Private data such as addresses and social security numbers can be just as valuable to cybercriminals as valid credit card details can be to thieves - if not more so. Lock yours down with our tips.
# Best Practices: Protecting Against Identity Theft
## Overview
These practices address the critical need to safeguard personally identifiable information (PII) such as social security numbers and addresses, which are highly valuable to cybercriminals for identity theft and financial fraud. The focus is on preventative measures, monitoring for signs of compromise, and securing sensitive data handling.
## Key Recommendations
### Immediate Actions
1. **Verify Contact Legitimacy:** If you receive unsolicited calls from financial institutions, assume the caller is fraudulent. **Hang up immediately** and initiate contact yourself using the official, publicly listed number for the institution to verify the claim.
2. **Review Financial Documents:** Immediately check for and scrutinize any unexpected letters from financial institutions (e.g., banks, credit card companies, loan providers) that you do not recognize or use.
3. **Change Key Passwords:** Immediately update the passwords for all online banking and credit card accounts. Ensure these new passwords are strong and unique.
4. **Secure Physical Documents:** Ensure all critical documents containing PII (tax returns, credit card statements, government ID copies) within your residence are stored under lock and key, especially if you employ external contractors or cleaning services.
### Short-term Improvements (1-3 months)
1. **Obtain and Review Free Credit Reports:** Request free credit reports from all three major credit reporting agencies (e.g., Experian, Equifax) to check for unauthorized accounts or loans opened in your name.
2. **Implement Credit Monitoring/Freezing:** Contact the credit reporting agencies about setting up a **fraud alert** or a **credit freeze** to block unauthorized applications for new credit in your name. If you implement a freeze, document the verification steps you will need to lift it later.
3. **Improve Password Change Habits:** Review existing password update policies. If changing a password periodically, avoid predictable modifications like simply appending sequential numbers or standard special characters, as crackers target these patterns.
4. **Review Data Sharing Habits:** Cease completing online forms (e.g., social media quizzes, raffles, free offers) that request PII equivalent to what would be required for a credit card application.
### Long-term Strategy (3+ months)
1. **Establish Document Mailing Protocol:** For highly sensitive mailings (e.g., tax returns, credit applications), cease using internal company mail systems or standard residential mailboxes. **Deliver these documents directly** to a secured postal office drop box or counter.
2. **Develop a Monitoring Schedule:** Establish a recurring, mandatory schedule (e.g., quarterly or bi-annually) to check credit reports and monitor banking activity for irregularities.
3. **Security Awareness Training (Social Media/Phishing):** Educate all users about the risks associated with oversharing personal facts on social media platforms, specifically highlighting quizzes and surveys that harvest sensitive attributes.
## Implementation Guidance
### For Small Organizations
- **Adopt Strong Password Policy:** Enforce a minimum password length (e.g., 12 characters) and mandate the use of a password manager if no centralized system is in place.
- **Physical Security Audit:** Conduct a simple walkthrough to identify any unsecured cabinets or filing areas where employee or customer PII might reside, implementing basic locks immediately.
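As an added example (not part of the source text or any product it mentions), the following Python check enforces the password-change guidance above: the 12-character floor from the small-organization policy and the rejection of predictable rotations ("appending sequential numbers or standard special characters") from the password-change habits recommendation. The length floor, the similarity threshold of two edits, the result codes and the sample passwords are all assumptions made for this example.

```python
import re

MIN_LENGTH = 12  # assumed floor; matches the "e.g., 12 characters" figure above


def _core(password: str) -> str:
    """Lower-case the password and drop any trailing digits/symbols, so
    'Winter2023!' and 'Winter2024!!' both reduce to 'winter'."""
    return re.sub(r"[\d\W_]+$", "", password.lower())


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert/delete/substitute, cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_password_change(old: str, new: str) -> list[str]:
    """Return the policy violations for replacing `old` with `new`.
    An empty list means the change is acceptable."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append("too_short")
    old_l, new_l = old.lower(), new.lower()
    if new_l == old_l:
        problems.append("unchanged")
    elif _core(new_l) == _core(old_l):
        # Only the trailing digits/symbols changed: Summer1 -> Summer2, or '123' appended
        problems.append("trailing_only")
    elif _edit_distance(old_l, new_l) <= 2:
        # A couple of character swaps such as Password1 -> Passw0rd1
        problems.append("too_similar")
    return problems


if __name__ == "__main__":
    # Constructed sample rotations, not real credentials
    for old, new in [("Winter2023!", "Winter2024!!"),
                     ("CorrectHorseBattery", "CorrectHorseBattery123"),
                     ("CorrectHorseBattery", "C0rrectHorseBattery"),
                     ("CorrectHorseBattery", "purple-giraffe-tuesday")]:
        print(f"{old!r} -> {new!r}: {check_password_change(old, new) or 'OK'}")
```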
### For Medium Organizations
- **Formalized Credit Monitoring:** Budget for and implement a service that proactively monitors employee or customer PII if the organization handles significant amounts of sensitive data.
- **Internal Communications Policy:** Develop clear guidelines discouraging employees from discussing sensitive application data (like SSNs or account numbers) over internal messaging systems or during unverified phone calls.
### For Large Enterprises
- **Implement Robust Identity Verification:** Ensure all external and internal communication protocols that involve requesting PII adhere to the principle: **It is the requester's responsibility to prove identity, not the responder's.** Reject any unsolicited request seeking PII confirmation.
- **Data Minimization Review:** Conduct an audit to identify and reduce the storage and retention of sensitive PII where it is not strictly necessary (e.g., securely destroying old customer PII records that exceed regulatory retention limits).
## Configuration Examples
*No specific configuration examples were provided in the source text; focus remains on policy enforcement and behavioral changes.*
## Compliance Alignment
- **NIST SP 800-53 (AC family):** Focus on Access Control and protecting media containing sensitive information.
- **ISO/IEC 27001 (A.18):** Focus on compliance requirements related to PII handling and privacy.
- **FTC Guidelines:** Adherence to recommended best practices for obtaining and managing free consumer credit reports.
## Common Pitfalls to Avoid
1. **Dismissing Suspicious Mail:** Treating letters from unknown financial entities as "junk mail" without verification, which can mask the opening of fraudulent accounts.
2. **Insecure Password Recirculation:** Reusing old, weak passwords or slightly modifying existing ones when forced to change them periodically (e.g., always adding '123' to the end).
3. **Believing Caller Authority:** Assuming a caller is legitimate because they claim to be from your bank or a financial institution, leading to voluntary disclosure of data.
4. **Ignoring Social Media Data Leakage:** Underestimating the risk posed by seemingly innocuous activities, like filling out online quizzes, as a pathway for PII harvesting.
## Resources
- **FTC Website for Free Credit Reports:** (Consumer.ftc.gov/articles/0155-free-credit-reports) - Use this resource to find contact information for the three major credit reporting agencies.
- **FTC Guidance on Fraud Alerts/Credit Freezes:** (Consumer.ftc.gov/articles/0279-extended-fraud-alerts-and-credit-freezes)
- **Guidelines for Creating Strong Passwords:** (Reference material linked in the source for creating strong, non-predictable passwords.)