In the age of online security, it’s easy to get overwhelmed. It feels like new breaches get announced every week, and traditional advice like “pick a password you can easily remember” is no longer enough to keep our most important accounts safe.
It’s not all bad news, though: by adopting a few new habits, you can minimize the risk of identity or data theft, and even minimize the impact of a potential cyber threat. Here are the three most common ways you might be at risk — and what you can do about each of them.
Here’s what you should do if...
If a vendor or website has contacted you to alert you that some of your information was stolen, don’t panic — there are plenty of ways to make sure you’ll be all right in the long run. The first step to take is to find out specifically what information was stolen, and then respond accordingly. For example:
If demographic information was stolen, such as your name, phone number, and home address, the good news is that hackers can’t do very much with that information alone. The bad news is that you’ll need to apply a little more caution to the mail and phone calls you receive, because scam phone calls are big business, and so is junk mail. That extra caution is never a bad idea, regardless of the circumstances.
If personal information like your birthday or Social Security number was part of a breach, the risk is more severe, because the information can be used to open new credit cards or steal existing funds. To prevent any immediate theft, your best bet is to freeze your credit with all three credit reporting agencies (Experian, Equifax, and TransUnion). Freezing your credit means no new lines of credit can be established in your name until you personally unfreeze your credit with all three agencies. To protect yourself moving forward, you can sign up for a credit-monitoring service, which will automatically send you an alert if anyone attempts to use your information without your permission.
If website passwords or account information were stolen, the first step to take is to change your password — and if you’re using that same password on any other account, you’ll need to update it there too (most hackers count on users recycling passwords). While you’re establishing new passwords, consider using a password manager service like LastPass or Dashlane to generate strong passwords and manage them for you so you don’t have to remember long strings of characters. Once your passwords are squared away, set up multi-factor authentication on any accounts you have that support it. Multi-factor authentication, sometimes called MFA or 2FA, makes it so that once you log in to a site with your password, you must approve the login on a separate device like your smartphone, so stolen passwords won’t be enough to access your information. Google, Facebook, Amazon, Microsoft, and Dropbox all support MFA — if you have accounts with any of them, start there first.
If you’re interested in setting up multi-factor authentication but don’t want to use your phone as the secondary approval device, consider getting a security key. Security keys are small USB devices dedicated to being a second factor — so when properly set up, once you enter your username and password, all you have to do is tap your security key to confirm the login.
More than half of the phone traffic in the United States is made up of robo-calls: automated phone dialers hoping to scam recipients out of their money. Sometimes they pretend to be from important businesses, and other times they rely on cagey language like, “We have an important update about your account.” No matter who a caller says they are, there are three things to remember to stay safe:
If it’s obviously a recording trying to sound like a person, hang up. While there are legitimate uses for automated calling such as non-profit fundraising or public emergencies, most robo-calls are scams. If a recorded voice attempts to engage you in conversation, hang up.
If you get a call from a live person, start by asking them to tell you your name. Some fraudulent calls will have a live person on the other end, often claiming that they need access to your computer or your banking information in order to help you. Before giving them any information, ask them to tell you your own name. Most phone scammers are just calling long lists of numbers, and won’t be able to respond. If they can’t — or if they simply seem untrustworthy — hang up.
Believe it or not, the most common (and effective) method of stealing information isn’t through hacking passwords or credit card numbers — most successful hacks happen through “phishing”: fooling users into clicking dangerous links or inadvertently providing personal information. You’re probably already familiar with unwanted spam emails, but spam has evolved, and now what may look like an innocuous email from a trusted contact could be an attack on your accounts and information. Here are two rules to remember when it comes to protecting yourself against phishing attempts.
Pay close attention to the “from” field. In many instances, you can spot a scam simply by noting inconsistencies in the sender’s email address. An email may look like it’s from your friend Jane Doe’s Gmail account, but if it comes from “email@example.com,” treat the email with caution. Before you click any links in the body of the email, consider following up with the sender to make sure it was them who sent you the message. (If you’re certain the message isn’t genuine, simply delete it.)
Hackers and online criminals will continue to find new ways to get your information, so your most valuable defense is awareness. If something about an email or phone call feels off to you, trust your instinct, and take extra precautions — now, more than ever, “better safe than sorry” is your best bet for keeping your most valuable information secure.