Protecting Yourself from Fraud, Theft, and Scams (Part 1)

Last month, I published a guest post from David Champion about the benefits he’s derived from gamifying his retirement spending. A discussion developed in the comments related to the challenge of securing your online accounts.

David was a software engineer before retiring early. In addition to the expertise his background provides, he’s spent time and energy educating himself on the topic of securing your identity and financial accounts.

He has generously offered to share that expertise in a practical and actionable way. Take it away David….

The 80-20 Rule

We’ve all heard of it, right? The 80-20 rule holds that 80% of outcomes are attributable to 20% of causes. It has been used to explain results in domains as diverse as engineering, economics and psychology. It can be a useful heuristic when choosing between options where the right call is not otherwise obvious.

Here I want to apply it to an area that many of us neglect, but that we should probably pay more attention to: securing our financial assets from identity thieves and cybercriminals.

Protecting ourselves from all possible threats would require a mind-numbing array of preventative measures. It is simply not worth the effort for the vast majority of us.

But I propose that implementing just two of them will protect us from 80% of the threat universe. That is, in terms of the 80-20 rule, implementing just 20% of preventative measures will net us 80% protection.

As a bonus, in a follow-up post I will present two additional steps that, when combined with the first two, will get us closer to 95% protection.

Related: Protecting Your Assets in a Digital World

Freeze Your Credit Reports

Freezing your credit reports is perhaps the single most effective step you can take to mitigate the risk of identity theft.


Before a financial institution agrees to sell you a product, it needs to know that you are who you say you are and, if so, that you are a good financial citizen. It does this by pulling your credit report, typically from one of the three principal credit reporting agencies: Equifax, Experian, or TransUnion.

To pull your credit report, the financial institution needs your social security number, along with other bits of personally identifiable information (PII), to present to one or more of these agencies. You provide these details to the financial institution. In exchange, they consider you for the product or service you are applying for.

Now, consider this chilling fact. Despite your best efforts to keep it a secret, your social security number is likely already available on the dark web, just waiting to be exploited by an identity thief.

Along with your other requisite PII–most of which is readily available in the public domain–an identity thief can use your social security number to apply for a loan or credit card, or open a bank account, in your name. Once this happens, the damage to your financial bona fides can be devastating. The burden is entirely on you to clear it up.

If your credit reports are frozen, however, the identity thief has a problem: the credit reporting agency won’t release a report that has been frozen without authorization to do so. Since you instituted the freeze, only you can provide this authorization. And without the credit report, the financial institution will deny the application for the financial product or service.

Suddenly, your leaked social security number is a lot less valuable to the identity thief, and he will move on to the next victim.

Action Items

The home pages of the big three credit reporting agencies I linked above provide step-by-step instructions for freezing your credit report, so I am not going to regurgitate the details here. Suffice it to say it’ll take you an hour, tops, to implement freezes at all three.

Best of all, thanks to a federal law passed in 2018, all three agencies are required to provide this service at no cost to you.

You may have to scroll down the homepage a bit to find the right place to start (after all, these agencies want to sell you their paid services, not give away the free ones). I just confirmed that each homepage features the relevant link.


There are a couple of details worth mentioning. All of the credit agencies offer credit locks, in addition to freezes. I recommend the latter. Locks are theoretically easier to lift, but the agencies charge you a fee for the privilege. Unless you are planning to apply for loans, credit cards, and the like in the near future, if you choose a lock you’ll be paying for a convenience you likely won’t use.

Also, if you do wind up having to lift a freeze, you’ll need to know at which agency to lift it. For example, recently I applied for a Chase credit card. Chase did not make it clear which agency they use to pull credit reports.

A simple Google search yielded the answer. With that, I logged in to my account at that agency and unfroze my file. They even allowed me to set an expiration date for the thaw, so I didn’t have to remember to log back in to re-freeze it.

Freezing your credit reports won’t completely erase the value of your social security number to bad actors. An identity thief could still file a fraudulent tax return, or apply for (and even work at) a job, using your social security number. Neither action requires the intervention of a credit reporting agency.

But herein lies another manifestation of the 80-20 rule. The 80% protection gained from freezing your credit reports is better than the 0% without.

Last Word

Don’t give out your social security number to just anyone. A good rule of thumb is this: if you didn’t initiate a contact, and that contact asks you for your social security number, don’t divulge it. And if you did initiate the contact, at least ask them why they need it.

Related: Identity Theft Strikes Home!

Don’t Open Unverified Attachments or Links

The second most important step you can take to protect yourself is not something you should do, but rather something you should not do: open attachments or links on your smartphone, tablet or computer unless you are sure they are legit.


Malicious attachments and links are types of phishing attacks. They can come not just in the form of email attachments, but also clickable links embedded in emails and text messages.

If you open a malicious attachment or link, your device may become compromised. In the best case, this could mean it will be co-opted in a cryptocurrency mining pool, causing your device to slow to a crawl (see cryptojacking). In the worst case, the data on your device could be encrypted, making it inaccessible to you pending payment of a steep ransom (see ransomware).

