Top 11 Ways to Prevent Fraud and Identity Theft
Almost every day we hear stories from families affected by some form of fraud. According to the Federal Trade Commission (FTC), identity theft is one of the most commonly reported types of fraud. Here are some suggestions for staying out of harm’s way, and a few of them might surprise you.
1. Credit Cards are Safer than Debit Cards
As long as you can control your spending, and pay off your card balance every month to avoid double-digit interest-rate charges, credit cards are safer than debit cards. If someone commits fraud with your debit card, there is often a long process before getting your money back, and you have to prove the spending wasn’t you. With a credit card, on the other hand, you’re protected by the Fair Credit Billing Act.
As long as you report the fraudulent credit card activity promptly, your liability is limited to just $50 per incident, but typically there is no loss at all because the card company catches the first fraudulent attempt to use your card. Credit card companies employ sophisticated screening algorithms (including your purchase history) to quickly identify suspicious activity, block any such charges, and immediately contact cardholders to verify the fraudulent charges, freeze the card number (if deemed necessary), and rush replacement cards to you with different numbers.
Debit cards are not as easy. You could literally spend months trying to get back your entire account value, and potentially end up with a negative balance for a while as a result.
2. Don’t Write Checks
Don’t make the mistake of thinking that what you have always done in the past is safer than new methods. Many people feel more comfortable paying bills by mailing in checks, rather than paying by credit card or online bill-paying. The problem is that writing a physical check introduces multiple points of failure into the transaction.
Checks have your name, address (and often phone number), checking account number and bank information reflected right there for people to steal and potentially use. Carrying your checkbook means that it can be easily stolen, or individual checks removed without you noticing. Even if a mailed check makes it safely to its destination (which they usually do), the risk doesn’t end there. An employee processing the payment for the company you are paying can easily see (and possibly photograph) your check.
When you pay a bill online using your bank’s “billpay” system, on the other hand, you’re logging directly into your bank’s encrypted website, and many bills (e.g., credit cards and utilities) are paid to the recipient electronically (no physical check is ever handled by a human). Even when a physical check is issued and sent to the recipient, there is less opportunity for the account information to get stolen or compromised.
You can also set up many recurring bills (including utilities, cable, Netflix, etc.) to be automatically paid each month by credit card. Even if the card number is compromised, you’re protected by the Fair Credit Billing Act, as is described above. Many credit card companies will even provide you unique card numbers to use online, which provides another layer of protection.
3. Use Two-Factor Authentication (TFA)
Some websites and apps not only require a login ID and password, but they ask you to input a code that they text to your phone (while you’re in the act of logging in). This is called “two-factor” authentication because you must:
- First, prove that you know the login information (user ID and password); and
- Second, prove that you have in your possession the cell phone linked to your account (which no hacker would have).
While this two-step process is a slight hassle, it is tremendously powerful—one of the most effective and foolproof ways to prevent un-authorized access to your accounts. Ideally, you would use TFA for every online login, but at the very least you should use it for logging into your password manager (e.g., LastPass), as well as any financial accounts that you access online (banks, investment custodians, credit card companies, etc.).
4. Use a Password Manager
We hear about big companies getting hacked all the time (and this doesn’t include those who don’t publicize it). It’s not a question of if your login information will be obtained by crooks, just when. Let’s be honest—we all started out using the same password (or two) for everything. If you added them up, you probably have dozens, if not hundreds, of different logins, and most of them may still be using those same few passwords. Unfortunately, nowadays that is like handing your car keys to a complete stranger…who you know is a car thief.
If you have a login to one website (Target.com, for instance) that gets hacked, the hackers:
- Get (and quickly sell to other bad guys) your email address (which is probably also your login/user ID in most cases) and passwords;
- Start immediately attempting to use that ID and password on other sites (Amazon, Ebay, Walmart, Bank of America, etc.), and if the login works, they can do substantial financial harm.
I know how hard it is to remember even a dozen different passwords; remembering a unique one for every website you use is literally impossible.
The solution is surprisingly simple—get a password manager. Password managers only require that you remember one “master” password. That master password logs you into a “vault” that contains all of your IDs and passwords, no matter how many there are (one of my associates has 683!).
There are several good password managers available, including Dashlane.com, 1Password.com, and KeeperSecurity.com. The one I personally recommend is LastPass (it’s actually what all of us here at Viridian use), available at www.LastPass.com. LastPass encrypts your passwords so that not even LastPass’ employees can see them, but you can access them from almost anywhere, using your master password.
