| TL;DR – Quick Takeaways |
|---|
| Data breaches are happening more frequently, and identity theft can strike anyone. Protect yourself by freezing your credit at all three bureaus (and placing a fraud alert as an immediate first step), monitoring your credit through free tools like AnnualCreditReport.com and Credit Karma, locking down your cell phone account against SIM swaps, enabling two-factor authentication with an authenticator app (not text messages), using strong unique passwords with a password manager, keeping your software updated, and staying alert for phishing and AI-powered scams. Also be aware of tax, medical, and child identity theft. If it’s already happened, report it at IdentityTheft.gov for a free, personalized recovery plan from the FTC. These steps won’t make you bulletproof, but they can make you a much harder target. |
Protecting Your Identity in the Age of Massive Data Breaches
“Not so good…” was not the response I expected when two of my clients called a few weeks ago and I asked the typical question of “How are you?” They immediately had me worried, and that worry only grew after they told me how their identities, along with their Mom’s, including their social security numbers, emails, many of their online accounts, including their bank and 401(k), along with one of their cell phones, had all been hacked.
With one of the recent data breaches, a hacker obtained their information, which was just the start of their scheme. One of the first things the hacker did was walk into their cell phone provider’s store and claim that they had lost their cell phone and needed a new one. This shut off my clients’ cell phone and gave the hacker access to any two-factor authentication via text message. As the hacker already had my clients’ email address, between that and their phone, they now had the ability to complete any two-factor authentication for any of their accounts. This allowed them to simply click ‘Forgot Password’ and gain access to any of their accounts. And when my clients tried to get into their own accounts doing the same thing, they were shut out.
Long story short, the hacker was able to draw some money from their checking account and their 401(k), and they wasted a lot of my clients’ time as they had to file a police report, work with their bank, 401(k) provider, cell phone provider, and all of the other accounts the hacker gained access to. Fortunately, all of their other investment and retirement accounts that we manage are safe and the hacker wasn’t able to do anything with them, so they at least had some comfort there.
So, what can we do to prevent identity theft?
With all of the recent data breaches you have surely seen reports of in the news lately, this is definitely something we need to address. Nobody wants to constantly be worried about whether our data is secure, and if the next data breach could affect us. Or if it already has.
First, before we go any further, if you have had, or suspect, that your identity has been stolen, you should contact the police right away to report it. This will be one of the first things you need to do (along with everything else mentioned below) so that you can get any fraudulent charges, erroneous withdrawals, etc. reversed.
Of course, these tips alone will by no means prevent you from ever having your identity stolen or getting hacked. But, our goal is to make it as difficult as possible. Unfortunately, we should all assume that at some point or another, if it hasn’t happened already, our personal information is going to be part of a data breach, and be out there for someone to exploit. I say this not to discourage you and have you throw your hands up in the air, but to show you the mindset that will help us to be as proactive as possible.
Placing a Credit Freeze through all 3 Credit Bureaus
With our first point, let’s start with an easy analogy: The best offense is a good defense! Having binged Ted Lasso multiple times with my family over the past few years, another sports analogy comes to mind, so let’s compare a lockdown goalie to an identity thief simply not being able to open a new credit card in your name because you have frozen your credit. If they have your personally identifying information, including your social security number, one of the easier ways for them to profit is to open a new credit card (or two, or three), and start using the digital card they receive immediately after approval, using your once-stellar credit.
If we assume that all of our personally identifying information has already been stolen and is out there already, we would want to make sure that nobody can do anything with it, right?
Placing a freeze on your credit can help protect you from fraud as potential creditors will not be able to access your credit report, which they need to be able to approve ‘you’ for a new credit card or loan. By doing this, you have a lockdown defense against any new credit accounts in your name. Of course, if you legitimately want to open up a new credit card or apply for a loan at some point in the future, you will need to temporarily unfreeze your credit – just make sure you remember to freeze your credit again after you are approved.
If you truly want to freeze your credit, you will need to request and manage the freeze separately at all three major credit bureaus. You can place a credit freeze or lift a credit freeze by calling or mailing, but the easiest way to do so tends to be online. Placing, temporarily lifting, and permanently removing a security freeze is free at all three bureaus.
How to freeze your credit with all 3 bureaus:
| Bureau | Online | Phone | |
|---|---|---|---|
| Experian | experian.com/help/credit-freeze | 888-397-3742 | P.O. Box 9554, Allen, TX 75013 |
| TransUnion | transunion.com/credit-freeze | 800-916-8800 | P.O. Box 160, Woodlyn, PA 19094 |
| Equifax | equifax.com/personal/credit-report-services/credit-freeze | 888-298-0045 | P.O. Box 105788, Atlanta, GA 30348-5788 |
Credit Freeze vs. Fraud Alert – What’s the Difference?
