People are spending more time on their phones, tablets and computers now than ever, making cyber-hygiene tips as important as they’ve ever been. The Identity Theft Resource Center (ITRC) wants to highlight some of the best practices and steps that users can take to improve their online security.

We recommend everyone make these cyber-hygiene tips part of their regular routine to greatly reduce their risk of identity theft or other cybersecurity compromises.

1. Use a secure connection and a VPN to connect to the internet

A virtual private network (VPN) is a digital tool that keeps outsiders, such as hackers, identity thieves, spammers and even advertisers from seeing online activity. Users should also be wary of public Wi-Fi. While public Wi-Fi may be convenient, it can have many privacy and security risks that could leave someone vulnerable to digital snoops. If connecting to public Wi-Fi, be sure to use a VPN.

2. Get educated about the terms of service and other policies

It is important to understand what the terms of service and other policies say because, once you check the box, you may have agreed to have your information stored and sold, automatic renewals, location-based monitoring and more.

3. Make sure anti-virus software is running on all devices

It is very important to have anti-virus software running on every device because it is designed to prevent, detect and remove software viruses and other malicious software. It will protect your devices from potential attacks.

4. Set up all online accounts (email, financial, shopping, etc.) with two-factor or multi-factor authentication

Two-factor authentication (2FA) or multi-factor authentication (MFA) adds an extra layer of protection to your accounts; it requires at least two separate verification steps to log into an account. Relying on a minimum of two methods of login credentials before accessing accounts will make it harder for a hacker to gain access.

5. Use secure payment methods when shopping online

One easy cyber-hygiene step is to only shop on trusted websites and use trusted payment methods. Consumers should not use payment portals or shop on websites with which they are not familiar.

Always use a payment instrument that has a dispute resolution process – like a credit card or PayPal – if you have to shop on an unfamiliar site.

6. Use unique passphrases for passwords and do not reuse passwords

The best practice these days is to use a nine to ten-character passphrase instead of an eight-character password. A passphrase is easier to remember and harder for hackers to crack.

Also, users should employ unique passphrases; if they use the same one, hackers can gain access to multiple accounts through tactics like credential stuffing.

7. Never open a link from an unknown source

Do not click on links or download attachments via email or text – unless you are expecting something from someone or a business you know. If it is spam, it could insert malware on your device.

Also, never enter personally identifiable information (PII) or payment information on websites and web forms that are not secure or have not been fully vetted. It could be a portal to steal personal information.

8. Make sure devices are password protected

If devices are not password protected, it is just that much easier for a hacker to share or steal personal information. Without a layer of protection or authentication to access the device, all the information saved on it becomes fair game. Use a PIN code, biometric or pattern recognition to lock your devices and set the same protection for apps that have access to sensitive information like banking or credit cards.

9. Log out of accounts when done

Staying logged in is another bad habit that makes it much easier for someone to share or steal your information. Always log out of accounts when done so no one can get easy access to them.

While there is nothing that can be done to eliminate identity theft, account takeovers and other malicious intent, these cyber-hygiene tips will help keep consumers safe, as well as reduce the number of cybercrime victims.

Anyone who believes they have been a victim of identity theft or has questions about cyber-hygiene tips can call the ITRC toll-free at 888.400.5530 to speak with an expert advisor. They can also live-chat through the website or the free ID Theft Help app.



A Florida-based healthcare provider has issued a warning to its patients that their highly-sensitive personally identifiable information (PII) and personal health information (PHI) may have been stolen in a data breach. In what appears to have been a ransomware attack, Florida Orthopaedic Institute’s servers were infiltrated by malicious actors who then encrypted patients’ files, blocking access to them by the facility’s staff members. The facility is a conglomerate of orthopaedic physicians’ offices, meaning it could be possible that patients affected by the Florida Orthopaedic Institute data breach are not familiar with the company’s name.

The Florida Orthopaedic Institute’s investigation also uncovered reasons to suspect that some of the patients’ complete identities had been stolen before the encryption. That would include such data points as names, birthdates, Social Security numbers and more. Right now, the Florida Orthopaedic Institute has not found evidence that those identities have been used. Other compromised information from the Florida Orthopaedic Institute data breach includes medical data or PHI like appointment times, insurance plan numbers and payments for services, just to name a few.