Action Items

Develop Good Habits

Avoiding these (and potentially other catastrophic) outcomes simply requires developing good habits, like fastening your seatbelt before you even start the car, or brushing your teeth first thing in the morning.

Start by assuming every attachment or link you lay eyeballs on is malicious. That is, assume it is guilty until proven innocent.

Due Diligence

How do you prove an attachment or link is innocent? It starts with the same advice I gave for divulging your social security number. If you requested the email or text message containing the attachment or link, it is probably okay. But if you didn’t request it, it probably is not.

Even if the email came from a person you know and trust, if you didn’t request the email, check with that person to confirm they indeed sent it before opening the attachment or link. Email spoofing is astoundingly easy.

As a result, the tactic is commonly used by cybercriminals. This tactic has tricked even the savviest of recipients into opening malicious attachments.

If the email came from an entity you do not know personally, but with whom you have a relationship (say your bank), read the email carefully before opening any attachments. Does the email make sense? Is it written in good English, using correct spelling and grammar? If the answer to any of these is no, then the attachment is almost assuredly malicious.

Even if it passes the native-English test, be suspicious if the email contains baiting language. For example, an email from your bank requesting that you log in immediately to change your password due to a “security incident” is a red flag. A bank or financial institution will never ask you to take such action via a link embedded in an unsolicited email or text message.

When In Doubt

Finally, if the email came from somebody or something you’ve never heard of, assume it is malicious and delete it (or move it to your spam folder) summarily. This can be especially hard to do if the message contains baiting language of another sort, such as, “Click here to claim your prize!”

Generally speaking, the more tempted you are to open an attachment or link–by fear, greed or some other powerful emotion–the more suspicious you should be.

Social engineering techniques are specifically designed in this way to manipulate potential victims. Don’t let yourself be one of them.


There are many other ways a hacker can try to trick you, far too many to catalog here. Just being aware that social engineering is a thing will put you ahead of the curve.

Above all, remember the 80-20 rule. If you develop a habit of healthy skepticism toward all attachments and links, you will protect yourself from the vast majority of threats.

Last Word

For an extra layer of protection, keep the software on your devices up to date. New vulnerabilities are being discovered literally every day. Device and app vendors are in a constant race to stay ahead of them via software updates.

The more up to date your software, the less likely your device will be compromised if you accidentally open a malicious attachment or link. That’s because the vendor may have included protections against the malware in a recent update.

So the next time your smartphone, tablet, or computer prompts you to do an update, think twice about rejecting it. Better still, enable automatic updates on your device. That way, you won’t even have to think about it.

Wrapping Up

Freezing your credit reports and practicing vigilance with attachments and links will go a long way toward protecting your assets and identity. You get lots of protection for minimum effort and zero cost.

In an upcoming post I will propose two additional steps you can take to stretch your protection even further. To whet your appetite, the topics of that post will be multi-factor authentication and good password hygiene.

True to the 80-20 rule, there are ways to maximize the benefits of those, too, while avoiding needless additional complexity. So stay tuned for those details in the next post.

* * *

[I’m David Champion. I retired from a career in software development in March 2019, just shy of my 53rd birthday. To position myself for 40+ years of worry-free retirement, I consumed all manner of early-retirement resources. Notable among these was CanIRetireYet, whose newsletters I have received in my inbox every Monday morning for the last ten years. CanIRetireYet is one of exactly two personal finance newsletters I subscribe to. Why? Because of the practical, no-nonsense advice I find here. I attribute my financial success in no small part to what I have learned from Darrow and Chris. In sharing some of my own observations on the early-retirement journey, I aim to maintain the high standard of value readers of CanIRetireYet have come to expect.]

* * *


  1. It is interesting that this comm should arrive this AM. I was called this morning by someone who claimed to be from the VA and asked me to prove who I am. This is a bit backward.

    In general, if someone calls you – do not supply them with any personal info. It is the caller’s duty to verify who they are. If you get an email, never use links in the email to contact them. Use previously verified contact info (phones, links, or address).

    Scams abound – don’t give out personal info unless you know who is getting it.

    1. Timely, indeed! And you are right that call from the VA sounds scammy. Looks like you did the right thing and did NOT divulge any sensitive information to the caller. Good for you, Shawn, and thanks for the share.

  2. Hi Chris and David! WOWEE. What a lightbulb moment. As I was reading the paragraph about freezing your credit, I thought “holy moly.” It never occurred to me but both of your points make fabulous sense. We have no plans to apply for credit soon. Should that change, it seems to be an easy fix to correct by me, when needed. I look forward to your other two suggestions for nearly 95% protection. Who needs LifeLock?! {{Hugs}} ~smile~ Roseanne

    1. Glad to know this post has prompted you to take action to protect yourself, Roseanne. I had a similar “lightbulb” moment when I learned about this feature years ago. In those days it was a huge pain to freeze your credit reports (and even more so to lift one, as I had to do once when applying for a job). Nowadays, it has become so easy there is really no good reason not to do it.

