
Hackers continue to steal astonishing amounts of customer data from corporate and government databases, fueling a worldwide scamdemic.

In 2023, there were 3,205 reported incidents of compromised company databases affecting nearly 350 million consumer accounts in the U.S., according to the nonprofit Identity Theft Resource Center (ITRC). Scammers can acquire your personal info—and bank or credit card details—to forge your identity or steal your assets.

Massive data breaches at American Express, 23andMe, Equifax, LinkedIn, T-Mobile, Xfinity and many other businesses over the last decade have affected tens of billions of accounts. At this point, crooks have access to the personal information for nearly everyone in the U.S.—credit card and bank account numbers, user IDs and passwords, Social Security numbers, dates of birth, medical records, even our genomes.

That’s why you need to take measures to protect yourself. “So much of our data is out there in the wild that we have to adopt the mindset that we’re protecting information that the thieves and scammers already have access to,” said Eva Velasquez, president and CEO of ITRC. “Taking some simple steps—like freezing your credit to ensure that your data that’s already out there can’t be misused—is so important right now.”

Here are the best ways to safeguard your identity, credit, and assets.

Freeze Your Credit Reports

If you haven’t already done this, go do it right now.

A credit freeze (also called a security freeze) locks your credit file, making it difficult for thieves to open new accounts in your name. Potential creditors won’t approve new credit card or loan applications submitted by bad guys, or allow them to open new bank accounts using your stolen identity info. Your current creditors will still be permitted to check your files, and initiating a freeze won’t impact your credit scores.

Place freezes with each of the three big credit bureaus—Equifax, Experian, and TransUnion. It’s free, and you can do it online quickly—certainly in less time than undoing the damage caused if you have your identity stolen.

“Freezing your credit is the most robust and proactive consumer protection step you can take to protect your identity. It stops the thieves in their tracks,” Velasquez told Checkbook. “Even if someone has all of the identity credentials necessary to impersonate you and attempt to open new accounts, they still can’t do it.”

Federal regulations require the credit bureaus to put your report on ice within one business day of receiving a request online or over the phone, and within three business days of getting a mailed-in request.

If you wish to apply for credit—including signing up for new cell phone or utility services, or trying to rent an apartment—you can temporarily lift the freeze by logging on to your accounts at each credit bureau’s website. Those bureaus must unlock your file within an hour.

Note: Credit bureaus will try to sell you monitoring services or other costly products. They’re useless (see the end of this article for more info).

Lock Down Your Children’s Credit Reports

More than one million children have their identities stolen each year. Because thieves love to impersonate people with no credit histories, children are common targets. After obtaining kids’ Social Security numbers, crooks exploit their blank credit histories with less risk of discovery; parents are unlikely to stumble across the problem, or even think to check their kids’ reports.

If your child doesn’t have a credit file, upon request the credit bureaus are required by law to let you create one and freeze it. Do so, and then order a copy of their credit reports each year through AnnualCreditReport.com.

Watch for warning signs that an identity thief has accessed your child’s credit file. A minor should not be getting calls or mail from bill collectors, credit card offers, or jury duty summons.

Regularly Check Your Credit Reports

Use AnnualCreditReport.com at least twice a year to obtain your reports with Equifax, Experian, and TransUnion. Other websites offer free credit reports, but AnnualCreditReport.com was set up by the federal government and is the only one you should use. And if you search the internet for “free credit report,” you might land on a scammer’s website.

Review your reports for warning signs of identity theft, such as accounts you didn’t open or a false history of late payments.

Monitor Your Credit Scores

Credit scores are generated from the information in your credit files. Most banks and credit card companies now give customers access to free credit score information to help them guard against identity theft.

If you have good credit, and your score suddenly drops for no obvious reason (you didn’t max out your credit cards or make late payments), that could signal that an identity thief has opened accounts in your name and is racking up debt.

Use Multi-Factor Authentication

You should use a strong and unique password for each of your financial accounts (see below). But because even the best password can be compromised (or stolen during a data breach), sign up for multi-factor authentication (MFA).

MFA means that to log into an account, you’ll enter both a password and use at least one other identifying factor (fingerprint, facial recognition, or entering a code from a text, email, or authentication app). It’s not foolproof, but MFA can stop most hackers from using stolen passwords.

