The risk of sensitive personal data leaks is higher than ever, fueling identity theft, phishing attacks, financial account hijacks, and scams. It’s also a time when nation-backed hackers skillfully target critical infrastructure like mobile networks. A major hack revealed last year led the FBI to advise trusting only end-to-end encrypted communications.
No security is foolproof against a determined attacker, but you can make yourself a harder target. Nancy and I have so far avoided major cybercrimes but have faced fraud attempts.
One stemmed from a non-profit’s security breach that exposed our personal data from background checks. Freezing our credit records avoided a lot of misery.
In the past, many HumbleDollar readers could just avoid the online world and hope for the best. Today, hope is not a plan. Avoiding the online world may now place you at more risk.
Failing to create secure online accounts – like with the IRS or Social Security – only makes it easier for criminals to impersonate you because so much more personal data has become available on the dark web. The National Public Data breach last year was allegedly large and damaging. Troy Hunt’s excellent site will show if you were likely affected.
The IRS, for instance, has a backlog of 470,000 open fraud cases from fake tax returns for fraudulent refunds. Who suffers in situations like this? You do, when you try to file your legitimate tax return after a scammer used your identity, whether you file with paper or electronically. This kind of cybercrime is easier to avoid if you’ve already created an IRS.gov account and secured it well.
Ready to boost your security? Follow this Sweet 16 checklist – an hour a week, and in a month or two, you’ll be far better protected. If tech isn’t your strength, ask a trusted friend or family member for help.
Online Account Security
- Use a Password Manager – Replace weak passwords with strong, unique ones. Apple, Google, and Microsoft offer free built-in managers, while cross-platform options like Dashlane work across all major operating systems (OS) and web browsers. Good password managers also simplify digital estate planning.
- Enable Two-Factor Authentication (2FA) – Start with your password manager, then secure critical accounts: your cell phone provider, email, banking, and investments. Email is crucial for password resets, and securing your cellular account helps prevent SIM swapping.
- Freeze Your Credit – Lock your credit at Equifax, Experian, and TransUnion for free. Temporarily lift a freeze when needed. Store your freeze PIN securely in your password manager or a home safe.
- Freeze ChexSystems Data – Banks use ChexSystems to verify new accounts. A freeze here lowers your risk of bank account hijacking.
- Get an IRS IP PIN – This newer IRS Identity Protection PIN differs from e-filing PINs: it makes it harder for anyone else to file a return in your name. Enroll first in ID.me for identity verification, then activate the IP PIN on IRS.gov. The IRS generates a new, unique PIN each year for filing.
- Secure Your Social Security Account – Create a Login.gov account, then register on SSA.gov to prevent fraudsters from claiming your benefits before you do.
- Upgrade Your 2FA – Move beyond basic SMS/email codes to more secure methods:
  - Hardware passkeys like YubiKeys
  - Biometric passkeys (FaceID or TouchID)
  - Passkeys, or
  - An authenticator app (ensure it has backup/restore capability to avoid lockouts when changing phones)
Device Security
- Install Security Updates Promptly – Update your OS, browser, and apps as soon as updates are available. Security flaws are often patched before they become widely known, but once a flaw is revealed, attackers begin exploiting it within hours.
- Replace Unsupported Devices – If your device no longer receives updates, it’s a security risk. Even hardware has vulnerabilities, and manufacturers release firmware updates to mitigate them. Most devices get 5-7 years of support—when yours stops, upgrade.
Networking Security
- Secure Your Wi-Fi – Enable password protection on your home network. Use a password manager to generate a long, random Wi-Fi password and securely share it with family.
- Change Default Admin Passwords – If you own your router or networking gear, replace the default admin password. If updates aren’t automatic, set a calendar reminder to check for updates twice a year.
- Use Encrypted Communication – Apple and Google encrypt calls/chats only when both parties use the same OS. For highly sensitive conversations, use WhatsApp or Signal for end-to-end encryption.
Avoiding Scams
- Never Click Links in Emails or Texts – Instead, go directly to the official app or website. If the request is legitimate, you’ll find notifications or secure messages there. This prevents attackers from stealing your login credentials.
- Use Call Screening Tools – Enable scam/spam filters on your phone. Cellular providers offer free tools:
  - AT&T: Active Armor
  - Verizon: Call Filter
  - T-Mobile: Scam Shield/Scam Block
- Learn Scam Prevention Tips – AARP offers 25 tips to help members avoid scams.
