Prevention and Detection – Key Methods to Protect Against Identity Fraud

Learn the key methods to prevent and detect identity fraud before it happens to you.

There’s always a risk that identity fraud can happen to you. Nevertheless, there are key steps and regular practices you can implement TODAY to reduce your overall risk. Follow these key methods to prevent and detect identity fraud.

#1 - Freeze. Your. Credit.

Perhaps the single best thing you can do to reduce the risk of identity fraud – freeze your credit with each of the big 3 credit bureaus – Experian, Equifax, and TransUnion. A credit freeze keeps the sensitive data in your credit files from being accessed without your consent. This act is one of the very few ways to truly prevent several means of identity fraud. If your credit is frozen, the credit bureau will not release the data to the potential creditor to approve your application. 

Each time that your credit needs to be legitimately pulled, however, you’ll need to “unfreeze” your credit with the bureau that needs to pull your credit. Unless you’re buying a car every month, it’s very likely you can set and forget your credit freezes for 99% of each year. 

What’s seldom talked about is that this process of freezing and unfreezing your credit would previously cost you up to $10 for each act of freezing/unfreezing, with each bureau! That’s up to $60 just to run your credit. This practice ended with each bureau during the 2020 pandemic when it became completely free to freeze/unfreeze credit with each bureau. To this day, it’s never been easier to freeze/unfreeze credit. You just need to be mindful of maintaining strong authentication controls with each credit bureau account (more on that later).

How to Freeze Your Credit

OK, so you want to protect your and your loved ones’ identities, but how? Step one is to contact each of the three major credit bureaus individually, online or by phone (snail mail is an option too, but it’s 2023 folks!). If you’re doing this online, you’ll need to sign up for an account with each bureau. To do so, you’ll need to provide a decent bit of sensitive personal information such as your name, address, SSN, passport/license, tax documents, utility bills, etc. Once the freezes are in place, your credit files are secured until you lift the freeze or “unfreeze” each account. You can even issue timed temporary unfreezes to apply for credit. In the meantime, you can configure email notifications related to activity with each account.

You can also freeze the credit of a child, spouse, or incapacitated adult at all 3 credit bureaus by providing required documentation (birth certificates, social security cards, court orders, etc.). You’ll just need to ensure they have credit to freeze.

How to Unfreeze Your Credit

As previously mentioned, you can likely keep your credit frozen with all bureaus for 99% of the year. However, you may need to unfreeze your credit to apply for credit so that the lender can assess your ability to pay – whether you’re trying to buy a car or furniture, get a mortgage, rent an apartment, etc.

The actual act of unfreezing your credit is the same as freezing it. You simply need to contact each bureau (online or by phone). 

Pro tips – when applying for credit, identify the bureau(s) that the creditor will be pulling and only unfreeze with the relevant bureau(s). Then set a limited time to unfreeze the credit, execute your credit application, and sleep tight knowing your credit freeze was only temporary.  

#2 - Use Strong Authentication Protocols

Strong authentication protocols – aka the way in which you access your accounts – should be in place for all accounts that are important to you. This should be an absolute no-brainer for your email, financial accounts (including credit bureau accounts), healthcare accounts, social media accounts, computing devices (including laptops and phones), etc. Here are 3 easy ways to implement strong authentication protocols.

Set a Strong Password

Remember this – password length matters more than complexity (special characters and numbers). Your brain will find that last sentence hard to comprehend because every account you sign up for these days requires the opposite (usually only a minimum length of 8 characters, and almost always requires complexity). However, truth be told, the password length is the more critical factor – our professional offensive cybersecurity team will tell you. These folks simulate the actions of real bad actors and can obtain 15-character-or-less passwords (regardless of complexity) more easily than you would be comfortable with. If you’re relying on a password alone (and please don’t) to secure your accounts, it better have a minimum of 16 characters. But why stop there – even at 16-character passwords, your accounts are still very vulnerable. The fact that this password minimum character recommendation continues to increase year after year should tell you that accessing your accounts with only a password is not enough. 
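To put numbers on the length-versus-complexity point, here is an added example (not part of the original article) that compares an 8-character password drawn from all 94 printable symbols with a 16-character lowercase-only one. It assumes every character is picked uniformly at random, and the guessing rate is an illustrative assumption, not a measured figure.

```python
import math
import secrets
import string

# Assumption for illustration only: offline guesses per second. Real rates
# depend on how the service hashes passwords and on the attacker's hardware.
ASSUMED_GUESSES_PER_SECOND = 1e10

FULL_COMPLEXITY = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def entropy_bits(length, alphabet_size):
    """Bits of entropy when each character is chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Years needed to try every candidate in a keyspace of 2**bits."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def generate_password(length=16, alphabet=string.ascii_lowercase):
    """Random password from the OS CSPRNG; enforces the article's 16-character floor."""
    if length < 16:
        raise ValueError("use at least 16 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare_policies():
    """Return {label: (bits, years)} for the two policies contrasted above."""
    policies = {
        "8 chars, full complexity": (8, len(FULL_COMPLEXITY)),
        "16 chars, lowercase only": (16, len(string.ascii_lowercase)),
    }
    result = {}
    for label, (length, size) in policies.items():
        bits = entropy_bits(length, size)
        result[label] = (bits, years_to_exhaust(bits))
    return result


if __name__ == "__main__":
    for label, (bits, years) in compare_policies().items():
        print(f"{label}: {bits:.1f} bits, about {years:,.2f} years to exhaust")
    print("sample:", generate_password())
```

The estimate only holds for randomly generated passwords; a 16-character password built from a common phrase or a reused pattern has far less entropy than the formula suggests.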

Set up Multi-Factor Authentication (MFA)

Set up required extra steps to get into your accounts. There are a lot of effective ways to implement these steps:

  1. SMS-based 2FA codes – where a random temporary code is sent to your mobile device
  2. App-based 2FA codes – where a new random temporary code is continuously generated on an app on your mobile device
  3. App-based 2FA prompts – where a prompt is sent to an app on your mobile device
  4. Physical device-based tokens – where a random temporary code is sent to a separate physical device
  5. Physical device-based biometrics – where a request for biometric data is sent to a separate physical device

Beware that even MFA is still susceptible to an attack. If a bad actor gets access to your phone number, SIM, or mobile device, this becomes a very real threat. 

Use a Password Manager

To effectively implement passwords and MFA, a password manager is imperative. Password managers are one of the best ways to authenticate efficiently and effectively so that you a) use strong passwords; b) don’t reuse passwords; and c) remember the passwords. Keep in mind that your password manager will have ALL the keys to your digital kingdom. When you sign up for a password manager (I recommend 1Password or Bitwarden’s offline versions), you’ll want to save your “secret key” somewhere safe and separate from the password manager itself, so that you can recover your account if ever needed. 

Stay Frosty!

Detection of identity theft is a critical step to protecting your identity. Here’s the punch list of items to regularly perform related to detection: 

  1. Be on the lookout for scams – phishing, spoofing, skimming, the methods are endless and continue to get more sophisticated each day as we get better at protection. When in doubt – trust, but verify – before providing personal information, codes, PINs, etc. to unexpected contacts or unfamiliar sources. Just like they say it’s probably fake if it’s too good to be true, it’s probably a scam if you’re not expecting it. I whitelist all phone calls so that you have to be in my contact list to call my cell phone. 
  2. Check your mailbox before your mail even arrives with Informed Delivery from USPS. Stolen mail = a high impact + easy route to ID fraud.
  3. Check your credit reports regularly through AnnualCreditReport.com and subscribe to alerts through your credit card and sites like CreditKarma or NerdWallet.
  4. Monitor financial accounts and statements – subscribe to alerts with your financial institutions and reconcile all of your transactions.
  5. Monitor healthcare statements – review your “Explanation of Benefits (EOB)” statements and reconcile your services against your insurance benefits.
  6. Subscribe to alerts with each credit bureau.
  7. Subscribe to alerts with HaveIBeenPwned.com to know when accounts associated with your email address(es) have been compromised in a breach.

If you’ve made it this far and have already done or plan to do ANY of the above, then hats off to you! You and yours are safer as a result, and what feels better than that? 

Stay tuned for the next article in our identity fraud series focusing on the correction efforts, should you unfortunately fall victim to all-too-common fraud. 

This is the third article of a series dedicated to navigating the identity fraud landscape through effective detection, prevention and correction efforts.

How Can Schneider Downs Help?

The Schneider Downs IT Risk Advisory Team can advise you on how to strengthen your organization’s risk management position to ensure optimal asset protection, now and in the future. Feel free to reach out to our team directly at [email protected]

About Schneider Downs IT Risk Advisory

Schneider Downs’ team of experienced risk advisory professionals focuses on collaborating with your organization to identify and effectively mitigate risks. Our goal is to understand not only the risks related to potential loss to the organization but to drive solutions that add value to your organization and advise on opportunities to ensure minimal disruption to your business.

To learn more, visit our dedicated IT Risk Advisory page. 


Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2024 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.
