Ever since the Equifax hack, lots of people are worried about their financial security. As someone who has been a victim of identity theft and unfortunate mistakes a few times, I learned the ins and outs of protecting yourself. The key is eternal vigilance, but let’s go into the specifics.
How I Became a Reluctant Expert On Identity Theft
I’m changing the facts around slightly in these stories to protect the innocent.
Around 15 years ago, my father passed away and it caused a financial crisis in my family of origin. Money was tight and I helped out when I could. However, that was not enough. At one point a family member made a threat to me and started to act on it. I realized that he knew everything about me to apply for credit in my name. For those things he didn’t know, he could ask Mom. Think about it. Any family member could apply for credit in your name. They even know the answers to those “security” questions like best man at your wedding or where you graduated from high school. That’s when I froze my credit and haven’t looked back.
Fast forward to about three years ago, and I get a strange email from an insurance company I did business with a long time ago. I had a life insurance policy with them but canceled it years before. Then I got a password reset email. That kinda bothered me. As a tech expert, I could examine the origin of the email and the URL. It all looked legit. I logged into that account and all of a sudden I had a large home and three cars insured with them. Moreover, my social security number had changed. I panicked that someone stole my identity and had apparently done it for years! Human error at the insurance company merged my data with another David Greenbaum’s. I almost canceled this guy’s insurance policies.
Finally, a few years ago, I lost my wallet. All the typical things were in there like my driver’s license, ATM card, credit card, business cards, health insurance card, in-case-of-emergency info (ICE), and some cash. I had to replace it all.
Equifax Stole Your Wallet-So What?
According to Equifax, the information about you that was probably leaked includes:
- Your Name
- Your Social Security Number
- Birth Date
- Driver’s License
- Credit Card numbers
- Credit History
Photo by mroach
Guess what? Your wallet probably has most of that information. That’s not meant to minimize the hack, but rather put it into perspective. You might not have your social security number or your credit history in your wallet, but most everything else is in there. In my case, it also had health insurance info, my spouse’s name, and both of our places of employment since we had work numbers. For an identity thief, that’s probably more information than the Equifax hack.
Who Else Has That Information? Everyone!
Look at that list again of what was stolen and think about, besides your wallet, where else that information is stored. The most obvious places are your company’s HR department. The only thing they might not have is your credit history. How secure is your company’s HR database? Is it subject to social engineering hacks like in Mr. Robot? I’ve seen hiring managers haphazardly leave things like I-9 forms – which have all that information – on a desk. You won’t read about those hacks in the news.
I’ve already discussed family members who have that information. In a messy breakup, your significant other probably has most of that information too. Your child who is struggling to make ends meet in college has that data. The college would have that information too, especially if the student applied for financial aid.
Once you freeze your credit as I did, you start learning who has your personal information and runs credit reports on you.
Protecting Yourself and Your Family, Regardless of the Hack
Step 1: Freeze Your Credit Everywhere, Even If You Have To Pay
Credit freeze rules vary by state, but they all allow you to freeze for free if you’re a victim of identity theft. If Equifax says your stuff was stolen, I’d say you’re a victim. I’m not an attorney, but it seems to me you should be able to file a report in this case. If your local police department doesn’t accept a report, you might be able to file an affidavit with the FTC. They allow that affidavit if you’ve ever had a fraudulent charge on your credit card (who hasn’t?). Your circumstances and mileage will vary.
In my case, I didn’t file a report because I didn’t want to get my family member in trouble. I paid about $15 per agency to create the freeze. I also have to pay if I want to unfreeze it. If you file a police report, both the freezing and unfreezing is free. You can’t change it later, so although my cards have been used and I could file an affidavit, my freeze will always be chargeable.
It should be obvious, but you need to freeze your credit with all the major agencies: TransUnion, Equifax, and Experian. Scammers can use the information gained from Equifax or any of the other sources to get goods or services in your name.
A credit freeze prevents people pulling your report without the special PIN; it’s the closest thing we have to 2FA for credit. It doesn’t impact any other aspect of your life. Your credit cards and loans work just the same. It only impacts future applications after the freeze. If you already have a credit card and ask for a credit limit increase, they’ll pull a report and you’ll need to “unfreeze” your credit.
Photo by paalia
Special Note: Unfreezing Your Credit
Unfreezing your credit is a minor pain, roughly about as hard as changing a password. A few minor hoops to protect yourself long term.
When you’re trying to shop for a house, get a new credit card, or even a job, they’ll often run a credit report. It’s easy to unfreeze your credit (although in my case it costs me about $15). Ideally, the company requesting the report can tell you what agency they’re using. Rarely do they know this. It isn’t until you’re denied goods or services that they say they couldn’t pull a report from an agency.
Over the years I’ve seen companies get better about understanding what a freeze is. I suspect after this hack, even more will understand. You don’t get a “bad” credit report. They just get a notice there is a problem. Credit card experts tell me it’s like they have the wrong social security number or name. Unfortunately, somewhere along the line, someone might read “no report” as “bad report.” That’s happened to me more than once. I just explain, “This is due to my credit freeze and please tell me what agency you use.”
