top of page
  • Writer's pictureBridget Sullivan Mermel CFP(R) CPA

How to Protect Yourself from Identity Theft | Better Safe than Sorry!

It seems like every day we hear about new scams and new scandals with people stealing our identity.

On this episode, we’ll talk about actions you can take to protect your identity. Part of our work is helping people pay attention to what they should pay attention to and ignore the rest.

We talk about email, passwords, sending codes to your cell phone, as well as how to handle calls from the IRS, Social Security or other government agencies.

Feel safe, don't fall prey to scammers, and enjoy your life more!

00:00 Welcome

00:43 1st tip

04:53 2nd tip

06:16 send to your mobile

07:40 John’s experience

08:44 calls from IRS and SSA

10:26 Freeze credit

Links for the show:

How to freeze your credit (with links):

John's firm website:

For advisors around the US:

Thanks for watching and please subscribe!


John: It seems like every day we hear about new scams and new scandals regarding people stealing our identities. On this episode of Friends Talk Financial Planning, we're going to talk about actionable steps that you can take and things to be aware of to make sure that you protect your identity. Hi, I'm John Scherer, and I run a fee-only financial planning practice in Middleton, Wisconsin.

Bridget: And I'm Bridget Sullivan Mermel, and I've got a fee-only financial planning practice in Chicago, Illinois. And before we jump into identity theft, please subscribe. It helps us with YouTube. Okay. John, I'm really excited about this episode, because I think you have a better game on identity theft protection than I do, so what's your first tip?

John: Well, yeah, maybe I've been exposed to it more, and we've unfortunately had some things go poorly, so we've learned some lessons on that. And the number one tip that we have for people is to never send any confidential information over regular email. We have a consultant that works with us, and he described sending an email like sending a postcard. If you wouldn't put it on the back of a postcard and mail it out, you don't put it in an email.

So things like Social Security numbers, things like tax documents which have Social Security numbers on them, account statements, account numbers, all those sorts of things are out there and available, or at least potentially so. You've got to assume that it's like a postcard. I think that's a really easy way to think about it. And when we think about “Would you put this on a postcard?” that really helps inform some of our decisions when we send emails to people.

Bridget: Right. “Hi, my name is Bridget, my Social Security number is blah, blah.” I wouldn't put that on my postcard.

John: Right. Hopefully some of these things we're going to talk about today are self-evident, but maybe there's an idea or two or maybe you can pick some big things up. But I'll tell you what, we've got people on both ends of the spectrum in our practice. I've got a client who had a major company in town, a very intelligent person, and he would send his W-2 or his tax information on open email, and I remember saying, “Jeez, we can't do this.” One year, he got a notice from the IRS in early February, and he was always on extension because of the complexity of his tax situation.

The notice said, “Hey, we got a problem with this tax return you filed.” His response was, “What tax return?” Well, somebody had filed a fraudulent tax return, claimed earned income credit, a bunch of refundable things using his Social Security number. Every year now he's got to file a special form to make sure that the IRS knows it's him filing. On the other end of the spectrum—literally this week—I got an email from an adult child of a client of ours that we work with, mid 20s, I would think tune with what's going on in the world today, saying, “Hey, here's my W-2 with my Social Security number on it.” This was an open email from a Gmail account.

You just can't do this. It's not saying, “Oh, hey, boomer, don’t this.” No, we need to be aware of these things. What's the risk? Well, like I said, we've had some experiences. It is a real risk to do that, and it's simple to avoid it. Our businesses have secure portals where you can upload, and it's all compliant with the latest technologies and safety features. Sometimes you get an email from your bank or your mortgage company, and there's a special place you have to go to log in, or there's a password protection on it. There are ways to do this that aren't terribly complicated. It's a little bit of a pain, but golly, compared to having your identity stolen, it’s not a big deal.

Bridget: Yeah. And to me, I would say just don't trust email. The scammers depend on the rapidity that we use when we're going through email to scam us. So anytime I am concerned about it, I log in independently of the email.

John: Yeah. Not clicking on the thing in the email but going to the website to login.

Bridget: Exactly. It's a lot more secure. So if I get a weird notice from an institution, the scammers are adept enough so that they can copy that.

John: It looks good.

Bridget: Exactly. But that's okay. I have my password. I can log in.

John: So one of the things also is that when you get those emails never click on anything if you aren't expecting that email to come.

Bridget: Right.

John: But if you get something like that and you go, “Oh I think this might be useful, you can hover over that link. Don't click it. But if you put your mouse over it and it says that this is from Fidelity and the link goes to someplace in Zimbabwe, you can just delete that. I don't think about it. If it still says it's going to Fidelity, what Bridget just explained, don't click the link but then go to your Fidelity account in a separate window. Hey, you might need to pay attention to this thing, but never click on anything in an email. There's no reason to. It seems easy, but it can be a cause for problem.

One of the other things that we talk about, talking about logging in and getting things, is how many passwords do we all have these days? More than two. And we probably have heard this for a long time, but don't use the same password for multiple accounts. It sounds challenging, and it can be, but using password keepers or just keeping a list of the things can be helpful with this. And we talk in our office with clients about using passphrases and not passwords. And the evidence that we've been able to uncover says that it's not having a symbol and a number that are the deciding factors of security, it's the raw length of your password.

So once you get up past around 14 characters, then you become really protected against this brute force of a random number generator trying to figure out your password. And it's hard to remember a series of numbers and symbols, but something like football, pumpkin, apricot, right? I can't do that math in my head, but that's probably 15 or 18 letters. That's more secure than having number, symbol, ampere sign, capital, lowercase. So that's one of the things: passphrases. You can have a pretty long passphrase and make it more secure than a typical password.

