
Set Up Your Financial Accounts Like You're Going to Be Hacked


In the past week alone, Experian, Facebook and Google have all experienced (or divulged, in Google’s case) security breaches of various levels of seriousness, potentially exposing people’s private information. Never mind Equifax and the thousand-plus other breaches that occurred last year.

That’s why it’s important to be on the defensive when it comes to your financial security, and set up your accounts as if you’re going to be hacked, as Sheera Frenkel writes in the New York Times.

The most important step is also the most obvious: Creating a strong password. “If I could get people to stop two practices, they would be: Don’t use an obvious password like your name, your kid’s name or your birthday, and don’t use the same password for everything,” writes Frenkel. Use a password manager. Lifehacker likes LastPass and 1Password.

Next, pull a credit report and bring up your banking statement. Look through each for signs of fraudulent activity. As Lifehacker wrote before, “credit reports won’t catch everything, for example if someone stole money from your banking accounts or investment funds ... ChexSystems, which is used by banks to verify customers’ identities, offers a security alert and freeze that makes it harder for scammers to open fraudulent accounts.” If you find anything suspect, contact your creditor or bank.

Consider using a single service, like Mint, to keep tabs on all of your various accounts so you can check all of them more seamlessly for strange activity. Check your child’s credit report, too.

Next, freeze your credit reports at the three main credit bureaus: Equifax, Experian and TransUnion (freezes are free now). When you need to unfreeze them, Equifax requires a password, and TransUnion and Experian require a PIN (don’t lose it after you initially freeze your account; otherwise it’s a headache to get a new one).

Turn on two-factor authentication for all of your accounts that allow it (and consider not using services that don’t offer it if they want your financial info). Remember, as Lifehacker wrote before, “if a site wants you to input, say, the first car you ever purchased as an answer to a recovery question, you don’t have to. You can write anything you want, so long as you remember that your ‘first car’ was actually an ‘[insert fake answer here].’” Better yet, use your password manager to keep track of your answers.

You should also be wary of calls, texts and emails from someone claiming to work at your bank, brokerage, etc. There are plenty of horror stories of “banks” calling to tell you you need to change your PIN—armed with personal info like your Social Security Number—from the number associated with your bank, only to have it be a rather savvy scam. If you get a text, call your bank and ask to speak to someone. If they call you, ask if you can hang up and call back, no matter how urgent they make the situation seem. This is also true for a government agency like the IRS—chances are they are not calling you, and they certainly won’t call you and threaten you with jail time, though that is a common scam.

Remember that you don’t need to give out your personal information like your Social Security Number just because someone, like your doctor, asks for it. “When in doubt, ask why the SSN is necessary or leave the space for it blank,” suggests Kiplinger. “Some companies want the number so they can track you down in case you fail to pay bills. An alternative identifier—say, your phone number—may suffice.”

Finally, set a calendar reminder to check one of your free credit reports every four months going forward. You might also consider a credit monitoring service for an extra layer of protection. But remember, too, that the best thing you can do is approach each new account or service as if it’s going to get hacked the next day: Choose a strong password, enable two-factor authentication and be mindful of the information you hand out. And stay vigilant.

Updated October 10, 2018 at 12 p.m.: This post was updated to reflect that you need to choose a six-digit PIN when freezing your TransUnion credit report.