When I tell people I meet outside of work what I do for a living, the conversation often evolves into questions about practical steps I recommend in order to protect against identity takeovers and fraud.
Unfortunately I sometimes also meet people who have become victims of fraud and wish they had known what to do in advance, which is why I wanted to share this information – so that more people can proactively protect themselves.
So below are my top 10 tips on how to protect yourself from identity takeovers and fraud:
1. Protect your physical mail
Identity takeovers often start with physical mail being stolen from your home letterbox or mailbox, so it's really important to either secure your mailbox or consider using a PO box so that your physical mail cannot be easily stolen. Another option is to switch your accounts to paperless statements so that you don't get sent any physical mail in the first place.
2. Use a password manager
Consider using a password manager so that you always have unique, strong passwords for all of your online accounts. Never re-use any of your passwords across multiple accounts. I know several people who have become victims of fraud purely because they re-used a password that had already been publicly disclosed in a breach (e.g. LinkedIn, Yahoo, Dropbox etc). Most people don't realise that hackers will take a compromised username and password pair and try it across other sites and services until they get lucky – this is known as credential stuffing, and it is automated.
3. Use strong multi-factor
Ensure you set up strong multi-factor authentication (MFA) to access your password manager (e.g. a biometric such as your fingerprint, on top of a long master password), so that even if your master password were compromised the vault is not opened by the password alone. Make use of strong multi-factor authentication (i.e. not SMS) for the rest of your accounts where possible, so that even if your username and password are compromised, the fraudster still cannot get past this additional layer. This is often referred to as app-based authentication – either the service's own app provides the mechanism, or the service integrates with an authenticator app such as Google Authenticator, which generates time-based one-time codes (TOTP) on your device from a secret shared when you enrol, so nothing is sent over the phone network.
4. Check for your credentials in breaches
Check your email address on haveibeenpwned.com to see if any of your accounts have appeared in a breach, or if your user credentials are available to hackers. The same site's Pwned Passwords service lets you check whether a password itself has been exposed, and it does so without ever receiving the password: your device sends only the first five characters of the password's SHA-1 hash and compares the rest locally. If you do find any breaches, change the password for the account listed, and never use the compromised password again anywhere.
5. Protect against mobile phone porting & SIM swapping
Understand "phone porting" and "SIM swapping" and why you need to use stronger multi-factor authentication than SMS. Fraudsters use these techniques once they have your username and password – as the final step, they take over your mobile phone number (by porting it to another provider, or by convincing your provider to issue a replacement SIM) so that they receive your SMS multi-factor codes and password-reset messages instead of you. Contact your mobile phone service provider and ask them to block porting of your number to another provider, and to require a PIN or password on your account before any SIM replacement.
6. Share your info carefully online
Be cautious with the information you share online. This includes your birth date, location, job title, plus your mobile phone number. Fraudsters can easily find this information from Facebook & other social networking platforms and will use it against you for targeted phishing attacks, or to port your mobile phone number so that they can get around SMS based multi-factor.
7. Set up extra protection with your financial institutions
Ensure you have set up a second verification password or passphrase with your banks and financial institutions, so that if a fraudster gets hold of your personal and account details (which are exactly the things used to "verify" callers), you are still protected. Most banks will implement this additional security control if requested.
8. Don’t store valuable stuff in your mailboxes
Don't store passwords, scans or photos of your driving licence, credit cards, passport etc in your email account(s). Most people forget to check their sent items too! If hackers gain access to your email account, they'll search your mailbox for any useful documents, photos etc, and they will also use it to reset the passwords on your other accounts, so never store identity documents there in the first place.
9. Understand how to spot phishing emails
Some identity takeovers start with a phishing email designed to get the credentials needed to access your accounts. Remember that banks and financial institutions will never send you an email asking you to click on a link and confirm your bank details. Also be cautious with unexpected links or attachments – this is another way in which fraudsters can remotely gain access to your machine, or install keystroke loggers to get hold of your usernames and passwords. When in doubt, don't use the link in the email: go to the site by typing its address yourself or via your bookmark. Learn how to spot and report a phishing email if you receive one.
10. Review your home security hygiene
Lastly, I always recommend that you review your security “hygiene” at home – make sure all of your personal computers and mobile devices are always up-to-date, fully patched, and that you’re running up-to-date antivirus software in order to minimise the potential for malware infection.
You also might want to consider how you securely back up your important documents and files, and keep a copy offline (e.g. a couple of USB drives that aren't left plugged in to your machine). This is useful if you ever get hit with ransomware and need to recover rather than paying a ransom!
I value your comments or feedback
So that’s my top 10 tips to proactively protect yourself from online fraudsters. If you have any additional tips – feel free to comment below.
Feel free to contact me directly if you have any issues, or need more help.