My husband was reviewing our bank records recently when he turned to me and asked, "Did you withdraw money from the checking account on Sunday morning?"
"Why do you ask?" I said.
I had not withdrawn money for a few days, but an unusually large withdrawal had been made over Columbus Day weekend—in another city.
We quickly realized that my debit card account had been hacked, even though I still had the card in my possession.
Several weeks later, I'm deep into the process of getting the fraud resolved, and it hasn't been easy.
What it's like to have your bank account info stolen
In the days following my incident, I had to file a police report, visit my local bank branch managers and reach out to LifeLock, an identity theft monitoring service I subscribe to.
The most shocking part of the experience was how little help I received from my bank. I've always had great relationships with the bankers at my local branch, so I expected the same level of service from the parent company, too.
Instead, the bank sent me a letter the day after the charge posted, saying that no fraud had occurred. Why? Because there had not been any incorrect attempts when my PIN was entered.
Obviously, I'm not the first person whose PIN has been stolen, and it's not difficult for criminals to use your information once they have it.
A criminal that gets hold of even basic information, such as your name, birth date, Social Security number and address can steal your identity, open credit card accounts in your name and even claim your tax return. It can take years to resolve situations like this.
With fraudsters getting more sophisticated, how to prevent identity theft should be top of mind for anyone who shares sensitive information online. But as I discovered, there's no foolproof way. If you make digital payments or use debit or credit cards, you are entrusting your personal details to the companies with which you do business.
Even multimillion-dollar corporations with sizable cybersecurity budgets get breached regularly. In fact, 41 million Americans have experienced identity theft, according to a 2016 survey by Bankrate. And in the wake of the 2017 Equifax data breach, nearly 142 million more people had their personal information leaked—making them likely targets of identity theft in the future.
But that doesn't mean you can't decrease your chances of being scammed. "Usually, it's important for consumers to watch their own backs," said Jonathan Broche, founder of Leap Security in Miami.
How to prevent identity theft online
Preventing identity theft is about creating obstacles that make it harder for criminals to breach your identity in the first place. Here are some ideas on how to protect yourself from identity theft.
Use a password manager
Too many of us fall into the trap of using the same password for multiple accounts because it's easy to remember. This is especially risky when the password you use for sensitive accounts, such as your bank account, is also used on another website or email account with less stringent security.
Another mistake is using a predictable password, such as a birthday or a common word. To protect yourself online, choose a long password that has combination of capital and lowercase letters, numbers and symbols. It shouldn't follow a predictable pattern or word. While this makes it harder for you to remember (which is a good thing), password managers make this easy.
- Dashlane: You can use this free site to secure your passwords, protect them and access them when you need them.
- KeePass: Use this free open-source password generator to manage your passwords securely. It lets you store them in a database locked with a master key file.
- LastPass: This is a password generator, manager and vault. It is available for free, with a premium version for $2 and a family version for $4.
- 1Password: If you can't keep all of your passwords straight, you'll appreciate the simplicity 1Password brings, enabling you to use a single password and access all of your other passwords by using its search tool.
If you opt not to use a password manager, then you need to be especially conscientious of the passwords you assign to each account. "All of your passwords should be different," said Broche.
You should also avoid behaviors that would make it easier for a crook to use a stolen password. "The best way to do it is to not advertise your personally identifiable information online," said Braden Perry, a regulatory and government investigations attorney with Kansas City-based Kennyhertz Perry, LLC. That includes your phone number, address and information about your vacation travels. The more a criminal knows about your identity, the easier it will be for them to pose as you and access your accounts.
Be careful where you sign on
With the emergence of online banking, location sharing and IoT products, such as Amazon Alexa, a lot of sensitive information is up for grabs if a hacker gains access to your devices over Wi-Fi. Signing on to an unsecured network or website can make you an easy target. Fortunately, there are ways to prevent identity theft.
Use a Strong Wi-Fi password. Make sure your home's Wi-Fi connection is secured with a complex password. It should never be the same word you used to name your Wi-Fi connection, your address or any other logical word that would be easy to guess.
Be cautious on wireless hotspots. Take care when accessing sensitive accounts while on public networks. Your favorite coffee shop might be a great place to do homework or surf the web, but since anybody can join that network, the information you send and receive is easier to intercept. Check the upper left corner of your browser to make sure the site you're on is secured. In Google Chrome, there will be an s at the end of "https," at the beginning of the URL, and to the left of the search bar, the word "Secure" will be listed next to a green padlock icon. In Apple Safari, there will just be a gray padlock. If these are present, the site you're on is encrypted and others on the network can't access your information.
Use your powers of observation. Regardless of what network you're on, make sure you look carefully at any site you're logging into, including familiar ones, to make sure it's the real deal. It's not uncommon for criminals to create a copycat site with a slightly altered URL. Look for the same security signals mentioned in the last tip, and check to make sure the URL you're visiting is spelled correctly—especially if you reached that page through an external link posted on a different site.
