Get Access to Print and Digital for $23.99.
Subscribe for Full Access
May 2018 Issue [Essay]

Seven Years of Identity Theft

An epistolary sequence

Dear Most Honorable President of Nigeria, Muhammadu Buhari,

It all started at the Crossroads Literary Festival in Macon, Georgia, on October 2, 2011. Or that is my guess. I was at the festival to give a reading and serve on a panel, and I had flown a great distance, from El Paso, Texas, to be there. I suspected the festival would be modestly attended, and in this I was not wrong. I read to an audience that was both warm and small.

Illustrations by Hanna Barczyk

Here is the relevant part of the story. In the middle of the afternoon in Macon, between events, I decided to find a cash machine. I wandered down a major thoroughfare looking for a bank, or deli, or convenience store—and at one end of the street, I found my quarry, an outdoor cash machine that would readily suck my ATM card into its viscera. I withdrew $200 or so and, in my haste, immediately hurried away from the machine. I found a cab, climbed in, traveled to the airport, padded down the tedious airport corridors to the plane, boarded the plane, and laid over at DFW.

Was it in the middle of the second flight that I realized I’d left my card in the ATM? I had a moment of clarity about my own powerlessness, the total impotence that comes from being aloft and beyond the reach of telephony and its customer-service buffet. My debit card was perhaps still sitting in the slot, waiting for the grifters and panhandlers and bunco artists of Macon to come by and snatch it up, after which they could do with it whatever they pleased.

It is possible that this was the beginning of the theft of my identity, Your Excellency. I have arrived at this supposition because it was only a week later that my brand-new replacement card was rejected at a ­MetroCard vending machine in New York City. Then, soon after, the card was rejected for an online transaction. In due course, a visit to my bank revealed the problem: my card had been deactivated because of fraudulent transactions.

The seizure of my information may have begun even earlier than my trip to Macon. I say this not because I have hard evidence of the police-procedural sort, but because I have learned that one casualty of identity theft is the traditional association of criminal activity with narratives that have beginnings and endings, victims and perpetrators, and a shapely trajectory of justice. Identity theft is much more slippery. So I cannot be certain that losing my ATM card in Macon first turned the screw of fraudulence in my life. On the other hand, the crooks who found their way into my checking account in 2011 did so right on the heels of my trip to Georgia. It makes for a reasonable theory.

Within a few weeks of the first hold on my checking account, I had a second hold. The perpetrators had tried to get additional ATM cards in my name mailed to them. I had to cancel multiple cards. I had to close my bank account and then reopen it, after which there was the laborious process of informing various parties that the checks I had written them might bounce. Some of those checks did bounce. For example, a check made out to my daughter’s day care center bounced, and when I explained the whole business to the director of the facility, she observed that, alas, my identity theft was not her problem. She felt for me, but I would nonetheless be dinged an additional $50. Your Excellency, this was just the first of many opportunities I have had to pay good, hard-earned cash in my capacity as the victim of a crime.

In researching online, I learned that I should keep a log of events relating to my identity theft, as per the Federal Trade Commission. The resulting document more or less bulges with criminal ingenuity.1 Within a week or two of the initial theft in October, an ETrade account was opened in my name and then quickly closed. (I didn’t even know what ETrade was.) The sum of $5,000 was debited from my checking account in early November, then restored by Citi­bank. In January, my AOL account was repeatedly hacked, as was my Gmail account. In early February, my Amazon account was hacked, then closed by the company. That same month, my American Express card was hacked, and the perpetrator tried to purchase $8,000 worth of merchandise on the Walmart and QVC websites. Around the same time, my new Gmail account and my PayPal account were breached as well.

As you can see from this catalogue, in those days I was a guy who occasionally used products authored by the multinational corporation known as Google. It is very difficult not to use products by Google, even if you come from the dark ages of dial-up, as I do. And it was on Gmail, when the first wave of identity theft crested over me, that I began to have an unsettling experience. Not only would I be locked out of my own email account, but somebody else would be using it—and the whereabouts of that person would be indicated to me in a bright red box on my Gmail screen. As you have probably guessed by now, President Buhari, I would often discover that the user manipulating my account was in Nigeria.

