One in 20 people is affected each year by identity theft or some type of fraud. Nearly everyone is at risk, given all of the data breaches in recent years. The Equifax breach of 2017, which hit half of the adult population, was particularly harmful, disclosing Social Security numbers, dates of birth and other information you can’t just change. We will all be feeling the effects of the Equifax breach for decades. It’s important to remember the bad guys may already have a bunch of information about us and may use that to impersonate a company we do business with.
Whether you’ve just found out you’re a data breach victim, or whether you’re trying to be proactive just in case, here are easy steps you should consider taking to protect yourself.
We’ve divided it into things to do now, soon and always.
1. Make sure your contact information is up to date with the banks, credit cards, investment firms and other financial institutions you do business with. You’d be surprised to learn how many people have fraud on their accounts and don’t find out quickly because companies don’t have their current cell phone number or even a correct email or mailing address.
2. With any company that offers it, opt in for two-step authentication for online access. This requires more than just your username and password. It requires a one-time code that is sent almost immediately by text or email and that you need to actually log in. (And never share this code with anyone else.)
3. Sign up for transaction alerts with your financial accounts, so that you get text alerts or email messages about any withdrawals or transactions above a certain dollar amount, new transfers, payees added or any changes in contact information.
4. Put a freeze on your credit files with the major credit bureaus. You should be able to do it in less than 20 minutes total. Check out our step-by-step guide. To do it by phone: Equifax, 800-685-1111; TransUnion, 888-909-8872; and Experian, 888-397-3742. Freezes prevent someone not only from opening credit accounts in your name, but also block someone from fraudulently creating online accounts with tax offices and the Social Security Administration.
Do a freeze, not a lock. A freeze protects your rights to take action if a credit bureau messes up; a credit lock doesn’t.
5. Be on the lookout for phone calls from people posing as your bank, Amazon, the Social Security Administration, FedEx, your health insurer, etc. Don’t provide or confirm any personal information to a caller you weren’t expecting. Just hang up politely. If you think the call could be genuine, contact the company or agency at a number you look up independently (using the back of your credit card, your account statement, etc.)
6. Protect your cell phone and primary email account that you use for financial accounts above all else. If someone is trying to breach your account and tries to reset your password, the notifications will generally go to your cell phone or email of record. Make sure the password for your primary email account isn’t used on any other account you have.
7. Keep an eye out for mail addressed to someone else that uses your address, or mail addressed to you that makes no sense: denials for loans you didn’t apply for, health insurance statements for medical visits you didn’t have, etc. Contact the sender by mail to get to the bottom of it.
8. For financial online accounts, don’t use the same password on more than one account. If there’s a breach or your account gets hacked, the thief can obviously do more damage if they can get into more accounts.
9. It’s old advice but worth repeating: Check your credit reports regularly to make sure there are no accounts or inquiries you don’t recognize. In normal times, you’re entitled to one free credit report per year from each of the three major credit bureaus. Because of COVID-19, you’re entitled to one free report each week from each of the three bureaus through Dec. 31, 2023. For the long term, the best strategy is to order a report from a different bureau every four months.
Go to annualcreditreport.com or call 1-877-322-8228. You’ll be asked to provide your name, address, Social Security number and date of birth. If there’s any inaccurate information on your credit reports, use the dispute process to get the information removed or corrected.
10. Pay attention to your credit scores provided on any of your credit card accounts. While the scores may be different than your actual FICO score, they shouldn’t change dramatically from month-to-month. If they do and you’re not sure why, you need to find out. It could be a sign of fraud.
11. Never use a password that you use for a social media account such as Facebook or Twitter or Instagram on any other account, and especially not your email account or any financial account. Social media platforms are hot targets for hackers.
12. When you check your credit report, look for inaccurate information. If there are actually accounts on the credit reports that aren’t yours, you need to do more. Contact the creditors directly by phone to find out whether these are mistakes or whether you’re the victim of more serious identity theft. If it’s the latter, you should take additional steps to protect yourself, including filing an identity-theft affidavit with the Federal Trade Commission (it will provide you with prewritten letters to send to creditors). The FTC site is great and even has a chat function.
13. Buy a shredder and use it to destroy sensitive documents.
14. Consider buying a locking mailbox. A lot of important personal information can be stolen if someone raids your mailbox.
15. Consider signing up for online statements from entities such as your bank, your employer, your credit card company, etc., so that you don’t have to worry about the items getting in the wrong hands.
16. Ask your banks, creditors and investment firms whether you can put additional PINs or verbal passwords on your accounts that don’t involve any public record data, such as your date of birth or mother’s maiden name. You want to make sure someone can’t access your accounts for wire transfers or change your contact information without your secret password.
17. Watch out for links in emails or text messages that you weren’t expecting that bait you to click on them out of fear or curiosity. Your bank, credit card, the IRS, FedEx, etc. will never send you links asking for your login password or Social Security number or anything like that. If you get an email or text unexpectedly that you think could be legitimate, contact the company or agency at a number you look up independently. Even if you don’t enter information, just clicking on the link could infect your phone or computer with a virus that steals your information.
The same advice applies to messages on social media, such as Facebook. It’s common for information-stealing viruses to be sent with a message like, “Is this you in this video?” Your instinct is to click and look at what the sender is talking about. Don’t give in to the temptation.
18. Be careful about joining WiFi networks in restaurants, hotels or other public areas. Many identity thieves create look-alike networks. Maybe instead of HILTON HOTEL, the imposter network is called H1LTON HOTEL. On a small screen, it can be difficult to tell the difference.
19. If you’ve put freezes on your credit files, great. But don’t get complacent. Remember that 88% of identity theft involves existing accounts. Freezing your credit files does nothing to protect your existing credit cards, loans or accounts. And a credit freeze doesn’t protect your deposit accounts.
20. Whether you get your statements by mail or online, know when to expect them each month and reach out if something is missing. It could be a sign someone has intercepted the item or changed your contact information.
21. Try to avoid using payment terminals where you swipe the magnetic strip on your card. It’s safer to dip your card’s EMV chip, visible as a the little silver square on your card. If a store or restaurant has its payment information hacked, information from a mag stripe can be used to create fraudulent cards. But with EMV chip cards, the microprocessor chips are extremely difficult to duplicate. And each transaction is approved using a unique authentication code, which can’t be used again. Without a working EMV chip, an authentication code can’t be generated.
22. If you’ve chosen to get identity theft monitoring, realize that most of these services don’t prevent identity theft — they just notify you once a problem has been detected.
Consumer Watchdog, U.S. PIRG Education Fund
Teresa directs the Consumer Watchdog office, which looks out for consumers’ health, safety and financial security. Previously, she worked as a journalist covering consumer issues and personal finance for two decades for Ohio’s largest daily newspaper. She received dozens of state and national journalism awards, including Best Columnist in Ohio, a National Headliner Award for coverage of the 2008-09 financial crisis, and a journalism public service award for exposing improper billing practices by Verizon that affected 15 million customers nationwide. Teresa and her husband live in Greater Cleveland and have two sons. She enjoys biking, house projects and music, and serves on her church missions team and stewardship board.