Fact Sheet 17:
How to Reduce Your Risk of Identity Theft
Send to Printer
Privacy Rights Clearinghouse
Using a variety of methods, criminals steal Social Security numbers (SSNs), driver's licenses, credit and debit card numbers, and other pieces of individuals' identities such as date of birth. They use this information to impersonate their victims, spending as much money as they can in as short a time as possible before moving on to someone else's name and identifying information.
There are two types of identity theft:
- "Existing account fraud" or "account takeover fraud" occurs when a thief acquires your credit or debit card information and purchases products and services using either the actual card, a counterfeit card, or the account number and expiration date. Victims may not learn of account takeover until they receive their monthly account statement.
- "New account fraud" or "application fraud" occurs when a thief uses your SSN and other identifying information to open new accounts in your name. Victims are not likely to learn of application fraud for some time, because the monthly account statements are mailed to an address used by the imposter.
This guide discusses strategies for reducing the risk of both types of fraud.
Generally, victims of credit card fraud are liable for no more than the first $50 of the loss. In most cases, the victim will not be required to pay any part of the loss. But debit card users have less protection against fraud. Not only are individuals' checking accounts wiped out, debit card users could be liable for the total amount of the loss depending on how quickly they report the loss to the financial institution.
Even though victims are usually not saddled with paying their imposters' bills, they are often left with a bad credit report and must spend months and even years regaining their financial health. In the meantime, they have difficulty getting credit, obtaining loans, renting apartments, and even getting hired. Victims of identity theft find limited help from the authorities as they attempt to untangle the web of deception that has allowed another person to impersonate them.
Identity thieves obtain SSNs, driver's licenses, credit card numbers and other pieces of identification through a variety of means:
- Sending email messages that look like they are from your bank or credit card company, asking you to visit a web site that looks official in order to obtain account information. This is called "phishing."
- Hacking into data files of financial institutions, retailers, and credit card transaction processing companies.
- Accessing unsecured websites that contain sensitive personal information such as Social Security numbers and financial account numbers.
- "Dumpster diving" in trash bins for unshredded credit card and loan applications and documents containing SSNs.
- Stealing wallets and purses.
- Stealing mail from unlocked mailboxes to obtain newly issued credit cards, bank and credit card statements, pre-approved credit offers, investment reports, insurance statements, benefits documents, or tax information.
- Accessing your credit report fraudulently, for example, by posing as an employer, loan officer, or landlord.
- Obtaining names and SSNs from personnel or customer files in the workplace.
- "Shoulder surfing" at ATM machines in order to capture PIN numbers.
- "Skimming" your credit or debit card information at a point of sale terminal or ATM machine.
You cannot prevent identity theft. But you can reduce your risk of fraud by following the tips in this guide.
- Reduce the number of credit and debit cards you carry in your wallet.
- We recommend that you do not use debit cards because of the potential for losses to your checking account. Instead, carry one or two credit cards and your ATM card in your wallet. Nonetheless, debit cards are popular. If you do use them, take advantage of online access to your bank account to monitor account activity frequently. Report evidence of fraud to your financial institution immediately. Read more about the dangers of debit cards on our site.
- Do not use debit cards at all when shopping online. Use a credit card because you are better protected in case of fraud.
- When using your credit and debit cards at restaurants and stores, pay close attention to how the magnetic stripe information is swiped by the waiter or clerk. Dishonest employees have been known to use small hand-held devices called skimmers to quickly swipe the card and then later download the account number data onto a personal computer. The thief uses the account data for Internet shopping and/or the creation of counterfeit cards. Likewise, examine point-of-sale devices and ATM machines for tampering.
- Keep a list or photocopy of all your credit cards, debit cards, bank accounts, and investments -- the account numbers, expiration dates and telephone numbers of the customer service and fraud departments -- in a secure place (not your wallet or purse) so you can quickly contact these companies in case your credit cards have been stolen or accounts are being used fraudulently.
- Never give out your SSN, credit or debit card number or other personal information over the phone, by mail, or on the Internet unless you have a trusted business relationship with the company and you have initiated the call.
- Always take credit card receipts with you. Never toss them in a public trash container. When shopping, put receipts in your wallet rather than in the shopping bag.
- Never permit your credit card number to be written onto your checks. It's a violation of California law (Civil Code sec. 1725) and laws in many other states, and puts you at risk for fraud.
- Watch the mail when you expect a new or reissued credit card to arrive. Contact the issuer if the card does not arrive.
- Order your credit report at least once a year. Federal law gives you the right to one free credit report each year from the three credit bureaus: Equifax, Experian, and TransUnion. If you are a victim of identity theft, your credit report will contain the tell-tale signs – inquiries that were not generated by you, as well as credit accounts that you did not open. The earlier you detect fraud, the easier and quicker it will be to clean up your credit files and regain your financial health.
