With the ongoing Russian attack on Ukraine, the western world has broadly unified in opposition. Although direct military intervention is not yet on the table, economic sanctions have been widespread and biting. This brings with it increased risks that the U.S. could be targeted by state-sanctioned or independent cyber crime. And, in fact, those groups are actively targeting the infrastructure of Ukrainian allies. Large-scale actions are more likely to hit infrastructure, government, and corporate targets, but individuals should be aware of cyber threats and take steps to understand identity theft protection.
While you’re unlikely to be singled out by a hacking group as part of a targeted attack, deteriorating economic conditions in Russia could lead to more desperation among cyber criminals.
Most individual web users will not face the same kind of technical attacks as large companies and organizations. Individual users are far more likely to be victims of “phishing,” which is an attack that relies more on social engineering than on actual technical exploitation. Per Frontiers in Computer Science, phishing (in which email, text, voice, or web contacts are used to gather personal data) represents 90% of all online attacks, and 95% of the successful attacks are the result of human error.
The same article addresses a wide variety of technical tools, such as security software and email spam filters, but also recommends education to ensure you have the best identity theft protection. With that in mind, we’ve put together five rules to follow for identity theft protection.
5 Rules for Your Identity Theft Protection
Rule 1: Slow Down
One common theme cited in most phishing attempts is urgency. You’ll frequently see words like “emergency, urgent, immediate, critical, impending” and the like. That’s intentional. The Frontiers article mentioned above highlights that stress is a big predictor of whether a user will fall victim to a phishing attack. If you receive a text, email, or social media message demanding immediate contact, slow down. Does the link look authentic? Links with long strings of characters, misspellings, or unexpected prefixes (the article mentions a successful hack that used translate.google.com to convey a sense of authenticity to otherwise fraudulent websites) are your first clue that the contact may not be authentic.
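The three link clues from Rule 1 (long strings of characters, misspellings, unexpected prefixes), as an added Python sketch that is not from the original article. The trusted-domain list, the thresholds (30 characters, 0.85 similarity) and the sample URLs are assumptions constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Assumption: domains the reader actually does business with (constructed list).
TRUSTED = {"microsoft.com", "paypal.com", "chase.com"}
# Translation front-end the article says was used to make fake sites look authentic.
RELAY_HOSTS = {"translate.google.com"}


def base_domain(host):
    # Simplification: last two labels. A real tool would use the Public Suffix List.
    return ".".join(host.split(".")[-2:])


def link_red_flags(url, trusted=TRUSTED):
    """Return the Rule 1 warning signs found in a link, in a fixed order."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    base = base_domain(host)
    flags = []
    if host in RELAY_HOSTS:
        # The link reaches its real destination through a well-known name.
        flags.append("relay-prefix")
    elif base not in trusted:
        # A trusted name used as a prefix of somebody else's domain.
        if any(host.startswith(t + ".") or "." + t + "." in host for t in trusted):
            flags.append("trusted-name-as-prefix")
        # A near-miss spelling of a trusted domain.
        if any(SequenceMatcher(None, base, t).ratio() >= 0.85 for t in trusted):
            flags.append("misspelled-domain")
    # A long unbroken run of characters in the path or query string.
    if re.search(r"[A-Za-z0-9_-]{30,}", parts.path + "?" + parts.query):
        flags.append("long-random-string")
    return flags


if __name__ == "__main__":
    samples = [  # constructed sample links, not real indicators
        "https://www.microsoft.com/en-us/security",
        "http://rnicrosoft.com/login",
        "https://paypal.com.account-verify.example/session/9f8a7c6b5d4e3f2a1b0c9d8e7f6a5b4c3d2e",
        "https://translate.google.com/translate?u=http://login.example/",
    ]
    for url in samples:
        print(link_red_flags(url) or ["no flags"], url)
```

An empty result only means none of these three clues fired; it does not make a link safe, which is why Rule 2 still applies.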
If you’ve clicked a link or responded to a text and find yourself in contact with somebody purporting to be “technical support,” slow down. Real technical support representatives won’t rush you and would be perfectly happy to provide a reference number or accept a call back via a trusted number.
Rule 2: Make Contact on Your Terms
Most phishing attempts rely on the appearance of authenticity. Scammers trust that you’ll believe they’re with a software company, trusted website or financial institution. If you’ve received a link or a request to contact Microsoft support or your bank that you’re unsure about, don’t follow that link. Instead, find a trusted phone number (on the back of your credit or debit card for your bank, or on a company homepage for many software providers) and initiate contact on your own terms. If you really do need to resolve an issue of some sort, customer service agents through a trusted, proactive contact will be able to identify it.
Rule 3: Change Passwords
If you believe any of your information has been compromised, either because you provided it to someone you believed to be technical support or because you downloaded software and entered login credentials, you need to change passwords where appropriate. If you clicked a link or downloaded software, you’ll first need to run antivirus and anti-malware software (make sure it’s up to date if it’s installed on your computer). Malwarebytes, CrowdStrike, McAfee, and Norton are all good options that offer free or affordable scanning software. After you’ve ensured that your computer is malware-free, change any potentially compromised passwords. Adding two-factor authentication (2FA) is always helpful, as it can prevent logins and password changes from new computers.
Typically, with 2FA you’ll provide a phone number where you can receive an authentication code via text.
Rule 4: Review Account Activity
If you’re concerned that you may have disclosed banking or financial information due to a phishing attack, you’ll want to monitor your account activity and be on the lookout for unexpected charges. If you see any unexpected activity, contact your financial company immediately. You may face the inconvenience of waiting for new cards or even setting up a new account, but it’s far better than losing money to fraud. You also may want to consider using credit monitoring services to ensure that your information is not used to create new accounts.
Rule 5: Never Buy Gift Cards
If you’ve done your best to follow the tips above but still find yourself talking with a service agent who is requesting payment via gift card, stop immediately. Gift cards are popular with scammers because once you’ve purchased them, they’re essentially untraceable. Plus, if you’ve gone out and purchased a gift card, you have little recourse with your bank because the purchase itself is not fraudulent. If you find yourself in this situation, end your contact and immediately go through the previous steps on this list.
One final note: scammers may attempt to use older victims’ age against them by calling and pretending to be a younger relative like a nephew, niece, or grandchild. If you receive a call from someone acting like a family member and requesting help getting out of trouble (like being arrested in another country and being too ashamed to go to their own parents), ask other family members if that person is traveling or may actually need assistance before taking any steps to move money. Scammers use embarrassment as a tool, but an uncomfortable conversation is better than the feeling of being “had” by a scammer.
How do you protect yourself from identity theft?
*This post has been updated from a version published in 2021.