Most agencies let you set a period for the unfreeze. Some also let you unfreeze it until further notice from a particular company. I’ve never had that work. I always have to do a blanket unfreeze for a few days.
All you do to unfreeze your credit is go online, enter your PIN, and then enter the unfreeze period. It’s that easy. If you lose your PIN, you have to request a new one through the mail. I keep my stuff in 1Password and the originals in my safe at home.
Step 2: Never Give Your Social Security Number
If your email password is stolen, you get to reset it. Heck, I can reset my password on IRS.gov, but I can’t change my username aka my social security number. Social Security numbers stay with you for life. You can’t change them like you would a username—it’s possible but not easy.
A social security number in itself is a valuable tool for theft. People have been filing fraudulent tax returns for years and stealing people’s refunds. Many companies that ask for that number don’t really need it. For example, one time an orthodontist wanted it. I said no and they denied the appointment. The reason was they wanted to do a credit check on me. I refuse to give it to my medical doctor after that.
Most places that ask for a Social Security Number want to do a credit check. You’ll find that in the weirdest of places. Applying for a loan seems obvious, getting a mobile phone is not. Anytime someone wants to give you something with the hopes of payment, they might do a credit check. Another place that burned me was utilities. Switch ISPs, and they might want to run a credit check. When you have your credit frozen, you learn all the places that run credit checks.
If you freelance or do contract work, companies might need a social security number to register the payment. After all, the IRS wants their fair share. Instead of using that number, get a Federal Employer Identification Number (FEIN). That’s linked to you with the IRS, but is a separate entity from your SSN. If you’re self-employed, you can get one, you don’t actually need employees. You’re your own employer.
Step 3: Don’t Ignore Glitches In The Matrix
In The Matrix, Neo sees a cat twice and thinks Déjà vu . That minor detail reveals a major problem in the virtual reality he was living in. That’s how you need to approach your financial transactions, don’t ignore the deja vu or other weird occurrences. Little details are tip-offs to big problems. Minor details could be major problems.
Take for example an unexpected collection letter. You never did business with the company and they’re asking for a small amount of money. You’d either ignore it or pay it. Do neither! Ask for documentation of the debt under the Fair Debt Collection Practices Act. It could be human error—for example, you share the name of a debtor. Or it could be that initial glitch. That’s why you need to track it down. These glitches include debt collectors calling or just weird bills or charges on your credit card.
I once got a water bill for a David Greenberg at my address. When I signed up for service with the city, the person saw that our names looked similar enough that he just merged the records. The problem was David Greenberg owed the city a ton of money. Ouch.
Special notice to couples and families: you need to be open and transparent about charges to know the difference between your spouse buying something and not telling you and a fraudulent charge. That might ruin the surprise of a gift. I’ve had that happen to me more than once. To protect that, we just say to each other something like, “There’ s a charge that’s going to come through that is related to a gift…can you wait a few weeks before looking at the credit card statements.” I know, it kills the romance, but fraud isn’t sexy.
Step 4: Get a Credit Report From Every Agency, Every Year
Hopefully, you file your taxes every year like clockwork. The next thing you do after sending them off is ask for your Annual Credit Report. That link is the legit one. Other companies do free credit reports for you, but Annual Credit Report, as they say, is the “only source for your free credit report authorized by Federal Law.”
Each year look it over for any glitches (see Step 3). No matter how small of a glitch, pursue it aggressively. Even if you freeze your credit, you still get a free credit report.
Step 5: Ignore Monitoring and Other Services; Stick to the Freeze
Some of these services are total scams; some are legit. Anytime there is a hack, companies offer free credit monitoring as a way of putting you at ease. That’s the last thing you want after a hack! Equifax offers credit monitoring. Maybe I’m pessimistic, but I’m unlikely to trust it.
Don’t delegate the monitoring of your credit to some service. They won’t see tiny errors that you see. They might find nothing wrong with a small charge or bill, but you know you didn’t shop there.
All credit bureaus allow you to put a “fraud alert” on your account. Anyone pulling your report can see that, but it does nothing to stop a scammer. It’s a polite suggestion, but nothing more. They usually last about 90 days. If you’re truly a victim of identity theft and can prove it, they’ll keep the alert on for seven years. However, it again doesn’t stop someone from using the information, so you’ll still need to do steps 1 – 5.
After a publicized hack like that, scammers try to trick people into giving out information. Don’t. Stick with the steps in this article. Never give out or confirm any information over the phone, email or in writing. If you get an unexpected bill or letter, treat it like a phishing attempt. Call the company directly with a number you already know, not the number on the letter.
One exception here is identity theft insurance from your homeowner’s insurance company. It’s only a few bucks a year and they’ll help you pay if you need to fight debts created by a thief in your name. When I thought David Greenbaum stole my stuff, that was my first call.
Step 6 (Optional): Fight To Have the Laws Changed
Not to be political, but if you think credit freezes should be free (or even a default), contact your state and federal legislators. They’re the people that can change these rules. Some states have freezes (and unfreezes) free.
You Don’t Have to Be A Victim
Your personal and financial information will leak out from all sorts of sources. You can’t prevent that, but you can sure minimize the harm it will do with these steps.