How did your countrymen get my information, Your Excellency? I asked this question of a friend, David, who has long worked in a private detective agency and is well versed in such things. He could not tell me precisely how the information was seized, of course. But he observed that in general, personal data plundered online is most often employed very rapidly. The store is open for business, as it were, for three to six hours, because that is about how long it takes for someone to realize that his or her credit card is being used fraudulently. During this brief span, the thieves favor large, pawn-worthy electronics purchases: televisions, laptops, car stereos, and the like. Then, when the three-to-six-hour window closes, they usually move on.

But the process doesn’t end there. Once a credit card goes cold for a particular thief, my detective friend told me, the personal data is sold, whereupon someone else with energy and resources tries to employ those zeros and ones anew. Perhaps someone from Nigeria.

It soon became obvious that whatever was happening on Gmail was happening so quickly—the malefactors seemed to possess my new passwords the moment I created them—that it was almost as though they were reading over my shoulder. The IT experts out there already know where this is going, so I will make it plain: the identity thieves were reading over my shoulder. Or at least reading everything on my old Dell laptop, even though my antivirus program alleged that the computer was free of malicious spyware.

As my predicament dawned on me, I junked my Dell. (Actually, it’s still in my closet, since I’m afraid to throw out even a purportedly wiped hard drive.) I went over the fence to Apple, closed my Gmail account, stopped using Google products, closed my ­PayPal account, and achieved, at least for a few weeks, some small measure of peace. But then the Nigerian guys started text­ing me.

Your Excellency, there are many boast-worthy aspects of the Federal Republic of Nigeria. This I recognize. Nigerian cinema is really very strong these days, as is Nigerian fiction. But it seems that digital malfeasance is also among your primary exports. If you remember your Dante, you will recall that the sin of fraud is punished in both the eighth and the ninth circles of hell. In the eighth (and therefore somewhat less punitive) circle, con artists are thrown into a river of boiling tar. If these unfortunates attempt to climb onto the shore, they are impaled on grappling hooks by demons and returned to the pitch. Seems reasonable, doesn’t it?

As it happens, I was attending a meeting of my Dante study group in 2011 when I was contacted by some faux Citibank employees using a fanciful simulation of corporate diction. Our exchange was conducted via text, and all dialogue below is guaranteed genuine:

hacker: yes this is the Citi bank from CA
moody: I have already tipped off the cops and Amex, so you’d better move on.
hacker: What do you mean Hiram Moody?
moody: Tell me about your childhood dreams. Did you have childhood dreams? Did they involve bad grammar?
hacker: What do you mean i wanna ask you some Question about you order?
moody: I am at my Dante group right now. Did you ever read Dante? The thing I can’t figure is why misappropriation of funds is punished in a circle right next to murderers. Well, maybe I can understand a little bit now. In the lowest circle of Inferno a guy is stuck eating another guy’s head for all eternity. What do you think? Is it a just punishment?
moody: What gives? I thought we had a nice conversation going on?
hacker: Hello, who are you?
hacker: Who are you?
moody: I am the guy who has been getting fraudulent messages from your number. Who are you?

At this point, the conversation went cold. Your Excellency, if you consider international bank and wire fraud to be an important Nigerian cultural product, you’re going to have to improve the business En­glish of your professional class. Had I been not a writer but rather a pensioner in his late eighties, living alone and uncertain about digital stuff, this grammatically loose approach might well have worked. For that matter, I am not usually one to carp about nonstandard usage—indeed, I find such carping frankly elitist. But in this case, it was the casual, punctuation-averse syntax that tipped me off.

“Who are you?” the Nigerians asked that night. In my first year of identity theft, I had no reason yet to be made uncomfortable by this question, though it now causes me an existential shiver. Back in 2011, I still honestly believed that I could get to the bottom of my case, and that there was an authority to whom I could appeal for help. Because I believed this, I worked hard to follow the threads and keep abreast of developments. At one point, it seemed that there was a guy in California who was somehow involved: people calling to ask for my personal data used his number, and his address was briefly appended to my Amazon account. I found a satellite image of his apartment building using a Google product and could even see the communal swimming pool. But as I now know, masking your phone number is a routine ploy in the world of identity theft.

