• On the Identity Theft Resource Center’s (ITRC) last Weekly Breach Breakdown podcast, we discussed our inaugural Business Aftermath Report. The report shows how data and security compromises impact small businesses. 
  • In this week’s episode, we look at what businesses can do to protect themselves. To protect your business from cyberattacks, when something bad happens, stopping the attack and restoring your systems to regular operation is the top priority.
  • Make sure team members know their role in protecting the company and themselves from phishing and social engineering attacks, as well as adopting good cyber-hygiene habits. Also, have good back-ups and patch software as soon as possible.
  • To learn about recent data compromises or small business data breaches, consumers and businesses should visit the ITRC’s data breach tracking tool, notified. 
  • If you believe you are the victim of an identity crime, data breach or want to learn more ways to protect yourself from cyberattacks, contact the ITRC. Call toll-free at 888.400.5530 or live-chat on the company website www.idtheftcenter.org.

No Small Attacks

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for November 5, 2021. Our podcast is possible thanks to support from Experian. Each week, we look at the most recent events and trends related to data security and privacy. Last week, we focused on our inaugural Business Aftermath Report findings that show how small businesses, including solopreneurs, are impacted by data and security compromises. This week we look at how to protect your business from cyberattacks.

In the entertainment business, the saying goes that there are no small parts, only small actors. In the security world, you might say there are no small attacks, only small attackers. That’s the name of this week’s episode: No Small Attacks. This week, we will talk about what you should do to protect your business from cyberattacks and prevent data breaches.

2021 Business Aftermath Report Findings

First, a brief recap of what we found in our survey of small business owners and leaders – nearly two-thirds of which had fewer than 50 employees.

  • Fifty-eight (58) percent of the small business owners or leaders reported a data breach, a security breach or both.
  • Seventy-five (75) percent of those have experienced more than one breach; 33 percent have experienced more than three breaches.
  • Forty-two (42) percent did not return to “business as usual” for 1-2 years; 28 percent required 3-5 years; seven percent said they had not returned to pre-breach performance levels at the time of the survey earlier this year.
  • Nearly 80 percent of the companies that reported a breach did so in the past two years. This coincides with the overall trend of cybercriminals focusing on vendors like smaller businesses to attack larger companies with ransomware. It also means this is likely to be a permanent condition.
  • Forty (40) percent of compromises were caused by outside cybercriminals. However, 35 percent were attributed to malicious insiders – an employee or a contractor.

That last statistic, the number of malicious employees, is much higher than for larger enterprises with more tools and processes to detect bad actors. In fact, through the first half of 2021, there were zero data breaches attributed to a malicious insider in the U.S. Given this information, what should a business do?

How to Protect Your Business from Cyberattacks or Prevent Data Breaches

There is no going back to the days when small businesses could get by with minimal cybersecurity and data privacy protections. Every business owner, leader and team member should operate as if you are already under attack (because you probably are).

To protect your business from cyberattacks, when something bad happens, stopping the attack and restoring your systems to normal operation is priority number one. Once that’s done, the highest long-term priority is restoring trust among your customers and prospects. Ensuring you know what happened, why it happened, and taking steps to prevent another breach are the bare minimum actions.

Be prepared to invest in more training, more policies and more solutions. Then, communicate all of that to your stakeholders – employees, investors, customers and community. If you don’t tell them, no one else will.

Additional Tips

  • Make sure every team member knows their role in protecting the company and themselves from phishing and social engineering attacks, as well as adopting good cyber-hygiene habits. There’s no such thing as too much training.
  • Patch software as soon as updates are available and make sure you have good back-ups. If you don’t have in-house resources, hire a managed security service provider (MSSP) to handle all your routine IT and OT tasks and monitoring.
  • Require multi-factor authentication (MFA) for your team and vendors, and offer it to your customers. MFA linked to an authenticator app is best.
  • Threat actors don’t just want your money. They want your data, too. The more you have, the bigger the target you become. To protect your business from cyberattacks, practice data minimization and don’t collect more information than you need. Also, don’t keep it longer than necessary to complete a transaction. You can’t lose control of what you don’t have.
  • Know your vendor’s security posture, too. It’s not enough that you have good cybersecurity. Everyone you work with also needs protections equal to or better than yours. That’s the law in some states now, and it is non-negotiable when it comes to protecting your customers.

