This article has been updated as of November 2, 2020

Update 11/2/20 – According to the IRS, anyone who does not usually file a tax return, or did not file a tax return in 2018 or 2019, might not know if they qualify for an economic impact payment. Nearly nine million people that fall into this category will receive a letter from the IRS with information on how to register on their website to claim their payment, which has a deadline of November 21, 2020. The letter is legitimate. Anyone who receives one should either call the IRS directly at 800.919.9835 to register, or visit  

However, if anyone receives a phone call, text message or email from someone claiming to be the IRS and wants to help you receive your stimulus payment, hang up, do not respond, and do not click on any links or attachments. The IRS will not text, email or call about an economic impact payment. They will also never ask anyone to pay a fee to get their money.  

The IRS and it’s partners will do a final push on November 10, National EIP Registration Day, to reach out to people who do not normally file their taxes. To learn more about stimulus payments, visit the IRS website.  

This article was originally posted, April 14, 2020

The Treasury Department and the IRS continue towards getting consumers their stimulus checks due to the COVID-19 pandemic. With the distribution of stimulus checks underway, non-filers are now able to get their stimulus payments sooner thanks in part to an online tool that was created to help consumers that aren’t required to file tax returns. However, it is important non-filers know the proper steps to take to protect their personal data and information so they don’t fall for a stimulus check scam.

First, non-filers should go directly to the IRS website, Always start at the most trusted source.

Second, non-filers should click the tab that says “Non-Filers: Enter Payment Info Here.” If consumers do not see this tab on the front page, they are not on the right page.

Image of

Consumers should proceed to click on the “Non-Filers” tab. Once they click on the tab, it should take them to a page that has information on the “Economic Impact Payment” and additional information on what consumers need to provide and what they should expect. The next step is to, once again, click on the tab titled “Non-Filers: Enter Payment Info Here” that can be found in the middle of the page.

Image of

Once the tab is clicked on, visitors will be redirected to The redirect could feel like a scam. However, if the homepage looks like the one below, consumers are at the right place. (The ITRC has verified that this is a valid redirect)

Image of

From there all people have to do is hit “Get Started” to begin. Once a profile is created, non-filers will be asked for personal information like their Social Security number, address, dependents and direct deposit information. In this case, it is okay for consumers to provide sensitive information.

However, if anyone receives emails, text messages or phone calls about non-filers filing for a stimulus check, they should ignore it because it is probably a stimulus check scam. People should be going directly to the source, in this case, the IRS, to complete the process.

Since the stimulus package was merely a thought, scammers have increased their efforts around stimulus check scams. It is important for people to never give out personal information over the phone or to anyone they do not know personally. Also, it is important to know the facts. The IRS will not call anyone.

If people have questions regarding non-filers or stimulus check scams, they can live chat with an expert ITRC advisor. For those that cannot access the website, they can call the toll-free hotline (888.400.5530) and leave a message for an advisor. While the advisors are working remotely, there may be a delay in responding but someone will assist you as quickly as possible.

Read more of our latest educational information below

COVID-19 Pandemic Leads to Unemployment Benefits Identity Theft

IRS Stimulus Check Scams Ramp Up

Coronavirus Testing Robocalls See a Spike 

On November 3rd, citizens will cast their votes for governors, state officials, or members of Congress, either continuing to support the incumbent or opting to make a change with a new candidate. In any event, the work of campaigning and elections are big business…especially for scammers.

With so much discussion about the mid-term elections, thieves have launched a wide variety of election season scams to steal personally identifiable information, financial resources, or both.

1. Phishing attempts – Candidates and political parties rely on emails and phone calls to connect with voters, and scammers are using the same tactics. By posing as members of a campaign, scammers target their victims with phony donation requests, fake news articles that encourage them to click and input their information to read, and more. The goal in these scams isn’t just money, but also access to your personal data.

2. Donation requests – It takes a lot of money to put on an effective campaign, so political candidates often request donations, host fundraisers, and more. Thanks to online platforms, candidates or their team members can request money via social media and platforms like GoFundMe or PayPal. However, the natural mechanism that allows candidates to do that effectively also means a scammer can do it, too. Be on your guard for similar names, “patriotic”-sounding organizations, and issue or party-centric groups that are not actually affiliated with anyone campaigning.

