Natural disasters and large-scale emergencies are part of our reality, no matter how much we wish that weren’t true. Since you cannot prevent the next earthquake, wildfire, or hurricane, you can make sure you have a plan to be identity safe for when a disaster strikes.

While other knowledgeable sources will help you determine how much clean water or prescription medications you need to store, the Identity Theft Resource Center wants you to plan for a different emergency aspect: identity theft protection and fraud prevention during events like these.

Scammers Prey During Vulnerable Times

Identity theft is a threat when any disaster strikes. After a natural disaster, documents may be accessible to looters who can steal them and commit identity theft with your personal information.

The National Center for Disaster Fraud (NCDF) was created in 2005 to improve and further the detection, prevention, investigation and prosecution of fraud related to natural and human-made disasters, and to advocate for the victims of such fraud. Since their creation, they have had over 100,000 disaster fraud complaints.

Make a Plan

September is National Preparedness Month, and the Federal Trade Commission urges all people to make a plan.

In any emergency, you may have to prove your identity while also being cut off from access to your important papers. During the aftermath of a dangerous event, you may need to be able to access your funds and deal with insurance agents, contractors, maintenance specialists and more.

Secure and Access Your Documents and Funds

Your personal papers can play a strange role during a crisis. They are both proof that you are who you say you are, but they are also a hot commodity for scams, fraud and theft.

Keep them protected at all times, be able to access them in a crisis, but do not let them fall into the wrong hands.

Remember, if you’re evacuating in a sudden emergency like a house fire or flash flood, your documents are not necessary for receiving medical care, emergency housing or other basic needs.

However, there will be instances where you need to provide some proof. When planning your emergency supplies, consider including a small, password-protected flash drive that holds pictures of critical documents to keep yourself identity safe. You will not endanger your originals—or leave them stored unsafely when not needed—but you can call them up when the emergency has passed.

For every other time, make sure you secure your papers from harm and theft in a safe deposit box, home fire safe or another protected place.

As part of any preparedness plan, you need to know how you will get to your money and your insurance documents if you need them. Emergency medical services should be provided without documentation or money to those in crisis. Still, if you’re able to provide things like medical insurance cards for less serious issues, it might be helpful.

To stay identity safe, place your expired medical insurance cards in your preparedness items. That way, the hospital will at least have the information they need to contact your provider and verify your current coverage.

To be prepared, make sure your documents are always stored together in a safe place. If you need access to them, you can grab the entire bundle of birth certificates, marriage certificates, property deeds, Social Security cards and more.

If a disaster separates you permanently from your important papers, contact the proper authorities as soon as it’s safe and feasible to do so.

Beware of Scams

Scammers and fraudulent individuals use news of significant events as a gateway to target victims with everything from repair scams to fake government handouts.

If someone demands your driver’s license or Social Security card before they’re willing to provide assistance, you might be dealing with a scammer. Be careful about who you deal with after an event, and get all price quotes in writing before work begins.

If you are unsure or uncomfortable with anyone you encounter, even if they claim to be a state or federal emergency management official, do not give out your personal information. It will keep you identity safe when a disaster strikes.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Summer has arrived, and usually that signals summer vacations, fun in the sun and time to enjoy summertime events. With the COVID-19 pandemic still impacting people in many ways, some summer plans will look different. It won’t stop scammers from targeting victims, but 2020 summer scams could have a different spin than summer scams in years past.

Employment Scams

Typically, employment scams are a hot summer scam because teachers, school transportation drivers, high school/college students and residents of resort areas look to make some extra money in the summer months. While that may end up still being the case, employment scams could be a 2020 summer scam because over 40 million people are unemployed due to COVID-19 and areas are now loosening restrictions.

Some telltale signs that a job might not be genuine include high hourly rates for minimal work, requirements to pay for supplies and materials, offers that request consumers to provide their sensitive identity credentials (driver’s license or Social Security number) to apply and offers that contain misspellings, vague information or links to click and software to download.

Loyalty Account Scams

Travel is usually at its peak in the summer months as families and friends embark on their vacation plans. However, travel is down due to the coronavirus and it is unknown how many people will be willing to take the risks associated with traveling. That is why scammers may attack loyalty accounts.