We recommend that you stagger your requests and obtain one report each four months. That way, you can monitor your credit reports on an ongoing basis. But if you are in the market for credit or are a victim of identity theft, order all three at one time. The FTC’s website provides useful information on your free credit reports.
How to order your free annual credit report:
- Residents of seven states can obtain additional free annual credit reports under state law. These states are: Colorado, Maine, Massachusetts, Maryland, New Jersey, Vermont, and Georgia (two free reports per year in Georgia). If you live in one of these states, be sure to order both your free reports under federal law as well as state law each year – enabling you to even more effectively monitor your credit files on an ongoing basis.
- Individuals nationwide are able to "freeze" their credit reports with Equifax, Experian, and TransUnion. By freezing your credit reports, you can prevent credit issuers from accessing your credit files except when you give permission. This effectively prevents thieves from opening up new credit card and loan accounts. In most states, security freezes are available at no charge to identity theft victims and for a relatively small fee for non-victims.
- The California Department of Justice’s Privacy Enforcement and Protection Unit provides a guide on security freezes for Californians.
- For other states, see the Consumers Union guide.
- Brian Krebs' post How I Learned to Stop Worrying and Embrace the Security Freeze is a primer on what you can do to avoid becoming a victim of identity theft.
While a security freeze may be the best available deterrent to new account fraud, it may not be the best solution for everyone. It can be cumbersome for individuals who frequently apply for credit, are contemplating a new mortgage, or who plan to change jobs.
On the other hand, a security freeze is particularly well-suited for seniors who are no longer in the market for new credit. For a more complete discussion of the pros and cons of security freezes, read tips from Consumers Reports.
- Many companies, including the three credit bureaus, offer credit monitoring services for an annual or monthly fee. They will notify you when there is any activity on your credit report, thus alerting you to possible fraud.
We do not endorse credit monitoring services because we believe that individuals should not have to pay a fee to track their credit. If you decide to subscribe, be sure to choose a service that monitors all three credit reports on an ongoing basis. You can create your own credit monitoring strategy at no cost by ordering one of your free credit reports each four months, as explained above. We have more tips about credit monitoring services here.
- There are many identity theft insurance products available to consumers. We do not recommend them unless they are available as a free or low-cost rider on an existing insurance policy. For more information on such insurance products, visit www.iii.org/individuals/other/insurance/identitytheft (no endorsements implied).
- When creating passwords and PINs (personal identification numbers), do not use the last four digits of your Social Security number, mother's maiden name, your birthdate, middle name, pet's name, consecutive numbers or anything else that could easily be discovered by thieves. It's best to create passwords that combine upper and lower case letters, special characters and numbers. Use a reputable password manager to keep track of your passwords.
- Ask your financial institutions to add extra security protection to your account. Use an additional code or password (a number or word) when accessing your account. Do not use your mother's maiden name, SSN, or date or birth, as these are easily obtained by identity thieves. If asked to create a reminder question, do not use one that is easily answered by others.
- Shield your hand when using a bank ATM machine or retail point-of-sale terminal. "Shoulder surfers" may be nearby, or a pinhole video camera could be recording your keystrokes.
- Protect your Social Security number (SSN). Release it only when absolutely necessary (like tax forms, employment records, most banking, stock and property transactions). The SSN is the key to your credit and banking accounts and is the prime target of criminals.
- If a business requests your SSN, ask if it has an alternative number that can be used instead. Speak to a manager or supervisor if your request is not honored. Ask to see the company's written policy on SSNs. If necessary, take your business elsewhere. If the SSN is requested by a government agency, look for the Privacy Act notice. This will tell you if your SSN is required, what will be done with it, and what happens if you refuse to provide it.
- If possible, do not provide the SSN on job applications. Offer to provide it when you are interviewed or when a background check is conducted. Read PRC’s guides on SSNs and on online job-seeking tips.
- Do not have your SSN or driver's license number printed on your checks.
- Do not say your SSN out loud when you are in a public place. And do not let government agencies, health care providers, and others say your SSN out loud. Whisper or write it down on a piece of paper instead. Be sure to retrieve and shred that paper.
- Do not carry your SSN card in your wallet except for situations when it is required, the first day on the job, for example. A California law places restrictions on the display and transmission of SSNs by companies. For more information, read the California Department of Justice’s Privacy Enforcement and Protection Unit guide on SSN "recommended practices".
