How to Reduce Your Risk of Identity Theft


1. Types of identity theft

There are two primary types of identity theft:

  • "Existing account fraud" or "account takeover fraud" occurs when a thief acquires your credit or debit card information and purchases products and services using either the actual card or the account number and expiration date.  Victims may not learn of account takeover until they receive their monthly account statement.
  • "New account fraud" or "application fraud" occurs when a thief uses your SSN and other identifying information to open new accounts in your name. Victims are not likely to learn of application fraud for some time, because the monthly account statements are mailed to an address used by the imposter.

This guide discusses strategies for reducing the risk of both types of fraud.

2.  How identity thieves obtain your personal information

Identity thieves obtain your personal information in many ways:

  • Data breaches in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so.
  • "Dumpster diving" in trash bins for intact credit card and loan applications and documents containing SSNs.
  • Stealing wallets and purses.
  • Stealing mail from unlocked mailboxes to obtain newly issued credit cards, bank and credit card statements, pre-approved credit offers, investment reports, insurance statements, benefits documents, or tax information.
  • Accessing your credit report fraudulently, for example, by posing as an employer, loan officer, or landlord.
  • Obtaining names and SSNs from personnel or customer files in the workplace.
  • "Shoulder surfing" at ATM machines in order to capture PIN numbers.
  • "Skimming" your credit or debit card information at a point of sale terminal or ATM machine.
  • Finding identifying information about you online.
  • Sending official-looking email messages asking you to visit a website to confirm account information. This is called "phishing."
  • Hacking into databases of financial institutions, retailers, and credit card processing companies.

3. How to reduce your risk of identity theft

While you cannot always prevent identity theft, you can reduce your risk by being proactive:

a. Credit and debit cards

  • Limit the number of credit and debit cards you carry with you. We recommend that you do not use debit cards because of the potential for losses to your checking account. Instead, carry one or two credit cards and an ATM card in your wallet.  If you do use debit cards, monitor your account activity frequently. Report evidence of fraud to your financial institution immediately. Learn more about the risks associated with debit cards.
  • Be vigilant when using your credit and debit cards at restaurants and stores.  Dishonest employees have been known to use small hand-held devices called skimmers to capture your card data. The thief then uses the account data for online shopping and/or the creation of cloned cards.  Likewise, examine point of sale devices and ATM machines for possible tampering.
  • Never give out your SSN, credit or debit card number or other personal information over the phone, by mail, or online unless you have a trusted business relationship with the company and you have initiated the call.

b. Credit reports

  • Order your credit reports at least once a year. Federal law gives you the right to one free credit report each year from the three credit bureaus: Equifax, Experian, and TransUnion. How to order your free annual credit report:
  • Place a security freeze on your credit files at the credit bureaus (Equifax, Experian, and TransUnion) at no cost. With a freeze in place, you can prevent new creditors (such as a credit card company or lender) from seeing your credit reports. The freeze prevents fraudulent new accounts because new creditors are not able to check your credit report. Requests for access to your credit file will be denied. Most creditors will not issue new credit if they cannot see the consumer's credit report. For the freeze to be fully effective, you must request it separately from each of the three major credit reporting agencies. The websites of each of the credit reporting agencies provide instructions for placing a security freeze:
  • If you want to apply for new credit, you can remove a security freeze temporarily. You can also permanently remove a freeze. A security freeze does not apply to credit checks for:
      • Employment or background screening purposes
      • Tenant screening
      • Insurance underwriting
      • Identity verification purposes

Security freezes will not impact your credit score or your relationship with your existing creditors.  Any existing creditor can continue to see your credit reports in order to periodically review your account.  A security freeze cannot stop misuse of your existing bank or credit accounts. You still must check your accounts for any errors or fraudulent activity.

Security freezes should not be confused with credit locks. Credit bureaus often encourage consumers to use a credit lock rather than a security freeze. While a security freeze provides protection that is governed by law, locks are governed by your contractual agreement with each credit bureau. Having a contractual agreement is not as good as having protections under law. For example, the contract may include provisions that you may be better off not agreeing to, such as an arbitration agreement.

Many companies, including the three credit bureaus, offer credit monitoring services for an annual or monthly fee. They will notify you when there is any activity on your credit report, thus alerting you to possible fraud.  We do not endorse credit monitoring services because we believe that individuals should not have to pay a fee to track their credit. If you decide to subscribe, be sure to choose a service that monitors all three credit reports on an ongoing basis.  A security freeze (above) is a much better alternative for many individuals.

c. Passwords and PINs

  • When creating passwords and PINs (personal identification numbers), do not use the last four digits of your Social Security number, your mother's maiden name, your birth date, middle name, pet's name, consecutive numbers or anything else that could easily be discovered by thieves. It's best to create long and complex passwords that combine upper and lower case letters, special characters and numbers.
  • Ask your financial institutions to add extra security protection to your account. Many will allow you to use an additional code or password (a number or word) when accessing your account. Do not use your mother's maiden name, SSN, or date of birth, as these are easily obtained by identity thieves. If asked to create a reminder question, do not use one that is easily answered by others or one that might be ascertained from social networks such as Facebook.
  • Memorize your passwords. Consider using a password manager if you can't remember all of your passwords.  Never reuse passwords.  Each account should have a unique and complex password.

d. Social Security numbers

  • Protect your Social Security number (SSN). Provide it only when absolutely necessary (like tax forms, employment records, most banking, stock and property transactions). The SSN is the key to your credit and banking accounts and is the prime target of criminals.
  • If a business requests your SSN, ask if it has an alternative number that can be used instead. Speak to a manager or supervisor if your request is not honored. Ask to see the company's written policy on SSNs. If necessary, take your business elsewhere. If the SSN is requested by a government agency, look for the Privacy Act notice. This will tell you if your SSN is required, what will be done with it, and what happens if you refuse to provide it.
  • Don't carry your SSN card with you except when it is required (for example, on the first day on the job).

e. Responsible information handling

  • Each month, carefully review your credit card, bank and phone statements for unauthorized use.
  • Do not toss pre-approved credit offers in your trash or recycling bin without first tearing them into very small pieces or shredding them with a cross-cut shredder. They can be used by "dumpster divers" to order credit cards in your name and mail them to their address. Do the same with other sensitive information like credit card receipts, phone bills, bank account statements, investment account reports, and so on.
  • Store sensitive personal information (including checkbooks) securely in your home, especially if you have roommates, employ outside help, or have service work done in your home. Use a locking file cabinet or safe.