The internet makes life easier—but it also makes it easier for criminals to turn “small leaks” (a password here, a phone number there) into full-on account takeovers. In 2024 alone, the FTC’s Consumer Sentinel Network received 6,471,708 reports, including 1,135,291 identity theft reports, with reported fraud losses totaling about $12.5B.
The good news: protecting your identity today doesn’t require 20 tools. It requires locking down a few “high-leverage” things attackers count on—your inbox, your phone number, and your logins.
The 10-minute checklist (start here)
If you only do a few things this week, make them these:
- Turn on multi-factor authentication (MFA) everywhere you can—prefer passkeys, authenticator apps, or hardware keys over SMS codes.
- Switch to long, unique passwords (and let a password manager do the work). NIST’s current guidance emphasizes long passwords (15+ characters for single-factor), no forced complexity rules, and support for password managers/paste.
- Add a carrier account PIN / port-out protection to reduce SIM-swap risk.
- Place a credit freeze at the major bureaus if you’re not actively applying for credit.
- Remove your address/phone/email from people-search sites and set up “Results about you” alerts in Google.
1) Protect your inbox first
If someone controls your email, they can usually reset passwords for everything else.
What we recommend:
- Turn on MFA for your email account (again: passkeys/authenticator/security key preferred).
- Review mail forwarding settings and inbox rules you didn’t create. After a takeover, attackers commonly add rules that forward, delete, or hide password-reset and security-alert messages so you never notice them.
- Be strict about links and attachments—phishing is still the easiest way in.
Related MSG read: {Keeping Your Email Safe}.
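The “rules you didn’t create” review above (and the “suspicious inbox rules” monitoring for teams in section 9) can be scripted. The triage below is an added example written for this article, not code from MSG or Microsoft: it takes rule objects in the shape of Microsoft Graph’s messageRule resource (what GET /me/mailFolders/inbox/messageRules returns), but the three sample rules are constructed here and nothing is fetched from a tenant; example.com stands in for the user’s own domain, and the folder names and wording lists are assumptions you would tune.

```python
"""Triage mailbox rules for the patterns attackers plant after an account takeover.

Added example. The rule objects are constructed in the shape of Microsoft
Graph's messageRule resource; nothing is fetched from a real tenant, and
example.com stands in for the user's own domain.
"""

INTERNAL_DOMAINS = {"example.com"}   # assumption: the user's own domain(s)
HIDE_FOLDERS = {"rss subscriptions", "junk email", "deleted items", "conversation history"}
ALERT_WORDS = ("password", "verification", "code", "sign-in", "security", "mfa")

# Constructed sample rules. Real Graph rules reference folders by id; readable
# names are used here instead.
SAMPLE_RULES = [
    {"id": "r1", "displayName": "Receipts", "isEnabled": True,
     "conditions": {"subjectContains": ["receipt"]},
     "actions": {"moveToFolder": "Receipts"}},
    {"id": "r2", "displayName": ".", "isEnabled": True,
     "conditions": {"bodyContains": ["password", "verification code", "unusual sign-in"]},
     "actions": {"forwardTo": [{"emailAddress": {"address": "drop@attacker.example"}}],
                 "delete": True, "markAsRead": True}},
    {"id": "r3", "displayName": "Newsletters", "isEnabled": True,
     "conditions": {"senderContains": ["newsletter"]},
     "actions": {"moveToFolder": "Reading"}},
]


def _addresses(actions, key):
    """Recipient addresses for a forward/redirect action, lower-cased."""
    return [r["emailAddress"]["address"].lower() for r in actions.get(key, [])]


def triage_rule(rule):
    """Return the reasons a rule looks suspicious; an empty list means it looks benign."""
    if not rule.get("isEnabled", True):
        return []
    reasons = []
    actions = rule.get("actions", {})
    conditions = rule.get("conditions", {})

    # 1. Mail leaves the organisation: forward/redirect to a non-internal address.
    for key in ("forwardTo", "forwardAsAttachmentTo", "redirectTo"):
        for address in _addresses(actions, key):
            if address.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS:
                reasons.append(f"{key} -> external address {address}")

    # 2. The victim never sees the message: deleted or parked in a folder nobody reads.
    if actions.get("delete"):
        reasons.append("deletes matching messages")
    if actions.get("moveToFolder", "").lower() in HIDE_FOLDERS:
        reasons.append(f"hides matches in {actions['moveToFolder']}")

    # 3. A name chosen to be overlooked in the rules list ('.', ',', empty).
    if len(rule.get("displayName", "").strip()) <= 1:
        reasons.append(f"near-empty rule name {rule.get('displayName', '')!r}")

    # 4. Conditions that single out reset codes and security alerts.
    text = " ".join(conditions.get("subjectContains", []) + conditions.get("bodyContains", [])).lower()
    if any(word in text for word in ALERT_WORDS):
        reasons.append("matches on password/security-alert wording")
    return reasons


def triage(rules):
    """Map rule id -> reasons, keeping only rules with at least one finding."""
    findings = {rule["id"]: triage_rule(rule) for rule in rules}
    return {rule_id: why for rule_id, why in findings.items() if why}


if __name__ == "__main__":
    for rule_id, why in triage(SAMPLE_RULES).items():
        print(f"{rule_id}: " + "; ".join(why))
```

Only r2 is reported, with four separate reasons. Any one of them on its own is worth a look; the combination (a one-character name, forward-and-delete, keyed on reset wording) is the classic post-compromise rule. For a personal Gmail or Outlook.com account the same checks are a two-minute manual read of the Filters/Rules page.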
2) Upgrade your logins: passkeys + phishing-resistant MFA
Passwords are still everywhere, and they’re still easily stolen through phishing, malware, and reuse across sites. Passkeys are a major improvement: the credential is bound to the site it was registered on, so a lookalike phishing domain cannot use it, and the site stores only a public key, so a server breach leaks nothing an attacker can log in with. They’re now widely supported across consumer platforms.
- Google supports signing in with passkeys (and notes prerequisites like screen lock and up-to-date OS/browser).
- Apple supports passkeys through iCloud Keychain on compatible devices.
- CISA recommends moving toward phishing-resistant MFA, noting that some MFA methods are vulnerable to phishing, push-bombing, SS7 issues, and SIM swaps.
Practical rule:
- Best: Passkeys or hardware security keys
- Better: Authenticator app codes
- Last resort: SMS codes (SIM swaps happen, but SMS is still better than a password alone)
3) Make passwords boring (and strong): long + unique + managed
NIST’s updated digital identity guidance puts the emphasis where it belongs:
- At least 15 characters when the password is the only authentication factor
- Accept passwords of at least 64 characters so passphrases fit
- No forced complexity rules (mandatory symbols and digits, or periodic resets when nothing has been compromised)
- Allow password managers, paste, and autofill
That translates to:
- Use a password manager
- Use unique passwords everywhere
- Protect the password manager with the strongest MFA option you have
4) Lock down your phone number (SIM swaps are an identity attack)
A SIM swap is when someone convinces your carrier to move your number to a SIM they control (a port-out does the same thing by transferring the number to another carrier). From then on they receive your calls and texts, including password-reset codes.
FTC’s guidance includes: don’t respond to messages asking for personal info, and contact companies using known-good contact info—not whatever was in the message.
CISA also flags SIM swaps as one of the risks that can undermine certain MFA methods.
What to do:
- Add a carrier account PIN and ask about port-out protection
- Move critical accounts off SMS codes where possible
- Use account alerts for sign-ins and password changes
5) Freeze your credit (it’s one of the highest ROI moves)
If you’re not actively applying for credit, a credit freeze blocks lenders from pulling your file, which prevents someone from opening new accounts in your name. Freezes are free, don’t affect your credit score, and can be lifted temporarily when you need to apply for something.
Start here:
- Place the freeze separately with each of the three major bureaus (Equifax, Experian, TransUnion); a freeze at one does not cover the others.
- If something happens, follow the FTC’s guidance and the recovery steps at IdentityTheft.gov.
6) Reduce what’s publicly searchable about you
People-search sites are a type of data broker, and they can expose addresses, relatives, phone numbers, and more.
Two practical moves:
- Opt out of major people-search sites (it’s tedious, but effective)
- Use Google’s “Results about you” to find and request removal of personal contact info from search results where eligible.
7) Get better at recognizing identity lures
Most identity compromises still start with a message that creates urgency: “invoice overdue,” “password expires,” “unusual sign-in,” etc.
CISA’s phishing guidance emphasizes slowing down, verifying the sender, and not taking the bait.
A simple habit that works:
- Don’t click the link. Open a new tab and sign in the way you normally would.
8) Check breach exposure (so you can act fast)
If your email shows up in a breach, attackers often try “credential stuffing” (replaying the leaked email/password pair on other sites). Tools like Have I Been Pwned can tell you which breaches included your address, and its Pwned Passwords service lets you check whether a password is in the leaked corpus without sending the password itself: only the first five characters of its SHA-1 hash leave your machine. Respond by changing any password that was reused and enabling MFA on the affected accounts.
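The password rules in section 3 and the breach check here fit together in one verifier-side routine. The code below is an added example for this article, not MSG’s or Have I Been Pwned’s own code: it applies the length rule the article quotes from NIST (15+ characters, no composition rules) and then does the k-anonymity lookup against HIBP’s Pwned Passwords range endpoint. The endpoint URL and the SHA-1 of “password” are real, but the range responses used are constructed so the block runs offline (a real response is several hundred lines per prefix, and the counts here are made up).

```python
"""NIST-style password acceptance check plus a Have I Been Pwned k-anonymity lookup.

Added example. The HIBP range endpoint is real
(GET https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>), but
the responses below are constructed so the code runs offline.
"""
import hashlib
import urllib.request

MIN_SINGLE_FACTOR = 15   # NIST SP 800-63B minimum when the password is the only factor
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed stand-in for the range responses. SHA-1("password") is
# 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so its prefix is 5BAA6 and its
# suffix appears below; the other suffixes and all counts are made up.
FAKE_RANGES = {
    "5BAA6": "\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:1",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824",
        "2B0E4E5AE7B7C0D0A2A3E6E5C8E1F3D2A11:3",
    ]),
}


def sha1_prefix_suffix(password):
    """Split the upper-case hex SHA-1 into the 5 chars sent to HIBP and the 35 kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text):
    """Turn 'SUFFIX:COUNT' lines into {suffix: count}."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fake_lookup(prefix):
    """Offline stand-in for fetch_range(); empty text means no matches for that prefix."""
    return FAKE_RANGES.get(prefix, "")


def fetch_range(prefix):
    """Live lookup (not exercised here): only the 5-char prefix leaves the machine."""
    with urllib.request.urlopen(PWNED_RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, lookup=fake_lookup):
    """How many times the password appears in the corpus (0 if never seen)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(lookup(prefix)).get(suffix, 0)


def evaluate_password(password, lookup=fake_lookup):
    """Accept or reject using only what the article lists from NIST: a length
    floor and a breached-password blocklist. No character-class rules, and no
    upper bound (a verifier must accept at least 64 characters)."""
    reasons = []
    if len(password) < MIN_SINGLE_FACTOR:
        reasons.append(f"only {len(password)} characters; need {MIN_SINGLE_FACTOR}+ as a single factor")
    seen = breach_count(password, lookup)
    if seen:
        reasons.append(f"appears {seen:,} times in known breaches")
    return (not reasons, reasons)


if __name__ == "__main__":
    for candidate in ["password", "P@ssw0rd!", "correct horse battery staple"]:
        ok, why = evaluate_password(candidate)
        print(f"{candidate!r}: {'accepted' if ok else 'rejected'} {why}")
```

“P@ssw0rd!” satisfies every legacy complexity rule and is still rejected on length alone, while a four-word lower-case passphrase passes. To go live, pass `lookup=fetch_range`; the server never sees more than the five-character prefix, and it returns the same block of suffixes to everyone who shares that prefix, which is what makes the check safe to run from a browser or a signup form.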
9) For businesses: identity protection has to be standardized
If you’re protecting a team (not just yourself), consistency matters:
- Enforce phishing-resistant MFA where feasible
- Centralize identity controls (SSO, conditional access, device policies)
- Add monitoring for identity-based attacks (impossible travel, suspicious inbox rules, risky sign-ins)
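Two of the detections named above, impossible travel and a burst of failed sign-ins followed by a success, are simple enough to show end to end. The block below is an added example written for this article, not a vendor’s rule set: the sign-in events are constructed (documentation IP ranges and hand-picked city coordinates, not real logs), and the thresholds (900 km/h as the fastest plausible travel, 100 km as the minimum distance worth counting, five failures within ten minutes) are assumptions to tune for your tenant.

```python
"""Two identity-attack detections over sign-in events: impossible travel and
a burst of failures followed by a success.

Added example. The events are constructed, not real logs, and the thresholds
are assumptions to tune.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import math

MAX_PLAUSIBLE_KMH = 900                 # roughly airline cruising speed
MIN_DISTANCE_KM = 100                   # ignore geo-IP jitter inside one metro area
FAILURE_BURST = 5                       # failures before a success that count as a spray
FAILURE_WINDOW = timedelta(minutes=10)

# Constructed sign-in events: user, UTC time, source IP (documentation ranges),
# geolocation of that IP, and outcome.
EVENTS = [
    {"user": "ana@example.com", "time": "2025-03-04T13:02:11Z", "ip": "203.0.113.7",  "lat": 41.88, "lon": -87.63,  "result": "success"},  # Chicago
    {"user": "ana@example.com", "time": "2025-03-04T13:41:50Z", "ip": "198.51.100.9", "lat": 52.52, "lon": 13.40,   "result": "success"},  # Berlin, 39 min later
    {"user": "bob@example.com", "time": "2025-03-04T08:00:00Z", "ip": "192.0.2.10",   "lat": 47.61, "lon": -122.33, "result": "success"},  # Seattle
    {"user": "bob@example.com", "time": "2025-03-04T20:30:00Z", "ip": "192.0.2.44",   "lat": 40.71, "lon": -74.01,  "result": "success"},  # New York, 12.5 h later
] + [
    {"user": "carol@example.com", "time": f"2025-03-04T09:0{i}:00Z", "ip": "198.51.100.77", "lat": 51.51, "lon": -0.13, "result": "failure"}
    for i in range(6)                   # six failures, one per minute
] + [
    {"user": "carol@example.com", "time": "2025-03-04T09:07:30Z", "ip": "198.51.100.77", "lat": 51.51, "lon": -0.13, "result": "success"},
]


def parse_time(stamp):
    """ISO-8601 with a trailing Z -> timezone-aware datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def by_user(events):
    """Group events per user, sorted by time, with a parsed 't' field added."""
    grouped = defaultdict(list)
    for e in events:
        grouped[e["user"]].append({**e, "t": parse_time(e["time"])})
    for seq in grouped.values():
        seq.sort(key=lambda e: e["t"])
    return grouped


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH, min_km=MIN_DISTANCE_KM):
    """Flag consecutive successful sign-ins that would require travelling faster than max_kmh."""
    alerts = []
    for user, seq in by_user(events).items():
        successes = [e for e in seq if e["result"] == "success"]
        for prev, cur in zip(successes, successes[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (cur["t"] - prev["t"]).total_seconds() / 3600
            if prev["ip"] == cur["ip"] or km < min_km or hours <= 0:
                continue              # same address, or too close to be travel, or clock skew
            if km / hours > max_kmh:
                alerts.append({"user": user, "from_ip": prev["ip"], "to_ip": cur["ip"],
                               "km": round(km), "hours": round(hours, 2), "kmh": round(km / hours)})
    return alerts


def failure_bursts(events, burst=FAILURE_BURST, window=FAILURE_WINDOW):
    """Flag a success preceded by at least `burst` failures inside `window` for the same user."""
    alerts = []
    for user, seq in by_user(events).items():
        for i, e in enumerate(seq):
            if e["result"] != "success":
                continue
            recent = [f for f in seq[:i] if f["result"] == "failure" and e["t"] - f["t"] <= window]
            if len(recent) >= burst:
                alerts.append({"user": user, "ip": e["ip"], "failures": len(recent), "at": e["time"]})
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(EVENTS) + failure_bursts(EVENTS):
        print(alert)
```

Ana’s Chicago-to-Berlin pair works out to roughly 7,100 km in 40 minutes and is flagged; Bob’s Seattle-to-New York pair at about 3,900 km in 12.5 hours is ordinary travel and is not. Carol’s six failures followed by a success from the same address is the shape of a credential-stuffing hit, which is the moment to force a password reset and check for new inbox rules rather than wait for the user to notice. In production the geolocation comes from your IdP or a geo-IP database, and VPN egress points are the main source of false positives for the travel rule.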
If you suspect identity theft, do this first
- Secure your email + reset passwords (starting with email, banking, payroll, and password manager)
- Freeze credit
- File a report and follow the recovery steps at IdentityTheft.gov
If your organization wants a clearer picture of identity risk across users, devices, and Microsoft 365, contact us. We’ll help you pinpoint the biggest gaps and turn them into a simple, prioritized plan.
