me...

    Rotate all your online passwords again weekly, for at least a month or so.

    Good luck OP.

  • +5 votes

    Moneysmart has a checklist of things to do when your ID is stolen

    https://moneysmart.gov.au/banking/identity-theft

    Other things that I think might be helpful is to also lockdown your social media pages — set everything to private, including Facebook, LinkedIn so as to remove any clues to things like Secret passphrases or Secret Questions

  • +4 votes

    Only thing I can think of is. If someone calls you, tell them you will call them right back on the number on number on the website (make sure you hang up properly then call the number on the real website, not the google ads). Whenever people want to call me to talk about financial details I am not interested, will call back. You can't be sure who it is.

    Drivers licence and medicare together would be part of your 100 pt check, your partner might need to look back on recently where they showed both documents or one document (especially drivers licence) which might narrow down where the leak came from.

    Best of luck. Pain in the bum these scammers.

    • +2 votes

      If someone calls you, ask for a reference number to get back to them quicker and tell them you will call them right back on the number on number on the website

      Added an extra point to save some time if it's a legit call.

  • +1 vote

    In addition to this, try to get regular credit checks throughout the next few years to ensure there isn't anything new created (and it doesn't impact you negatively). Also do not pay for anything if debt collectors come, apparently they'll try to ask you to "pay a bit to buy time and then you can deal with it later" which is a tactic to try to get you responsible for the debt.

  •  

    Was it a Citibank Credit card they used

    •  

      No, BankWest credit card they've had for years

  •  

    That's why I never answer any mobile or land line numbers I haven't saved onto my phone first, I just let them ring out and if its important they always leave a message.