An unfamiliar bill. A call from a bank asking about unknown charges. Being turned down for a loan or an apartment because of red flags in your credit check. All these are signs your identity may have been stolen.
Forms of identity theft include using stolen payment-card information to make a purchase; taking control of existing accounts with banks and online payments platforms such as PayPal; and opening new accounts with online sites such as eBay and Amazon, mobile carriers or utilities.
Identity theft has been one of the top three consumer complaints filed with the Federal Trade Commission for many years. More than 26 million people were victims of identity theft in 2016, according to the latest report from the federal Bureau of Justice Statistics. It's also big money for the thieves, with Javelin Strategy and Research estimating $16 billion in identity theft-related losses in the United States for 2016.
MORE: Best Identity-Theft Protection Software
"The situation around credit card and identity theft is getting worse, and shows no signs in the near or intermediate term of getting any better," said Christopher Budd, a senior manager of threat communications at Palo Alto networks in Santa Clara, California.
Identity theft can happen to anyone — there's no single group that is more or less susceptible to being victimized.
"We're not so smart and careful that we can control everything," Budd warned.
How identity theft happens
Your identity can be stolen because a store's point-of-sale terminal was compromised, as happened in the massive Target data breach in 2013, or because someone cloned your credit card when you were paying a bill at a restaurant, or perhaps because a malware infection on your computer intercepted your financial details.
Your identity can also be stolen by non-digital means. For example, someone could fish an old checkbook or credit card statement out of your trash.
"We're at a point where people have to start taking active responsibility for protecting themselves, because no one else is going to do it for them," Budd said.
Here are some tips that can help you protect your identity.
Don't use your Social Security number as ID
Eighty percent of the top 25 banks and 96 percent of top credit-card issuers will let you access your accounts with your Social Security number (SSN) instead of an account number, according to Javelin. Tell your bank you will never do this; that way, your bank will know anyone trying to access the account with the SSN isn't you.
In general, don't blindly hand over your SSN when it's asked for. Instead, ask why such information is necessary, and if there is an alternative form of ID that can be used.
Secure your personal data
If you keep your financial records online, on a computer or on a mobile device, secure these records behind a strong password. Change passwords frequently on all accounts, use a password manager, and turn on two-factor authentication wherever possible.
Check activity regularly for any account that involves money, not just bank and credit cards. For example, regularly check statements from your mobile carrier to make sure additional devices or services haven't been added.
MORE: How to Turn On 2-Step Verification
Be savvy about email
Whenever a data breach makes headlines, scammers piggyback on the news by sending out fake emails to already jittery consumers, containing bogus fraud alerts and fake password-reset links. Treat every email you get about a potential data breach, or warning about potential fraud, with skepticism. Don't ever click on a link or open an attachment in a data-breach-notification email message.
Protect your devices
Make sure your computer and mobile devices are running the latest versions of their operating systems and software, as well as up-to-date versions of anti-virus software. Don't use Windows XP or Windows Vista systems for online shopping or banking, because Microsoft no longer supports those operating systems with security patches. (Patches for Windows 7 end in January 2020.) Consider using super-secure "hardened" browsers or virtual software when accessing sensitive accounts.
MORE: Best Antivirus Software and Apps
Buy a shredder and use it
Identity theft doesn't always require a computer. Professional identity thieves know that garbage cans and company dumpsters are rich troves of financial documents, including canceled checks and credit card and bank statements. Don't toss out your identity with the trash — instead, shred anything sensitive before you throw it away.
Erase computer and smartphone hard drives
Clean out your personal information before getting rid of old PCs, tablets and smartphones. It is surprisingly easy for someone to get access to personal data if the hard drive hasn't been totally reformatted and cleaned.
Sign up for alerts and monitoring
Ask your financial institution to email you whenever funds are transferred out of your account. If your credit card company offers an alert service for suspicious charges, take it. Consider instituting a credit alert with the three major credit bureaus to let you know about new accounts being opened in your name; you can do so for free every year. You can also institute a credit freeze for free, which means no one can look at your credit report without your say-so, although that could complicate things for you financially.
Consider paying for a real-time identity-theft and credit-monitoring service, most of which now incorporate identity-monitoring services, which monitor thousands of black-market websites and notify you if your data ever shows up.
MORE: Best Identity Protection Services
Don't take calls from the IRS or Social Security Administration
The Internal Revenue Service, or any organization authorized to act on behalf of the IRS, will not initiate contact via email, social media, text message or telephone. The government will use the good old postal service first. The same goes for the Social Security Administration, which is in charge of issuing Social Security numbers.
If you get a call, text or email claiming you owe back taxes or exorbitant fines, or that your Social Security number has "expired" or been deemed invalid, it's fake. Don't hand over your credit card number. Hang up instead, and call the IRS or Social Security Administration directly if you have questions.
Lock your mailbox
Every day, millions of bank statements and credit card bills land in mailboxes. Passports and Social Security cards are also sent through the mail. If you have an old-style curbside mailbox, it's easy for anyone to steal your mail. Invest in a locking mailbox; many come with a slot into which mail can be deposited, while others have keys you can share with the mail carrier.
MORE: What to do if your SSN is stolen
Get copies of your credit reports and check for any unusual account activity you don't recognize. Even a quick check of social-media sites and search engines can reveal if someone is impersonating you. When you find a problem, report it immediately. A quick response will reduce the amount of damage you will have to suffer.
Take data-breach notifications seriously
One-third of the people who received data-breach notification letters became identity-fraud victims in 2013, according to an older Javelin report. Forty-six percent of consumers with compromised debit cards in 2013 became fraud victims in the same year, compared to only 16 percent of consumers with a compromised Social Security number. If you receive a data-breach notification letter that includes an offer for a free monitoring service, take advantage of it. Take all the steps recommended in the notice, such as changing passwords and monitoring financial statements closely.