Module 6.1: Understanding and avoiding identity theft

Learn the risks for identity theft and the methods thieves use. Learn how to proactively monitor your credit reports for free. Bonus: How to keep track of your account passwords without reusing the same password over and over.

Competency: Jump$tart Coalition (2015), Financial Decision Making: “Standard 7. Control personal information” (p. 41).

How can you avoid identity theft? While no solutions are foolproof, combining the following strategies will greatly lower your risks.

Don’t use checks. Checks are dangerous. They have your bank account number, routing number, full name, home address, sometimes phone number, signature, and other handwriting samples on them. This is all the information thieves need to cause problems for you. Moreover, even if you trust the recipient of the check, there are still other ways paying by check could compromise your security. For example, the check could get lost in the mail. When the recipient goes to cash or deposit it, an unscrupulous bank employee could steal your information. When the check is processed, it gets scanned and retained by the bank. What if this personal data is lost in a data breach? Of course, debit and credit transactions are vulnerable to data breaches too, but they never offer the dangerous combination of personal information that checks offer.

Guard your Social Security Number. The social security number is ridiculously insecure. At only 9 digits, there are only one billion combinations. But there are over 300 million people in America, meaning that you could completely make up a social security number and have a valid number one-third of the time! The value for identity thieves, therefore, is not guessing a valid social security number, but rather, connecting it to your name, address, age, and other personal information.

• Don’t give your SSN over the phone
• If given a choice, always choose an alternate identity verification measure
• Don’t give your SSN in writing
• Shred documents with your SSN on them
• You should probably keep your SSN card in a safe deposit box and only carry it around when specifically needed
• Never email your SSN
• Even safeguard the last 4 digits of your SSN. Remember, the first three digits are associated with your state of birth (or state where your SSN was issued). An attacker who knows your birthplace and last 4 digits of your SSN may be able to guess the first 5 digits more easily than you would think, especially with brute force attack methods.

Guard your other personal information. Think about the information people need to open phony accounts in your name, and be careful not to tell this information to strangers or even friends. Don’t post this information on Facebook:

• Your middle name
• Your mother’s maiden name
• Your date of birth
• Your maiden name, if applicable
• Answers to security questions that you use for online accounts
• The banks or credit cards you use
• Your address
• Your children’s names, dates of birth, and other personal info (yes, identity thieves will even open accounts with your underage children’s information!)
• A lot of other personal information can be risky to share

Of course, LinkedIn is necessary for career development but can also help identity thieves. This is a balancing act. You want to make yourself a lesser target. Most identity thieves use automated computer scripts and other processes to sift through thousands of potential targets. They are going to attack the easiest targets, typically. A determined identity thief, just like a determined burglar, is very hard to guard against. However, in 99%+ of cases, you will not be targeted by a particularly determined thief (unless they think you have a lot of money or something).

Shred junk mail and unsubscribe from unsolicited credit card offers. Credit card offers come in the mail every day, and each one is a security risk. If someone just steals or gets ahold of your mail, they might forge an application. In fact, they might even get your information wrong (such as address) and still get the card issued in your name (but mailed to a different address), then rack up thousands in charges without your knowledge.

Therefore, you should shred all credit card offers you are not interested in (ideally with a cross-cut shredder that cuts the paper into tiny pieces), and you should unsubscribe from unsolicited offers of credit and insurance at:, or by calling 888-5-OPT-OUT (888-567-8688).

Note that you may still get offers from banks or card issuers you have existing relationships with. But this will cut down on the volume of mail a lot.

Be careful of phishing emails. Phishing emails tell you your PayPal account needs to be verified, or some other financial account. They include a link to a phony website to trick you into entering your username and password. If you ever fall for one of these attacks, you need to immediately change your password for that account (on the REAL website), and whatever other accounts you use that same password for.

You can typically identify phishing emails by their bad grammar. If not, look at the email address they came from (NOT the reply-to address, but the sender’s address). It will typically not be Next, you should put your arrow over the link in the email and see what the URL in your browser status bar says. If you’re on a phone or tablet, you might have to just click the link and see the URL in the address bar of your browser. In a legitimate email, the URL will match the financial institution’s web URL (e.g.,,, etc.), and there will be some sort of green icon or check mark in your browser verifying the site’s SSL security certificate is valid.

Usually, Gmail and other webmail providers will correctly filter out phishing emails into your Spam or Junk folder, but not always. Be careful to avoid phishing scams, and report them to your email provider if that option is available.
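The sender and link checks described above can also be done mechanically. The following Python sketch is an added example, not part of the original article: the sample message, its `.example` hosts, and the function names are constructed for illustration. It shows why the link's real destination and the sender's domain must be compared as whole domains, since a lookalike host can begin with the institution's name.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message (not a real email); the .example hosts are placeholders.
SAMPLE = """\
From: "PayPal Support" <service@paypal.com.verify-account.example>
Reply-To: service@paypal.com
Subject: Your account needs to be verified
Content-Type: text/html; charset="utf-8"

<p>Please <a href="http://paypal.com.verify-account.example/login">https://www.paypal.com/signin</a>
to verify. Help: <a href="https://www.paypal.com/help">help center</a></p>
"""

class LinkCollector(HTMLParser):
    """Collect the real destination (href) of every <a> tag, not its visible text."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)

def host_belongs_to(host, domain):
    """True only if host is the domain itself or a subdomain of it."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)

def check_message(raw, expected_domain):
    """Return a list of warnings for one raw email."""
    msg = message_from_string(raw)
    warnings = []
    # Judge the From address, not Reply-To (which here is set to look legitimate).
    sender = parseaddr(msg.get("From", ""))[1]
    sender_host = sender.rpartition("@")[2]
    if not host_belongs_to(sender_host, expected_domain):
        warnings.append(f"sender domain: {sender_host}")
    collector = LinkCollector()
    collector.feed(msg.get_payload(decode=True).decode("utf-8", "replace"))
    for href in collector.hrefs:
        parts = urlsplit(href)
        if parts.scheme != "https":
            warnings.append(f"not https: {href}")
        if not host_belongs_to(parts.hostname or "", expected_domain):
            warnings.append(f"link host: {parts.hostname}")
    return warnings
```

Calling `check_message(SAMPLE, "paypal.com")` flags the sender and the first link but not the genuine help link. A simple "does the URL contain paypal.com" test would have passed all three.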

Use different passwords and usernames. You should use different, secure passwords for each of your online accounts. Then, if someone gets one of your passwords, they can’t log into your other accounts. Your email account password should be especially secure, because if someone has access to your email, they can typically reset your password for other accounts by email.

You should also use different usernames for financial and other sensitive accounts. This adds more security. Don’t just use your last name and birth year as your user name.

How do you keep track of all this information? Use a password vault such as KeePass or LastPass. Yes, this is a single point of failure (meaning that if someone gets your “master password,” they can access your vault). However, this is still much more secure than what most people do, thereby reducing your risk. Make sure not to use your master password anywhere else. Websites routinely have data breaches, and unfortunately, many are not properly securing your passwords with salted encryption. Some password vaults can even be used on your cell phone. Make sure to read reviews and search online to see if others point out security flaws with these programs.

Use virtual account numbers. Citibank, Bank of America, and others offer virtual account numbers with pre-set spending limits for their credit cards and sometimes debit cards. These are excellent to use with merchants that may charge recurring subscription fees. Search online for more info:

Bite your tongue. Many people get in trouble just by revealing information. For example, I know friends who have mistakenly revealed personal information at work, resulting in customers or clients camping out near their home to stalk them. Be careful of small talk, and learn to “think like a criminal.” Most people don’t do this, and end up sharing information that can be dangerous. Similarly, be careful with online forums, emails, Twitter, Facebook, your website, etc. The Internet can be more dangerous, because there are so many potential attackers. Many of them come from other countries. Getting your identity stolen is a huge hassle. Don’t make it easy for attackers.

By Richard Thripp