In addition to keeping and filling in IDs and passwords, most password managers can also autofill forms (with your name, address, credit card number, etc.) to make online shopping easier. LastPass also eliminates the need to think up new passwords by auto-generating random ones; for example, it just took me only a few seconds to create this one: jX$K#mG9#!8B%*x. That would obviously be extremely difficult to remember, and it is also tough for hackers to crack.
I also find Lastpass extremely helpful for IDs and passwords that I want to share with my wife and family (she and I know all of the kids ID/passwords, but they only see the ones that we specifically share with them). We no longer need to constantly ask each other for passwords we can’t remember, and when any of us changes a password, it is automatically saved so everyone has access to the new one. It also ensures they can access important account information if something ever happens to me.
A quick word about your master password. Only keep it written down on a piece of paper in your safe or safe deposit box (just in case you forget it), not anywhere near your computer. After all, anyone who finds it will have access to all of your account logins. When creating your master password, make it at least 20 characters long, and it should contain all four character types: upper and lower case letters; numbers; and special characters (?!&#, etc.). Don’t worry; it doesn’t need to as complicated as that sounds. I suggest creating a long sentence that meets the above requirements, but is easy for you to remember. Here’s an example of a master password that is 46 characters long (the spaces count), and all four character types, but is actually pretty easy to remember:
I like black&white movies better than color 1s
Like most password managers, LastPass will work on all of your computers and mobile devices. It can be added to almost any web browser (Chrome, Firefox, Safari, Internet Explorer, etc.), where it will automatically save login info for any new websites you sign into. The apps for your mobile devices are nice because they can utilize your fingerprint or face recognition for ease of use. The slight inconvenience of logging into a password manager prior to other websites is a small price to pay to have a unique, hard-to-hack password for every single website you log into.
5. Don’t Take the Bait!
When you receive an email that asks you to click something, DON’T! Here are three common ways that clicking the wrong thing can hurt you:
- Clicking a link to access an account, view an invoice, claim a special reward, or retrieve a message. Links in emails are the most common way that scammers gain access to your personal information, and the term for it is “phishing.” Online thieves send out millions of phishing emails as “bait,” knowing that they’ll trick lots of people into clicking…and thereby giving them login information. Phishing emails look like legitimate emails from websites and sources that you recognize (Bank of America, Chase, Microsoft, American Express, etc.). They even have perfect company logos, phone numbers, etc., and often even say things like, “This message is certified to be virus-free” at the bottom.
The goal of phishing is to get you to enter your username and password into their fake (but identical looking) website, where they save your information, and they can then use it to log into the real website, posing as you. Even if an email looks completely legitimate, DO NOT CLICK THE LINK! Instead, open a new browser tab and go directly to that company’s website (BofA.com, Chase.com, Microsoft.com, AmericanExpress.com, etc.), and log in there.
- Opening an attachment (often an innocuous looking PDF file) that contains/triggers (invisibly) the installation of “malware,” a program that not only does harm (e.g., recording all of your keystrokes and transmitting them to crooks), but also immediately send an email (containing the same malware) to every one of your email contacts (that’s how they spread).
To avoid this, never open an attachment unless it is:
you are expecting; or
- From a trusted source and there is a personal note from the sender, e.g., “Sue – the attached article reminded me of you and Jim. Best regards, Bill”. If it’s from a trusted source, but doesn’t have a personal note, it might mean that their computer is infected with malware (which just forwarded itself to you and everyone else in their email address book).
- Installing software from a pop-up window. Unless you have actively sought out a program that you want to install, don’t let a website trick you into thinking you need something, such as scanning your computer or installing an antivirus program. Such pop-ups often install malware (e.g., a virus) on your computer and—like attachments—immediately send themselves to everyone in your email contact list.
- Anti-virus software. Speaking of anti-virus software, unless your computer is more than a few years old, it probably came with an antivirus program already installed. But if you don’t have one, get one, and do it now.
Two of the best are McAfee (www.mcafee.com) and Symantec/Norton (www.symantec.com). If your computer has Windows 10 or later, however, just use Windows Defender; it is free with Windows. Antivirus software will generally keep you safe…as long as you don’t click on the things in the preceding paragraphs.