While the facility was able to regain access to the encrypted files, affected patients should take immediate action. Some important steps include:

  • Changing the passwords on any accounts that share a username and password with their Florida Orthopaedic Institute account
  • Requesting a free copy of their credit report from AnnualCreditReport.com to look for signs of unusual activity
  • Signing up for the free credit monitoring and fraud protection tools that Florida Orthopaedic Institute is providing to the victims of this breach. It’s also important for victims of the Florida Orthopaedic Institute data breach to place a freeze on their credit report if their financial or payment card information was affected.
  • Contacting their insurance provider and asking if they can change their insurance account and card number. Victims should see what additional protections they can put in place such as an additional password when calling for service
  • Checking medical insurance billing statements closely to ensure the company is not covering services received by a thief that the victim has not received

As with any data breach event, including the Florida Orthopaedic Institute data breach, consumers can also reach out to the Identity Theft Resource Center (ITRC) for help and information by live-chat or calling toll-free at 888.400.5530. The ITRC’s free ID Theft Help app for iOS and Android is a place for victims to manage their case-specific action plans and find other helpful resources.



In 2019, the Identity Theft Resource Center (ITRC) saw a 17 percent increase in data breaches compared to 2018. Credential stuffing attacks exploded in 2019, as did breaches of third-party contractors. 2020 has been a different story.

While scams are up due to COVID-19, publicly-reported data breaches are down in the U.S. Despite millions of Americans shifting to working from home – where cybersecurity and data protections may not be as strong as their regular workspace – the number of data breaches has dropped by one-third (nearly 33 percent) in the first six months of 2020 compared to 2019. The data compromise decrease statistics do not stop there. More significantly, the number of individuals impacted by breaches dropped by 66 percent compared to the same time period one year ago.

[Figure: Year-over-year January – June 2020 data breach trends, provided by ITRC]

The 2020 data breach statistics are good news for consumers and businesses overall. However, the emotional and financial impacts on individuals and organizations are still significant. In fact, the impact on individuals might be even more catastrophic as criminals use stolen personally identifiable information (PII) to misappropriate government benefits intended to ease the impact of the COVID-19 pandemic.

External threat actors continue to account for most successful data compromises (404), compared to internal threats from employees (83) and third-party contractors (53). Internal threat data compromises are the lowest they have been since 2018.

In comparison, January 1, 2019 to June 30, 2019 saw 588 breaches caused by an external threat actor, 126 breaches caused by an internal threat actor and 89 breaches involving a third party. The data compromise decrease can be attributed, in part, to more people working from home.

Due to the increase in remote work, employees have less access to the data and systems necessary to easily steal PII. However, businesses and employees are also hyper-focused on preventing identity theft.

Unless there is a significant uptick in data compromises reported, 2020 is on pace to see the lowest number of data breaches and data exposures since 2015.

[Figure: Year-over-year data breach trends 2020, provided by ITRC]

With that said, there is reason to believe the lower number of breaches is only temporary. Cybercriminals have been using the billions of data points stolen in data breaches during the last five years to execute different types of scams and attacks, which include phishing, credential stuffing and other exploits that require PII. With so much data being consumed and so much focus on improved cyber-hygiene, both at work and at home, the available pool of useful data is being reduced.

At some point, cybercriminals will have to update their data, which should lead to a return of the normal threat pattern. While there are signs of increased cyberattacks that – if successful – could lead to PII being compromised, it is too early to tell when the uptick may occur. Even then, it is more likely to be a “dimmer switch” approach rather than just flipping on a light switch, meaning it will not happen all at once.

The ITRC will continue to monitor all of the publicly-reported data breaches daily and analyze them to keep businesses and consumers educated on what the cybercriminals are doing.

If someone believes they have had their information exposed as part of a data compromise, or is a victim of identity theft due to a data breach, they can live-chat with an ITRC expert advisor. They can also call toll-free at 888.400.5530. Advisors can help victims create action plans that are tailored to them.

Victims can also download the free ID Theft Help App. The app lets them track their case in a case log, access resources and tips to help them protect their identity and more.

For more information on the ITRC’s data breach tracking and trend analysis, or if your organization would like to subscribe to our monthly data breach product, please email notifiedbyITRC@idtheftcenter.org.

Third-party sellers on Amazon are buying their own products so they can leave five-star reviews, then using victims’ names and addresses to disguise themselves as customers. 

Who Is It Targeting: Amazon customers

What Is It: Brushing scam that uses another person’s information to place fake orders

What Are They After: This Amazon brushing scam is tricky because while victims are not charged for the goods that appear on their doorstep, being a victim still means that someone has gained access to your name, mailing address, and other information. Some people may not think of this as being victims of a scam, but there is no way of knowing what else these scammers could be doing with your personal data.

