I was in a meeting when my phone buzzed, so I let it go to voicemail. When it buzzed again, and I saw it was my dad who normally wouldn't call twice, I knew it had to be important. When I answered, he told me he had fallen for a remote access scam, he had some of my passwords on his laptop from having helped me with tax prep in the past, and I better change them.
He was on a news site when a popup warned that his computer had been frozen and in order to unlock it, he'd have to call a certain number, supposedly to reach a big tech company. Despite warnings about online scams—from my siblings who worked in tech and from an article on this exact scam I had previously sent him—he called the number. Over the next few minutes, the person on the other end of the line instructed him on how to grant them access to view his screen. Once that person was in, they asked my dad to log in to financial accounts to make sure they hadn't been compromised.
Was the scammer tracking every keystroke to steal passwords? Or copying files like the one on the desktop marked "Passwords" that included other account numbers? My dad sensed something wasn't right, hung up, and powered down the laptop. We don't know what or how much info the scammer managed to get, but we knew we couldn't wait to find out.
Here's what I did next to protect myself from identity theft and what you can do too.
I changed my account info to avoid becoming a victim of identity theft
I called my financial institutions to change my account numbers, and then I changed my logins and passwords online. I'd once read that you should keep a list of usernames and passwords (none identical) somewhere that couldn't be hacked, like a notebook. Prior to the incident, careless me did a sloppy and unsafe combination of pen/paper and an online document. Now I use a password manager, which creates hard-to-replicate passwords and stores them securely.
I stopped sharing my passwords
If someone accesses a financial account and drains your money, you may not have any recourse with your institution if you shared your password with another soul. (Your losses may be covered otherwise; check to make sure you know under what circumstances. How soon you report it can play a role in how much you get back.) Just because I wasn't the one who got scammed, the fact that I gave my password to my dad exposed my financial institution and me. If I want him to have access to my account(s), I can add him as an authorized user and have him create his own username and password.
I set up extra levels of protection
I started using 2-factor authentication, authenticator apps, and PINs on every account, including my email address and my phone (which I can unlock with facial recognition, a form of biometrics—fingerprint unlock is another form). Authenticator apps generate one-time-use codes valid only for a limited time. You can also set up login alerts and activity notifications, like when money is withdrawn. Check to see if your financial institutions have other security measures like Voice ID or locking down money transfers that you can apply to protect yourself from identity theft and fraud.
I would have frozen my credit, if I hadn't already
Before my dad got scammed, I froze my credit with all the major credit reporting bureaus after various security breaches when cybercriminals stole customer data from major companies I shopped with. If you haven't done this, consider freezing your credit online, by mail, or via phone for free. Credit freezes prevent anyone from opening new accounts in your name. They also restrict others from accessing your credit report, but you can temporarily lift freezes for when a potential landlord, employer, or other service provider requires a credit check.
You can freeze your kids' credit too. This requires documents verifying your identity and those of children under 16. According to a Javelin Strategy & Research report,1 1 in 50 children are victims of identity fraud, and families might not know about it for years.
Keeping up with locking down
My dad took the same actions I did and now knows to ignore and close popups. We were lucky not to lose any money, but if we had, homeowners insurance may have covered the losses. I know someone whose policy refunded a 5-figure sum lost to a scammer. Check if you have such coverage.
Months after the incident, I was still dealing with residual fallout. For instance, I had to update my since-changed bank account info on a government site, which had added security measures. Was the process time-consuming? Sure, but not nearly as intense as being a victim of identity theft (such as someone opening a credit card with your personal info) or identity fraud (such as someone making a purchase with your credit card), which friends have experienced. Most recouped lost money, but only after lots of paperwork and lengthy dealings with their financial companies.
We might think, I wouldn't fall for something like that. I don't answer calls from unknown numbers or open emails or download attachments from unknown senders. Instead of clicking on links from companies I know that say I have a new message or document, I go to their site directly to view it. I call customer service to confirm they really did send a particular email, don't visit sites deemed suspicious by browsers, and navigate away from weird popups. But I could have been more vigilant about protecting my accounts from identity theft. Could you?