Last updated February 2021
Click below to listen to our Consumerpedia podcast episode where a former cyber thief explains how to protect your online accounts.
Thieves work nonstop to hijack our identities and steal our credit and assets. Massive data breaches at Equifax, Facebook, First American Financial, Marriott, Twitter, Yahoo!, and many others in the last few years have affected tens of billions of accounts. At this point, assume your personal information has been compromised and is available for cyberthieves to use.
Here’s advice on the best ways to protect your credit, assets, and identity.
Get smart about passwords.
Passwords are the keys to our digital lives, yet many people are careless and sloppy with them. They create simple, easy-to-remember passwords that are easy to crack (such as “abc123” or “password1”) and then use them again and again for all their accounts.
“Hackers love this because it makes their life so much easier—if they can snag the password from one of your accounts, they can use it to attack all the others,” said digital security expert Adam Levin. “It’s like having the same key to start your car, unlock your house, open your safe deposit box, and lock your desk at work. Doesn’t make a lot of sense.”
Make passwords long and complex. Secure passwords consist of at least 10 to 12 characters (the longer the better) and have a combination of uppercase and lowercase letters, numbers, and special symbols, such as punctuation.
Avoid common phrases and words (“LukeIamYourFather”), song or movie titles, the name of your dog, high school, or favorite sports team. One effective strategy is to pick a relatively obscure but easy-to-remember secret phrase and insert extra letters, numbers, and symbols. For example: “&Iheartluv1625Checkb00k$t!”
Password management tools such as Keeper, LastPass, and Dashlane make it easy by creating strong and unique passwords for each of your online accounts. They’re stored in an encrypted digital vault accessible from all your devices. You just need to create (and remember) one strong master password that unlocks the password manager. You may already have password managers on your devices. Apple’s embedded password manager is called “Keychain.” Most internet browsers also have them, with options to sync those passwords across multiple devices. While browser “save passwords” features are convenient, they’re not as robust as what you’d get from a dedicated password management program.
Several websites, including haveibeenpwned.com, let you check on whether hackers have stolen your logins or passwords from major websites such as Adobe, LinkedIn, Yahoo!, and so many others. You can use it to search for email addresses you use; it keeps track of which ones were likely affected by breaches. Change passwords for businesses that were hacked, and make sure you don’t use possibly stolen ones to access other sites.
Turn on multi-factor authentication.
Even the best passwords can be compromised—so opt for multi-factor authentication (MFA), when available. MFA requires a password and at least one other identifying factor that only you should have access to—such as a fingerprint, or entering a code from a text, email, or authentication app—to log in. It’s not foolproof, but MFA can stop most hackers from using stolen passwords on accounts that use them. When it comes to protecting your digital life, MFA provides much stronger protection than even the best passwords alone.
Identify and guard unprotected assets.
It’s especially important to lock down your retirement and investment accounts, which unlike most checking and savings accounts don’t automatically get regulatory protection from fraud losses, leaving your life savings exposed and vulnerable.
A few years ago, Checkbook reviewed the websites of nine major investment firms, and found two that lacked specifics about any policies that might protect your assets from theft. Meanwhile, companies that explicitly offer such coverage often have dozens of requirements to qualify for reimbursement if there’s a problem.
Enable MFA for these accounts and use your password manager to create and use strong, unique passwords for them. Once a month, check account activity and immediately report possible theft or fraud.
Monitor and protect existing financial accounts.
You are largely protected from fraudulent transactions on your credit cards, checking, and savings accounts. Typically, if someone hijacks your credit card, or uses your info to create bogus credit card accounts in your name, you are not liable for those losses. Your financial institution should cover any losses from fraudulent checking or savings account transactions. Contact the credit card company or financial institution as soon as you spot something suspicious.
Nevertheless, it can be a hassle if a crook gets into your checking account. You might not get your money back for a few days to a couple of weeks while the institution investigates. That can disrupt bill paying, and result in a cascade of late-payment and returned-check penalties. So, guard your account and PIN numbers. Set up account alerts that notify you of transactions in real time, making it easier to spot a problem. Review activity on your monthly statements or—better yet—monitor transactions online or by phone at least every few weeks.
Freeze your credit report.
A credit freeze (also called a security freeze) makes it difficult for thieves to open new accounts in your name by locking your credit report. If potential creditors can’t access your credit file, they can’t generate credit scoring for you, which makes it highly unlikely they would approve new credit card or loan applications, or open new bank accounts to bad guys using your stolen identity info. All your current creditors will still be able to check your file, and a freeze will not negatively impact your credit scores.
