There I was, minding my business on a subway platform waiting for a train, when I got a text alert from my credit card company. Someone was trying to charge me $220 for Uber rides I never took. Three days later there was a similar alert about my debit card. An enterprising crook was hitting up gas station ATMs 400 miles away. In both cases I quickly contacted the bank, flagged the charges as fraudulent and requested new cards. Aside from the hassle of updating all my automated bill payments, it was no big deal.
I was lucky. Typically, financial fraud is the easiest form of identity theft to deal with, because most major banks have set procedures and protocols in place, provided you contact them quickly. Victims of other types of digital wrongdoing may not be as fortunate. In 2017 nearly 17 million people in the U.S. had their identities stolen, netting criminals a whopping $16.8 billion, according to experts at Javelin Strategy & Research. More than a million of those victims were children, whose unsullied credit histories are especially valuable to thieves. Nearly 20% of identity theft complaints impacted Americans 60 or older, because seniors tend to have more assets than most and are often easy prey for scammers.
The consequences are often far worse than needing to order new cards, says Eva Velasquez, CEO and president of the Identity Theft Resource Center. Someone can open new accounts in your name and destroy your credit, making it impossible to pass a background check to land a job or rent an apartment. And if someone steals your medical records, it can literally be life threatening. Thieves can use personal health information to file bogus insurance claims, obtain treatments for themselves and even blackmail victims by threatening to expose embarrassing conditions. If a crook’s medical history gets mixed up with yours, the results could be catastrophic: Imagine being wheeled unconscious into the emergency room and the attending physician accessing an electronic medical record with the wrong blood type or allergy info.
There are many ways for bad guys to steal your identity, but the simplest is to buy it on the Internet. Over the last three years some 15 billion records have been exposed, fueling a thriving black market in stolen social security numbers, credit cards, email addresses and more. “Unless you’ve been living on a deserted island in the middle of the ocean, your info has undoubtedly been compromised in one or more data breaches,” says Paul Stephens, director of policy and advocacy for the Privacy Rights Clearinghouse (PRC).
Bottom line: The likelihood is that your identity is already out there. It’s only a matter of time before criminals access it in ways that benefit them and harm you. Protecting yourself is key.
Illustration by Julie Houts
1. Monitor your credit.
You can go either of two ways: the expensive way or the (much thriftier) DIY way.
Dozens of identity and credit monitoring services exist, some more reputable than others. They’ll cost anywhere from $100 to $300 a year for legwork you can do yourself, as long as you’re diligent and methodical. If you choose to go this route, start with a round of robust Googling. Avoid any services that have been fined by regulators or have settled class-action lawsuits, and make sure you pick one that specifically offers real-time alerts. As a wallet-wise workaround, know that Credit Karma and Credit Sesame offer many of the same monitoring services for free, provided you put up with their ads for loans.
By law, you’re entitled to order a free copy of your credit report every 12 months from Experian, Equifax and TransUnion. Be sure to order it only via Annualcreditreport.com, not similarly named sites that offer credit reports for a fee. Request a new credit report every four months from one of the big three agencies, scan it for accounts that look unfamiliar and file a dispute if you find any. While you’re at it, request a credit report for your kids. The agency should tell you it can’t find one. If your 14-year-old already has a credit history, that’s probably a big red flag.
2. Freeze your credit.
Experts agree that the best thing you can do is put a security freeze on your credit report. Thanks to a new federal law starting this fall, it’s free for all consumers in every state. You’ll have to contact all three agencies and you may have to submit a bunch of documents. But no one—including you!—will be able to open a new credit account in your name until you “thaw” the report. This is an especially good option for seniors, who are less likely to need new loans. And it’s a good way to protect your kids under 16, though that’s more of an ordeal. First you’ll have to create a report, then freeze it.
But a credit freeze only stops new accounts from being created; it does not stop existing accounts from being abused. That’s why Neal O’Farrell, CEO of the Identity Theft Council, takes a slightly different approach. “I freeze two reports and monitor the third,” he says. “That way, if someone is trying to steal my identity, I’m
going to get that warning. When you freeze all three, you won’t know what they’re trying to do until it’s too late.”
