Q&A: Identity theft fears? Get a credit report, credit freeze

Dear Liz: I divorced 32 years ago. Recently, I received calls from a collection agency about a debt that has not been paid. I discovered that my ex used my phone number as one of his contact numbers. My number is supposed to be unlisted and unpublished, but he found it online. I have stopped receiving calls from the agency, but how do I stop this from happening again?

Answer: Please check your credit reports to make sure your ex didn’t swipe even more sensitive digits: namely, your Social Security number. If his credit is bad, he may be tempted to pretend to be you in order to get credit cards, loans or other accounts. That’s identity theft, and there are steps you should take now to protect yourself.

You can access your credit reports for free at AnnualCreditReport.com. (If you’re asked for a credit card number, you’re on the wrong site.) Look for any accounts that aren’t yours and consider freezing your credit reports at each of the bureaus. Credit freezes prevent someone from opening new accounts in your name. You can thaw the freeze whenever you need credit, also for free.

You can’t prevent someone from adding your phone number to their credit applications, but under federal law you can tell a collection agency to stop contacting you, and it must comply. Make the request in writing.

Q&A: How to protect your identity beyond a credit freeze

Dear Liz: I volunteer for an organization that does background checks every two years. A recent check found my name and Social Security number was used in Texas from 2019 to 2021. I have never been to Texas. What can I do to find out how this happened, and how to protect my Social Security number? I have already frozen my account with the three main credit bureaus.

Answer: You may never know exactly how this happened, but you can make an educated guess.

Most Americans’ Social Security numbers have been exposed in one database breach or another, including the massive Equifax breach in 2017 that exposed the personal information of nearly 150 million people. As a result, Social Security numbers are sold by criminals on the dark web for just a few dollars.

Because Social Security numbers have become all-purpose identifiers — something they were never intended to be, by the way — criminals can use a purloined number to get jobs, steal your tax refunds, receive medical care and apply for credit, among other misuses. They also could pretend to be you if they’re ever arrested, something known as criminal identity theft.

Freezing your credit reports will help prevent someone from opening new credit accounts. Credit freezes typically won’t help with the many other types of identity theft, however.

If you haven’t already done so, create a personal account on Social Security’s site to check your earnings record. If what you see doesn’t match your own records, contact the Social Security Administration by calling (800) 772-1213. If someone used your Social Security number to work or get your text refund, contact the IRS at irs.gov/identity-theft-central or by calling (800) 908-4490.

You also can report the fraud to the Federal Trade Commission at IdentityTheft.gov, a site that will create a recovery plan to help you navigate the next steps.

Q&A: Worried about identity theft? Here are some things you can do

Dear Liz: Last week I received my annual mortgage interest report. The envelope was not sealed and my full Social Security number was exposed. Two days later, I received an e-mail from PayPal for a purchase made online in my name with a different address. What do I need to do to protect myself from identity theft and are there any penalties my mortgage company could face?

Answer: The penalties for exposing your information depend on your state’s laws. You can contact your state attorney general’s office for more information.

At the very least, consider reporting the issue to the mortgage company and demanding that your Social Security number be redacted in future mailings. Better yet, see if you can go paperless and download your tax documents, a process that is typically more secure than having your private financial information sent through the mail.

It’s entirely possible the fraudulent purchase was unrelated to your mortgage company’s sloppy practices, but you should still take steps to reduce your odds of being victimized again. Obviously, you need to change your PayPal password but you should also make sure all your accounts — especially your financial and email accounts — have unique, complex passwords. A password manager such as LastPass or 1Password can help you keep track.

Good computer hygiene also can help reduce your risk. That means turning on your computer’s firewall, using a secure browser and keeping that browser up to date. Update and frequently run antivirus software as well.

Another important step in reducing identity theft risk is freezing your credit reports at all three major bureaus: Equifax, Experian and TransUnion. This should prevent someone from opening a new fraudulent credit account in your name but won’t prevent account takeovers, such as what may have happened with your PayPal account.

Detect account problems as quickly as possible by regularly reviewing bank, payment and credit card transactions. Consider putting alerts on your accounts for foreign transactions or transactions over a certain size or signing up with a credit- or identity-monitoring service.

Q&A: An emergency kit document hack

Dear Liz: Thanks for answering my question about storing hard copies of financial services records for emergency preparedness. My wife and I finally reached a compromise: We printed out our account numbers, but we attached code names to them that only we would recognize. Now both of us are comfortable that even though someone might have our account numbers, they’ll never know which financial institution to contact.

Answer: That’s a terrific compromise that keeps your important financial information accessible to you but not to an identity thief.

Q&A: Credit freeze may be inconvenient, but it’s effective

Dear Liz: Is freezing one’s credit reports the safest bet even though it’s inconvenient to get it temporarily unfrozen? Plus you have to pay a fee. At my son’s urging, I had my credit reports frozen since the Equifax incident but I find it very inconvenient whenever some financial firms need to look into my credit score.

Answer: Credit freezes remain the best way to prevent new account fraud, which is when criminals open up bogus credit accounts in your name.

