Thieves work nonstop to hijack your identity to steal your credit and assets. Due to a massive theft of data from credit bureau Equifax, plus hacks of countless other businesses, the crooks now have enough information to victimize hundreds of millions of consumers. At this point, if you have a credit history, assume it is compromised.

To help keep the opportunists and grifters at bay and cut through the confusion, we share how to protect your credit and identity.

Identify and guard unprotected assets.

Your investment accounts enjoy little to no regulatory protections from fraud losses, which leaves your life savings exposed and vulnerable. By far, the biggest financial risk to consumers is theft from their online investment and retirement accounts. But our review of the websites of nine major investment firms found two that lacked specifics about any policies that might protect your assets from theft. Meanwhile, companies that explicitly offer such coverage often lay down dozens of requirements for you to qualify for reimbursement if there’s a problem. Click here to learn more about this risk and what steps you should take to best protect yourself.

Monitor and protect existing bank accounts.

Fortunately, your credit accounts and bank deposits are largely protected from unauthorized transactions. If someone hijacks your credit card or uses your info to create bogus accounts and shops until your credit score drops, you’re usually not liable for those losses. And if someone drains your checking account, your bank will typically cover that. If you are victimized, immediately notify the company that holds your account, and ask that fraudulent charges be removed or stolen money returned.

Nevertheless, it can be a huge hassle if a crook gets into your checking account, which is the core of your financial house. You might not get your money back for a few days to a couple of weeks while the bank investigates and sorts things out, and that can disrupt bill paying and result in a cascade of late-payment and returned-check penalties. So guard your account and PIN numbers. Set up account alerts which notify you of transactions that may be fraudulent. Review your account activity by monitoring the monthly statements or—better yet—regularly checking transactions. And sidestep hackers by paying for online purchases with a credit card rather than your debit card.

Freeze your credit report.

A credit freeze makes it difficult for thieves to open new accounts in your name by locking them out of your credit report: If creditors can’t see your credit info, they’re less likely to grant new loans, and the bad guys can’t get the money they don’t intend to repay.

The freeze can’t be lifted unless you temporarily or permanently authorize it and provide a security code that only you know. That can be a hassle when you’re shopping for credit, signing up for utility services, or hunting for a new apartment, but it’s worthwhile protection. Lenders, insurers, cellular service providers, and other creditors with whom you already deal will still be able to check your file.

You must place a freeze with each of the big three credit bureaus, Equifax, Experian, and TransUnion. Starting in late September, credit freezes will be free, and new regulations require the credit bureaus to put your report on ice within one business day of receiving a request online or over the phone and within three business days of a mail request. If you make a phone or online request to temporarily remove a freeze (say, to apply for a new credit card), the bureaus must thaw your file within an hour.

Alternatively, you can use a credit lock to turn access to your credit on and off in a flash, using your smartphone or computer, which may be quicker and easier than a freeze. Currently, Equifax and TransUnion provide locks for free—no gimmicks. Experian, however, uses a "free" lock for 30 days as an introductory enticement for you to sign up for and pay $19.99 a month for its identity theft protection service, which you don’t need (see below).

Of the three, TransUnion's credit lock, part of its free TrueIdentity service, is best, because it also lets you sign up for free email or text alerts whenever someone (including you) applies for new credit in your name. It also lets you refresh and view an also truly free version of your TransUnion credit report, which is stripped down but contains all the essentials, including account details (current balance, credit limit), public records, payment status, and payment history. Yes, your TrueIdentity dashboard also comes with soft-sell promos for "premium" TransUnion credit monitoring ($9.95 per month) and your three-bureau credit report ($29.95 per one copy of the trio), neither of which you need. But you don't have to buy, either.

Check your credit report every few months.

Your credit report is a key pillar of your financial identity, and it’s the official record of your good payment history that identity thieves ruin when they borrow money in your name and don’t pay it back. Banks, credit card companies, insurers, and many others use your credit score, derived from your credit report, to set terms and rates and decide whether they want to do business with you at all. So it’s critical for you to keep a close eye on this report to detect new-account fraud as well as errors that can pop up there.

