Worried about a data breach or identity theft? Here’s what to do now, soon and always

Fraud/ identity theft is the No. 1 complaint to the Federal Trade Commission, with 2.6 million complaints in 2023. Consumers reported losing more than $10 billion in 2023

Consumer alerts

Tips & Guides


Updated

Towfiqu Barbhuiya | Unsplash.com

One in 20 people is affected each year by identity theft or some type of fraud. Nearly everyone is at risk, given all of the data breaches in recent years.

Sometimes, it’s only one new piece of stolen data added to the dangerous databases out there that peddle our information. Other times, it’s a massive trove of information: The Equifax breach of 2017, which hit half of the adult population, was particularly harmful, disclosing Social Security numbers, dates of birth and other information you can’t just change. We will all be feeling the effects of the Equifax breach for decades.

It’s important to remember the bad guys may already have a bunch of information about us and may use that to impersonate a company we do business with or even a friend or relative.

Whether you’ve just found out you’re a data breach victim, or whether you’re trying to be proactive just in case, here are easy steps you should consider taking to protect yourself.

We’ve divided it into things to do now, soon and always.

NOW:

1. Make sure your contact information is up to date with the banks, credit cards, investment firms and other financial institutions you do business with. You’d be surprised to learn how many people have fraud on their accounts and don’t find out quickly because companies don’t have their current cell phone number or even a correct email or mailing address.

2. With any company that offers it, opt in for two-step authentication for online access. This requires more than just your username and password. It requires a one-time code that is sent almost immediately by text or email and that you need to actually log in. (And never, ever share this code with anyone else.)

3. Sign up for transaction alerts with your financial accounts, so that you get text alerts or email messages about any withdrawals or transactions above a certain dollar amount, new transfers, payees added or any changes in contact information. Then, if you haven’t opted for real-time alerts, make sure to check for texts or emails at least once a day.

4. Put a freeze on your credit files with the major credit bureaus. You should be able to do it in less than 20 minutes total by phone.

Check out our easy, step-by-step guide. To do it by phone: Equifax, 800-685-1111; TransUnion, 888-909-8872; and Experian, 888-397-3742. Freezes prevent someone not only from opening credit accounts in your name, but also block someone from fraudulently creating online accounts with tax offices and the Social Security Administration.
Do a freeze, not a lock. A freeze protects your rights to take action if a credit bureau messes up; a credit lock doesn’t.

5. Be on the lookout for phone calls from people posing as your bank, Amazon, the Social Security Administration, FedEx, your health insurer, etc. Don’t provide or confirm any personal information to a caller you weren’t expecting. Just hang up politely. If you think the call could be genuine, contact the company or agency at a number you look up independently (using the back of your credit card, your account statement, etc.)
Don’t just look it up online. Scammers actually pay to put fake customer service numbers online.

6. Protect your cellphone and primary email account that you use for financial accounts above all else. If someone is trying to breach your account and tries to reset your password, the notifications will generally go to your cellphone or email of record. Make sure the password for your primary email account isn’t used on any other account you have.

7. Keep an eye out for mail addressed to someone else that uses your address, or mail addressed to you that makes no sense: denials for loans you didn’t apply for, health insurance statements for medical visits you didn’t have, etc. Contact the sender by mail to get to the bottom of it.

8. For financial online accounts, don’t use the same password on more than one account. If there’s a breach or your account gets hacked, the thief can obviously do more damage if they can get into more accounts.

SOON:

9. It’s old advice but worth repeating: Check your credit reports regularly to make sure there are no accounts or inquiries you don’t recognize. You are entitled to one free report every week from each of the three bureaus. This once-a-week policy started during the pandemic and became permanent last year, the Federal Trade Commission said.

Go to annualcreditreport.com or call 1-877-322-8228. You’ll be asked to provide your name, address, Social Security number and date of birth.