In those days, I was spending two or three hours a week, sometimes more, trying to stay ahead of the story. It didn’t do much good. At one point, I called the police in Brooklyn, where I was living at the time, and told them the whole wretched tale. Although their official position these days is that they will investigate all such crimes, I was told to call back only when some real money had been stolen from me.

And that, Your Excellency, was the first act of my story, as carried out by Nigerian fraudsters or the international equivalent. By the end of it, I had begun to wince whenever anyone online or on the phone employed my given name, Hiram Moody. It was always bad news. And therefore, I sign this missive otherwise.


Rick Moody

Dear Stephen J. Squeri, Chairman and Chief Executive Officer of the American Express Company,

Sir, I would like to describe to you what it feels like to suffer on an ongoing basis from identity theft, so that you can better understand the experience of your many customers who struggle with this violation.

Identity theft is said by some to have emerged widely only in the aftermath of Prohibition. Following the repeal of the Eighteenth Amendment in 1933, one had to be of age, and to have identification proving this, in order to drink of the newly legalized alcohol. Along with the forged passports of wartime (so meticulously scripted and lovingly aged), the identification cards of the post-Prohibition period may well have been an early attempt to create erroneous identities en masse.

Large-scale financial fraud via impersonation followed with the advent of the modern credit card, the first of which was created by Diners Club in 1950. The funny thing about the American Express card, Mr. Squeri, which followed the Diners Club into the market in 1958, is that I had the most difficult time obtaining one. Being not terribly employable as a young person (too bookish), I finally applied for your product in 1988, after I secured a poorly remunerated job as an editorial assistant at a big publishing house. The very day my card arrived in the mail, I also received a letter rejecting my application.

What was going on there, Mr. Chairman? Mistaken identity? Were there two Hiram Moodys? I did not inquire into the specifics of this mishap, not then. As I saw it, the mere possession of the card transformed me into an actual person, a responsible American consumer. My father, who worked in finance, told me to be very careful with my credit card, and so I was. I think that in the first couple of years I had my traditional American Express green card, I made only one major purchase: an area rug.

You do know, Mr. Chairman, about the Eriksonian stages of psychosocial formation? The psychologist Erik Erikson argued that as one approaches adulthood, one consciously graduates into the true formation of identity, and rejects the diffused sense of self that is typical of adolescence. Identity, so much less stable when we are young, acquires a weighty and final stolidity. One integrates. But the irony of my life as a victim of identity theft is that forces beyond my control have led me to worry about such matters in my early fifties, long after the period of diffusion was supposed to have ended. I sometimes feel that I no longer have an identity in any reliable, contemporary way, because the capitalist reifications of self that come with state-issued identification, purchasing power, and credit history have become increasingly fraught for me, and liable to be revoked or called into question at any moment. People may interact with me as though “Hiram Moody” or “Rick Moody” are stable, uncontaminated concepts, representations of a person with definable features—but that doesn’t mean that I feel like him.

There was a moment when a teller at Citibank took on the byzantine strands of my identity theft as a personal project, calling me every day for a week or so to tell me which checks had cleared, and when, and that the activity on my account appeared to be secure. This was a bolt of human kindness as sudden and overpowering as a monsoon. His name was Anthony, and he was definitely just passing through the Citibank branch in Park Slope. He was a young guy, first-generation Chinese-American, and incredibly affable and friendly. There was no reason why he had to be kind to me in the way he was, Mr. Chairman. There was no particular reason why he had to call me every day, but he did so, and this proved to be a model for interactions relating to identity theft in the coming years. If the onslaught of the experience leaves your reliable sense of self in tatters, and effects a financial isolation that feels emblematic of psychic isolation, only one thing can help: actual human interaction of a meaningful sort.

So, Mr. Chairman, the second act of my identity-theft saga began in December 2016. Let me say that at this late date, it takes a significant amassing of fraud for me to do anything about it—even to lift the phone and contact the relevant parties. My feeling now is that identity theft is above all a quality-of-life crime. Any attempt to address the problem with a multinational financial corporation (like yours) leaves one with an overpowering feeling of being effaced. You are, again and again, in the netherworld of ongoing customer-service entanglements, no more than a depersonalized, residual, contestable account number. As long as the amounts stolen are not so large, why bother to protest?

