October 03, 2008

Advice on safe Web surfing

Can you distinguish a real e-mail from a fake one that’s out to steal your identity? Do you know how to pick the best security software for your computer? Looking for tips on protecting your children online or reducing the amount of annoying spam you receive on your cell phone? A new Consumer Reports Web site helps you with that and more.

The Consumer Reports Guide to Online Security site brings together the best of our reporting, tests, and survey data to create a one-stop place to get the latest information on how to protect yourself, whether on your cell phone, mobile device, or computer.

The information, most of it free (ratings are available to subscribers only), covers such subjects as spam, viruses, phishing, and ID theft; security software; and the newest threats you should guard against. Current features include 19 tips for staying safe online and findings from our 2008 investigative State of the Net survey. You also can take our interactive “Phishing Trip” to test your ability to distinguish legitimate e-mail messages from fraudulent ones.

The site also features videos, including a musical animation about e-mail scams called Gone Phishin’ and a clip on the Lenovo IdeaPad laptop, which lets you log on by scanning, believe it or not, your face. The guide also includes gateways to our online security blog and security and privacy user forum.

June 25, 2008

The downside of credit freezes

If you’re concerned about identity thieves ruining your credit, you’ve probably considered putting your credit report on ice. A credit freeze prevents anyone who obtains your Social Security number or other personal information by nefarious means from opening credit accounts in your name. But freezing your files also inconveniences you. While the freeze is on, no one—not even you—can open an account in your name. Companies and individuals you want to do business with, including lenders, prospective employers, landlords, and utilities, will not be able to evaluate your credit.

You can have the freeze lifted, or “thawed,” to let people peek at your info, but that can take time. Say, for example, you want to apply for a store credit card to save 10 percent on a digital camera you’re about to buy. Some states require credit bureaus to lift the freeze in as little as 15 minutes—which is fine if you also planned to look at tripods and camera bags—but it can take days in other places. And depending on your state and circumstances, freezing, temporarily unfreezing, or permanently removing the freeze can cost you nothing or require a fee of $3 to $20. To learn your state's law, go to Consumers Union's Guide to Security Freeze Protection. If your state is not listed because it’s one of the handful without a freeze law, you can contact the three credit-reporting agencies—Equifax, Experian, and TransUnion—directly and each one will freeze your file for $10. (There is no charge if you’ve been the victim of ID theft.)

A freeze won’t block access to your report by a company you already do business with, certain government agencies, and other exempt entities, including insurers in some states. And a freeze won’t prevent creditors from placing negative information in your file, such as late payments. It also won’t protect your existing accounts from being pillaged.

What to do. If you suspect that someone has stolen your personal information, initiate a freeze at all three credit agencies. If that isn’t the case, and you’re about to apply for a loan, a job, or anything else that requires access to your credit report, you might wait before initiating a freeze. If you wish to temporarily lift a freeze, allow enough time to make sure any companies you want to do business with won’t be blocked. And remember: Even if your files are frozen, you still need to check them at least once a year for suspicious activity.—Anthony Giorgianni

May 20, 2008

Keep the wrong mitts off your ID

Be stingy with your Social Security number if you want to avoid becoming a victim of identity theft, warns FINRA, the largest private regulator of the securities industry.

Generally, you do need to disclose the number to your employers, for wage and tax reporting; to banks, brokerages and other financial institutions, for tax reporting and credit checks; to your landlord and utility companies, for credit checks; to government agencies, for providing services or accepting tax payments; and to credit reporting agencies, including when you request a free copy of your credit report.

If an individual, business, or agency requests your number, FINRA recommends that you ask why it’s needed, how it will be used, how the number will be protected, and what would happen if you don’t provide it.—Anthony Giorgianni

March 25, 2008

Experian challenges LifeLock on fraud alerts

Experian, one of the three giant credit reporting bureaus, recently filed a lawsuit in U.S. District Court in California, designed to stop LifeLock from selling a service that, among other things, puts temporary fraud alerts on customers' credit reports and automatically renews them every 90 days. LifeLock charges $10 per month or $110 a year for this service.

Fraud alerts warn prospective lenders that a credit applicant might be an ID thief, and they should take steps to verify the identity of the borrower. Under the federal Fair Credit Reporting Act, consumers who make a good-faith assertion that they suspect they are, or are about to become, a victim of identity theft, have a right to file such alerts on their own—for free. That’s one reason we criticized LifeLock recently in the Consumer Reports Money Adviser.