Bridget: Another thing that I like is multifactor authentication, which is a fancy way for saying have it sent to your cell phone. And so, you put your password in and then you get a code on your cell phone. Now, that is a gold standard in the industry, and it can be a pain, but then once you get more things on it, you just have it.

John: My experience is you can get one where it sends you a text message or you've got some sort of authenticator. I think Google's got one and a couple of other places where there's this number that shows up. That sort of a thing.

Bridget: Exactly.

John: You still need to have a passphrase for that. You might know my passphrase, but if you steal my passphrase, if you don't have my doohickey where I'm getting the code from, then you can't get in. Again, it seems like a pain, but it is not too big of a deal once you get used to it. And compared to having things compromised and having your identity stolen, it’s a pretty simple solution. It's true that it does get ludicrous. For example, if I make a hair appointment, I have to have two factor authentication. There's part of me that protests at times, but it's better to just go with it.

John: I'll give a personal example. So I've got a Gmail account that I use for my newsletters and all the mailing list and all the crap that comes in. And I'm guilty of having the same password for a few things. I don't care about this subscription to this magazine or whatever thing that it was. And a few years ago had notification that read, “This account was compromised.” Well, I don't care because it's Gmail. Well, the Gmail was connected somehow to my amazon or some other place. And so, the crooks went in, and they had my login information.

So they took it from here and they used it over there and they bought some kind of tokens for some video game. $300, $200 transactions that went onto my credit card. My credit card company caught it and said, “Hey, this seems kind of weird.” We were able to get it unwound, but here's this thing, I don't even care about these silly passwords over here because it's not my bank, it's not my credit card, not the important stuff. And yet it could have cost me money because of the way these things are. I mean, so much of our life is interconnected. It's a hassle. I protest, too, but it makes sense to do some of those things.

Bridget: I had a client just before I came here for filming who got a call from the Illinois Department of Revenue.

John: Interesting. Red flag.

Bridget: Now, they're stand-up folks over there. However, it can be hard to get through if you're trying to call them, much less having them call you.

John: Same thing with IRS. Those agencies will never email you, and they'll never call you. I say never, but I did have one time when they did. I was teaching a class, and there was one person that said that he got a legitimate call from Social Security. It turns out that he had called them, and it was a callback thing.

Bridget: It’s the same thing with the IRS. They might call you if you call them.

John: But you're not going to get a phone call that says, “Hey, Mr. and Mrs. Smith, you owe $5,000 in tax.” That doesn't happen.

Bridget: And buy gift cards.

John: Right. It sounds silly, but those are the real things. It comes in US Postal mail. Emails from those taxing agencies, phone calls, I mean, 99.9% of the time you ignore those things. And again, it sounds when we sit and talk about it here, but you get in a situation, you get an email and you go, “Holy moly, what's going on here?” If the IRS sends you a message, it can be scary, and you can start to not think clearly on things. And again, practicing this, having those things in place, really can make a big difference.

Bridget: Yeah, it happens to me, and my heart rate goes up.

John: And we know this stuff.

Bridget: Yeah, exactly. And then I think, “Oh yeah, that's right, the scammers.”

John: So the one other tip, the last five star tip that we have, is to freeze your credit. It used to be that you had to pay to freeze your credit and then pay to unfreeze your credit. After Experian had their breach of data a few years back, however, it became law that it's free to freeze, free to unfreeze. And is it a little bit of a hassle? Yes, you have to go and do it, but usually you can do it online. I know from personal experience, we were buying a car and trying to think about whether we should finance it or not? You go on, you log in, there's three major agencies TransUnion, Experian, and Equifax.

So you freeze your credit with all those agencies and then if you need to go and unlock one of them, you can go and say, “Let Ford Motor Company look at my credit for the next two days,” and then it gets frozen again. That way nobody can ever open credit in your name without having that unfrozen and having you take that action. It’s a simple thing, so there's very little reason, I think, for people to have not to have their credit frozen these days. I don't know if you have a different approach or think that that's less important.

Bridget: I just think it's a pain. I hate to admit it. I shouldn't say that, but I feel like I haven't had cause for it yet. I'll probably go ahead and do it.

John: So Bridget’s going to watch this episode after we finish it😊

Bridget: Yeah, exactly. But they've made it a lot easier. I think that's the point. It used to be a pain.

John: A giant pain.

Bridget: And there used to be the question: “Maybe you should get one of these agencies to handle this for you.” And now it's not necessary. We'll put a link in the show notes, while I sign up😊 Yeah, it's easy now. I guess that's the message.

John: It is way easier than it used to be. It used to be a big problem, but now it just solves a lot of those other problems. So with that, I'm John Scherer, and I run a fee-only financial planning practice in Middleton, Wisconsin.

Bridget: And I'm Bridget Sullivan Mermel, and I've got a fee-only financial planning practice in Chicago, Illinois. Both John and I are proud members of the Alliance of Comprehensive Planners. If you're looking for a planner in your area first, and if you're in Chicago or in Middleton, please contact us, but for planners throughout the nation, you can look

John: And don't forget hit that subscribe button.

At Sullivan Mermel, Inc., we are fee-only financial planners located in Chicago, Illinois serving clients in Chicago and throughout the nation. We meet both in-person in our Chicago office and virtually through video conferencing and secure file transfer.

7 views0 comments


bottom of page