The same goes for accessing your bank account in the real world. If you're withdrawing cash from an ATM, check to make sure criminals haven't installed false devices to capture your information. "Flicker your nails over the [edge of the] keyboard to make sure it is not a skimmer," Broche said. And before you slide your card into the scanner, pull on it gently. "If plastic comes out, it is a skimmer," he said.
Avoid suspicious links and windows
If you ever receive an unsolicited email that contains suspicious links, don't click them. Clicking those links could download malware onto your computer that will harvest your information. This can also occur on scammy websites—a pop-up window will open in your browser that prompts you to update software. Scrutinize these pop-ups carefully to make sure they're coming from a legitimate company, such as Adobe or Apple, and not from a rogue website.
Install an antivirus program
If you do end up with malware on your computer, a great antivirus program can be your best friend. It can help identify and quarantine these programs so you can remove them from your computer. Some of the most popular free antivirus programs include Avast and AVG, both of which have been Editors' Choice winners at PC Magazine. The highest-rated paid antivirus programs on the magazine's 2018 list are Webroot SecureAnywhere AntiVirus ($18.99) and Kaspersky Anti-Virus ($29.99). Paid programs offer features that free programs generally don't include, such as password management, mobile security, and identity and privacy protection.
Bear in mind that PCs and Apple computers have different risk profiles when it comes to malware. For a long time, there were fewer viruses that target the Mac operating system. That said, many Mac users have been taken by surprise by viruses, such as Trojan horses, in recent years. When shopping for an antivirus program, make sure to pick one that is designed for the type of computer you use (the provider's website should tell you).
Always keep your browser up to date
The browser updates can help you avoid security vulnerabilities. For example, Mozilla recently updated Firefox 63 to block third-party trackers and protect your privacy online. It also unveiled a new service to alert you if your data has been breached.
Avoid giving away your email address
It's the job of businesses to get customers' email addresses. Once they have access to your inbox, they can market to you as much as they'd like. That's why they use every possible chance to request your email address. "Anytime I go to the grocery store, they ask, 'Do you want to join a sweepstakes to watch the Miami Dolphins?" said Broche.
"When you enter that information, they harvest it," said Broche. But when you give away your email address, you don't really know how it will be used or if it's safe.
Even if a merchant guards your email address carefully, hackers could potentially get to it. One way to reduce this risk is to create an email address you use solely for company sign-ups. That way, if it is breached or misused, hackers won't have access to all of your communications.
How to respond to the threat of identity theft
While protecting yourself online is a crucial first step in preventing identity theft from happening, it's not enough. You should also proactively monitor your credit and learn about the identity theft tools available to you, so that you'll know when and how to respond to identity theft.
1. Monitor suspicious account activity
Some people never check their banking or credit card statements. Routinely doing so to catch suspicious charges is an important way to monitor fraud. Create a regular routine where you log on regularly to check your accounts.
2. Watch for changes to your credit report
Periodically check your credit report for any suspicious changes. You can get one free credit report every 12 months from each of the three major credit bureaus—Experian, Equifax and TransUnion.
If you notice a new account or debt that you don't recognize, you should take action immediately. Notify the card issuer so it can cancel your card number and issue a new one. Also consider notifying one of the three credit bureaus, so you can put a fraud alert on your account. If you contact one of the bureaus, they must notify the other ones.
Many credit card companies, such as Discover or Capital One, offer free credit reporting and alerts if something seems suspicious, so familiarize yourself with the offerings of your card by calling the number on the back. When choosing new cards, look for one with "zero liability," meaning a guarantee that you will not be held responsible for unauthorized charges made with your account or account information.
If you don't want to monitor your credit report yourself, you can also subscribe to an identity theft protection service, such as LifeLock, Equifax ID Patrol and IdentityForce. I was relieved to find out from LifeLock that it offers legal help if your bank does not help. It also replaces stolen funds up to $1 million, depending on your plan.
3. Check to see if you already have identity theft protection
It's not uncommon for credit card companies or homeowners insurance companies to provide identity theft protection. But sometimes this protection needs to be added as an optional rider. Review your policy's coverage or contact your credit card company or insurance agent to see if you're covered. This type of insurance won't alert you to fraud but will reimburse you for it, up to a certain amount.
4. Encrypt your email
If you're a business owner and you regularly share sensitive information over email, consider using an email encryption service. ProtonMail, a free service based in Switzerland, does just this, and it was chosen as the best secure email service for 2018 by Lifewire. Hushmail, another email encryption service, allows you to send encrypted messages to both users and nonusers. Currently, you can try it free for two weeks, and after that it costs $49.98. One benefit of paid services is they sometimes offer more storage than free programs.
"Any lawyer that works in identity theft or any security expert would recommend proactive identity theft monitoring services," said Perry. "The sooner you can address an identity theft issue, the less damage will occur."