Protecting yourself from identity fraud is possible, but the wisest approaches aren't always obvious.
Doing a thorough job means thinking about concepts like hard drive wiping, file system encryption and phishing detection--not everyday fare for many of us. To help you protect yourself from identity fraudsters, CNET News.com has compiled the following list of frequently asked questions and their answers.
How could identity fraudsters get my personal information in the first place?
It depends. Fraud artists can bribe employees of banks or credit card companies who have access to confidential records, or they can pose as an employer or landlord to get a copy of your credit report, or simply steal a wallet, purse or your mail. One of the most common ways that information is snatched is through lost credit cards. All of those techniques are more frequent than any methods using the Internet.
Once my information is nabbed by a crook, how is it typically used?
Plain-vanilla credit card fraud is the most common way information is used. It gets more serious when criminals use your information to open up new bank or credit card accounts, take out a loan or obtain mobile phone service. Often, you won't realize until much later that you have become a victim, because the criminals don't use your home address for statements.
A more worrisome technique involves someone posing as you in person: Obtaining a driver's license with your name but with their photograph and giving your name to the police during an arrest, for example. If you miss the court date, a warrant will be issued for your arrest.
How about my credit cards and ATM cards--am I legally liable for their use if they're stolen?
For ATM cards, the answer lies in a federal law called the Electronic Fund Transfer Act. If you report the loss within two business days after you discovered it, your losses are limited to $50. Wait 60 days, and you could be responsible for $500. If even more time elapses, you might not have any legal recourse. Check your bank statements regularly.
However, all the major credit card companies have said that they have instituted "zero-liability" policies that mean they will not hold their customers responsible for any amount at all. The Federal Trade Commission has suggestions on how to avoid credit card fraud.
How can I protect myself?
Remain vigilant. That means reviewing your credit reports at least once a year, and preferably every few months. If you have good reason to suspect mischief, you can subscribe to a credit-monitoring service (such as Experian's, at $10 a month) that sends e-mail alerts of changes to your accounts. Beware of the scam Web sites that can pop up when you search for "credit reports" or "credit monitoring" on Google and other engines.
Be careful with the passwords for your bank, credit card and utility service accounts. When using online services, make sure to type in the correct URL for the site you want to visit. Never click on links in an e-mail or on a Web site that you don't know to be reliable. These could be part of a phishing scam, which typically uses forged e-mails and faked Web sites that pretend to belong to trusted service providers like a bank.
Putting a lock on your mailbox and not placing outgoing mail in an unsecured mailbox is smart. So is buying a paper shredder--identity fraudsters have been known to rummage through garbage or steal mail, and the U.S. Supreme Court has ruled that police don't need a warrant when trash-diving. Still, Dumpster diving was linked to only 2.5 percent of identity fraud cases in 2004, and mailbox theft to 8 percent, according to research by Javelin Strategy & Research.
Am I eligible to get a free copy of my credit report?
Almost certainly. Thanks to the Fair and Accurate Credit Transactions Act of 2003, U.S. residents are entitled to one free credit report a year from AnnualCreditReport.com (the corresponding phone number is 877-322-8228). Experts suggest ordering one from a different agency every four months. Check the number of open accounts on the report to make sure that the total agrees with what you would expect. You're also entitled to a free credit report when you have reason to suspect identity fraud.
What should I do if I think my identity has been misused?
Contact one of the three major credit bureaus (Experian, Equifax, TRW) to place what's known as a "fraud alert" on your credit report. You need to call only one of the companies; it in turn will contact the other two. An initial fraud alert stays in place for 90 days. If there is an alert on your record, businesses have to take extra steps to verify your identity when issuing credit. A credit card company could phone you, for example.
Once you've created the fraud alert, review copies of your credit report to make sure that all the accounts listed are yours. Close any that are unauthorized. The best way to do this is to fill out an ID theft affidavit.
Do I need to give out my Social Security number?
Sometimes. Your employer and financial institutions have a legitimate reason to ask for it. But many other companies use the SSN as a convenient way to give you a unique ID number in a database. In those cases, you may not be required to divulge it. The Social Security Administration advises: "You should treat your Social Security number as confidential information and avoid giving it out unnecessarily."
I know I'm supposed to shred my trash, but what about my computer? What if I want to throw it away or give it away?
Don't even think about getting rid of it until that hard drive has been thoroughly wiped. A typical hard drive--complete with tax returns, e-mail and cached Web pages--can be a treasure trove for identity fraudsters. Two MIT graduate students found a shocking amount of sensitive information on used hard drives they purchased.
Under Microsoft Windows, even formatting the hard drive isn't enough. Windows programs like CyberScrub can ensure that the data is completely overwritten. On the Macintosh, newer versions of OS X offer a "Secure Delete" option. Use it.
That's fine for when I'm planning to get rid of an old PC. What if my laptop is stolen with all my files on it?
Encrypt your data. That once was an onerous process involving command-line arcana worthy of C inventor Dennis Ritchie. Not any more.
Anyone with a Macintosh computer running the OS X operating system is in the best shape, thanks to Apple Computer's built-in FileVault utility. It transparently encrypts and decrypts your home directory and other important areas of the hard drive. Windows users should consider purchasing an add-on such as that from PGP, which announced an expanded "Whole Disk Encryption" product line this month. Microsoft plans to offer more encryption capabilities in the next release of Windows, called Vista.
How can I tell whether e-mail claiming to be from my bank or credit card company is actually a "phishing" scam?
There's often not an easy way: The current, insecure design of Internet e-mail permits scammers to pose as legitimate businesses. American Express offers some tips, which include questioning whether the e-mail's purported urgency really makes sense.
Unless you're sure of their legitimacy, avoid clicking on links in e-mail that seem to be from banks or credit card companies. Instead, manually type in the Web site's address in your browser. Also, consider obtaining an e-mail address just for bank and other statements--that way, if you receive e-mail from a "financial institution" sent to your normal, public address, you'll know it's a scam.
There are tools that can help you detect phishing scams. U.K.-based Netcraft offers an antiphishing toolbar that plugs into your Web browser; Netscape has protection built into its latest Web browser; and Microsoft also provides technology in its MSN toolbar.
What should I do to protect my computer from Trojan horses, viruses and worms that could be used to get into my personal files?
If your computer is running on Windows software, you've got some work to do. The latest version of Windows, Windows XP with Service Pack 2, is the most secure. However, do check Microsoft's Windows Update site to make sure that your operating system isn't outdated and vulnerable and that you are automatically receiving security fixes.
But if you're using Mac OS X or another Unix variant, congratulations! You should always make backups, of course, and keep your system software up-to-date. But you're likely to be much safer, since there are fewer malicious code attacks that target those operating systems. However, using Mac OS or Linux won't protect you against phishing scams, which require vigilance and common sense.
CNET News.com's Joris Evers contributed to this FAQ.