Steer clear of low-tech hacks: How to keep your information safe

It doesn't take a coding genius to steal your Social Security number, but you can be smarter than identity thieves.

Laura Hautala
Laura Hautala
Laura Hautala Former Senior Writer
Laura wrote about e-commerce and Amazon, and she occasionally covered cool science topics. Previously, she broke down cybersecurity and privacy issues for CNET readers. Laura is based in Tacoma, Washington, and was into sourdough before the pandemic.
Expertise E-commerce, Amazon, earned wage access, online marketplaces, direct to consumer, unions, labor and employment, supply chain, cybersecurity, privacy, stalkerware, hacking. Credentials
  • 2022 Eddie Award for a single article in consumer technology
Laura Hautala
6 min read

Joe Raedle/Getty Images

Someone going by the name Jesse B. Harding lied on the Internet to steal people's Social Security numbers -- and the real Harding simply didn't know.

A fraudster posed as Harding, posting a fake property listing under his name and real job as a real estate agent, all with the goal of conning potential renters into sharing their Social Security numbers and other personal information.

It was a low-tech approach to identify theft, but it was meticulous and effective. The fake posting on Trulia.com used stolen pictures of the house, listed a too-good-to-be-true price and directed potential renters to a fake property management website.

"They could have stolen it from a variety of places because I advertised it widely," the real Harding said in retrospect.

Luckily, one potential renter named Cindy Herrera grew suspicious of the person posing as Harding and alerted the real real estate agent. But still, the damage had been done: Herrera had handed over her Social Security number, date of birth, husband's name and a host of other personal information to the schemer in her rental application.

What happened to Harding and Herrera is one of countless stories that describe how criminals can steal personal information without carrying out a sophisticated hack. It's completely different from the seemingly relentless headlines about big data breaches. Those larger hacks have come to the public's attention as a perpetual parade of the world's largest retailers, health insurers and even the federal government have announced that hackers have stolen millions of credit card numbers, Social Security numbers and health records.

Those attacks require sophistication often only found among notorious hackers. Lower-level thieves have found an easier way to take your information, experts say: through lies, a little ingenuity and con games.

"There are lots of ways that a person's identity can be stolen, from very high-tech to very-low tech," said Sally Hurme, who writes books for the AARP and is an attorney who specializes in elder law.

In the physical realm, thieves might go through your garbage, steal your wallet or open your filing cabinet. This could allow them to use your health insurance and open up credit cards in your name. Online, they might learn your birth date off Facebook and find your mother's maiden name on Ancestry.com, allowing them to crack your security questions for any number of important online accounts.

Finally, they might lull you into handing over your information by impersonating a legitimate person or business, as happened in Herrera's case.

So how do you stop it? The only way is to lock down the entryways into your identity, according to fraud prevention experts.

All of this shows that identity theft -- whether done with advanced coding skills or with simple thievery and lies -- affects everyone's life now. The situation can be chalked up to the increased use of computers to store information combined with our reliance on Social Security numbers and credit reports as gateways to health care, credit and general proof of identity. It's a potent mix that draws some nasty flies.

With that in mind, here are some of the best ways to protect the information that you actually have control over:

1. Lock down or destroy paperwork with your information printed on it.

That means destroying documents before they hit the trash. "One of the cutest names for a low-tech hacking method is what we call dumpster diving, or going through trash out on the street, for documentation that may have your personal information on it," Hurme noted, adding, "Shred, shred, shred."

Carrying around too much information in your wallet can be a bad idea, too. Your Social Security card, your health insurance card, and all your extra credit cards? They don't need to live in your wallet, Hurme said. In fact, they shouldn't.

Go ahead and lock your filing cabinets or get a safe deposit box for important identity papers, while you're at it, said Susan Grant, director of consumer protection and privacy at the Consumer Federation of America.

"You either need to lock up your sensitive personal information, or make sure that it's disposed of safely," Grant said.

2. Beef up your privacy settings.

There's also all that information easily taken off public sites on the Internet. To keep thieves from guessing answers to your security questions, pay special attention to your privacy settings on services like Facebook and Ancestry.com.

Facebook offers privacy checkups that take you through all your settings so you can decide who can see which information.

For its part, Ancestry.com says it places a high premium on privacy. "Every family tree has privacy settings and every user makes a personal determination whether to make their tree private or not, and we automatically hide information for living individuals in family trees," the company said in a statement.

Now you're ready for more advanced ways to protect yourself. You'll need those, because when it comes to cases like Harding's and Herrera's, it takes extra vigilance from everyone to stop identity thieves.

3. Find posers by running their images through Google.

The scammer got Harding's information and the description of a property he was trying to sell right off public websites. To check if photos are legitimate, a potential renter could run them through a Google Images search to see where they originated.

This can be easily accomplished by clicking on an image and dragging it over into a Google Images search field. For example, by dragging any Facebook profile photo into a Google images search, a curious Internet user can see if it's been used under any other names or other accounts. This might not have helped Herrera, though, because her fraudster was smart enough to use the real estate agent's real name.

Incidentally, this technique also applies to online dating sites, where many people are not who they say they are.

4. Ask yourself: does it pass the smell test?

Herrera, the renter who fell for the scam, is also a real estate agent in her own right. However, the Trulia posting and the website it led to were legitimate-looking enough to fool her.

A super-low asking price might have been a tip that something wasn't on the up and up. But in Herrera's defense, the low asking price seemed possible because rents go down in the winter, and the neighborhood in question was "still transitioning," so property values were fluctuating, she said.

But once she got a fishy-sounding email from the supposed real estate agent, with no phone number in it, she knew something was wrong. That's when she looked up the real Harding in a real estate database and called him on the phone.

For its part, Trulia says the company works hard to fight fraud, with a team of more than 20 employees, including developers, "who are focused on building fraud detection and prevention capabilities," Trulia spokesman Matt Flegal said in a statement. The firm also tries to educate users and make it easy for them to report wrongdoing.

Harding said he wasn't satisfied with the amount of time it took the site to eliminate the fraudulent posting, which popped up again a few days after Trulia removed it the first time, but that was eventually resolved.

Grant, the fraud expert at the Consumer Federation of America, said some criminals, such as the one Harding and Herrera encountered, are actually working in teams. "You can have organized crime rings that just recruit lots of people to get information for them," she said.

5. If and when all this fails, put a fraud alert on your credit report.

Of course, once your information is out there, it's out of your control. Herrera immediately put a fraud alert on her credit report and didn't encounter any problems after that.

Michael Bruemmer, vice president of credit reporting agency Experian, said that was the right move.

"One of the first things you should do is put a fraud alert on your credit reports and start reviewing all financial accounts regularly," he said. "Signs of fraud and identity theft often first show up on your credit report or bank and credit card statements."

What's more, it's important to keep in mind that your information might have been compromised for a while before you realized you were hacked, so a review of past credit activity is also a good idea.

"It's important to look back," he said.