You may have also heard of a fraud alert, which is different from a credit freeze. A fraud alert is a free notice placed on your credit file that tells lenders to take extra steps to verify your identity before opening new accounts. An initial fraud alert lasts one year, and you only need to contact one of the three credit bureaus – that bureau is required to notify the other two. A credit freeze, on the other hand, is stronger: it completely blocks new accounts from being opened in your name until you lift it. Unlike fraud alerts, you must contact each bureau individually to place a freeze. Both are free, and you can use them together. If you suspect your information may have been compromised but haven’t confirmed fraud yet, placing a fraud alert is a quick first step you can take in under five minutes while you work on freezing your credit at all three bureaus.
Monitor Your Credit with Free Tools
Once you’ve frozen your credit, the next step is to keep an eye on it. There are a couple of great (and free) ways to do this.
First, you’re entitled to a free credit report from each of the three major bureaus every year through AnnualCreditReport.com – the only federally authorized source for free credit reports. Reviewing these reports regularly can help you spot accounts or inquiries you don’t recognize.
Second, a free credit monitoring service like Credit Karma can be a helpful companion tool. Credit Karma allows you to check your credit scores and reports from TransUnion and Equifax on an ongoing basis, and it can alert you when new accounts are opened in your name, when there are hard inquiries on your report, or when your personal information appears in a data breach. The real value is the alert system – if someone manages to open a credit card or loan in your name, you’ll get a notification so you can take action immediately rather than discovering it months later. There are other similar services available as well (such as Experian’s free monitoring), so the key is to have some form of ongoing credit monitoring in place so you’re not flying blind.
Please note: The tools mentioned above are not affiliated with Clarity Financial, and we do not receive any compensation for mentioning them. We simply believe they are useful resources worth knowing about.
Cybersecurity
Cybersecurity is a practice that allows you to protect networks, devices, and data from unauthorized access or criminal use, as well as ensure that your private information remains confidential, retains integrity, and isn’t stolen or copied. Make cybersecurity a priority every day.
Two-Factor Authentication
I used to think this was just an extra hassle and waste of time, but now I realize how important this step can be.
Multi-factor authentication (sometimes called 2FA for two-factor authentication) is when you set up multiple ways to verify your identity when logging into sites like your email account. First, you have to type in your password; then, you have to verify your identity on another device, such as a smartphone, to confirm that it’s you trying to log in. In addition to this extra layer of protection, you will get notifications whenever someone tries to log into your accounts. If you get a notification of someone trying to log into your accounts and you didn’t authorize this activity, report it right away.
One important tip: whenever possible, use an authenticator app (such as Google Authenticator or Microsoft Authenticator) rather than relying on text message codes for your two-factor authentication. As my clients experienced firsthand, if a hacker gains control of your phone number through a SIM swap, text message codes become useless. Authenticator apps are tied to your physical device and are much harder for hackers to compromise.
Protect Yourself from SIM Swap Attacks
Remember the story about my clients at the beginning of this article? One of the most devastating parts of their experience was the SIM swap – when the hacker walked into their cell phone provider’s store, pretended to be them, and walked out with a new phone connected to their number. Once the hacker had control of their phone number, text message verification codes went straight to the hacker, and my clients were locked out of their own accounts.
The good news is that most major carriers now allow you to add a PIN or passcode to your account that must be provided before any changes can be made, including transferring your number to a new device. Contact your cell phone provider (Verizon, AT&T, T-Mobile, etc.) and ask them to add a SIM lock or account PIN. Some carriers also offer a “port freeze” or “number lock” feature that prevents your number from being transferred to another carrier without your authorization. This is a small step that can prevent a catastrophic chain of events, and it only takes a few minutes to set up.
Strong Passwords
Sometimes, the simplest thing can be the difference between good cybersecurity and a terrible mistake. A strong password is a good example.
Creating a strong password is one of the best things you can do to protect your online accounts. Be aware of password-stealing practices like credential stuffing or password spraying.
Credential stuffing is when bots test every username and password in their system to see if anything works. Password spraying is when they use common or known passwords that have appeared in a data breach to see if any of those passwords work with a particular email address.
Because of this, you should always use unique passwords for every site, and your passwords should have a combination of upper and lowercase letters, numbers, and special symbols. They should also be at least 12 characters long.