3. Set up bank alerts.
Most major banks let you set up alerts that send you a text or an email for any transaction above a specified amount. Take advantage by setting them up for the lowest possible amount. Yes, your phone will get pinged a lot. But you’ll find out immediately if someone’s trying to buy a Maserati with your Mastercard.
4. Reach for credit cards instead of debit cards.
The reason? Rules for credit card fraud are a lot more consumer-friendly. Legally, you are only liable for the first $50 of any bogus charge, and most banks waive that. With debit card fraud you may have to jump through more hoops when filing a claim, and if you notify your bank more than two business days after learning about the theft, your liability limit can skyrocket to $500 or more.
Tip: Don’t share too much on any social media channels. Scammers know how to use those details to impersonate you quite capably.
5. Check your health insurance statements.
Carefully pore over any Explanation of Benefits statements from your insurance company. If you see unfamiliar procedures or pharmaceuticals on your EOB, there’s a good chance someone is abusing your personal health info. You should also request medical records from all your health care providers, suggests PRC’s Stephens, to check that they jibe with health care you have personally consumed.
6. Use a password manager.
Identity theft often occurs because people choose brain-dead passwords (like “password” or “123456”) or recycle the same ones on multiple sites. Once thieves crack your password, they’ll leap to try it on all your other accounts, starting with email—and if they access your inbox, they can then intercept password change links for all your other accounts, like your bank. You are then officially hosed. The easiest fix is to install software that remembers your passwords so you don’t have to. (Reminder: There are no circumstances under which it’s OK to jot passwords on sticky notes.) Apps like 1Password, Dashlane or LastPass can also generate hard-to-hack passwords and even alert you when your old passwords have been breached. Prices range from free (for a limited version) to $60 per year for full family protection.
7. Be smarter online.
A lot of identity theft results from individuals simply letting their guard down, according to O’Farrell. “People freeze their credit and then get complacent,” he says. “They get sloppy about passwords, what they download and how often they check their credit reports. They treat that freeze like a cloak of invisibility. It’s not.”
The solution? Be smart. Don’t share too much on social media; scammers can use that info to impersonate you or your friends. Never click on links inside email messages; instead, always type the web address into your browser. That way you won’t fall victim to phishing emails that steal account log-ins or infect your computer. The same rule goes for email attachments: If you didn’t ask for it, don’t open it. In other words, channel O’Farrell’s advice: “Be paranoid.”
Your identity was stolen. Now what?
A clever criminal has ruined your good name with creditors, insurance companies or your employer. First, don’t panic. You’re in fine company, unfortunately—38% of Americans have been or know someone who has been a victim of identity theft, according to a 2016 survey by Bankrate. The good news: There are many online and real-world resources waiting to assist you.
Call an expert.
The Identity Theft Resource Center offers a toll-free victim support hotline.
File a report with the FTC.
IdentityTheft.gov will take your information and create a personalized recovery plan, depending on the type of fraud involved.
Issue a fraud alert.
Reach out to one of the big three credit reporting agencies. Starting this fall, that contact will trigger an alert to the other two to put a year-long hold on any new account activity.
Sponsored by AARP
In today’s digital world, keeping password and Wi-Fi security top of mind makes sense—both are essential for safeguarding your identity. But it’s equally key to remember lower-tech best practices for thwarting crooks, says AARP fraud expert Kathy Stokes. Follow her sensible advice.
Lock your mailbox so thieves can’t steal mail containing personal information or pre-approved credit card offers. If your mailbox doesn’t have a lock, strongly consider replacing it with one that does.
Shred any papers that contain personal info before recycling. Use a micro-cut shredder, the kind that cuts paper into confetti-like bits. (You should be able to find one for under $50.)
Never, ever leave your wallet, laptop or mobile phone unattended in your car, even briefly.
Use a gel pen to write paper checks. Mail thieves know how to wash off ballpoint ink so they can rewrite checks for higher amounts.
Never give out personal information over the phone or Internet unless you personally initiated the contact. Go to aarp.org/fraud for more helpful tips.