Checking your credit report is essential personal financial maintenance work. We recommend that you do it every few months. Here’s how to accomplish that for free.

You can start the annual review cycle at any point in the year, but let’s begin in January. Think of that as “fraud alert month,” because that’s when you should place a “fraud alert” on your credit report with any one of the big three credit bureaus. (That bureau will then place a fraud alert on your reports at the other two bureaus.)

Ostensibly, a fraud alert is a notification on your credit report, which warns lenders that you may be a target for identity theft—and these days, who isn’t?—and to take reasonable steps to verify the identity of any person applying for credit in your name, before credit is actually granted. These reasonable steps may include contacting you by phone.

Of course, if you have a security freeze, you don’t really need a fraud alert, because a new lender can't pull your credit report for a crook. However, you should place an alert anyway, because doing so entitles you to request a free credit report from each credit bureau. So ask! Thus, you can check all three credit reports at once at the beginning of the new year. Fraud alerts are free, and beginning in September, the alerts remain in place for one year. Do not request a long-term fraud alert, which lasts seven years; you want the annual alert so that you can renew it each year and get your three free credit reports every year.

That's only the beginning of the freebies, so you should never pay for a credit report.

Federal law also entitles you to one free credit report per year from each of the three credit bureaus. Request yours at or by phone by calling 877-322-8228. Don't ask for all three reports at once. Instead, stagger your requests, so that, after checking all three reports in January "fraud-alert month," you then get your Equifax report in April, your Experian report in July, and your TransUnion report in October. In this manner, you can keep on top of your credit file every three months. Repeat this cycle each year when January rolls around. Keep a log and calendar of your requests. Check the accuracy of the report, look for fraudulent accounts, and contact the credit bureau immediately to dispute anything that’s amiss. Also order and freeze these reports for your children.

Want still more free credit reports? Eight states—Colorado, Georgia, Maine, Maryland, Massachusetts, Mississippi, New Jersey, and Vermont—also mandate one free credit report per year for consumers, on top of the freebies under federal law, according to TransUnion. And, as mentioned above, you can access your TransUnion credit report for free anytime through that credit bureau's TrueIdentity service.

Don’t fret about credit scores.

Credit scores sum up the information on your credit report into a three-digit rating. However, you don't really need scores; if you’re regularly monitoring your report, you should have a good sense of your creditworthiness, since good scores come from your good on-time payment record; keeping revolving credit balances below 30 percent of your credit limit; and not sullying your report with loan defaults, judgments, liens, bankruptcies, or other negative public records.

“A credit score is not a useful way to detect ID theft,” says Eva Velasquez, president and CEO of the Identity Theft Resource Center, which assists victims of identity theft, because it can take a couple of months for a fraudulent account to be reported, become delinquent, and hurt your score.

Many banks and credit card issuers now commonly give you your free credit score as a perk for having an account with them. Those genuine freebies should be all you need to know generally where you stand in lenders’ eyes. The Consumer Financial Protection Bureau lists 49 credit card issuers, financial institutions, and nonprofit credit and financial counseling services that offer their customers and clients free credit scores.

Don’t waste money on identity protection services.

ID protection services cost $10 to $30 a month, but you don’t need to spend that money, because, as we discuss in this article, you can do much of what a service does on your own for free. And although millions of Americans are victims of identity theft each year, most suffer zero out-of-pocket loss costs, because the vast bulk of what’s called identity theft is actually credit card theft. Your liability for that is little to nothing under federal consumer protections and credit card issuers’ voluntary zero liability policies.

Lock down your children’s credit reports.

Identity thieves love children, because they usually have no credit history. By stealing your child’s Social Security number, crooks can create, exploit, and ruin a fresh new credit history with less risk of discovery by a real identity theft victim; you’re unlikely to stumble across the problem or even think to check the credit report until your child first legitimately applies for his or her own credit.

Under new regulations taking effect in late September, if a child doesn’t have a credit file, the bureaus are required to create one and freeze it upon your request. To protect your children, no matter what their ages, order a copy of their credit reports each year through, place security freezes on their reports at each credit bureau, and periodically check with the Social Security Administration to make sure no one is using your child’s identity to report income.