In a post on Reddit, one user who randomly received a weeding tool posted to understand what he had received in the mail by mistake, unaware that it was part of a brushing scam.


Another Reddit user alerted the original poster to the possibility of this being a scam and referred them back to our resources for assistance.

How Can You Avoid It: If you begin receiving packages that are addressed to you but you did not order, contact the retailer immediately. Change your passwords on your online accounts, just in case the scammer got your address by hacking an account.

According to The Verge, Amazon will start disclosing the names and addresses of US-based third-party sellers on its Marketplace platform as part of an effort to fight counterfeiters. The company announced the change in a note sent to sellers on Wednesday, and it goes into effect on September 1st.

If you think you may be a victim of identity theft or an Amazon brushing scam, contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. Find more information about current scams and alerts here.



Every week the Identity Theft Resource Center (ITRC) takes a look at the most interesting data compromises from the previous week. The ITRC has the most comprehensive databases of information about publicly-reported U.S. data breaches. The ITRC has been compiling data breach information for the last 15 years, recording close to 12,000 publicly-notified data breaches. This week we are highlighting a couple of longer-term unconventional 2020 data breach trends and what is behind them (specifically, publicly-reported breaches in the U.S.) and what cybercriminals are doing with all of the personal information they have stolen the past few years.

Tune in to the Identity Theft Resource Center’s newest podcast – the Weekly Breach Breakdown with host, James Lee, Chief Operating Officer.

Since 2015, data breaches and the number of people impacted have been on the increase, with the exception of one year. However, 2020 is shaping up to be very different. While many believed employees working remotely due to COVID-19 would lead to a spike in data breaches and identity theft, the data tells a different story. The number of publicly-reported data breaches is down 33 percent in the first six months of 2020 over the same period in 2019. More importantly, the number of individuals impacted by data compromises is down 66 percent compared to last year. In the first six months of 2020, the ITRC tracked 540 data breaches and approximately 164 million people affected, including those who received more than one breach notice.

While the 2020 data breach trends are good news for businesses and consumers, the emotional and financial impacts on organizations and individuals due to data breaches are still significant. In fact, the impact on individuals could be even more damaging as criminals use stolen identity information to misappropriate government benefits intended to ease the impact of the coronavirus. While the ITRC sees a drop in data breaches reported, it also sees an increase in reports of identity-related fraud.

There is never just one reason why data breaches go up or down. It is a complicated issue with many moving parts. However, related trends give a clue about one of the primary drivers of the reduction in mass data theft: all the identity information stolen in data breaches over the past few years. In fact, a new research report shows there are 15 billion credentials for sale in the marketplace where identity criminals buy and sell personal information. That is a lot of information – and right now, cybercriminals are cashing in on all of that data by running COVID-19 and other scams that require identity data. Cybercriminals are striking with phishing attacks and other automated attacks using apps designed to crack open accounts using stolen credentials that cost as little as $4.

In other words, right now identity thieves do not need any more data. They are consuming more data than they are gathering. Unless there is a significant increase in the number of reported data compromises, 2020 is on pace to see the lowest number of data breaches and data exposures since 2015, an unconventional 2020 data breach trend that might not have been expected at the beginning of the year – and is counter to other reports. With that said, there is reason to believe the 2020 data breach trend of a lower number of breaches is only temporary.

At some point, cybercriminals will have to update their data warehouses. When they do, the ITRC expects a return to the normal threat pattern. It could happen in the second half of 2020, or early 2021. Whenever it happens, it is not expected to happen overnight. Rather, it is expected to gradually happen over time.

For more information, as well as analysis of the 2020 data breach trends, subscribe to our data breach newsletter.

If someone believes they are a victim of an identity crime or believes their identity has been compromised, they can live-chat with an expert advisor or call toll-free at 888.400.5530 to get started on the resolution process. Victims can also download the free ID Theft Help App. The app lets them track their case in a case log, access resources and tips to help them protect their identity and more.

Join us on our weekly data breach podcast to get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform.



School districts are a playground for hackers. While the education sector does not see as many data breaches as some others (it ranked third in the Identity Theft Resource Center’s 2019 Data Breach Report with 113 breaches), recent school district data breaches – and breaches of their software systems – have highlighted the value to data thieves.