You must place a freeze with each of the big three credit bureaus—Equifax, Experian, and TransUnion. Federal regulations require the credit bureaus to put your report on ice within one business day of receiving a request online or over the phone, and within three business days of a mail request.
Should you ever want to apply for credit—which includes signing up for new cell phone or utility services, or seeking approval to rent an apartment—you can temporarily lift the freeze using the security code only you know. If you request to have your account “thawed” online or by phone, the bureaus must unlock your file within an hour.
Lock down your children’s credit reports.
Identity thieves love children because they don’t have credit histories. It’s estimated that more than a million children have their identities stolen each year. Armed with your child’s Social Security number (which can be purchased on the “dark web,” where criminals often buy and sell stolen information), crooks can create and exploit a fresh credit history with less risk of discovery. Parents are unlikely to stumble across the problem, or even think to check their kids’ credit reports until their children are old enough to apply for credit.
If your child doesn’t have a credit file, the credit bureaus are required by law to create one and let you freeze it upon request. To protect your children, no matter what their ages, order a copy of their credit reports each year through AnnualCreditReport.com and place security freezes on their reports at all three credit bureaus.
And watch for warning signs that an identity thief has accessed your child’s credit file. A minor should not be getting a jury summons, calls from bill collectors, preapproved credit card offers in the mail, or notices from the IRS about nonpayment of taxes.
More Info: From the FTC: Child Identity Theft
Check your credit report every few months.
Your credit report is a key pillar of your financial identity, and it’s the official record of your good payment history that identity thieves ruin when they borrow money in your name and don’t pay it back. Credit unions, banks, credit card companies, insurers, and other possible creditors use scores, derived from your credit report, to set terms and interest rates, and decide whether they want to do business with you at all. So, it’s critical for you to check your credit files at the big three credit reporting agencies to look for fraud, as well as any errors that could hurt you.
Checking your credit report is essential personal financial maintenance work. Federal law entitles you to one free credit report every 12 months from each of the three credit bureaus—Equifax, Experian, and TransUnion. Request yours at AnnualCreditReport.com. (Note: There are other sites that offer free credit reports. AnnualCreditReport.com was set up by the federal government and is the only one you should use.) Identity theft victims are entitled to their credit report from each of the three credit bureaus, regardless of whether they have accessed free reports in the last year.
You can stagger your requests to get a free report from one of the three major credit bureaus every four months. Currently, because of the pandemic, you can access a free online copy of your credit report from all three credit bureaus once a week through the end of April 2022.
Watch your credit scores.
Your credit scores are three-digit numbers that sum up information in your credit file that potential lenders use to quickly determine whether to approve your application, and if so, what interest rate to charge. While keeping track of your credit score is important, it can also be a potential warning system for identity theft. If, for instance, you have good credit and your score suddenly drops for no obvious reason—you didn’t max out your credit cards or make late payments—that could signal that an identity thief has opened credit card accounts in your name and is not paying the bills. Just remember, monitoring your credit score “is not a substitute for monitoring your full credit reports,” cautioned Eva Velasquez, president and CEO of the nonprofit Identity Theft Resource Center.
Many financial institutions have set up access so their customers can check their FICO scores for free.
Don’t waste money on identity protection services.
ID protection services cost $10 to $30 a month. But you don’t need to spend that money. You can do much of what a monitoring service does yourself for free.
The biggest problem Checkbook has with credit monitoring services is the hype and fear tactics often used in their advertising. For example, many services now claim to monitor the dark web. This sounds impressive, but with so many breaches in the last few years, chances are your personal information is already on the dark web. Even if a monitoring service finds it there, there’s nothing it can do to remove it.
Many of these companies also brag about covering your losses up to a million dollars. Just more hype. Most identity theft victims do not have any out-of-pocket losses. When fraud occurs, financial institutions and credit card companies typically make victims whole, so any million-dollar promise is basically useless. Most of the hassles caused by identity theft involve the time it takes to document the fraud, canceling accounts, and opening new ones. None of this is reimbursable by any identity theft insurance policy.
Beware phishing scams and follow other smart security precautions.
