Ah, another year has passed and we’re ready to jump into the future of 2019. First, let’s take a look back at our predictions from 2018 that came true. We discussed the potential of AI to stop hacking, scammers’ new techniques to take advantage of social media users and transparency in IoT devices. Of course, with the emergence of technology and cybercriminals evolving their techniques, unanticipated challenges have arisen.

2019’s focus will be on data: Data breaches, data abuses, data privacy.  Even though ITRC is first and foremost a victim service and consumer education organization, we know that the thieves need our data in order to perpetrate their fraud and identity theft.

Data breaches: Consumers will gain more clarity about how a specific breach actually affects them. Breached entities will be pushed to be more transparent and less vague about the specifics of the type of data that has been breached. Vague terms such as “and other data” or “client records” that currently appear on data breach notification letters will no longer be tolerated by breach victims. Thieves are always looking to get their hands on our data, and with a little technique called “credential cracking,” we think we’re going to be seeing more security notifications, not just breach notifications, in 2019. Here’s what’s going on: following a large-scale data breach, and in order to gain access to your online accounts, a hacker simply uses a large database of usernames and allows the computer to “guess” the passwords for each account they are attempting to log into. We’re beginning to see companies send security notifications to their customers that their username/email credentials are being used – possibly by an unauthorized user – to log in to their platform even if there is no account (e.g., Warby Parker & Dunkin Donuts).

Data Abuses: The public will gain more insights into data abuses, not just breaches.  More incidents, like the Facebook/Cambridge Analytica event will come to light.  As we as consumers demand more transparency, and as regulators probe deeper, the ongoing act of using our data for other than the purpose for which we have given consent will come out of the shadows.  Consumers will also start paying more attention to the notifications they receive from businesses that say their information was shared with third parties and what that means for them.

Data Privacy: Consumer empowerment around privacy and data privacy is top of mind in a way that it has never been before. Other states will follow California’s lead and pass their own data privacy legislation in the hopes of empowering consumers and keeping industry in check, especially seeing as California, Florida, Texas, New York and Pennsylvania (in that order) had the highest numbers of cybercrime reports last year. This will likely not provide the much-needed long-term solution, or the necessary cultural shift. Just look at the condition of the state-by-state data breach notification laws, and the years-long discussion (that’s at a stalemate, by the way) of a more universal regulation and process. Will we start that cycle over again here? Probably. Until the public has a concrete understanding of the complex relationship between data creators (consumers), data owners (the platform on which the data was created, generally) and data users (every industry currently operating in the US), these statewide measures will fall short of making any real headway into actually giving us more control over our data or more privacy.

Even though it has been discussed for over 13 years, there is a good chance that 2019 will be the year that a federal data breach notification law will become a reality.  Of course, predictions are just an educated guess based on previous events and information. Industry, policymakers and the public alike will have to wait and see how 2019 will be impacted by identity theft, cybercrime, hacking and data breaches. One thing we can be sure of though is that the ITRC will be here, working to fight back against the latest techniques to commit identity theft and scams.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


Read next: The 2018 Impact of Data Breaches and Cybercrime

Better than any Oscar nominations or National Basketball Association (NBA) rankings, there’s a different kind of list that keeps cybersecurity experts and consumer advocates on the edge of their seats each year. This list, compiled from actual, intentional user mistakes, ranks the worst—make that “least secure”—passwords by how frequently they’re used.

Note: Why do far too many consumers continue to use ridiculously weak passwords? Because of a misunderstanding of how passwords are “guessed” by hackers. Despite what people might think, no one sits at a computer and types in one attempt after another. Instead, they deploy software that is capable of “guessing” random words, phrases and character combinations at literally billions of guesses per second.

(As one tech user said to the Identity Theft Resource Center when justifying the use of “password” as his online banking password, “It’s so easy no one would think to guess that one.” Unfortunately, that’s not how this works.)

This year’s list of worst passwords not only includes some that have been haunting the security industry for years, it also includes a few newcomers.

Taking the number one spot once again was “123456.” Interestingly, after the #2 spot went to “password,” the remaining top seven most commonly used passwords were the number variations “1234566789,” “12345678,” “12345,” “111111,” and “1234567.”

There were some odd choices this year, as the #8 spot went to “sunshine” and #10 was “iloveyou.” Number 9 was no surprise, unfortunately, as the ever-popular “qwerty” landed there.

“Admin” and “football” made the list again this year, as did “123123.” A shockingly high number of tech users thought they could beat the bots by holding down the shift key while hitting those number keys, which means “!@#$%^&*” was the 20th most commonly used password this year. Not to be outdone by the qwerty fans, a few more people tried to outwit the hackers by running their passwords straight up the bottom row of keys: “zxcvbnm” took spot #26.

People’s first names were surprisingly common passwords. Jordan, Joshua, George, Harley, Summer, Thomas, Buster, Hannah, Daniel and more were all in the top fifty.

The complete list of 100 most commonly used passwords is available by clicking here, but remember—it’s a guide of what not to do, not a list of passwords that are so simple no one would think you’d ever use them. So what kind of password should you use?

A strong, unique password is one that you only use on one account (not repeating it on multiple accounts), and that contains a long, virtually unguessable combination of letters, numbers, and symbols. Eight characters is typically considered the bare minimum for security but the longer the password, the harder it is for hacking software to guess it. While you’re creating this hopefully-foolproof password, remember to avoid common words, phrases, variations on your name, or the name of the website where the account was created.
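The rules in the paragraph above, together with the patterns behind the listed passwords (number runs, keyboard rows, the shifted number row, repeats, first names), can be checked mechanically when a password is chosen. The following is an added example, not ITRC code; the function names, reason labels and the `site` and `owner_name` parameters are assumptions, and the two lists are constructed from the passwords and names quoted in this article.

```python
import re

# Constructed lists: only the passwords and first names the article quotes,
# not the full top-100 list (which the page does not reproduce).
COMMON = {"123456", "password", "12345678", "12345", "111111", "1234567",
          "sunshine", "qwerty", "iloveyou", "admin", "football", "123123",
          "!@#$%^&*", "zxcvbnm"}
NAMES = {"jordan", "joshua", "george", "harley", "summer", "thomas",
         "buster", "hannah", "daniel"}

# US QWERTY rows. The second row is the number row typed with shift held down.
KEY_ROWS = ["1234567890", "!@#$%^&*()", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
MIN_LENGTH = 8  # the article's "bare minimum"


def is_keyboard_walk(pw):
    """True if the whole password is one straight run along a keyboard row."""
    p = pw.lower()
    if len(p) < 4:
        return False
    return any(p in row or p in row[::-1] for row in KEY_ROWS)


def weaknesses(pw, site="", owner_name=""):
    """Return the list of reasons (hypothetical labels) a password is weak."""
    p = pw.lower()
    found = []
    if len(pw) < MIN_LENGTH:
        found.append("too_short")
    if p in COMMON:
        found.append("common")
    if is_keyboard_walk(pw):
        found.append("keyboard_walk")
    # A short unit repeated to fill the password: "111111", "123123".
    if re.fullmatch(r"(.{1,4})\1+", pw):
        found.append("repeated_unit")
    # Strip digits and symbols so "Hannah2019!" is still caught as a name.
    letters_only = re.sub(r"[^a-z]", "", p)
    if letters_only in NAMES or (owner_name and owner_name.lower() in p):
        found.append("name")
    if site and site.lower() in p:
        found.append("site_name")
    return found


if __name__ == "__main__":
    samples = ["123456", "!@#$%^&*", "zxcvbnm", "123123",
               "Hannah2019!", "PayPalRocks2019", "?T2b5W6m1F9w67!"]
    for candidate in samples:
        print(f"{candidate!r:22} {weaknesses(candidate, site='PayPal')}")
```

An empty result only means none of these patterns matched; it does not check whether the password is reused on another account, which the paragraph above also requires.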

So how are you supposed to remember a really long, secure password and make a separate one for each account? You could use a widely respected password manager, but there’s always a risk of those companies’ servers being hacked. If you’re really struggling to protect yourself, you can come up with your own cheat.

For example, pick a song or a book title that you will always remember, such as, “These Boots Were Made for Walking.” Now, pick a long number combination, like your childhood phone number. You can weave together the first letter of each word in the title (alternating uppercase and lowercase) and each digit in the phone number so that you end up with something that looks like “?T2b5W6m1F9w67!” Note the extra symbols at the beginning and end.

This fairly strong password is only good for one of your accounts, though. So here are a couple of things to try:

1. You can also weave in the name of the website, like PayPal or Amazon, by putting one of the letters at the beginning and one of the letters at the end. That way, you only have to remember two letters for each account and your strong password in the middle. This is NOT ideal from a security standpoint, but it’s far better than reusing your dog’s name on every account you own.

2. Use your very strong password for your email and simply click “forgot my password” every time you log into a different sensitive account. You’ll get an email to change your password on that site, and you can change it to anything you like—even just mashing keys on your keyboard—since you’re going to change it again the next time you log in.

There’s something else to consider about password security. Changing your passwords from time to time is important for keeping hackers out of your accounts. The ability to steal or purchase databases of old login credentials means someone could get your current password by stealing information that’s several years old. Protect yourself with regular updates to your password.




The Federal Trade Commission announced that it will be closed due to a lapse in its funding until the government shutdown ends. That means a number of critical services for consumers, businesses, law enforcement agencies, and other organizations will be temporarily unavailable. Some services—as outlined on the FTC’s website and the announcement on the shutdown—will still be in operation but with reduced staff numbers; this can have a big impact on those services and the timeliness of the support.

Consumers will not be able to file reports or notify the FTC of scams, fraud, or other similar issues during this time. Identity theft reports will also be on hold, as will the National Do Not Call Registry, the Consumer Sentinel Network for law enforcement, and other critical functions.

In the meantime, the non-profit partner Identity Theft Resource Center is ready and willing to help consumers in need and provide valuable insights to any law enforcement agencies or policymakers. The toll-free helpline (888) 400-5530 and live chat feature provide immediate answers to questions and concerns about your data, your privacy, and your first steps in the event of suspected identity theft.

ITRC resources can also help keep you informed about the latest scams, fraud, and cybersecurity trends, as well as provide you with actionable steps to avoid becoming a victim. Should you find yourself snared by this kind of criminal activity, our knowledgeable staff can help you take action. The website is also filled with helpful documents that are categorized by the type of consumer issue to assist you in finding the right resources. The Identity Theft Resource Center also has a free ID Theft Help app, which gives you access to resources and tips to protect your identity, a case log feature to help remediate your case as well as the ability to contact our call center advisors.

Fortunately, the FTC’s website and social media channels will still be available with past information, although these outlets will not continue to be updated during the shutdown. The ITRC will continue to post updates and new information at IDTheftCenter.org as well as on its Facebook and Twitter accounts.

During this time, it’s vital that consumers and businesses be extra vigilant about protecting themselves. There’s never a good time to let your guard down when it comes to your identity or your privacy, but at a time when the safeguards are suspended, it’s even more important that individuals exercise caution when it comes to consumer interactions.




A phishing scam has led to the unauthorized access of more than 500,000 students’ identifying information in the San Diego Unified School District. Through emails sent to staff members of the school district, an outsider was able to gain staff members’ login credentials and view students’ profiles.

Phishing scams like this one are all too common. By masquerading as an official email from a verified source, outsiders can trick recipients into all manner of sensitive activities, from changing passwords and account numbers to transferring funds to paying phony invoices. In this case, the emails likely required staff members to verify their usernames and passwords.

The phishing attack is believed to have been carried out between January and November of this year, but school system officials first became aware of it in October. However, the credentials gave the unauthorized person access to student records dating all the way back to the 2008-2009 school year.

Impacted individuals are being notified by letter from the school system, and the current investigation has already identified someone believed to be responsible. Officials have not determined whether or not any of the data was actually stolen or used, but it was certainly possible to steal complete identities from the activity that occurred; therefore, they are treating this incident as a data breach.

There are some important takeaways from this news. The first is that sharing your information with outsiders can result in the loss of that data. If you are not absolutely legally required to turn over your complete identity or that of your children, don’t. If you are required to provide it, ask who will be able to access it and how it will be protected. In the case of the school system, even base-level staff members were able to view details like birthdates and Social Security numbers, something that they didn’t need.

Also, if you receive a notification letter that your information has been breached, it’s vitally important that you take note of what data was compromised and what steps the company is taking to make it right. If the company is offering credit monitoring or identity monitoring, don’t delay. Sign up for that support immediately to take advantage of the protection.

Finally, since this incident involves children’s personally identifiable information, parents and guardians must be cautious about their children’s identities. Too many young people only discover they’ve been victimized this way when they become adults and attempt to get a job, enlist in the military, apply for financial aid, or other similar actions. Parents can freeze their children’s credit reports to reduce the chances that someone will use their information maliciously.



Read next: The 2018 Impact of Data Breaches and Cybercrime

Year after year, cybercrimes like scams, fraud, identity theft and data breaches make a global impact on consumers and businesses alike. Organizations like the Federal Trade Commission and the Identity Theft Resource Center keep tabs on the statistics and the aftermath of these events in order to form a clearer picture of their effects. With only days to go until we reach the end of 2018, here’s a look at some of the numbers from this year.

Top Scams of the Year

According to a report by Heimdal Security, phishing attempts continue to be one of the more prevalent ways scammers connect with their victims. Phishing usually arrives as an email that entices someone to take action; the action might be to send money, hand over sensitive data, redirect to a harmful website, or even download a virus from a macro contained within the email. No matter what the story the scammers use, one-third of all security incidents last year began with a phishing email.

What happens to consumers when they fall for a phishing email? One in five people reported losing money, around $328 million altogether. That’s about $500 per victim on average, but that’s also only from the victims who reported the scam. Interestingly, new data this year found that Millennials were more likely to fall for a scam than senior citizens, although seniors still lost more money on average than these younger victims.

Different Industries Impacted by Data Breaches

The ITRC’s annual Data Breach Report highlights the organizations that have been impacted by data breaches throughout the year, along with the number of consumer records that were compromised. While the year isn’t over, the data compiled through Nov. 30 is already worrisome.

There have been more than 1,100 data breaches through the end of November 2018, and more than 561 million consumer records compromised. Those breaches were categorized according to the type of industry the victim organization falls under: banking/credit/financial, business, education, government/military and medical/healthcare.

The business sector saw not only the highest number of breaches but also the highest number of compromised records with 524 breaches and 531,987,008 records. While the medical and healthcare industry had the second highest number of breaches at 334 separate events, the government/military’s 90 breaches totaled more compromised records at 18,148,442. The financial sector only had 122 data breaches this year, but those events accounted for more than 1.7 million compromised records. Finally, while education—from pre-K through higher ed—only reported 68 data breaches, there were nearly one million compromised records associated with schools and institutions.

The Crimes that Made Headlines

There were quite a few headline-grabbing security incidents this year. While Facebook and the Cambridge Analytica events were not classified as traditional data breaches, they were nonetheless an eye opener for social media users who value their privacy. The Marriott International announcement of a 383 million-guest breach of its Starwood Hotels brand has opened consumers’ eyes about the types of information that hackers can steal, in this case, 5 million unencrypted passport numbers. The breach of the government’s online payment portal at GovPayNow.com affected another 14 million users, demonstrating that even the most security-driven organizations can have vulnerabilities. Finally, separate incidents at retailers and restaurants like Hudson Bay and Jason’s Deli reminded us (and those breaches’ combined 8.4 million victims) that attacking point-of-sale systems to steal payment card information is still a very viable threat.

What Do Criminals Really Steal?

In every scam, fraud, and data breach, criminals are targeting some kind of end goal. Typically, it’s money, identifying information or both. But recent breaches this year of websites like Quora—which provides login services for numerous platforms’ comment forums—also show that sometimes login credentials can be just as useful.

After all, with the high number of tech users who still reuse their passwords on numerous online accounts, stealing a database of passwords to a fairly innocuous site could result in account access to so-called bigger fish, like email, online banking, major retail websites, and more. Furthermore, it showed that a lot of users establish accounts or link those accounts to their Facebook or Gmail logins without really following up; a lot of people who learned their information was stolen in the Quora breach may have forgotten they even had accounts in the first place. The number of victims in that breach is expected to be over 100 million.

Moving Forward into the New Year

The biggest security events of 2018 may pale in comparison to criminal activity next year. After all, there was a time when the Black Friday 2013 data breach of Target’s POS system was considered shocking. One thing that cybercriminals have taught us time and time again is that there’s money to be made from their activities, and they aren’t going to give up any time soon.



Read next: “HoneyBots Keeping Internet Users Safe”

The term “honeypot” is actually an old word with a lot of different connotations. Besides the obvious container for honey, it also refers to any kind of “lure,” whether it’s an attractive person, a lucrative business deal or even a criminal’s bait to snare a victim.

The tech sector has long been flipping the script on honeypots and using them to lure the criminals. Whether it’s an unsecured cache of sensitive information, a website that purposely contains vulnerabilities or some other cyberbait, the result is the honeypot can help security researchers track down cybercriminals and grab their identifying information.

Now, researchers at one university have taken the crime-fighting a step further with the invention of the HoneyBot. This robotic security guard doesn’t patrol the hallways of a building to keep an eye out for intruders, though. Instead, it serves as a connected device that hackers would want to go after, a kind of data honeypot on wheels.

You might already be wondering, “Why does a data trap need to move around?” It’s so simple that it’s genius. One of the ways hackers know they’ve hit on useful data and not a trap is by having the ability to interact with the secret honeypot in a very sophisticated, higher-level way. If there’s nothing really interactive about it, then it could actually warn away cybercriminals. Worse, it could give them a portal to infiltrate a network (the opposite function of a honeypot).

When they’re able to interact with the HoneyBot and send it around the building, they’ll think they’re actually on to something. This makes the robot ideal for factories, manufacturing plants, and even a large-scale infrastructure like a power grid. While the hackers are toying around with the robot and trying to get access to other parts of the network, the HoneyBot is scooping up all of their information and reporting it to the cybersecurity team.

University researchers are expected to share the results of extensive testing in the near future, but this kind of innovation is already an exciting new tool for fighting back against cybercrime.


Read next: “Block the Wi-Fi Nabbers”

If you pulled up in your driveway and saw an orange extension cord running from your exterior outlet to your neighbor’s house, you might have something to say about it. If your neighbors ran a long wire to your cable box to steal your cable, you would probably do something about that as well.

But your neighbors could be stealing your internet connection without your knowledge. Without the need for wires or cords, they could have gained access and your signal strength could be suffering. Worse, you don’t know what kind of activity they’re engaging in over your connection, or what else they may be able to infiltrate over your wifi.

There are a few ways you can tell if someone—a neighbor or even someone paused nearby in a vehicle—is using your internet connection:

1. Internet Slowdown – if your internet connection is suddenly slower, meaning web pages don’t load like they once did or your favorite videos just display an icon circling around instead of playing, you might be running too many devices on your connection. If you know that you haven’t increased the number of computers, phones, tablets, laptops, or IoT devices, someone else may have joined.

2. Check Your Connection Settings – if you can access the app for your router (the box that turns your modem into a signal broadcaster so wireless devices can reach it) or visit the manufacturer’s website to see your account, you should be able to see how many devices are connected to your network. Their customer service department can help you with this step.

Once you find out if someone else has jumped on your connection, it’s actually a pretty easy fix. First, password protect your wifi network, which is a good idea even if no one has been using your connection; however, if you already had a password in place, then the outsider has gained access to it somehow, so simply change it. Also, be sure to check for any available updates to your router’s software since outdated software could have vulnerabilities that outsiders can exploit.

Unfortunately, if someone has been using your wifi, there’s a chance they also accessed sensitive information about you and your family. Change the passwords on all of your sensitive accounts like email, banking, and retail shopping sites, and monitor your accounts for any suspicious activity.


Read next: “Don’t Get Scrooged by a Holiday Scam”

Wouldn’t it be nice if criminals took a break for the holidays, leaving the rest of us to enjoy our celebrations without the worry of scams and fraud? Unfortunately, they don’t slow down at this time of year, and if anything, scammers actually ramp up their activity to take advantage of unsuspecting consumers.

Luckily, you can preserve your holiday cheer and reduce your chances of becoming a victim by learning a few signs of some common scams. Remember, these scams can take on holiday-themed forms at this time of year but can still be a threat all year long.

1. Secret Sister/Gift Exchange Scam – You may have already seen social media posts for a secret sister gift exchange, but know this: no matter who posted it or how much fun it claims to be, it’s a scam. Even worse, depending on how it manifests and where you live, it may even be illegal to participate.

This one works in a similar vein to a pyramid scheme. You buy six to ten gifts and mail them to other people on the list, and in turn, future participants send you gifts. Your initial handful of gifts is supposed to multiply as the list gets bigger, but too many victims of this scam report that all they got was a hit to their bank accounts when they sent off those first gifts.

2. Charity Scams – Thieves take full advantage of our goodwill and generosity, often with sad situations that make us feel grateful to have so much. With the widespread availability of crowdfunding and online posting through social media, it can be very difficult to know who to help and how. Be safe this season by designating your donations before the holidays and choosing reputable organizations whose values align with your own.

3. Shipping, Fake Retail Scams – As our holiday shopping gets fully underway, it can be hard to discern genuine retailers and their messages from the phonies. Copycat websites, fake internet storefronts and bogus emailed receipts that trick us into divulging sensitive information are just a few of the tools scammers can use to steal your identity, your money or both.

4. E-Cards – There are several reputable websites that offer adorable “e-cards,” complete with photo personalization, animated video, and even musical sound effects. Unfortunately, the cards arrive as an email in your inbox telling you to click the link to view it; it takes no tech skill whatsoever to launch a spam email campaign that tricks recipients into downloading a virus instead of a delightful card. Make sure you verify it with the sender before you click any links.

5. Seasonal Employment – There’s never a time when most of us couldn’t use a little extra money, and scammers take advantage of that fact even more at the holidays. Bogus job offers that steal your identifying information, criminal scams that get you to “reship” stolen property and too-good-to-be-true jobs that require you to send in money or access to your bank account are just some of the ways scammers posing as employers can harm you.

This holiday season, arm yourself with information so you won’t have to waste time worrying about scams and fraud. Also, do your friends and family a favor: give the gift of awareness by keeping others informed about these scams and more.


Read next: “What’s the Latest Threat From Your IoT Toys?”

Privacy experts and advocates have long warned about some of the threats from the Internet of Things. Our connected smart home devices have the potential to spy on us, to gather, track, and spread our sensitive information and internet activity, and even to become a target for hackers.

Unfortunately, the increasingly common combination of IoT connectivity and a child’s toy can lead to a bone-chilling scenario in which information about your family member is shared online. Previous data breaches involving kids’ apps and IoT toys have grabbed entire customer databases of children’s information, in some cases even including names, addresses and photos of the kids.

As the Internet of Things becomes more widespread and the “it toy” of the holiday season lines the retailers’ shelves, it’s important that consumers do their research before making their purchases.

One great resource is the annual Trouble in Toyland report, which highlights a variety of dangers of popular toys. These dangers range from things like choking hazards to privacy questions, so it’s an all-encompassing type of report. In its 33 years, this report has been responsible for more than 150 toy recalls.

But when shopping for any kind of electronic or interactive toy, consumers can keep a few guidelines in mind before committing to this new purchase:

1. Do you need to register the device or create an account to use it? – Registering your new purchase can protect you in a number of ways, including recall updates and warranty validity. However, do you need to include every piece of information? Do you have to register your child’s information or create an online account in order to use this toy? That might give you pause, depending on the information requested, the age and ability of your kids, and your comfort level with their internet use.

2. Do you leave it turned on at all times in order for it to work? – If this device needs to be left powered on at all times, you might want to think carefully about incorporating it into your household. Besides the drain on your utilities and your home data use for a toy or gadget that might not get used all the time, an “always on” device can lead to security issues. If you can power the device off completely when not in use, it will save both your budget and your privacy.

3. Is your Wi-Fi network protected? – Wi-Fi connections need to be password protected to keep outsiders from jumping into your network. However, a lot of users with IoT-connected toys and household devices overlook the need to protect their wifi routers as well. If your router—the box that makes the internet connection work for all of your wireless gadgets—is unprotected, then anyone who accesses your laptop through a virus could conceivably travel over to your other devices via the router.

As parents and grandparents, it’s understandable to want to give your young family members something from their holiday wish lists, but rushing into a purchase isn’t the best course of action. Do your research and make sure you’re bringing the device into a secure environment before buying.

There’s one final consideration to make when purchasing a new connected toy, especially if it’s an upgrade on a previous version: don’t discard any old connected toys without completely wiping their stored data and deleting any apps or accounts that powered it. If you can’t be sure that any sensitive information is gone from the device—including its usage history, stored identifying information, and more—then physically damage the internal components before discarding it. Remember to look for a responsible recycler so that potentially harmful internal materials don’t end up in the environment.


Read next: “Boss Phishing Bah Humbug: Don’t Fall for this Holiday Scam!”

As the holidays approach, savvy consumers should already be on the lookout for scams and fraud. But what about at work? Do you know how to avoid one of the newest twists on an old scam?

Boss phishing—sometimes called CEO phishing or spearphishing, since the message appears to come from someone high up in the company—has been around for a long time, and its targets can be both financial and data-driven. Usually, in the form of a genuine-looking email, the request asks someone to send over sensitive information, change account numbers and move money around, or even change things like usernames and passwords.

It works for one very simple reason… when the boss says to do something, you do it. However, this kind of trust in following orders means the consequences can be very serious for the company and lead to blowback for the employee who was tricked. This newly reported spearphishing scam, though, is particularly horrible since the innocent employee might be the one who’s most profoundly harmed.

In the new variation, the “CEO” emails someone and directs them to buy thousands of dollars’ worth of gift cards for the employees’ holiday bonuses; this could be with their personal credit card or with a company credit card. After the cards are purchased, the “CEO” emails again and says to scratch off the protective strip, then submit the card numbers so the boss can email all of the employees their gift card codes.

In a real report of this crime to the Identity Theft Resource Center, a few hours after sending the gift card codes to the scammers, the victim learned the company computer had been hacked. The emails weren’t genuine, and the scammers made off with $5,000 in gift cards.

Fortunately, you can avoid this scam rather easily, but it does require you to get in the good habit of questioning orders. Hopefully, any company leader whose employee receives a strange request won’t be too put out that they took the initiative to verify it before complying.

1. Never click a link or open an attachment in an email unless you know you can trust it. This applies to both your personal email and your business account.

2. Never follow through with strange requests from anyone within the company—like sending over all the payroll records (which contain Social Security numbers), W2s, sensitive account information, or funds—without picking up the phone and verifying the request.

3. Never hit “reply” to share sensitive information. Instead, create a new email with the requested information in case the initial email was hacked or spoofed.

Of course, it can be daunting to “second guess” the boss but that’s what scammers are counting on when they target someone within your company. Think of it this way: it’s far better to ask a silly question and risk a little awkwardness in the workplace than to put your company in a bad situation. Failing to verify a request that turns out to be a phishing attempt can have serious financial consequences for the business, especially if sensitive information is shared.



Read next: “What do you do with your scam awareness?”