Contact the ITRC

The ITRC offers low-cost training and vendor due diligence for small businesses. For more information on those services or how to protect your business from cyberattacks, contact us at www.idtheftcenter.org.

Meanwhile, if you think you have been the victim of an identity crime or a data breach and you need help figuring out what to do next, you can speak with an expert advisor on the phone, chat live on the web or exchange emails during our normal business hours (Monday-Friday 6 a.m.-5 p.m. PST). Just visit www.idtheftcenter.org to get started.

Thanks again to Experian for supporting the ITRC and this podcast. Be sure to join us next week for another episode of the Weekly Breach Breakdown.

  • A data exposure revealed an Amazon review scam. Messages were found between Amazon vendors and customers willing to provide fake Amazon reviews for free products. 
  • According to Safety Detectives, the database contained over 13 million records and 200,000-250,000 affected users. The information exposed included full names, emails, usernames, PayPal addresses and links to Amazon profiles. 
  • Vendors and customers who had their information exposed should keep an eye out for phishing emails, as well as their Amazon or PayPal accounts being accessed by scammers. 
  • The data exposure is a great reminder that no one is immune from falling victim to a data compromise. Whether it is a consumer or a scammer, anyone can fall victim to these crimes and should practice good cyber-hygiene habits to reduce their risk. 
  • For more information, contact the Identity Theft Resource Center toll-free by phone (888.400.5530) or live-chat. Visit www.idtheftcenter.org to get started.  

A recent data exposure of an ElasticSearch database divulged an elaborate Amazon review scam. According to Safety Detectives, the database, which contained over 13 million records and anywhere from 200,000 to 250,000 affected users, had direct messages between Amazon vendors and customers willing to provide fake Amazon reviews in exchange for free products. Now, people who were ready to get paid to leave fake reviews have had their data and messages exposed, leaving them vulnerable to a rise in phishing emails and having some of their accounts accessed. 

What Happened & What Was Exposed 

The Safety Detectives research team says the server was left open without any password protection or encryption. The personal data of people providing fake Amazon reviews, as well as Amazon vendors, could be found in leaked messages on the database. The information exposed in the data incident included full names, emails, usernames, PayPal addresses, links to Amazon profiles and more.  

Data Exposure Reveals Amazon Review Scam 

The information found in the recent exposure shines a light on a detailed Amazon review scam, where Amazon vendors send reviewers a list of items or products for which they would like a five-star review. The ones providing the “fake reviews” then buy the products, leaving a five-star review on Amazon a few days after receiving their merchandise. Once the review is complete, the provider of the fake Amazon review sends a message to the vendor that contains a link to their Amazon profile, along with their PayPal details.

Safety Detectives researchers say once the Amazon vendor confirms all reviews have been completed, the reviewer receives a refund through PayPal, keeping the items they bought for free as a form of payment. The refund for any purchased goods happens through PayPal and not directly through Amazon’s platform, making the five-star review look legitimate. 

Potential Impact for Those Affected   

Customers and Amazon vendors that were a part of the Amazon review scam who had their information exposed could see an increase in phishing emails. A hacker only needs someone’s email address to target them with a phishing attack. Also, depending on the password use of the people involved, there is the potential for Amazon or PayPal accounts to be accessed.  

Customers and Amazon vendors could face corporate and individual punishments for their fake Amazon reviews. ComputerWeekly.com adds that Amazon also retains the right to name the vendors involved and may pursue legal action against them in jurisdictions where paying people to leave fake reviews is illegal. The individual reviewers involved may also be legally prosecuted.  

