The combo of increasingly sophisticated scammers and so much of our personal data living online is a scary and frustrating thing to think about. I’d been curious about the topic of cybersecurity and identity since someone tricked Chase into ordering a Macbook Pro with my Ultimate Rewards points, but I finally got connected with an expert in the space, Adam Levin, and learned so much from our conversation (π§ Ep77).
After talking to Adam I went really deep on the topic myself and wanted to share all the ways you can protect yourself and your family. I’ll try to cover it all here, but for more detail, I also recorded an action list episode of everything you can do (π§ Ep78). While I know this whole process can be stressful, I can’t tell you how much better I feel having gotten through it.
π Cybersecurity
Let's start with easy ways to protect the devices you use most to minimize your risk of exposure.
-
Computer: Ensure your encryption is turned on on your computer or laptop. If you have a Mac, you can use FileVault. And for PCs, you can enable it in the device encryption settings.
-
Phone: Set up a PIN and passphrase that will automatically erase after multiple failed attempts. When your phone is locked, prevent notifications that may contain private information from showing up while the phone is locked and disable automatically connecting to new USB devices.
-
Internet: I don’t trust internet service providers (ISPs) to not sell my data, so I always recommend changing DNS from using the one provided by your ISP. But on top of being more secure, using another DNS like Cloudflare 1.1.1.1 is much faster.
-
VPN: Since most traffic is now happening over HTTPS, you probably don’t need to worry about someone stealing your credentials or reading your emails, when you’re using public wifi. However, the owner of the WiFi and their ISP will see the domains of the sites you’re visiting, so if you want a bit more privacy, you should use a VPN like NordVPN (← big discount here). This is especially important when traveling internationally, where many countries have much less restrictive data privacy laws.
-
Ad Blocker: There are a lot of ad blocker chrome extensions (like uBlock Origin) that will prevent ads from seeing info about you. For iOS users, if you pay for iCloud+; you can use Private Relay to add additional privacy in Safari and the Mail app.
-
Email: Set up dedicated emails for social media and financial institutions that you don't give out to anyone.
Also, if you ever receive a link to login to a site you have an account at, please be very careful and look at the entire URL (there are so many tricky ways to make it look authentic, like opening a new window for mail.google.com.[something else].com that’s so small you only see the mail.google.com). Or better yet, instead of clicking any of the links to site logins, just go to the site yourself. Most organizations with any credibility and authority (IRS, police departments) will not be sending you emails as the first line of communication. But in the few instances where it appears to be official, call the agency to confirm.
π Login Credentials
A lot of people have terrible password practices. First, they pick easy-to-decipher passwords because that's what they can most remember. Second, they use the same password for everything. For hackers, it's low-hanging fruit. However, even the strongest, most sophisticated password can be useless if it’s exposed in a security breach (check Have I been Pwned? to check if you’ve been exposed and set up free monitoring alerts). And if you use the same password for multiple logins, a single breach can cause you a massive headache. This is why password managers are becoming a standard practice. They will help create a unique hard-to-decipher password for every site/login and you only have to remember one master password.
My favorite is 1Password, but they have moved to be a fully cloud-hosted platform, which means your credentials are encrypted and stored on their servers (though they don’t even have access to your data). Alternatively, you could self-host your passwords on your devices, but despite that might be more secure, the convenience of cloud-hosting, to me, is worth it.
Here is how you can add even more strength to your login credentials:
-
Email: Use the "+" feature on Gmail. If your email address is: johndoe@gmail.com, you can use johndoe+twitter@gmail.com, and it will create a unique user ID but still route all emails back to your primary address. So now you have a central email, but the login is now different for each site.
-
Security Questions: Make up new (and fake) answers to all of your security questions. It doesn't matter if it is true; what matters is that it's hard to decipher. You can store these new answers in your password manager.
-
2FA: Set up two-factor authentication for all your logins, and where possible avoid the use of SMS (it’s just too common for someone to hijack your phone number and get your 2FA codes). You can use Google Authenticator or Authy or even store them in 1Password (while this might negate the TWO factor part, I still think it’s better than SMS, and you can use true two-factor authentication to get into 1Password). However, If SMS is required (looking at you banks), set up a second phone number (e.g. Google Voice) that you haven’t shared anywhere. You can take it one step further and use a physical security key. I use a YubiKey 5C NFC and as a bonus, you are now eligible for Google Advanced Protection which adds an extra layer of security to your account.
-
Authorized Permissions: Audit all the apps you’ve given permissions to your accounts (e.g., Google, Facebook, Twitter) and delete the ones you no longer need. You may also want to delete and refresh the ones you want to keep, because many services have improved the permissions for what is shared.
π³ Credit & Financial
Your money and credit are major targets for hackers and scammers and you should probably assume your SSN and personal info is online. Here are some precautions you can take to protect yourself:
-
Credit Reports: Review your credit reports, which you can get free each year at AnnualCreditReport.com (though because of the pandemic, you can get them free each week right now). When reviewing, keep an eye out for any accounts you don’t recognize. If you find something wrong, contact the credit reporting agency. You can also set up free credit monitoring alerts with Credit Karma and Experian. If you have been part of a security breach, you might also be eligible for a premium credit monitoring service from the company that leaked your data.
-
Credit Scores: Monitor your credit scores for any big changes that you can't explain, which may suggest you need to investigate further. You can get your score free from Credit Karma and many credit card companies also give you access to your free score (e.g., Chase’s Credit Journey).
