Identity theft cost Americans $10 billion in 2023. Most of it is preventable with a handful of simple protective measures. Here’s exactly what to do.
Freeze your credit (most important)
A credit freeze prevents anyone from opening new accounts in your name — even if they have your Social Security number, address, and full personal information. It’s free, takes about 15 minutes across all three bureaus, and can be temporarily lifted when you need to apply for credit. There is almost no downside for most people. Go to equifax.com, experian.com, and transunion.com and freeze your credit at all three.
Use unique passwords for every account
Using the same password across multiple accounts means one data breach exposes everything. A password manager (1Password, Bitwarden, Dashlane) generates and stores unique, complex passwords for every account. You only need to remember one master password. This is one of the highest-impact security steps you can take.
Enable two-factor authentication on financial accounts
2FA requires a second verification step (text message, authenticator app, or biometric) when logging in. Even if someone has your password, they can’t access your account without the second factor. Enable this on every financial account — bank, brokerage, credit cards, email (especially email, which is the master key to everything else).
Monitor your credit regularly
Check your credit reports at AnnualCreditReport.com — you’re entitled to free weekly reports from all three bureaus. Look for accounts you don’t recognize, inquiries you didn’t authorize, or addresses you’ve never lived at. Early detection limits damage significantly. Apps like Credit Karma also send alerts when changes appear on your report.
Be cautious with your Social Security number
Your SSN is the master key to your financial identity. Don’t carry your Social Security card in your wallet. Don’t provide your SSN unless absolutely required (medical forms, tax documents, new employer, credit applications). When asked by businesses, ask if an alternative identifier works instead.
Watch out for phishing
Most identity theft starts with phishing — a fake email, text, or call pretending to be your bank, the IRS, Amazon, or another trusted entity. Key rule: never click links in emails or texts asking for credentials or sensitive information. Go directly to the website by typing the URL. No legitimate organization will demand immediate action via an unsolicited message.
What to do if it happens
File a report at IdentityTheft.gov — the FTC’s dedicated site provides a personalized recovery plan. Contact the affected companies directly. File a police report. Place a fraud alert or extended fraud alert with the credit bureaus. The recovery process is bureaucratic but manageable.