An unfamiliar bill. A call from a bank asking about unknown charges. Being turned down for a loan or an apartment because of red flags in your credit check. All these are signs your identity may have been stolen.
Forms of identity theft include using stolen payment-card information to make a purchase; taking control of existing accounts with banks and online payments platforms such as PayPal; and opening new accounts with online sites such as eBay and Amazon, mobile carriers or utilities.
Identity theft has been the No. 1 consumer complaint filed with the Federal Trade Commission for nearly 20 years. More than 17 million people were victims of identity theft in 2014, according to the latest report from the federal Bureau of Justice Statistics. It's also big money for the thieves, with Javelin Strategy and Research estimating $18 billion in identity theft-related losses in the United States for 2013.
"The situation around credit card and identity theft is getting worse, and shows no signs in the near or intermediate term of getting any better," said Christopher Budd, a threat-communications manager at Tokyo-based anti-virus company Trend Micro.
Identity theft can happen to anyone — there's no single group that is more or less susceptible to being victimized.
"We're not so smart and careful that we can control everything," Budd warned.
How identity theft happens
Your identity can be stolen because a store's point-of-sale terminal was compromised, as happened in the massive Target data breach in 2013, or because someone cloned your credit card when you were paying a bill at a restaurant, or perhaps because a malware infection on your computer intercepted your financial details.
Your identity can also be stolen by non-digital means. For example, someone could fish an old checkbook or credit card statement out of your trash.
"We're at a point where people have to start taking active responsibility for protecting themselves, because no one else is going to do it for them," Budd said.
Here are some tips that can help you protect your identity.
Don't use your Social Security number as ID
Eighty percent of the top 25 banks and 96 percent of top credit-card issuers will let you access your accounts with your Social Security number (SSN) instead of an account number, according to Javelin. Tell your bank you will never do this; that way, your bank will know anyone trying to access the account with the SSN isn't you. In general, don't blindly hand over your SSN when it's asked for. Instead, ask why such information is necessary, and if there is an alternative form of ID that can be used.
Secure your personal data
If you keep your financial records online, on a computer or on a mobile device, secure these records behind a strong password. Change passwords frequently on all accounts, and turn on two-factor authentication wherever possible. Check activity regularly for any account that involves money, not just bank and credit cards. For example, regularly check statements from your mobile carrier to make sure additional devices or services haven't been added.
Be savvy about email
Whenever a data breach makes headlines, scammers piggyback on the news by sending out fake emails to already jittery consumers, containing bogus fraud alerts and fake password-reset links. Treat every email you get about a potential data breach, or warning about potential fraud, with skepticism. Don't ever click on a link or open an attachment in a data-breach-notification email message.
Protect your devices
Make sure your computer and mobile devices are running the latest versions of their operating systems and software, as well as up-to-date versions of anti-virus software. Don't use Windows XP systems for online shopping or banking, because Microsoft officially ended support for the operating system in 2014 and it no longer receives security patches. (Patches for Windows Vista end in April 2017.) Consider using super-secure "hardened" browsers or virtual software when accessing sensitive accounts.
Buy a shredder and use it
Identity theft doesn't always require a computer. Professional identity thieves know that garbage cans and company dumpsters are rich troves of financial documents, including canceled checks and credit card and bank statements. Don't toss out your identity with the trash — instead, shred anything sensitive before you throw it away.
Erase computer and smartphone hard drives
Clean out your personal information before getting rid of old PCs, tablets and smartphones. It is surprisingly easy for someone to get access to personal data if the hard drive hasn't been totally reformatted and cleaned.
Sign up for alerts and monitoring
Ask your financial institution to email you whenever funds are transferred out of your account. If your credit card company offers an alert service for suspicious charges, take it. Consider instituting a credit alert with the three major credit bureaus to let you know about new accounts being opened in your name; you can do so for free every 60 days. Consider paying for a real-time identity-theft and credit-monitoring service. You can also look into identity-monitoring services, which monitor thousands of black-market websites and notify you if your data ever shows up.
Don't take calls from the IRS
The Internal Revenue Service, or any organization authorized to act on behalf of the IRS, will not initiate contact via email, social media, text message or telephone. The government will use the good old postal service first. If you get a call, text or email claiming you owe back taxes or exorbitant fines, it's likely fake. Don't hand over your credit card number. Hang up instead, and call the IRS directly if you have questions.
Lock your mailbox
Every day, millions of bank statements and credit card bills land in mailboxes. Passports and Social Security cards are also sent through the mail. If you have an old-style curbside mailbox, it's easy for anyone to steal your mail. Invest in a locking mailbox; many come with a slot into which mail can be deposited, while others have keys you can share with the mail carrier.
Get copies of your credit reports and check for any unusual account activity you don't recognize. Even a quick check of social-media sites and search engines can reveal if someone is impersonating you. When you find a problem, report it immediately. A quick response will reduce the amount of damage you will have to suffer.
Take data-breach notifications seriously
One-third of the people who received data-breach notification letters became identity-fraud victims in 2013, according to Javelin. Forty-six percent of consumers with compromised debit cards in 2013 became fraud victims in the same year, compared to only 16 percent of consumers with a compromised Social Security number. If you receive a data-breach notification letter that includes an offer for a free monitoring service, take advantage of it. Take all the steps recommended in the notice, such as changing passwords and monitoring financial statements closely.