Monitoring your Credit – Should you Lock or Freeze?

In my Cybersecurity 101 post I discussed the top 3½ things you should do to improve your security online. One of these was to regularly monitor your credit using Credit Karma so you would know if your credit score was changing and more importantly if someone had queried the credit agencies outside your knowledge. One of the first indications that your identity has been compromised may come from inquiries against your credit.

Earlier this year, the U.S. Congress modified consumer protection laws requiring all three of the major credit reporting agencies to allow all consumers to freeze and thaw their credit for FREE. While this is a good thing, it is important to understand the benefits and limitations that come with freezing your credit. The benefit is easy: Once your credit is frozen at all three agencies, NO ONE (see exceptions at end)—not even you (or Credit Karma)—can access your credit in any form or fashion, and this protection is enforced by federal law, meaning should someone gain access, then the credit agency would have some explaining to do.

On the surface, one might think it’s a no-brainer, I will just freeze my credit until I need it, thinking they don’t plan on applying for a loan or refinancing their mortgage (especially with rates going back up). Just freeze it and forget it, right? Unfortunately, our credit information is being accessed more than we might think. If you apply for insurance, even a new quote on your homeowners or auto, many insurance companies will first query your credit and base your rate on that score. If they cannot access your credit, they may or may not tell you that. They may simply quote you a higher rate. The online instant quotes many times do this (I’ve tested it). You may be shopping in a new store and they have a great offer if you sign up for one of their credit cards. You fill out the form and the associate comes back in a few minutes and whispers to you, “I’m sorry but your credit was denied.” (Been there done that.) They don’t know that your credit is frozen, only that the automated process they use denied it. Employers many times will make a credit check part of their pre-employment as well as ongoing employment checks, and there are many more.

Even if you are very internet savvy and think you can just hop online whenever you need and quickly thaw your report, you should know that you must do this for all three agencies, each time and they do not make this an easy process. I personally used to believe this and locked our credit for three years. During that time, I had to thaw it no less than seven times and each time it was painfully frustrating—and I’m a geek! During this freeze/thaw process, I had the distinct impression they purposefully make it difficult and frustrating on purpose, because if your credit is frozen, they cannot sell it. After three years of irritation, I stopped freezing our credit and just monitored it with Credit Karma.

However, they do make locks very easy to use, they even have smartphone apps that allow you to lock and unlock with a simple “push of a button.” Great you say, “I will just lock my credit and unlock on demand.”  But, what exactly is a credit lock? Well, none of the agencies make this really clear.  What is clear is that when your credit is locked (not frozen), it is not protected by federal law so if someone does access your information and steals your identity, you have no recourse with the credit agency. Another major difference is it appears that when you lock your credit, the agencies can still sell your information to third parties (credit card companies), but all three do state that hard pulls, the type of inquiry performed when applying for credit are not allowed.

So, which, if either, is right for you? This recent article on Nerd Wallet gives some good examples that we would recommend you use as guidelines. [Note, this article states the Experian lock option is only part of a paid plan, but I have found that no longer to be the case. They do have a free option.]

Regardless of which option you choose, I do recommend that you sign up for a free account on all three services and go through at least the lock/unlock process so you will know how to do it quickly, should the need arise. If you are feeling industrious, go through the freeze/thaw process once as well. Make sure you save your PIN (currently only required on Experian) in your password manager as you cannot thaw or remove the freeze online without it. All of the credit agencies currently require additional steps to freeze/thaw that are not required with locks, and the processes are separate, meaning you cannot perform the lock and freeze on the same website/login, which is what can make this process even more frustrating.

Hopefully, Congress will go one step further and make this a one-step process where you can lock or freeze your report with one agency and they are required to report it to the other three, like they do with the fraud report. Until then, I’m hoping some industrious third party (Credit Karma are you listening?) will provide that option in an easy to use app. THAT is something I would pay a small monthly fee to use.

