We will all, inevitably, be affected by a data breach of some kind (you likely have been already). When that day comes, you’ll want to be ready to mitigate the consequences.
Between changing passwords and freezing your credit reports, there’s a lot to get done. Here’s the rundown of what to do with your finances and your online accounts when someone steals all your info:
Get a Helping Hand
If a service you use has suffered a data breach and you’re a little unsure of how to start dealing with the effects of it, check out the FTC’s simple IdentityTheft.gov website. Click on the huge “Get Started” button, and the site will ask you a few questions to ascertain the extent of what’s going on. It’ll then present some helpful recommendations in the form of a “personal recovery plan” that you can use as a first line of defense against the hack.
Assess the Damage
What did the hackers get away with? Depending on what information they stole, scammers could wreak havoc in a variety of ways:
- Charge your credit or debit card
- Steal money from your checking or savings account
- Steal your tax return
- Steal your Social Security benefits
- Access your Medicare benefits
- Access your 401(k) or other investments
- Open a credit card in your name
- Open a utility account in your name
- Take out a loan in your name (like a student loan or payday loan)
- Take out a mortgage in your name
A stolen credit card number is a nuisance, but not a huge deal: Simply call your creditor and let them know, and they should send you a new card and reimburse the fraudulent purchases. If your Social Security number is stolen, however, things are much more serious (we’ll get into that below).
Also, think about how stolen data might impact other sites and services you frequent. If attackers grabbed your login (or email address) and password—typical targets—you’ll not only want to change your login credentials for the breached site or service, but you’ll want to change your passwords for every other service that uses the same combination. (And you really shouldn’t be using the same login and password for multiple sites, but we’ll get into that below as well).
If it’s been a while and you haven’t really been paying attention to each and every data breach ever, the website “Have I Been Pwned” is a great starting place to help you figure out if your login information appears in any of the 250+ website breaches the site tracks—including the big hacks that hit LinkedIn, Adobe, MySpace and, of course, Ashley Madison.
Freeze Your Credit Reports
If the scammers got more damaging info, like your SSN, you’ll want to freeze your credit reports (heck, you might just want to do this anyway to be safer).
The banking bill that was recently signed into law will make credit freezes free in the near future, but right now they cost $2 to $10 depending on the state you live in (Consumers Union breaks down the costs per state here). You need to put a freeze on all three of your main credit reports, from Equifax, Experian and TransUnion, plus one at Innovis, a fourth bureau, for good measure.
Credit freezes mean you (or a scammer) won’t be able to automatically qualify for a new line of credit because creditors won’t be able to pull your credit file—you’ll need to unfreeze your reports first (or if you give them a call, you might be able to temporarily “thaw” your file). This is a more secure option than simple fraud alerts, which will simply alert you when there’s activity on your account. If you’re not planning on opening a new credit card or applying for a mortgage any time soon, freezing your reports is a good, proactive security measure.
Check Your Credit Reports and Bank Statements
Go over all three of your credit reports to see if any fraudulent accounts have been opened in your name. You can do that at AnnualCreditReport.com. The bureaus often have access to different information, which is why you’ll want to check all three for discrepancies.
If your Social Security number was stolen, file an identity theft report with the police and the Federal Trade Commission, and send a copy to the credit bureaus. Keep track of all correspondence you have with the credit agencies, police and any businesses you send the report to. “If you’re a victim of ID theft, the credit bureaus must block fraudulent information from your reports, and the businesses involved can’t ask you to pay any debts,” reports Kiplinger.
And check your bank statements. Credit reports won’t catch everything, for example if someone stole money from your banking accounts or investment funds. If you see something shady, call your bank or brokerage immediately. ChexSystems, which is used by banks to verify customers’ identities, offers a security alert and freeze that makes it harder for scammers to open fraudulent accounts.
Track All Your Account Activity in a Single Service
It might sound a little strange to say “consolidate your services!” when a data breach at a place like Mint would really mess up everyone’s financial lives. However, if you have bank accounts and credit cards spread out at a number of different locations, you might want to consider a service like Mint, which our personal finance writer swears by, to quickly see if there are any eye-opening charges across your accounts as a result of a data breach.
While you’re at it, check and see what kind of notifications you can set up with your credit cards and bank accounts. If you’re lucky, you’ll be able to receive text messages whenever your balance blows past a certain amount on your card, whenever an international transaction is made, or whenever a transaction is made without your card being present—things like that.
Stop Using the Same Password Everywhere
It’s 2018. There are super-inexpensive apps—and even free apps—that you can use to create, store, and recall complicated passwords across your favorite devices and web browsers. There’s no reason why you should be using the same, easy-to-type password or passphrase across multiple sites.
That said, we’re all creatures of habit, and it’s a lot easier to just use your pet’s name plus 123456 and a few random symbols (!@!@) every time you create a new account somewhere. Stop doing that. Create strong, unique passwords for every service and you’ll limit the potential fallout whenever one gets hacked.
Use Two-Factor Authentication for Everything
1Password, one of our favorite password managers, now makes it easy to see whether the sites you’re using support two-factor authentication. (And if you don’t use 1Password, you can always look this up yourself.)
Having your data stolen by an unknown party can be a great reminder of the power of two-factor authentication. While the process isn’t flawless, forcing a would-be hacker to get a special security code from your smartphone in order to log into your accounts might stop them in their tracks. It’s a great cover-your-butt tool in case your login and password have been leaked, but it won’t do much if hackers attack a service and yoink your personal information from a company’s servers.
Recover Your Account
If someone has already used your login information to access your account and change the password, effectively taking it over, you’re going to want to attempt an account recovery. This process varies by service—perhaps you just need to enter a previous password you’ve used or some other identifying characteristic, like answers to questions you set up when creating your account, or your address and phone number (assuming it hasn’t been changed in the service as well), et cetera.
(Speaking of, one quick trick: If a site wants you to input, say, the first car you ever purchased as an answer to a recovery question, you don’t have to. You can write anything you want, so long as you remember that your “first car” was actually an “[insert fake answer here].” This will make it a little tougher for an attacker, armed with a little bit of information about you, to trespass on to even more of your online life.)
You might also have to go above and beyond a simple web-based recovery process and talk to a customer service representative via the phone or virtual chat. (Try not to handle this over email, as that might take too long and time is precious when your account isn’t yours anymore.)
Check Your Service’s Settings
It’s possible that an attacker could gain access to your account and leave some kind of backdoor that makes it easy for them to keep tabs on what you’re up to even after you regain access and change your password. For example, if someone breaks into your email account, perhaps they’ll set up a rule that forwards any email with the word “password” in it to a secondary address, or use your sign-in to authenticate into another app or service that also gives them access to your data in some way—crazy things like that.
If a service you use has been hit with a data breach, make sure you go through your settings and linked apps (if applicable) to check for anything out of the ordinary. And if you’re notified that a service has been hacked, and you’ve connected other services like your Google, Twitter, or Facebook accounts to it, to name a few easy examples, lock down your digital life by revoking the compromised service’s permissions within these services.
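Here is one way to run the forwarding-rule check described above as a script. It is an added example, not something from the original article. The rule list is a constructed, simplified export, and OWN_DOMAINS, SENSITIVE_WORDS and the field names are assumptions, since every mail service stores rules in its own format.

```python
# Constructed, simplified rule export; real mail services use their own formats.
OWN_DOMAINS = {"example.test"}          # domains you actually control (assumed)
SENSITIVE_WORDS = {"password", "reset", "verification", "security code"}

RULES = [
    {"name": "Newsletters", "contains": "unsubscribe", "move_to": "Reading"},
    {"name": "zz", "contains": "password", "forward_to": "drop@mailbox.invalid",
     "delete_original": True},
    {"name": "Work copy", "contains": "", "forward_to": "me@example.test"},
]

def audit_rule(rule):
    """Return the reasons a rule deserves a manual look (empty list if none)."""
    reasons = []
    target = rule.get("forward_to", "")
    domain = target.rpartition("@")[2].lower()
    if target and domain not in OWN_DOMAINS:
        reasons.append(f"forwards mail outside your domains to {target}")
    keyword = rule.get("contains", "").lower()
    if target and any(word in keyword for word in SENSITIVE_WORDS):
        reasons.append(f"matches security-related mail ('{keyword}')")
    if target and rule.get("delete_original"):
        reasons.append("deletes the original, hiding the forward from you")
    return reasons

def audit_rules(rules):
    """Map rule name -> reasons, only for rules with at least one finding."""
    return {r["name"]: found for r in rules if (found := audit_rule(r))}

if __name__ == "__main__":
    for name, reasons in audit_rules(RULES).items():
        print(name, "->", "; ".join(reasons))
```

Anything the script flags should be deleted from the account’s settings by hand, followed by another password change.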
Avoid Phishing Attempts
In general, you shouldn’t respond to emails and share personal information without thinking about what you’re doing—especially the kind of personal information that, when combined with stolen data, could allow a person to completely lock you out of a service or kick off even more fraud and unpleasantness.
Make sure you’re being vigilant about what you click in emails and what you send as responses, especially after a site you use has been hacked. In general, you want to make sure you’re always thinking about the different ways you can separate legitimate information requests from phishing. As the FTC warns:
“Delete email or text messages that ask you to confirm or provide personal information (credit card and bank account numbers, Social Security numbers, passwords, etc.). The sender already may have some personal information about you, stolen as part of a data breach. Don’t let that fool you. Legitimate companies don’t ask for sensitive personal data via email or text.”
Even the best of us can get fooled by a phish from time to time, so make sure you’re looking at the real URLs for anything you’re about to click on (or anything you have clicked on and are about to type sensitive information into). Similarly, make sure the email address appears to be coming from one of your real contacts (and that the reply-to address, when you go to write back, is actually going to who you think it is). When in doubt, fire up a separate email to the person bugging you—or ring them on the phone—to make sure everything is on the up-and-up.
Make Sure You’re Prepared for the Future
The truth is, your data is likely out there whether or not you’ve seen fraudulent activity yet. The breadth of last year’s Equifax hack—in which nearly 150 million people had their personal information stolen, including SSNs—means we’ll be dealing with fallout, well, forever. Just because fraudsters haven’t tried to use your info yet doesn’t mean they won’t. Your SSN doesn’t expire (and is hard to change), which means they can use it for years to come.
If your information hasn’t been stolen yet, be discerning. For example, your employer needs your SSN for tax reasons, but many other places that ask for it do not, like your doctor’s office. “When in doubt, ask why the SSN is necessary or leave the space for it blank,” suggests Kiplinger. “Some companies want the number so they can track you down in case you fail to pay bills. An alternative identifier—say, your phone number—may suffice.”
Further, if a financial institution or someone else asking for information or threatening you with legal action calls you, hang up and call the agency back on their main number, even if your caller ID says they’re calling from a “reputable” organization, like the IRS (and know that the IRS will typically not call you over the phone demanding money or personal information, especially if they have not sent you a bill by mail yet). Older people and non-English speakers are particularly vulnerable, so if you are close to someone in one of those groups, try to help them as best you can. Another tip: IRS scammers don’t just call during tax season—you always need to be on alert.
You might also consider a credit monitoring service, though that won’t catch everything (for example, it won’t detect if a scammer got access to a current credit or debit card number). There are more comprehensive services you can pay for, like EverSafe, Identity Guard or LifeLock, which also comb the “dark web” for your information and track your bank and investment accounts for fraudulent activity. As Krebs on Security notes, you don’t need to pay for one for an entire year—if you see something is wrong and are having a hard time resolving it, these services will likely be able to help you and potentially reimburse some of the costs involved.
Above all, check your bank statements and credit reports at least once a month, and preferably once a week. You can access your credit reports for free on apps from Credit Karma, Credit Sesame and NerdWallet, and your bank may also offer a free service. Put a reminder in your calendar right now.
This is a time-consuming process, but ultimately it’s time well spent. Being vigilant and safeguarding your information and identity should now be an integral part of your cyber-routine—whether it’s strengthening your passwords, being smarter about how your services are interconnected, or paying closer attention to your financial life.