It is somewhat inconvenient to have to remember to thaw the freezes when you apply for credit or other services, and you have to keep track of the personal identification numbers (PINs) that allow you to do so.

The good news is that the fees for instituting and thawing freezes will go away as of Sept. 21. The Dodd-Frank reform that Congress passed this spring included a clause requiring credit bureaus to waive those fees.

Q&A: Credit alert or phishing scam?

Dear Liz: I received a notice from one of my credit card companies stating that they had noticed something amiss in my credit, though not related to their card. The notice suggested I check my credit reports, which I did. Nothing showed up on the reports that was of concern. What else should I do to ensure my credit stays secure?

Answer: Vague “alerts” are a hallmark of phishing emails that are trying to get you to reveal personal information.

If you followed a link in an email to view your credit reports or accessed them on any site other than www.annualcreditreport.com, you may well have handed your Social Security number and other vital data to an identity thief.

If that’s the case, you should freeze your credit reports to prevent the thief from opening new accounts in your name. You might want to do that anyway, given the prevalence and severity of recent database breaches.

Q&A: Ease identity theft fear by checking your credit report

Dear Liz: I am suddenly receiving junk mail addressed to my estranged brother at my house. I’ve been in this house for 15 years and have never before gotten mail addressed to him. Is it possible he applied for credit or something similar using my address? He has always had money issues.

Answer: It’s more typical for an identity thief to divert a victim’s mail to his own address than to cause junk mail to be sent the victim’s way. Still, it can’t hurt to check your credit reports via www.annualcreditreport.com to see if there are any accounts or activity you don’t recognize.

Q&A: Credit freezes complicate setting up online Social Security accounts

Dear Liz: You’ve recently written about protecting ourselves by establishing online Social Security accounts. Social Security prevents me (or anyone else) from creating an online account because I have credit freezes in place. As I understand the process, Social Security uses the credit bureaus to verify my identity. With a freeze, there’s no identity verification. In other words, in order to set up a fraudulent online account, someone besides me would have to unfreeze my credit report first. Is that correct?

Answer: Pretty much. Another way to establish an online account is to go into a local Social Security office with proper identification. But most hackers are unlikely to take the trouble to do either.

You may still want to create an online account to monitor your Social Security earnings record and promptly correct any mistakes or spot employment fraud (someone using your number to get work).

You could make a trip to a Social Security office or temporarily lift your freeze with the bureau that’s providing identity verification services. Currently, that bureau is Equifax — and yes, that’s the bureau that suffered the massive database breach that started this discussion.

Q&A: Freezing Your Social Security Number

Dear Liz: Recently you answered a question about whether Social Security files could be “frozen” to help prevent fraudulent activity, and your response was no. I had just researched that question after the Equifax breach, and found out the Social Security Administration does have a way to block electronic access to your records now, so I had that set up for me. The administration advised that it can be done whether you have an online account or not (I don’t). There is additional information about this on the Social Security website: https://secure.ssa.gov/acu/IPS_INTR/blockaccess

Answer: When you block electronic access to your Social Security file, no one, including you, is able to see your records or change your information online or through the administration’s automated phone service. Blocking access could prevent someone from tampering with your record, but it also could prevent you from detecting misuse of your Social Security number if someone is using it for employment or tax fraud. Blocking access certainly won’t prevent other kinds of identity theft involving credit, medical care or criminal arrest. A better approach might be to set up an online Social Security account to prevent someone else from doing so fraudulently, and to monitor that account regularly.

There is another government service, myE-Verify, that enables you to “lock” your Social Security number. That may prevent someone from using your number to get a job, but only if an employer uses the service to determine applicants’ eligibility to work in the U.S. — and many employers don’t. Even if you succeed in preventing employment fraud, your number could still be used in other types of identity theft. Also, a Social Security lock expires after one year, so you’d need to renew it annually if you want to keep it in place.

Unfortunately, there’s no easy way to prevent your Social Security number from being misused. As long as those nine digits continue to be used as an all-purpose identifier, we will be vulnerable to all kinds of identity theft.

Q&A: Authentication apps can help thwart hackers

Dear Liz: I’ve heard that authentication apps are a better way to go than two-factor authentication that texts codes to your cell phone. Can you explain more?

Answer: Two-factor authentication adds an additional layer of security to financial, email, social media, cloud storage and other accounts. The first factor is something you know, which is a typically a password, and the second is something you have, such as a code that’s texted to you or generated by a device or authentication app.

The second factor is important, since passwords can be guessed or stolen in database breaches. Texted codes can be intercepted by hackers, so security experts recommend using an authenticator. Three popular apps are Google Authenticator, LastPass Authenticator and Microsoft Authenticator.

To use an authenticator, you must first enable two-factor authentication on the account you want to protect. Unfortunately, not every account provider offers two-factor authentication, although they should. You can find whether yours does at twofactorauth.org.

If the account provider supports authentication, you’ll typically be asked to take a snapshot of a QR code using the authenticator app to establish a connection between your account and the app. When you later log in to those sites, you’ll be asked to type in the code randomly generated by the app.

Any security approach can be thwarted, but the idea behind two-factor authentication is making your accounts hard enough to crack that most hackers will move on to an easier target.