-
Transaction Alerts: Sign up for transaction monitoring alerts through your financial institutions and credit card companies. It's free and notifies you anytime there's any activity in your account over the dollar amount you select.
-
Credit Freezes: Freeze your credit through Experian, Equifax, and Transunion, which prevents anyone from opening accounts with your name. You can unfreeze or temporarily lift the freeze when you want to open a new card or take out a loan. There are also two new credit bureaus that I recommend you freeze your credit at as well: Chex Systems and Innovis. You can also sign up for fraud alerts with the credit bureaus, which require additional verification to open any accounts, but it’s likely unnecessary if you’re already going to keep your credit frozen.
-
Banking Permissions: Like Google and Facebook, many financial institutions now support authenticating apps to your financial accounts, so review these regularly as well.
-
Virtual Credit Card Numbers: Some credit cards now offer the ability to generate a unique card number for every merchant you shop at, minimizing the risk that anyone will ever get your primary card number. I mostly use my Capital One® Venture X Rewards Credit Card for online purchases (since it earns 2x points on everything) and the CapitalOne Eno browser extension lets you generate free virtual card numbers that still earn points. Alternatively Privacy.com has a similar service to generate virtual card numbers for free, but you have to connect them to you bank account and won’t earn any points.
-
Credit Card Offers: You can opt-out of all the credit card offers you receive in the mail.
π Identity Theft
Millions of people have become victims of identity theft and in many instances, it’s through no fault of their own. While identity theft is a broad term, there are multiple variations to be aware of:
-
Account Takeover: your cards or credentials are stolen.
-
New Accounts: someone opens loans or accounts in your name.
-
Medical: someone pretends to be you and has medical services billed to you or your healthy insurance provider.
-
Child-related: someone steals/uses your children’s information.
-
Criminal: when your identity is falsely used and involved in a crime.
Some of these are harder to mitigate than others, but here some things you can do to protect yourself:
-
Security Requests: Call your financial institutions and cell phone providers to ask for an increased level of security.
-
Identity Monitoring: Monitor your identity with services like Lifelock or Aura. I’m not sure it’s worth it, but I know that both companies are reputable services.
-
Insurance Policies: Check if your home/renters insurance policies (homeowners/renters) have identity protection added to the policy. If not, you could add it.
-
Resources for Victims: If you’ve been a victim of identity theft and don’t have a paid service to help out, you should check out the Identity Theft Resource Center.
π Personal Data
There are hundreds of data brokers that collect your information. If you Google your name and city or your phone number (in quotes like “212-123-4567”), you’ll likely find many websites with your data. I know I did and it wasn’t very comforting.
I wanted to figure out how to tackle it myself (more on this mistake later), so I found a great list of all the data brokers on GitHub and started manually removing my data from each site. For some of them it's straightforward, others not so much. While the process is tedious, some states are adopting privacy data acts that benefit you and require data brokers to comply with your request.
With so many sites to remove my data from, I ended up spending 10+ hours on what seemed like a never-ending journey. While I (kinda) appreciated the learning experience, I ultimately found DeleteMe, a service that will take care of removing all your personal data from the web. Sure enough, despite my best efforts, they found a handful of sites I had missed that still had my personal data. So if you want to save yourself the time/hassle, I reached out to their CEO to get you 20% off DeleteMe. I also had him join me for a short interview in my protecting yourself action list episode (π§ Ep78) to explain where all this data comes from and why it’s so hard to remove.
Note: If your data is gone from the source, but still showing up in search results, you can use these tools to remove outdated content from search results: Google and Bing.
There are also a few other ways you might want to manage your footprint online:
-
Home: Contact real estate sites (e.g. RedFin and Zillow) to remove any photos, floorplans or virtual tours of your home. You may also want to contact the real estate agent who sold you the home and request they remove all the photos from the MLS. Finally, for the ultimate level of privacy, you can reach out to Google, Bing, or Apple to blur your property from their maps.
-
Location Services: Remove the geotags from public photos you have posted online.
-
Marketing Data: Request your data be removed from marketing sites like Axiom and LexisNexis.
-
Trusts/LLCs: If you want to privately buy/hold property or assets, your best bet is to do it through an LLC (likely two-tiered in many states). However, if that’s too much work and you’d rather just use a revocable trust, consider giving it a name that’s less identifiable than “LASTNAME Family Trust.”
-
Mailboxes: If you want to limit giving out your address online, you can sign up for a mailbox with a service like iPostal1 or Earth Class Mail for as little as $10/mo and use that address when you don’t expect to receive anything important from the site asking for your address. Alternatively you could get a local mailbox or PO Box at the Post Office or UPS store for as little as $20/month.
-
Unsolicited Mail: You can use DMAchoice to prevent unsolicited mail. And if you get catalogs, you can call the company and ask to be removed.
After reading this email, I wouldn't blame you for wanting to turn off all of your technology and never leave your home. The truth is, your information is already out there, so what you can do is stay vigilant and continue to monitor things. There is a lot of valuable information here. For more, check out the two episodes I did on the topic (π§ Ep77 and Ep78). It's only time before you become a target, so why not make yourself a harder target?
The content on this page is accurate as of the posting date; however, some of our partner offers may have expired.
Editor’s Note: Today, I’m grateful for the support of our partners NordVPN, MileValue, DeleteMe, Daffy, Goodr, InsideTracker, 1Password, ButcherBox, MasterClass and Vuori. Opinions expressed here are the author's alone, not those of any bank, credit card issuer, hotel, airline, or other entity. This content has not been reviewed, approved or otherwise endorsed by any of the entities included within the post.