Thieves prefer to hack the weakest link in a long security chain, and that link is often you. They’ll “phish” for your login credentials by sending you an email, text, instant message, or online pop-up that looks like it comes from your financial institution, credit card company, or other trusted business. These bogus alerts warn you there’s an “urgent problem” with your account, and you need to log on right away by clicking on a link in the message. Do that—and please don’t—and you’ll land on a bogus website that looks just like the legitimate online portal, where you will be asked to log in to your account. When you do that, the crooks capture your username, password, and any login credentials they can use to break into that account.
You can reduce your chances of falling victim to a phishing scam by using anti-virus, anti-spyware, and other security software, and keeping it up to date. But even the best security software can’t counteract you doing the wrong thing and opening a digital door to crooks. The reality is: You are the main defense against cyberthieves. You can reduce your chances of a hack attack by following these two simple rules:
- Never click on links or attachments in emails, text messages, instant messages, or windows that pop up on your computer screen, no matter how legitimate they look or how ominous they sound.
- Always access your online accounts, especially financial accounts, by typing the legitimate URL into the browser’s address bar—or better yet, by using a browser bookmark, or the official app for that company or financial institution.
Other basic do’s and don’ts to protect your identity, credit, and assets:
The most important safety precaution you can take is to create and use strong and unique passwords—a different password for each site—and turn on MFA when offered.
Never share usernames, passwords, personal identification numbers, account numbers, or answers to security questions with anyone.
Never respond to email, text messages, social media messages, or phone calls (yes, crooks still use the phone) requesting personal or financial information. When in doubt, contact the company in question, using a phone number you know is legitimate, not one provided in an email or text, or even by the caller (who could be a crook).
Use security software on your computer (anti-spyware, anti-virus, firewall, anti-spam), smartphone, and other devices.
Have your computer software, mobile device apps, internet browser, and operating systems automatically update, so you get the latest security patches as soon they come out. Familiarize yourself with your devices’ security and privacy settings and set them to the strongest protection levels.
Remember: Your smartphone is a computer, so keep its operating system and apps up to date, and use security software designed for mobile devices.
Don’t use public WiFi or hotspots. They’re not secure. Unless you’re using a Virtual Private Network (VPN) on your wireless device, assume anything you do on public WiFi is visible to the world.
Turn off Bluetooth when not in use, so a crook can’t link to your device.
To prevent hacking of your home network, use a router with WPA or WPA2 privacy protocol and change its factory default administrator password and SSID to unique, strong codes that only you know. WPA2 provides stronger security than WPA but requires more processing power. If your router uses the older, WEP encryption, get a new one.
Browse with vigilance. Look for a lock symbol in your browser’s address bar or that the URL begins with “https” indicating communication with the website is encrypted. But don’t assume websites using secure protocols means it’s safe to use; criminals can also set up “secure” websites to steal your money.
Use the “Remember my user ID” feature on websites to automatically log in. A fake site won’t be able to insert your username and password.
If you’re the chief IT officer in your household, make sure you give security training to less-knowledgeable members of the family who share your computer and mobile devices. You’re only as safe as the weakest link.
Delete online accounts you no longer use. Chances are you have dozens of accounts you haven’t used in years. Dormant accounts, which have saved personal information, such as your birthdate, and possibly credit card numbers, are a major security risk—especially if they have lousy passwords that you also use on other sites that may be scooped up in a data breach.
Choose e-delivery of statements and correspondence for your credit cards and financial accounts, and promptly open and review them. Shred discarded financial papers using a cross-cut shredder.
Stop advertisers from mailing you prescreened offers for credit cards and insurance, which ID thieves can steal from your home mailbox, by opting out at optoutprescreen.com. Caution: You will need to provide your Social Security number, so make sure you’re on the right site and using a secure internet connection.
Don’t trust caller ID. It can be spoofed to display whatever bogus information criminals want, such as the name and number of your financial institution or credit card company, the IRS, Social Security, Medicare, or even your local police department. It’s a sneaky way to make you believe the call is legit.
Destroy any information stored on old computers and mobile devices before you sell or recycle them by performing a factory reset or removing and destroying storage drives and devices. Simply deleting files does not permanently remove them from the hard drive.
What to do if you've been a victim of identity theft:
File a report with your local police department. Chances are it doesn’t have the resources to investigate but doing so will document you took steps to prevent future criminal activity and possible financial losses.
Also file a report with the IdentityTheft.gov website run by the Federal Trade Commission.
Victims of identity theft have legal rights that can help them recover from the crime. Visit the FTC’s Know Your Rights web page. You can also contact the nonprofit Identity Theft Resource Center to find out how to undo any damages and reduce your exposure to future criminal activity.