3. Fake robocalls – There have already been reports of robocalls associated with particular candidates for promotional purposes, and remember, charitable organizations and political ads are two of the categories that are exempt from the Do Not Call registry. However, some of the robocalls have not only been spoofed or use stolen recordings of the candidates, but some of them have also even been highly offensive and designed to get the listener to interact.

So how are you supposed to protect yourself from elections season scams? By using the exact same good habits that are designed to keep you safe from scams throughout the year. Never give out your information or verify your identity to someone who contacts you; never make a spur-of-the-moment donation or spontaneously pay a fee, fine, or bill; remember that anyone can create an email account or website, and it doesn’t take any effort or know-how to copy or mimic an existing organization.

Keep your identity and your finances secure by being cautious about how you interact with the campaign process this year…and don’t forget to vote!

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Read next: “Vote By Phone” Scam

Natural disasters and large-scale emergencies are part of our reality, no matter how much we wish that weren’t true. Since you cannot prevent the next earthquake, wildfire, or hurricane, you can make sure you have a plan to be identity safe for when a disaster strikes.

While other knowledgeable sources will help you determine how much clean water or prescription medications you need to store, the Identity Theft Resource Center wants you to plan for a different emergency aspect: identity theft protection and fraud prevention during events like these.

Scammers Prey During Vulnerable Times

Identity theft is a threat when any disaster strikes. After a natural disaster, documents may be accessible to looters who can steal them and commit identity theft with your personal information.

The National Center for Disaster Fraud (NCDF) was created in 2005 to improve and further the detection, prevention, investigation and prosecution of fraud related to natural and human-made disasters, and to advocate for the victims of such fraud. Since their creation, they have had over 100,000 disaster fraud complaints.

Make a Plan

September is National Preparedness Month, and the Federal Trade Commission urges all people to make a plan.

In any emergency, you may have to prove your identity while also being cut off from access to your important papers. During the aftermath of a dangerous event, you may need to be able to access your funds and deal with insurance agents, contractors, maintenance specialists and more.

Secure and Access Your Documents and Funds

Your personal papers can play a strange role during a crisis. They are both proof that you are who you say you are, but they are also a hot commodity for scams, fraud and theft.

Keep them protected at all times, be able to access them in a crisis, but do not let them fall into the wrong hands.

Remember, if you’re evacuating in a sudden emergency like a house fire or flash flood, your documents are not necessary for receiving medical care, emergency housing or other basic needs.

However, there will be instances where you need to provide some proof. When planning your emergency supplies, consider including a small, password-protected flash drive that holds pictures of critical documents to keep yourself identity safe. You will not endanger your originals—or leave them stored unsafely when not needed—but you can call them up when the emergency has passed.

For every other time, make sure you secure your papers from harm and theft in a safe deposit box, home fire safe or another protected place.

As part of any preparedness plan, you need to know how you will get to your money and your insurance documents if you need them. Emergency medical services should be provided without documentation or money to those in crisis. Still, if you’re able to provide things like medical insurance cards for less serious issues, it might be helpful.

To stay identity safe, place your expired medical insurance cards in your preparedness items. That way, the hospital will at least have the information they need to contact your provider and verify your current coverage.

To be prepared, make sure your documents are always stored together in a safe place. If you need access to them, you can grab the entire bundle of birth certificates, marriage certificates, property deeds, Social Security cards and more.

If a disaster separates you permanently from your important papers, contact the proper authorities as soon as it’s safe and feasible to do so.

Beware of Scams

Scammers and fraudulent individuals use news of significant events as a gateway to target victims with everything from repair scams to fake government handouts.

If someone demands your driver’s license or Social Security card before they’re willing to provide assistance, you might be dealing with a scammer. Be careful about who you deal with after an event, and get all price quotes in writing before work begins.

If you are unsure or uncomfortable with anyone you encounter, even if they claim to be a state or federal emergency management official, do not give out your personal information. It will keep you identity safe when a disaster strikes.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Summer has arrived, and usually that signals summer vacations, fun in the sun and time to enjoy summertime events. With the COVID-19 pandemic still impacting people in many ways, some summer plans will look different. It won’t stop scammers from targeting victims, but 2020 summer scams could have a different spin than summer scams in years past.