There have been multiple large school district-related data breaches in the last two years, including Georgia Tech, which affected 1.3 million people; education software developer Pearson, which affected 13,000 educational institutions; and education software developer Aeries, which could have affected over 600 school districts. According to Insurance Business America, a study done by Comparitech said that since 2005, K-12 school districts, as well as colleges and universities across the country, have experienced more than 1,300 data breaches affecting more than 24.5 million records. The AZ Mirror reports that Arizona schools have leaked 2.8 million records since 2005. Arizona is second only to California, which has leaked close to 2.9 million records in that same span.

Fortunately, many of the recent school district data breaches do not involve Social Security numbers (SSN). However, a child’s SSN is a common target for hackers because children are not looking at their information for years. By stealing a child’s SSN, medical insurance card or birthdate, hackers could have up to an 18-year head start before a child discovers there is a problem with their credit or personally identifiable information. Threat actors will likely continue to try to find ways to access children’s SSNs to commit child identity theft and synthetic identity theft.  

Hackers also see school district data breaches as a prime opportunity to target financial accounts, social media accounts and retail accounts that might be linked to email addresses that they obtain. With email account information, hackers can target victims with spam emails, phishing attempts and harmful software viruses, not to mention credential stuffing to gain access to more sensitive data.

There are steps that parents and children can take to reduce the risk of child identity theft from a school district-related data breach. They include:

  • Freezing a child’s credit until they are an adult or plan on using it (for financial aid as an example)
  • Not feeling obligated to give a child’s Social Security number on every form; limit the number of places it is given
  • Changing email passwords and the passwords of any other accounts that use the same password if impacted by a data breach where an email is compromised
  • Considering the use of passphrases instead of passwords, which are easier to remember and harder to guess
  • Filing an ID Theft Report with the Federal Trade Commission (FTC) and contacting all three credit reporting agencies (CRAs) to request free credit reports if personal information is being misused

If someone believes they are a victim of a school district data breach, they can live-chat with an Identity Theft Resource Center expert advisor or call toll-free at 888.400.5530. They can also download the free ID Theft Help App for access to resources, a case log and much more.



There are many unanswered questions about the coronavirus impacts in the United States, some of which center around how schools will reopen for the fall term. K-12 school districts in many areas are scheduled to resume classes in a matter of weeks. However, what the learning environment will look like has yet to be determined in many cases. With that said, there are a lot of concerns about how schools might implement distance learning on a large scale.

One concern that parents, teachers, administrators and technology leaders face is how to protect students’ personally identifiable information (PII) in an online environment. Child identity theft is a serious problem and educational institutions have been a target for hacking due to the vast amount of personal student data their servers store. A child’s identity credentials are seen as extremely valuable to identity thieves, primarily because of the long period of time where their use by the thieves can go undetected.

Parents are considering the option of continuing to keep their students distance learning, but internet safety tips for kids using online platforms will become even more important as more students (especially K-12) utilize digital education for a longer period of time. However, with so many different online platforms being used by schools of different sizes and needs, there could still be an increased risk of student data being exposed or stolen in a data compromise and then used to create synthetic identities or sold for marketing purposes.

In one example from 2019, an online education provider in the U.S. suffered an accidental overexposure when a database of possibly more than 19,000 students’ information was left unsecured. Anyone with an internet connection was able to see the data for more than a week before it was taken down and password protected. It is still not known if anyone accessed the information while it was exposed.

As the new school year takes shape, it will be vital that administrators and IT professionals put safeguards in place to prevent unauthorized access to student records, employee files and other sensitive materials. Understanding the laws that are already in place is important in helping schools avoid costly mistakes. In California, the state’s privacy and cybersecurity law (CCPA) requires businesses and organizations to safeguard consumer data against data breaches and accidental events. Companies are also required to obtain parents’ authorization when collecting data on any child under 13 years of age, as well as have permission from the parents and student if the child is between 13 and 16 years old. The U.S. government’s Children’s Online Privacy Protection Act (COPPA) also gives parents some control over what personal information companies can collect on their children under the age of 13.

The next step may be in limiting the type of information that schools gather, such as Social Security numbers or health insurance and Medicaid identification numbers. Another important child privacy step will be ensuring that all personnel who have access to stored data know how to secure it. As some educators switch to wearing multiple hats this fall, they must be well-trained on how to use the platforms their school systems have adopted.