Following is from the Equifax site as of October 2018. My experience has been different from this, so your mileage may vary.

If my Equifax credit report is locked or frozen, who can access it:
Freezing or locking your Equifax credit report will not prevent access to your credit file at any other credit reporting agency. Freezing or locking your Equifax credit report prevents access by potential creditors and lenders, but there are exceptions. These exceptions may include:

• Companies like Equifax Global Consumer Solutions, which provide you with access to your credit report or credit score, or monitor your credit report as part of a subscription or similar service;
• Companies that provide you with a copy of your credit report or credit score, upon your request;
• Federal, state, and local government agencies and courts in certain circumstances;
• Companies using the information in connection with the underwriting of insurance, or for employment, tenant or background screening purposes;
• Companies that have a current account or relationship with you, and collection agencies acting on behalf of those whom you owe;
• Companies that authenticate a consumer's identity for purposes other than granting credit, or for investigating or preventing actual or potential fraud; and
• Companies that wish to make pre-approved offers of credit or insurance to you. To opt out of such pre-approved offers, visit www.optoutprescreen.com.

Mobile Device Security

The vast majority of mobile devices today are either from Apple (iPhone and iPad), which all run Apple’s proprietary iOS, or they are running a version of Android from Google. Most security researchers consider the Apple iOS to be far more secure than Android for the following primary reason*:

Apple strictly controls their operating system, and only Apple-approved apps can be installed on their devices. Every vendor that uses Android can, and typically does, modify it. As a result, there are hundreds of different versions and varieties of Android on millions of devices. Security updates are typically the responsibility of the different vendors, and newer versions from Google may never be available for your device.

*In all cases, we are assuming that you have NOT “jailbroken” your device (opened a backdoor to its built-in security to allow you (and others) to install software from outside the vendor approved methods) and you apply all patches as they become available.

For this reason, I use and recommend only Apple devices as I consider them the most secure mobile devices currently available.

While there have been some bugs and exploits of Apple devices, Apple has been quick to fix them. The number of instances where devices have actually been compromised is believed to be very small and typically a result of user error and/or carelessness. You can decrease the likelihood of exposing your devices to problems by doing the following:

1. Keep the device updated.
2. Be very selective on the apps that you install. If you let your children/grandchildren play games on your iPad, then you may not want to use that device for banking.
3. Don’t connect your mobile device to any computers you do not own and control.
4. Avoid public Wi-Fi or use a VPN if you must.

If you already own an Android device and cannot or will not switch to Apple, then you may want to consider installing security software from one of the major vendors. Webroot, our first choice for your desktop/laptop, also has software for Apple and Android.  If you use an Android device to do anything other than basic email, we recommend you install security software to help protect that device. Before purchasing the security software, make sure it works with the version of Android on your device.

Amazon Kindle

I have owned Kindles since Amazon first released them and love it. The Kindle runs a customized version of Android, but it cannot run a lot of the apps in the Google Play store. While Amazon updates the Kindle software periodically, and I think it is a wonderful device, I do not and would not use it for doing anything sensitive (i.e., banking). I use my Kindles for reading books, streaming video and ordering stuff from Amazon. If your email provider supports multi-factor authentication (Google) then I would consider it likely safe for email purposes. While I have tested Gmail on the Kindle and my wife uses it for that purpose, I still prefer the iPhone/iPad for that purpose as they are more secure.

Travel

Finally, if you are traveling and find it necessary to use public Wi-Fi (and of course always with a VPN), then I would recommend you install Webroot on those devices, even Apple devices. You simply cannot be certain of what is going on “under the covers” when using public Wi-Fi.