Employment Scams

Typically, employment scams are a hot summer scam because teachers, school transportation drivers, high school/college students and residents of resort areas look to make some extra money in the summer months. While that may end up still being the case, employment scams could be a 2020 summer scam because over 40 million people are unemployed due to COVID-19 and areas are now loosening restrictions.

Some telltale signs that a job might not be genuine include high hourly rates for minimal work, requirements to pay for supplies and materials, offers that request consumers to provide their sensitive identity credentials (driver’s license or Social Security number) to apply and offers that contain misspellings, vague information or links to click and software to download.

Loyalty Account Scams

Travel is usually at its peak in the summer months as families and friends embark on their vacation plans. However, travel is down due to the coronavirus and it is unknown how many people will be willing to take the risks associated with traveling. That is why scammers may attack loyalty accounts.

A popular 2020 summer scam could end up preying on loyalty accounts because people are not flying and staying at hotels. If anyone receives a message regarding a loyalty account, they should ignore it and reach out to the proper company directly. However, scammers could still strike with too-good-to-be-true offers or create fake websites and steal photos of real properties to lure in their victims. Travelers should avoid any high-pressure (i.e. “Book NOW to receive”) opportunities or messages about their accounts and investigate thoroughly before proceeding.

Moving Scams

Summer is a popular time to move, whether it is recent graduates or families waiting for their kids to finish the school year. Moving scams can still strike at any time. That means moving scams may make a resurgence as a popular 2020 summer scam. There are many different types of moving scams, but some of them involve taking information including PII and payment card information; hidden fees and companies that change their names to circumvent bad reviews.

Ticket Scams

Outdoor concerts, music festivals and big-name concert tours are great summer fun. Ticket scams could be a popular 2020 summer scam. Not because there will be concerts, music festivals and sporting events going on, but because sports and other outdoor activities have many unknowns regarding how ticket sales and refunds will work. Scammers can take advantage of the confusion by overcharging for an event through a fake website that steals people’s information and selling a fake ticket. Scammers have sent messages previously regarding ticket refunds with links to click or files to download. People should only purchase tickets from trusted retailers. If anyone gets a message they are not expecting about a ticket sale or refund, they should ignore it and contact the retailer directly.

Social Media Scams

People’s Facebook accounts and Instagram accounts are also a target when the weather turns warm. Everything from romance scammers and phishing attempts to burglars who scope out who is not home based on their posts can lead to harm. COVID-19 romance scams are already making the rounds and scammers could continue to use that tactic.

People should be mindful of what they post online. Also, they should beware of friend requests from accounts they do not recognize or requests from people they thought they were already connected with (i.e., hacked or spoofed accounts). Finally, people should make sure they are not oversharing or giving away too many details to anyone who can see them. Remember, there are things on social media accounts that could be used to determine the challenge questions for other more sensitive accounts (date of birth, pet’s name, mother’s maiden name, etc.).

If anyone falls for a summer scam or potentially self-compromises their identity information, they can live-chat with an Identity Theft Resource Center expert advisor that will help guide them through the next steps to take. They can also call toll-free at 888.400.5530.

You might also like…




Video game giant Nintendo announced their investigation of a data breach after users began reporting suspicious activity. As part of the Nintendo data breach investigation, the company found that at least 300,000 accounts may have been compromised by unauthorized users due to an issue with legacy login procedures. On 4/29/2020 security provider SpyCloud announced that credential stuffing was the cause of the Nintendo data breach. However, Nintendo would not confirm or deny.

Legacy login systems allow longtime customers the ability to log into updated or revamped platforms for companies they have used in the past. Their old logins enable them to access a new site within the same company without having to create an entirely new account—or lose their previously stored information.

As Nintendo has gone through a variety of iterations over the years, Nintendo’s login system made sense for some time. For example, users who had created a Nintendo Network ID (NNID) for the 3DS system or Wii U did not have to establish brand-new Nintendo accounts now that they were Nintendo Switch owners. Unfortunately, due to the Nintendo data breach, the NNID legacy system was compromised by malicious actors, which allowed unauthorized access to certain accounts. This gave the hackers access to those users’ stored payment methods, including PayPal accounts and payment cards that were stored on file.

The card numbers and account numbers were not accessible. The only thing hackers could do with the cards was make purchases in the Nintendo system for things like V-Bucks, a virtual currency used in the game Fortnite. However, NNIDs that were linked to Nintendo accounts may have also compromised information like usernames, email addresses and birthdates, all of which can be used to target victims with spam, phishing attempts and ransomware.