No One is Immune from a Data Compromise 

Whether it is a cybercriminal or a regular consumer, no one is immune from being impacted by a data compromise. Anyone can fall victim, which is why everyone should exercise good cyber-hygiene practices like unique passphrases, multifactor authentication on all accounts and anti-virus software on their devices. It’s also a good idea for people to regularly check their accounts for suspicious activity. The more that one can protect themselves, the safer they will be if their information is exposed or fraudulently used.

Contact the ITRC 

If you would like to learn more about the data exposure, or the Amazon review scam, check out the Identity Theft Resource Center’s (ITRC) resources online or contact the ITRC to speak with an expert advisor toll-free. You can call (888.400.5530) or live-chat. Just visit www.idtheftcenter.org to get started.  

Another week has gone by, and there are new data compromises for the Identity Theft Resource Center (ITRC) to educate businesses and consumers on. Since 2005, the ITRC has tracked publicly-notified U.S. data breaches and has tracked over 10,000 breaches since then; more recently, using 25 different information fields and 63 different identity attributes that are updated daily. On last week’s Weekly Breach Breakdown, we talked about the market price for consumer data in the dark corners of the internet where identities are bought and sold. This week, we are looking at the average cost of a data breach exposed to the public. We will also talk about the latest data breaches that reflect the trends in the new research. 

The 15th IBM Report on the average cost of a data breach was recently released, conducted by the Ponemon Institute. Reflecting some of the same trends the ITRC has reported, the IBM study shows that the global average cost of a data breach has dropped to $3.8 million – with the average being defined as a breach of 100,000 records or less. That is a drop of nearly a half-million dollars.

However, when you focus on the U.S. alone, the average cost of a data breach has gone up almost the same amount to an average of roughly $8.6 million. That continues the long-term trend of costs steadily increasing beyond the rate of inflation since 2005.

In regards to the calculation of the cost, costs include the following:

  • The actions required to detect and respond to a data breach
  • The costs of notifying the people whose information was stolen
  • Lost revenue and the costs of marketing and sales activities required to regain consumer trust lost as a result of the data breach
  • Legal fees, fines and settlement costs
  • Increased customer care support

Lost revenue is the single largest component at 40 percent of all breach-related costs. With all of that said, what is not included are the expenses associated with fixing the problem that caused the breach in the first place, and the changes needed to ensure it does not happen again. While it stands to reason that the bigger the breach, the bigger the costs, they are exceptionally bigger – 100 times bigger – if the number of records compromised is over one million records. If a data breach of 100,000 U.S. records costs $6.8 million, a one million record event could cost close to $900 million.

According to the IBM report, the number one cause for data breaches in 2020 at 19 percent is lost and stolen credentials – logins and passwords – which is also tied with misconfigured cloud environments. In other words, someone forgot to add the password to the cloud account, leaving information exposed on the web for anyone to see. Unpatched software accounts were in third place at a little over 15 percent, while malicious employees accounted for only seven percent of breaches reviewed by the Ponemon Institute. It is also worth noting that some security and human resource experts believe the number of attacks will only go up if pandemic-related layoffs increase.

Other key findings from the 2020 IBM Report regarding the average cost of a data breach include: 

  • 53 percent of the attacks in the 2020 report were financially motivated
  • The most expensive attacks occurred in the healthcare sector 
  • The average length of time between when a malicious attack starts and ends is 315 days – 10 and a half months
  • Threat actors want consumer information – especially logins and passwords – more than any other data (80 percent of the time.) However, that is not the only data they want. Nearly a third of breaches in the IBM study were thefts of company intellectual property. 

Looking back at the top breaches this past week, Nintendo, the company that gave us Donkey Kong and Mario Brothers, was the victim of a cyberattack where thieves dumped a large amount of data onto the web. While there was no personal information exposed, screenshots and prototypes of games were posted online. The Nintendo data breach reflects the IBM report’s findings that company intellectual property is also a target for cybercriminals. Intellectual property theft can have a significant impact on a company’s business performance.

A recent Garmin ransomware attack shut down customer access to multiple products and services, as well as manufacturing. It took Garmin, which makes GPS devices and fitness trackers, nearly a week to publicly acknowledge the attack, and services are still in the process of being restored. According to Garmin, no consumer information was compromised, and the ransomware involved is not known to steal data. Rather, the ransomware used in the Garmin ransomware attack is known just to hold data hostage.

