Sort of related: one time a scammer conned my grandma out of thousands of dollars by calling her and pretending to be me in distress. She wired the money to my name (I think it was Western Union or something), in a foreign country, and somebody "showed ID" as me.
We reported it to the police, of course, but I don't think it was ever really pursued. I wanted to dig in myself but whoever the company was said they wouldn't give up the records without a subpoena. Very frustrating as I am the person who was being impersonated.
It seems like there are times where you should have standing as an individual to get a subpoena for information directly related to you.
Thanks for reminding me about this. One thing I've established with my siblings was that none of us should transfer any money via a service like Paypal, Venmo, etc to each other without an explicit casual phone call first. It can't just be a text or a phone call asking for money, you have to have a casual conversation first. How is work? How's blah blah, what are you getting for dinner tonight, etc. For the case of elderly parents, I'm lucky that they would immediately hand that off as busy-work to siblings. Like they would never go to Western Union, they would call a child and say hey your sibling requested such and such can you go do that which would then raise all of the alarms.
If they impersonated you, aren't you technically requesting information about your self ?
Under European law, "you can request access to the personal data a company or organisation has about you, and you have the right to get a copy of your data, free of charge, in an accessible format." [1]
Im sorry that sucks, but we should not give up rights because some customers are easily fooled. This is a slippery slope you do not want to start on, because where does it end?
But that's more an issue of identity confirmation.
I believe there has to be a reasonably high bar that a person has to clear before a company should be even allowed to assume they are who they're claiming to be, but once that bar is cleared no information regarding or directly linked to the person in question should be withheld from them.
But then, hasn't the company already shown that it's bad at identity confirmation? Why would you expect them to be better at it in the other direction?
Isn't this problem solvable by looking at it differently? To me, the problem is that it's easy for scammers to impersonate someone. What if there was a way to reasonably check a person's identity in a standard way accessible to everyone without going through hoops?
That ideal won’t come true for a very long while. I appreciate your idealism, but for better or worse, we need a reasonable and attainable solution in the interim.
That's frightening. When we drew up our household information for babysitters, we put in codewords to identify ourselves and for the babysitter to identify him/herself to us in case of an emergency.
We felt more than a little paranoid (and the babysitters probably thought we were nuts) but anecdotes like yours reinforce the need to be careful when relying on easily-spoofed caller ID for identity protection.
This is a great reason for why modern data laws like GDPR and CCPA enshrine right of access so highly, I believe. I think it would be interesting to persue civil cases against fraudsters whose data you manage to collect out of PayPal audit logs or whatever, but you'd probably be contending with international courts and it would be an expensive and time consuming affair.
We reported it to the police, of course, but I don't think it was ever really pursued. I wanted to dig in myself but whoever the company was said they wouldn't give up the records without a subpoena. Very frustrating as I am the person who was being impersonated.
It seems like there are times where you should have standing as an individual to get a subpoena for information directly related to you.