- Check AARP’s Scam-Tracking Map – Check this free Scam-Tracking Map to see scams in your area. Report your own scam close calls to help others.
Looks like iOS 19 may support end-to-end encryption using RCS 3.0 with Android devices, a positive step if true for folks who prefer Apple’s iMessage over 3rd party apps like Signal or WhatsApp:
https://www.macrumors.com/2025/03/15/ios-19-rcs-upgrades/
Beware the innocent looking barcode and QR code. You see them in many ads, etc. offering a fast way to get more information. You really have no idea where it actually takes you once you scan it. A(nother) scam:
Do NOT scan any mystery gift. There is apparently a new scam out there, and it’s exceptionally dangerous.
Here’s how it works.
Victims receive a mystery package from an unknown party complete with your name, information and official looking packaging from one of the biggies – think Amazon, Walmart etc – and in it there’s a card saying you’ve received a gift.
But you don’t know who sent it.
So, naturally, the very same note invites you to scan the QR code included at which point everything on your device is compromised… names, contacts, credit cards, accounts, links etc.
Ace analyst Hayley also tells me as I type that a variation of this is being used in England where criminals are putting fake QR codes over the top of legitimate QR codes at car parks. So, it’s a bonus – you get your money stolen and a fine from the authorities.
From, “Five With Fritz”.
A few days after “Hope is not a plan” was posted here, news hit that Bank of America had lost customer data.
I was a Certified Information Systems Security Professional (CISSP) for a while, which is perhaps the cybersecurity equivalent of a CFA in the financial world. I worked in security for Amazon, AOL, MITRE/DoD, and others. A year ago, I retired from Palo Alto Networks, which is a large security-only vendor.
During my second job in security at BankOne (now part of Chase), I entered with the belief that “surely, at a top 5 bank, security is taken seriously for its own sake.” However, I learned that the huge staff-up that I was part of, complete with Ernst & Young consultants flying in weekly from New York, was about checklist compliance.
That’s where I started to stop believing.
I later developed an open-source security tool with contributions from a tech director at the NSA and the senior VP of security at Cisco, who is now an angel investor. I also published an Internet “Standard” (IETF RFC), which launched a security working group that has been active for over 20 years, driving international industry security standards.
So, back to “Hope is not a plan.” The list of suggestions is all good, and I thank David for compiling and posting it. Awareness and education are very important parts of cybersecurity. I may add some of them to my personal practices and encourage readers here to do so as well.
Just don’t confuse “doing something” with being secure.
BankOne had a very well-funded security program when I was there, and I’m sure Bank of America is similarly equipped today. The same was probably true for the US Government Office of Personnel Management when it lost sensitive background investigation data for top secret clearances. Equifax lost credit score data on 147 million Americans (almost certainly yours). “And the beat goes on, and the beat goes on…”
Cybersecurity can be a fun hobby. You can make a living at it. It’s essential to get the basics right. However, even with my professional background, I can’t single-handedly fend off all the hackers (and sheer stupidity) out there, especially as I age.
Considering this, transferring risk may be the most rational approach:
– Move my money into a trust
– Allow an investment firm to manage my assets
– Explore insurance options
– Pay a large lump sum to a CCRC and forget about it (and maybe everything else if I have to go the memory-care route).
Much as I like the tech end of cybersecurity, it’s no longer my life. I’m going to do other things with my time and energy, like hiking and booking our family trip to Europe.
The biggest challenge in security is its asymmetry: attackers face little accountability, while defenders must be nearly perfect. Still, hope isn’t a strategy—preparation is essential, not just for protection but also for financial restitution after a loss.
Glad to hear you’re living the life you want! Best wishes for a smooth and memorable trip.
You bring up a particularly good point when you said “…but also for financial restitution after a loss”. Investment firms like Vanguard and Fidelity have posted their customer requirements to be eligible for restitution after a loss. It’s prudent for an account owner to review those requirements and assure themselves they’re meeting them. For example, Vanguard expects the account owner to “regularly” monitor their account and Fidelity expects the account owner to “frequently” monitor their account. Of course, they both list additional account owner responsibilities as well that must be met to qualify for restitution after a loss.