A popular 2020 summer scam could end up preying on loyalty accounts because people are not flying and staying at hotels. If anyone receives a message regarding a loyalty account, they should ignore it and reach out to the proper company directly. However, scammers could still strike with too-good-to-be-true offers or create fake websites and steal photos of real properties to lure in their victims. Travelers should avoid any high-pressure (i.e. “Book NOW to receive”) opportunities or messages about their accounts and investigate thoroughly before proceeding.

Moving Scams

Summer is a popular time to move, whether it is recent graduates or families waiting for their kids to finish the school year. Moving scams can still strike at any time. That means moving scams may make a resurgence as a popular 2020 summer scam. There are many different types of moving scams, but some of them involve taking information including PII and payment card information; hidden fees and companies that change their names to circumvent bad reviews.

Ticket Scams

Outdoor concerts, music festivals and big-name concert tours are great summer fun. Ticket scams could be a popular 2020 summer scam. Not because there will be concerts, music festivals and sporting events going on, but because sports and other outdoor activities have many unknowns regarding how ticket sales and refunds will work. Scammers can take advantage of the confusion by overcharging for an event through a fake website that steals people’s information and selling a fake ticket. Scammers have sent messages previously regarding ticket refunds with links to click or files to download. People should only purchase tickets from trusted retailers. If anyone gets a message they are not expecting about a ticket sale or refund, they should ignore it and contact the retailer directly.

Social Media Scams

People’s Facebook accounts and Instagram accounts are also a target when the weather turns warm. Everything from romance scammers and phishing attempts to burglars who scope out who is not home based on their posts can lead to harm. COVID-19 romance scams are already making the rounds and scammers could continue to use that tactic.

People should be mindful of what they post online. Also, they should beware of friend requests from accounts they do not recognize or requests from people they thought they were already connected with (i.e., hacked or spoofed accounts). Finally, people should make sure they are not oversharing or giving away too many details to anyone who can see them. Remember, there are things on social media accounts that could be used to determine the challenge questions for other more sensitive accounts (date of birth, pet’s name, mother’s maiden name, etc.).

If anyone falls for a summer scam or potentially self-compromises their identity information, they can live-chat with an Identity Theft Resource Center expert advisor that will help guide them through the next steps to take. They can also call toll-free at 888.400.5530.

You might also like…




Video game giant Nintendo announced their investigation of a data breach after users began reporting suspicious activity. As part of the Nintendo data breach investigation, the company found that at least 300,000 accounts may have been compromised by unauthorized users due to an issue with legacy login procedures. On 4/29/2020 security provider SpyCloud announced that credential stuffing was the cause of the Nintendo data breach. However, Nintendo would not confirm or deny.

Legacy login systems allow longtime customers the ability to log into updated or revamped platforms for companies they have used in the past. Their old logins enable them to access a new site within the same company without having to create an entirely new account—or lose their previously stored information.

As Nintendo has gone through a variety of iterations over the years, Nintendo’s login system made sense for some time. For example, users who had created a Nintendo Network ID (NNID) for the 3DS system or Wii U did not have to establish brand-new Nintendo accounts now that they were Nintendo Switch owners. Unfortunately, due to the Nintendo data breach, the NNID legacy system was compromised by malicious actors, which allowed unauthorized access to certain accounts. This gave the hackers access to those users’ stored payment methods, including PayPal accounts and payment cards that were stored on file.

The card numbers and account numbers were not accessible. The only thing hackers could do with the cards was make purchases in the Nintendo system for things like V-Bucks, a virtual currency used in the game Fortnite. However, NNIDs that were linked to Nintendo accounts may have also compromised information like usernames, email addresses and birthdates, all of which can be used to target victims with spam, phishing attempts and ransomware.

The legacy NNID was being used to gain access to the current Nintendo network, which means current payment methods. That creates a single point of failure.

Due to the Nintendo data breach, the video game company launched a forced reset for the affected passwords and disconnected the ability to use an NNID to log into a Nintendo account. For all account holders, the company recommends activating two-factor authentication to protect these accounts. This incident serves as a reminder that old or reused login credentials can still be used for harm, and should, therefore, be protected and updated frequently or canceled if no longer used. If someone has been affected by the Nintendo data breach, they can call the Identity Theft Resource Center toll-free at 888.400.5530, or live chat with an expert advisor.