Cybersecurity 102: The top 3 things you should NOT do to enhance your online security

Nothing is 100% safe—and the sooner you understand that when it comes to all things on the Internet, the safer you’ll be. In Cybersecurity 101, we discussed the 3 ½ things you must do for personal cybersecurity: using a password manager, protecting your email, monitoring your accounts and auto-updating devices. To review the Cybersecurity 101 education module visit: http://www.henssler.com/cybersecurity-101

However, vigilant cybersecurity doesn’t end there. There are several things you should try to avoid, limit your exposure to or at least be aware of to protect your computer and networks, regardless if you’re at home or at work.  

Bottom Line: While there are bad things and bad people using the internet, by following these two set of guidelines, you can use the Internet in (relative) safety. Don’t let the FUD factor (Fear, Uncertainty, and Doubt) keep you from using and enjoying the world of technology. 

Definitions

Phishing: the fraudulent practice of sending emails claiming to be from someone you know or reputable company to induce you to click on a link that will take you to a website asking you to reveal personal information, such as passwords and credit card numbers.

Smishing: a form of criminal activity using social engineering techniques via a text or SMS message when someone tries to trick you into clicking a link that leads you to giving them your private information.

Vishing: the telephone equivalent of phishing. It is described as the act of using voice calls to scam the user into surrendering money or private information that will be used for identity theft.

Detailed Information

1. Be Wary of all Links

The primary way the average person gets into trouble on the Internet is by clicking on links within emails. Security researchers say that ‘phishing’ accounts for over 80% of all problems. Some of the most devastating Internet attacks started with nothing more than a simple email containing a link that someone clicked on. When you click on a link it may appear that nothing happened, or it can open a seemingly harmless page on a website. However, ‘under the covers’ and unseen, malware has taken over your computer.

The best advice is to be selective in your clicking. Links are common on web pages, emails and even text messages. They’re a convenience, not a necessity. You simply click the link and it takes you to exactly where you want to go. That’s so much easier than typing in http://www.henssler.com/cybersecurity-101 —that is true. However, you cannot trust every link you come across. That’s not to say you should never trust links. You just need to be aware of who sent you the link and where it really goes.

Most every major website pulls in advertising, and a lot of the time that advertising is specific to you. If you searched for motorcycle boots on one shoe website, chances are next time you’re on Google, MSN or Yahoo, you’ll see an ad for those same boots. However, you may also see ads for other things related to those boots—perhaps a matching leather jacket or maybe an ad for low-cost motorcycle insurance. These “related” ads have identified you as someone who would be interested in their products or services based on something you’ve confirmed you are interested in. Before you go clicking on these ads, take a moment and really think about why you are seeing them and where they may take you on the Internet.

The link for leather motorcycle jacket may take you to the same website as the boots you were looking at, but the link for the cheap motorcycle insurance may take you somewhere else. And then, the site may ask you to enter your address to help find you a quote; maybe even ask your household income. Stop and realize that’s a lot of personal information you’re potentially giving up without even researching this company. While many legitimate sites operate this way, there are also plenty that are less than ethical. At best, some will sell that information at the first chance they get, and at worst, it is a complete scam to get you to enter detailed financial information. Unless you directly typed in the link to the insurance company and are applying online for low-cost insurance, you should think twice about readily giving up personal information. If the ad sounds like something you want to check out, make sure your security software is up-to-date and includes a site checker that scans the URLs and determines if the site is safe. We recommend Webroot. Your best bet is to type in the URL of the company listed on the ad and visit the site directly, bypassing the link shortcut.

If you’re going to click on links, look closely at the link. If the link starts with https:// that S indicates you’re on a secure site and the info you transmit to that site is encrypted. If a website’s security certificate doesn’t match the company’s domain name or is invalid, your web browser may give you a warning that your connection is not private. We recommend you do not visit that site or send any information to that site.

Links in emails need to be treated with the same scrutiny. Just because the email says it is from your mom, your boss, or your bank doesn’t mean it actually is. Spoofing an email address is one of the easiest things to do online. The use of fraudulent emails to induce you to reveal personal information and/or click on links, also known as phishing, is the primary way crooks exploit the average user.