Very interesting information. OldITGuy, can you share a link for where Vanguard states its policy on this? I’ve looked around a little and can’t locate it. Thanks.
Update: I found it: Security Center | Vanguard. Click on “Our promise”.
Yep. Here’s a link straight to it: Security Center | Vanguard
Here’s one for Fidelity: Fidelity Customer Protection Guarantee
Thanks!
OldITGuy is spot on. Little has changed since 2021 when I wrote: “Who bears the cost of these sorts of incidents is highly dependent on circumstances. There’s little consistency in cybercrime fraud policies across mutual fund and brokerage firms, and no industry-wide insurance system that pools risk and reimburses losses. Investment firms aren’t keen to bear the full burden of liability unless you’ve used certain security features on their site—many of which are off by default. This feels a bit like an automaker that sells cars with seat belts and airbags that are optional, and then accuses customers injured in car crashes of negligence.”
And you’re going to read the fine print and stay on top of things that take them an army of lawyers to create? As you age and your mental abilities decline? You’re going to stay on top of the latest phishing campaigns and known vulnerabilities (let alone 0-day exploits) in the devices you use? I couldn’t keep up when I was in the industry and it was my job.
What’s the bigger risk? Poor investment returns due to the bite of AUM or trust fees etc., or you getting duped?
ID.me works for the SSA now too.
Nice! That must be a relatively recent addition.
I had to use login.gov for the CBP’s Trusted Traveller program, so was happy switching to use it with SSA.gov.
Both work. I have ID.me and my wife uses Login.gov. I needed ID.me to apply for NJ’s property tax rebate programs.
I’m curious to know: in our HD community are you currently using a password manager, or not, and, briefly why?
I use https://keepassxc.org/ on Linux. Quite good. Browser integration. Built in TOTP if you like. Integrated with YubiKey. No data in the cloud.
Bitwarden works well for me.
I’m using 1password which I’m pretty happy with. I use one simply because I believe, all things considered, a high quality password manager is the safest approach to managing unique passwords and unique usernames.
David, I used the Roboform free version for many years. I recently upgraded to the Premium version for $20/yr. and it syncs across my laptops. It works well and is simple enough for a non-tech guy like me to use.
David: I have used the Keeper password manager for going on 10 years just to avoid the potential for others to steal from our accounts. Costs me about $30 a year, but it is well worth the price and is easy to use.
Great list, thanks, David.
I’d add to yours and the comments below: create user names whenever possible that are difficult to guess, to act as de facto secondary passwords. The four financial sites I visit, plus Medicare and (as I seem to recall) Social Security allow for this.
Thanks to everyone for the feedback and new suggestions for improving security! Next time around, a Double Dozen list will replace this Sweet 16.
David, thank you for posting this important information.
And thanks for the additional comments.
Fidelity offers ‘Money Transfer Lockdown’ for one or multiple accounts. Go to Accounts & Trade -> Security Settings. Under ‘Money Transfer Lockdown’, you can select which accounts you want to lock down. After turning on Money Transfer Lockdown, you’ll see a message “Money Transfer Lockdown is enabled” for each account you selected (as a reminder). When you need to withdraw from an account, you’ll need to go to Accounts & Trade -> Security Settings and remove the account from ‘Money Transfer Lockdown’. I rarely withdraw from our Fidelity accounts so it’s a set it and done.
Great article and great comments on helping mitigate the risks of fraud and hacking your personal info. Back in my youth, I recall bank signature cards and your savings account book that “secured” your account, even to just deposit a roll of pennies. Your SS number was “the” top secret code to prevent fraud. Things sure have changed.
I would like to suggest that your significant other and your executors understand and know how to access these safety measures you’ve installed, as you see fit. A good reminder on your final list is to highlight that your phone and cell plan, as one example, should not be cancelled as a priority item due to its likely use for many as a 2FA device.
Ah yes, simpler days. Things haven’t entirely changed. Good security is still about what you have (like our old passbooks) and what you know (like our “top secret” SS number). The passbooks have morphed into security keys or a smartphone with biometrics, and the simple SS number is now a long, random password or cryptographically generated string of alphanumerics.
Great suggestion about leaving guidance for partners and executors around security measures. I try to mirror what I’ve done for myself with my partner, but there are still plenty of tech things for which she’ll need some help. My final instructions have recommendations for both a CFP, to help with financial questions, and a friendly tech advisor.
