How to Guard Against Identity Theft in Times of Increasing Online Fraud

Introduction

In part one of this series, we noted the three most important things you can do immediately to guard against identity theft. In part two, we discuss why protecting your identity matters and additional steps you can take.

The widespread unemployment benefits fraud that occurred throughout the United States during the COVID-19 pandemic provided the backdrop for this two-part article about protecting your personal identity. The opportunity for this and other types of fraud to flourish is due in part to the fact that massive data breaches in 2015,¹ 2017,² and 2019³ compromised nearly every American’s social security number. This not only makes it easy for cybercriminals to carry out successful fraud campaigns, it increases every American’s risk of identity theft for the foreseeable future since a social security number is the one piece of personally identifiable information (PII) that none of us can change. Identity theft reportedly affected nearly 60 million Americans by 2018⁴ and an additional 13 million in 2019.⁵

Why You Should Care About Identity Theft

Given this stark reality, it’s surprising how many consumers appear unconcerned about identity theft. Many people think, “Why would cybercriminals want to steal my identity? I’m nobody.” The simple answer is that no one is a nobody to fraudsters. The average American has more than $22,000 in available credit across all credit cards,⁶ which is not a bad haul for a scammer.

While it’s true that cybercriminals often go after “important” and high-value targets, most simply go after the vast number of easy targets. If you make yourself one of them—and that happens by default if you don’t actively protect your identity—you’re far more likely to become a victim of identity theft. Your life can go from simple and uncomplicated one day to totally upside down the next when you are inexplicably turned down for credit or a loan, your utilities are suddenly shut off, you discover your bank account has been drained, or learn you have a criminal record. Identity theft can send your credit score plummeting and, depending on the type and extent of the fraud, it can take months⁷ and cost thousands of dollars for you to recover.⁸

How to Avoid Identity Theft

In part 1, we noted the three most effective things you can do to protect your identity:

• Freeze or lock your credit with the three major U.S. credit bureaus (Experian, Equifax, and TransUnion).
• Review your credit reports monthly for suspicious activity.
• Opt out of preapproved, unsolicited credit and insurance offers.

These three steps alone will go a long way toward protecting your identity, but you can also take the following additional steps:

• Request a fraud alert through a credit bureau. A fraud alert notifies potential lenders that you may have been the victim of identity theft and advises them to take extra steps to verify your identity before granting credit. Fraud alerts are free and typically last one year. Extended (seven-year) and active-duty military alerts are also available. When you request an alert with one of the nationwide credit bureaus, it is automatically shared across all three.
  
  
• Monitor your credit card and bank accounts regularly for suspicious activity. The sooner you’re aware of and report fraudulent charges to the card issuer, the better. Many major financial institutions now allow you to set up alerts for high-value purchases, large withdrawals, or out-of-area transactions.⁹ While U.S. federal law limits your responsibility for unauthorized credit card charges to $50, the story is different for debit cards.¹⁰ The extent of your liability varies—from $50 to the full amount stolen from your account—depending on how quickly you report the loss or theft. Never use a debit card online; consider not using one at all (use cash instead), or use one only at businesses you know well where the card never leaves your sight. Always protect your PIN.
  
  
• Protect your social security number. To reduce the risk of an imposter creating an account in your name, go to the Social Security website and create accounts for yourself and each of your minor children. Then, monitor your accounts regularly to check for unauthorized use of your social security number. Never carry your card with you, and never give your number to anyone who initiates unsolicited contact with you. If an online web form requests your number (for example, to set up a new account), leave the field blank or enter nine zeros instead. If that doesn’t work, consider not opening the account or contacting the provider for an alternate means of identification.
  
  There is no reason for any commercial business today to use your social security number as a primary means of personal identification. In fact, at least 25 states have laws restricting commercial businesses from collecting, using, or disclosing social security numbers.¹¹

While these specific steps apply to U.S. consumers, parallel measures may be available in other countries for those who have experienced similar fraud or have had their personal information compromised. The following suggestions are best practices for anyone who wants to proactively guard against identity theft:

• Use a password manager. It’s estimated the average person has 70 to 80 passwords,¹² making it nearly impossible to remember them all without writing them down. Worse yet, two out of three users admit to reusing passwords across multiple accounts.¹³ A password manager helps you create strong, unique passwords for each of your accounts and encrypts and stores them in a secure password vault; you only need to remember one master password. This makes password managers a far safer option for today’s consumers. The alternative is risking dozens of your accounts being compromised at once due to the use of weak, duplicate passwords. While it’s possible for attackers to hack a password manager app, your encrypted passwords would be of no use to them. The only way your accounts would be in jeopardy is if attackers obtained your master password, which they could only get from you.
  