Get Smart About Passwords

Most people use the same password for multiple accounts. Bad idea. If criminals steal your password from one company, they can use it to hack into your other accounts.

“It’s like having the same key to start your car, unlock your house, open your safe deposit box, and lock your desk at work,” said cyber security expert Adam Levin, author of the book Swiped.

At the very least create unique passwords for your most sensitive accounts, such as bank, credit card, investment, government benefits, and social media. They should be long (at least 10 to 12 characters—longer is better) and strong (include random numbers, uppercase and lowercase letters, and special symbols). Avoid common phrases such as LetMeIn, ILoveYou, or LukeIAmYourFather. Don’t use song lyrics, or names of pets or sports teams.

A better option is to use a password manager, which will automatically generate strong passwords and store them in an encrypted digital vault that can be accessed only with the master password you create.

Consumer Reports regularly evaluates password management apps. It currently recommends 1Password Families (from $60/year), Dashlane Premium (from $60/year), Keeper Unlimited (from $34.99/year), and Keeper Free Version.

Your phone, tablet, and computer probably already have password managers. Apple’s embedded password manager is called FileVault. Most internet browsers also employ them, with options to sync passwords across multiple devices. While these features are convenient, they’re not as robust as a dedicated password management program. Even so, “any tool that encourages you to use unique passwords, and hopefully complex ones, is a win,” said Chester Wisniewski, director and global field CTO at IT security company Sophos. “If you decide to use the password storage feature on Firefox, be sure to set a ‘master password’ to ensure the passwords will be stored safely.”

Especially Guard Investment and Retirement Accounts

By law, you are largely protected from fraudulent activity on credit card, checking, and savings accounts. If a crook obtains your credit card number and goes on a shopping spree, or steals money from your checking account, you usually won’t be responsible for those losses.

But investment and retirement accounts don’t automatically get regulatory protection from fraud losses, leaving your life savings exposed and vulnerable. And, unfortunately, if theft occurs, many investment companies have absurd requirements their customers must meet to qualify for reimbursement.

A few years ago, Consumers’ Checkbook reviewed the websites of nine major investment firms and found two lacked specifics about any policies that might protect their customers from theft. Meanwhile, companies that explicitly offer such coverage often have dozens of requirements to qualify for reimbursement if there’s a problem. You might, for example, have to log in to your account at least once per month, enable MFA, and report theft within a few days. And many investment companies won’t reimburse victims who unwittingly provided their log-in information during phishing attacks or over the phone to con artists.

Enable MFA for these accounts and use your password manager to create and use strong unique passwords for them. Check account activity regularly, and immediately report possible theft or fraud. And check your mail and email often for alerts about potentially suspicious activity.

Set Up Alerts for Credit Card and Bank Accounts

The sooner you spot identity fraud the easier it is to undo the damage and prevent future problems. Use the security section for the websites of your credit cards and banks to set up account alerts that notify you of transactions in real time. For example, you can get a message any time there’s an ATM withdrawal, an online or phone transaction, a deposited check, a foreign transaction, or a wire transfer. To avoid getting a text or email every time your spouse orders a pizza, you can customize alerts. But know that even a small charge or deposit could be a criminal testing your credit card or debit card account with a stolen number.

Don’t Click on Links in Email or Text Messages

Thieves prefer to hack the weakest link in a long security chain, and that link is often you. They’ll “phish” for your login credentials by sending you an email, text, instant message, or online pop-up that looks like it comes from your financial institution, credit card company, package-delivery service, or other trusted business. Click on one and you’ll land on a bogus website that looks legit, where you will be asked to log in to your account or provide payment info. Do so and you’ve let the thieves in.

Always access your online accounts, especially financial accounts, by typing the legitimate URL into the browser’s address bar, or by using a browser bookmark or the official app for that company or financial institution.

Verify Phone Numbers Before Calling Customer Service

Fraudsters are increasingly buying ad space on Google and other search engines and sending texts and emails that point to bogus customer service call centers for airlines and other big companies. Call them and you’ll be asked for personal information or a credit card number, which they’ll use to steal from you.

Instead of doing an internet search for customer service phone numbers, navigate directly to the company’s website. Yes, you’ll need to know the real URL for the company; if you don’t know it, watch out for fake postings in search results.