If you are not expecting a link from your boss—don’t click on it! If your bank is emailing to tell you “there is a problem with your account…click here to verify”—don’t click on it! Assume all links are dangerous until proven otherwise. You can call your mom or your boss to verify they sent you an email with a link. If you use a password manager, you can use that to log into your bank account to see if there is indeed a problem. You can also use a third-party site like BrightCloud or Virus Total to check the links sent to you. If you insist on using the link, first hover your mouse over the link. The mouse cursor should change to a hand and show what domain the link is actually taking you to. "https://www.secure.firstbank.com" is a different site than "https://www.secure.com/firstbank."

Notice how both go to secure websites. You can see that because of the https://. You need to pay close attention to the word that is before the final domain extension. The first link in that example goes to firstbank.com the second goes to secure.com, which may not be a legitimate site.

Finally, you should avoid shortened URLs like "www.bit.ly.24Xp3" or "www.tiny.url.xYp33r." These are common on social media or in text messages. You have no way of knowing where those links lead to, even if you hover over them. A URL shortener uses redirects to forward a user from the short link location to the destination URL location. Even third-party sites like BrightCloud or Virus Total cannot generally see past the redirects.

2. Avoid Downloading Files

Again, just because your mom, boss or bank sent you a file to download doesn’t mean the file is safe. Files with .exe, .app, .inf, and .osx extensions are examples of executable files that instruct a computer to carry out a command. While your anti-virus, internet protection, or spam filtering software should flag these files as high risk, some may still make it through to your email. And if they are on a website, there is no filter to prevent you from downloading them. For example, you receive an email from your Uncle Lou that simply directs you to download a file from Dropbox. You may likely have an Uncle Lou. Dropbox is a site you recognize. However, if you are not expecting shared files, be safe and skip the download. If it is important, Uncle Lou will call you to ask if you received the files.

Furthermore, many common file formats like, .doc, .zip, or .pdf, can hide malicious code that can infect your computer with programs that will log your keystrokes, lock your hard drive or hijack your email to replicate itself. If you are not expecting a file attachment, you should call whoever sent you the file to verify they actually sent it. Unless you are purchasing software from a reputable company, never download executable files from the Internet.

To make matters even more complicated, the shortened URLs, which you cannot discern where they will take you, may automatically download an executable file from the Internet. And if the shortened URL comes from a spoofed email address claiming to be your mom, you have a prime opportunity for disaster.

Make sure your operating system, browsers, and plug-ins are up to date. Software vendors often provide patches to rectify any security vulnerabilities that can be exploited. Consider turning off your web browser plugins like Flash or Java or setting them to ask before playing. This may prevent malicious ads found on reputable websites from exploiting an autorun environment. Finally, close your browser once you are finished using a secure website, like your bank or email.

3. Say no to Public Wi-Fi

Using public Wi-Fi is the high tech equivalent to having unprotected sex. You do not know who has been there, what kind of protection they’ve used (if any), and while it may look clean, it may not be. Sure, it’s very easy and convenient to go to Starbucks and use the free Wi-Fi to check your email. It’s tempting to stay and work on your computer when there is the lure of a scone and a latte a few feet away from your table. This is why crooks scope out these places. They know the convenience and comfortable atmosphere will draw people in. You don’t know who is sitting next to you watching what you are doing on a public Wi-Fi network.

Disable the “auto-connect” option on your tablets, laptops, and phones. Make sure your electronic devices are set to “Ask to Join” networks. Especially when traveling, disable Wi-Fi and Bluetooth on your devices. Instead, opt to use your cellular connection. Many of the cellular plans offer unlimited data packages, which can allow you to turn your phone into a Wi-Fi hotspot for your other devices.