The second act began, in fact, with my American Express card being declined at a bookstore in Dutchess County, New York. There’s something humiliating about having one’s card declined, as I’m sure you know, and because I was looking for Christmas gifts that afternoon, the suggestion by the cashier that I try a different card was especially unwholesome. And yet I didn’t give the matter another thought for some days. Not until the card was declined again. And even then, instead of getting right on it, I just shifted my credit usage away from your business. “American Express is just very cautious,” the bookstore owner had said to me.

If I had become more passive about identity theft, more resigned, it was matched by a resignation on your part, Mr. Chairman. In my experience, as the large financial corporations have come to understand the inevitability of identity theft, they have also decided to treat it as the cost of doing business: they have erected procedures to minimize the impact on the bottom line, without caring if a particular hacker or fraudster is apprehended. (Look, for example, at the recent Equifax hack, following which the corporation initially agreed to protect consumers for a fee.) What I am trying to say is that I didn’t get any message from American Express in December 2016 to tell me about my card being declined. Only in February, in fact, did I notice that I hadn’t received a bill for two months—at which point I looked into the matter and discovered the very bad news.

First, in late January, there was $975 charged to my card for an exceedingly large purchase of liquor in Georgia—and then, in February, a $400 cash advance. Because I don’t drink, the former was particularly distressing to find on my monthly statement. Had I somehow made the purchase without being conscious of doing so—in a blackout, perhaps? Was my doppelgänger in the midst of a furious booze-fueled bender in the Deep South? Eventually, I collected myself and called your company to alert your people to the disputed transaction. Then, a few hours later, in the middle of the night, I got the bright idea to check the address associated with my account online.

My account now sported an address in Alabama, where I have never lived. And then, of course, there followed the dreary succession of transactions, which had already begun and would continue for many more weeks. In January, an unauthorized change of address had interrupted the mailing of my monthly statements. In February, my Citibank checking account was drained of nearly $2,200, most likely to cover the earlier charges. In March, there was a request for an extra card to be mailed to my Alabama address, and a new trading account was opened in my name at Capital One. In June, there were more fraudulent transactions at Citibank to the tune of $2,000, which caused my account to be closed and reopened.

Mr. Chairman, I have become very well acquainted with the customer-service wing of American Express in these recent months, and in particular with the fraud prevention department. And what I found, during my endless telephone calls, was a paradox: identity theft begins to confer criminality, or at least the veneer of criminality, on the victim. That is, Mr. Chairman, I found myself again and again having to defend myself on the telephone with the large multinationals, desperately attempting to prove that I was myself the victim of the fraud rather than the perpetrator.

Throughout this Kafkaesque forking of narrative paths, I was made to verify my so-called identity in newer and ever more baroque ways. I would produce not just my mother’s maiden name (which had long since become public property), not just my “Social,” as you and your kind call it, but my first pet’s name, the elementary school I first attended, the town of my birth, my father’s middle name, my long-abandoned address in Hoboken, New Jersey, and so on. I had so many PINs at the various financial institutions, I couldn’t keep them straight and still cannot. And inevitably I would fail at some or all of the “additional security questions,” in a way that seemed to suggest to customer service that I myself was scamming to gain access.

One night, your company called me, Mr. Chairman, right after my account was closed and reopened and a new card issued. This call came from a working AmEx number. (I know because I checked online.) The caller asked whether I had received my new card and would I please verify the number and expiration date and security code. My wife, who is adept at sniffing from afar the perfume of my crisis, started yelling at me from the other room: “Don’t give them that number! Those are the frauds! Don’t do it!” But I was exasperated, and I wanted to trust someone. I wanted to believe this caller was acting in good faith when he asked for all the security codes on my card, in part because he kept saying, “Okay, you’re good to go!” with such verve.

He was not acting in good faith. The hackers instantly attempted to ring up a few new charges on my new card, the one I’d just provided to them. Whereupon I had to close and reopen the account again, for the second time in a week. As it happens, I still get periodic calls from this fictitious but genuine American Express telephone number.

