Identity Theft 101
August 29, 2019
Identity Theft 101: How it Happens & What to Do if It Does
In September 2017, the credit reporting agency Equifax announced that around 145.5 million consumers in the United States were affected by a data breach of their servers. Among the information collected were full names, Social Security Numbers, addresses, birthdates, and driver’s license numbers. Over 200,000 consumers had their credit card information stolen.
The effects of this breach are going to be felt for a long time – investigators are still trying to determine the true extent of the breach’s impact, with a recent count estimating that as many as 147.9 million consumers were actually affected.
If the Equifax breach is any indicator, the Internet age has put us in a position where our most closely guarded information can be stolen in the blink of an eye. From 2013 to 2017, the number of global data breaches related to identity theft each year increased from 357 to 1,085. Although the majority (about 66%) say they haven’t been affected, 22% of Americans say they were victims of online identity theft at least once in 2017. (Source: YouGov)
Identity theft can come for you when you least expect it, and even the largest institutions in the world aren’t as responsible with your personal information as they could be.
To that end, it’s important to understand what identity theft is, how it can affect you, and the best ways to prevent it. With the right level of caution, and the proper tools at your disposal, you can be as prepared as possible to keep your identity from being stolen, or know exactly what to do if it happens.
What Is Identity Theft?
First, it’s important to understand what identity theft is. Essentially, identity theft is a crime in which one party steals the personal information of another for the purposes of fraud, or to commit other crimes. This kind of personal information includes your name, driver’s license, Social Security number, address, and more.
Methods of Identity Theft
A data breach is, according to the Department of Health and Human Services, a “security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so.” Incidents can range from finding unwiped computers in the trash to people taking advantage of security weaknesses to collect information.
The Equifax breach is perhaps the most notable recent example of this. Thanks to various security vulnerabilities, including the unauthorized accessibility of an online portal in Equifax’s servers, bad actors had the ability to search for consumer information unencumbered.
Malware and spyware
Sometimes identity thieves don’t have to find existing vulnerabilities in your security systems; on occasion, they can install (or get you to install) programs that will collect that information for them. For the most part, these programs come in the form of malware – programs that can collect information and transmit it to other parties.
Malware can get on your computer any number of ways, but it most often arrives when you click on unreliable pop-ups or open unfamiliar email attachments. Essentially, any incoming file or software that has not been properly verified could be malware.
So much of your personal and financial information is accessible through Wi-Fi, especially if you sign onto unsecured or unprotected public Wi-Fi. Identity thieves can exploit security flaws in public routers to scan the data sent between your device and the router itself – a technique known as a ‘man-in-the-middle’ attack.
This is one of the easiest, most user-friendly methods of hacking and identity theft – devices such as the Wi-Fi Pineapple are cheap, easy-to-use peripherals that allow people to attack public Wi-Fi networks for less than $100.
One of the most prominent ways an identity thief can access your personal information is by getting you to volunteer it to them. This chiefly happens through phishing emails, in which thieves pretend to be a family member, friend, or bank/retailer to get you to give them your login or account information. From there, they can log in themselves and take whatever info they need.
Phishing attempts can often come in the form of emails stating that there is fraudulent activity on your account, and that you must click a link to verify your information. (You can see one example here.) Using the panic of your information already being compromised, phishing urges you to respond immediately to prevent you from looking too closely at the email.
Credit Card Theft
Of course, not all instances of identity theft have to happen over your computer – identity thieves can get enough information from you to commit fraud simply by stealing your credit card. Even in 2016, 43% of Americans said they were victims of some kind of credit or debit card theft or fraud.
Many identity thieves do not have to physically steal your card, nor do they have to snatch your information from the Internet. You also have to be on the lookout for ATM skimmers – devices clandestinely installed onto bank ATMs which look like the credit card slot, but which read your credit card data as you use it, and collect it for their owners.
How Stolen Identities Are Used
Whether identity thieves have taken advantage of weaknesses in your security or the security of your institutions, or just stolen your credit card out from under you, there are a number of wildly different uses they may have for your personal information.
According to Statista, the most frequent type of identity theft is opening fraudulent credit cards; 30% of identity theft complaints in the US involve credit card fraud, i.e. using your credit card info to make charges or to set up new cards and accounts they can use themselves – ruining your credit in the process.
Other types of identity theft include stealing your tax returns, or filing fraudulent taxes to take your tax refund. If thieves don’t want to use your information themselves, they can sell it off on the dark web to the highest bidder.
How to Find Out If Your Identity Has Been Stolen
According to the 2017 Javelin Identity Fraud Study, approximately 15.4 million Americans were affected by identity fraud in 2016, with more than $16 billion in stolen goods and funds taken from victims – a record high over previous years.
However, many more may have had their identity stolen without even knowing it, leaving many to wonder what they can do to check whether or not they’ve been targeted for identity theft. Still, there are several ways you can investigate your level of data security and determine whether you’ve been compromised.
Check sites designed to alert you to identity theft risk
Haveibeenpwned.com is a fabulous resource with which you can check your accounts to determine whether you have been compromised in a data breach. Just enter your email address, and the site lets you know if your information has been found on any breached sites.
From there, the site helpfully lets you know where/when the breaches happened, and how you can improve your security.
If, like many, you fear you may have been part of the aforementioned Equifax data breach, you can go to Equifax’s dedicated website for the breach to check your information for a potential breach. You also get an informative FAQ about what the breach is, what it means, and how you can protect your information moving forward.
Check your bank accounts for unauthorized purchases
This tried-and-true method applied even before the age of online identity theft – simply keep track of your bank accounts to see whether or not any large or strange purchases have been made on your account. If you see anything that cannot be accounted for, contact your bank or credit card provider immediately.
Look for missed bills and other mail
When identity thieves take over your account, one of the first things they do is change your billing address. If you still get physical credit card bills and other important mail, make sure you are still receiving those notices on time. If not, that might be evidence that an identity thief has redirected your mail elsewhere.
Receiving tax transcripts you did not request
Similarly, when identity thieves attempt to log on to the Internal Revenue Service website to get your tax information through stolen data, the IRS can sometimes mail a physical tax transcript to you in case an electronic version failed. If you receive a transcript you did not ask for, that may be an indicator of identity theft.
Also, if your own electronically filed tax return is rejected, it could be a sign that identity thieves have already filed for you.
Check your credit score for discrepancies
It may seem strange, but your identity might have been stolen if your credit rating suddenly goes up for no discernible reason. Take a look at your credit report to see if there are any other credit accounts or hard inquiries you cannot account for; if you see new cards or loans you did not sign off on, there’s a good chance those have been created by fraudsters.
So Your Identity’s Been Stolen. Now What?
If you’ve done any of the aforementioned checks, and you find out that your information has been compromised, there are a number of things you can do to secure your data and make sure identity thieves don’t get away with all of your information.
First and foremost, you must report the theft to the Federal Trade Commission’s website, or contact them by phone at 1-877-438-4338. If you do it online, you will receive an identity theft report from the FTC, as well as a recovery plan with clear, demonstrable steps to secure your identity. Of course, that requires setting up an account on the website.
If you don’t want to do that, you can get a printable version of your summary and recovery plan you can follow offline. Use that in conjunction with the FTC’s publication Taking Charge – What to do if Your Identity is Stolen, which contains checklists, sample letters and more to comprehensively protect your identity.
In the event that you suspect someone you know may have stolen your identity, you have grounds to report it to your local authorities. This will allow you to get a police report, with which you can more authoritatively document the theft.
While these resources will give you comprehensive steps to protect your identity, there are a few universal tips that will help people secure their information.
First, make sure to report any and all fraudulent activity to your credit card company and credit reporting agencies like Experian and TransUnion – credit card companies are obligated to respect fraud alerts and take extra protections to verify your identity.
If need be, you may want to freeze your credit accounts. Credit freezes limit who sees your credit report information, preventing others from opening new accounts. A freeze also doesn’t hurt your credit, or prevent your own credit actions from changing your credit report. Costs may vary, depending on the credit agency, but states like Maine and South Carolina make freezing free.
Most immediately, it’s vital for you to change your bank accounts and credit cards. Close your credit cards and ask for new ones to be reissued (ensure that your shipping address is your own). Change your passwords and login information for your banks and other relevant accounts, to ensure that thieves cannot use stolen passwords to access your data.
How to Prevent Identity Theft
Even if you find out that your identity and personal information have not been compromised, that doesn’t mean you shouldn’t remain vigilant at maintaining your personal security. To lessen the likelihood of becoming vulnerable to identity theft, there are a few important precautions you can take.
Keep a close eye on your accounts
If you mostly leave your bank accounts alone, you may not notice when fraudulent activity happens. To that end, it’s important to maintain regular monitoring of your accounts. Make sure you balance your checkbook each month, and only work with banks and creditors that offer comprehensive, full-featured activity monitoring (e.g. call you if they see suspicious activity).
Beware of spam emails
Spam and phishing emails can be tricky – often, they are designed to fool you into believing that they are an official email from a reputable company, redirecting you to websites that look official but are instead meant to collect your information.
Since phishing relies on social engineering rather than hacking, using proper judgment is the best way to prevent phishing schemes from working. Look at the URLs and email addresses involved in the email to ensure that it is coming from the actual company or organization. Do not open suspicious emails under any circumstances.
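The URL and sender check described above can be automated. The following is an added example, not part of the original article: the trusted domain mybank.example, the sample message, and the function names are all constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the domain the real organization uses (reserved test name).
TRUSTED_DOMAINS = {"mybank.example"}

# Constructed sample message, not a real phishing email.
SAMPLE = """\
From: MyBank Security <alerts@mybank.example.account-verify.test>
Subject: Fraudulent activity on your account
Content-Type: text/html

<p>Click to verify your information:</p>
<a href="https://mybank.example@login.test/verify">mybank.example</a>
<a href="https://mybank.example.secure-login.test/">Sign in</a>
<a href="https://www.mybank.example/help">Help</a>
"""

def belongs_to(host, domains=TRUSTED_DOMAINS):
    """True only if host is a trusted domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

class LinkCollector(HTMLParser):
    """Collects the real href of every <a> tag, ignoring the visible text."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.append(href)

def review_email(raw):
    """Return a list of reasons the message does not match the trusted domain."""
    msg = message_from_string(raw)
    findings = []
    # The display name is free text; only the address after '@' matters.
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2]
    if not belongs_to(sender_domain):
        findings.append(f"sender domain not trusted: {sender_domain}")
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href in collector.links:
        # hostname drops any 'user@' prefix, so it is the server actually contacted.
        host = urlsplit(href).hostname
        if not belongs_to(host):
            findings.append(f"link leaves trusted domain: {host}")
    return findings

if __name__ == "__main__":
    print("\n".join(review_email(SAMPLE)))
```

The sample passes a casual glance because the trusted name appears in the display name, the link text, and the front of each hostname; the check compares only the end of the hostname, which is the part that determines who receives the request.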
Create more difficult passwords
Hackers can use brute-force hacking to figure out simpler passwords and gain access to your accounts. To counteract that, make it more difficult for hackers to brute-force your login info by creating complicated passwords that would take hacking software longer to break through.
To that end, it’s important to create passwords that aren’t just your birthday, or the name of your beloved pet, or your favorite movie quote. Proper, strong passwords should include a combination of upper- and lower-case letters, use numbers and special characters or symbols, and be at least 8 characters long.
Furthermore, you should not use the same password for more than one account. If hackers find one of your passwords, it shouldn’t open the door to the rest of your data.
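The password rules above, written as a check with a generator and a rough brute-force estimate. This is an added example, not part of the original article; the symbol set, the function names, and the guess rate of 10 billion per second are assumptions chosen for illustration.

```python
import secrets
import string

SYMBOLS = "!@#$%^&*()-_=+"                       # assumed symbol set
ALPHABET = string.ascii_letters + string.digits + SYMBOLS

def meets_rules(password, already_used=()):
    """The rules above: 8+ characters, all four character classes, never reused."""
    return (len(password) >= 8
            and any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in SYMBOLS for c in password)
            and password not in already_used)

def generate(length=16, already_used=()):
    """Draw characters from the OS CSPRNG until the result satisfies every rule."""
    if length < 8:
        raise ValueError("length must be at least 8")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_rules(candidate, already_used):
            return candidate

def years_to_exhaust(length, guesses_per_second=1e10):
    """Worst-case time to try every random password of this length over ALPHABET.
    guesses_per_second is an assumed attacker rate, not a measured one."""
    seconds = len(ALPHABET) ** length / guesses_per_second
    return seconds / (365 * 24 * 3600)

if __name__ == "__main__":
    print(meets_rules("fluffy1987"))             # pet name plus birth year
    print(generate())
    for n in (8, 12, 16):
        print(n, f"{years_to_exhaust(n):.3g} years")
```

The estimate applies only to randomly generated passwords; a password built from a name, date, or quote is guessed from word lists long before the full search space is tried.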
Use a password manager
While using strong, varied passwords across all your accounts is a great way to prevent identity theft, it can be difficult to keep them all straight. Thankfully, there are password managers that not only generate strong passwords that are difficult to brute-force, but keep them organized in one secure account.
LastPass is one of the most reputable password managers out there – a simple Google Chrome browser extension that allows you to automatically generate a strong master password that works on all your various sites (which you add to your account’s ‘vault’). Each site in the vault builds its own independently randomized password that protects you from hacking.
LastPass also gives you the ability to audit your passwords, to make sure that none of your old or leftover passwords present a security risk to you.
1Password performs a similar function to LastPass, creating an account that contains randomized passwords for all your logins, and filters them through one single master password. However, it also provides a ‘secret key’ in addition to your master password, along with the option for fingerprint logins on certain devices.
That being said, LastPass offers multi-factor authentication, a feature that 1Password lacks. Still, either password manager provides effective protection from brute-force hacking of your passwords.
Protect your Internet usage
Smart, judicious modification of your online activity can do wonders to prevent man-in-the-middle attacks and other hacking methods. First, only connect to Wi-Fi networks you know and trust, such as your home networks and secured Wi-Fi routers that require a specific password. When possible, avoid using public networks altogether.
If you do need to use public Wi-Fi, however, use a Virtual Private Network (VPN). A VPN allows you to securely use the Internet by encrypting your browsing and data through a VPN server. This prevents hackers from being able to see the data you are routing through the network.
Setting up a VPN isn’t the easiest thing in the world, but it will do wonders for your data security. Motherboard has a very easy guide to picking and setting up your first VPN.
Secure your Social Security Number
Your Social Security Number is the most valuable number you can protect when it comes to monitoring your data, so it’s imperative that you only use it when absolutely necessary. Don’t carry your Social Security card with you, and don’t give it out to anyone but authorized parties who can ensure its protection.
Some federal laws already provide protections to your Social Security Number. For instance, the Social Security Number Protection Act of 2010 prevents federal, state and local agencies from displaying Social Security numbers on checks for public employees.
Meanwhile, the Social Security Number Protection Act of 2011 requires the creation of procedures that prevent SSN collection on Medicare ID cards and HHS communications.
While these measures are admirable, and help government employees and Medicare recipients lessen their chances of identity theft, it is still important for you to take the necessary steps to keep others from seeing your Social Security Number.
Review your credit information every year
In addition to keeping track of your bank accounts, it is important to know your credit rating and track your records for fraudulent activity. The best way to do that is to request an annual credit report from all three major credit bureaus that you can examine each year.
The best way to do this is through the government-mandated site AnnualCreditReport.com; all you have to do is enter your information, request your credit reports, and answer some security questions, and the site will generate a credit report for you.
Do this every twelve months – this allows you to keep abreast of any suspicious activity, new cards and accounts you do not recognize, and changes in your credit rating. Not only will this allow you to stave off potential identity theft, it will give you the best chance of maintaining or improving your credit score.
Put your mail on hold during long absences
If you plan to be away for several days at a time, it may be prudent to ask the United States Postal Service to put a hold on your mail. This will prevent thieves from stealing bills, credit card information and more they can use to steal your identity.
Alternatively, you can sign up for Informed Delivery, which allows you to preview your mail deliveries to determine whether you are missing anything.
In this world of insecure data, widespread information theft, and hackers lurking around every corner, you must know what you’re up against and how to protect yourself from identity theft. If you stay vigilant, use the right resources, and maintain a close eye on your information, you will be as ready as possible for the next Equifax-level breach.