Finally, there’s Drizly, the popular service for ordering adult beverages for delivery. The company was hacked, and information from an estimated 2.5 million accounts was placed into the dark web’s identity marketplaces. According to Drizly, no payment information or other sensitive customer data was breached. However, the cybercriminals say otherwise and are selling the stolen data for $14 per account. That makes all of the information worth at least $35 million.

For more information about the latest data breaches, people can subscribe to the ITRC’s data breach newsletter. Also, keep an eye out for the ITRC’s new data breach tracker Notified™. It is updated daily and free to consumers. Businesses that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the ITRC’s three paid subscriptions. Subscriptions help ensure the ITRC’s free identity crime services stay free. Notified launches in August.

If someone believes they are the victim of identity theft or believes their information has been compromised in a data breach, they can call the ITRC toll-free at 888.400.5530 to speak with an expert advisor. They can also use live-chat. Finally, victims of a data breach can download the free ID Theft Help app to access advisors, resources, a case log and much more.

Join us on our weekly data breach podcast to get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform.

The Identity Theft Resource Center, a national non-profit based in San Diego that assists victims of identity and cybercrimes, submitted the following letter to members of the House Financial Services and Senate Small Business Committees on April 8, 2020. The letter from the Center’s CEO Eva Casey Velasquez focuses on the challenges faced by non-profits in applying for the Paycheck Protection Program created by Congress in the CARES Act.

Dear Congressional Committee Member,

Thank you for the recent passage of the CARES Act in response to the COVID-19 national emergency, especially the decision to make resources available to the Nation’s smaller non-profit organizations providing direct assistance to people in need of support. However, I want to bring to your attention a critical issue with the implementation of the Paycheck Protection Program (PPP) of the Small Business Administration (SBA). I believe the current course, if continued, will have significant negative impacts in the coming months. 

The Identity Theft Resource Center is a 20-year old national non-profit based in San Diego that provides identity-related remediation and support services to the public free of charge. In 2019 we handled more than 10,000 requests for service through our contact center and provided web-based services to an additional 548,333 people. In March 2020 alone, demand for web-based services increased 851 percent or ~413,000 first time visitors compared to the same month in 2019. That’s not a typo, and it reflects nine months of visitors in only three weeks.

Non-profit organizations provide essential services during a time of national emergency. Yet, the PPP appears to be unavailable to the ITRC at this time based on our financial institution’s criteria, not the SBA’s or Congress’ intent. And it’s not just us. I’m concerned that many non-profits will be unable to obtain assistance through PPP since it appears lenders are only taking applications from existing customers with existing loans. First-time loans and new customer applications are being denied.

When there is a decrease in funding in the ordinary course of business, a well-run non-profit doesn’t seek a loan; it scales back services until additional funding (donations, grants, etc.) is secured. Being denied access to the funds Congress has appropriated to prevent job and service reductions will inevitably lead to the very circumstance you sought to prevent.

How many non-profits will be able to jump the hurdles placed in front of them simply to apply for the PPP?  Close to zero, I suspect. The ITRC staff is working remotely and we are able to continue to provide victims with the assistance they need at a time of increased risk from cyberattacks and fraud scams. But, many other non-profits are not able to continue to provide support or will soon be unable to continue to operate without the help of PPP funds.

I want to make sure that our leaders are fully informed of these issues that aren’t top of mind during this crisis, but nonetheless remain important. Thank you for your time, attention, and interest.


Eva Casey Velasquez
President & CEO
Identity Theft Resource Center

ITRC is Available for Questions & Assistance

The Identity Theft Resource Center, based in San Diego, is operating at limited-capacity during the COVID-19 outbreak to ensure the health and safety of our staff, their families and the community. The ITRC will continue to assist individuals across the country who are victims of identity crime, data breaches and identity-based scams, including COVID-19-related scams.