If you must use a public Wi-Fi, use a virtual private network (VPN). A VPN creates a secure tunnel between your device and the website you are visiting. VPN software encrypts your data, even before Starbucks’ Wi-Fi provider sees it. The data then goes to the VPN, and from the VPN server to wherever you’re visiting online. The websites you visit see your data coming from the VPN server and its location, not from your computer and your location. We recommend Nord VPN.

Furthermore, when traveling, avoid using computer kiosks or open computers in business centers. While libraries, hotels, convention centers, and airports offer these stations as a convenience for the business emergency, the reality is you don’t know who was there before you. Even the Wi-Fi at a five-star hotel is risky because you’re sharing that network with every other guest in the hotel—so when we compare public Wi-Fi to unprotected sex, we’re not that far off!

USPS Informed Delivery

This service has been available to most of us in the US starting in October 2017, but few seem to know of it or use it. However, some crooks are taking advantage of it to order then steal credit cards.

Read this article for more details: https://lifehacker.com/sign-your-address-up-for-usps-informed-delivery-before-1830389625​​​

The one app EVERYONE should have on their smartphone

Bold statement, I know - but this is the​ simplest yet most innovative and useful app I've seen in a long time. If you have ever gone hiking, or to an outside concert or anywhere where you need to meet someone or be picked up, you are familiar with what a pain that can be giving an address for any large venue, or in the middle of nowhere - where there are no addresses (yes, I live in the sticks).

The app is called 'What 3 Words'.​ Some details here. 

Baby boomers more cybersecurity savvy than Gen-Z

Just sayin... us old folks have you young-uns beat!

​A recent Webroot survey found 23.7 percent of Gen-Z were able to accurately define ransomware compared to 47.6 percent of baby boomers. Baby boomers were also the least likely to spread malware and other cyber threats as 94.2 percent said they had not forwarded emails from unknown senders within the past year.

We beat you millenials as well! -and before anyone makes any luddite related comments about Boomers - just remember what generation CREATED the personal computer!

Full article here.​

Malvertising

Another geek portmanteau - malware and advertising: malvertising...

While bogus tech support / FBI warning pop-ups and pornados have been pretty much countered by browser security features, this method is a work around that would give most normal users consternation and worry.

For now, it appears to be Windows Chrome specific and odds are Google will deal with it quickly.

See this article from Malwarebytes (who discovered the malware) on how to deal with it. Just another reason to use an ad blocker and to never EVER click on any ads you see while browsing the web.

The Malwarebytes product has been around for years and is an excellent product. While I do not use it as my primary antivirus/PC security product, I do have it on a USB drive that I use to periodically check my system and clean-up friends computers that have problems.

Phishing, smishing, vishing... Using the web safely

All of these '...ishings' are just clever names for fraud. The primary difference is the communication method used but their goals are the same - to get someone to click on a link in an email, within a text message or believe the scammer on the phone and give them money and/or personal information.

No matter the media nor methodology used, the vast majority of these are sent 'in the blind' to thousands if not millions of people at the same time. Targeted attacks are rare and tend to be focused on 'high profile' individuals (politicians, entertainers, the very wealthy). Fortunately, the majority of us just get the run of the mill, generic spam - but that does not make them any less of a threat.

One of the more common and successful methods used is to make the message appear to come from a trusted and/or source known to you. For example:

• an email from a friend or relative, claiming to be stranded in another country begging you to wire them money
• a text message or social media post from a familiar or 'famous' name
• a phone call from someone claiming to be with the IRS or other government authority threatening you with arrest if you don't immediately send money

The things they have in common:

• they portend to be from someone you think you know, trust or fear (IRS)
• a sense of urgency - you must do something IMMEDIATELY

Simply because you receive an email that has your mothers, childs, friends name and email address in the FROM line, does not mean it was actually sent by THEM. When you see these type of attacks the majority of the time the scammer has simply 'spoofed' the sender information. It is very easy to do, and fortunately, most major email providers (Gmail, MSN, etc) are pretty good at identifying and preventing the majority of these from getting through.  