Warning signs that you’ve phoned a crook:

  • The “representative” doesn’t know anything about your account; they provide only generic details.
  • They ask you for personal information that isn’t needed to handle your problem, such as a credit card or Social Security number to verify a recent purchase or account balance, or to switch seats on a flight you’ve already booked.
  • They say you need to pay money to have your problem resolved. Typically, they want to make a withdrawal from your bank account, seek a credit card payment, ask you to buy them a prepaid gift card, send cash via wire transfer, or push you to make a transaction at a cryptocurrency ATM.
  • They request remote access to your computer or smartphone in order to help solve your problem. They may ask you to download and install software to enable this remote access.

Don’t Trust Caller ID

It can be spoofed to display whatever bogus information criminals want, such as the name and number of your financial institution or credit card company, the IRS, Social Security, Medicare, or even your local police department. It’s a sneaky way to make you believe the call is legit.

Be Careful When Mailing Checks

Thieves love to steal checks from the mail, often obtaining them by using stolen or copied keys to postal service drop boxes. They then deposit checks in temporary bank accounts they’ve set up in other people’s names or alter the checks by “washing” them. This crime has been around for ages, but is growing again because the chemicals needed to remove the ink are cheap and widely available, and real checks can be deposited remotely and anonymously at ATMs or via mobile deposit. Plus, a single altered check can be used to steal thousands of dollars.

If you need to mail a check, walk it into a post office, rather than leaving it in your home’s mailbox or depositing it in an unmonitored curbside collection mailbox.

Trust Your Gut, and Don’t Let Anyone Rush You

The Better Business Bureau (BBB) asked people who were targeted by scammers, but didn’t take the bait, how they avoided losing money. The top response: It didn’t feel right, so they stopped engaging.

“There’s nothing, no transaction or anything, that’s important enough to move forward without doing additional due diligence, or even getting off the phone and talking to a friend about it,” said Melissa Lanning Trumpower, executive director of the BBB Institute for Marketplace Trust. “If you’re feeling something’s off, just stop and don’t move forward, and that will help protect you.”

Be wary if someone tries to rush you into a decision. Many con artists obtain credit card or bank account information from their victims by creating a fake crisis or pushing consumers to act quickly so they don’t lose out on a special deal.

When in Doubt, Pay with a Credit Card

How you pay matters, especially when you shop online or by phone. Credit cards provide the most protection. According to federal law, if the merchandise isn’t what you ordered or is damaged—or never arrives—you can dispute the charge and, in most cases, get your money back.

Debit cards provide some fraud protection, but not as much as credit cards. If you challenge a credit card transaction, you don’t have to pay the disputed amount while the credit card company investigates. When you purchase something with a debit card, the money is automatically withdrawn from your checking account, and you won’t have access to those funds while the bank investigates—and that can take weeks. If the bank denies your claim, that money is gone forever.

Peer-to-Peer Payment Apps Are Scam-Enabling Nightmares

It’s a huge warning sign if a merchant asks you to pay with a peer-to-peer (P2P) app (such as Zelle, Venmo, or Cash App), prepaid gift or debit cards, or cryptocurrency. Don’t do it.

Because P2P payment services are offered by well-known companies and even major banks, many users incorrectly assume they are protected from fraud. Not so. Sending money through these services can be akin to handing someone cash or wiring them money: Once you’ve paid, it’s up to the recipient to issue a refund if you’re unhappy with your purchase, paid a scammer, or goofed and sent funds to the wrong email address or phone number.

P2P apps warn customers that they should only be used to transfer money to friends, family, or others you know and trust. They are not for shopping online or paying bills.

Shred Stuff

Before getting rid of old credit cards and documents that contain Social Security numbers, account numbers, and other personally identifiable information, run them through a cross-cut shredder. Many local governments and some banks and credit unions regularly host free shredding days.

Don’t Overshare on Social Media

To avoid arming potential imposters with info about where you travel, lists of friends and family, and what you like, make sure your social media profiles are set to private. Avoid posting anything publicly.

Wipe Your Data Before Getting Rid of Devices

Before recycling or donating old smartphones, tablets, computers, or smart TVs, make sure you’ve wiped them completely. It’s not enough to simply delete all your files; that usually won’t permanently destroy digital data.

“We are led to believe deleting makes things permanently go away. The truth is that data can be retrieved in most cases,” said Sophos’ Wisniewski. “Not just police or forensic experts can access deleted data. The tools are available to almost anyone, including identity thieves and nosy second or third owners. The sensitive data includes text messages, photos, documents, email, and passwords.”