The legacy NNID was being used to gain access to the current Nintendo network, which means current payment methods. That creates a single point of failure.

Due to the Nintendo data breach, the video game company launched a forced reset for the affected passwords and disconnected the ability to use an NNID to log into a Nintendo account. For all account holders, the company recommends activating two-factor authentication to protect these accounts. This incident serves as a reminder that old or reused login credentials can still be used for harm, and should, therefore, be protected and updated frequently or canceled if no longer used. If someone has been affected by the Nintendo data breach, they can call the Identity Theft Resource Center toll-free at 888.400.5530, or live chat with an expert advisor.

You might also like…




In what has become a common occurrence, another company—this time a credit card payment processing start-up —has suffered an accidental overexposure. A Paay data exposure left credit card details and transactions exposed for anyone to see. Accidental overexposures happen when a database of information is stored in an online or cloud-based server, then the information’s owner fails to protect it with a password. The result is the data housed in the database is open for anyone to discover online.

The New York-based processor acknowledged on April 3 that the incident happened after the data was discovered by a security researcher. The researcher contacted Tech Crunch for help in verifying the information and notifying the company so they could take protective steps. After further review, Paay discovered that the database involved had been unsecured for about three weeks, containing more than two million separate card transaction records dating back to September 2019.

One of the major factors in several data breaches recently is the failure to protect information that the company did not even realize they had. Experts have cautioned businesses to delete information they do not need to store and to stop collecting information that they do not need. In this case, it appears that Paay might not have been aware they stored credit card numbers and then failed to protect that data as a result.

Paay will issue data breach notification letters to the individual consumers whose numbers were left exposed in the Paay data exposure. While expiration dates were visible in this incident, no security codes or account holders’ names were compromised. In the event anyone’s card number was exposed, it is a good idea to contact their financial institution for a new card number. Those affected should also monitor their accounts closely for any suspicious activity and unauthorized transactions.

In the Paay data exposure or any other incident, anyone who suspects their identity has been used fraudulently should file a police report. If anyone needs further assistance, they can call the Identity Theft Resource Center toll-free at 888.400.5530, or live chat with an expert advisor. The ITRC also offers a free app for iOS and Android called the IDTheftHelp app, which offers resources, a location to store the steps victims have completed and the option to chat with an agent.

You might also like…




Canadian toymaker Ganz, owner and developer of the popular Webkinz platform for children, recently announced that a malicious, unauthorized actor had accessed 23 million usernames and passwords as part of the Webkinz data breach. The credentials accessed were the users’ platform account data, the majority of which are routinely accessed by young Webkinz users.

Webkinz is an online and app-based platform in which users “adopt” a virtual pet after buying its plush counterpart. The plush’s code is entered into the user’s account and the user can play with his/her pet online. The platform also features an arcade section with both entertainment-based and educational games that let the players earn virtual money to take care of their pets, design homes for them and more. One feature of the platform allows users to send pre-selected, approved phrases to each other and compete against one other in certain challenges. No information is shared or exchanged in those interactions.

The company’s statement indicated that usernames and hashed passwords (passwords that are a scrambled representation of themselves) were the only information accessed, but that does not mean there isn’t cause for concern. Hashed passwords can still be unencrypted if hackers have the means to do so. Reused passwords, or passwords that account holders use on multiple websites—especially in conjunction with the same email address that was used to create the account—can lead to the takeover of other accounts once hackers have compromised the first one.

While reusing passwords is convenient, it is more important now than ever that passwords are strong enough to withstand automated software that can make many password attempts per second, and that passwords are not used on more than one website or account.

The Webkinz parent company Ganz issued a statement on its website, notifying users of the incident. They recently launched a forced reset in response to the matter, but also recommend that users change their passwords on any other accounts where they may have used these same login credentials. A strong reminder for Webkinz users, especially those who used the platform as children but are now adults, that may be utilizing the same email/password combination.

It is not yet known whether or not the data compromised in the Webkinz breach is archived or active account information. However, in the company’s statement, they said they have not and do not collect more sensitive information.

The Webkinz data breach also highlights the importance of parents doing what they can to reduce their children’s risks online. Parents should make sure their kids are not oversharing information, teach them how to keep their information safe and talk to them about good internet behavior. If kids know how to spot a fake message online, to not click any links they do not recognize and limit the amount of information they share on their social media profiles, they will reduce their risk of falling victim to child identity theft.