That hasn't stopped LifeLock from selling the service—heavily advertised through TV, radio, and newspaper ads featuring LifeLock's CEO Todd Davis, who claims the company offers protection so ironclad that he reveals his actual Social Security number. LifeLock says it's now adding 120,000 new subscribers a month and is closing in on 900,000 total customers.

Experian’s central argument is that the Fair Credit Reporting Act “does not permit the placement of an initial fraud alert by corporations such as LifeLock.” But the law does allow a “consumer” to directly place a fraud alert or an “individual” representing a consumer to place fraud alerts; it does not specifically say "corporations."

Experian also argues that LifeLock violates the FCRA, which allows temporary fraud alerts lasting only 90 days, saying that the law doesn't anticipate a series of 90-day alerts that are perpetually renewed. Consumers who have had their identities stolen can get a 7-year extended fraud alert if they file an ID theft report.

The Federal Trade Commission has made no policy statement on the matter, but offers advice to consumers on whether or not to buy services that claim to protect against identity theft.

Davis says Experian’s suit is “frivolous.” Experian’s retort: “This is not a frivolous thing we’ve done. We don’t file frivolous suits,” says Donald Girard, a spokesperson.

Protect yourself
As Davis himself admits, a fraud alert “isn’t 100 percent bulletproof” protection against identity theft. Consumers Union, our parent organization, recommends that you consider using a “security freeze” to completely block access to your credit reporting file by all prospective lenders. This would stop ID thieves from opening new accounts in your name. You can unfreeze your file with a personal identification number. As of last year, all three credit bureaus allow anyone to freeze and thaw their credit report as they wish for about $10, less in some states, and for free if you've been the victim of ID theft. Click here for more information.—Jeff Blyskal

March 24, 2008

Safeguarding your credit and debit numbers

With the Hannaford heist still in the news, here are further tips on how to protect your financial information, courtesy of “Money Mom,” who blogs on our parent organization’s Web site, ConsumersUnion.org.

March 20, 2008

When cyber crooks have your number

The latest data breach involving consumers’ credit- and debit-card numbers has hit the Hannaford Brothers supermarket chain, which operates primarily in New England, and the related Sweetbay supermarkets in Florida.

The company says cyber crooks made off with customers’ card numbers and expiration dates but not their names or addresses.  It offered this advice to anyone who might be affected.

For tips from Consumer Reports on preventing such thefts in the first place and dealing with one if it happens, click here.
 

February 01, 2008

Review your credit reports regularly

We often advise consumers to obtain copies of their credit reports once a year to monitor them for accuracy and possible fraud. If you haven't done so in a while, now is a good time to get a look at what your creditors have been saying about you.

Credit reports contain information on your payment history with different creditors, inquiries made by various financial institutions, and public records such as foreclosures or bankruptcies. Consumer reporting companies collect and sell this information to lenders and other businesses that have a permissible interest in it. Your credit record can influence the rates you pay for borrowing and insurance, among other things.

Order your free credit reports online at www.annualcreditreport.com or by calling 877-322-8228. This is the official channel through which you can get your report from each of the three major consumer credit reporting bureaus—Equifax, Experian, and TransUnion. You can get all three at once, or stagger your requests over the year to keep closer track of your records.

Other Web sites also promote free credit reports, but many of them tie those reports to fee-based services such as credit monitoring. A 2007 Consumer Reports WebWatch analysis of 24 such sites found that nine were owned or closely connected to TransUnion and eight were owned or otherwise closely connected to Experian. The report found that many of the alternative sites had names—like freecreditreport.com—that are similar enough to annualcreditreport.com to cause confusion.

Once you have your credit report, check it for accuracy:

  • Make sure that your name, address, Social Security number, and all other personal information is correct.
  • Make sure that there are no accounts, debts, bankruptcies, or court judgments on your report that don’t belong to you.
  • Make sure that payment histories and balances are correct and that any errors you have reported have been fixed.

To help consumers take advantage of their rights to a free annual credit report, Consumers Union is offering a free online guide, Your Credit Matters, with advice on how to order a free credit report, review it for accuracy, and correct any mistakes. 

January 30, 2008

Scamster dance: Don't fall for "tax rebate" hoax

An economic stimulus package proposing tax rebates for most Americans hasn't yet been signed, but scam artists already are using it to try to separate us from our money.

The IRS reported a new scam today, in which consumers get a phone call from someone identifying himself as an IRS employee. The caller tells the targeted victim that he is eligible for a sizable rebate for filing his taxes early and asks for the victim's bank account information for direct deposit of the rebate. Without direct deposit, the caller says, there will be no rebate.