You might also like…




In what has become a common occurrence, another company—this time a credit card payment processing start-up —has suffered an accidental overexposure. A Paay data exposure left credit card details and transactions exposed for anyone to see. Accidental overexposures happen when a database of information is stored in an online or cloud-based server, then the information’s owner fails to protect it with a password. The result is the data housed in the database is open for anyone to discover online.

The New York-based processor acknowledged on April 3 that the incident happened after the data was discovered by a security researcher. The researcher contacted Tech Crunch for help in verifying the information and notifying the company so they could take protective steps. After further review, Paay discovered that the database involved had been unsecured for about three weeks, containing more than two million separate card transaction records dating back to September 2019.

One of the major factors in several data breaches recently is the failure to protect information that the company did not even realize they had. Experts have cautioned businesses to delete information they do not need to store and to stop collecting information that they do not need. In this case, it appears that Paay might not have been aware they stored credit card numbers and then failed to protect that data as a result.

Paay will issue data breach notification letters to the individual consumers whose numbers were left exposed in the Paay data exposure. While expiration dates were visible in this incident, no security codes or account holders’ names were compromised. In the event anyone’s card number was exposed, it is a good idea to contact their financial institution for a new card number. Those affected should also monitor their accounts closely for any suspicious activity and unauthorized transactions.

In the Paay data exposure or any other incident, anyone who suspects their identity has been used fraudulently should file a police report. If anyone needs further assistance, they can call the Identity Theft Resource Center toll-free at 888.400.5530, or live chat with an expert advisor. The ITRC also offers a free app for iOS and Android called the IDTheftHelp app, which offers resources, a location to store the steps victims have completed and the option to chat with an agent.

You might also like…




Canadian toymaker Ganz, owner and developer of the popular Webkinz platform for children, recently announced that a malicious, unauthorized actor had accessed 23 million usernames and passwords as part of the Webkinz data breach. The credentials accessed were the users’ platform account data, the majority of which are routinely accessed by young Webkinz users.

Webkinz is an online and app-based platform in which users “adopt” a virtual pet after buying its plush counterpart. The plush’s code is entered into the user’s account and the user can play with his/her pet online. The platform also features an arcade section with both entertainment-based and educational games that let the players earn virtual money to take care of their pets, design homes for them and more. One feature of the platform allows users to send pre-selected, approved phrases to each other and compete against one other in certain challenges. No information is shared or exchanged in those interactions.

The company’s statement indicated that usernames and hashed passwords (passwords that are a scrambled representation of themselves) were the only information accessed, but that does not mean there isn’t cause for concern. Hashed passwords can still be unencrypted if hackers have the means to do so. Reused passwords, or passwords that account holders use on multiple websites—especially in conjunction with the same email address that was used to create the account—can lead to the takeover of other accounts once hackers have compromised the first one.

While reusing passwords is convenient, it is more important now than ever that passwords are strong enough to withstand automated software that can make many password attempts per second, and that passwords are not used on more than one website or account.

The Webkinz parent company Ganz issued a statement on its website, notifying users of the incident. They recently launched a forced reset in response to the matter, but also recommend that users change their passwords on any other accounts where they may have used these same login credentials. A strong reminder for Webkinz users, especially those who used the platform as children but are now adults, that may be utilizing the same email/password combination.

It is not yet known whether or not the data compromised in the Webkinz breach is archived or active account information. However, in the company’s statement, they said they have not and do not collect more sensitive information.

The Webkinz data breach also highlights the importance of parents doing what they can to reduce their children’s risks online. Parents should make sure their kids are not oversharing information, teach them how to keep their information safe and talk to them about good internet behavior. If kids know how to spot a fake message online, to not click any links they do not recognize and limit the amount of information they share on their social media profiles, they will reduce their risk of falling victim to child identity theft.

If anyone believes they have fallen victim to identity theft, or have had their information exposed in the Webkinz breach, they can call the Identity Theft Resource Center toll-free at 888.400.5530 or live chat with an expert advisor on the next steps to take.