We are here for individuals and businesses who may have questions or need assistance with identity crime or related issues. You can reach one of our expert advisors via our website Live Chat, toll-free phone number (888.400.5530) and email (itrc@idtheftcenter.org).

The University of Utah Health announced that it discovered two different data breaches that impacted patients’ personal data and medical records. The first University of Utah Health data breach gave hackers access to some employees’ email accounts, while a second one is believed to be linked to malware that was discovered on an employee’s computer.

In regards to the first University of Utah Health data breach, investigators believe phishing emails were the culprit. Phishing emails are nothing new—if someone has an email account, they have probably received one before—but the methods that hackers are using are constantly evolving. In the case of a professional setting, the phishing email could look like it comes from a trusted source, such as a third-party that the company does business with or even someone from within the company itself. These hacking attempts often instruct the recipient to enter their username and password to confirm their identity and re-establish their login.

Malware infections typically happen when someone installs the malicious software on their computer. Opening a harmful attachment in an email, downloading a suspicious file or clicking on a link that takes someone to a malicious website are just a few of the ways hackers can get consumers to fall into one of their traps. Once the malware is installed, the hacker can deploy it on the computer and use it to steal information.

The health center has begun notifying affected patients of the University of Utah Health data breach, but that process is still ongoing. If someone believes they might have been affected, they can reach out to the Identity Theft Resource Center (ITRC) for assistance and information. They can also take some of the following steps if they believe their information may have been compromised in this or any other data breach:

  1. Change your passwords on any sensitive accounts immediately.
  2. Place a freeze on your credit reports with the three major credit reporting agencies.
  3. Monitor your insurance statements carefully for the coming months to make sure no one has used your identity to seek medical treatment or prescriptions.

Victims can reach the ITRC toll-free at 888.400.5530. They can also live chat with an expert advisor that will help them create a customized plan that is tailored to their needs.

The holidays have passed and a new year is upon us. With that, New Year’s resolutions are beginning to surface. Some resolutions might include going to the gym every day, spending less time on social media or creating a budget you can actually stick to next year. While some of those resolutions might be more realistic than others, there are some practical resolutions you can make that will be even more beneficial. And it’s all based on protecting your identity…

In 2019, the Identity Theft Resource Center saw the number of data breaches reported continue to rise. In fact, the ITRC has now recorded over 10,000 data breaches since 2005, hitting the mark this past calendar year. 2019 also saw the announcement of large-scale data breaches like Capital One, and healthcare providers and insurance companies continue to be one of the hardest-hit targets, thanks to the overwhelming amount of personally identifiable information (PII) they gather.

So what is your New Year’s resolution heading into 2020? If you do not have one, or even if you do, consider making some 2020 identity theft New Year’s resolutions to make your personal data as safe as you can. You can protect your privacy through your simple, everyday habits.

Resolution One: Be Aware of What You Post on Social Media and What You Share

If you are connected online through any of the several social media platforms, you need to know how they work and how to keep your information private.

  • Enact practices that include not oversharing information and change your settings to private.
  • Use different passwords for each social media account.
  • Create strong and unique passwords, and enable two-factor authentication.

Resolution Two: Guard Your Data

One of your 2020 identity theft New Year’s resolutions should include keeping better tabs on your PII. Do not just turn over your Social Security number without asking why they need it and verifying their plans to protect it. A lot of organizations still ask for it simply out of habit. However, your SSN was designed as a tax identification number, and by law is not to be used for everyday identification purposes.

Resolution Three: Know the Latest Scams and Help Others Stay Alert Too

Fraudsters are always trying to find new ways to attack. That is why it is so important for consumers to stay up-to-date on all of the latest scams, fraud attempts and identity theft information. You can check in with the ITRC for the latest information by signing up for the TMI (Too Much Information) Weekly and following the ITRC on Facebook and Twitter. Once you know about the latest threats, you can help spread the word with friends and family.