The more difficult method to identify is when the scammer has gained access to your friends email account. They then send their phishing messages to everyone in their contacts list and only a close examination or a confirmation phone call will reveal that it is a fraud.

What can you do to limit your exposure to these types of fraud?

• Don't click on ANY links, especially for any of your financial sites. Instead, open your browser and type in the web address to login, or use LastPass to do this for you.
• If you feel you *must* click on a link, then teach yourself how to examine a link to verify it is legit. You can also use Google to examine the link for you. While not 100%, it is a quick, easy and free way to filter out many of them.
• There are also some antivirus products that have a safe browsing feature as part of their product offering. The one I use and recommend: Webroot  You can purchase a 3 device license for 1 year for under $25 from Amazon.

If you want to learn more about the most common web/internet scams and how to identify them see this article, or simply search for: 'How to identify phishing email'.

But wait! In this article you say not to click on ANY links, but you have links throughout your blog. That is true, but if you are not sure you can trust them - you should not click on those either. When in doubt, don't click.

Managing the Failure Points

Over the years (decades), I have been asked for tips on starting a business to the perfunctory cocktail question of 'What do you do'. To both, the answer is the same I manage failure points.

That tends to end most casual cocktail conversation with an odd stare (which is fine by me), but with a little explanation, I feel it's an accurate description of not only managing a business, but of most processes in life.

There are three steps to this methodology:

Identification - first and foremost you must be able to identify what is most likely to go wrong and which of those you can actually prevent, control and/or mitigate.

Preparation - what is the likelihood and order of occurrence of the failure points. What can you do to either lessen their probability or limit their damage?

Mitigation - once they do occur, how do you handle them.

Those problems that are highly unlikely/improbable or you can do little to control, even if they could be catastrophic, should not be your focus. Many times, it's the 'little things' that do you in, but because they seem minor at the time, we tend to push them off for later. Like the parable of slowly boiling a frog - [ if you put a frog in a pan of water and increase the temperature slowly, they get complacent, even doze off in the warm water, until it's too late ], a small problem ignored today can grow to one that cripples you tomorrow.

This practice also helps you maintain perspective. Anything we try to accomplish in life has hurdles to overcome. Some barely stretch our legs, others smack us square in the groin. Being comfortable with the number, size and type of hurdles you are likely to encounter and knowing ahead of time how you will tackle them, helps instill confidence and the conviction that you are doing the right things. While fear is the strongest of human emotions, self-doubt is the most destructive.

When unexpected problems arise (just like no battle plan survives the first engagement, no plan of any complexity will either), be prepared to re-assess, re-adjust and re-focus.

Another part of this process is identifying the tipping points - more on this later.

Cybersecurity 101: The top 3 1/2 things you must do for personal cybersecurity

I recently gave a presentation to some Henssler Financial clients on the three (and a half) simple things that everyone should do to protect themselves online.

The following is a synopsis of these items. You can also download a handout from that presentation here, which contains all of the salient points.

#1: Use a password manager

Each and every website for which you have an account must have a unique and 'real' password. A 'real' password isn't one that the average human can easily remember. Since the password manager is going to create, save and automatically fill in your username and password for all of your sites, you might as well use the longest and most complex password they will support. Every site is different - all limit the number of total characters and some only allow alpha-numeric. Regardless, by simply having long, randomly generated and unique passwords for each and every site - you have just greatly increased your online security.

User ID: Ideally, it is NOT your email address or any part of your name. If the website gives you the option to use something other than your email address - do!

One of the main reasons to have unique passwords (and if possible user IDs) for each site is because the most common way accounts are compromised is when a website you use is hacked and their user data is stolen. The thieves use software to plow through this list, going to thousands of banking and ecommerce sites trying the information they stole, knowing that a significant number of people use the same user ID and password at multiple sites.