You might also like…




More than 7,000 businesses applying for emergency loans may have had their personal information exposed by a Small Business Administration (SBA) data exposure. The SBA’s failure to secure the data, which was discovered on March 25, was due to a programming error in the administration’s online application portal for Economic Injury Disaster Loans (EIDL).  

According to POLITICO, the application system may have disclosed personal information to other applicants of the program. Some of the personal information from the SBA data exposure may have included Social Security numbers, contact information, names, addresses and income amounts.

According to the SBA, the Paycheck Protection Program (PPP) was not affected because it began April 3 and is also handled by a separate online system. However, businesses that applied for an EIDL were notified about the Small Business Administration data exposure and have been offered one year of free credit monitoring services.

In a statement, the SBA said “We immediately disabled the impacted portion of the website, addressed the issue and relaunched the application portal. SBA continues to process applications submitted via email, paper and online.”

While exposing business data might not always rise to the same level of risk as personal data, personal and business data is often co-mingled when the business entity is a small business. Due to that, it is important that people impacted by the SBA data exposure protect both sets of data by freezing their personal and business credit if both are involved. The Identity Theft Resource Center (ITRC) also recommends those who could have been impacted monitor their accounts carefully for any suspicious activity, change the passwords for any accounts with sensitive information and to consider the free credit monitoring services that are being offered.

If anyone believes they are a victim of identity theft or have had their information exposed due to the Small Business Administration data exposure, they are encouraged to call the ITRC toll-free at 888.400.5530 or to live chat with an expert advisor. Advisors can help small businesses – who utilize a personal Social Security number – and consumers create an action plan that is tailored to their unique circumstances. Victims can also download the ITRC’s ID Theft Help App where they can track their steps in a customized case log. Documenting the process post-breach is more important now than ever with the recent requirements of victims to provide proof in order to receive compensation after a data breach settlement.

You might also like…




The IRS has started distributing stimulus check payments to the nearly 140 million Americans that are eligible. While many have received their stimulus payment through direct deposit, according to CNN, 60 million Americans are still waiting for their money.

The IRS created a portal in hopes that people would be able to check the status of their stimulus check payment. However, due to overload and glitches being worked out, the website has not worked for everyone.

One reason why people might not have received their stimulus check payment is because they are victims of tax identity theft. However, there are many other reasons why people might not have received their payment that they should explore first:

1. People who are not normally required to file a tax return. Individuals who make less than $12,200 a year (or less than $24,400 for married couples) are generally not required to file a tax return. For the process of receiving a stimulus check payment, these people have to enter their information into a new IRS portal to get their money.

2. Someone’s refund went to a temporary account that was set up by a tax preparer. According to a report by WALA-TV, when people use tax preparation services, sometimes a temporary account is set up to handle the transactions, which could lead to a longer wait for a stimulus check payment.

3. Not everyone got a federal tax refund in 2018 or 2019. Some consumers did not get a refund after their last two tax filings. In fact, if someone owed taxes the last two years, they could still qualify for the stimulus. Only consumers who received a refund from the IRS to a direct deposit account will be processed for stimulus direct payment.

4. Some people’s refunds might have gone to an old bank account. This could happen if someone filed their 2018 tax return with bank account formation that is no longer valid and has yet to file a 2019 tax return. For people who have not filed their 2019 tax returns, the IRS is using information from their 2018 tax refunds.

5. Some people might have filed a paper return in 2019. People who filed their taxes with paper returns will mostly receive their stimulus check by mail because the IRS has stopped processing paper returns until they can reopen their centers.

6. It has been seized by a private debt collector. If someone owes money for private student loans, credit cards or medical bills, their stimulus check could be at risk. The CARES Act does not restrict private debt collectors from taking the check to pay off debt.

7. If there is anyone who does not fall under any of the categories listed above, they could be a victim of tax identity theft. The Identity Theft Resource Center (ITRC) is receiving calls and live chats from victims claiming their stimulus checks were intercepted. According to the Treasury Inspector General for Tax Administration, the agency has already begun to see scammers pose as the IRS to get personal information from payment receipts they can use to steal money. While the IRS Criminal Investigation Unit is doing what they can to combat the problem, they have seen scams that are preying on vulnerable individuals who are not sure how they will get their stimulus check payment.

