“Identity theft is not a joke, Jim!” How can I protect my sensitive data online?

When it comes to unusual cyber security cheerleaders, The Office US’s Dwight Schrute tops the list. In one of the show’s most meme-worthy moments (which is saying some­thing, as a quick Google search reveals an extensive list) Dwight loudly proclaims, during a heated exchange, that Identity theft is not a joke, Jim! And we at F‑Secure couldn’t agree more.

Unfortunately, identity theft is a problem that’s only getting worse, with Federal Trade Commission data revealing that identity fraud (which is when ID theft results in a crime) increased from 270,000 to 1.4 million cases between 2012 and 2022 in the U.S.

And the results of digital identity theft are no laughing matter, as they can manifest them­selves in many negative ways, depending on the severity of each case. These can include:

• physical and emotional stress;
• exposure of medical records;
• loss of access to online accounts;
• embarrassment and reputational damage;
• replacement of all your credit cards;
• and, in the most severe cases, financial losses via identity fraud.

In F‑Secure’s recent Living Secure report, which surveyed the views of 7,000 respondents around the world, 57% of people said that they would rather have their car stolen than their identity. Which shows that most people under­stand the associated threats that accompany identity theft.

However, despite the growing awareness around identity theft, the Living Secure report also found that 58% of people said that photos were the most important data stored on their device — with only 40% considering their pass­words as the most vital thing to protect; this is a concerning statistic, given that most cases of identity theft begin with a data breach.

And, according to previous F‑Secure research, 60% of people had suffered a data breach during a 12-month period, with half of them continuing to use exposed pass­words on other accounts — even after they’d received a warning that their accounts were no longer secure.

These results indicate that, whilst being aware of the threats of identity theft, people are still unsure of the steps they need to take to adequately protect them­selves. Thankfully, though, there are some simple steps you can take to ensure that your sensitive data is secure online.

1. Keep your pass­words strong

Despite stolen credentials being the main way that cyber criminals gain unauthorized access to accounts, brute force attacks — where trial and error is used to try and crack a pass­word — still account for around one-in-10 data breaches, according to Verizon’s annual Data Breach Investigations Report (DBIR). And with brute force attacks often reserved for targeted data breaches on high-value targets, where the potential damage is much greater, it’s important to make all pass­words as strong as possible.

There are various techniques for creating a strong pass­word, such as picking five completely random words — but that’s a lot more difficult than you might think. So, instead, you can use a free tool like F‑Secure’s strong pass­word generator.

2. Create unique pass­words

You can have the strongest pass­word in the world, but if the site you’ve trusted with your details is compromised, that pass­word (along with those of every other registered user) can end up in the hands of cyber criminals. In fact, Verizon’s annual DBIR claims that 86% of data breaches happen because of stolen credentials.

Therefore, to minimize your risk of a data breach, you should ensure that your pass­word is not just strong, but unique for every account, using a tool like F‑Secure’s strong pass­word generator to create them.

3. Enable two-factor authentication

Two-factor authentication (also known as 2FA) works by adding an extra layer of security to online accounts, which goes beyond your user­name and pass­word, requiring an extra login credential (such as a one-time passcode, sent to your phone via SMS).

So even if someone acquires your user­name and pass­word, with 2FA enabled, they still need to get through a second layer of security. And with two-factor authentication enabled 99.9% of automated attacks are prevented (according to 2019 research from Microsoft).

4. Check URLs and attachments

Phishing scams are a prominent form of social engineering, designed to trick you into sharing private information, or to convince you to click on links or attachments that subsequently lead to malware or fraudulent sites.

These scams often come in the form of text and a URL, which means attacks can target anywhere you might receive digital communication, such as email, social media messages or SMS. To avoid such threats, ensure that you use a security product with browsing protection and virus scanning.

5. Utilize a pass­word manager

If you want to go a step further than generating strong and unique pass­words, you can use a tool called a pass­word manager, which will also enable you to easily store and access your login credentials.

The beauty of a pass­word manager is that you only need to remember one master pass­word, and your pass­word manager does all the hard work for you. F‑Secure’s highly-rated ID Protection enables you to generate and manage strong pass­words for every online account that you have, with all the data encrypted using TLS/SSL.

6. Monitor and respond to breach alerts

Following a data breach, compromised user credentials often circulate on the dark web. Monitoring these data breaches is a useful way to determine if you’ve been a victim of identity theft. And you can use a manual tool such as the F‑Secure identity theft checker to check.

Whilst free tools are good starting point, a more proactive approach is to consider automated 24/7 identity monitoring, such as that available in F‑Secure Total, which continually scans for breaches and notifies you of any that include your details. And if you receive a notification that your details have been exposed in a data breach, it’s vital that you update your details for that account, as well as anywhere you might have used the same login details.

7. Use a VPN when accessing public Wi‑Fi

Public Wi‑Fi can be incredibly convenient, but it comes with a number of risks, as cyber criminals often use hotspots (and their vulnerabilities) as a way to harvest confidential information from unsuspecting users.

This can be done via an evil twin hotspot, where scammers set up a fake access point to mimic your current location (with a name like AIRPORT WIFI, for example), or via a method known as a man-in-the-middle attack. This is where a hacker exploits the poor security of a legitimate hotspot, uses a technique such as ARP spoofing, and then collects data being shared over the network. In both cases, the web­sites that you visit, and all unencrypted information that you share can been seen and retrieved via a third-party.

To avoid data breaches whilst on public Wi‑Fi you should avoid sensitive activities such as banking and ecommerce. Also, make sure you set your device to forget previously used Wi‑Fi networks. And — most important of all — use a VPN, which will encrypt your connection end-to-end between your device and the VPN server so your traffic can’t be spied upon.