How to protect your ID and financial information
While the topic of protecting your ID, other sensitive information and financial accounts obviously isn’t retirement specific, I thought it would be worth sharing as it applies to everyone and is super important.
The idea to write about this was prompted by a few clients who recently became victims of ID and/or financial theft.
While the below will touch on areas that might more accurately and broadly be referred to as data and/or cyber security, I’m going to generically refer to it as protecting your ID and financial information, since that’s ultimately what people are trying to protect: their IDs and financial information. Some of the tips will be specific to using electronic devices and the Internet, some will be more general.
Additionally, I’m sure many of you reading this are much more knowledgeable in many of these areas than I, and I’m sure the things I’m about to mention don’t cover the full spectrum of what people should consider and be aware of. But, hopefully this list at least covers the main things that apply to most people and is comprehensive enough to be meaningful and impactful.
I suspect that ALL of us already have lots of our private info floating out there in the world, often unbeknownst to us. Such as on the “dark web” which, as far as my non-techy knowledge can explain, is a kind of sub-layer of the World Wide Web that’s not easily or publicly accessible without special knowledge, software or authorization to access. The dark web is a favorite spot for unscrupulous people with nefarious intent to hang out and share info.
With that said, in my opinion, good protection at this point is not only about preventing your info from getting further leaked (because we have to assume your sensitive personal info is already floating around for anyone who cares enough to get it), but also about preventing bad actors from using your info to steal your identity and/or finances.
For example, considering one of the three major credit reporting agencies, Equifax, had a data breach a few years ago, you have to assume that motherlode of EVERYONE’S sensitive personal info was compromised and is now out there in the world. That genie can’t be put back in the bottle, but you can at least help prevent or minimize the potential damage to you that may come of it.
And one final comment before I get into it; I’m going to be mentioning certain product and brand names throughout this. That is not an endorsement or recommendation to use any of those products. Nor am I in any way compensated for mentioning them. I’m just simply sharing some specific product names that I’m aware of. It’s ultimately your responsibility to do your own diligence and research on all of this.
Okay, let’s do it. In no particular order, here’s my list of best practices to consider to help protect your ID and financial information:
Check your credit report regularly
Your credit report is a compilation of all of the “credit,” or loans, lenders have extended to you. Any time you open or have a credit card, home mortgage loan, auto loan, etc., that account and your payment history toward it will be on your credit report.
If a fraudster stole your ID and, pretending to be you, maliciously opened a credit card or took out a loan in your name, you’d see it on your credit report. Granted, it would have been better to prevent that account from getting opened in the first place (see “Freeze your credit” below for more info on that). However, now that the fraudulent account is open and you know about it, you can at least inform the lender that it wasn’t actually you, so you can help protect yourself from whatever fallout there may be when the fraudster eventually stiffs the loan and doesn’t pay it back.
There are three major credit reporting agencies who gather information about your credit accounts and report them on your credit report: TransUnion, Equifax and Experian.
Not all lenders report to all three agencies. As such, looking at your credit report from just one of the agencies may not catch a fraudulent account. Therefore, it’s best to regularly check your report with all three agencies.
Or, there are third party credit reporting aggregator tools such as Credit Karma that combine info from multiple of the credit agencies and summarize them into one consolidated credit report. And they also provide credit “monitoring,” where you can set up alerts to get notified if any new accounts are opened under your name, if any potential lenders query your credit for a potential account, etc.
I’m not an expert on all of the various third-party aggregators out there, but I know Credit Karma is one of the biggest. However, only TransUnion and Equifax report to Credit Karma; Experian does not. Therefore, in theory, a fake account opened in your name may potentially only show up on your Experian credit report. And if you’re only using Credit Karma to monitor your credit, you may not become aware of it.
To check your credit from all three agencies, you can use sites like www.myFICO.com or www.CheckFreeScore.com. And I believe each of the three agencies will let you run a credit report showing info from not just them, but the other two agencies as well (though you may have to pay to have them run a three-agency report).
In summary, regardless of the tool(s) you use, regularly check your credit report, ensuring you’re capturing info from all three agencies.
Freeze your credit
Anytime you (or someone else acting as you…) try to open any kind of credit account such as a credit card or loan, the lender will “run your credit.” That means they look at your credit report and credit score (a numerical figure that represents how good and reliable of a borrower you’ve been) to determine if they’re willing to lend to you.
And it’s not just potential lenders that will run your credit. Landlords might if you’re looking to rent a place to live, utility providers may if you’re looking to start utility services at your home, etc.