6. Phone Fraud – Only Reveal Personal Information if You Made the Call
No legitimate organization will ever call you to either:
- Threaten to take drastic action (e.g., turn off your electricity) or demand immediate payment (e.g., for back taxes in order to avoid huge penalties); or
- Ask for personal information (your social security number, credit card or bank account numbers, etc.).
This includes the IRS, your bank, the social security office, utility companies, and so on. That means that if someone calls you and does the above, even if they say they need your information just to verify that they are talking to the correct person, don’t fall for it! If they are legitimate, they’ll already know that information and can tell it to you.
Scammers often use scare tactics to trick people into thinking that it is urgent and imperative to give them personal information or money. Even if you think they sound legitimate, tell them you will need to call them back. If they are who they say they are, they will not try to argue or pressure you.
To be safe, however, tell them that you need to look up their contact number on their website (never call them back at a number they give you, since part of the scam is answering it as the company in question). If they’re legitimate, you will be able to reach them by calling their organization’s published phone number.
7. Freeze Your Credit
If you seldom get new credit cards or other types of credit, you can prevent anyone from establishing new credit accounts in your name by doing a “credit freeze,” also known as a security freeze. To do this, you must contact each of the three major credit agencies (Experian, Transunion, and Equifax), and go through a sometimes-frustrating process to freeze your credit information with that company. Later on, if you decide to get a new credit card or loan, you’ll need to go back and un-freeze all three.
There are a number of pros and cons to freezing your credit, and they are beyond the scope of this discussion. You can find more information, including the latest links to all three credit bureaus, on this FTC website: https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs
8. Sign Up for an Identify Theft Protection Service
In conjunction with, or instead of, freezing your credit, you might consider subscribing to an ID Theft Protection Service. These services monitor your personal information and credit, and alert you if anyone (including you) applies for credit in your name, or even does a credit inquiry on your social security number. Not only can this help prevent the nightmare of identity theft, but if you ever are a victim, most provide a certain amount of insurance and will assist you (financially and otherwise) in recovering from it.
There are many companies that offer identity theft protection, ranging in cost from $9-$27 per month. Here are a few of the better-known ones (in no particular order, although the Costco program is probably the best value if you’re a Costco member):
- Experian IdentityWorks (www.experian.com) – $10-$20 per month;
- Experian/Costco CompleteID (www.costco.com/identity-protection-services) – $9 per month for Executive Costco members, $14 per month for other Costco members;
- Lifelock (www.lifelock.com) – $9-$27 per month;
- Identity Guard (www.identityguard.com) – $9-$20 per month;
- Identity Force (www.identityforce.com) – $18-$24 per month.
9. Don’t Be Embarrassed
One in every twenty people will be affected by fraud this year. Even if you do everything right, it is still possible that you could be a victim. But don’t make the problem worse by being embarrassed about asking for help because you’re afraid of looking foolish.
Scammers will not only try to trick you, but they will try to intimidate you as well. The longer you wait to act, the worse the problem can get, so if you think you might be a victim of fraud, immediately seek help. Here’s a place to that lets you know what to do for various types of fraud: http://www.consumerfraudreporting.org/reporting.php
10. Watch for Fraud/Abuse of the Elderly and Vulnerable
Asking someone who knows you well to monitor your large transactions can add an important layer of protection. This is especially important if you know of someone in your family (or otherwise) who is vulnerable to manipulation and financial abuse. One of the worst forms of fraud/identity theft is when a caretaker takes advantage of elderly, vulnerable clients. If you suspect that someone might be a victim of elder abuse, you can see what you should do here: https://www.hhs.gov/answers/programs-for-families-and-children/how-do-i-report-elder-abuse/index.html
We ask that our clients provide us with “trusted contact persons” (adult children, close friends, etc.) whom we can contact if we see suspicious activity in their investment accounts, or if we otherwise suspect a problem. The most common reasons we call those trusted contacts are when we notice either a spike in spending or a decline in the client’s cognitive abilities.
11. Trust Your Intuition
If you find yourself in a situation that makes you uncomfortable, get out, whether it is an email, a website, or a phone call. Fear tactics are one of the most effective ways for scammers to get people to act. Examples that would strike fear into almost anyone are emails or phone calls stating that:
- Something on your computer is about to expire or be deleted;
- You’re about to pay a big penalty; or
- You’re about to have your electricity or water shut off if you don’t pay immediately.
Just remember that no reputable organization would ever require payment and/or personal information urgently, without allowing you time to confirm their legitimacy. And trust your gut; if it doesn’t feel right, don’t do it. 79f