You can remove these data by reverting a device back to its original state (also referred to as “restoring its factory settings”). Find out how to do that by using the device manufacturer’s instructions, which are available online.

Doing a total reset on a PC still may not remove all your info and files; afterward, it’s a good idea to run a utility program, such as Disk Wipe or DBAN.

Both of these free apps will destroy whatever data is left on the drive.

Before recycling a smart TV, make sure you log out of any subscription services (Netflix, Disney+, Amazon Prime, etc.) so they can’t be used by someone else.

Keep Your Devices and Software Up to Date

Set your computer software and hardware, mobile device apps, internet browser, and operating systems to update automatically, so you get the latest security patches as soon as they come out. Familiarize yourself with your devices’ security and privacy settings, and set them to the strongest protection levels. Your router is also a potential weak spot; check its settings so that it gets automatically updated with any firmware patches. And make sure your router uses the WPA3 privacy protocol. WEP, WPA, and WPA2 aren’t good enough anymore; if your router doesn’t use WPA3, replace it with one that does.

Close Dormant Accounts

Chances are you have dozens of accounts you haven’t used in years. Dormant accounts, which have saved personal information, such as your birthdate and possibly credit card numbers, are a major security risk—especially if the companies’ databases have been breached, or you set them up using weak passwords that you also used on other sites that may be scooped up by hackers.

Unfortunately, most companies make it difficult or even impossible to locate the spots on their websites where you can close accounts. Consumer Reports’ free Permission Slip app is a great help with this task. It presents users with a list of hundreds of companies. Select one and CR tells you what type of info it collects and your options for what you want to tell it to do, which include telling it to stop selling your data and/or to delete your account. You can quickly work your way through the app and tell each company to delete any account.

Note that deleting an account means you’ll be unsubscribed from that company’s service (goodbye, Disney+ or Netflix) and will have removed yourself from any loyalty program, losing accrued rewards points.

Don’t Waste Money on Identity Theft Monitoring Services or Insurance

Carefully watch your credit and accounts for signs of fraud, but don’t pay a company to do it. Identity-theft monitoring services cost $10 to $30 a month, but taking the steps we’ve outlined in this article lets you do a better job for free.

Homeowners insurance companies also push optional coverage for ID theft protection, usually for $40 to $100 per year.

The biggest problem we have with credit monitoring services and insurance is the hype and fear tactics often used in their advertising. For example, many of these companies claim they monitor the dark web. This sounds impressive, but with so many breaches in the last few years, chances are your personal information is up for sale already. Even if a monitoring service finds it there, there’s nothing it can do to remove it.

Many of these companies also brag about covering your losses up to one million dollars. Just more hype. Most identity theft victims do not have any out-of-pocket losses. When fraud occurs, banks, credit card companies, and retailers typically refund losses, so any million-dollar promise is basically useless. Most of the hassles caused by identity theft involve the time it takes to document the fraud, cancel accounts, and open new ones. None of this is reimbursable by any identity theft insurance policy.

What to Do If You’ve Been a Victim of Fraud

Immediately contact your credit card company, bank, or investment brokerage and report the crime. In most cases, it will return the stolen funds or remove fraudulent charges.

If you haven’t already frozen your credit files with Equifax, Experian, and TransUnion, do so. Then, instruct at least one of them to place a fraud alert on your account. That will require all the credit bureaus to notify other companies about the alert, and they then must take additional steps to verify your identity before opening new accounts or raising your credit limits.

File a report with your local police department. Chances are it doesn’t have the resources to investigate, but doing so will document that you took steps to prevent future criminal activity and possible financial losses.

Also file a report at IdentityTheft.gov, a website run by the Federal Trade Commission. It also provides info on any legal rights you have to help recover from the crime.

The nonprofit Identity Theft Resource Center (ITRC) provides free support and guidance to victims, or those who want to learn about protecting themselves. You can speak to a live advisor by calling 888-400-5530 or live chat with one by visiting its website.

 




Contributing editor Herb Weisbaum (“The ConsumerMan”) is an Emmy award-winning broadcaster and one of America's top consumer experts. He has been protecting consumers for more than 40 years, having covered the consumer beat for CBS News, The Today Show, and NBCNews.com. You can also find him on Facebook, Twitter, and at ConsumerMan.com.