Regardless who’s trying to run your credit, if they can’t access and view your credit report, they won’t move forward with opening whatever the sought-after account or service is.
By “freezing” your credit, you can essentially block others from viewing and accessing your credit report. And only if/when you unfreeze your credit can they then access the info.
Each of the three credit reporting agencies lets you freeze your credit with them. You can do so via setting up accounts with them online or through their phone apps. And I believe you may still be able to freeze your credit over the phone, without having to do it via computer or app. Or at least you used to be able to do it over the phone; maybe that’s changed.
Anyway, each of the agencies lets you “unfreeze” your credit at your discretion, so potential lenders can access it when needed. And you can unfreeze it for just a short period of time, like a few hours, or for a number of days. That way, instead of unfreezing it and running the risk of not refreezing it, you can determine in advance how long the unfreezing will last, and it will automatically refreeze at the end of that period.
It used to be that unfreezes had to be done over the phone, and you had to remember a special PIN for each agency, to provide when you called to unfreeze. Now, I believe all three agencies let you quickly unfreeze and refreeze your credit right on their websites or phone apps.
Freezing your credit is very important and goes a long way in preventing fraudsters from opening up bogus credit cards or loans in your name. As I mentioned before, if lenders can’t access your credit, they won’t open the account that’s being requested. This won’t prevent bad actors from stealing your ID, but it will at least stop them from getting loans in your name and damaging your credit.
Get a tax return filing PIN from the IRS
One way in which fraudsters can steal money using your ID is to file a tax return pretending to be you, using your Social Security number. This happened to someone I know about 10 years ago, and he said it was an absolute nightmare.
He went to file his tax return in March of that year. But it was rejected because the IRS said he had already filed. He knew he hadn’t filed, so clearly something was up. What ultimately happened was someone used his Social Security number to file a return as him much earlier in the filing season (i.e. late-January), before he was able to file himself. And the person used made-up info to get a sizable tax refund paid directly into their bank account.
After looking into it more, the IRS realized that first return filed was fraudulent. I don’t know what the ultimate resolution was, as I didn’t stay in touch with the person. However, I know the issue went well into that summer and he still wasn’t able to file his own return yet.
In the past, if/when a taxpayer had been a confirmed victim of tax return ID theft, the IRS would then issue the person a unique PIN every year going forward. The PIN would then be required to be entered onto each year’s tax return going forward for that person. If the PIN entered didn’t match the one provided by the IRS that year, the return would be rejected. This would help prevent the above scenario, where someone would try to fraudulently file a return as someone else.
Up until a couple of years ago, the only way to get a PIN from the IRS was if you were already a victim of ID theft. However, now everyone can voluntarily get a PIN.
The IRS will issue you a PIN, upon request, that you’ll need to provide when filing your tax return. If you, or someone pretending to be you, files a tax return under your Social Security number, the return will be automatically rejected unless your unique PIN is included on the return.
I personally just got my own PIN this year for the first time. I plan on formally recommending it to everyone going forward, but I wanted to try it out myself for a tax year and see how it goes. So far, all went smoothly!
And I know the PIN process works; when I went to file my own tax return this year through my tax prep software, I intentionally left out my PIN. When I tried to e-file my return through the software, I immediately received a rejection notice because the PIN wasn’t provided.
Here are the instructions from the IRS on how to get a PIN. Keep in mind that your PIN changes every year, and you’ll have to log in to the IRS website each year to retrieve the new PIN.
Use strong and unique passwords for all websites and online accounts
As life moves increasingly online, you probably have dozens, if not hundreds, of online accounts to various websites. And to keep your life easy in trying to remember all of those passwords, you may use the same password for every site. Don’t.
If a fraudster hacks into a site and gets access to your password, they will then try logging into other sites as you, using that same password. By using different passwords for every site, you can help prevent them from accessing other sites, even if one or a few sites are compromised.
Additionally, try to make your passwords as long and difficult as possible. Don’t just use simple words and never use personal info such as children’s names, birthdates, etc. Ideally make your passwords long (at least 8 characters, if not much more than that) using a mix of letters, numbers and special characters, and try to mix them up so they look as random as possible.
Doing so obviously means there is no way you’re going to remember them all. And, you never want to write them all down somewhere, as you then risk someone getting their hands on that paper and having access to the entirety of your online life!
This is where using a password manager can greatly help…
Use a password manager
There are many password manager services that act as a central place electronically storing all of your passwords, in a safe and encrypted manner. And they will generate really long, complex, random and unique passwords for all of your various online accounts. All you have to do is create and remember a strong password for the service itself, and they’ll then do the rest for all of your other accounts.