For parents, there are many internet safety tips for kids they can teach their students when it comes to online security:

  • Parents should be mindful of what websites their kids visit and teach them about what types of information are okay to enter online
  • Parents are encouraged to help their kids be aware of the dangers of clicking links or downloading files, as these can contain viruses and malware
  • Parents should make sure all of their kids’ online interactions occur with a known and trusted individual to lessen the opportunity for social engineering
  • Parents can enact the strictest privacy control settings available on their child’s computer, mobile devices and the browsers they use

Anyone with questions about child identity theft, distance learning security or internet safety tips for kids can live-chat with an Identity Theft Resource Center expert advisor. They can also call toll-free at 888.400.5530.



Data breaches can come in all different forms. Some occur from ransomware attacks and formjacking, while others are related to security lapses at third-party vendors or cyberattacks using stolen credentials. Hackers are always thinking of new ways to target and attack businesses and consumers. Magecart data breaches have grown as the years have gone by. One of the most notable Magecart attacks was on Macy’s in October 2019 when web skimmer malware was discovered on Macy’s website collecting customers’ payment card information.

Magecart is a particular type of malware used by hacking groups that targets the payment information entered into forms on various websites while allowing the transaction to complete without the consumer being any wiser. Magecart hacks third-party components that are common on e-commerce sites. According to Forbes, by October 2019, over 18,000 websites had been infected with Magecart card skimming malware. In the article, RiskIQ said they had spotted Magecart skimmers in action more than two million times. Other notable Magecart data breaches include attacks on the Baseball Hall of Fame, international hotel chains, Ticketmaster and British Airways.

While Magecart attacks will continue, businesses should do their part to protect their customers’ data, and consumers must also exercise caution. According to SC Media, cybersecurity teams at businesses should consider a variety of defenses that limit the risk of threat actors taking advantage of software flaws to infiltrate websites.

Consumers also have a role to play in helping thwart payment information theft, starting with being cautious about where to use payment cards online. Consumers should also consider using newer payment technologies that have more built-in security features than traditional credit and debit cards. Digital wallets like Apple Pay and Google Pay, along with “virtual” payment cards that rely on random, single-use card numbers make card information useless to identity thieves.  

While cyberattacks constantly evolve, it is important for businesses and consumers to also change to ensure their information is safe. If anyone has questions or believes they might be the victim of a Magecart data breach, they can live-chat with an Identity Theft Resource Center expert advisor. They can also call toll-free at 888.400.5530. Data breach victims will get guidance on the next steps they need to take. Finally, victims can also download the free ID Theft Help App, which includes a case log to track the steps taken, additional resources to refer to, instant access to an advisor and much more.



Ransomware is something no one wants to end up with. It is a type of malicious software that is designed to deny access to data or a computer system until the hacker is paid. Ransomware is just one of many forms of malware, code that is developed by cyberattackers to cause damage to data and systems or gain unauthorized access. While there are many different types of ransomware, the operators behind the Maze ransomware attacks are some of the bad actors at the core of many of these types of data compromises or phishing emails.

Maze is considered a sophisticated Windows ransomware type with the threat actors using it to ambush many organizations with demands of cryptocurrency payments in exchange for the stolen data. The impact of the Maze group and other similar ransomware exploits has led to a growing problem.

According to healthitsecurity.com, in May, the Maze operators published two plastic surgeons’ stolen data for sale on the dark web after a successful ransomware attack. A little over a month earlier, Maze operators hit Chubb, a cybersecurity insurance provider for businesses that fall victim to data breaches. According to CRN, the Maze group just recently stole 100 GB of files from Xerox.

However, there are actions that consumers and businesses can take to reduce their chances of an attack:

  • Consumers should use reputable antivirus software and a firewall
  • People should consider using a virtual private network (VPN) when accessing public Wi-Fi or untrusted Wi-Fi
  • Consumers and businesses are both encouraged to make sure all systems and software are up-to-date and have the relevant patches
  • People should not provide any personal information in an email, phone call or text message they are not expecting
  • It is important that consumers do not click on any links from emails, text messages or instant messages they are not expecting; instead, they should go directly to the source

The Maze ransomware has impacted many; businesses and consumers should do what they can to protect themselves and their data.

Anyone who has questions or believes they are a victim of a Maze ransomware attack, or any sort of malware attack, can live-chat with an Identity Theft Resource Center expert advisor for tips.

They can also call toll-free at 888.400.5530. Finally, victims can download the free ID Theft Help App for instant access to advisors and resources.