Can I Trust a Password Manager and Are They Secure?
If you’re thinking, “There is no way I can remember a unique, 12+ character password for every single website I use,” you are not alone. This is exactly where password managers come in.
A password manager is a tool that securely stores all of your passwords in an encrypted vault. You only need to remember one strong master password to access the vault, and the password manager handles the rest – generating strong, unique passwords for each of your accounts and auto-filling them when you log in. Popular options include 1Password, Bitwarden, and Dashlane, among others.
Are they secure? The short answer is yes – reputable password managers use strong encryption to protect your data, and they are significantly more secure than reusing passwords or writing them down. That said, no system is perfect, so here are a few best practices to use them safely: make sure your master password is strong and unique (and one you won’t forget), enable two-factor authentication on the password manager itself, and choose a well-established provider with a solid track record. The convenience and security benefits of a password manager far outweigh the risks of trying to manage dozens of passwords on your own.
Can Software Updates Protect My Identity from Hackers?
Yes! Emphatically! According to CISA, frequently updating the software on your laptop, smartphone, tablet, or any other device you may use to connect to the internet, is one of the most effective measures you can take to protect yourself and your information that lives on your digital devices, because these updates are the best defense against attackers exploiting patched vulnerabilities.
Monitor Your Financial Accounts Regularly
This one is simple but powerful: check your bank accounts, credit card statements, and investment accounts regularly. The sooner you spot an unauthorized transaction, the sooner you can act. Many banks and financial institutions offer real-time alerts for transactions over a certain amount, or for any activity at all – turn these on if you haven’t already. Even a small, unfamiliar charge can be a sign that someone is testing your account before making a larger withdrawal.
Be Cautious of Phishing Attempts
Phishing is when cybercriminals send emails, text messages, or even phone calls that appear to come from legitimate companies – your bank, the IRS, a delivery service, you name it – in an attempt to trick you into clicking a malicious link or giving up your personal information. These messages are getting more and more sophisticated, so here are a few things to keep in mind: never click on links in unsolicited emails or texts, always verify the sender’s email address carefully, and when in doubt, go directly to the company’s website by typing the address into your browser rather than clicking a link. If something feels off, or too good to be true, trust your gut.
Watch Out for AI-Powered Scams
Scammers are now using artificial intelligence to take phishing and fraud to an entirely new level. AI-generated emails can mimic the writing style and tone of people you know, making them far more convincing than the poorly worded scam emails we’re used to spotting. Even more alarming, “deepfake” voice technology can now clone someone’s voice from just a short audio clip – meaning you could receive a phone call that sounds exactly like your boss, a family member, or your bank, asking you to transfer money or share sensitive information.
So how do you protect yourself? If you get an unexpected call, text, or email asking you to take urgent action – especially involving money or personal information – pause and verify. Hang up and call the person back at a number you know is real. Don’t trust caller ID, as that can be spoofed too. If an email seems off, even if it looks like it came from someone you know, contact that person through a separate channel to confirm. The old rule still applies: if something feels rushed or too urgent, that’s often a red flag.
Be Careful on Public Wi-Fi
That free Wi-Fi at the coffee shop or airport is convenient, but it can also be a playground for hackers. Avoid logging into sensitive accounts – such as your bank, email, or investment accounts – while on public Wi-Fi. If you absolutely need to, consider using a VPN (Virtual Private Network) to encrypt your connection. A VPN creates a secure tunnel for your data, making it much harder for anyone on the same network to intercept your information.
If It’s Already Happened to You
If you discover that your identity has already been compromised, the most important thing is to act quickly. The Federal Trade Commission (FTC) provides a free, step-by-step resource at IdentityTheft.gov where you can report the theft and receive a personalized recovery plan. When you file a report, the site generates an official FTC Identity Theft Report, which serves as proof of the crime when you’re dealing with creditors, banks, and credit bureaus. The recovery plan walks you through contacting affected companies, disputing fraudulent charges, and even provides pre-filled letters and forms to make the process easier. It also tracks your progress so you can stay organized during what can be an overwhelming time.
Beyond reporting, here are the immediate steps you should take: place a fraud alert with one of the three credit bureaus (they’ll notify the other two), freeze your credit at all three bureaus if you haven’t already, review your credit reports for unauthorized activity, contact the fraud departments at any companies where you know fraudulent accounts were opened, and consider filing a police report – especially if you need documentation for insurance or legal purposes.