It's a hoax. The economic stimulus package hasn't been signed, and the process for distributing the rebates has not yet been finalized. And besides, the IRS would never contact a citizen that way or require direct deposit for a rebate. If you follow through on this scam, you risk being robbed of your money and your identity.

In another scam—a first, according to the IRS—citizens get e-mails addressing them by name and suggesting they're candidates for tax audits. The e-mail instructs recipients to click on links and fill in account information--data that thieves can then use for identity theft.

Don't fall for this one, either. The IRS says it doesn't send unsolicited, tax-account-related e-mail to any taxpayer.

********************

If you're wondering what you will get from the economic stimulus package, check this blog regularly. We'll update you on your due—and advise you on sensible ways to use it—as soon as the bill is signed.

--Tobie Stanger

January 15, 2008

The latest IRS e-mail scams

Two e-mail scams purportedly from the IRS recently landed in my “in” box from baffled friends. Like all e-mail attributed to the IRS, these were phonies.

One had an official-looking e-mail address with irs.gov on the end. The subject line said, “IRS USA for Businesses: Important messages to all business Accountants and Treasury Managers!” The main message told recipients to download information on recent changes to business and corporate tax laws, and offered an address to click on for more information, including “www1.irs.gov” in the URL.

Point 1:  There is only one official IRS Web site: www.irs.gov.

The other e-mail was scarier because it looked so real. It, too, was sent from an e-mail address with irs.gov on the end, and informed the recipient that she was due a tax refund of $93.60. To add to its verisimilitude, a copyright line for the IRS was posted at the bottom.

Clicking on the provided link led to a Web page with official-looking IRS letterhead, and that very familiar sans serif typeface that says “I’m not kidding.” And what did the “IRS” want from my friend? Her Social Security number and a current credit card number—for who knows what kind of mischief. The only thing that gave away the scam was the URL that popped up on that second page: www.drunkenmedia.com.

Point 2: The IRS never communicates with taxpayers via e-mail. Even the electronic confirmation you get after filing electronically comes through the tax-prep software provider, not the IRS.

I checked later and both offending Web pages had been taken down. Someone had obviously reported them, a wise move.

Point 3: Never respond to e-mails that purport to be from the IRS.

Otherwise, you could become the victim of identity theft. Report any e-mails you receive that purport to be from the IRS to phishing@irs.gov. Check the IRS Web site for more examples of common e-mail schemes.

--Tobie Stanger

November 02, 2007

Protect yourself from post-wildfire financial scams

As if the catastrophe of the recent southern California wildfires was not bad enough, scam artists are reportedly using the disaster to prey on victims and good Samaritans alike.

The IRS warns taxpayers to avoid a fraudulent e-mail soliciting charitable contributions to aid fire victims that appears to be from the IRS and the U.S. government. The scam leads readers to a phony Web site with a donation form requesting the recipient’s personal information.

The IRS says the site is another example of phishing, in which recipients are tricked into providing personal and financial information that can be used to steal their assets. For tactics on protecting yourself from phishing, click here.

Other post-disaster threats

After a disaster, you may receive a phone solicitation from an organization purporting to be collecting for disaster relief. The Identity Theft Resource Center, a San Diego-based not-for-profit organization, recommends you hang up on such calls and initiate the call yourself to your charity of choice. Most legitimate relief agencies are too busy administering to disaster victims to solicit donations, the ITRC notes.

If you have been dealing with a business affected by the fires, call as soon as you know they’re back in business to confirm that your identifying data—financial records, Social Security number, etc.—have not been compromised, which could lead to identity theft. If you’re told otherwise, visit the ITRC’s Web site for guidance on what to do. And click here for our article on preventing identity theft. —Tobie Stanger

October 30, 2007

ID thieves more likely to target companies than consumers

Today’s identity thieves seem to be heeding the advice of 1930s bank robber Willie Sutton. Asked why he robbed banks, Sutton famously replied, “Because that’s where the money is.” 

So it is with many identity thieves, according to a new study by the Center for Identity Management and Information Protection at Utica College in New York. Its sample of U.S. Secret Service cases found that contrary to the conventional image of identity theft targets as unlucky individuals, the largest category of victims (37 percent) were banks, credit unions, credit card companies, and other financial-services providers. Retail businesses accounted for another 21 percent of victims, with individuals representing 34 percent.