Beware phishing scams and follow other smart security precautions.

Thieves prefer to hack the weakest link in a long security chain, and that link is often you. They’ll “phish” for your login credentials by sending you an email, text, instant message, or online pop-up that looks like it comes from your bank, credit-card issuer, credit union, investment company, or other financial institution. The imposter alerts you to some “problem” with your account, directs you to click a link to a bogus website that looks just like your financial institution’s online portal, urgently pressures you to log into your account, then captures your username, password, and any information needed to clear other security hurdles.

One investor lost hundreds of thousands of dollars a couple of years ago after he unwittingly downloaded malware onto his personal computer, recalls Velasquez. The ruse was so sophisticated, you might fall for it yourself. Here's how it worked:

The malware re-routed the victim from his investment account login page to the thief's fake website, so the crook knew when the victim tried to log in. The imposter login screen captured the investor's username and password but couldn't let the victim actually log in to his account. At that point, the crook, posing as customer service, telephoned the victim to "help" fix the "problem."

The fraudster used the victim's stolen username and password to begin logging into the investor's real online account. Security there texted a two-factor authentication code to the victim's phone, and the crook asked the investor to read him the code. That finally opened account access to the criminal, who promptly wired stolen funds to his own account.

Avoid such malware by using anti-virus, anti-spyware, and other security software and keeping it up to date. Never click links or attachments in emails, text messages, instant messages, or windows that pop up on your computer screen. Access your financial accounts online only by typing the legitimate link into the internet address bar, by bookmarking the known legitimate site on your browser and using that link, or by using your financial institution's official app.

Other basic do’s and don’ts to protect your identity, credit, and assets:

  • Create and use a strong username, password, and security questions that are not used for any other sites.
  • Never share usernames, passwords, personal identification numbers, account numbers, and answers to security questions with anyone.
  • Don’t respond to email or text messages requesting personal and financial information, especially if you suspect they are fraudulent.
  • Use up-to-date security software on your computer (antispyware, antivirus, firewall, antispam).
  • Keep the operating system and web browsers for your computers and phones up to date.
  • Don’t use public WiFi or unfamiliar hotspots, especially for conducting financial transactions; use only trusted, password-protected networks.
  • To prevent hacking of your home network, use a router with WPA or WPA2 privacy protocol (instead of WEP) and change its factory default administrator password and SSID to unique, strong codes that only you know.
  • Browse with vigilance; look for the lock or “s” secure website symbols in your browser’s address bar.
  • File an affidavit or police report to document a theft.
  • Use the 'Remember my user ID' feature on many browsers to automatically log in; fake sites won’t be able to insert your ID and someone who steals your computer should be locked out without your fingerprint or computer pass code.
  • Activate automatic updates on your security software.
  • Regularly update your computer software, mobile device apps, internet browser, and operating systems to keep them current with any security patches and bug fixes. Familiarize yourself with these programs’ security and privacy settings and set them to the strongest protection levels.
  • Don’t forget that your mobile device is a computer. Keep its operating system up to date, use security software if available, and don’t use unsecured public WiFi or hotspots. Turn off Bluetooth when not in use.
  • Turn off your email service’s preview pane, which allows some viruses to execute, even if you don’t open the email.
  • If you’re the chief IT officer of your family, make sure you give security training to your less-knowledgeable spouse and kids who share your computer and mobile device networks.
  • Pay attention to paper in today’s digital world. Opt for e-delivery of bank, credit card, and other financial statements and correspondence, and promptly open and review all such material. Shred discarded financial papers using a cross-cut shredder. Stop advertisers from mailing you paper prescreened offers of credit and insurance, which ID thieves can steal from your home mailbox, by opting out at optoutprescreen.
  • Identify fraudulent telemarketing solicitations instantly by listing your phone numbers with the National Do Not Call registry. After you’ve done that, if you do receive telemarketing calls or texts, you’ll know they’re bogus.
  • Dispose of old computer and mobile device hardware by performing a factory reset or removing and destroying storage drives and devices.