Other Types of Identity Theft to Be Aware Of
While we’ve focused primarily on financial identity theft in this article, there are several other forms worth knowing about:
Tax Identity Theft
This occurs when someone uses your Social Security number to file a fraudulent tax return and claim your refund. You may not discover it until you file your own return and the IRS rejects it because “you’ve already filed.” With tax season coming up, this is an especially timely reminder. If this happens to you, contact the IRS Identity Protection Specialized Unit immediately and file an Identity Theft Affidavit (IRS Form 14039).
Medical Identity Theft
Someone uses your health insurance information to receive medical care, prescriptions, or submit fraudulent claims. This can be particularly dangerous because it can corrupt your medical records with someone else’s information, potentially leading to incorrect treatments. Review your explanation of benefits (EOB) statements regularly and report any services you didn’t receive.
Child Identity Theft
Children are attractive targets for identity thieves because they have clean credit histories and the theft often goes undetected for years – sometimes until the child applies for their first job, student loan, or apartment. If you have children, consider checking whether they have a credit report (they shouldn’t unless someone has misused their information), and if you receive pre-approved credit offers in your child’s name, that may be a red flag worth investigating.
Final Thoughts and Your Identity Protection Checklist
In today’s digital world, everyone is a potential target for cybercriminals. By taking proactive steps, you can significantly reduce your risk. Remember, cybersecurity is not a one-time effort but an ongoing practice. Here is a checklist to help you get started:
- ☐ Freeze your credit at all three bureaus (Experian, TransUnion, and Equifax)
- ☐ Review your free annual credit reports at AnnualCreditReport.com and sign up for a credit monitoring service like Credit Karma for ongoing alerts
- ☐ Enable two-factor authentication on all important accounts (use an authenticator app when possible)
- ☐ Contact your cell phone carrier and add a SIM lock or account PIN to prevent SIM swap attacks
- ☐ Create strong, unique passwords for every account (at least 12 characters with a mix of letters, numbers, and symbols)
- ☐ Set up a password manager to keep track of your passwords securely
- ☐ Keep your software and devices up to date
- ☐ Monitor your bank, credit card, and investment account statements regularly
- ☐ Turn on real-time transaction alerts from your bank and credit card providers
- ☐ Be skeptical of unsolicited emails, texts, and phone calls – never click on suspicious links
- ☐ Be aware of AI-powered scams – verify unexpected calls or emails through a separate, trusted channel before taking action
- ☐ Avoid logging into sensitive accounts on public Wi-Fi (use a VPN if necessary)
- ☐ If you suspect identity theft, contact the police and file a report immediately
- ☐ Place a fraud alert with one of the three credit bureaus as an immediate first step if you suspect a breach
- ☐ If your identity has been stolen, report it at IdentityTheft.gov to get a personalized recovery plan from the FTC
- ☐ If you have children, check whether a credit report exists in their name (it shouldn’t) – pre-approved credit offers in a child’s name could be a red flag
As always, your financial security is our top priority. If you have any concerns about your accounts or need further advice on protecting your identity, don’t hesitate to reach out. Clarity Financial is here to help you navigate these challenges with confidence. Let’s do this!
If you want to talk further, schedule a complimentary Clarity Strategy Session here: https://calendly.com/clarityfinancialco/clarity-financial-strategy-session
Greg Jackson believes everybody deserves to have clarity within their lives – personally, professionally, and financially. Greg is a Financial Advisor at Clarity Financial, a division of Strategic Financial Concepts, serving clients in Broomfield, Colorado and the greater Denver-Boulder area. He can be reached at (303) 819-1869 or greg@clarityfinancialco.com.
Registered Representative and Investment Advisor Representative of and securities offered through OneAmerica Securities, Inc., a Registered Investment Advisor, Member FINRA, SIPC. Clarity Financial is not an affiliate of OneAmerica Securities and is not a broker dealer or Registered Investment Advisor.
Provided Content is for overview and informational purposes only and is not intended and should not be relied upon as individualized tax, legal, fiduciary, or investment advice. Neither the OneAmerica Securities, Clarity Financial, nor their representatives provide tax or legal advice. For answers to specific questions and before making any decisions, please consult a qualified attorney or tax advisor.
Sources
https://www.usa.gov/credit-freeze
https://www.cisa.gov/news-events/news/understanding-patches-and-software-updates
https://www.experian.com/help/credit-freeze/
https://www.transunion.com/credit-freeze
https://www.equifax.com/personal/credit-report-services/credit-freeze/
https://www.creditkarma.com/
https://www.annualcreditreport.com/
https://www.identitytheft.gov/
https://consumer.ftc.gov/articles/credit-freezes-and-fraud-alerts