Note: I fixed two web links which were mangled by the publishing system.
Great list! I’d add 5 things:
1) Use a VPN when on public/guest Wi-Fi.
2) On a Windows PC, work out of a user account and not a privileged administrator account, so when software is installed it prompts for the administrator password.
3) Use security software on your PC and phone and turn on features like “safe browsing”.
4) For the broader SIM swap problem, the user generally has to change 2 settings in their wireless account: “SIM protection”, to prevent thieves from swapping out your SIM, and “account takeover protection”, which prevents thieves from moving your phone number to a new wireless provider where they can then swap out your SIM since they “own” the new account.
5) Liberally make use of setting alerts in financial accounts so any important changes to those accounts are communicated by both texts and emails.
Good ones!
I wish my cellular service provider gave us more roadblocks for SIM swapping but they don’t. They have 2FA and an account passcode that’s separate from your login credentials, and that’s it.
Dave – Here are a few more personal access approaches we utilize specifically for our several major finance accounts:
17 – Only access your major financial accounts and credit cards from one or at most two devices. The more devices, the more potential access by thieves.
18 – Type in the passwords for the major financial accounts with every single log in – do not save the password on the device’s local, google, one-drive or other cloud account. This is annoying with long and complex passwords, but worth it in my mind.
19 – When traveling, leave the device that accesses your major financial accounts locked up or hidden at home – just use your phone to manage cash flow with a single bank account. You don’t really need to trade accounts while on vacation for a couple of weeks.
20 – Because of prior approach 19 plus the potential for a brokerage/bank service provider to get hacked, we specifically have not consolidated to a single provider – we maintain three brokerage and two bank providers for the safety of digital diversification.
21 – As much as possible, we don’t link financial accounts, bank accounts, credit cards, turbo tax, quicken(don’t use), etc. In fact, one brokerage service provider holding a solid portion of our IRA accounts is not digitally linked anywhere including to our banks – any withdrawals would have to be manual with a check. We’ll see if we will provide more linking access once RMDs start.
22 – When traveling, we never access ANY important account using public wifis like the airport or hotel lobbies, especially if they are open access.
23 – If you get an alert from your credit card or bank, call their 800 number before signing in on-line to sort it. Agree, never to click on any link to sort money or account issues before confirming if real.
Great article and additional comments. We employ a variation on John’s #21 in that our main brokerage company is linked to our bank account, but not the other way around. In other words, we can log into the brokerage account to transfer money to or from the bank, but we can’t do so by logging into the bank account. This somewhat further protects the brokerage, which of course holds more than our bank account.
Thanks, John. Always more to do.
On travel, I use public WiFi I (mostly) trust but with a VPN.
For #18, I agree it’s best not to use a web site’s “remember me” feature, and good to avoid browsers saving your login credentials, but using a good password manager can avoid all of this. A PM securely inserts your password in the text field when needed.
#21 is good advice. I wish the industry would develop a secure, trustworthy way to provide read-only access to a small bit of data in a financial account, in a way you can control, using a separate access method, e.g. a different FIDO passkey from the one you use to manage the account.
Excellent list.
I would add one more which is freeze your SS number. This prevents someone from using it to obtain employment.
Nick – how does one do that?
I followed the following instructions from Clark:
https://clark.com/protect-your-identity/should-i-create-an-e-verify-gov-account-to-lock-my-social-security-number/
I hadn’t heard of this either. I asked Perplexity AI and here’s part of what I got back:
You cannot “freeze” your Social Security number (SSN) in the same way you can freeze your credit, but there are two effective ways to restrict its misuse:
This sounds interesting to me, but I think I’ll want to know a bit more before I try it. I’d really be interested in hearing from folks who have done this, and what (if any) problems it’s caused for them in normal daily activities. Specifically, were there any unexpected side effects that were problematic? For example, if my bank account got compromised and I needed to put in new deposit information for my monthly ssa check I wonder how hard it’d be to “unfreeze” my account so I could update it?
You’ll want to enroll in myE-Verify which is aimed at employees: https://www.e-verify.gov/employees/mye-verify
E-Verify is for employers.
Looks like myE-Verify freeze is good until you lift it. Thanks, Nick for the pointer!
You are welcome, and I meant lock, not freeze. I did it a few months ago without any issues yet.
See my link to the Clark website above.