The rise of malware and ransomware is frightening for consumers, but the truth is you are your own best identity theft protection.
It seems like no matter where you look, you’ll find headlines about critical infrastructure being shut down by ransomware. George Kurtz, CEO of cybersecurity firm CrowdStrike (CRWD), recently told Yahoo Finance, “Ransomware is going crazy right now. What we’ve seen at CrowdStrike, is … almost 50 attacks per week, targeted attacks. And it’s only getting worse.” If private companies and governmental agencies seem powerless to prevent these attacks, what chance do consumers have? The good news, at least on that front, is that you won’t face the same kind of targeted attacks, and the way you respond to hacking attempts is actually your best identity theft protection.
Most individual web users will not face the same kind of technical attacks as large companies and organizations. Individual users are far more likely to be victims of “phishing,” which is an attack that relies more on social engineering than on actual technical exploitation. Per Frontiers in Computer Science, phishing (in which email, text, voice, or web contacts are used to gather personal data) represents 90% of all online attacks and 95% of the successful attacks are the result of human error.
The same article addresses a wide variety of technical tools, such as security software and email spam filters, but also recommends education to ensure you have the best identity theft protection. With that in mind, we’ve put together five rules to follow to be your own best identity theft protection.
5 Rules for Being Your Own Best Identity Theft Protection
Rule 1: Slow Down
One common theme cited in most phishing attempts is urgency. You’ll frequently see words like “emergency, urgent, immediate, critical, impending” and the like. That’s intentional. The Frontiers article mentioned above highlights that stress is a big predictor of whether a user will fall victim to a phishing attack. If you receive a text, email, or social media message demanding immediate contact, slow down. Does the link look authentic? Links with long strings of characters, misspellings, or unexpected prefixes (the article mentions a successful hack that used translate.google.com to convey a sense of authenticity to otherwise fraudulent websites) are your first clue that the contact may not be authentic.
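The three link clues above can also be checked mechanically, for example in a mail filter or a browser helper. The Python sketch below is an added example, not part of the original article; the trusted-site list, the thresholds, the two-label domain shortcut, and all sample URLs are constructed assumptions.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit, parse_qsl

# Constructed allow-list: sites this user actually does business with.
TRUSTED = {"mybank.example", "google.com"}

def registered_domain(host):
    # Simplification: last two labels. Real code should use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def link_warnings(url, trusted=TRUSTED, max_token=30):
    """Return human-readable warnings for the three clues named in Rule 1."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    domain = registered_domain(host)
    warnings = []

    # Clue 1: long strings of characters in the path or query.
    tokens = parts.path.split("/") + [v for _, v in parse_qsl(parts.query)]
    if any(len(t) > max_token and not t.startswith("http") for t in tokens):
        warnings.append("long opaque string in link")

    # Clue 2: misspelling of a trusted domain (close to it, but not equal).
    for good in trusted:
        ratio = SequenceMatcher(None, domain, good).ratio()
        if domain != good and ratio >= 0.8:
            warnings.append(f"'{domain}' looks like a misspelling of '{good}'")

    # Clue 3a: a trusted name used as a prefix of some other site's hostname.
    if domain not in trusted:
        for good in trusted:
            if host.startswith(good + ".") or ("." + good + ".") in host:
                warnings.append(f"'{good}' is only a prefix; real site is '{domain}'")

    # Clue 3b: a trusted front (e.g. a translation service) wrapping another URL.
    for _, value in parse_qsl(parts.query):
        if value.startswith(("http://", "https://")):
            inner = registered_domain(urlsplit(value).hostname or "")
            if inner != domain:
                warnings.append(f"link forwards to a different site: '{inner}'")
    return warnings
```

An empty list means none of the three clues fired; it does not prove the link is safe, so the advice to slow down still applies.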
If you’ve clicked a link or responded to a text and find yourself in contact with somebody purporting to be “technical support,” slow down. Real technical support representatives won’t rush you and would be perfectly happy to provide a reference number or accept a call back via a trusted number.
Rule 2: Make Contact on Your Terms
Most phishing attempts rely on the appearance of authenticity. Scammers trust that you’ll believe they’re with a software company, trusted website or financial institution. If you’ve received a link or a request to contact Microsoft support or your bank that you’re unsure about, don’t follow that link. Instead, find a trusted phone number (on the back of your credit or debit card for your bank, or on a company homepage for many software providers) and initiate contact on your own terms. If you really do need to resolve an issue of some sort, customer service agents through a trusted, proactive contact will be able to identify it.
Rule 3: Change Passwords
If you believe any of your information has been compromised, either because you provided it to someone you believed to be technical support or because you downloaded software and entered login credentials, you need to change passwords where appropriate. If you clicked a link or downloaded software, you’ll first need to run antivirus and anti-malware software. Malwarebytes, CrowdStrike, McAfee, and Norton are all good options that offer free or affordable scanning software. After you’ve ensured that your computer is malware-free, change any potentially compromised passwords. Adding two-factor authentication (2FA) is always helpful, as it can prevent logins and password changes from new computers.
Typically, with 2FA you’ll provide a phone number where you can receive an authentication code via text.
Rule 4: Review Account Activity
If you’re concerned that you may have disclosed banking or financial information due to a phishing attack, you’ll want to monitor your account activity and be on the lookout for unexpected charges. If you see any unexpected activity, contact your financial company immediately. You may face the inconvenience of waiting for new cards or even setting up a new account, but it’s far better than losing money to fraud. You also may want to consider using credit monitoring services to ensure that your information is not used to create new accounts.
Rule 5: Never Buy Gift Cards
If you’ve done your best to follow the tips above but still find yourself talking with a service agent who is requesting payment via gift card, stop immediately. Gift cards are popular with scammers because once you’ve purchased them, they’re essentially untraceable. Plus, if you’ve gone out and purchased a gift card, you have little recourse with your bank because the purchase itself is not fraudulent. If you find yourself in this situation, end your contact and immediately go through the previous steps on this list.
One final note: scammers may attempt to use older victims’ age against them by calling and pretending to be a younger relative like a nephew, niece, or grandchild. If you receive a call from someone acting like a family member and requesting help getting out of trouble (like being arrested in another country and being too ashamed to go to their own parents), ask other family members if that person is traveling or may actually need assistance before taking any steps to move money. Scammers use embarrassment as a tool, but an uncomfortable conversation is better than the feeling of being “had” by a scammer.
How do you protect yourself from identity theft?
*This post has been updated from a version published in 2021.