Resolution Four: Adopt Good Cyber Hygiene Habits

While 2019 was the year of data, 2020 will be the year of privacy. That is one reason why your 2020 identity theft New Year’s resolutions should include good privacy habits. While data breach fatigue is a recognized phenomenon, the flip side is paranoia that makes you want to unplug and go off the grid. Neither is a solution. Rather, the solution is good privacy habits:

Resolution Five: Watch Out for Account Hacks from Credential Stuffing

In 2019 we saw numerous data breaches and account hacks from credential stuffing. Disney+ users saw their accounts sold online after hackers were able to infiltrate their accounts and change the passwords to lock users out. Earlier in the year, TurboTax announced a data breach that was caused by credential stuffing. Consumers need to be sure they are consistently changing their usernames and passwords to reduce the risk of credential stuffing and having any accounts hacked.

The unfortunate truth is that some identity theft crimes are unpreventable. However, these 2020 identity theft New Year’s resolutions are steps you can take that will reduce your risk of falling victim to identity theft and increase the likelihood of you spotting a problem quickly. The ITRC is always here to help. Call us toll-free at 888.400.5530 or live-chat with one of our advisors.

Being able to celebrate 20 years gives us an opportunity to reflect on the past, connect with our supporters and envision the future. Over the Identity Theft Resource Center’s twenty-year history, we have grown. From the vision of a single person, a victim, who wanted to provide support and help to others, to a collaborative movement engaged with consumers, victims, business and government stakeholders to make changes for victims. From using a single telephone in a home office, to a nationally recognized organization that has assisted hundreds of thousands of people through a variety of platforms on which they can engage with our team of expert advisors. And we will continue that upward moment of helping victims in their time of need.

As we celebrate 20 years, it is important for us to reflect upon the highs and lows (that all organizations face), together, in order to learn from our mistakes and celebrate our progress. In the victim assistance and consumer protection ecosystem, there has always been a struggle to prioritize resources and acknowledge the impact and trauma victims of economic crime experience. I feel an extraordinary sense of pride and accomplishment when I look in the rearview mirror at the progress the ITRC has made in changing that struggle. More policy- and decision-makers acknowledge the economic and social importance of serving the vastly underserved population of identity crime and cybercrime victims as a result of our efforts.

It’s also important while we celebrate 20 years to not only look at where we have been but also where we are headed. We live in a world where fraud losses are in excess of hundreds of millions of dollars per year and it shows no signs of decreasing. Margaret Thatcher famously said, “You may have to fight the battle more than once to win it.” We embrace that sentiment every day. Each and every victim that we help – every consumer that we educate – is victory over the larger fraud battle. Every organization that embraces cybersecurity best practices and acknowledges the need for protecting consumer data through our guidance, is a victory. Every policymaker in the country who makes reducing the impact and risk of identity crimes a priority, is a victory. The ITRC will continue to fight the battle every day until we win it.

While fraudsters are weaponizing our cyber infrastructure, the ITRC will continue to assist the weary soldiers and townsfolks caught up in the fray. We will empower you and hold your hand when you are too tired, scared, or simply don’t know what to do next. We will continue to leverage technology to assist victims and consumers. We will continue to be the sage voice in an ecosystem of conflicting and confusing information. We will continue to fight the battle every day until we win it.

Looking at both our past progress and the challenges that have yet to be overcome helps us to balance the feelings of impotence or discouragement when we face the Sisyphean task before us. Yes, there is much more work to be done, but we have come such a long way in the last 20 years. Celebrate 20 years with me in our tremendous progress and join me in the continued crusade for the rights of victims of economic crimes.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

The holidays are almost here, and for many people that means shopping. Unfortunately, scammers and hackers are already standing by to take advantage of consumers through data breaches and fraudulent activity, increasing the importance of holiday shopping safety. Before getting involved in this year’s estimated $1.1 trillion spending frenzy and the too good to be true online offers that go with it, it is important to understand what you can do to protect yourself and exercise holiday shopping safety.

Shop Online

A lot of people choose to skip the crowds and the chaos (and possible loss or theft of their wallets) by shopping online. However, in order to protect yourself from cyberthieves, you need to be prepared. If you are going to be establishing new accounts to make your purchases, do so before the big shopping holidays like Cyber Monday. Remember to use a strong, unique password, and enable two-factor authentication if it is offered.

