Why this matters: Online crime keeps breaking records. The FBI’s latest 2024 Internet Crime Report logged 859,532 complaints and $16.6 billion in reported losses, up 33% from 2023. Meanwhile, Verizon’s 2025 DBIR still finds the “human element” present in roughly 60% of breaches. (Sources: FBI Internet Crime Report; Verizon DBIR)


Contents

  1. Use passkeys + a password manager
  2. Turn on phishing‑resistant MFA
  3. Freeze your credit & check reports weekly
  4. Monitor breaches (and act fast)
  5. Harden email & messaging
  6. Update & lock down your devices
  7. Secure home Wi‑Fi & IoT
  8. Minimize your data footprint
  9. Travel & public Wi‑Fi: do’s and don’ts
  10. Your emergency plan (account recovery & response)

1) Use passkeys + a password manager

What & why:
Passkeys (FIDO/WebAuthn) replace passwords with cryptographic keys bound to your device and the site’s domain: the private key never leaves your device, and the browser will only use it for the exact domain it was registered on, so a lookalike site gets nothing to steal. That makes phishing dramatically harder. NIST’s freshly updated SP 800‑63‑4 modernizes federal guidance for digital identity and authentication, aligned with passkey‑style, phishing‑resistant approaches. (Source: NIST Computer Security Resource Center)

How to start:

  • Enable passkeys on Google, Apple, Microsoft, banking, and social accounts wherever available. (Primers: the FIDO Alliance and Google explainers.)
  • Keep a password manager for accounts that don’t support passkeys yet, and use long, unique passwords; “three random words” is an NCSC‑endorsed pattern for the few passwords you must memorize. (Source: NCSC)

2) Turn on phishing‑resistant MFA

Good: authenticator‑app codes (TOTP) or SMS.
Better/Best: passkeys or FIDO security keys (phishing‑resistant MFA). CISA’s guidance explains why methods tied to the site’s domain are far harder to phish than codes you re‑type: a code typed into a lookalike page can be passed on to the real site while it is still valid, whereas a domain‑bound credential is never produced for the wrong site at all. (Source: CISA)

Do this now:

  • Email, cloud storage, banking, crypto, social: require MFA, prefer passkeys or FIDO keys.
  • Disable “SMS only” where stronger options exist.
  • Capture backup codes and store them safely offline.
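The following is an added example, not code from the original article and not the FIDO or WebAuthn reference implementation. It models in Go why the domain binding described in Tips 1 and 2 matters: the browser stamps the true origin of the requesting page into the signed client data, so a relying party that checks the origin rejects an assertion collected by a lookalike page even when the key and the challenge are genuine. It simplifies real WebAuthn (Ed25519 instead of the usual ES256, no authenticatorData), and the origins `bank.example` and `bank-login.example` are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// clientData is the part of a WebAuthn assertion the browser fills in. The
// origin is the site that actually called the API; a page cannot choose it.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what the site gets back (simplified: no authenticatorData).
type assertion struct {
	ClientDataJSON []byte
	Signature      []byte
}

// newChallenge models the site issuing a fresh random challenge per login.
func newChallenge() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// signAssertion models browser plus authenticator: the signature covers a hash
// of the client data, which includes the true origin of the requesting page.
func signAssertion(priv ed25519.PrivateKey, challenge, pageOrigin string) (assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: pageOrigin})
	if err != nil {
		return assertion{}, err
	}
	h := sha256.Sum256(cd)
	return assertion{ClientDataJSON: cd, Signature: ed25519.Sign(priv, h[:])}, nil
}

// verifyAssertion models the relying party: it accepts only if the challenge is
// the one it issued, the origin is its own, and the signature verifies.
func verifyAssertion(pub ed25519.PublicKey, a assertion, wantChallenge, wantOrigin string) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return fmt.Errorf("unparseable clientData: %w", err)
	}
	if cd.Type != "webauthn.get" {
		return fmt.Errorf("unexpected type %q", cd.Type)
	}
	if cd.Challenge != wantChallenge {
		return fmt.Errorf("challenge mismatch (stale or replayed login)")
	}
	if cd.Origin != wantOrigin {
		return fmt.Errorf("origin mismatch: signed for %q, expected %q", cd.Origin, wantOrigin)
	}
	h := sha256.Sum256(a.ClientDataJSON)
	if !ed25519.Verify(pub, h[:], a.Signature) {
		return fmt.Errorf("signature does not verify")
	}
	return nil
}

// RelayResult records the outcome of the two logins in RunRelayScenario.
type RelayResult struct {
	LegitAccepted bool
	RelayError    error // non-nil means the lookalike's assertion was rejected
}

// RunRelayScenario registers a passkey for the real site, performs a genuine
// login, then has a lookalike page relay the real challenge to the user.
func RunRelayScenario() (RelayResult, error) {
	const realOrigin = "https://bank.example"            // site that registered the passkey
	const lookalikeOrigin = "https://bank-login.example" // constructed phishing origin

	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return RelayResult{}, err
	}
	challenge, err := newChallenge()
	if err != nil {
		return RelayResult{}, err
	}
	legit, err := signAssertion(priv, challenge, realOrigin)
	if err != nil {
		return RelayResult{}, err
	}
	relayed, err := signAssertion(priv, challenge, lookalikeOrigin)
	if err != nil {
		return RelayResult{}, err
	}
	return RelayResult{
		LegitAccepted: verifyAssertion(pub, legit, challenge, realOrigin) == nil,
		RelayError:    verifyAssertion(pub, relayed, challenge, realOrigin),
	}, nil
}

func main() {
	res, err := RunRelayScenario()
	if err != nil {
		fmt.Println("setup error:", err)
		return
	}
	fmt.Println("legitimate login accepted:", res.LegitAccepted)
	fmt.Println("relayed login rejected with:", res.RelayError)
}
```

In a real browser the relayed login fails even earlier, because the credential is scoped to the relying-party ID and is never offered to a different domain; the server-side origin check shown here is the defence in depth that catches anything that slips past that. A typed TOTP or SMS code has no such binding, which is why the article ranks it only as “good”.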

3) Freeze your credit & check reports weekly

A credit freeze blocks new credit from being opened in your name: one of the most effective consumer defenses against identity theft. The FTC confirms permanent access to free weekly credit reports at AnnualCreditReport.com. Pair a freeze with routine monitoring. (Source: FTC Consumer Advice)

Your 15‑minute playbook:

  1. Place a credit freeze (free) by following the USA.gov instructions. (Source: USAGov)
  2. Pull your weekly reports via AnnualCreditReport.com (check each bureau).
  3. If you suspect exposure, add fraud alerts (see the FTC overview). (Source: FTC Consumer Advice)

4) Monitor breaches (and act fast)

Check whether your email/phone appears in known breaches with Have I Been Pwned (HIBP), then rotate passwords, revoke sessions, and enable MFA. HIBP is the industry’s go‑to public breach checker. (Source: Have I Been Pwned)

Background: massive aggregated leaks (e.g., “Collection #1”) fuel credential‑stuffing attacks, another reason to avoid password reuse. (Source: WIRED)
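As an added example (not the article’s or HIBP’s own code), here is how a password can be checked against HIBP’s Pwned Passwords corpus without ever sending the password: the client hashes it with SHA‑1, sends only the first five hex characters of the hash to the `range` endpoint, and matches the rest locally (k‑anonymity). The endpoint URL is the real one; the HTTP response body used here is constructed so the example runs offline, and the count attached to the sample password is made up.

```go
package main

import (
	"bufio"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// HashPrefixSuffix computes the upper-case hex SHA-1 of a password and splits it
// into the 5-character prefix that is sent to the API and the 35-character
// suffix that never leaves the machine.
func HashPrefixSuffix(password string) (prefix, suffix string) {
	sum := sha1.Sum([]byte(password))
	h := strings.ToUpper(hex.EncodeToString(sum[:]))
	return h[:5], h[5:]
}

// RangeURL builds the Pwned Passwords range query for a prefix.
func RangeURL(prefix string) string {
	return "https://api.pwnedpasswords.com/range/" + prefix
}

// CountInRange parses a range response ("SUFFIX:COUNT" per line, CRLF separated)
// and returns how many times the suffix was seen in breaches, or 0 if absent.
// Padding entries (count 0, returned when padding is requested) count as absent.
func CountInRange(body, suffix string) (int, error) {
	sc := bufio.NewScanner(strings.NewReader(body))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		parts := strings.SplitN(line, ":", 2)
		if len(parts) != 2 {
			return 0, fmt.Errorf("malformed line %q", line)
		}
		if !strings.EqualFold(parts[0], suffix) {
			continue
		}
		n, err := strconv.Atoi(strings.TrimSpace(parts[1]))
		if err != nil {
			return 0, fmt.Errorf("bad count in line %q: %w", line, err)
		}
		return n, nil
	}
	return 0, sc.Err()
}

// ConstructedResponse fabricates a response body for offline use: a few
// unrelated suffixes plus the given suffix with a made-up count. The real API
// returns several hundred lines per prefix.
func ConstructedResponse(suffix string, count int) string {
	return strings.Join([]string{
		"0018A45C4D1DEF81644B54AB7F969B88D65:3",
		"00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2",
		suffix + ":" + strconv.Itoa(count),
		"011053FD0102E94D6AE2F8B83D76FAF94F6:1",
	}, "\r\n") + "\r\n"
}

func main() {
	prefix, suffix := HashPrefixSuffix("password") // constructed sample password
	fmt.Println("GET", RangeURL(prefix))           // only these 5 characters go over the wire
	body := ConstructedResponse(suffix, 9545)      // stand-in for the HTTP response body
	n, err := CountInRange(body, suffix)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	if n > 0 {
		fmt.Printf("seen %d times in known breaches: do not use\n", n)
	} else {
		fmt.Println("not found in the Pwned Passwords corpus")
	}
}
```

To run it against the live service, fetch `RangeURL(prefix)` with an HTTP client and pass the body to `CountInRange`; the prefix alone tells the service nothing useful about which of the hundreds of passwords under it you hold. The breached‑account search by email that the article mentions is a separate, authenticated API.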


5) Harden email & messaging

Your email inbox is the master key to your identity. If it’s compromised, most accounts can be reset.

Essentials:

  • Turn on phishing‑resistant MFA for email. (See Tip #2)
  • If you suspect compromise, follow the FTC recovery steps and your provider’s guide (Google or Microsoft). Also check for malicious forwarding rules or filters that quietly forward, delete, or archive your messages to “ghost” them, so that security alerts and reset emails never reach you. (Sources: FTC Consumer Advice; Google Help)
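An added example, not from the article and not tied to any provider’s real export format: a small audit in Go over a constructed, provider‑neutral list of inbox rules that flags the patterns described above, namely forwarding to an outside address, forward‑then‑delete, and rules that hide mail mentioning security topics. The rule shape, the keyword list and the sample rules are all constructed; adapt the loader to whatever your provider lets you export.

```go
package main

import (
	"fmt"
	"strings"
)

// MailRule is a constructed, provider-neutral shape for an inbox rule. Real
// exports (Gmail filters, Outlook/Exchange inbox rules) differ in layout but
// carry the same ideas: a match condition and a set of actions.
type MailRule struct {
	Name      string
	Match     string // condition text, e.g. "subject contains security alert"
	ForwardTo string // forwarding address, or empty
	Delete    bool
	Archive   bool // skips the inbox
	MarkRead  bool
}

// securityTerms are subjects a victim should always get to see (constructed list).
var securityTerms = []string{"password", "security", "verification", "sign-in", "new device", "invoice", "payment"}

// mentionsSecurity reports whether a rule's condition targets security-related mail.
func mentionsSecurity(match string) bool {
	m := strings.ToLower(match)
	for _, t := range securityTerms {
		if strings.Contains(m, t) {
			return true
		}
	}
	return false
}

// AuditRules returns one finding per suspicious pattern. ownDomain is the
// domain you control; forwarding inside it is treated as benign.
func AuditRules(rules []MailRule, ownDomain string) []string {
	var findings []string
	for _, r := range rules {
		external := r.ForwardTo != "" &&
			!strings.HasSuffix(strings.ToLower(r.ForwardTo), "@"+strings.ToLower(ownDomain))
		if external {
			findings = append(findings, fmt.Sprintf("rule %q forwards mail to external address %s", r.Name, r.ForwardTo))
		}
		if r.ForwardTo != "" && r.Delete {
			findings = append(findings, fmt.Sprintf("rule %q forwards and then deletes the original", r.Name))
		}
		hides := r.Delete || r.Archive || r.MarkRead
		if hides && mentionsSecurity(r.Match) {
			findings = append(findings, fmt.Sprintf("rule %q silently hides messages matching %q", r.Name, r.Match))
		}
	}
	return findings
}

// sampleRules is constructed input: one benign rule and two that should be flagged.
var sampleRules = []MailRule{
	{Name: "Newsletters", Match: "from contains newsletter", Archive: true, MarkRead: true},
	{Name: ".", Match: "subject contains password", Delete: true},
	{Name: "backup", Match: "all mail", ForwardTo: "archive@mailbox-backup.example", Delete: true},
}

func main() {
	for _, f := range AuditRules(sampleRules, "example.com") {
		fmt.Println("FINDING:", f)
	}
}
```

A rule audit is only half of the check: also review connected apps and active sessions in the same account settings page, since a forwarding rule is often installed through a session or app grant that is still live.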

Watch out for fakes:
The FBI recently warned about spoofed IC3 reporting websites (fake “ic3” portals harvesting personal data). Double‑check the domain is ic3.gov before you file a complaint. (Source: IC3)


6) Update & lock down your devices

Unpatched software is a top door for attackers. The simplest fix: turn on automatic updates for your OS, browsers, apps, and firmware. CISA’s “Secure Our World” campaign highlights updates as a core cyber‑hygiene action. (Source: CISA)

Minimum baseline:

  • Auto‑update OS & apps; update browsers first.
  • Lock screen with biometrics/PIN; remove unused apps.
  • Only install from official stores; avoid updating on untrusted networks.
  • Review mobile device settings using CISA’s consumer checklist. (Source: CISA)

7) Secure home Wi‑Fi & IoT

Your home network connects everything—laptops, phones, cameras, thermostats.

Do this:

  • Change your router admin password; disable WPS; use WPA2/WPA3.
  • Update router firmware regularly.
  • Create a Guest SSID and put IoT devices on it (network segmentation). CISA and NSA both recommend segmenting primary/guest/IoT networks. (Sources: CISA; NSA)

New in 2025 (U.S.):
The U.S. Cyber Trust Mark labeling program is underway so consumers can find IoT devices that meet baseline cybersecurity standards (look for the shield + QR). (Source: GovInfo)

Also notable (U.K.):
The PSTI regime now bans default passwords on consumer smart devices (April 29, 2024). (Source: GOV.UK)


8) Minimize your data footprint

The less data available about you, the lower your risk.

  • Use Mozilla Monitor to find/remove your info from data broker sites (auto‑removal is a paid option). (Source: Mozilla Monitor)
  • In California, the Delete Act (SB 362) tasks the CPPA with a one‑stop deletion mechanism (DROP) slated for 2026, letting residents send a single deletion request to registered data brokers. (Source: California Privacy Protection Agency)
  • Opt‑out signals (like Global Privacy Control) are being enforced by multiple states; turning GPC on in your browser can automatically signal “do not sell/share” where honored. (Source: Clark Hill)
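For readers who also run a website, here is an added example (not the article’s code and not a reference implementation from the GPC project) of the other side of the signal: a small Go handler that treats the `Sec-GPC: 1` request header from the Global Privacy Control specification as a do‑not‑sell/share choice and publishes the spec’s `/.well-known/gpc.json` discovery resource. The cookie name `privacy_optout` and the `lastUpdate` date are constructed.

```go
package main

import (
	"encoding/json"
	"net/http"
)

// HonorsGPC reports whether the browser sent the Global Privacy Control
// opt-out signal, which GPC-enabled browsers express as "Sec-GPC: 1".
func HonorsGPC(r *http.Request) bool {
	return r.Header.Get("Sec-GPC") == "1"
}

// PrivacyChoice is what the site records for a request.
type PrivacyChoice struct {
	DoNotSellOrShare bool   `json:"doNotSellOrShare"`
	Source           string `json:"source"` // where the choice came from
}

// ChoiceFor derives the opt-out status for a request. The GPC header takes
// precedence; otherwise a previously stored consent cookie (constructed name
// "privacy_optout") is consulted; otherwise no opt-out is assumed.
func ChoiceFor(r *http.Request) PrivacyChoice {
	if HonorsGPC(r) {
		return PrivacyChoice{DoNotSellOrShare: true, Source: "Sec-GPC"}
	}
	if c, err := r.Cookie("privacy_optout"); err == nil && c.Value == "1" {
		return PrivacyChoice{DoNotSellOrShare: true, Source: "cookie"}
	}
	return PrivacyChoice{DoNotSellOrShare: false, Source: "default"}
}

// Handler serves the GPC discovery resource and a status endpoint that echoes
// the choice derived for the caller. Anything downstream that sells or shares
// data should consult ChoiceFor before doing so.
func Handler() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/.well-known/gpc.json", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		// "lastUpdate" is a constructed date; set it to when your policy last changed.
		json.NewEncoder(w).Encode(map[string]interface{}{"gpc": true, "lastUpdate": "2025-01-01"})
	})
	mux.HandleFunc("/privacy-status", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Vary", "Sec-GPC") // responses differ by signal, so caches must not mix them
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(ChoiceFor(r))
	})
	return mux
}

func main() {
	http.ListenAndServe("127.0.0.1:8080", Handler())
}
```

From the consumer side the takeaway is the same as in the article: once GPC is switched on in the browser, every request carries the header automatically, and sites subject to the state laws mentioned above are expected to treat it like the check you would otherwise have to find and tick on each site.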

9) Travel & public Wi‑Fi: do’s and don’ts

Public Wi‑Fi is convenient—but be smart.

  • Prefer HTTPS; verify the exact SSID with staff; avoid sensitive transactions on unknown networks. CISA and the FTC offer plain‑English checklists. (Sources: CISA; FTC)
  • Consider a reputable VPN if you must sign in or move sensitive files on public Wi‑Fi. (VPN ≠ invincible—basic hygiene still applies.)

10) Your emergency plan (account recovery & response)

If something feels wrong—act fast:

  1. Change passwords (use passkeys where possible), sign out of all sessions, and re‑secure recovery info.
  2. Freeze credit and set fraud alerts if any financial data may be exposed. (Source: FTC Consumer Advice)
  3. Report identity theft at IdentityTheft.gov to get a personalized recovery plan and pre‑filled dispute letters. (Source: FTC)
  4. Report online fraud at ic3.gov (verify the .gov domain). (Source: IC3)

Bonus (SIM‑swap protection):
The FCC adopted rules requiring carriers to use stronger authentication for SIM changes/ports and to notify customers on changes. Ask your carrier about account PINs/port locks. (Source: Federal Register)


One‑Hour Power Checklist

  • Passkeys + MFA on email, bank, cloud. (Source: CISA)
  • Run your email/phone through HIBP; change anything exposed. (Source: Have I Been Pwned)
  • Freeze credit and enroll in weekly report checks. (Sources: USAGov; FTC)
  • Turn on automatic updates everywhere: OS, browsers, apps, router. (Source: CISA)
  • Put IoT on a guest network; rotate the router admin password. (Source: CISA)

FAQ

Are passkeys really safer than passwords + SMS codes?
Yes. Passkeys are domain‑bound cryptographic keys; there’s no reusable secret to phish or leak. NIST’s SP 800‑63‑4 and CISA both emphasize phishing‑resistant authenticators. (Sources: NIST Computer Security Resource Center; CISA)

Do I need a VPN on public Wi‑Fi?
Not always, but it adds a useful encryption layer when you must log in or transfer sensitive data. Still follow CISA/FTC basics: verify the network, prefer HTTPS, and avoid high‑risk tasks. (Sources: CISA; FTC)

How often should I check my credit reports?
The FTC confirms free weekly checks are here to stay. At minimum, review quarterly; go monthly if you’ve been in a breach. (Source: FTC Consumer Advice)


Further reading & sources