There are several password managers on the market that do a good job. If you are already using one, good for you - continue to do so. If not, I recommend LastPass. I've used it for years and you can use the basic version for FREE on one device (PC, mobile).  They also have several great tutorials to get you started as well as an enterprise version for businesses of all sizes.

ProTip:
Enable multi-factor authentication on your password manager.

#2 Protect your email account

Your single most valuable online account? Your EMAIL. Why - because it is the golden ticket, the keys to your kingdom.
Many websites still do two very insecure things:

1. They require you to use your email as the username for your account
2. They send password resets to that email address without any form of authentication

So, if a criminal has access to your email they will go through all of your saved and deleted emails, see what sites you use, then go to those sites and click on the ubiquitous 'Lost Password' link, which sends a password reset to...you guessed it, your email account that they now own. They can then change your contact info, shipping address - etc and if you have a credit card saved with that site, they may just make a few orders as well.

You should only use an email provider that supports multi-factor authentication (MFA) (see the handout for details on what this is).  If your provider does not support MFA, change providers. Gmail is my recommended provider.

ProTip
Create multiple email accounts:
I have one main/primary account that I use for personal correspondence, another I use for sites on which I do not buy stuff, one for my sensitive sites (banking etc) and one for spam (the one I give when you go to a site to get some info etc). Email addresses are FREE and Google makes managing these simple. You can forward all of the email from your 'other' accounts to your main and then have a rule that moves those emails into their own folder (or into your inbox if you prefer).

I appreciate this may be a bit more hassle than many want to endure - just something to consider in the future.

#3 Monitor Your Accounts

This means all of your financial accounts (bank, credit card, 401k, broker, whatever) as well as your credit. With the recent Equifax debacle, monitoring your credit reports is something all of us should do on a regular basis. The easiest way is to create a FREE Credit Karma account which will give you access to your Equifax and TransUnion information. Unfortunately, Experian (the 3rd of the big 3 credit reporting agencies) is not available through Credit Karma, but you can also create a free account on the Experian site and monitor it separately. I log onto these sites at least once a month to check my information (and credit score) - unless I get an email notification of a hard inquiry.

What you want to look / watch for is 'hard' credit inquiries. This is what is generated if you apply for credit. You can set up an email alert with both Credit Karma and Experian to notify you anytime a 'hard' inquiry is generated and if you have not recently applied for credit with the vendor making the inquiry, contact that vendor and the credit agency immediately. You will want to file a 'fraud alert' with that agency and they are required to notify the other two.

All credit card vendors and most financial services now offer some form of notification service (email and text) when certain events occur (deposits, withdrawals, charges over a certain limit, etc). I suggest you enable all of these at first and give them a try - you can change them later if they are too annoying. With American Express, anytime I use that card I get an immediate notification on my phone. It's a great way to keep up in real time what is happening with your account.

#3.5 Auto-update your devices (computers, tablets, phones etc)

Microsoft, Apple, Google - all tech vendors are constantly patching for security problems. There is no way any average person can keep up with it all. The simplest thing is to turn on auto-update and forget it. Yes, some hard core techies will claim that sometimes a patch may break something, but it is rare and the risk/reward is in favor of auto-updates.

Unfortunately, the vast majority of the Internet of Things (IoT) devices as well as your router, probably don't have an auto-update feature (for a number of reasons). While this normally would not be a huge deal, there have been some recent exploits discovered and many of these devices could be at risk. Some of these (older) devices may not even have an update capability or the process requires a degree from MIT. In these cases, you can either start with a Google search 'How do I update my Linksys [model #] router', or ask a geek you trust to stop by for a cup of coffee!

CES 2018 had some new product announcements that address this issue, see this article for details.

So, there you have it - all but the last one are relatively easy and straight forward and by doing all of three of them, you will have greatly increased you security awareness and DECREASED the likelihood of falling prey to the online predators. Should someone find a chink in your armor, your diligence in monitoring your accounts should tip you off shortly after it occurs and allow you to minimize any potential problems.