  3. Great idea. If you could address next week, I’ve wondered how safe my investment and credit card accounts are that get read and uploaded into services such as Yahoo Finance, Mint, Monarch, Empower. Thanks in advance.

    1. That’s a great question, Patrick. As someone who runs on the paranoid side, I do not share any external account information with third parties, unless there is a very good reason to do so.

      For example, I have an account at Fidelity, and use their online retirement calculator regularly. Of course Fidelity offers to make life easier by asking me to link my external accounts, saving me the trouble of entering that information manually. But I won’t do it.

      Nor do I save my credit card information when prompted when paying for products or services online.

      My reasoning goes like this: the more of my personal data I share online, the more of it there is to steal (or get compromised due to carelessness).

  4. Thank you for this concise and actionable information. I froze my credit reports several years ago and have only had to “thaw and refreeze” once. It was a breeze to do so and so worth doing. I also try to be vigilant about clickbait which is such a quagmire even if it’s from a “legitimate” source since you easily can fall down a rabbit hole moving from legit into fake sites.

    1. Thanks for sharing your experience, Rebecca, and for reinforcing how easy it is to manage a credit freeze. I hope this post–and your comments–will prompt others to do the same.

  5. Thanks for the great and timely information as better digital hygiene is a good goal for the new year.
    How important is it to freeze one’s information at Chex Systems, Innovis, LexisNexis and NCTUE and to get an IRS pin?
    I hope you’ll address password managers in your next post too.
    It’s easy to get overwhelmed or go down a rabbit-hole of paranoia with this stuff, so your 80/20 puts it in perspective.

    1. Thanks, RB!
      I would say by all means freeze your files at these other consumer reporting agencies, although they have slightly different focuses than the big-three I mentioned in the post (ChexSystems, for example, monitors checking account activity).

      Nevertheless, all of the agencies you mention collect (and sell) information about us, so I think freezing would be worthwhile. To the best of my knowledge, freezes at these agencies are also free.

      You hit the nail on the head, though. In keeping with the 80-20 rule, my aim was to encourage readers to go after the low-hanging fruit (Equifax, Experian and TransUnion), not overwhelm to the point of taking no action at all.

  6. This was very helpful. Thank you. I’m hoping the credit freeze option is also available to Canadians.

    Another suggestion: I have a separate email address that I use when ordering online. I don’t order online often, but when I do there is a noticeable spike in spam mail on this account. Since this address is only used for one purpose, I know that the incoming emails are not legit. This account is not linked to my contacts so hopefully none of my friends/family are receiving spam with my name on it. Not sure how effective this is in keeping my personal information secure or protecting my computer, but it sure helps on cutting down on the amount of spam I have to weed through in my regular email inbox.

    1. Excellent advice, Veronica.

      I too maintain a “burner” email address, but I use mine primarily as a backup in case I lose (and need to regain access to) my primary email address (both Gmail). I should probably be more disciplined, like you, and use it instead of my primary when prompted to divulge my email address online.

      Our email addresses have become markers of our identity in the online universe. One way to preserve anonymity in that chaotic universe is to decouple ourselves from such markers, which is effectively what you are doing.

      The same can be said for our phone numbers. Unless I am sure an entity requesting my phone number really needs it, I don’t divulge it (or fake the number if it is a required field in an online form).

  7. I had frozen my mother’s credit on all 3 at their websites. It is a joke. Mom is for all intents and purposes blind at 85 years old. And yes I had POA. All my brother and sister in law had to do was call each credit bureau and unfreeze it by pretending to be her. I then put a fraud alert out. Again all they had to do was call and voilà it went away, along with $115,000 loan they got using her credit. I complained to the credit bureaus. Quite frankly if one goes to the trouble to set up passwords and answers to questions online, it should NEVER be unfrozen via a phone call. It should only be unfrozen by going back into the website. So yeah you think you are protecting yourself or your loved one, but it doesn’t mean a darn thing when a phone call takes it all away.

    1. I am so sorry, Lady. What happened to you is terrible.

      I think the goal of the agencies is to walk the fine line between security and ease of use. Because if the security is too hard to set up, then nobody will use it (their version of the 80-20 rule). Unfortunately, ease of use can be abused, as it was in your case.

      If someone is determined to steal your money, 100% protection is hard to achieve.

      Really sorry this happened to you. I hope you got it sorted out.

  8. I just read your great post yet a bit late but I have a question regarding joint account w spouse. If I have my credit frozen but my spouse has not or doesn’t want to, can our joint account be compromised? Thanks.

    1. Great question, Art.

      A credit freeze in and of itself will not prevent an account (joint or otherwise) from getting compromised. Instead, credit freezes are designed to prevent bad actors from applying for NEW accounts in your name.

      However, joint accounts will appear on both you and your spouse’s credit reports. This means that if either spouse neglects or abuses that account (say doesn’t pay the bills on time), both your credit scores will be damaged.

      If you are concerned about this, the only remedy I can think of is to separate your joint accounts.

      Hope this makes sense.