Of course, these statistics will be of little comfort if you fall prey to an identity thief. Here is Consumer Reports’ latest advice on ways to protect yourself. 

October 29, 2007

'Security' stymies overseas Americans who want credit reports

Americans who live abroad are likely to be mucho frustrated if they request the free credit reports they are entitled to by law. That's according to an investigation by Consumer Reports WebWatch.

WebWatch says the official Web site for requesting free reports, AnnualCreditReport.com, is denying access to anyone with a foreign Internet Service Provider, due to security concerns. Affected are Americans working or retired overseas, including military personnel. WebWatch's report provides more details, along with addresses for anyone wishing to request their reports by conventional mail.

October 12, 2007

Protect your child from ID theft?

FamilySecure, a new credit-monitoring and fraud-alert service introduced by the credit-reporting company Experian last week, purports to address a growing problem: identity theft involving kids younger than 18. For $19.95 a month, Experian says it can help.

Experian says many kids find after they turn 18 that someone has stolen their Social Security number and used it to run up bad debts. The resulting credit reports can make it difficult for the victims to get credit themselves.

Jay Foley, executive director of the Identity Theft Resource Center, based in San Diego, agrees that child ID theft is a real problem. He estimates that more than half of such cases involve adult family members who use children’s Social Security numbers to open accounts after ruining their own credit.

To put the risk in perspective, the Consumer Reports Money Adviser newsletter recently noted that just 19 percent of Americans who were told their personal information was compromised reported that the breaches led to credit-card charges, bank account losses, or other ID fraud.

What’s more, many of the protections that credit-monitoring services offer are things you can do yourself, at little or no cost.

FamilySecure does add a new twist to Experian’s traditional credit-monitoring and fraud alert services: a guarantee to pay up to $2 million in expenses related to cleaning up your or your children’s ID-theft mess, including stolen funds, legal expenses, loan application fees, and telephone costs. An Experian spokesperson tells us that a parent or guardian can enroll an unlimited number of children for the one $19.95 monthly fee.

While that may provide some peace of mind, it’s far from inexpensive. A parent enrolling a 1-year-old in FamilySecure would pay more than $4,000 for the service by the time the child turned 18, assuming the annual price never goes up. Parents may have other, perhaps better, uses for that money. —Tobie Stanger

October 03, 2007

Beware of bogus e-mail from government agencies

The Internal Revenue Service is warning about yet another bogus e-mail that looks like it was sent by the agency. The scam offers recipients $80 for participating in an online survey. Along with customer-satisfaction questions, the survey asks participants for their name, phone number, and credit-card data. The information will probably be used to call the participant later in an attempt to get other financial details, which could enable the scammers to withdraw funds from bank accounts, run up charges on credit cards, or take out loans in the victim’s name. The IRS says it never sends unsolicited e-mail.

Earlier this year, the IRS and the Federal Trade Commission issued warnings about e-mail that appears to come from either agency but is actually an attempt to install malicious software on computers. The fake IRS e-mail includes a link or attachment that you are instructed to open or click on for more information. Doing so can infect your computer with a virus that allows the spammer to take over your machine remotely. Click here for more information from the IRS on email scams.

The FTC warning concerned a bogus e-mail supposedly sent by the Federal Trade Commission but actually sent by third parties hoping to install spyware on computers. The spam poses as an acknowledgment of a complaint filed by the recipient, and includes an attachment. Consumers who open the attachment to this e-mail unleash malicious spyware onto their computer.

For more on potential threats from e-mail and Web browsing, see “Net threats: Why going online remains risky.” —Anthony Giorgianni

October 01, 2007

Big credit agency offers plan to freeze out ID thieves

On Oct. 15, TransUnion will become the first (and so far, only) of the Big Three credit reporting agencies to allow all consumers to put a security freeze on their credit files.  A freeze stops credit issuers from accessing your file and can thwart would-be identity thieves from opening accounts in your name.

TransUnion says it will charge $10 to place, temporarily lift, or remove a freeze. If you have been a victim of identity theft, the service is free.

Most states already have freeze laws that apply to all three reporting agencies. Before contacting TransUnion, be sure to check what your state provides.

In a statement, Consumers Union, nonprofit publisher of Consumer Reports magazine and this Web site, said TransUnion's move was a useful step that the other agencies should follow but added that it needs some improvement and doesn't eliminate the need for state freeze laws or a future federal one.

About this blog

Consumer Reports' money reporters, editors, and testers will quickly report on new developments and trends.