Know Your Retailer

If you are already planning to shop online, exercise holiday shopping safety by choosing your retailers and making sure you are only using reputable websites. Look for the HTTPS designation at the beginning of the URL that indicates a secure website, and be sure that you have not been redirected to a website that has been made to look like the real thing. If you have received emails from companies that offer great deals, avoid clicking the links in the emails. Instead, go directly to the retailer’s website yourself and search for the item you are interested in.

Credit vs. Debit

Depending on which financial institution you use, your credit card may be more secure than your debit card. This is especially true if mysterious charges appear on your statement and you need to dispute those charges. Keep in mind that if you establish one credit card for all of your holiday shopping, it will be easier to reconcile any receipts and purchases later on. It may even help you stay on budget.

Computer Security

Before making any purchases online, exercise holiday shopping safety and make sure your computer itself is secure. Update your antivirus software and run a scan before starting your shopping in order to root out any harmful software that may be stealing your information.


If you are venturing out into brick-and-mortar stores for your holiday shopping, remember that public Wi-Fi can be problematic. A lot of retailers and restaurants offer free connectivity as an incentive to their customers. However, you cannot know who else is on the same connection. It could easily be a hacker who steals your information. Save your sensitive internet activity for your home connection.

Enable Alerts on Your Cards

If you have not already done so, contact your financial institution and enable alerts on your account. This is a very important holiday shopping safety tip. These alerts will arrive as a text message or email and will let you know immediately if your credit card number was used without the card being present, such as online. While you are enabling this feature, you might inform your credit card company if you plan to travel over the holidays so that your card is not declined for security reasons at your destination.

The Real Work Begins After the Holidays

Once the presents are shared and the decorations are put away, your work is not done. Monitor your accounts carefully for any signs of suspicious activity and take immediate action if you see any charges that should not be there.


Every year, consumers are cautioned to be extra careful when selecting toys on their holiday shopping list. There was a time when shoppers mostly worried about broken, damaged or otherwise physically unsafe toys. Perhaps there was even some concern about age-appropriateness or difficult assembly instructions. However, with more kids now using a wide array of technology-based presents, there are safety and privacy considerations to keep in mind while purchasing toys on your holiday shopping list for your nieces, nephews and children.

Over the past few years, various children’s gifts have later revealed privacy pitfalls that did not sit well with security experts, parents or child safety advocates. Everything from the potential for hacking and data breaches to establishing accounts using the children’s identifying information has become a red flag.

One very popular piece of kids’ tech, for example, has the possibility of being a parent’s worst nightmare. A smartwatch that is supposed to allow parents to pair the device to their own phones in order to keep up with their children sounds like a good idea on paper. However, the backend API for both the smartwatch and the mobile app that the parents downloaded to their smartphones turned out to be a wide-open space where anyone could access the children’s devices. Not only could someone physically locate the kids via their watches’ GPS, they could also initiate voice calls with the children. This was a perfect example of purchasing the wrong toys on your holiday shopping list.

As if that was not frightening enough, they could also change the parents’ passwords without having to go through their email accounts, lock the parents out of the account and then continue talking to the children. Someone could locate a nearby child, start up a conversation, prevent the parents from ever knowing about it and then tell the child where to meet them.

When shopping for toys on your holiday shopping list, it is important to know how any kind of children’s technology works before you buy it. Do you need to connect it to the internet for it to work, or just for it to download content? Does it require a parent’s account and children’s information as users? Is the child supposed to maintain the account? Does it incorporate password protection and two-factor authentication, or can anyone pick it up and look through its contents?

If you have the option to leave the internet connection and location settings turned off while in use, that may be safer. Of course, some items need both of those things in order to work properly. Be careful about giving a gift if the recipient is not ready for the responsibility of internet connectivity. Make sure you are communicating frequently about privacy and safety issues before purchasing any kids’ technology.