  If you’re still unconvinced about using a password manager, at least start creating unique passphrasesA passphrase is a long password that contains several unrelated words arranged in nonsensical fashion, for example, GiraffeCurlySlumberDepth. that use the maximum number of characters allowed. Reset a password immediately if an account is breached. As a general rule, don’t allow your browser to memorize passwords for accounts, and never use your credentials from one site (such as social media) to create an account or sign in to other (third-party) sites. Whenever possible, create usernames that do not include your name, email address, or clues to your birthdate. This just gives cybercriminals half of the information they need to crack your accounts. Neither debbiewalkowski nor phogue are great login names; debberstheshark333 or hoguesinvogue are better.
  
  
• Use multifactor authentication. Get over being annoyed by the “inconvenience” of multifactor authentication, which requires you to enter a code sent to you via text message after supplying your username and password. It’s an effective, additional layer of security you should use for every account that makes it available to you.
  
  
• Stop oversharing online. Nothing makes you an easier target for identity thieves than the wealth of personal information you voluntarily share online. (If you haven’t read this eye-opening article, it’s well worth your time.) Within minutes, attackers can piece together bits of information you provide¹⁴ (not to mention the data that’s “quietly” collected about you^15, 16) from multiple online sources to successfully impersonate or compromise you.
  
  Scrub your social media and networking accounts of personal information (date or place of birth, maiden name, mother’s maiden name, address, phone number, pet’s name, hobbies, etc.). Use the most stringent privacy settings, choose your “friends” carefully, and report duplicate friend requests. Don’t participate in social media quizzes or games (most are designed to collect personal information), download apps, comment on or like posts from people you don’t know, or click on links or ads in your social media feed, including those from people you know, since their accounts may have been hacked. Disable location tagging, and wait until you’ve returned home to share vacation photos.
  
  It’s impossible to list every precaution to take online! Train yourself to question, “Why is this information needed? Who does it benefit, and could it hurt my privacy or compromise my identity?”

• Protect your privacy at home. Secure your home wireless network (try these tips from the U.S. Federal Trade Commission (FTC), U.S. Cybersecurity & Infrastructure Security Agency (CISA), and Norton); only use IoT devices that let you change the password and manage security settings; dispose of old phones, laptops, and storage devices in a secure way (follow this advice from CISA and the FTC). In addition, don’t overlook these “low-tech” measures: Collect your mail daily, don’t leave your checkbook or ID cards in your car, opt out of direct mail advertising (available in the United States through www.dmachoice.org), secure your mailbox, and use a crosscut or microcut shredder to discard all documents that contain personal information (including junk mail).
  
  
• Protect your privacy in public. It’s hard to believe anyone needs this reminder, but public Wi-Fi is incredibly susceptible to eavesdropping. Never use it for online banking, online shopping (any activity that involves a credit card), or any medical- or health-related services. Do not share private information (such as credit card numbers, date of birth, social security number, or any membership numbers) on voice calls when in public places; protect PINs, membership numbers, and other identifiers when using point-of-sale systems; pay attention when you swipe a card (be aware of skimmers, which can be hard to spot);¹⁷ and remember that cash still works in most places.

Avoid Being an Easy Target

Consumers are often baffled, frustrated, even shocked by the endless variety of clever schemes fraudsters devise and the lengths to which they will go (or depths to which they will sink) to pull off their scams. The constant drip of news stories on the subject leaves the average person feeling like there’s little they can do to stay ahead of scammers. That’s definitely not true; taking these few simple steps (and the proactive steps outlined in our first article) can make a huge difference, because scammers don’t like obstacles. The more stumbling blocks you can put in their way, the more likely they are to simply move on. While nothing can ever totally prevent you from becoming a victim, remember the goal is to avoid being an easy target. That’s not so difficult to achieve when you know what to do and then remain vigilant about doing it. And it’s far more empowering than doing nothing.