To avoid falling victim to tax identity theft due to the stimulus check, consumers are urged to not respond to any messages they receive that they are not expecting. Instead, they should contact the company, organization, or entity directly to verify the validity of the message. Also, it is important for people to stay informed about what is happening. The IRS will not contact anyone asking for personal information. If someone receives a phone call, email or text message claiming to be the IRS, it is probably a scam.

If anyone thinks their stimulus check landed in the hands of a thief, they can visit to get started on a personal recovery plan.

If someone believes they are a victim of tax identity theft, they can live chat with an ITRC expert advisor. They can also call toll-free at 888.400.5530. Callers are encouraged to leave a message due to advisors working remotely. However, they will return calls as quickly as they can.

You might also like…




It is more important than ever that consumers use strong security questions with strong security answers on their online accounts. With most people home due to the COVID-19 pandemic, more consumers are required to shop online to do their food and household purchasing. That means a lot of online accounts have been and will continue to be created. One common step in creating an online account is picking a security question in case the creator of the account cannot remember their password. It is meant to be another layer of security for the authentication process.

While this alternative way of identifying customers can be very useful, it could also put more personal information at risk of compromise should the company fall victim to a data breach. For example, if someone selected “What are the last four digits of your Social Security number?” as their security question and provided that credential as the answer and the company’s online user database was breached, hackers could have that piece of personal information to use to flesh out more details of the person’s identity credentials.

However, there are things people can do to keep themselves safe while using strong security questions as another form of authentication.

When creating an answer to a security question, the response doesn’t have to be the exact answer. In fact, the Identity Theft Resource Center would encourage people that are signing up for online shopping, and other non-sensitive online accounts, to provide alternative answers. Doing so creates a strong security answer because it would be nearly impossible for anyone to research or guess. For example, if “What is my mother’s maiden name?” was selected as a security question, using an alternative like their mother’s nickname or some other name doesn’t give away a very valuable component of your security question. The answer should be stored in a password manager or on a piece of paper that is securely locked away.

With that said, creating alternative answers to security questions should only apply when someone is creating an account for a business or institution that doesn’t require highly sensitive information to verify their identity. If someone was creating security questions and answers for an account with a bank, lending institution or medical provider that uses that information to authenticate the user’s identity, they would want to provide accurate answers because the answers could be used to verify identity.

Some other tips to keep in mind while trying to pick strong security questions include:

  • Select a security question that cannot be guessed or researched over the internet, social media profiles, etc.
  • Select a security question that will not have to be changed over time
  • Select a security question that is easy to answer, but not obvious to others or easily researched
  • Select a security question with a precise answer that does not create confusion

Users should make sure they are selecting strong security questions that will keep them safe. They should not be afraid to use alternatives for the answer if it will protect identity credentials. People should also make sure their answers are as strong as their passwords. People can do their part to protect themselves and shop online for all the things they need to get through the COVID-19 pandemic, and beyond.

For more information about protecting your online accounts, contact the Identity Theft Resource Center to live chat with an expert advisor or call toll-free at 888.400.5530.

You might also like…


Schools, businesses and individuals are making drastic changes right now due to concerns surrounding COVID-19. Some of the protective measures, such as social distancing and self-isolation, translate to technology picking up the slack to keep businesses and education moving forward. However, that is leading to privacy issues particularly around kids using technology not originally intended to be utilized in the new manner many have taken to using some platforms.

One platform stepping in to fill the need is Zoom, a videoconferencing tool that allows users to talk, video chat, instant message and even screen-share in real-time. This long-time business tool is now being used for everything from online classes to social get-togethers, but malicious users have already figured out how to crash virtual meetings.

A new practice, known as “zoom-bombing,” happens when an uninvited user works their way into a user’s Zoom session and causes a disruption. Reports so far have included “bombers” dropping in and writing racial slurs across the screen, posting pornographic images for all the viewers to see and more.

Zoom was created to allow businesses to communicate quickly, effectively and on-the-go. Because of that, creating an account was set up to be very simple and does not require much authentication. Now that more people are using the platform, including teachers for grades K-12, and finding creative uses for this tool, the concern about privacy, and especially that of children, is even more real.