- Medicare is in the process of replacing all Medicare cards with cards that display a randomly-generated identifier. If your Medicare card still displays your SSN and you feel you must carry it with you at all times, try this. Photocopy the card and cut it down to wallet size. Then remove or cut out the last four digits of the SSN. Carry that with you rather than the actual card. But be sure to carry your original Medicare card with you the first time you visit an organization or agency that requires you to show it.
- Install a firewall on your home computer to prevent hackers from obtaining personal identifying and financial data from your hard drive. Install and update virus and malware protection software. We provide more information here.
- Password-protect files that contain sensitive personal data, such as financial account information. In addition, encrypt sensitive files.
- When shopping online, do business with companies that provide transaction security protection, and that have strong privacy and security policies. Read PRC’s online shopping tips for more information.
- Before disposing of your computer, remove data by using a strong "wipe" utility program. Do not rely on the "delete" function to remove files containing sensitive information. If you take your old computers to an e-recycling event or service, make sure they dispose of your hardware securely and can certify that they do so.
- Never respond to "phishing" email messages. These may appear to be from your bank, eBay, or PayPal. They instruct you to visit their web site, which looks just like the real thing. There, you are told to confirm your account information, provide your SSN, date of birth and other personal information. Legitimate financial companies never email their customers with such requests. These messages are the work of fraudsters attempting to obtain personal information in order to commit identity theft. Visit www.antiphishing.org.
- To minimize the amount of information a thief can steal, do not carry extra credit cards, debit cards, your Social Security card, birth certificate or passport in your wallet or purse, except when needed. At work, store your wallet or purse in a safe place.
- Install a locked mailbox at your residence to deter mail theft. Or use a post office box or a commercial mailbox service. When you are away from home for an extended time, have your mail held at the Post Office, or ask a trusted neighbor to pick it up.
- When ordering new checks, pick them up at the bank. Don't have them mailed to your home.
- When you pay bills by mail, do not leave the envelopes containing your checks at your mailbox for the postal carrier to pick up, or in open boxes at the receptionist's desk in your workplace. If stolen, your checks can be altered and then cashed by the imposter. It is best to mail bills and other sensitive items at the drop boxes inside the post office rather than neighborhood drop boxes. If you use a neighborhood drop box, always deposit the mail before the last pick-up of the day.
- Each month, carefully review your credit card, bank and phone statements, including mobile phone bills, for unauthorized use.
- Convert as much bill-paying as you can to electronic payments by using the Internet for banking and paying bills. With fewer account statements and bills mailed to your home, you will reduce the risk of mail theft and identity theft.
- Do not toss pre-approved credit offers in your trash or recycling bin without first tearing them into very small pieces or shredding them with a cross-cut shredder. They can be used by "dumpster divers" to order credit cards in your name and mail them to their address. Do the same with other sensitive information like credit card receipts, phone bills, bank account statements, and investment statements.
- Use a gel pen for writing checks. Gel ink contains tiny particles of color that are trapped in the paper, making check washing more difficult.
- Demand that financial institutions adequately safeguard your data. Discourage your bank from using the last four digits of the SSN as the PIN number they assign to customers. If you have been given the last four SSN digits as a default PIN, change it to something else.
- When you fill out loan or credit applications, find out how the company disposes of them. If you are not convinced that they store them in locked files and/or shred them, take your business elsewhere.
- Store checks in a safe place.
- Store personal information securely in your home, especially if you have roommates, employ outside help, or have service work done in your home. Use a locking file cabinet, safe, or safe deposit box.
Credit Reporting Agencies
(888) EXPERIAN (397-3742)
Federal Trade Commission
- Phone: (877) IDTHEFT (877-438-4338)
- Web: http://www.ftc.gov/bcp/edu/microsites/idtheft/
- FTC's comprehensive identity theft guide "Taking Charge: What To Do if Your Identity is Stolen" http://www.consumer.ftc.gov/articles/pdf-0009-taking-charge.pdf
- FTC's interactive identity theft guide: https://www.identitytheft.gov/
Identity Theft Resource Center
- Phone: (888) 400-5530
- Web: www.idtheftcenter.org
- FBI Internet Fraud Complaint Center. Report cases involving online fraud and phishing. www.ic3.go
- For tips on online safety, visit www.onguardonline.gov
- U.S. PIRG, Why You Should Get Security Freezes Before Your Information Is Stolen (October 2015)
Browse Privacy Topics
Background Checks & Workplace
Banking & Finance
Credit & Credit Reports
Harassment & Stalking
Identity Theft & Data Breaches
Online Privacy & Technology
Privacy When You Shop
Public Records & Info Brokers
Social Security Numbers
Who We Are
We are a nationally recognized consumer education and advocacy nonprofit dedicated to protecting the privacy of American consumers.