How to protect your identity — 5 tips everyone should know

Identity theft can range from someone opening credit-card accounts in your name to creating social-media accounts using your photos to taking out a loan based on your Social Security number and credit history.

This type of fraud can be inconvenient at best and extremely costly at worst: approximately 14.4 million people were victims of identity fraud in 2018 at a cost of $1.7 billion, according to Javelin Strategy & Research.

Identity theft can also take months or years to unwind, which is why it's better to take preventive measures ahead of time to protect your personal information rather than to scramble to clean up the mess afterwards.

How to know if your identity has been stolen

Identity theft may not be immediately obvious, even to the victim, but the Federal Trade Commission says there are warning signs:

  • You receive bills for things you didn't buy or medical services you didn't use.
  • Mail or bills that you should be getting don't arrive.
  • You get calls from debt collectors for unknown accounts. 
  • You see odd withdrawals from your bank accounts or charges on your credit-card statements. 
  • There are unfamiliar accounts on your credit report. 
  • The IRS receives more than one tax return in your name. 
  • You are unexpectedly turned down for a lease or a loan.

So what are the essential tips to protect your identity?

Keep your personal information private

The simplest way to protect your data is to keep it to yourself. Don't give out any bit of personal information — your phone number, address, date of birth or Social Security number, for example — unless it's absolutely required to sign up for a service or create an online account. 

Your phone number, especially a mobile phone number, is one of the keys to the rest of your data and offers scammers an "in" to steal your identity. 

You should also stop oversharing on social media. You probably aren't posting your address on Instagram, but other seemingly innocuous information, such as your birthdate, your grandparents' names and your kids' photos, can be used to access personal accounts or create fake profiles. 

Finally, don't answer any requests for personal information from unknown callers or texters. Your bank, credit-card company, or doctor's office is not going to contact you out of the blue and ask you to confirm your Social Security number. If you think it's a legitimate request, hang up (or ignore the text) and call the requesting party directly.

Follow password best practices

Strong, unique passwords can help keep your online accounts — and the personal data they contain — secure. They are the first line of defense against identity theft, as weak or repeated passwords make it easier for hackers to crack your logins. 

We've got a guide to creating and storing secure passwords, but a good starting point is to use long, complex passwords and to ensure you're using a different password for every login. Where possible, use biometrics like Face ID or touch sensors instead of alphanumeric codes. 

Two-factor authentication (2FA) adds another layer of security to your logins. Even if an identity thief manages to guess your password, they'll need a second form of authentication to get into your account. This may be a code from a third-party authentication app or a physical key. If possible, avoid using SMS codes for 2FA, as they can be easily intercepted or viewed outside your physical device. 

To make sure you don't reuse passwords, use one of the best password managers. Most are inexpensive and a couple are even free.

Finally, use nonsensical answers to security questions associated with your accounts. Anyone can look up your high school mascot or track down your mother's maiden name using your social media profiles. 

You can say the mascot was Donald Duck and your mother's maiden name was Rockefeller — as long as you remember those "answers."

Clean up your digital existence

We live a lot of our lives online, and some level of risk to our data is unavoidable. But you can take steps to minimize security gaps. 

Start with your physical devices. Always keep the software, both applications and operating systems, on your phone, computer, smartwatch, and other devices up to date, and enable automatic updates where possible. This is how known security flaws are quickly patched; install one of the best antivirus programs to fill in the gaps.

The same goes for apps and online services. Limit mobile-app access to vital pieces of information, such as location, contacts, and photos, to those apps that truly need them. Check to see how many apps and services can access your Apple, Facebook, Google, Microsoft or other widely used accounts, and revoke access when it's no longer necessary.

You can also clean up your browsing behavior. Check to ensure that a website is secure — look for HTTPS or a lock icon in the address bar — before you enter any personal information. (Keep in mind, though, that sophisticated scammers can spoof this.) And skip public Wi-Fi networks for, well, almost everything. 

"Remember not to do anything that requires sensitive information on a public network," says Peter VanIperen, a security expert and managing partner at PWV Consultants in New York. "You're literally asking to have your information stolen." 

If you must hop on an unsecured Wi-Fi network, use a virtual private network (VPN), which encrypts your information and keeps your online activity private from everyone else on the same local network. 

Watch for scams

Scammers are using increasingly realistic emails and text messages to prompt you to click links or provide your personal information — a tactic known as phishing. Remain skeptical of emails that are pushing you to take action to solve an apparently urgent problem, even if they appear to be from a trusted company. 

"Today's phishing schemes are socially engineered to look incredibly legitimate," VanIperen says. 

Just like you'd contact your bank directly rather than giving out your account information to a random caller, go directly to websites rather than clicking links in emails or text messages. A bad actor can easily steal your data when you click the wrong link.

Watch your financial records

Freezing your credit can prevent identity thieves from accessing your credit report (which contains your personal data) or using your personal information to open new lines of credit, such as credit cards or auto loans. You can freeze your credit for free with the Big Three credit bureaus — Equifax, Experian, and TransUnion — and request a "thaw" if you need to apply for credit yourself. 

This isn't a perfect system, so you should still request one free credit report every four months via annualcreditreport.com and continue to monitor your bank accounts and credit card statements for unusual activity. (For the duration of the coronavirus crisis, you can get a free credit report every week.) You can also use one of the best identity theft protection services that includes credit monitoring.  

Emily Long

Emily Long is a Utah-based freelance writer who covers consumer technology, privacy and personal finance for Tom's Guide. She has been reporting and writing for nearly 10 years, and her work has appeared in Wirecutter, Lifehacker, NBC BETTER and CN Traveler, among others. When she's not working, you can find her trail running, teaching and practicing yoga, or studying for grad school — all fueled by coffee, obviously.