10. When you check your credit report, look for inaccurate information. If there are actually accounts on the credit reports that aren’t yours, you need to do more. Initially, you can file a dispute with the credit bureau to get the information removed or corrected.

In addition, contact the creditors directly by phone to find out whether these are mistakes or whether you’re the victim of more serious identity theft. If it’s the latter, you should take additional steps to protect yourself, including filing an identity-theft affidavit with the Federal Trade Commission (it will provide you with prewritten letters to send to creditors). The FTC site is great and even has a chat function.

11. Pay attention to your credit scores provided on any of your credit card accounts. While the scores may be different than your actual FICO score, they shouldn’t change dramatically from month-to-month. If they do and you’re not sure why, you need to find out. It could be a sign of fraud.

12. Never use a password that you use for a social media account such as Facebook or Twitter or Instagram on any other account, and especially not your email account or any financial account. Social media platforms are hot targets for hackers.

13. Buy a shredder and use it to destroy sensitive documents.

14. Consider buying a locking mailbox. A lot of important personal information can be stolen if someone raids your mailbox.

15. Consider signing up for online statements from entities such as your bank, your employer, your credit card company, etc., so that you don’t have to worry about the items getting in the wrong hands.

16. Ask your banks, creditors and investment firms whether you can put additional PINs or verbal passwords on your accounts that don’t involve any public record data, such as your date of birth or mother’s maiden name. You want to make sure someone can’t access your accounts for wire transfers or change your contact information without your secret password.

ALWAYS

17. Watch out for links in emails or text messages that you weren’t expecting that bait you to click on them out of fear or curiosity. Your bank, credit card, the IRS, FedEx, etc. will never send you links asking for your login password or Social Security number or anything like that. If you get an unexpected email or text that you think could be legitimate, contact the company or agency at a number you look up independently. Even if you don’t enter information, just clicking on the link could infect your phone or computer with a virus that steals your information.

The same advice applies to messages on social media, such as Facebook. It’s common for information-stealing viruses to be sent with a message like, “Is this you in this video?” Your instinct is to click and look at what the sender is talking about. Don’t give in to the temptation.

18. Be careful about joining WiFi networks in restaurants, hotels or other public areas. Many identity thieves create look-alike networks. Maybe instead of HILTON HOTEL, the imposter network is called H1LTON HOTEL. On a small screen, it can be difficult to tell the difference.

19. If you’ve put freezes on your credit files, great. But don’t get complacent. Remember that 88% of identity theft involves existing accounts. Freezing your credit files does nothing to protect your existing credit cards, loans or accounts. And a credit freeze doesn’t protect your deposit accounts.

20. Whether you get your statements by mail or online, know when to expect them each month and reach out if something is missing. It could be a sign someone has intercepted the item or changed your contact information.

21. Try to avoid using payment terminals where you swipe the magnetic strip on your card. It’s safer to dip your card’s EMV chip, visible as a the little silver square on your card. If a store or restaurant has its payment information hacked, information from a mag stripe can be used to create fraudulent cards. But with EMV chip cards, the microprocessor chips are extremely difficult to duplicate. And each transaction is approved using a unique authentication code, which can’t be used again. Without a working EMV chip, an authentication code can’t be generated.

22. If you’ve chosen to get identity theft monitoring, realize that most of these services don’t prevent identity theft — they just notify you once a problem has been detected.

Topics
Authors

Teresa Murray

Consumer Watchdog, U.S. PIRG Education Fund

Teresa directs the Consumer Watchdog office, which looks out for consumers’ health, safety and financial security. Previously, she worked as a journalist covering consumer issues and personal finance for two decades for Ohio’s largest daily newspaper. She received dozens of state and national journalism awards, including Best Columnist in Ohio, a National Headliner Award for coverage of the 2008-09 financial crisis, and a journalism public service award for exposing improper billing practices by Verizon that affected 15 million customers nationwide. Teresa and her husband live in Greater Cleveland and have two sons. She enjoys biking, house projects and music, and serves on her church missions team and stewardship board.