The way they work is when you go to a website’s login page, the password manager will be running in the background, and will know to auto populate your login info for that site. So you don’t have to actually know or remember what the password is for that particular site.
However, if/when you do want or need to know the password, the password manager has a “vault” type of page you can go to that will show all of the various sites and accounts you have, and what the login info is for each.
There are various different password manager tools out there, so shop around and see which one seems to make the most sense for you. I think they all basically work the same, but presumably with little different bells or whistles that may be of importance to you. Some of the more common managers are 1Password, LastPass and Keeper.
Use two-factor authentication (if not multi-factor authentication) wherever possible
Two-factor authentication is when you try to log in to a website and, in addition to having to enter your username and password, it layers on an additional step to confirm it’s you. Most commonly, this additional step is done by sending a code via text message to your cell phone. And then you enter that code into the site you’re trying to log in to.
Multi-factor authentication is when there is more than just a second form of authentication (where the password entry is the first, and the additional code entry is the second). This additional layer, or factor, might be through something like biometric data, for example, such as scanning your fingerprint on your cell phone.
You should ALWAYS enable two-factor authentication where available, especially on sensitive sites like logins to your bank or investment accounts.
Furthermore, if the site allows, use an authenticator app (more on that below) on your phone for the two-factor confirmation, instead of receiving a text message or email with the code. It’s much easier for a hacker to get access to your cell number or email than it is for them to get access into whatever authenticator app you use.
An authenticator app is an app you download onto your phone, where the site you’re trying to log in to will then let you link up their site with your app. Then, whenever you open the app’s section for that particular site, you’ll get a special code for that site. And the code continually refreshes, typically every 30 seconds.
There are various different authenticator apps that all basically do the same thing. Most sites that offer authenticator two-factor verification will let you choose what app you want to use. However, some will require you use a certain authenticator.
The most common authenticator app is probably Duo. Google also has one, and I’m sure there are others.
Use a VPN (Virtual Private Network) whenever on public Wi-Fi
In my opinion (which again, I’m not a tech expert, so take my opinion for what it’s worth!), one of the most surefire ways to expose yourself to having your digital information stolen, getting hacked, etc. is by using public Wi-Fi. If ever you’re in a coffee shop, hotel, public transit station etc., try to avoid using their public Wi-Fi.
Those networks are prime targets for fraudsters to hang out in to try to hack into other people’s devices that are on the network, or to snoop on their browsing info such as what they’re typing into websites.
Ideally, avoid using public Wi-Fi altogether. Instead, do what you need to do on your cell phone, using your cellular data connection to access the Internet. That cellular data connection is much more secure than public Wi-Fi.
Or if you need to use a laptop instead of your cell phone to do something online, get a cellular data plan that lets you “tether” off your cell phone, where your laptop would wirelessly connect to and use your phone’s cellular data connection to access the Internet.
But, if all else fails and you need to go onto public Wi-Fi, make sure you download and use a VPN, or Virtual Private Network.
A VPN is basically an overlay to your device’s connection to the Internet that helps mask and encrypt all data that’s getting transmitted into and out of your device. So, even if bad actors are able to see your device on the public network, they won’t be able to make sense of or use of anything coming in or out of your device. Or at least, that’s my non-expert understanding of a VPN…
Like any other tool, there are various different providers in the space. They all do the same thing at their core, but with different bells and whistles to differentiate themselves. A couple of the more common VPNs are NordVPN and ProtonVPN.
Use separate e-mails for different types of accounts
If you use a single e-mail address for everything that requires one (e.g. financial accounts, utility providers, social media accounts, retail store logins, newsletters, discount codes websites, etc.), there’s a chance that if your e-mail account gets hacked, the hacker would then have access to ALL information you’ve ever sent or received via e-mail. Additionally, they could then pretend to be you by using your e-mail as a two-factor authentication source.
Consider having different e-mail addresses where you use them for different purposes. Perhaps create one that you only use for contact and login purposes for the most important and information-sensitive things, like Social Security, bank accounts, investment accounts, etc.
And then have another e-mail you use for all of the unnecessary and/or lower importance type of stuff in your life where there isn’t likely to be any of your sensitive info available. This would be places such as online news sites, weather sites, online message boards, etc.
By having multiple e-mail addresses, you’d be setting up a virtual wall between the important stuff in your life and the non-important stuff. If someone were to hack into the address used for the less important or less sensitive accounts, it wouldn’t compromise your more important or more sensitive accounts.
