Resources

What steps can you take to protect yourself online?

  • Public databases are an ongoing source of exposure for personally identifying information. They are a common source of information for data brokers and people-search websites.

    Set up a post office box or a virtual mailbox:

    • A USPS Post Office Box is relatively inexpensive, but be aware that not all banks or services will accept PO boxes.

    • A UPS Mailbox provides a physical address at greater cost.

    • Virtual PostMail or Traveling Mailbox can scan your mail and send you an electronic copy, and can shred your mail, too.

  • To limit how your contact information is exposed on the internet, consider setting up an intermediate phone number to share instead of providing your direct number. Use Google Voice for your alternate number; you can connect it to an existing Gmail account or set up a new account.

    Note: Be aware that some services may not accept a VoIP number such as Google Voice to link to your account. This is common among financial services to prevent fraud.

  • To enhance your privacy, we recommend using a public email account that forwards to your main email account. The public account can be used anywhere on the web: to log in to social media and e-commerce accounts, and sign up for newsletters. Do not use it as an inbox, but as a relay to forward email; do not keep email in the inbox. This limits the exposure of your actual email account, making it harder to hack. Here are a few common email providers, and how to set up forwarding for them:

  • Fundamental practices for securing your online accounts go a long way toward improving your overall security posture. Strong passwords are important, but more critical is good credential hygiene: enabling two-factor authentication where possible, minimizing password reuse with unique passwords, and changing passwords periodically.

    Implementing these practices can take time since they likely involve re-configuring your accounts, either by turning on 2FA (Two Factor Authentication) or resetting your existing passwords (especially if you are currently re-using passwords between accounts).

    While we recommend that all accounts have a unique password and 2FA, to make the process manageable we suggest starting with critical accounts, such as your primary email address and the recovery email for these services. Also consider accounts where you may have stored sensitive data. Once you feel comfortable doing these tasks with your critical accounts, extend them to your other accounts:

    • Enable 2FA where available. Be sure to use an authenticator app; we strongly recommend Authy to store and manage your 2FA authentication codes. While other authenticator apps such as Google Authenticator and Microsoft Authenticator also work, Authy provides the advantage of being easy to migrate between devices. This will keep you from needing to reconfigure your 2FA when you get a new phone. We do not recommend using SMS messages for your 2FA method, if given the option, as these can easily be intercepted.

    • Set unique passwords that have not been used before. We suggest allowing your password manager to generate passwords for you. Password managers such as Dashlane or LastPass are very helpful tools for supporting this. We recommend paying for the premium versions of these tools since a subscription is needed to use the service/app on multiple devices.

  • Orphan accounts are those that have been left inactive but not closed. Orphaned accounts are vulnerable, as the passwords are likely simpler, and with less activity, you’re unlikely to notice an intrusion. Depending on the data contained in the account, the outcome can be damaging. Here’s what you can do with any orphan accounts:

    Limit access to the account:

    • Close the account if you no longer need it

    • Strengthen the account’s security if you prefer to keep it. Specifically:

      • Enable 2FA if available, and update with a robust password

      • Change the login email address to your public-facing address (see above), using an active, secure email account as the recovery address

    Manage the content of the orphan account if you decide to keep it. Depending on the content, you have the following options:

    • Change the privacy settings, if available.

    • Delete content entirely if you prefer.