In fact, some Zoom conferences hosting children have already been compromised. Recently a Zoom conference with students from the Orange County Public School System in Florida was disrupted after an uninvited guest exploited himself to the class. In Boston, a group of students shared inappropriate content.

Zoom is working on a fix that will help stop intrusions and increase security, particularly child privacy, making it important that users download any updates issued by Zoom. Before using the platform, users can also take precautions by changing the default security settings. That includes updating the use of a password to enter the conference, using the “waiting room” feature to screen participants and only allowing authenticated users to join the meeting.

Users can also be more aware of how they are engaging with other people with their Zoom accounts. Ultimately, the platform relies on each user making smart decisions about how they are sharing their meeting rooms. Some child privacy aspects to consider:

  • Making sure to not share meeting invites with others on public profiles, such as inviting others to attend on social media
  • Teachers hosting Zoom meetings are encouraged to change the platform’s default settings before each session

This is an important reminder that this type of technology, especially platforms that function online and are accessible by other users, can have serious privacy ramifications. As many public schools and activity groups are now using Zoom to interact with children, it is even more important that users understand how to protect themselves. Parents should make it a habit to remain nearby while their children are on Zoom in order to end the session immediately if something unexpected takes place.

To increase child privacy, parents are encouraged to talk to their kids about proper online conduct before any virtual meeting. It is also recommended that if someone’s child is going to interact with other children on Zoom, parents should remind their kids that the same rules that apply in the classroom – or other in-person meetings – apply on Zoom.

If people have questions regarding their privacy on social media or accounts, they can live chat with an expert ITRC advisor at no-cost.

You might also like…

Financial Database Leak Leads to Over 500,000 Documents Exposed Online

Canon Data Breach Leads to General Electric (GE) Employee Information Being Exposed

COVID-19 Romance Scams Begin to Make the Rounds

Two financial companies that appear to be connected were the apparent leakers of a financial database leak of important client and employee data. The database was linked to the MCA Wizard app, which was created by Argus and Advantage. According to vpnMentor, who discovered the unsecured information online, Argus and Advantage had stored more than 500,000 sensitive documents—many of them financial records or personally identifiable information—in an Amazon Web Services S3 storage bucket. These cloud-based servers allow companies to store data off-site and access it remotely. However, as many other companies have learned, the security protocols are not automatic. That means the S3 bucket is not automatically password protected or requires other security steps.

The information that the security researchers discovered from the financial database leak contained a wide variety of uploaded documents. Credit reports, driver’s licenses, tax returns, bank account information and access, Social Security information and much more was included in the database, which was discovered in December of 2019. Since the date of the discovered financial database leak, the researchers saw new information added to the compromised database.

Attempts to reach the companies were also unsuccessful. VpnMentor was unable to find contact information for one of them, and emails to the other company came back as undeliverable. The only recourse was to contact Amazon Web Services, who was eventually able to take down the database.

There has been no word yet on data breach letters being issued due to the financial database leak or if any malicious hackers accessed the database before it was taken down. Potentially, anyone who thought to look for it was able to access the entire cache of information, which is how the researchers discovered it. In the meantime, there are steps that consumers can take if they are concerned that they have done business with these companies or their information might have been included in the compromised database.

  1. Victims should place a freeze on their credit report with the three major reporting agencies.
  2. People should sign up for alerts from their financial institution that will notify them of activity on their accounts.
  3. It would be encouraged for people to change the passwords on any sensitive accounts.
  4. Victims should enable two-factor authentication on important accounts.
  5. People should monitor their accounts closely for signs of unusual activity and report those incidences if they see anything suspicious.

If someone believes they are a victim of either the Advantage or Argus financial database leak, they are encouraged to contact the Identity Theft Resource Center through the website to live chat with an expert advisor. For those that cannot access the website, they can call the toll-free hotline (888.400.5530) and leave a message for an advisor. While the advisors are working remotely, there may be a delay in responding but someone will assist victims as quickly as possible.

You might also like…

New Marriott Breach Affects Over Five Million Guests

Covid-19 Romance Scams Begin to Make the Rounds

Are you an IRS non-filer? Tips to Avoid a Stimulus Check Identity Scam