Put a “Self-Lock” on your Social Security number within the E-Verify system
I frankly knew nothing about this until someone else recently brought it up to me. I haven’t yet done it myself but am looking more into it.
The U.S. Department of Homeland Security has a program called E-Verify, where hiring employers can use an electronic system to verify a candidate’s authorization to work in the U.S. They do the verification using the Social Security number provided by the candidate.
If someone were to steal your Social Security number and pretend to be you, they potentially can illegally get themselves employed as you. But by putting a “Self-Lock” on your Social Security number, the E-Verify system will block anyone (yourself included) from getting E-Verified.
Like I said, I haven’t looked too much into this yet. But I’m guessing there is a way for you to temporarily lift the lock, such as if/when you’re trying to get a new job. Here’s more info about it all.
Lock your SIM card with your cellular provider
This is another one that I didn’t know anything about until someone recently brought it to my attention. And I’m still researching it before I decide whether or not to do it.
The SIM card in your cell phone is a unique chip that connects your otherwise generic device to you and your particular account with your cellular carrier. In theory, if someone wants to steal your cell phone identity (such as getting access to make and receive calls and texts to and from your number), they can simply take the SIM card out of your device and put it into their own device. And I think fraudsters may potentially even be able to make changes to your SIM card remotely, if they somehow hack into it virtually.
By locking your SIM card, your carrier will prevent anyone from making any changes to your account, transferring your number to a different device, etc. Or at least that’s my basic understanding of it.
If locking your SIM card is something you’re interested in learning more about, contact your cellular carrier to find out more.
Be cognizant of phishing and vishing scams
“Phishing” is when a scammer e-mails you and appears to be a legitimate organization seeking information from you. Specifically, they try to get you to give them sensitive info like your Social Security number, financial account numbers, etc.
An example of e-mail phishing might be an e-mail allegedly from your bank saying there is an issue with your account and that you need to provide your personal info as soon as possible to rectify the problem. They’ll provide some sort of link for you to click on, where it will take you to a website that looks like a legitimate login or info collection page from your bank. It will ask you to provide info like your name, birthdate, address, Social Security number, account number(s), etc. If/when you hit the submit button, all of that information is immediately given to some fraudulent person or organization who then has enough info about you to do a lot of damage.
The same type of scam can be carried out by phone, in which case it’s called “vishing.” For example, you may get a call from someone claiming to be one of your utility companies. And maybe they’re saying they need to do routine confirmations of your personal info to keep your service active. So they ask you for your Social Security number, the info of the bank account connected to your utility account to pay the bill each month, etc. And just like that, they now have enough info about you to do a lot of ID and financial damage.
Phishing and vishing scams are increasingly common and, frankly, sometimes very convincing. But there are some tips and best practices to help you spot and avoid them.
Here is a list from the Federal Trade Commission of how to spot phishing e-mails.
And here is an article from AARP discussing how to spot a phone scam.
While there is no surefire way to ensure you never fall victim to a phishing or vishing scam, you can greatly reduce the chance of becoming a victim by staying as educated as possible on the warning signs.
And if something doesn’t sound or feel right, it probably isn’t!
Be mindful of protecting physical information and items
Thus far, everything I’ve shared has been about digital and online security. Don’t forget about good old fashioned physical security!
For example, for any sensitive information you have at home (e.g. Social Security cards, birth certificates, marriage certificates, etc.) keep them in a locked safe.
Whenever out in your car or any other form of transit, never leave expensive items or items containing sensitive info (e.g. laptop) out in the open where others can easily see and steal them.
Whenever you’re out in public using an electronic device and you have sensitive information up on the screen, be careful to not be positioned so that others can see what you’re looking at. For example, if you’re in a coffee shop on your laptop, make sure no one is looking over your shoulder at your screen.
For all electronic devices, make sure they are set up to have the screen lock after a certain amount of idle time, so that you have to enter a password to unlock the screen. If you ever mistakenly leave a device behind somewhere, or someone breaks into your house and takes your computer or phone, you don’t want them to be able to simply turn on the device and easily access whatever is on it.
Well, that’s it. I hope you found this list helpful. Like I mentioned before, I know I’m not a privacy or data security expert. But having been in the financial services industry for 25 years, and having tried to pay attention to personal best practices in keeping information safe, I’ve gathered what I think is a decent level of knowledge about this stuff. But I’m sure there are some other things and nuances that I missed. Regardless, this list should hopefully cover the major things to do or at least give thought to. Be safe out there!