In the aftermath of the second wave of assaults on my various accounts, your company, Mr. Chairman, would no longer talk to me on the phone unless I took my passport and a form generated by your fraud department to the nearest notary public to verify that I was me. For some weeks, I failed to undertake this process because, as I later said to an AmEx customer-service representative: I suspect I know who I am. When the CS representative threatened to freeze my account if I didn’t fill out the form, I did in fact say, on a recorded line: “Please! Please suspend my account! I beg of you!” And later: “If it was a choice between keeping my account at American Express and joining the military, I would join the military. At least the military attempts to confer dignity upon their employees.” When I asked to speak to a supervisor about this additional layer of humiliation, I was told that I wouldn’t be able to speak to anyone at American Express ever again until I had filled out the verification form. The process, I was told, was there to protect me.2

I decided to go to the state police again. It was now March 2017.

At this point, I have to ask again, Mr. Chairman: What is identity? Is this not the question at the heart of our discussion? Webster’s Third New International defines the word as the “unity and persistence of personality.” The dictionary also adds a philosophical codicil, calling identity “reality at its deepest level at which subject and object are one.” By the time I went to the state police in Dover Plains, New York, which is just down the road from my house, I was experiencing a failure to identify with my identity, and I was not feeling a unity or persistence of self, and I was also experiencing a kind of horror at the way technology enables and encourages the misapprehension of “reality at its deepest level.” Technology remakes identity in its own image. And identity, on the internet, becomes an effect of technology, contested and fragmentary, easy to replicate, conferring on the self an absence of self. Hence the perhaps self-evident fact that the glimmering of poignant material in my story is to be found only in exchanges with other human beings.

To Troop K in Dover Plains I brought my gigantic stack of paperwork, nearly a hundred pages of credit card statements, credit reports, bank statements, and a fraudulently obtained credit card from Capital One. These I presented to a trooper there, and in the Beckettian monologue that followed, in which I told her all that I have just told you, I sounded a little unhinged. My recursions and doublings-back must have seemed scarcely believable. (I scarcely believe them myself.) The trooper took down all my information and asked me to write it out in an official complaint, and then she made me come back a day later and repeat it all to an official investigator, who said that he had just closed an identity theft case on which he had been working for an entire year. He wanted to know whether I meant to press charges. To which I said, “Hell, yes.” And yet I already understood that a story like mine, a crime like mine, generates threads, or implications, or waves of recurrence, rather than the adamantine material of resolution. Who committed my fraud? Some Nigerians? Some alcoholics in Georgia and Alabama? A woman in Las Vegas trying to buy a used car at ­CarMax? These were all plausible perpetrators at various points in my journey. Were they working together? Or were they just pieces of a massive fraud built into the online world itself, into its dark web of exploitation?

What was different about the trooper in Dover Plains on the day I reported my case to her was that she looked me in the eye, and sighed, and said, “I’m really sorry you’re going through this.” It was the least she could do.

Since then, as I have said, I have once again had $2,000 pilfered from my checking account, which I had to close and open anew, and I had to open an official investigation at Citibank, which takes up to ninety days before the bank is willing to reinstate the money. This also led to the addition of some new and adverse activity on my credit report, which threatened to upend the purchase of a new home this past summer.

My intention, Mr. Chairman, is more unambiguous now. My intention is to resist abstraction. My intention is to recover what is left of being human in this process, and right now, come what may, that involves closing my remaining account with your firm, closing my account with Citibank, opening a bank account with a dowdy old credit union, and continuing my attempts to shed layers of online presence. No ­PayPal. No personal Google account. No online trading. No direct deposit. Fewer online transactions. But more than that, my intention is to experience my being as the actual Rick Moody rather than the virtual Hiram Moody, even if that constitutes an idealization of pre-internet life. Better the human interaction, with all its morbid and fleshy complexities, than the perfect fantasy of the fleshless and fungible and shadowy life of the web.

And thus, sir, my letter to you.


Rick Moody

More from

| View All Issues |

December 1994

“An unexpectedly excellent magazine that stands out amid a homogenized media landscape.” —the New York Times
Subscribe now