If anyone believes they have fallen victim to identity theft, or have had their information exposed in the Webkinz breach, they can call the Identity Theft Resource Center toll-free at 888.400.5530 or live chat with an expert advisor on the next steps to take.

You might also like…




More than 7,000 businesses applying for emergency loans may have had their personal information exposed by a Small Business Administration (SBA) data exposure. The SBA’s failure to secure the data, which was discovered on March 25, was due to a programming error in the administration’s online application portal for Economic Injury Disaster Loans (EIDL).  

According to POLITICO, the application system may have disclosed personal information to other applicants of the program. Some of the personal information from the SBA data exposure may have included Social Security numbers, contact information, names, addresses and income amounts.

According to the SBA, the Paycheck Protection Program (PPP) was not affected because it began April 3 and is also handled by a separate online system. However, businesses that applied for an EIDL were notified about the Small Business Administration data exposure and have been offered one year of free credit monitoring services.

In a statement, the SBA said “We immediately disabled the impacted portion of the website, addressed the issue and relaunched the application portal. SBA continues to process applications submitted via email, paper and online.”

While exposing business data might not always rise to the same level of risk as personal data, personal and business data is often co-mingled when the business entity is a small business. Due to that, it is important that people impacted by the SBA data exposure protect both sets of data by freezing their personal and business credit if both are involved. The Identity Theft Resource Center (ITRC) also recommends those who could have been impacted monitor their accounts carefully for any suspicious activity, change the passwords for any accounts with sensitive information and to consider the free credit monitoring services that are being offered.

If anyone believes they are a victim of identity theft or have had their information exposed due to the Small Business Administration data exposure, they are encouraged to call the ITRC toll-free at 888.400.5530 or to live chat with an expert advisor. Advisors can help small businesses – who utilize a personal Social Security number – and consumers create an action plan that is tailored to their unique circumstances. Victims can also download the ITRC’s ID Theft Help App where they can track their steps in a customized case log. Documenting the process post-breach is more important now than ever with the recent requirements of victims to provide proof in order to receive compensation after a data breach settlement.

You might also like…




Scammers are looking to scare people into falling for a COVID-19 contamination scam that contains a link that is designed to steal personal information.  Scammers are sending potential victims a text message informing them that someone they know tested positive for the coronavirus. However, it is just a trap.

Who Is It Targeting: Text message users

What Is It: A phishing scam based on fears of COVID-19

What Are They After: Text message users have reportedly received alerts that someone they know has tested positive for COVID-19. The message instructs them to self-isolate immediately, and then to click the link for further information and action. However, it is all part of a COVID-19 contamination scam. Police have warned that the link is likely designed to steal people’s personal data.

How Can You Avoid It:

  • Stay informed; COVID-19 information is not yet being shared this way
  • Never click a link, download an attachment or open a file that you were not specifically expecting
  • Follow trusted sources like the CDC or your local EMA for accurate information on the virus

If you think you may be a victim of identity theft or a COVID-19 contamination scam, contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530 or live chat with an expert advisor. Find more information about current scams and alerts here. For full details of this scam check out this article from

You might also like…




With news of the economic hardship surrounding the containment of COVID-19, scammers are out in full force trying to get consumers to fall for CashApp scams by clicking on fraudulent and malicious links that could steal people’s money and identity.

Who Is It Targeting: Social media users, email recipients, text messaging platforms

What Is It: A phishing scam that claims to donate money to its victims

What Are They After: Like all newsworthy events, scammers have come up with a variety of ways to capitalize on the current concerns surrounding COVID-19 in order to steal money, identities or both. In this version, it is messages that offer the would-be victims’ free money via CashApp to help them through this difficult time with a link to participate. However, since it is a CashApp scam, the link is fraudulent and malicious and can lead to problems for anyone who follows it.

How Can You Avoid It:

  • No one will ever contact you out of nowhere to give you money
  • Never click a link, download a file or open an attachment that you were not expecting
  • Never input your login credentials for someone who requests them

If you think you may be a victim of identity theft or a CashApp scam, contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530, or live chat with an expert advisor. Find more information about current scams and alerts here. For full details of this scam check out this article from

You might also like…